Rational AppScan & Policy Tester


Post on 11-Sep-2014


Page 1: Rational App Scan&Policy Tester

®

IBM Rational AppScan & Policy tester

© 2009 IBM Corporation

Charles Lupton, Watchfire Sales Mgr UK & Ireland

Gareth O’Sullivan, Technical Consultant Application Security & Compliance

IBM Rational AppScan

Page 2: Rational App Scan&Policy Tester

IBM Software Group | Rational software

Watchfire Overview

• Who were Watchfire:
  • Market leader in application security
  • Provider of application security and compliance software and services

• Background:
  • Founded 1996, 200+ employees, headquartered in Boston, MA, acquired by IBM in June 2007.
  • Created the first automated Web Application Security testing product
  • Products include:
    • Application security solutions – AppScan
    • Privacy and compliance solutions – Policy Tester (Formerly WebXM/Bobby)

#1 in Market Share for Application Security – Gartner & IDC

Best Security Company

Page 3: Rational App Scan&Policy Tester

Rational AppScan Press Coverage

• Software Test and Performance Magazine: Rockstars of Testing November 2008
  • Code Analysis: IBM’s RATIONAL SOFTWARE ANALYZER DEVELOPER EDITION (WINNER)
  • Security Testing: IBM’s RATIONAL APPSCAN STANDARD EDITION (WINNER)
  • SOA/Web Services Testing: IBM’s RATIONAL TESTER FOR SOA QUALITY (WINNER)
  • Load/Performance Testing: IBM's RATIONAL PERFORMANCE TESTER (RUNNER-UP)

Page 4: Rational App Scan&Policy Tester

How would your clients feel if this happened to them?

• Monster.com lost 4.5m records in February 2009

• Panasonic web site hacked & prices turned to pennies Feb 2009

• American Express hit by XSS bugs Dec 2008

• BT web site hacked by prominent hacker Mar 2009

• US arm of RBS faces £141m lawsuit after admitting hackers breached web site Mar 2009

• Sony PlayStation site hit by SQL injection attack July 2008

What impression does this give? What damage does it do to the brand? Would you use these web sites again? Who gets the phone call when this happens?

Page 5: Rational App Scan&Policy Tester

Web Compliance Standards increasingly important

• Past customer spending has focused on network security - yet 75% of attacks come through Web applications.

• Every lost record costs $138 USD to the organization that lost it.

• Nearly 45% of security incidents are caused by privileged, ‘inside’ users.

• 40-60% of user accounts are “orphan” accounts—those not belonging to active users.

“We estimate that 90 percent of externally accessible applications today are Web-enabled, and that two-thirds of them have exploitable vulnerabilities.”

— Gartner Group

Vulnerabilities are growing at an alarming rate

Page 6: Rational App Scan&Policy Tester

3 Benefits of AppScan

1. Assists in compliance procedures:-

• AppScan covers requirements 6.6 and 11 of the PCI DSS (maintaining secure systems and regularly testing them), so AppScan can feed into a PCI compliance process

• Provides remediation on all defects and 40 different compliance reports

• Provides a proven audit trail

• Automates the compliance process

Page 7: Rational App Scan&Policy Tester

3 Benefits of AppScan

2. Security threats:-

• Dynamic web sites are constantly changing

• 75% of companies are expected to experience a security threat before 2012 (Gartner)

• Identifies internal threats as well as external threats, i.e. intranets and extranets

• Highlights top threats such as XSS and SQL injection

Page 8: Rational App Scan&Policy Tester

3 Benefits of AppScan

3. Reduces Costs:-

• Through automation – scanning is quicker and less prone to human error

• Application security improves application functionality and time to market

• Reduces the cost of external resources such as pen testers

• Secure Apps reduce the risk and cost of brand damage

• Finding security defects early saves money

• The internet has to be maintained as a channel to market

Page 9: Rational App Scan&Policy Tester

[Diagram: IBM Rational AppScan SDLC Ecosystem - AppScan versions; the original slide is a graphic that extraction flattened into scattered labels.]

SDLC phases shown: Build, Code, Security, QA.

• Build: Automate Security / Compliance testing in the Build Process (AppScan Build Ed, integrated with the Build System)
• Code: Build security testing into the IDE (AppScan Developer Ed in the Eclipse IDE; Eclipse/RAD; Source Control)
• QA: Security / compliance testing incorporated into testing & remediation workflows (AppScan Tester Ed with RQM/HPQC; AppScan Ent. QuickScan web client)
• Security: Security and Compliance Testing, oversight, control, policy, in-depth tests (AppScan Standard Ed desktop; AppScan Express desktop; AppScan Enterprise user web client and scanning agent; AppScan Ent. QuickScan web client)

Shared across phases: IBM Rational AppScan Enterprise / Reporting Console; Rational ClearQuest / Defect Management; IBM Rational Web Based Training for AppScan.

Page 10: Rational App Scan&Policy Tester

Software as a Service (SaaS) - AppScan OnDemand

• Alternative to Software Purchase - Outsourced Model
  • Hosting outsourced to IBM/Rational
  • IBM performs setup, hardware, upgrades, maintenance, backups—removing these tasks from client

• Software is rented from IBM
  • No license entitlement
  • IBM performs product installation
  • IBM keeps product up to date with application of Service packs and product upgrades

• Product configuration partially outsourced to IBM/Rational via Solution Management service
  • Collaborative model in which IBM configures product and/or assists client in production configuration

• IBM supports client as needed = customer success
  • Client can contract for additional Solution Mgmt hours if complete outsourcing model is desired

Page 11: Rational App Scan&Policy Tester

Security/Compliance Scanning – SaaS

[Diagram: Policy Tester / AppScan Enterprise (ASE) process cycle; the original slide is a graphic that extraction flattened into repeated labels.]

Process steps shown: Scan Site; Analyze Reports; Filter and Prioritize Issues; Generate Reports (Measure Progress); Store Data; Fix Issues.

Surrounding labels: AppScan Enterprise; Job Configuration; Customer Focus; Solution Management.