Track Keynote for the Application Security & Compliance Track at the IBM Rational Software Conference 2009
More and more we rely on Web-based software and systems to run business processes, conduct transactions and deliver sophisticated services to customers. Unfortunately, in the race to stay ahead of competitors, we often give little or no attention to ensuring that these applications don't compromise our security or compliance by introducing exploitable vulnerabilities that can be used to compromise confidential company information or sensitive client data. The most efficient way to stay ahead of application security and compliance is to build software securely from the ground up. Unfortunately, application security is often an afterthought, "bolted on" at the end of the software development process rather than "built in" across the entire development and delivery cycle, resulting in vulnerabilities that are found late -- if at all -- where they pose the greatest threats and are significantly more costly to repair.
In this track we will focus on the fundamentals of application security - common attack types, how to defend against these attacks, secure coding practices, identifying vulnerabilities through a combination of manual and automated approaches, what to do when vulnerabilities have been identified, and best practices for integrating security testing into application development. We will also delve into emerging threats in Web 2.0 environments, SOA security and the inherent risks of Web-enabling legacy applications.
2. IBM Rational Software Conference 2009
Today’s Agenda
Strategic Trends in Application Security
Best Practices and Strategies
Vision and Roadmap for 2009 and Beyond
ASC01
3. IBM Rational Software Conference 2009
Changing security landscape creates complex threats
Web-enabled Applications Drive the Need for Security
New applications are increasing the attack surface
Complex Web applications create complex security risks
Making applications more available to “good” users makes them more available to “bad” users
Web attacks are evolving to blended attacks (i.e. planting of malware on legitimate web sites)
4. IBM Rational Software Conference 2009
2009 Web Threats Take Center Stage
Web application vulnerabilities represent the largest category in vulnerability disclosures (55% in 2008)
5. IBM Rational Software Conference 2009
Growth of Web Application Vulnerabilities
SQL injection vulnerability disclosures more than doubled in comparison to 2007
The number of active, automated attacks on web servers was unprecedented
6. IBM Rational Software Conference 2009
Webapp Exploitation is Cheaper and Easier than Alternatives
7. IBM Rational Software Conference 2009
Exploitation of SQL injection skyrocketed in 2008
Increased by 30x from the midyear to the end of 2008
8. IBM Rational Software Conference 2009
Application Security Maturity Model
(Chart: maturity plotted against time across four phases, Unaware, Corrective phase, Bolt on phase and Built in phase; the percentages shown on the chart are 20%, 50%, 20% and 10%; duration 2-3 years.)
9. IBM Rational Software Conference 2009
Driver #1 – Cost Benefits of Early Detection
10. IBM Rational Software Conference 2009
Driver #2 – Need to Scale
(Chart: the number of people involved and the % of applications tested grow from Low to High across three phases. Phase 1: Security Team. Phase 2: QA Team and Security Team. Phase 3: Development Team, QA Team and Security Team.)
11. IBM Rational Software Conference 2009
IBM Rational Vision and Roadmap for Application Security
12. IBM Rational Software Conference 2009
Securing a smarter planet
Globalization and Globally Available Resources
Billions of mobile devices accessing the Web
Access to streams of information in Real Time
New Forms of Collaboration
New possibilities. New complexities. New risks.
13. IBM Rational Software Conference 2009
Key Focus Areas
1. Build security into the development lifecycle
Development, QA, Security audit, Production monitoring and defense
2. Composite analysis technology for automation
Integrated blackbox, whitebox and runtime analysis
3. Provide multiple delivery options
Software, software as service, consulting, appliance/IPS
14. IBM Rational Software Conference 2009
IBM Rational AppScan End-to-End Web Application Security
Lifecycle stage – product – role:
REQUIREMENTS – Req’ts Definition (security templates) – Security requirements defined before design & implementation
CODE – AppScan Developer (desktop) – Build security testing into the IDE
BUILD – AppScan Build (scanning agent) – Automate Security / Compliance testing in the Build Process
QA – AppScan Tester (scan agent & clients) – Security / compliance testing incorporated into testing & remediation workflows
SECURITY – AppScan Standard (desktop) – Security & Compliance Testing, oversight, control, policy, audits
PRODUCTION – AppScan OnDemand (SaaS) – Outsourced testing for security audits & production site monitoring
Across all stages: AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting)
Application Security Best Practices
15. IBM Rational Software Conference 2009
IBM Rational AppScan – Security in the Development Lifecycle
CODE – AppScan Developer Ed (desktop); Rational Application Developer; Rational Software Analyzer – Build security testing into the IDE*
BUILD – AppScan Build Ed (scanning agent); Rational ClearCase; Rational BuildForge – Automate Security / Compliance testing in the Build Process
QA – AppScan Ent. QuickScan (QA clients); AppScan Tester Ed; Rational Quality Manager – Security / compliance testing incorporated into testing & remediation workflows
SECURITY – AppScan Enterprise user (web client); AppScan Standard Ed (desktop); AppScan Express (desktop) – Security & Compliance Testing, oversight, control, policy, audits
Across all stages: AppScan Enterprise / Reporting Console (web client, scanning agent); Rational ClearQuest / Defect Management; IBM Rational Web Based Training for AppScan
16. IBM Rational Software Conference 2009
Application Security in: Code/Build
(End-to-end lifecycle chart as on slide 14.)
17. IBM Rational Software Conference 2009
(Diagram: Dev Teams 1 to 5, the ASE Portal and the Security Team, connected by flows of scan data and reports.)
18. IBM Rational Software Conference 2009
IBM Rational AppScan Developer & Build Editions
Web Application Security Solutions for Development
The most efficient place in the SDLC to find and fix security issues
Dev Ed Empowers Developers to do Security Testing
Desktop IDE-Integrated Solution for Developers
Also helps build a developer’s web appsec awareness
Build Ed Ensures All Code is Scanned
Many dev environments do automated regression tests in their regular build process
Now can include Security tests in regression tests
Automation-Friendly, Build time oriented solution
Key Stakeholder/User – Build Engineer
19. IBM Rational Software Conference 2009
Security Issues Coverage
(Diagram: Total Potential Security Issues, covered by Static Analysis, Dynamic Analysis and Runtime Analysis.)
20. IBM Rational Software Conference 2009
Roadmap Highlights: Code/Build
Add new language support
Current product only supports Java; in 2009 we will add .NET support: analysis of Web Applications built on .NET, using both black box and white box testing techniques
Productizing String Analysis
Provides automatic detection of user defined sanitizers – automating parts of the configuration to contain false positive issues from static analysis
Included to-date as a Tech Preview; will improve accuracy and performance, modify detection methodology, and be turned on by default
Enhanced Static Analysis engine
Support for all Java frameworks (including Portal and services)
Evolve performance, scalability and usability
Responding to customer feedback to date
Tighter integration with Code Quality tools (Software Analyzer and Logiscope)
21. IBM Rational Software Conference 2009
Application Security in: QA
(End-to-end lifecycle chart as on slide 14.)
22. IBM Rational Software Conference 2009
Introducing AppScan Tester Edition for RQM
RQM - Rational Quality Manager
Embed Security Testing into the QA Process
Ideal way to scale security testing
Integrated into the QA environment to enable the adoption of security testing alongside functional and performance testing
Delivering the building blocks to help customers build a process to address security & compliance
Leverage existing compliance mechanisms in the QA process
Provides collaboration tools for security testing between development, QA and security teams
The Result: Seamless integration of security testing to provide Collaboration, Automation and Reporting
23. IBM Rational Software Conference 2009
Rational Quality Manager – Test Management Hub
IBM Collaborative Application Lifecycle Management
(Diagram: Rational Quality Manager with Quality Dashboard; Requirements Management, Test Management and Execution (Create Plan, Build Tests, Manage Test Lab, Report Results) and Defect Management; Open Platform and Best Practice Processes on the Jazz Team Server; Open Lifecycle Service Integrations with SAP, System z, System i, Java, .NET and homegrown systems; Functional Testing, Performance Testing, Web Service Testing, Code Quality, and Security and Compliance Quality.)
24. IBM Rational Software Conference 2009
Application Security in: Security Team
(End-to-end lifecycle chart as on slide 14.)
25. IBM Rational Software Conference 2009
Introducing Rational AppScan Version 7.8
Securing next generation Web applications and technologies
Automated scanning and testing for Flash-based applications
Support for increasingly sophisticated Web Services applications
Built in expert security intelligence for analyzing results
Addresses #1 problem inhibiting broader adoption of scanning tools
“Results Expert” helps users understand and articulate issues to external audiences
The Result: Improved Security and More Efficient Testing
26. IBM Rational Software Conference 2009
Advancing Web 2.0 Security: automatically auditing Adobe Flash Applications
Evolution of Flash support
First generation tools partially explored through Flash applications
Second generation (emerging now) can fully explore and audit Flash applications
Rational AppScan automatically scans Flash-based applications
Is the first to introduce automatic Flash Execution (first “Second Generation” scanner)
Similar to AJAX: 1st gen was parsing, 2nd gen was execution
Automatically explores deep and complex Flash applications
Identifies traditional, as well as Flash-specific security issues
Cross-Site Flashing, Cross-Site Scripting through Flash, Phishing…
Supports Flash & Flex applications
Includes server-side testing of Flex applications (only scanner to support AMF protocol)
Continued leadership in Flash application security
Flash Execution is now a strategic & evolving component of AppScan
27. IBM Rational Software Conference 2009
Extending AppScan’s lead in Web Services security testing
Web Services momentum continues
Enterprise Modernization allows organizations to transition legacy applications to sophisticated Web 2.0 and SOA solutions, driven by user demand
Legacy applications were not designed with Web security considerations
SOA deployments present complex, rich, technology-heavy scanning environments
Leveraging IBM’s rich investment in SOA
Using established Rational SOA Tester capabilities
Powerful functional & performance testing for SOA
AppScan to include GSC: General SOA Client
Testing Custom Web Services code
Identifies business logic vulnerabilities
Support complex Web Services deployments
XML Signatures
XML Encryption
Complex Types in WSDL
…
28. IBM Rational Software Conference 2009
CVSS support provides industry standard severity rating
Guides user through verifying that the issue is a legitimate vulnerability
Integrated screenshots with explanations immediately demonstrate whether an issue truly exists, saving time and effort
29. IBM Rational Software Conference 2009
The Problem: Legitimate Sites serving Malware
Malware is served or linked primarily from Legitimate Sites!
“Federal Travel Booking Site infected users with Trojan” - CIO
“TrendMicro site Spreads Malware” - Washington Post
“A large web hosting firm (IPower) attacked and inflicted by mass malware installation” - Washington Post
“BusinessWeek website hosts malware” - Net-Security
“Twitter worm strikes” - New York Times
Flagged as the “New Biggest Problem”:
WebSense: “Legitimate Sites Carry Increasing Portion Of Malware” (Jan, '09)
ScanSafe: “Web-based malware up 400%, 68% hosted on legitimate websites” (June, '08)
Blog: “Online Trust: A Thing of the Past?” (Jan, '09)
X-Force: “Are Legitimate Sites the Next Malware Threat?” (Feb, '09)
Breach: “SQL Injection Attacks Planting Malware on Web Sites Ranks #1 in Breach Security’s 2008 Web Hacking Incidents Database Report” (Feb, '09)
30. IBM Rational Software Conference 2009
AppScan’s HTTP-Based Malware Scanning
1. Discover all content and links in a Web Application
Execute JavaScript & Flash
Fill forms and login sequences
Analyze secure pages
…
2. Analyze all content for malicious behavior indicators
3. Compare all links to comprehensive black-lists
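The three steps on this slide, worked through as an added Python example that is not AppScan's code: a crawl over a constructed in-memory site stands in for the HTTP fetches of step 1, inline scripts and zero-size iframes are checked against an illustrative indicator pattern for step 2 (an assumption, not AppScan's detection rules), and every discovered link host is compared with a constructed block-list for step 3. Host names, pages and the block-list are all made up for the example.

```python
"""Added example, not AppScan code: HTTP-content malware check in three steps.
1. discover content and links from a start page (an in-memory site stands in
   for HTTP fetches); 2. look for indicators of malicious behaviour in page
   content; 3. compare every discovered link host against a block-list.
All pages, the block-list and the indicator pattern are constructed/assumed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample site: url -> HTML body.
SAMPLE_SITE = {
    "http://example.test/": """<html><body>
        <a href="/about">About</a>
        <a href="http://partner.test/promo">Partner</a>
        <script>var x = 1;</script>
        </body></html>""",
    "http://example.test/about": """<html><body>
        <iframe src="http://bad-host.test/drop" width="0" height="0"></iframe>
        <script>eval(unescape("%64%6f%63"));</script>
        </body></html>""",
}

# Constructed block-list of hosts (placeholder data, not a real feed).
BLOCKLIST = {"bad-host.test"}

# Illustrative behaviour indicator (assumed): eval() over a decoded string.
ENCODED_EVAL = re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)


class PageCollector(HTMLParser):
    """Collects link targets, zero-size iframes and inline script text."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []           # absolute URLs from href/src attributes
        self.hidden_iframes = []  # iframe targets rendered at 0x0
        self.scripts = []         # inline script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        target = a.get("href") if tag == "a" else a.get("src")
        if target:
            self.links.append(urljoin(self.base_url, target))
        if tag == "iframe" and a.get("width") == "0" and a.get("height") == "0":
            self.hidden_iframes.append(urljoin(self.base_url, a.get("src", "")))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_site(site, start_url, blocklist):
    """Return (page, indicator, target) findings for the crawl from start_url."""
    scope = urlsplit(start_url).hostname
    seen, queue, findings = set(), [start_url], []
    while queue:
        url = queue.pop(0)
        if url in seen or url not in site:  # already done, or off-site/unknown
            continue
        seen.add(url)
        page = PageCollector(url)
        page.feed(site[url])
        # Step 2: behaviour indicators in the page's own content.
        for script in page.scripts:
            if ENCODED_EVAL.search(script):
                findings.append((url, "encoded_eval", None))
        for target in page.hidden_iframes:
            findings.append((url, "hidden_iframe", target))
        # Step 3: every discovered link is checked against the block-list;
        # Step 1: in-scope links are queued so discovery continues.
        for target in page.links:
            host = urlsplit(target).hostname
            if host in blocklist:
                findings.append((url, "blocklisted_link", target))
            elif host == scope:
                queue.append(target)
    return findings


if __name__ == "__main__":
    for finding in scan_site(SAMPLE_SITE, "http://example.test/", BLOCKLIST):
        print(finding)
```

A real scanner would also execute JavaScript and Flash, fill forms and handle login sequences before collecting links, as step 1 lists; the parser above only sees static markup, which is exactly the gap those capabilities close.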
31. IBM Rational Software Conference 2009
Application Security in: Production
(End-to-end lifecycle chart as on slide 14.)
32. IBM Rational Software Conference 2009
Expanded Options for Production Testing and Defense
1. Testing solutions:
– AppScan Enterprise
– AppScan OnDemand
– ISS Managed Security Services
2. Defensive solutions:
– ISS Proventia IPS with New Web Protection
– DataPower SOA Appliance
3. Combined approach
– Integrated scanning and defense
33. IBM Rational Software Conference 2009
Introducing expanded Rational AppScan OnDemand
AppScan OnDemand:
Comprehensive testing of pre-production applications
Periodic assessment of applications in QA or Security
Monthly scans
Flexible offerings based on organization (Small/Medium/Large)
AppScan OnDemand Production Site Monitoring:
Continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live
Dynamic or interactive content and forms, online registrations
Weekly scans
The Result: Ability to address online risk without in-house resources with the faster route to actionable information
Policy Testing OnDemand is also available to support website compliance management for Privacy, Quality & Accessibility
34. IBM Rational Software Conference 2009
Block attacks in real-time with Proventia Web application security
Intrusion prevention just got smarter with web application protection backed by the power of X-Force
Virtual Patch
What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
Why Important: At the end of 2008, 53% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
Threat Detection & Prevention
What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
Why Important: Eliminates need of constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
Content Analysis
What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
Web Protection
What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).
Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
Network Policy Enforcement
What It Does: Manages security policy and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
Why Important: Enforces network application and service access based on corporate policy and governance.
35. IBM Rational Software Conference 2009
Rational/ISS Vision: Application & Network Security Ecosystem
(Diagram: Proventia IDS/IPS, Site Protector, Enterprise Scanner and AppScan Agent)
Joint interface for Application & Network Security
Collaborative flow of product usage
Mutual leveraging of technology
36. IBM Rational Software Conference 2009
WebSphere DataPower SOA Appliances
An SOA Appliance… Creating customer value through extreme SOA connectivity, performance and security
Simplifies SOA and accelerates time to value
Helps secure SOA XML implementations
Governs and enforces SOA/Web services policies
WebSphere DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.
37. IBM Rational Software Conference 2009
Virtual Application Security Patch
1. Rational AppScan Scans Web Application, Uncovers Security Issues
2. WebSphere DataPower Rules are Auto-Created, Based on Found Issues
3. Custom protection blocks exploits on vulnerable locations, blocking where required while avoiding False Positives
4. Vulnerabilities are remediated in the next release of Web Application
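The four-step flow on this slide, as an added Python example that is neither AppScan nor DataPower code: constructed scanner findings become one rule per flagged path and parameter (step 2), a request is checked only at those locations so the same payload elsewhere is not blocked (step 3, the false-positive point), and a rule is retired once the finding is fixed in the next release (step 4). The findings, host name and attack patterns are illustrative assumptions, not vendor signatures.

```python
"""Added example, not AppScan or DataPower code: virtual application
security patching as a four-step flow. Scanner findings, the requests and the
attack patterns below are constructed/assumed for the example."""
import re
from urllib.parse import parse_qs, urlsplit

# Step 1 stand-in: constructed findings as a scanner report might list them.
FINDINGS = [
    {"url": "http://shop.test/search", "param": "q", "issue": "SQL Injection"},
    {"url": "http://shop.test/comment", "param": "body", "issue": "Cross-Site Scripting"},
]

# Illustrative request-time patterns per issue type (assumed, not vendor signatures).
PATTERNS = {
    "SQL Injection": re.compile(r"('|--|;|\bunion\b|\bor\b\s+\d+\s*=\s*\d+)", re.I),
    "Cross-Site Scripting": re.compile(r"(<\s*script|javascript:|\bon\w+\s*=)", re.I),
}


def build_rules(findings):
    """Step 2: one blocking rule per (path, parameter) the scanner flagged."""
    rules = {}
    for f in findings:
        key = (urlsplit(f["url"]).path, f["param"])
        rules[key] = (f["issue"], PATTERNS[f["issue"]])
    return rules


def evaluate(rules, url, form=None):
    """Step 3: block only when a flagged parameter at a flagged path carries an
    attack pattern; everything else, including the same payload at an unflagged
    path, is allowed so the interim protection stays free of false positives."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)          # query parameters -> list of values
    for name, value in (form or {}).items():  # POST body fields, if any
        params.setdefault(name, []).append(value)
    for (path, name), (issue, pattern) in rules.items():
        if parts.path != path:
            continue
        for value in params.get(name, []):
            if pattern.search(value):
                return ("block", f"{issue} at {path} parameter {name}")
    return ("allow", None)


def retire_rules(rules, fixed_findings):
    """Step 4: once the next release fixes a finding, drop its interim rule."""
    for f in fixed_findings:
        rules.pop((urlsplit(f["url"]).path, f["param"]), None)
    return rules


if __name__ == "__main__":
    rules = build_rules(FINDINGS)
    print(evaluate(rules, "http://shop.test/search?q=shoes"))
    print(evaluate(rules, "http://shop.test/search?q=' or 1=1 --"))
    print(evaluate(rules, "http://shop.test/help?q=' or 1=1 --"))
```

Scoping each rule to the exact location the scanner verified is what keeps the protection narrow: a generic signature applied site-wide would block the same strings in a comment field where they are harmless text, which is the false-positive cost step 3 is meant to avoid.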
38. IBM Rational Software Conference 2009
2009 Roadmap
Q1
New AppScan Releases
AppScan Standard, Express, Developer, Build
Product Translations
Available for all products
Japanese, Korean, Traditional Chinese, Simplified Chinese, French, Italian, and German
Expanded SaaS offering
Production Site Monitoring
Q2
Web-based Malware Detection & Scanning
AppScan-ISS SiteProtector Integration
Q4
Portfolio-wide release (AppScan DE, Standard and Enterprise)
Joint ISS initiatives
39. IBM Rational Software Conference 2009
Application Security at RSC
1. Application Security Track Sessions
2. Rational Labs
3. User First Lounge
40. IBM Rational Software Conference 2009
IBM Rational User Technologies
Try out Rational AppScan for yourself.
You’re invited to the Users First Lounge, where you will get to speak one-on-one with the AppScan User Experience team on topics including: usage scenarios, user interface design, ease-of-use, user assistance, learning, and quality.
This is a chance to share your reality with us and help shape the future of the AppScan family!
Sign up at tinyurl.com/djoj9b or in person at Europe 5