IBM Rational AppScan Technical Overview
4 likes982 views
The document discusses the IBM Rational AppScan product line, including Developer and Build Editions, which focus on automated security testing through dynamic, static, and runtime analysis. It highlights the integration of security testing into the software development lifecycle and outlines the benefits of IBM's innovative string analysis technology for detecting vulnerabilities. The document also addresses cross-product integration with other IBM tools and emphasizes the importance of collaboration and shared assets in development environments.
![IBM Rational
IBM Confidential © 2008 IBM Corporation
The Future: IBM’s String Analysis Technology
Novel string analysis is the “game-changer” in the market place
– Patented technology from IBM Research
– Currently commercializing and under testing
– Sought as the next generation of static analyzer technology
Automatically and statically detects the grammar of a string at the
point of use
public void submitQuery(String userName) {
userName = clean(userName);
String query = "SELECT id FROM users WHERE name = '" +
userName + "'";
execute(query);
}
public String clean(String input) {
return input.replaceAll(";","").replaceAll("'","");
}
public void submitQuery(String userName) {
userName = clean(userName);
String query = "SELECT id FROM users WHERE name = '" +
userName + "'";
execute(query);
}
public String clean(String input) {
return input.replaceAll(";","").replaceAll("'","");
}
input .*
output [~;’]*](https://image.slidesharecdn.com/appscandeveloperedition-technicaloverview-rsdc2008-151009192810-lva1-app6892/85/IBM-Rational-AppScan-Technical-Overview-11-320.jpg)
IBM Rational AppScan Technical Overview
- 1. IBM Software Group IBM Confidential | June 2008 © 2008 IBM Corporation IBM Rational AppScan Developer Edition & Build Edition Ashish Patel AppScan Architect & Development Lead [email protected]
- 2. IBM Rational IBM Confidential © 2008 IBM Corporation Overview AppScan Developer Edition & Demonstration Future of IBM’s Static Analysis: String Analysis AppScan Build Edition Cross-Product Integration
- 3. IBM Rational IBM Confidential © 2008 IBM Corporation BuildCode SecurityQA AppScan Standard Ed (desktop) Rational ClearQuest IBM Rational AppScan SDLC Ecosystem AppScan Enterprise user (web client) Includes Fall 2008 Releases Rational BuildForge AppScan Build Ed (headless eclipse) IBM Rational Web Based Training for AppScan AppScan Tester Ed (QA client) AppScan Tester Ed (scanning agent) Rational Quality Manager IBM Rational AppScan Enterprise / Reporting Console AppScan Ent. QuickScan (web client) AppScan Developer Ed (Eclipse IDE) Rational Application Developer Automate Security / Compliance testing in the Build Process Build security testing into the IDE Security / compliance testing incorporated into testing & remediation workflows Security and Compliance Testing, oversight, control, policy, in-depth tests Rational Software Analyzer Rational ClearCase
- 4. IBM Rational IBM Confidential © 2008 IBM Corporation Rational AppScan Developer Edition Dynamic Analysis (black box) – Automated testing of your deployed application, outside-in – Pros: Finding issues in your app using same techniques available to hackers. – Cons: Not able to pinpoint the problems areas in your code. *yet* Static Analysis (white box) – Static analysis of your web application code, inside-out – Pros: Coverage / Reported issues point directly to the suspect lines of code. – Cons: White box is building a model of your code, may find issues that can’t actually be exploited. *yet* Runtime Analysis – Trace the flow of the application for any security issue found using dynamic analysis – Pros: Coverage / Reported issues point directly to the suspect lines of code. – Cons: Not able to pinpoint which method in the coverage caused the issue. *yet*
- 5. IBM Rational IBM Confidential © 2008 IBM Corporation Dynamic Analysis (black box) AppScan is the market leader in Black Box testing A “hacker in a box”. Tests by sending modified HTTP requests to the app server and examining the responses to validate security rules. SQL Injection Test Example: Original Request: http://server/page.jsp?param=value Test Requests: http://server/page.jsp?param=‘ or 1=1 or ‘’=‘ http://server/page.jsp?param=“ or 1=1 or “”=“ http://server/page.jsp?param=‘ -- http://server/page.jsp?param=+1+1+1
- 6. IBM Rational IBM Confidential © 2008 IBM Corporation Dynamic Analysis (black box) AppScan Developer Edition brings this AppScan technology to Eclipse Focus in AppScan Developer Edition is on core development use cases: – Local test server environment (WebSphere, Tomcat) – Focused scans – Developer education (Fix Advisories, Fix Recommendations) – Team collaboration of scan configurations and results (CVS, SVN, ClearCase)
- 7. IBM Rational IBM Confidential © 2008 IBM Corporation Runtime Analysis: Bridging the gap between black box testing and source code Locating and understanding the code flow responsible for an issue found by a Black Box scan can be tricky. Runtime Analysis addresses this through instrumentation of your web application code. During Black Box testing method invocations are traced, and the trace information is mapped to specific Black Box issues. Allows you to understand exactly what your application was doing while AppScan was busy exploiting it.
- 8. IBM Rational IBM Confidential © 2008 IBM Corporation Static Analysis XSS, SQLi and other problems are instances of information- flow problems They can be solved using static taint analysis String str = req.getParameter(“searchvalue"); resp.getWriter().println(str); String str = req.getParameter(“searchvalue"); resp.getWriter().println(str); Source Sink
- 9. IBM Rational IBM Confidential © 2008 IBM Corporation Static Analysis – follow your tainted data Build System Dependence Graph Build “program slice” starting from sources Detect whether we encounter a sink Take sanitizers into account App Library Core
- 10. IBM Rational IBM Confidential © 2008 IBM Corporation Static Analysis rules Groups of sources, sinks, sanitizers determine issue types Sources: Sinks: XSS SQLi HTTPRSSanitizers:
- 11. IBM Rational IBM Confidential © 2008 IBM Corporation The Future: IBM’s String Analysis Technology Novel string analysis is the “game-changer” in the market place – Patented technology from IBM Research – Currently commercializing and under testing – Sought as the next generation of static analyzer technology Automatically and statically detects the grammar of a string at the point of use public void submitQuery(String userName) { userName = clean(userName); String query = "SELECT id FROM users WHERE name = '" + userName + "'"; execute(query); } public String clean(String input) { return input.replaceAll(";","").replaceAll("'",""); } public void submitQuery(String userName) { userName = clean(userName); String query = "SELECT id FROM users WHERE name = '" + userName + "'"; execute(query); } public String clean(String input) { return input.replaceAll(";","").replaceAll("'",""); } input .* output [~;’]*
- 12. IBM Rational IBM Confidential © 2008 IBM Corporation String analysis – How it works… public void submitQuery(String userName) { userName = clean(userName); String query = "SELECT id FROM users WHERE name = '" + userName + "'"; execute(query); } public String clean(String input) { String output = input.replaceAll(";","").replaceAll("'",""); return output; } public void submitQuery(String userName) { userName = clean(userName); String query = "SELECT id FROM users WHERE name = '" + userName + "'"; execute(query); } public String clean(String input) { String output = input.replaceAll(";","").replaceAll("'",""); return output; } submitQuery clean execute userName = Σ*userName = Σ* output = {Σ - {;,'}}*output = {Σ - {;,'}}* userName = {Σ - {;,'}}*userName = {Σ - {;,'}}* query = SELECT id FROM users WHERE name = '{Σ - {;,'}}*' query = SELECT id FROM users WHERE name = '{Σ - {;,'}}*' input = Σ*input = Σ*
- 13. IBM Rational IBM Confidential © 2008 IBM Corporation Other Uses: Stored Vulnerabilities Detects whether taint flows through a container (database, map, session, etc.) ResultSet rs = statement.executeQuery( "SELECT * FROM " + tableName + ";"); ResultSet rs = statement.executeQuery( "SELECT * FROM " + tableName + ";"); statement.executeUpdate("UPDATE " + tableName + " SET Name='" + firstName + "' WHERE LastName = '" + lastName + "';"); statement.executeUpdate("UPDATE " + tableName + " SET Name='" + firstName + "' WHERE LastName = '" + lastName + "';");
- 14. IBM Rational IBM Confidential © 2008 IBM Corporation Advantages of String Analysis No need to define what the sanitizers are Understands inline sanitization code Understands validators Can verify your sanitizers really do their job What this means for you – Greater accuracy out-of-the-box: – Fewer false-positives – Fewer false-negatives (detect buggy sanitizers!) – Less configuration IBM Tokyo Research Lab
- 15. IBM Rational IBM Confidential © 2008 IBM Corporation Rational AppScan Developer Edition: Highlights New offering from the AppScan family of products Eclipse-based, integrates with the Rational SDP Dynamic/Static/Runtime Analysis A collaboration with IBM Research First version will support Java, JSP, Struts Sharable assets (scans and reports) Rule updates Integrated with: – AppScan Standard Edition – AppScan Enterprise Edition – ClearQuest – Change and version control
- 16. IBM Software Group IBM Confidential | June 2008 © 2008 IBM Corporation IBM Rational AppScan Developer Edition Demonstration
- 17. IBM Rational IBM Confidential © 2008 IBM Corporation Rational AppScan Build Edition Command line Interface (CLI) into Rational AppScan DE Runs as a “headless” eclipse-based environment Integrates with BuildForge or any 3rd Party system
- 18. IBM Rational IBM Confidential © 2008 IBM Corporation Rational AppScan Build Edition Inputs/Outputs AppScan DE Scan (sscn) – Static Analysis – Dynamic Analysis (supports Manual Explore) – Runtime Analysis (not available) AppScan scan file (Dynamic Analysis only, supports auto-explore) AppScan DE Report (srpt), including API to extract: – Issues and information from static & dynamic analysis, correlation, execution flow, code snippets, etc. – RSAR-Format Static Analysis Results Only (XML) – AppScan-Format Dynamic Analysis Results Only (XML) for AppScan Std. Edition
- 19. IBM Rational IBM Confidential © 2008 IBM Corporation Rational AppScan Cross-Product Integration Rational ClearQuest (or other defect system) AppScan Build Ed (CLI to headless eclipse) AppScan Developer Ed (Eclipse IDE)Rational Application Developer Rational ClearCase (or other file repository: CVS, RAM …) AppScan Standard Ed (desktop) AppScan Enterprise / Reporting console (web client) DE Scan (.sscn) AppScan Scan (.scan)AppScan results (.srpt & XML) Issue management DE Scan and Reports Post-processing of build output Log a security issue as a defect DE Report (.srpt)
- 20. IBM Software Group IBM Confidential | June 2008 © 2008 IBM Corporation Q&A June 27, 2008 [email protected]
Editor's Notes
- #4: Security: Use Rational AppScan Standard Edition and AppScan Enterprise Edition to test for Web 2.0 security & compliance issues according to regulatory demands such as PCI Push results to Rational ClearQuest to define & manage remediation QA: Rational AppScan Tester Ed integrated with Rational Quality Manager provides non-security trained QA Professionals the tools to successfully test for security issues Two-way defect tracking between Rational AppScan Enterprise & Rational ClearQuest allows for efficient remediation and visibility into the security of the web applications Build: Standardize & automate the build process to ensure PCI security compliance with Rational BuildForge & Rational AppScan Developer Ed for Build Systems Continue to leverage Rational ClearQuest & AppScan Enterprise for remediation of security issues Operate on iterative releases/binaries from Rational ClearCase Coding: Enable security scanning at the early stages with Rational AppScan Developer Ed & Rational Software Analyzer Select from a choice of end-points for developer uses cases with QuickScan web client or AppScan Developer Edition Manage code versions and tasks in Rational ClearCase and Rational ClearQuest