IBM Rational AppScan Product Overview

®
IBM Software Group
© 2007 IBM Corporation
Rational AppScan Developer & Build Edition
Ashish Patel
AppScan Architect & Development Lead
ashishp@ca.ibm.com

IBM Software Group | Rational software
Executive Summary
 Application security continues to be a top security threat
 Regulatory Compliance (PCI), user demand (Web 2.0) and Enterprise Modernization
(SOA) are driving awareness and action for security testing
 The cost and lack of coverage of reactive security is driving companies towards proactive
measures – building security into the application development process
 Traditional approaches make it unlikely that development will support security testing due
to schedule risks and potential project failure
Cost /
Complexity
Security
Team
Operations /
Infrastructure
Time
IBM Rational is announcing a new innovative
approach for integrating security testing into
application development providing the most
accurate and easy to use solution for non-
security professionals

Evolving Threats to Your Applications

Market Overview
Web Application Security Buyers/Users
Web Application Security being addressed in
three ways
Mainstream adoption happening beyond lead
sectors (FinServ / Technology / Government)
Vendors are ahead of market adoption
Development may have more adoption momentum
than QA
 Security Team (90%) / Development Organization
(10%)
 Security Team (40%) / Development Organization
(10%) / Outsourcing (50%)
 eCommerce (PCI), State/Local, Universities & SMB
(risk awareness) growing presence
 R&D investment focused on solutions for development
& QA adoption, <10% of buyers (large customer
projects)
 All projects still owned by Security & majority of
opportunities are security only (ie. Emerging SMB)
 Driven by natural fit of code analysis security testing
with the developer use case
 Requires that offerings align code analysis with
development requirements, not security
requirements

Current Market Drivers
 Increase in vulnerabilities / disclosures
 Application security has become the top threat
 Regulatory Compliance
 Requirements such as PCI, HIPAA, GLBA, etc
 User demand
 For rich applications is pushing development to
advanced code techniques – Web 2.0 introducing more
risks to threats
 Enterprise Modernization
 Driving traditional applications to online world (SOA),
increasing corporate risk
 Cost cutting in current economic climate
 Demands increased efficiencies
Source: IBM ISS
Threat Report
LexisNexis
Data Breach
-Washington Post
Feb 17, 2008
IndiaTimes.com
Malware
—InformationWeek
Feb 17,2008
Hacker breaks into
Ecuador’s
presidential website
— Thaindian, Feb 11, 2008

Expensive
Low Productivity
Error Prone
Inconsistent
Resource intensive
Manual Governance
Efficient/Cheaper
High Productivity
High Quality
Consistent/Repeatable
Self Documenting
Automated Governance
Manual Assembly Line Automated
Evolution of the Software Factory
IBM Rational AppScan

What is the cost of a defect?
During the
coding phase
$25/defect
During the build
phase
$100/defect
Once released as
a product
$16,000/defect
During the
QA/Testing phase
$450/defect
The increasing costs of fixing a defect….
80% of development costs are spent
identifying and correcting defects!

Embed security testing
into the development
environment and workflow
Seamlessly add security
testing alongside functional
& performance testing
Dashboard provides filtered
relevant data for more
informed decision-making
Full traceability for security
issue prioritization
CISO
Tester
Developer
Build
Manager
QA
Manager
Automated security tests
embedded into the build
process
All test assets and results
in one repository
Quality process
enactmentRational AppScan
Rational AppScan Developer & Build Editions raise the industry bar
Delivering security-focused solutions across the development lifecycle

Enabling the Operationalization of Security Testing
Enable the Security
Testing Organization
Rational AppScan Express Edition
Rational AppScan Standard Edition
Rational AppScan Enterprise Edition
 Requires web application security
subject matter expertise
 Single-step security testing (no
additional oversight required as
expertise is built-in)
 Eliminates training requirements
for non-security experts
Control, Monitor, Collaborate and Report Web Application Security Testing
Embed Security
Testing in the SDLC
Rational AppScan Developer Edition
Rational AppScan Build Edition
Rational AppScan Tester Edition
Rational AppScan Standard Edition
Rational AppScan Reporting Console
 Implement environment-specific security
testing solution for select stakeholders
 Alleviates security testing bottleneck
downstream
 Increases security awareness across the
organization (code security improvement,
vulnerability awareness)
 Enables a more efficient process for on-
time and on-budget application
development
  Outsource Security
Testing
Rational AppScan OnDemand
Rational AppScan Security Consulting
 Outsource web application security
infrastructure or testing
 Enables immediate identification
for sources of online risk without
the necessary time and investment
for in-house training and resources

Customers are addressing Web Application Security in three ways:

Embedding Security in the Development Lifecycle
Primary goals for Web Application Security
1. Manage Online risk with security audits
2. Realize process efficiencies with testing coverage
occurring early in the development lifecycle
Security Auditors Challenge
 Accountable for managing organizational risk through on-line activity
 Limited resources (by budget or skillset) to provide timely security
testing coverage
 The result is a bottleneck that impacts development release cycles
The Solution
 Engage more testers earlier in the development lifecycle
Emerging focus

 Security tools are being pitched to developers
 Security tools require security expertise and don’t address the developer use case
 Lack necessary process integration to enable success
 Current static analysis suffers from accuracy and efficiency shortcomings
 Creating doubt and pushback from development organizations
 No solution provides viable mix of blackbox & whitebox technology
 High cost of static analysis-only offerings
 High cost yet still incomplete solutions
 Lack of training
 Developers are not mandated or motivated to train on secure code practices
 Priority remains on building functionality
Current Static analysis offerings are lacking

Challenge: Building software securely from the ground up
Security Auditors need to enable more testers in the process, but software developers are
not trained to be security experts, nor can they meet new development demands
 Niche security testing teams have been performing audits before code can pass to production
 These teams cannot keep up with the demand from hundreds of developers pushing new applications
frequently > as a result software releases are delayed or risk is introduced
 Need to engage more testers earlier in the process
 Need to make it simple for non-security professionals
How do we get more resources to provide
more security testing for our applications
How do we make it easier
to identify security vulnerabilities?
How can I ensure our developers are
implementing our corporate policies?
Development does not like us halting releases due
to security issues. How can I give them back control?

Solution: Utilize offerings designed for the development environment to
identify and fix security issues early in the development process, and turn
the security audit into the final check, not the first step
 Rational AppScan Developer Edition & AppScan Build Edition provide
security and compliance checks
 Combination of Static Code Analysis and Dynamic Analysis provide non-security
professionals in development the ability to accurately check for security defects in code
 Designed for the developers uses case to seamlessly fit security testing into the
development workflow
 AppScan Build Edition embeds automated security testing into the build process
 Provides remediation advice to simplify ability to fix security issues
 High accuracy security issue identification that developers can understand and fix
 Includes embedded security issue training
 Bite-sized training modules allow developers to quickly understand
the security issue and make appropriate fix
 Facilitates non-disruptive adoption of security testing solutions to improve application
IBM Rational AppScan Developer Edition
IBM Rational AppScan Build Edition

Expertise: Development is not focused on or trained to address security issues. Not having security expertise makes the development
adoption of security testing a challenge. For development to be effective solutions must be designed for and for non-security professionals
and fit the developers use case, thereby improving accuracy and efficiency and avoiding disruption.
Cost/time: The push to move more business services online places greater demand on limited
security testing resources to achieve testing coverage. Tools that naturally fit into the development process provide lifecycle
efficiencies as security issues are now identified and addressed much earlier in the process.
Compliance: Embedding security testing into development processes and systems supports the same governance
requirements inherent in development & testing organizations, but the added risk of a security vulnerabilities demands
stringent governance processes to log, track & ensure remediation of identified security issues.
Bottom line – Development adoption of
security testing results in more secure
software with on-time release schedules
Development is critical to the security challenge
Easing the security bottleneck can only be achieved by engaging more resources

Addressing organizational security testing requirements
Enable more testers in the process to alleviate the security bottleneck
Powered by automation
Collaborative life cycle
Govern software delivery
Development & Security Analysts collaborate to achieve
greater testing coverage earlier in the development process.
Automate security testing as part of the normal code-build
process within existing development environments,
eliminating the need for non-security personnel to learn new
or advanced security tools
Govern the process of issue remediation by providing the
ability to log security issues directly into defect tracking tools
Rational AppScan Developer Edition & AppScan Build Edition
can be embedded into the development process

®
IBM Software Group
Rational AppScan Developer & Build
Editions

Rational AppScan Developer Edition and Build Edition Themes
 Designed for Developers, not Security Auditors
 Self-Serve – No Security Expertise Required
 Natural fit into the Development Lifecycle Process
& Tools
 Best Web Application Security Analysis
Total PotentialTotal Potential
Security IssuesSecurity Issues
DynamicDynamic
AnalysisAnalysis
StaticStatic
AnalysisAnalysis
RuntimeRuntime
AnalysisAnalysis
 Enable more people to contribute to security testing
coverage with solutions for specific use cases
 Use case offerings facilitate the adoption of security
with minimal disruption to existing objectives
Business Outcome

Analysis Techniques Used
Static Code Analysis <> Whitebox
- Looking at the code for issues (code-
level scanning)
Dynamic Analysis <> Blackbox
- Sending tests to a functioning
application
String Analysis
- IBM patent pending code analysis
technique
- Code analysis version of “Scan Expert”
for efficient configuration of scan to
enable accurate results
Composite Analysis
- Blend of all testing techniques for
improved accuracy of reporting
- Leverage strengths and overcomes
weaknesses of each individual
technique
Runtime Analysis
- Monitoring behavior for feedback while
application is running at a detailed level
to tell where a vulnerability exists in the
execution code

 Accuracy
 Source free
 Code coverage
 HTTP awareness only
 Multi components support
 Requires deployed application
 Code/path coverage
 Limited to given code
 More than HTTP validations
 Support partial applications
 Support per language/framework
 No need to deploy application
Black Box White BoxAppScan DE
 Few Prerequisites  Over approximation
 Works as a remote attacker  Integration/deployment issues

String Analysis
 IBM patent-pending technology
 Potentially game-changing technology in code-analysis
 Existing white-box offerings use Taint Analysis
Requires configuration, dependent on both knowledge of code & security expertise to be
done accurately
Inaccurate configuration results in volumes of false positives
 String Analysis automates configuration
Removes largest driver of inaccurate results of static code analysis
Simplifies use for developers (for non-security experts)
 Taint analysis measures whether an input is tainted, string analysis can determine
exactly how it is tainted

String Analysis vs. Taint Analysis
Taint Analysis String Analysis
Configuration Users must spend a long time
configuring sanitizers
Accurate out-of-the-box:
No need to define what the sanitizers are
Configuration
Validation
The entire analysis is based on
correct user configuration
String Analysis can validate the
correctness of user-defined sanitizers
Inline sanitizers No support; Users have to
change their code to scan it. Supports
Validators No support; Users have to
change their code to scan it. Supports
Result confidence
Many “low confidence” results
that require security professionals
to verify
“Self-serve” solution underlines high
confidence results; developer can trust
results to be real
Advanced Restricted to identify taint only Allows improved and accurate analysis
to pin point specific issues

Why Buy…
 Broadest suite of offerings to
support security testing across the
development lifecycle
 Only web application security
testing solution to provide combined
code, dynamic, runtime and string
analysis
 Broadest set of security compliance
reporting
 Integration with Rational portfolio
allowing security to become a
natural part of the software
development process
 R&D backed by IBM’s $1.5B annual
investment in security
 Designed for Developers, not Auditors
 Designed for developer efficiency & addresses non-security
expertise
 Enable both centralized and broad security testing (“Test
before check in” model)
 Best Application Security Analysis
 Includes multiple analysis techniques - leverages strengths of
all techniques & overcomes weaknesses
 Emphasis on Accuracy (low FP) & Actionable Results
 Self-Serve Security Testing for Developers
 Detailed results include all you need to know
 Remediation view turns risk into tasks
 Detailed Fix Recommendations clarify required actions
 Built-in & accompanying training supports self-serve
 Naturally fits into the SDLC process
 Minimize disruption
 Scale to large number of users
 Support collaboration within development
 Integrate with development tools
…IBM? …Ratl AppScan Developer Edition?

Highlights
What is AppScan Developer Edition?
 A solution created to empower developers with the ability to
invoke Web application security testing within their
development environment
 Designed as a complement to the Rational AppScan family of
security testing solutions, it enables the development
organization to address the volumes of security issues that can
be introduced in code.
 Supports existing developer and build environment use cases
for efficient and non-disruptive adoption of security testing with
IDE & build server integrations
What does it do?
 Provides security and compliance checks using static code
analysis for security vulnerabilities,
 Enables developers (who are not security experts) address
security defects early in development process where the cost of
fixing issues is least expensive
 Comprehensive Security Analysis
 Next-Generation Accuracy
 Unparalleled Ease of Use
 Identification of line-of-code
 Self-Serve Security Testing for
Developers
 Seamless Integration into the
Development Process
 Complete the Rational AppScan
End-to-End security solution
Overview

What is AppScan Build Edition?
 A solution created to embed automated Web application
security into the build process
 Designed as a complement to the Rational AppScan family of
security testing solutions, it enables the development
organization to address the volumes of security issues that can
be introduced in code.
 Supports existing developer and build environment use cases
for efficient and non-disruptive adoption of security testing with
IDE & build server integrations
What does it do?
 Allow scans from AppScan Standard Edition or AppScan
Developer Ed to be processed in a non-UI / scriptable mode
 Provides simple/generic command line support for integration
into most build environments, with an additional adaptor for
BuildForge
 Automated Security Testing in the
Development Process
 Comprehensive Security Analysis
 Next-Generation Accuracy
 Code Coverage
 Identification of line-of-code
 Seamless Integration into the
Development Process
 Complete the Rational AppScan
End-to-End security solution
Overview
Highlights

BuildCode SecurityQA
AppScan
Standard Ed
(desktop)
Typical Customer Adoption To Date
AppScan
Enterprise user
(web client)
IBM Rational Web Based Training for AppScan
IBM Rational AppScan Enterprise / Reporting Console
Automate Security /
Compliance testing in
the Build Process
Build security testing
into the IDE
Security / compliance testing
incorporated into testing &
remediation workflows
Security and Compliance
Testing, oversight, control,
policy, in-depth tests
Market Maturity

Rational
BuildForge
Rational Quality
Manager
Rational
Application
Developer
Rational
Software
Analyzer
Rational
ClearCase
Rational ClearQuest / Defect Management
AppScan
Standard Ed
(desktop)
IBM Rational AppScan Ecosystem
AppScan
Enterprise user
(web client)
AppScan Build Ed
(scanning agent)
AppScan Express
(desktop)
AppScan
Developer Ed
(desktop)
AppScan Ent.
QuickScan
(web client) AppScan Tester Ed
(scanning agent)
(QA clients)
AppScan Enterprise / Reporting ConsoleAppScan Enterprise / Reporting Console
CODE
Build security testing into the
IDE*
BUILD
Automate Security / Compliance
testing in the Build Process
QA
SECURITY
Security & Compliance Testing,
oversight, control, policy, audits

AppScan
Standard Ed
(desktop)
The New IBM Rational AppScan Ecosystem
AppScan
Enterprise user
(web client)
AppScan Build Ed
(scanning agent)
AppScan Express
(desktop)
AppScan
Developer Ed
(desktop)
AppScan Ent.
QuickScan
(web client) AppScan Tester Ed
(scanning agent)
(QA clients)
Rational
BuildForge
Rational Quality
Manager
Rational
Application
Developer
Rational
Software
Analyzer
Rational
ClearCase
Rational ClearQuest / Defect Management
AppScan Enterprise / Reporting ConsoleAppScan Enterprise / Reporting Console
Code
Build security testing into the
IDE*
Build
Automate Security / Compliance
testing in the Build Process
QA
Security
Security & Compliance Testing,
oversight, control, policy, audits

AppScan Developer Edition - Proactive Use Case
1. Developer Writes Code
2. Developer Tests Changes
Using AppScan DE
3. Developer Fixes or Logs Issues
4. Developer Checks in Code

AppScan Build Edition Use Case
1. Build System compiles code
2. AppScan Static Analysis Invoked
3. Application auto-deployed
4. AppScan Dynamic Analysis Invoked
5. Found issues logged

AppScan Developer Edition - Reactive Use-Case
1. Developer receives Defect *
(preferably with scan file)
2. Developer loads scan or
reproduces issue using AppScan DE
3. Developer Fixes Issue In Code
4. Developer Re-Tests using AppScan Dev Ed
5. Developer checks in fix and updates defect
* Defect originating from
other developer, QA or
Build System

Rational AppScan Value Propositions
 Customer Pain:
 Client has acquired a web application testing
desktop point product being run by a security
auditor.
 Limited licenses or resources performing the
testing have created a bottleneck by the security
team, and it is impeding the deployment of
applications.
 Value for Customer
 IBM Rational AppScan portfolio of web
application security testing solutions enables
software development stakeholders from
development, build management and QA to share
in the security testing responsibility and alleviated
the resource limitations of the security team.
 Unlike
 Competition who are lacking IBM’s investment in
security which allows IBM to lead with the
broadest and most advanced security testing and
lack the customer experience to enable customer
success
 Customer Pain:
 Client needs the development organization to
address the process inefficiencies and project
delays resulting from security testing bottleneck
occurring late in the development process.
 Value for Customer
 IBM Rational AppScan Developer Ed and
Rational AppScan Build Ed provide security
testing solutions that are designed for
development use cases to enable security testing
for non-security experts
 The offerings allow for the identification and
remediation of security issues much earlier in the
development process, resulting in a more efficient
process and projects delivered on time.
 Unlike
 Competition who are lacking breadth and strength
of testing techniques to provide the necessary
efficiencies and accuracy for development to be
successful with security testing
For Security Team For Development

®
IBM Software Group
Rational AppScan Developer Edition –
Screenshot Demo

Wizard-based
Scan Creation

Advanced
Configuration
(not a part of daily use)

Manual-Explore
Based Dynamic
Analysis

Detailed Progress
throughout Scan

Actionable Results
Prioritized, include all the info to
understand and remediate issues

Detailed Dynamic
Exploit Description

Complete static
data-flow display
including all the code involved

Code-level Execution
flow of Dynamic
Analysis issues

Built-in Export
to ClearQuest

Rational Software
Analyzer Integration
(adding Quality-related
Static Analysis)

IBM Rational AppScan Product Overview

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à IBM Rational AppScan Product Overview

Similaire à IBM Rational AppScan Product Overview (20)

Plus de Ashish Patel

Plus de Ashish Patel (15)

Dernier

Dernier (20)

IBM Rational AppScan Product Overview

Notes de l'éditeur