IBM Software Group

Introduction to AppScan Enterprise

© 2007 IBM Corporation


Contents
- The Application Security Problem
- What is AppScan Enterprise?
- Main Features
- How does AppScan Enterprise work?
- Key Concepts and Terminology
- User Interface Tour

The Web Application Security Reality

Security Spending

                    % of Attacks   % of Dollars
Web Applications    75%            10%
Network / Server    25%            90%

75% of All Attacks on Information Security Are Directed to the Web Application Layer

2/3 of All Web Applications Are Vulnerable

Sources: Gartner, Watchfire

Web Application Security Challenges

1 Security Team Has Become a Bottleneck
2 Lack of Control and Visibility
3 Catching Problems Late in the Cycle
4 Not Monitoring Deployed Applications
5 Difficulty Managing 3rd Party Vendors

Solving The Problem Requires a Strategic Approach

Web Application Security Evolution (stages, from least to most mature)

Unaware
Outsourced
- Consultants
- Pen Testing
Tactical
- Manual Efforts, Desktop Audit Tools
- 2-3 Internal Security Experts
Strategic
- Enterprise-Wide
- Scalable Solution

What is AppScan Enterprise?

Three functions built around the Security Team:
- INFORM: push reports to developers, QA, and non-security staff
- SCALE: reuse and run multiple scans across applications
- MONITOR: manage problem resolution through AppScan Enterprise trending reports

Integrate Web Application Security in the SDLC

AppScan Enterprise – Key Features & Benefits

1 Controlled, Web-based Application Testing
  - Enable Development and QA to perform testing during the SDLC
  - Control what applications each user can test

2 Controlled, Web-based Report Distribution
  - Easily distribute reports
  - Control access to the information in them

3 Enterprise Metrics and Visibility
  - Increase visibility and better understand enterprise risks

4 Issue Management
  - Focus on fixing issues, not just finding them

Multiple Report Levels
- Dashboards
- Report Pack Summaries
- Detailed Reports
- "About this…" Reports

Report Categories
- Inventory Reports
  - Broken Links
  - Hosts
  - Pages
  - etc.
- Security Reports
  - Application Security Issues
  - Infrastructure Security Issues
  - Remediation Tasks
  - Security Risk Assessment
- Compliance Reports
  - Safe Harbour
  - Sarbanes-Oxley Act (SOX)
  - Visa CISP
  - etc.

User Roles and Access Permissions

- Control access to information
- Assign user roles
- Specify what applications a user can scan
- Specify what types of tests a user can perform

Diagram: example roles connected to AppScan Enterprise: Security Manager, Compliance Officer, Pen Tester, Developer

What does AppScan Enterprise test for?

- Web Applications
- Third-party Components
- Web Server Configuration

Diagram: the full stack behind a site (Web Server, Database, Applications, Operating System, Network); AppScan Enterprise covers the three layers listed above

How does AppScan Enterprise work?
- Traverses a web application by following the links and forms it discovers
- Approaches the application as a black box: it sees only HTTP requests and responses, not source code
- Tests by sending modified HTTP requests and examining the responses
- Thousands of tests for identifying hundreds of vulnerabilities

Diagram: HTTP Request from AppScan Enterprise to the Web Application (Web Servers, Application, Databases behind it); HTTP Response back

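The mechanism in the bullets above, as an added example that is not IBM's code and is not how AppScan Enterprise is implemented internally: a toy black-box scanner that crawls a site by following links, records what it reached (the raw material of the inventory reports: pages and broken links), then re-sends each discovered request with one query parameter replaced by a probe string and checks the HTTP response for the probe coming back unescaped. The target is a constructed, deliberately vulnerable WSGI application driven in-process (hypothetical paths `/search`, `/about`, `/old`), so the example runs offline; the same crawler and probe logic would work against a real site through any HTTP client.

```python
"""Added example (not IBM's code): a minimal black-box web scanner driven
against a constructed in-process WSGI target.  Nothing here touches the
network; the scanner only sees HTTP requests and responses, as the slide
describes."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit
from wsgiref.util import setup_testing_defaults


def make_target_app(escape_output):
    """Constructed target (hypothetical).  With escape_output=False the
    /search page reflects ?q= into HTML unescaped; /old is a dead link."""
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        query = dict(parse_qsl(environ.get("QUERY_STRING", "")))
        status = "200 OK"
        if path == "/":
            body = ('<a href="/search?q=test">search</a> '
                    '<a href="/about">about</a> <a href="/old">old page</a>')
        elif path == "/search":
            q = query.get("q", "")
            body = "<p>Results for %s</p>" % (escape(q) if escape_output else q)
        elif path == "/about":
            body = "<p>About us</p>"
        else:
            status, body = "404 Not Found", "<p>not found</p>"
        start_response(status, [("Content-Type", "text/html")])
        return [body.encode()]
    return app


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags in a response body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def http_get(app, url):
    """Issue one GET to the in-process app; returns (status line, body text)."""
    parts = urlsplit(url)
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = parts.path
    environ["QUERY_STRING"] = parts.query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def crawl(app, start="/"):
    """Traverse the application from `start` by following every link found.
    Returns {url: (status, body)} for each page reached."""
    pages, queue = {}, [start]
    while queue:
        url = queue.pop(0)
        if url in pages:
            continue
        pages[url] = http_get(app, url)
        extractor = LinkExtractor()
        extractor.feed(pages[url][1])
        queue.extend(urljoin(url, link) for link in extractor.links)
    return pages


def broken_links(pages):
    """Inventory: crawled URLs that answered with anything but 2xx/3xx."""
    return sorted(url for url, (status, _) in pages.items()
                  if not status.startswith(("2", "3")))


# Probe chosen so it cannot occur in normal page text; if it comes back
# verbatim (not entity-encoded) the parameter is reflected into HTML unescaped.
XSS_PROBE = '<ase"probe>'


def probe_reflected_xss(app, pages):
    """For every crawled URL, re-send the request with each query parameter
    replaced by the probe and look for the probe in the response body."""
    findings = []
    for url in pages:
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query))
        for name in params:
            mutated = dict(params, **{name: XSS_PROBE})
            test_url = parts._replace(query=urlencode(mutated)).geturl()
            _, body = http_get(app, test_url)
            if XSS_PROBE in body:
                findings.append((parts.path, name))
    return findings


def scan(escape_output=False):
    """Run the whole pipeline: crawl, inventory, then active tests."""
    app = make_target_app(escape_output)
    pages = crawl(app)
    return {"pages": sorted(pages), "broken_links": broken_links(pages),
            "reflected_xss": probe_reflected_xss(app, pages)}


if __name__ == "__main__":
    print(scan(escape_output=False))  # finds ('/search', 'q')
    print(scan(escape_output=True))   # same site with output encoding: no finding
```

Running `scan()` against the unescaped target reports four pages, one broken link (`/old`) and one reflected parameter (`/search`, `q`); switching the target to escape its output produces the same inventory and no finding, which is the kind of before/after a developer would use to confirm a fix from a remediation task.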
AppScan Enterprise Architecture

Diagram: Clients (browsers) connect to the AppScan Enterprise server, which scans the Target Sites

Terminology
- Content Scan Job
- Infrastructure Scan Job
- Import Job
- Report Pack
- Dashboard
- Folder

Jobs, Report Packs, Reports & Dashboards

Diagram: jobs produce scan data, report packs turn that data into reports, and dashboards aggregate report packs. Elements shown: Job1 (Security Scan), Job2 (Security Data Import), Job3 (Security Scan) and Job4 (Infrastructure Scan); Report Pack 1, Report Pack 2 and Report Pack 3; Dashboard 1 and Dashboard 2, the latter labelled Global.

Web-Based User Interface

Navigate to the AppScan Enterprise console in a browser, e.g. http://aseserver/appscan (in production the console should be served over HTTPS, since credentials are entered here).

Enter your user name and password.

Quick Scan vs. Advanced View
- The UI mode is set in the user's properties
- Quick Scan View
  - Makes it easier to create a scan by abstracting complexity
  - Leverages scan templates created by the administrator
  - Reduces scan configuration time
  - Suitable for developers and QA specialists who create ad-hoc scans
- Advanced View
  - Exposes all scan options
  - Suitable for administrators and advanced users