2. IBM Software Group | Rational software
Executive Summary
Application security continues to be a top security threat
Regulatory Compliance (PCI), user demand (Web 2.0) and Enterprise Modernization
(SOA) are driving awareness and action for security testing
The cost and lack of coverage of reactive security is driving companies towards proactive
measures – building security into the application development process
Traditional approaches make it unlikely that development will support security testing due
to schedule risks and potential project failure
[Chart: cost/complexity of the security team versus operations/infrastructure, plotted over time]
IBM Rational is announcing a new innovative
approach for integrating security testing into
application development providing the most
accurate and easy to use solution for non-
security professionals
3. IBM Software Group | Rational software
Evolving Threats to Your Applications
4. IBM Software Group | Rational software
Market Overview
Web Application Security Buyers/Users: Security Team (90%) / Development Organization (10%)
Web Application Security being addressed in three ways: Security Team (40%) / Development Organization (10%) / Outsourcing (50%)
Mainstream adoption happening beyond lead sectors (FinServ / Technology / Government): eCommerce (PCI), State/Local, Universities & SMB (risk awareness) growing presence
Vendors are ahead of market adoption: R&D investment focused on solutions for development & QA adoption, <10% of buyers (large customer projects); all projects still owned by Security & the majority of opportunities are security only (i.e. emerging SMB)
Development may have more adoption momentum than QA: driven by the natural fit of code analysis security testing with the developer use case; requires that offerings align code analysis with development requirements, not security requirements
5. IBM Software Group | Rational software
Current Market Drivers
Increase in vulnerabilities / disclosures: application security has become the top threat
Regulatory Compliance: requirements such as PCI, HIPAA, GLBA, etc.
User demand: demand for rich applications is pushing development to advanced code techniques; Web 2.0 introduces more exposure to threats
Enterprise Modernization: driving traditional applications to the online world (SOA), increasing corporate risk
Cost cutting in the current economic climate: demands increased efficiencies
Source: IBM ISS Threat Report
Headlines: "LexisNexis Data Breach" (Washington Post, Feb 17, 2008); "IndiaTimes.com Malware" (InformationWeek, Feb 17, 2008); "Hacker breaks into Ecuador's presidential website" (Thaindian, Feb 11, 2008)
6. IBM Software Group | Rational software
Evolution of the Software Factory (Manual, Assembly Line, Automated)
Manual: Expensive, Low Productivity, Error Prone, Inconsistent, Resource intensive, Manual Governance
Automated: Efficient/Cheaper, High Productivity, High Quality, Consistent/Repeatable, Self Documenting, Automated Governance
IBM Rational AppScan
7. IBM Software Group | Rational software
What is the cost of a defect?
The increasing cost of fixing a defect:
During the coding phase: $25/defect
During the build phase: $100/defect
During the QA/Testing phase: $450/defect
Once released as a product: $16,000/defect
80% of development costs are spent identifying and correcting defects!
8. IBM Software Group | Rational software
Rational AppScan Developer & Build Editions raise the industry bar
Delivering security-focused solutions across the development lifecycle
Stakeholders: CISO, Tester, Developer, Build Manager, QA Manager
Embed security testing into the development environment and workflow
Seamlessly add security testing alongside functional & performance testing
Dashboard provides filtered, relevant data for more informed decision-making
Full traceability for security issue prioritization
Automated security tests embedded into the build process
All test assets and results in one repository
Quality process enactment
Rational AppScan
9. IBM Software Group | Rational software
Enabling the Operationalization of Security Testing
Customers are addressing Web Application Security in three ways:
1. Enable the Security Testing Organization
Rational AppScan Express Edition, Rational AppScan Standard Edition, Rational AppScan Enterprise Edition
Requires web application security subject matter expertise
Control, Monitor, Collaborate and Report Web Application Security Testing
2. Embed Security Testing in the SDLC
Rational AppScan Developer Edition, Rational AppScan Build Edition, Rational AppScan Tester Edition, Rational AppScan Standard Edition, Rational AppScan Reporting Console
Single-step security testing (no additional oversight required as expertise is built-in)
Implement environment-specific security testing solution for select stakeholders
Alleviates security testing bottleneck downstream
Increases security awareness across the organization (code security improvement, vulnerability awareness)
Enables a more efficient process for on-time and on-budget application development
3. Outsource Security Testing
Rational AppScan OnDemand, Rational AppScan Security Consulting
Eliminates training requirements for non-security experts
Outsource web application security infrastructure or testing
Enables immediate identification of sources of online risk without the time and investment for in-house training and resources
10. IBM Software Group | Rational software
Embedding Security in the Development Lifecycle
Primary goals for Web Application Security
1. Manage Online risk with security audits
2. Realize process efficiencies with testing coverage
occurring early in the development lifecycle
Security Auditors' Challenge
Accountable for managing organizational risk through on-line activity
Limited resources (by budget or skillset) to provide timely security
testing coverage
The result is a bottleneck that impacts development release cycles
The Solution
Engage more testers earlier in the development lifecycle
Emerging focus
11. IBM Software Group | Rational software
Security tools are being pitched to developers
Security tools require security expertise and don’t address the developer use case
Lack necessary process integration to enable success
Current static analysis suffers from accuracy and efficiency shortcomings
Creating doubt and pushback from development organizations
No solution provides viable mix of blackbox & whitebox technology
High cost of static analysis-only offerings
High cost yet still incomplete solutions
Lack of training
Developers are not mandated or motivated to train on secure code practices
Priority remains on building functionality
Current Static analysis offerings are lacking
12. IBM Software Group | Rational software
Challenge: Building software securely from the ground up
Security Auditors need to enable more testers in the process, but software developers are not trained to be security experts, nor can they meet new development demands
Niche security testing teams have been performing audits before code can pass to production
These teams cannot keep up with the demand from hundreds of developers pushing new applications frequently; as a result software releases are delayed or risk is introduced
Need to engage more testers earlier in the process
Need to make it simple for non-security professionals
How do we get more resources to provide more security testing for our applications?
How do we make it easier to identify security vulnerabilities?
How can I ensure our developers are implementing our corporate policies?
Development does not like us halting releases due to security issues. How can I give them back control?
13. IBM Software Group | Rational software
Solution: Utilize offerings designed for the development environment to identify and fix security issues early in the development process, and turn the security audit into the final check, not the first step
Rational AppScan Developer Edition & AppScan Build Edition provide security and compliance checks
Combination of Static Code Analysis and Dynamic Analysis gives non-security professionals in development the ability to accurately check for security defects in code
Designed for the developer's use case to seamlessly fit security testing into the development workflow
AppScan Build Edition embeds automated security testing into the build process
Provides remediation advice to simplify the ability to fix security issues
High accuracy security issue identification that developers can understand and fix
Includes embedded security issue training
Bite-sized training modules allow developers to quickly understand the security issue and make the appropriate fix
Facilitates non-disruptive adoption of security testing solutions to improve application
IBM Rational AppScan Developer Edition
IBM Rational AppScan Build Edition
14. IBM Software Group | Rational software
Expertise: Development is not focused on or trained to address security issues. Not having security expertise makes the development adoption of security testing a challenge. For development to be effective, solutions must be designed for non-security professionals and fit the developer's use case, thereby improving accuracy and efficiency and avoiding disruption.
Cost/time: The push to move more business services online places greater demand on limited security testing resources to achieve testing coverage. Tools that naturally fit into the development process provide lifecycle efficiencies, as security issues are identified and addressed much earlier in the process.
Compliance: Embedding security testing into development processes and systems supports the same governance requirements inherent in development & testing organizations, but the added risk of security vulnerabilities demands stringent governance processes to log, track & ensure remediation of identified security issues.
Bottom line: Development adoption of security testing results in more secure software with on-time release schedules
Development is critical to the security challenge
Easing the security bottleneck can only be achieved by engaging more resources
15. IBM Software Group | Rational software
Addressing organizational security testing requirements
Enable more testers in the process to alleviate the security bottleneck
Powered by automation
Collaborative life cycle
Govern software delivery
Development & Security Analysts collaborate to achieve
greater testing coverage earlier in the development process.
Automate security testing as part of the normal code-build
process within existing development environments,
eliminating the need for non-security personnel to learn new
or advanced security tools
Govern the process of issue remediation by providing the
ability to log security issues directly into defect tracking tools
Rational AppScan Developer Edition & AppScan Build Edition
can be embedded into the development process
17. IBM Software Group | Rational software
Rational AppScan Developer Edition and Build Edition Themes
Designed for Developers, not Security Auditors
Self-Serve: No Security Expertise Required
Natural fit into the Development Lifecycle Process & Tools
Best Web Application Security Analysis
[Diagram: Total Potential Security Issues, covered by overlapping Dynamic Analysis, Static Analysis and Runtime Analysis]
Business Outcome
Enable more people to contribute to security testing coverage with solutions for specific use cases
Use case offerings facilitate the adoption of security with minimal disruption to existing objectives
18. IBM Software Group | Rational software
Analysis Techniques Used
Static Code Analysis (Whitebox)
- Looking at the code for issues (code-level scanning)
Dynamic Analysis (Blackbox)
- Sending tests to a functioning application
String Analysis
- IBM patent pending code analysis technique
- Code analysis version of "Scan Expert" for efficient configuration of the scan to enable accurate results
Composite Analysis
- Blend of all testing techniques for improved accuracy of reporting
- Leverages strengths and overcomes weaknesses of each individual technique
Runtime Analysis
- Monitoring behavior for feedback while the application is running, at a detailed level, to tell where a vulnerability exists in the execution code
19. IBM Software Group | Rational software
Black Box vs. White Box (AppScan DE)
Black Box:
- Accuracy
- Source free
- Code coverage
- HTTP awareness only
- Multi components support
- Requires deployed application
- Few prerequisites
- Works as a remote attacker
White Box (AppScan DE):
- Code/path coverage
- Limited to given code
- More than HTTP validations
- Support partial applications
- Support per language/framework
- No need to deploy application
- Over approximation
- Integration/deployment issues
20. IBM Software Group | Rational software
String Analysis
IBM patent-pending technology
Potentially game-changing technology in code-analysis
Existing white-box offerings use Taint Analysis
Requires configuration, dependent on both knowledge of code & security expertise to be
done accurately
Inaccurate configuration results in volumes of false positives
String Analysis automates configuration
Removes largest driver of inaccurate results of static code analysis
Simplifies use for developers (non-security experts)
Taint analysis measures only whether an input is tainted; string analysis can determine exactly how it is tainted
21. IBM Software Group | Rational software
String Analysis vs. Taint Analysis
Configuration
Taint Analysis: Users must spend a long time configuring sanitizers
String Analysis: Accurate out-of-the-box; no need to define what the sanitizers are
Configuration validation
Taint Analysis: The entire analysis is based on correct user configuration
String Analysis: String Analysis can validate the correctness of user-defined sanitizers
Inline sanitizers
Taint Analysis: No support; users have to change their code to scan it
String Analysis: Supports
Validators
Taint Analysis: No support; users have to change their code to scan it
String Analysis: Supports
Result confidence
Taint Analysis: Many "low confidence" results that require security professionals to verify
String Analysis: "Self-serve" solution underlines high confidence results; developers can trust results to be real
Advanced
Taint Analysis: Restricted to identifying taint only
String Analysis: Allows improved and accurate analysis to pinpoint specific issues
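As an added illustration of the table's central point (this is constructed example code, not AppScan's algorithm or anything from this deck), the toy below models a sanitizer as a list of string replacements and compares the two verdicts: a taint bit that only clears when the user declares the step a sanitizer, versus a character-set over-approximation that looks at what the sanitizer actually removes and can therefore validate a user-defined sanitizer on its own. The sink policy, the printable-ASCII input domain and the two sanitizers (`HTML_ESCAPE`, `STRIP_SCRIPT_TAG`) are assumptions made for this example.

```python
# Constructed toy model of "taint analysis vs. string analysis" for one sink:
# untrusted user input flowing into an HTML page. Not AppScan's implementation.
from dataclasses import dataclass

# What an unconstrained user input may contain (printable ASCII, assumed).
ANY_CHAR = frozenset(chr(c) for c in range(32, 127))
# Characters that let a value escape an HTML text or quoted-attribute context
# (constructed sink policy for this example).
SINK_FORBIDDEN = frozenset('<>"\'')


@dataclass(frozen=True)
class AbstractString:
    """Over-approximation of the characters a string may contain, plus the
    single taint bit a classic taint analysis would track alongside it."""
    chars: frozenset
    tainted: bool

    def replace(self, old: str, new: str) -> "AbstractString":
        """Abstract transfer function for str.replace(old, new).
        Only a single-character `old` that does not reappear in `new` is
        guaranteed gone from the result; any other replacement can only add
        characters, so the sound answer is the union."""
        if len(old) == 1 and old not in new:
            chars = (self.chars - {old}) | set(new)
        else:
            chars = self.chars | set(new)
        # Taint analysis has no model of the transform: the bit survives
        # unless the user explicitly declared this step a sanitizer.
        return AbstractString(frozenset(chars), self.tainted)


# A "sanitizer" is a list of (old, new) replacements applied in order.
HTML_ESCAPE = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
               ('"', "&quot;"), ("'", "&#x27;")]
# A blocklist filter: removes one tag name but leaves '<' and '>' usable.
STRIP_SCRIPT_TAG = [("<script>", ""), ("</script>", "")]


def apply_concrete(sanitizer, value: str) -> str:
    """Run the sanitizer on a real string (used to cross-check the abstraction)."""
    for old, new in sanitizer:
        value = value.replace(old, new)
    return value


def string_analysis_reaching_sink(sanitizer) -> frozenset:
    """Characters that string analysis says may still reach the sink after
    the sanitizer has run on unconstrained user input."""
    abstract = AbstractString(ANY_CHAR, tainted=True)
    for old, new in sanitizer:
        abstract = abstract.replace(old, new)
    return abstract.chars


def string_analysis_sink_safe(sanitizer) -> bool:
    """Validates a user-defined sanitizer from its code alone: the sink is
    safe iff no forbidden character can survive the replacements."""
    return not (string_analysis_reaching_sink(sanitizer) & SINK_FORBIDDEN)


def taint_analysis_sink_safe(sanitizer, declared_as_sanitizer: bool) -> bool:
    """Taint analysis verdict: it depends entirely on the user's declaration,
    not on what the sanitizer actually does (false negative if a broken
    filter is declared, false positive if a correct one is not)."""
    abstract = AbstractString(ANY_CHAR, tainted=True)
    for old, new in sanitizer:
        abstract = abstract.replace(old, new)
    return declared_as_sanitizer or not abstract.tainted


if __name__ == "__main__":
    for name, san in [("html_escape", HTML_ESCAPE),
                      ("strip_script_tag", STRIP_SCRIPT_TAG)]:
        print(f"{name}: string analysis safe={string_analysis_sink_safe(san)}, "
              f"taint analysis (declared) safe={taint_analysis_sink_safe(san, True)}")
```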
22. IBM Software Group | Rational software
Why Buy… IBM?
Broadest suite of offerings to support security testing across the development lifecycle
Only web application security testing solution to provide combined code, dynamic, runtime and string analysis
Broadest set of security compliance reporting
Integration with Rational portfolio allowing security to become a natural part of the software development process
R&D backed by IBM's $1.5B annual investment in security
Why Buy… Rational AppScan Developer Edition?
Designed for Developers, not Auditors
- Designed for developer efficiency & addresses non-security expertise
- Enable both centralized and broad security testing ("Test before check in" model)
Best Application Security Analysis
- Includes multiple analysis techniques; leverages strengths of all techniques & overcomes weaknesses
- Emphasis on Accuracy (low FP) & Actionable Results
Self-Serve Security Testing for Developers
- Detailed results include all you need to know
- Remediation view turns risk into tasks
- Detailed Fix Recommendations clarify required actions
- Built-in & accompanying training supports self-serve
Naturally fits into the SDLC process
- Minimize disruption
- Scale to large number of users
- Support collaboration within development
- Integrate with development tools
23. IBM Software Group | Rational software
Overview
What is AppScan Developer Edition?
A solution created to empower developers with the ability to invoke Web application security testing within their development environment
Designed as a complement to the Rational AppScan family of security testing solutions, it enables the development organization to address the volumes of security issues that can be introduced in code.
Supports existing developer and build environment use cases for efficient and non-disruptive adoption of security testing with IDE & build server integrations
What does it do?
Provides security and compliance checks using static code analysis for security vulnerabilities
Enables developers (who are not security experts) to address security defects early in the development process, where the cost of fixing issues is lowest
Highlights
Comprehensive Security Analysis
Next-Generation Accuracy
Unparalleled Ease of Use
Identification of line-of-code
Self-Serve Security Testing for Developers
Seamless Integration into the Development Process
Complete the Rational AppScan End-to-End security solution
24. IBM Software Group | Rational software
Overview
What is AppScan Build Edition?
A solution created to embed automated Web application security into the build process
Designed as a complement to the Rational AppScan family of security testing solutions, it enables the development organization to address the volumes of security issues that can be introduced in code.
Supports existing developer and build environment use cases for efficient and non-disruptive adoption of security testing with IDE & build server integrations
What does it do?
Allows scans from AppScan Standard Edition or AppScan Developer Ed to be processed in a non-UI / scriptable mode
Provides simple/generic command line support for integration into most build environments, with an additional adaptor for BuildForge
Highlights
Automated Security Testing in the Development Process
Comprehensive Security Analysis
Next-Generation Accuracy
Code Coverage
Identification of line-of-code
Seamless Integration into the Development Process
Complete the Rational AppScan End-to-End security solution
25. IBM Software Group | Rational software
Typical Customer Adoption To Date
[Diagram: adoption stages Code, Build, QA and Security, ordered by market maturity]
AppScan Standard Ed (desktop)
AppScan Enterprise user (web client)
IBM Rational Web Based Training for AppScan
IBM Rational AppScan Enterprise / Reporting Console
Code: Build security testing into the IDE
Build: Automate Security / Compliance testing in the Build Process
QA: Security / compliance testing incorporated into testing & remediation workflows
Security: Security and Compliance Testing, oversight, control, policy, in-depth tests
Market Maturity
26. IBM Software Group | Rational software
IBM Rational AppScan Ecosystem
Rational tooling: Rational BuildForge, Rational Quality Manager, Rational Application Developer, Rational Software Analyzer, Rational ClearCase, Rational ClearQuest / Defect Management
AppScan products: AppScan Standard Ed (desktop), AppScan Enterprise user (web client), AppScan Build Ed (scanning agent), AppScan Express (desktop), AppScan Developer Ed (desktop), AppScan Ent. QuickScan (web client), AppScan Tester Ed (scanning agent, QA clients)
IBM Rational Web Based Training for AppScan
AppScan Enterprise / Reporting Console
CODE: Build security testing into the IDE*
BUILD: Automate Security / Compliance testing in the Build Process
QA: Security / compliance testing incorporated into testing & remediation workflows
SECURITY: Security & Compliance Testing, oversight, control, policy, audits
27. IBM Software Group | Rational software
The New IBM Rational AppScan Ecosystem
AppScan products: AppScan Standard Ed (desktop), AppScan Enterprise user (web client), AppScan Build Ed (scanning agent), AppScan Express (desktop), AppScan Developer Ed (desktop), AppScan Ent. QuickScan (web client), AppScan Tester Ed (scanning agent, QA clients)
IBM Rational Web Based Training for AppScan
Rational tooling: Rational BuildForge, Rational Quality Manager, Rational Application Developer, Rational Software Analyzer, Rational ClearCase, Rational ClearQuest / Defect Management
AppScan Enterprise / Reporting Console
Code: Build security testing into the IDE*
Build: Automate Security / Compliance testing in the Build Process
QA: Security / compliance testing incorporated into testing & remediation workflows
Security: Security & Compliance Testing, oversight, control, policy, audits
28. IBM Software Group | Rational software
AppScan Developer Edition - Proactive Use Case
1. Developer Writes Code
2. Developer Tests Changes Using AppScan DE
3. Developer Fixes or Logs Issues
4. Developer Checks in Code
29. IBM Software Group | Rational software
AppScan Build Edition Use Case
1. Build System compiles code
2. AppScan Static Analysis Invoked
3. Application auto-deployed
4. AppScan Dynamic Analysis Invoked
5. Found issues logged
30. IBM Software Group | Rational software
AppScan Developer Edition - Reactive Use-Case
1. Developer receives Defect* (preferably with scan file)
2. Developer loads scan or reproduces issue using AppScan DE
3. Developer Fixes Issue In Code
4. Developer Re-Tests using AppScan Dev Ed
5. Developer checks in fix and updates defect
* Defect originating from other developer, QA or Build System
31. IBM Software Group | Rational software
Rational AppScan Value Propositions
For Security Team
Customer Pain: Client has acquired a web application testing desktop point product being run by a security auditor. Limited licenses or resources performing the testing have created a bottleneck at the security team, and it is impeding the deployment of applications.
Value for Customer: The IBM Rational AppScan portfolio of web application security testing solutions enables software development stakeholders from development, build management and QA to share in the security testing responsibility and alleviates the resource limitations of the security team.
Unlike: Competition, who lack IBM's investment in security (which allows IBM to lead with the broadest and most advanced security testing) and lack the customer experience to enable customer success
For Development
Customer Pain: Client needs the development organization to address the process inefficiencies and project delays resulting from a security testing bottleneck occurring late in the development process.
Value for Customer: IBM Rational AppScan Developer Ed and Rational AppScan Build Ed provide security testing solutions that are designed for development use cases to enable security testing for non-security experts. The offerings allow for the identification and remediation of security issues much earlier in the development process, resulting in a more efficient process and projects delivered on time.
Unlike: Competition, who lack the breadth and strength of testing techniques to provide the necessary efficiencies and accuracy for development to be successful with security testing
42. IBM Software Group | Rational software
Rational Software Analyzer Integration (adding Quality-related Static Analysis)
Presenter notes
Overview
To be competitive in today’s fast-paced business environment requires increased visibility and automation of governance and compliance measures. As software has become the driving force behind innovation, customers are focusing on improving and automating quality and security earlier in the software delivery lifecycle. The addition of Rational Software Analyzer to Rational’s quality management capabilities provides a centralized, extensible foundation for static analysis driving increased quality and reduced risk.
Centralized quality automation simplifies software delivery processes decreasing overhead and increasing software reliability
An extensible foundation enables inclusion of rules such as security, compliance, and intellectual property vulnerabilities increasing team responsiveness to business priorities
Powerful reporting features increase project visibility and support enforcement of corporate IT governance and compliance directives
NEW!
Rational Software Analyzer Available 4/29/08
Rational AppScan Developer Edition Beta Available 5/26/08
The National Institute of Standards and Technology (NIST) reports that "…80% of development costs [are spent] on identifying and correcting defects"
The 'Cost of Defect' figures from Capers Jones (Applied Software Measurement, 1996):
At coding time - $25/defect
At build time - $100/defect
At QA - $450/defect
At field level - $16,000/defect
Here’s how we’re raising the quality bar and delivering innovation and value to our customers with RQM: how we’re bringing new differentiators to this space not delivered before…
(HP does not have ALM integration)
(HP lags with requirements integration)
Improved efficiency, utilization, and quality of test lab operations. (Unique market differentiator)
Test Case Prioritization (Unique market differentiator)
Real-time detection of defects and test case prioritization for resolution
Remote launch and control of integrated point products (Unique market differentiator)
(HP is closed - each vendor needs special arrangement to exchange data)
Pattern analysis and recognition (unique market differentiator) ??
Klocwork coming from quality with limited security expertise
Cenzic struggling & limited to a blackbox solution
This leaves Fortify & HP/SPI
Fortify is lacking the blackbox capability to complement whitebox offerings for a complete & cost viable solution
HP/SPI has a credible blackbox offering, but a deficient whitebox offering, leaving a poor hybrid solution
Rational AppScan Developer Edition provides security and compliance checks alongside of Rational Software Analyzer
Combines static analysis providing non-security professionals the ability to check for security defects in web applications
Ability to execute multiple scan rules and tools from a common framework increases productivity
Provides remediation advice to facilitate developer efforts to fix security issues efficiently
Developer Essentials test policy provides high accuracy issue identification for security issues that developers can understand and fix efficiently
Includes embedded security issue training
Bite-sized training modules allow developers to quickly understand the security issue and make the appropriate fix
Facilitates non-disruptive adoption of security testing solutions to improve application
If team is not collaborating what happens?
If team is not leveraging automation, what is the impact?
If team does not have appropriate level of governance, what happens?
Designed for Developers, not Auditors
Support partially built applications
Manual Explore based scans on specific working flows
Static Analysis supports applications once they compile
Developers are not a gateway, and rather seek max efficiency
Prioritize quick results and ease of use over 100% coverage or extreme breadth of testing
Enable both centralized and broad security testing
Centralized scans in a build system or by team security leads
Broad testing by entire team - “Test before check in” model
Best Application Security Analysis
Includes Static, Dynamic & Runtime Analysis
Side-by-side, gain the strengths of all techniques
Uses Composite Analysis (CA), merging the different ways
CA overcomes the weaknesses of each technique, such as:
Theoretical Static Analysis confirmed by Dynamic Analysis
Dynamic Analysis Coverage measured with Runtime Analysis
Extreme Emphasis on Accuracy & Actionable Results
Innovative Static String Analysis dramatically improves accuracy
Runtime Analysis maps Dynamic Analysis issues to code
Correlated Dynamic & Static results practically guaranteed
Self-Serve Security Testing for Developers
Detailed results include all you need to know
Comprehensive information about each security issue and its impact
Clear prioritization accounts for security risk and exploitability
Remediation view turns risk into tasks
Look at the problems from a development tasks perspective
Risk manifested in task priority
Detailed Fix Recommendations clarify needed action
Complete with platform-specific code examples
Retest capabilities enable verifying the fix works
Built in and accompanying training supports self-serve
Issue-specific flash-based training built into product
Product & Security Web-Based Training will be available at GA
Naturally fits into the SDLC process
Easily fit into the SDLC process - Minimize disruption
Fits common dev testing points (build or before check-in)
Uses dev concepts and terminology, not security ones
Scale to large number of users
Support centralized reporting & permissions through AppScan Enterprise or AppScan Reporting Console
Support collaboration within the development team
Share configuration, results and more
Integrate with development tools
IDE, Source Control, Build System, Defect Tracking system…
Comprehensive Security Analysis combining Dynamic, Static & Runtime Analysis, providing unmatched coverage of potential security issues for web applications
Next-Generation Accuracy with new patent-pending String Analysis, Developer Essentials test policy and the correlation of Static & Dynamic Analysis results all reducing the likelihood of false positives
Unparalleled Ease of Use with browsing based Dynamic Analysis and String Analysis enabling zero-configuration Static Analysis making efficient and accurate security testing possible for Developers
Identification of line-of-code location for Black-Box Issues - the Runtime-Analysis based Execution Flow provides textual and graphical insight, greatly simplifying the understanding and remediation of those issues.
Self-Serve Security Testing for Developers from built-in Flash-based training, accurate and prioritized results pointing straight to the line of code, and detailed remediation advice complete with code samples allow developers to be self-sufficient in their daily handling of web application security
Seamless Integration into the Development Process:
Specially designed for developer use case including deep integration with Rational Application Developer and Eclipse
Team collaboration through Rational ClearQuest and source-control systems
Complete the Rational AppScan End-to-End security solution enabling the security team to establish and control scanning permissions and policies and provide Security & QA teams with a way to pass reproducible security issues back to development for remediation and verification
1. Security 2. Code 3. Build 4. QA. This represents our product suite – how we help clients get to the utopia, which is testing throughout the entire SDLC: taking security, which usually resides in info sec or risk management, and pushing it earlier. This is how we address it – start at the far right. This is where ownership usually falls; it should be on their heads if an issue occurs, since they have final sign-off. Desktop is the entry point for many customers, but not all. Once you go beyond just security and want to put controls and monitoring in place, that is ASE. See the web client for ASE – security uses Enterprise, and ASE becomes the aggregation point for all that information – central management and control. But depending on who you are and what your role is, we have different solutions to introduce security so it is as unintrusive as possible.
Moving into QA, we specifically built functionality into ASE that gives QA the ability to launch scans without necessarily having the security background or knowledge. Setting up a scan can be a difficult process, but to change that we have Quickscan. In addition to that, we have a Tester edition (for Quality Manager, which comes out when QM is released). Tester edition lives inside QM and QC – similar to DE, but for those products – configuring and launching a scan from within those tools. You create a new security test directly within that environment, and the results are accessible from within those tools; you never need to leave them. Scans from within QC are scheduled; in the future those scans will be run from ASE – so if they own ASE, the scan will run from ASE. The advantage is that they don't need a locally installed version.
Code – to get developers involved in performing tests, there are a few ways we can do it. One is the brand new product, DE – black-box and white-box testing built into the IDE, which gives you the ability to do the testing early in code development. It runs two tests to cover both types of testing.
Patented IBM technology is being embedded: String Analysis, for watching the flow of information through the application as you are testing it. A good analogy is putting dye in your blood and watching where it goes. You understand where the problem is in the code so you can isolate it. Historically this was tricky to do, but we found a way, hence the patent. The other option is ASE Quickscan. The QS environment is built for that too – there may be instances where you don't have access to source code, either because it is not supported yet or because it is a third party – a portal deployment for QS.
Build – automates tests as part of the build process. Say you are getting ready to publish a new test version of an app: you have build scripts that take all the code and deploy it. Sometimes you have to start and stop the web servers or change registry settings (that is what Build Forge does) as part of the automated process, and once that code is deployed, we look at it and point out all the security defects. You could use Quickscan, but with the Build edition it is all automated and doesn't require manual intervention. We expect Build edition to be released at the same time as DE. Whenever security issues are found, they can be pushed into the defect management system.
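To make the "dye in the blood" idea concrete, here is a small worked example of the data-flow (taint) tracking that string analysis builds on, written as an added illustration for this page; it is not IBM's String Analysis, not AppScan code, and its toy program and statement kinds are constructed for the example. Untrusted input is marked at its source, the mark is carried through assignments and string concatenation, dropped by a sanitizer, and reported, with the full line-by-line flow, when it reaches a sensitive sink. The servlet-style program below is constructed, with line numbers standing in for the "line of code" a developer would be pointed to.

```python
"""Toy taint tracking over a straight-line program.

Added example: demonstrates the source -> propagate -> sink idea behind
string/data-flow analysis. Not IBM's String Analysis; the Stmt kinds and
the sample program are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Stmt:
    line: int
    kind: str                 # "source", "assign", "concat", "sanitize", "sink"
    target: str = ""          # variable written (unused for "sink")
    args: Tuple[str, ...] = ()  # variables read (string literals are omitted)
    sink_name: str = ""       # e.g. "XSS", "SQLi" for "sink" statements


@dataclass
class Finding:
    line: int                 # line of the sink call
    sink: str
    trace: List[int] = field(default_factory=list)  # lines the taint flowed through


def analyze(program: List[Stmt]) -> List[Finding]:
    """Return one Finding per sink argument that carries unsanitized source data."""
    taint: Dict[str, List[int]] = {}  # var -> lines the tainted value passed through
    findings: List[Finding] = []
    for s in program:
        if s.kind == "source":
            taint[s.target] = [s.line]                 # inject the dye
        elif s.kind in ("assign", "concat"):
            flow: List[int] = []
            for a in s.args:                           # merge flows of tainted inputs
                for ln in taint.get(a, []):
                    if ln not in flow:
                        flow.append(ln)
            if flow:
                taint[s.target] = flow + [s.line]      # taint survives the operation
            else:
                taint.pop(s.target, None)              # overwritten with clean data
        elif s.kind == "sanitize":
            taint.pop(s.target, None)                  # escaping/validation clears it
        elif s.kind == "sink":
            for a in s.args:
                if a in taint:
                    findings.append(Finding(s.line, s.sink_name, taint[a] + [s.line]))
    return findings


# Constructed sample program (servlet-style pseudo-code, one Stmt per line):
#  10  name     = request.getParameter("name")
#  11  greeting = "Hello " + name
#  12  safe     = escapeHtml(name)
#  13  response.write(greeting)
#  14  response.write(safe)
#  15  query    = "SELECT * FROM users WHERE name='" + name + "'"
#  16  stmt.execute(query)
SAMPLE_PROGRAM = [
    Stmt(10, "source", "name"),
    Stmt(11, "concat", "greeting", ("name",)),
    Stmt(12, "sanitize", "safe", ("name",)),
    Stmt(13, "sink", args=("greeting",), sink_name="XSS"),
    Stmt(14, "sink", args=("safe",), sink_name="XSS"),
    Stmt(15, "concat", "query", ("name",)),
    Stmt(16, "sink", args=("query",), sink_name="SQLi"),
]


def demo() -> List[Finding]:
    """Run the analysis on the constructed program and return its findings."""
    return analyze(SAMPLE_PROGRAM)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line}: {f.sink} reached by untrusted data via lines {f.trace}")
```

Two findings come out: the XSS sink on line 13 (flow 10 → 11 → 13) and the SQL sink on line 16 (flow 10 → 15 → 16); line 14 is silent because the value passed through a sanitizer. A real string analysis models string operations and their effect on what a value can contain rather than a single clean/tainted bit, which is what lets it drop a finding when the concatenation itself makes the sink safe.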
Detailed configuration that can be saved and reused