Rational AppScan & Policy Tester
Posted on 11-Sep-2014
IBM Rational AppScan & Policy Tester
© 2009 IBM Corporation
Charles Lupton, Watchfire Sales Manager, UK & Ireland
Gareth O’Sullivan, Technical Consultant, Application Security & Compliance
IBM Rational AppScan
IBM Software Group | Rational software
Watchfire Overview
• Who were Watchfire:
  • Market leader in application security
  • Provider of application security and compliance software and services
• Background:
  • Founded 1996, 200+ employees, headquartered in Boston, MA; acquired by IBM in June 2007
  • Created the first automated web application security testing product
• Products include:
  • Application security solutions – AppScan
  • Privacy and compliance solutions – Policy Tester (formerly WebXM/Bobby)
#1 in Market Share for Application Security – Gartner & IDC
Best Security Company
Rational AppScan Press Coverage
• Software Test and Performance Magazine: Rockstars of Testing, November 2008
  • Code Analysis: IBM Rational Software Analyzer Developer Edition (Winner)
  • Security Testing: IBM Rational AppScan Standard Edition (Winner)
  • SOA/Web Services Testing: IBM Rational Tester for SOA Quality (Winner)
  • Load/Performance Testing: IBM Rational Performance Tester (Runner-up)
How would your clients feel if this happened to them?
• Monster.com lost 4.5m records in February 2009
• Panasonic web site hacked & prices turned to pennies, Feb 2009
• American Express hit by XSS bugs, Dec 2008
• BT web site hacked by prominent hacker, Mar 2009
• US arm of RBS faces £141m lawsuit after admitting hackers breached web site, Mar 2009
• Sony PlayStation site hit by SQL injection attack, July 2008
What impression does this give? What damage does it do to the brand? Would you use these web sites again? Who gets the phone call when this happens?
Web Compliance Standards increasingly important
• Past customer spending has focused on network security, yet 75% of attacks come through web applications.
• Every lost record costs the organization that lost it $138 USD.
• Nearly 45% of security incidents are caused by privileged, ‘inside’ users.
• 40-60% of user accounts are “orphan” accounts, i.e. accounts not belonging to active users.
“We estimate that 90 percent of externally accessible applications today are Web-enabled, and that two-thirds of them have exploitable vulnerabilities.”
— Gartner Group
Vulnerabilities are growing at an alarming rate
3 Benefits of AppScan
1. Assists in compliance procedures:
• AppScan covers requirements 6.6 and 11 of the PCI DSS (maintaining secure systems and regularly testing them), so its results can feed into a PCI compliance process
• Provides remediation guidance on all defects and 40 different compliance reports
• Provides a proven audit trail
• Automates the compliance process
3 Benefits of AppScan
2. Security threats:
• Dynamic web sites are constantly changing
• 75% of companies are expected to experience a security threat before 2012 (Gartner)
• Identifies internal threats as well as external threats, i.e. intranets and extranets as well as internet-facing sites
• Highlights top threats such as XSS and SQL injection
3 Benefits of AppScan
3. Reduces costs:
• Through automation – scanning is quicker and less prone to human error
• Application security improves application functionality and time to market
• Reduces the cost of external resources such as pen testers
• Secure apps reduce the risk and cost of brand damage
• Finding security defects early saves money
• The internet has to be maintained as a channel to market
IBM Rational AppScan SDLC Ecosystem - AppScan versions
(Diagram: the AppScan editions placed along the four SDLC phases Code, Build, QA and Security.)
• Code – Build security testing into the IDE
  • AppScan Developer Ed (Eclipse IDE), alongside Eclipse/RAD and Source Control
• Build – Automate security / compliance testing in the build process
  • AppScan Build Ed, alongside the Build System
• QA – Security / compliance testing incorporated into testing & remediation workflows
  • AppScan Tester Ed (RQM/HPQC), alongside Rational ClearQuest / Defect Management
• Security – Security and compliance testing, oversight, control, policy, in-depth tests
  • AppScan Standard Ed (desktop), AppScan Express (desktop), AppScan Ent. QuickScan (web client), AppScan Enterprise user (web client), scanning agent
• Spanning all phases: IBM Rational AppScan Enterprise / Reporting Console; IBM Rational Web Based Training for AppScan
Software as a Service (SaaS) - AppScan OnDemand
• Alternative to software purchase - outsourced model
• Hosting outsourced to IBM/Rational
  • IBM performs setup, hardware, upgrades, maintenance and backups, removing these tasks from the client
• Software is rented from IBM
  • No licence entitlement
• IBM performs product installation
• IBM keeps the product up to date with service packs and product upgrades
• Product configuration partially outsourced to IBM/Rational via the Solution Management service
  • Collaborative model in which IBM configures the product and/or assists the client with production configuration
• IBM supports the client as needed (customer success)
  • The client can contract for additional Solution Management hours if a complete outsourcing model is desired
Security/Compliance Scanning – SaaS
(Diagram: the Policy Tester / ASE (AppScan Enterprise) process, delivered as a Solution Management service with customer focus.)
The scanning cycle shown:
1. Job configuration
2. Scan site
3. Store data
4. Analyze reports
5. Filter and prioritize issues
6. Fix issues
7. Generate reports (measure progress), then repeat from step 1
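Added example, not AppScan's or IBM's own code, tying together the build-process integration on the SDLC ecosystem slide and the scan / filter-and-prioritise / fix / measure-progress cycle on this slide. It is a small Python triage script over constructed scan findings: it deduplicates findings that a crawler reports several times, orders them by severity, diffs two scans to show what was fixed, what is new and what persists, and applies a build gate. The record layout and field names (issue_type, url, parameter, severity) are assumptions for illustration, not AppScan's export format.

```python
"""Added example (not AppScan code): triage of dynamic-scan findings.

Models the workflow on the slides: scan -> filter and prioritise issues ->
fix -> re-scan and measure progress, plus a build gate for the build-process
integration. The finding records and their field names are constructed
assumptions, not any tool's real export format.
"""
from collections import Counter

# Assumed severity scale; higher rank sorts first.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0}

# Constructed sample data: two scans of the same site, one release apart.
PREVIOUS_SCAN = [
    {"issue_type": "SQL Injection", "url": "/login", "parameter": "user", "severity": "high"},
    {"issue_type": "Cross-Site Scripting", "url": "/search", "parameter": "q", "severity": "high"},
    {"issue_type": "Cookie without HttpOnly flag", "url": "/", "parameter": "JSESSIONID", "severity": "low"},
]
CURRENT_SCAN = [
    # The same XSS reached via two crawl paths; a scanner often reports both.
    {"issue_type": "Cross-Site Scripting", "url": "/search", "parameter": "q", "severity": "high"},
    {"issue_type": "Cross-Site Scripting", "url": "/search?page=2", "parameter": "q", "severity": "high"},
    {"issue_type": "Cookie without HttpOnly flag", "url": "/", "parameter": "JSESSIONID", "severity": "low"},
    {"issue_type": "Directory Listing", "url": "/static/", "parameter": "", "severity": "medium"},
]


def finding_key(finding):
    """Identity of a finding: issue type, URL path (query string dropped), parameter."""
    path = finding["url"].split("?", 1)[0]
    return (finding["issue_type"], path, finding["parameter"])


def dedupe(findings):
    """Collapse duplicate reports of one finding, keeping the highest severity seen."""
    merged = {}
    for finding in findings:
        key = finding_key(finding)
        if key not in merged or SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[merged[key]["severity"]]:
            merged[key] = finding
    return list(merged.values())


def prioritise(findings):
    """Sort by severity (high first), then type and location, so reports are stable run to run."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f["severity"]], f["issue_type"], f["url"], f["parameter"]),
    )


def diff_scans(previous, current):
    """Measure progress between two scans: what was fixed, what is new, what persists."""
    prev = {finding_key(f): f for f in dedupe(previous)}
    curr = {finding_key(f): f for f in dedupe(current)}
    return {
        "fixed": prioritise([prev[k] for k in prev.keys() - curr.keys()]),
        "new": prioritise([curr[k] for k in curr.keys() - prev.keys()]),
        "persisting": prioritise([curr[k] for k in curr.keys() & prev.keys()]),
    }


def severity_counts(findings):
    """Per-severity totals for a progress report."""
    return Counter(f["severity"] for f in findings)


def build_gate(current, max_allowed="medium"):
    """Build-process gate: True only if no deduplicated finding exceeds max_allowed."""
    limit = SEVERITY_RANK[max_allowed]
    return all(SEVERITY_RANK[f["severity"]] <= limit for f in dedupe(current))


if __name__ == "__main__":
    report = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for bucket in ("new", "persisting", "fixed"):
        print(bucket, [f"{f['severity']}: {f['issue_type']} {f['url']}" for f in report[bucket]])
    print("counts", dict(severity_counts(dedupe(CURRENT_SCAN))))
    print("build passes gate:", build_gate(CURRENT_SCAN))
```

The key deliberately drops the query string so that the same injectable parameter reached through different crawl paths counts once; the gate runs on deduplicated findings so a noisy crawl cannot inflate the count, and the scan diff is what a "measure progress" report needs between releases.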