Go from configuration to scan and results analysis with this quick AppScan Standard editor reference
IBM® Security AppScan® Standard automates application security testing by scanning applications, identifying vulnerabilities, and generating reports with intelligent fix recommendations to ease remediation. It provides static and dynamic application security testing throughout development.
In this article, watch video demonstrations to learn how to configure IBM Security AppScan for a dynamic scan of a new application, then analyze the results of a scan using a five-step process. You can also follow along with a case study that demonstrates using AppScan Standard to scan and test two web applications, then watch a real-life exploration of how an organization uses a combination of AppScan Standard and Source editions to provide the embedded security and analysis necessary to help developers eradicate source code vulnerabilities. There's also a resource for configuring AppScan to test mobile devices.
Technical support engineer Scott Hurd outlines the issues to consider when setting up your first Security AppScan Standard scan, including:
The demo is performed on a test site, but the presenter includes information on scanning a production site.
In "Case study: AppScan security scan of Rational Focal Point," Shivakumar Patil, an IBM Rational Focal Point development team member who has been working on security using Rational AppScan for the last two years, details using IBM Security AppScan Standard edition to test web-based applications and their external endpoints, such as SOAP and REST web services.
To add a mobile component to the mix, IT security professionals Daniel J. Anderson, Carlos Hoyos, and Nader Nassar help you explore different aspects of mobile application security using hands-on examples with AppScan Standard in the article "Secure your mobile applications with IBM Security AppScan Standard." For Android and iOS devices, they explain the types of mobile applications and web services; how to configure user agents, emulators, and the mobile device; how to perform recording and testing; and how to encrypt the transport layer.
Rodney Ryan discusses a simple five-step process to analyze AppScan Standard scan results, using a cross-site scripting (XSS) vulnerability as the example. XSS is a type of computer security vulnerability typically found in web applications. It enables attackers to inject client-side script into web pages, so that they can bypass access control restrictions such as the same-origin policy (which allows scripts originating from the same site to access each other's methods and properties but prevents scripts from other sites from doing so).
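As an added illustration of the reflected XSS pattern Ryan uses for his example (example code written for this overview, not AppScan code and not code from Ryan's presentation), the Python below shows a page handler that echoes a request parameter into HTML without encoding beside the hardened version that applies HTML entity encoding at the output point, and a scanner-style probe check of the kind a dynamic scanner performs: send a benign marker containing the characters that matter for script injection and flag any response that reflects it byte-for-byte. The renderers, the probe string and the page names are all constructed here for the example.

```python
import html


def render_vulnerable(query: str) -> str:
    """Constructed sample page: echoes the user-supplied query into the
    HTML body with no output encoding, the classic reflected XSS defect."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def render_hardened(query: str) -> str:
    """Same page with HTML entity encoding applied where the untrusted
    value meets the markup; quote=True also encodes " and ' so the fix
    holds inside attribute values, not only in element text."""
    safe = html.escape(query, quote=True)
    return f"<html><body><h1>Results for: {safe}</h1></body></html>"


# Probe used by the scanner-style check. It is not a working payload: it only
# contains the delimiters (quote, angle brackets) and a unique marker so that
# an unencoded reflection can be recognised in the response.
PROBE = '"><xyz123>'


def reflected_unencoded(render, probe: str = PROBE) -> bool:
    """True if the response contains the probe exactly as sent.

    An encoded reflection (&quot;&gt;&lt;xyz123&gt;) does not match, so a
    page that applies output encoding passes this check."""
    return probe in render(probe)


def scan(pages: dict) -> list:
    """Run the probe against every page renderer and return the names of
    those that reflect it unencoded, the way a DAST report lists findings.
    `pages` maps a constructed page name to its renderer function."""
    return [name for name, render in pages.items() if reflected_unencoded(render)]


if __name__ == "__main__":
    findings = scan({"search_vulnerable": render_vulnerable,
                     "search_hardened": render_hardened})
    print("Pages reflecting the probe unencoded:", findings)
    print("Hardened output:", render_hardened(PROBE))
```

The check is deliberately the same shape as the manual step one takes when triaging a scanner finding: resend the flagged request with a harmless marker and confirm whether the response encodes it. A finding that survives that confirmation is the one worth escalating; the fix is output encoding in the context where the value is rendered, as `render_hardened` shows.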
The steps include:
Sean Poris of The College Board discusses how his organization uses IBM Security AppScan Standard and IBM Security AppScan Source Editions to provide the embedded security and analysis necessary to help developers eradicate source code vulnerabilities at the not-for-profit, membership-driven institution.
The College Board is best known through its flagship products, SAT and AP tests. The IT environment at the College Board supports approximately 200 different applications, custom and off the shelf; there is a broad infrastructure to support those applications. The infrastructure has hundreds of servers in a data center off site, and they are currently working on a virtualization initiative to reduce the physical footprint of those servers. The Board uses IBM Rational® products to enable the development life cycle of a variety of web applications and non-web applications, data warehouse, front-end applications, and mobile apps.
According to Poris, security is really crucial to consider upfront within the development life cycle. One of the challenges the Board has is to be able to empower the developers earlier in the life cycle to identify vulnerabilities and eradicate them from the source code.
The Board uses AppScan Standard to attack its site—to come into the website like an attacker, map out what an attacker could potentially do, and then run automated scripts to find out if there are any vulnerabilities in the site. The Board combines AppScan Standard's capabilities with AppScan Source, which performs static analysis and essentially interrogates source code looking for vulnerability paths within that source code.