April 04, 2008

Web Application Security Testing: IBM AppScan to the Rescue!

In my previous blog, I wrote about the challenges executives and developers are encountering while trying to integrate security tools and processes into the software development life cycle. Since then, I have done a bit of research to identify and evaluate the market-leading product in the field of web application security scanning, and I believe I have a result worth sharing.

Overview

With over a third of global market share, Watchfire AppScan from IBM’s Rational family of products has to be considered the leading web application security scanner worldwide. AppScan offers solutions for all types of security testing – outsourced, desktop-user and enterprise-wide analysis. Users of all kinds benefit from this application, including application developers, quality assurance teams, penetration testers, security auditors and senior management. AppScan’s engine seems to be quite powerful and capable of providing continuous monitoring and audit of web applications, testing for security and compliance issues, and delivering reports with specific fix recommendations.

Vulnerability Detection

AppScan also seems to credibly provide security vulnerability detection through simulation of hacker attacks such as Cross-Site Scripting, HTTP Response Splitting, Parameter Tampering, Hidden Field Manipulation, Backdoors/Debug Options, Stealth Commanding, Forceful Browsing, Application Buffer Overflow, Cookie Poisoning, SQL Injection, Content Spoofing, LDAP Injection, XPath Injection and Session Fixation. In addition, AppScan maps its findings to the Open Web Application Security Project (OWASP) Top 10 and to the SANS Top 20 vulnerabilities.

Reporting and Remediation

During a test, AppScan highlights the code that has been determined to be the cause of a specific vulnerability. The reasoning behind each test is provided in natural language to explain the logic of the test and why an issue was identified. AppScan’s delta analysis report shows the changes that have occurred from one scan to the next: the reported information includes what has been fixed and which new security issues have been introduced since the initial scan.
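To make the delta analysis idea concrete, here is an added example (my own illustration, not AppScan’s code or report format) of how two scan result sets can be compared. Each finding is identified by issue type, URL and parameter; severity is left out of the identity so that an issue which was merely re-rated between scans still counts as the same open finding rather than as one fixed and one new. The two scans and the application paths are constructed sample data.

```python
"""Scan-to-scan delta analysis, added example (not AppScan's own code).

Two constructed scan result sets are compared; each finding is identified
by (issue type, URL, parameter). The delta lists issues fixed since the
baseline, issues newly introduced, and issues still open.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    issue: str       # e.g. "Cross-Site Scripting"
    url: str         # affected page
    parameter: str   # affected parameter ("" if none)
    severity: str    # "High", "Medium" or "Low"

    def key(self):
        # Severity is deliberately excluded so that a re-rated issue is
        # still matched as the same finding across scans.
        return (self.issue, self.url, self.parameter)


def delta(baseline, current):
    """Return (fixed, new, persisting) as lists of Findings, each sorted by key.

    'persisting' reports the current scan's record, so a changed severity
    is visible to the reader of the report."""
    base = {f.key(): f for f in baseline}
    cur = {f.key(): f for f in current}
    fixed = [base[k] for k in sorted(base.keys() - cur.keys())]
    new = [cur[k] for k in sorted(cur.keys() - base.keys())]
    persisting = [cur[k] for k in sorted(base.keys() & cur.keys())]
    return fixed, new, persisting


def summarize(baseline, current):
    """Counts of fixed/new/persisting issues, grouped by severity."""
    fixed, new, persisting = delta(baseline, current)

    def by_severity(items):
        counts = {}
        for f in items:
            counts[f.severity] = counts.get(f.severity, 0) + 1
        return counts

    return {
        "fixed": by_severity(fixed),
        "new": by_severity(new),
        "persisting": by_severity(persisting),
    }


# Constructed sample scans of a hypothetical application (not real data).
SCAN_1 = [
    Finding("SQL Injection", "/login.php", "username", "High"),
    Finding("Cross-Site Scripting", "/search.php", "q", "High"),
    Finding("Cookie Poisoning", "/account.php", "uid", "Medium"),
]
SCAN_2 = [
    Finding("Cross-Site Scripting", "/search.php", "q", "High"),       # still open
    Finding("Cookie Poisoning", "/account.php", "uid", "Low"),         # re-rated, still open
    Finding("Parameter Tampering", "/checkout.php", "price", "High"),  # introduced since scan 1
]

if __name__ == "__main__":
    fixed, new, persisting = delta(SCAN_1, SCAN_2)
    for label, items in (("Fixed", fixed), ("New", new), ("Still open", persisting)):
        print(f"{label}:")
        for f in items:
            print(f"  [{f.severity}] {f.issue} at {f.url} ({f.parameter})")
    print(summarize(SCAN_1, SCAN_2))
```

Running the block prints the three groups for the sample scans; the point worth noticing is that the cookie poisoning finding is reported as still open even though its severity changed, which is the behaviour you want from a report that tracks remediation.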

Support for reporting against a total of 40 global regulatory compliance standards is another interesting feature of this product. Basel II, the Electronic Fund Transfer Act (EFTA) and the Payment Card Industry (PCI) Data Security Standard are among the supported compliance and standards reports.

Summing Up

AppScan (v7.5) looks like a valid option for helping to ensure the security and compliance of web applications throughout the software development life cycle. It has been designed for the broadest range of users, from business users to advanced power users who can utilize the added tools and API to create a customized scanning environment. In an upcoming blog I will provide more detailed information on the scanning abilities of AppScan as they pertain to building secure web applications – much more to come!

January 21, 2008

What to look for in a Web Application Security Testing Solution

In the previous blog, I described the new security tools and methodologies that IBM envisions – since then, I’ve been taking a closer look at the challenges executives and developers are encountering while trying to integrate security tools and processes into the software development lifecycle and have some interesting results to share!

Traditionally, organizations depend on perimeter controls to keep them secure. Unfortunately, network firewalls and network vulnerability scanners cannot stop application-level attacks. By design, web applications allow outsiders to interact with an organization’s systems and data, and this interaction passes straight through network defense mechanisms such as firewalls and network-based intrusion detection systems.

Studies indicate that 75 percent of attacks are now targeting web applications, and that web applications tend to be vulnerable to these types of attacks. Clearly, web application security can no longer be ignored.

From a technology perspective, the use of automated web application security tools is beneficial in scale and cost. An automated tool allows consistent, reliable and scalable examination of web application security vulnerabilities across large, diverse environments. In addition, an automated tool can be used to provide relevant recommendations that are consistent with corporate policy and requirements.

From a process perspective, integrating web application security testing into the software development lifecycle is a key initiative for establishing good risk management. While this can and should be performed by a dedicated and knowledgeable security assessment team as part of the final review, it should also be integrated into the early stages of application development to focus on security issues as they appear and to save on time and cost.

Threats to web applications include but are not limited to:

  • Cross-site scripting: 80% of web applications are vulnerable to this threat, which would permit impersonating another user
  • SQL injection: 60% of web applications are vulnerable to this threat, which would permit total data compromise
  • Parameter tampering: 60% of web applications are vulnerable to this threat, which would permit fraud and altering distributions
  • Cookie poisoning: 40% of web applications are vulnerable to this threat, which would open the door to stealing someone’s identity

The optimal web application testing tool would allow dedicated security auditors to provide detailed information around web application vulnerabilities as well as executive, management and developer reporting that is specifically designed for the role of the unique individual.

In the next blog, we will look at IBM Watchfire, which is known as the best web application vulnerability assessment software.

In conclusion, web application security testing tools are becoming more integrated into the software development lifecycle. In my future blog, I would like to evaluate the best product in this category. IBM Watchfire AppScan happens to be the market leader in this space – much more to come!

December 04, 2007

First Insights into IBM's $1.5 Billion Security Initiative

In the previous blog, I described IBM’s enormous new security initiative – since then, I’ve been trying to dig deeper into the new tools and methodologies that IBM envisions, and have some results to share!

One of our contacts within IBM was willing to give a fairly detailed under-the-hood look into their thinking:

First, IBM is making sure that their new security framework addresses the full web of compliance requirements, with the following viewed as core:

  • Sarbanes-Oxley Act (SOX), Section 404
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA), Section 501
  • European Union Data Protection Act
  • Basel II
  • PATRIOT Act

Second, a bit of insight into the methodology: IBM’s approach to security consists of multi-faceted protection from the core to the perimeter, and of helping clients put their security policy into practice by applying a unified process for assessing and addressing security and compliance concerns.

The steps involved in this unified process consist of Assessment, Planning, Implementation and Monitoring.

ASSESSMENT: IBM consultants will inventory enterprise assets, apply security policies, and identify and prioritize vulnerabilities. Elements will include:

  • Gaining a clear understanding of the client’s security and compliance posture
  • Independently identifying and prioritizing vulnerabilities
  • Inventorying enterprise assets
  • Determining the adequacy of security systems, processes and policies
  • Continually assessing the threat profile

IBM intends to identify gaps in a client’s security posture by conducting an Information Security Assessment or a Payment Card Industry Assessment, or to empower clients to do it themselves using:

  • IBM Proventia® Enterprise Vulnerability Scanner software
  • IBM Tivoli® Security Compliance Manager software

PLANNING: In this step, IBM intends to help organizations define an enterprise security roadmap that will close any gaps. Enterprise security policies, processes and procedures and an enterprise security architecture are also developed, and ongoing risk management and compliance programs are put in place. IBM also plans to help clients align security and business priorities, or to empower them to do it themselves by providing an information security framework.

IMPLEMENTATION: This step delivers leading-edge intrusion defense, data security, application security and network security to keep clients ahead of the threat. Components:

  • Execute plans to preemptively help protect against internal and external threats
  • Implement security architecture and encryption to help protect critical data
  • Implement identity and access management
  • Centralize policy enforcement for business data and unstructured information
  • Design a security incident response management plan

IBM will offer help in implementing these plans through encryption architecture, design and implementation services, or will empower clients to do it themselves using:

  • IBM FileNet® P8 4.0 software for enterprise content management
  • IBM Tivoli identity and access management technologies
  • IBM Emergency Response Services

MONITORING: This last step consists of advanced monitoring and reporting capabilities designed to help organizations proactively detect, analyze and react to threats through the following services:

  • Monitor and manage security infrastructure 24x7
  • Maintain an audit-ready posture
  • Proactively detect, analyze and react to threats
  • Continually monitor trends for emerging threats

In conclusion, this is obviously an ambitious program, but it has caught my interest because I agree with IBM that the industry’s current approach is neither effective nor sustainable. I’m in favor of any attempt to improve the state of the art, and will continue to dig for details – much more to come!

November 23, 2007

Changing the Landscape - IBM's $1.5 Billion Security Initiative

On November 1st, the world’s largest IT company set forth a major security initiative. Developed over the past 18 months, IBM’s announced strategies aim to help its customers achieve “an enterprise free of fear” (their term). Big Blue is allocating $1.5 billion and 200 security researchers to turn that vision into reality.

What does this mean to all of us?

Because IBM views compliance with regulations as one of the main drivers behind this initiative, their proposed new approach is based on a comprehensive and automated security risk management process. The goal is to provide CIOs and CISOs with tools and methodologies to automate the measurement and assessment of business processes and risks, as well as the costs of managing their information more effectively.

IBM’s risk management framework is fleshed out with a family of security products that help address external threats; these include ISS, Watchfire, Fidelis Security Systems, PGP and Verdasys.

In future blogs we will take a closer look at what we already know about the IBM Security Framework, what we see on the horizon, and the web application security and network vulnerability assessment products that make it all work.

I, for one, welcome IBM’s commitment to this space, and look forward to monitoring their progress with you!