Dear Readers,
The article I would like to introduce is about IBM's Appscan Enterprise.
Introduction:
We often talk about securing a web application and discuss tools which can help us identify specific vulnerabilities. However, the problem gets interesting if we need to scale the solution and conduct assessment of web applications at an organizational level; where we need to certify applications every single time there is change in the application code.
There are several tools which can help us integrate application security in the SDLC and help us monitor the health of the organization via a dashboard. In this paper, we will be discussing IBM’s Appscan enterprise [1].
Appscan Enterprise
IBM’s Appscan enterprise enables organizations to manage and mitigate application security risks and achieve regulatory compliance. As shown below, Appscan enterprise uses dynamic analysis scanner (DAST) to conduct the pen-testing of web-applications & web-services. Similarly, the static source analysis (secure code review) can be conducted with Appscan source and results can be pushed to Appscan enterprise. It can also aggregate & correlate the results of static (white-box) and dynamic analysis (black-box) for enhanced reporting. Appscan enterprise provides detailed security reports and enterprise level dashboard to review the risks across the organization.
Figure 1: Appscan eco-system
Figure 2: Dyamic analysis scanner w/ Appscan enterprise
Figure 3: Integrating web-application security in the SDLC
Appscan enterprise components
Dynamic Agents
Dynamic agents perform dynamic scan of the web-application. There are various configuration options available to optimize the scan. It performs active and passive scanning as per the selected policy. It sends request with pre-built payloads and analyze response to identify security gap.
To kick off the scan one can select from preconfigured template like quick scan, comprehensive scan etc. It can conduct authenticated as well un-authenticated scanning. If we provide credentials, it will scan post login pages and identify vulnerabilities like privileged escalation. Once you provide the UR, the tool automatically crawls the pages. It has a “Manual Explore” option, in which user can walk through various web-application pages and limit the scan to a particular use case.
Users can configure various application related details (web-servers, application servers, database, Operating systems, and production vs test application), before conducting the scan. This step will help dynamic scanner to be more precise in selecting payloads and will reduce scan time. If that’s not provided beforehand, after analysis phase it will give certain recommendation to edit configuration for example remote web server, application technology etc. Along with this, it provides option to configure various details like exclude path or URL so mentioned path will not get scanned.
Dynamic agents are the independent components and can be installed on system where appscan enterprise is not available. Once the dynamic agents get installed it needs to be registered in the appscan enterprise. In the current version of appscan enterprise (8.8) some changes have been made in the architecture to improve performance. In the earlier version of appscan all the scanned data was stored in the central SQL database which can be on the local or remote machine. This approach is time consuming, since dynamic agents have to connect to a remote machine and push the scan results. In the current version a local database file is created at the start of the scan, so local database holds the information for each job and sends the data to the main SQL server database when the scan is completed.
Agent comprises of two components Agent service and agent. Agent is created by agent service for running the scan. Agent service monitor SQL server database for jobs to run. It will send email to user on registered email id once scan gets completed or suspended.
Agents and services are used by different component of IBM appscan enterprise like security analysis, developer plugin, and automation. These components can be used during different phases of SDLC which will see in the next section.
Appscan source
Appscan source is a static code analyzer, it scans the application source code and detects security vulnerabilities using techniques like Data flow analysis, control flow analysis, Inter-procedural analysis and pattern based semantic analysis etc.
There are 4 different Appscan source products:
1. Appscan source for remediation
2. Appscan source for developers
3. Appscan source for automation
4. Apspcan source for analysis
Appscan source for remediation:
This plug-in is useful for all application developers who need to review application security findings in their code and fix them. Appscan source for remediation can integrate with the IDE like eclipse and visual studio, such that developers can navigate to the vulnerable line of code, view the remediation assistance and fix the issues directly from their IDE.
Appscan source for developers:
In addition with all the functionalities provided by ‘AppScan source for remediation’, this plug-in provide scanning feature, so developers can configure and setup scan in their code while developing the application using IDE like eclipse, visual studio. This plug-in is useful for senior developers and technical leaders, who need to scan/rescan the application code to generate and verify the findings of their team members.
Appscan source for automation:
Appscan source for automation is useful for build engineers. It has an automation server component which enables code scanning directly from the build environment or during continuous integration. The automation server can integrate with ANT, MAVEN and MAKE. It provides a command line interface which can integrate with build environments like Jenkins, Team foundation server.
Appscan source for analysis:
This tool is helpful for senior developers and analysts. As opposed to a plug-in, this is a desktop tool which allows scan configuration, validation and triaging of applications. It also provides administration and features like user management, advanced triaging and creation of custom rules.
Appscan source work-flow:
Application developers can conduct scan of various programming languages including Android, Java, client side java script, JSP, cold fusion, C, C++, .NET, Classic ASP, PHP, Perl, Visual basic 6 etc.
Appscan source work-flow involves four steps: scan, triage, assign and remediate.
First, a user configures the application and resolves all the dependencies and then scans the source code. After a successful scan, a user will triage the findings to remove false positives from the scan. To ensure the scan coverage, it is essential to write proper custom rules, filters during this stage. Once the real issues are identified, they can be saved in bundles and assigned to the respective developers for remediation. Developers can load the bundles in their IDE using appscan plug-ins. They can remediate the issues by writing security functions and removing flaws. This iterative process will be repeated until all the critical issues are fixed.
Figure 4: Appscan source work-flow
Appscan Reports
Appscan enterprise generates over 40 reports, which can help the senior management and application developers check the health of the application and ensure that their organization meets the industry standard. These reports can be categorized as following:
Compliance Reports
-CWE SANS Top 25 2010
-OWASP Top 10 2007
-OWASP Top 10 2010
-PCI Data Security Standard V1.1
Security Reports
-Application Security Issues report
-Remediation Tasks report
-Security Issues report
-Security Risk Assessment report
-Code Analysis Security Issues report
-Static Analysis Security Issues report
-Correlated Security Issues report
Inventory Reports
-Authentication Points report
-Broken Links report
-File Inventory report
-HTTPS Servers Cipher Suites Details report
-Pages report
-Pages with Unfilled Forms
-Third-Party Links report
-Web Applications report
-Web Servers report
-Website Technologies report
Appscan reports data can be exported in XML file, Excel spreadsheet, pdf or CSV file so it can be consumed & shared among various stakeholders like Dev team, QA team, Internal & external auditors.
Enterprise Metrics
Enterprise metrics provide high level view of the organization security posture. A dashboard view can help managers to develop security strategy.
Organizations often want to slice & dice different application security information and derive the knowledge. An organization may have a lot of applications and based on the nature of the application it can be categorized. For example applications which are facing externally i.e. accessible over internet are of greater concerned than the ones which are limited to internal access. For medium and big organization scenario is even more complex. For example applications which are accessible over internet may have security concerns based on the framework and technology it’s using. And these applications can be further divided according to organization structure.
Few organizations want to focus more on OWASP Top 10 or may follow OSSTMM. So based on the predefined criteria application can be categorized to different security policy. Sometime business wants to first remediate applications with high risk vulnerabilities for example SQL injection and cross site scripting. Another important aspect from the manager perspective is occurrence of the particular security issue during periodic scan of an application. For instance application is set to periodic scan for every 30 days. Once scan is over report is shared with developer and they remediate the identified issues. In the next scan all of the security issues or some them show up again which should not be the case if developer remediated during first cycle. This can be due to reasons like developer might not have applied fix efficiently or there may be some gap in the application change management policy. By analyzing application scan result over periodic time can led manager to some conclusion and helps to identify policy gaps. So as we have seen at various level of organization there is different need for matrix.
Now let’s see features provided by app scan enterprise to fulfill organization requirement. In appscan once you run the scan it creates report pack which is having reports consisting identified vulnerabilities. The applications for which you want dashboard or matrix you have to create dashboard and include relevant report packs.
In dashboard it gives vulnerability bar showing high/medium/low severity vulnerabilities for each application. It gives total count of vulnerabilities based on the severity across all application. As we have seen sometimes organization is more concerned to particular vulnerabilities and wants to remediate those on priority. Appscan gives list of top security issues along with the count across the enterprise. Appscan has list of threat classes in which vulnerabilities are categorized based on the similar threat and it displays total count for each class.
Appscan gives details on the identified vulnerabilities and divide it between modules such as application security issues, infrastructure security issues, security risk assessment, static analysis security issues and correlated security issues. It shows vulnerabilities which are violating compliance like OWASP, HIPPA, PCI and GLBA. Hence as we have seen appscan helps to create individual dashboard as per user needs and helps the organization focus on the various issues based on the priority.
Conclusion
Organizations often look for scalable solutions for their software security initiatives. There are several tools in the industry: open source & licensed based.
This article highlighted the merits of IBM’s Appscan enterprise. This tool is easy to setup and compatible with popular operating systems and databases. Appscan enterprise provides components for different audience like security analysis, developer plugin and automation. All scanners have limitation of producing false positive and Appscan is no exception in that, but with proper scan configuration, custom rules & filters, one can lower the false positive ratio.
IBM Appscan enterprise does not replace the need of security professionals but can expedite the dynamic & static assessments of the applications and provide the dash-board summary of all applications in the organization.
Reference:
http://pic.dhe.ibm.com/infocenter/asehelp/v8r8m0/index.jsp
Mr. Bhaumik Shah is an information security consultant. Bhaumik has over 5 years of professional experience in Information Security Consulting, Enterprise Risk Assessments across industries such as Banking & Finance, BPO, Manufacturing, Telecom, FMCG and Information Technology. His research interests fall mainly in the field of Information Security and new technologies. Bhaumik is currently member of ISACA and he is also CISA and CEH certified. You can reach him at [email protected].
Mr. Ashutosh Agrawal works at Cigital Inc as a senior consultant in the Washington DC area. He has deployed Appscan enterprise at several fortune 500 clients, trained them and helped them mature their information security program. His areas of interest are web penetration testing and code review. He can be reached at: [email protected]
Author
