What's new in AppScan Standard/Enterprise/Source version

Transcription

1 What's new in AppScan Standard/Enterprise/Source version support Open Mic Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA toll-free: USA toll: Participant passcode: Slides and additional dial in numbers: Nov 16, 2016 NOTICE: By participating in this call, you give your Irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM s use of such Recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

2 Presenter: Tal Rabinovitch - AppScan Standard Dev Manager Makida Yohannes - AppScan Enterprise Developer Robert Fiszer - AppScan Source Support Engineer Panelist: Daniel Dubnikov AppScan Dev Team Lead Joe Lacy - AppScan Support Engineer Scott Hurd - AppScan Support Engineer Marek Stepien AppScan Knowledge Leader Moderator: Joe Kiggen AppScan and SKLA Support Manager

3 Goal of session To present what you (customer) can expect in AppScan Standard, AppScan Enterprise, and AppScan Source version released in October 2016.

4 Agenda What's new in Appscan Standard What's new in Appscan Enterprise What's new in Appscan Source Questions and Answers

5 What's new in Appscan Standard Presenter: Tal Rabinovitch, AppScan Standard Dev Manager New exploring method "Action Based Explore" Request filtering New improved "User Defined Tests" Possibility to Change Host in starting URL Improvements in Manual Explore UI Possibility to exclude tests in Multi-step operations

6 Action Based Action Based technology is where we utilize a browser in order to execute a set of actions. Action Based is an alternative method to Request Based where we use and manipulate the HTTP requests/responses. Action Based is a term we started using in AppScan 8.8, 3 years ago with Action Based Login Action Based Login allowed us to overcome a lot of the session challenges we encountered with the traditional Request Based approach, and dramatically improved AppScan s ability to cope with complex sessions out of the box. In (Jan 2016), Action Based technology was also integrated into the Automatic login option, allowing AppScan to automatically browse and locate the login page, fill out the credentials and submit. In , we are introducing Action Based Explore.

7 Action Based Explore Sometimes, using AppScan's (Request Based) automatic explore capabilities will not generate a sufficient coverage of the tested application. In such cases, manual explore is also required by the user. The advantage of manual explore is that it s utilizing a real browser Browsers have better JavaScript capabilities Browsers are up-to-date with the latest technologies Browsers give a true representation of the application In order to reduce the need for Manual Explore, we started integrating Action Based technology into the Explore phase. Another way to think about it is Automatic manual explore.

8 How to enable/disable Action Based Explore The new Action Based Method Our traditional automatic explore method In , Action Based Explore is added as a 2 nd explore method running before the traditional Request Based automatic explore method. Each of the methods can be turned on or off (one must be enabled) in the Scan Configuration > Explore Options tab. If you want to see the browser during the explore phase, set the SessionManagement.ShowActionBasedPlayerWindow option to 'True' in the Tools > Options > Advanced tab.

9 Action Based Explore Filtering Action Based Explore uses two main techniques to reduce the time of the scan Pages that have a similar DOM to an already explored page will be skipped (no action in these pages will be executed) Actions that we predict will lead to a page that will be filtered due to similar DOM will not be executed (We refer to this feature as Click Filtering) In addition, every request that is recorded during the Action Based Explore phase will be analyzed with our current DOM Filtering mechanism and might get filtered in AppScan.

10 Request Filtering Our current DOM Filtering in AppScan will filter a page if its DOM is similar to that of an already explored page. This can lead to a strange where we have two pages that have significantly different DOMs but contain an identical individual request within them. For example, a shared JS file. For these cases we have enhanced the DOM Filtering feature to also examine each individual request in a page, and if two requests have a near identical body, we will filter this individual request. Requests that are filtered due to this reason will be displayed under the Filtered tab with this filter type: Similar Body

11 User Defined Tests User defined tests were available in AppScan Standard from day one The current User Defined Tests are offering very limited power. Almost no Detection functions to decide whether a test should be executed or not Limited Mutations practically changing specific parameters, adding ones or changing the all path. Limited validations either we got a 200ok status, or specific pattern in the response Many Advanced users were asking us to enhance these capabilities so more meaningful tests can be created and also use them for company policy enforcements (e.g. to test if the app uses an old version of some 3 rd party dependencies..), re-creation of manually detected vulnerabilities, etc

12 User Defined Tests In we are introducing our enhanced User Defined Tests As for regular test, each test is build from 3 main functions: Detection Validation Mutation Detection: What conditions should be met in order to execute the test. Mutation (Test Sequence): What are the modifications done when running this test. Validation: What conditions should be met in order to mark this test as a valid issue. A test can now apply a set of conditions for each function with logical functions (And, Or, Not).

13 User Defined Tests As before, User Defined Tests can be found in Tools -> User Defined Test As before, creating a new test is done using a wizard which works you through the steps of creating a new rule. One of the first steps in the wizard is to choose the Test Type. Each test have different sets of mutation functions, depending on the tested element (request, parameter, path)

14 User Defined Tests Detection (Filter) Detections available: Request: Path match regexp Param / Cookie / Header: Exists Exists + Value match regexp Body match Regexp Detections Example: ( myuserid parameter exists in the request ) OR ( (Response Code is 3xx) AND (mybodypattern exist in the body response) ) Response: Status code Is / is not specific number (202) Is / is not belong to a specific group (2xx, 3xx) Header: Exists Exists + Value match regexp Body match Regexp

15 User Defined Tests Mutation (Test Sequence) Mutations available: Request Path: Set, Append, Prepend Param \ Cookie \ Header: Value - Set, Append. Add Remove Body set Mutation Example: ( Change value of parameter searchterms to <script>alert(1)</script> ) AND ( Add parameter ID with Value =1234 )

16 User Defined Tests Validations Validations available: Response Status code: Is / is not specific number (202) Is / is not belong to a specific group (2xx, 3xx) Header: Exists Exists + Value match regexp Body: Equal original response Match regex Validation Example: ( Response Code is not 2xx ) AND ( Body does NOT contain error )

17 User Defined Tests Import & Export User Defined Tests can be exported to a.udt file. A UDT file can contain more then one test (based on the tests the user decided to export)

18 Change Host 18 In testing environments, it is likely for host names, IPs or ports to be changed or even be set dynamically. This is typical for DevOps process kind of deployments. Up until now, users who already had a pre-configured templates for one host, had to create a new one when the host name was changed. Regardless of the fact that the deployed application is the exact same application. In we enhanced our support for such a scenario.

19 Change Host When no explored data exists 19 Use Case: an existing scan template which its host/ip/port/schema was modified. How to modify the scan template: 1) After loading the scan template, the user modifies the Starting URL 2) When the user apply this changes, AppScan will display a confirmation dialog asking whether a change host operation should be triggered. 3) If the user chooses Yes, AppScan triggers a modification and validation phase. In this phase AppScan will replace all the old data with the new data and validate the URL, Login and Multi-step seq (if such exist)

20 Change Host When explored data exists 20 If there is already some explore data, the starting url is disabled. To change the host, the user can click on menu: Scan->Change Host/Scheme/Port. A change host UI will appear allowing the user to specify his changes. After specifying the new Starting URL, the same confirmation dialog will appear. When confirmed, modification and validation phase will be triggered where all the explored data (apart from manual explore) and test results will be deleted.

21 Change Host CLI 21 As often change host capability will be needed as part of an automatic deploy/test scenario, this functionality also exists through the CLI. In this example we take an existing demo.testfire.net scan template, change its host from to and run an explore only scan.

22 Change Host ASE 22 In AppScan Enterprise, when using the ADAC (AppScan Dynamic Analysis Client), the same change host functionality exist. Similar to the one described in the AppScan Standard UI section.

23 Enhancements in Manual Explore UI 23 Up until now, In AppScan Standard, when the user recorded a manual explore sequence, recorded request couldn t be deleted before the analysis phase. Now the user can: Delete unneeded recorded requests. Easily specify which recorded hosts should be include in the scan. Same UI functionality exists in the ADAC.

24 Exclude test for Multi- Step sequences 24 Sometimes, you will want to only test specific requests in your Multi Step Sequence. Up until now, this was a tedious task In AppScan Standard. Now a simple UI option was added to the Multi step sequence allowing the user to mark which request is important for testing and which is not. This option can highly improve the efficiency of multi step testing which usually take longer because of the need to replay the seq before each test.

25 What's new in Appscan Enterprise Presenter: Makida Yohannes, AppScan Enterprise Developer Action Based Explorer User Defined Tests Issue import activities listed in Monitor Export to XML Option added in Monitor Scan File available for download

26 Action Based Explorer Overview The Explore method is included in AppScan Enterprise with similar configuration as AppScan Standard. Users can select any one of the Explore Methods, or both. By default both methods are selected.

27 User Defined Tests Overview It gives users the ability to import user defined tests that are exported from AppScan Standard. Export *.udt file from AppScan Standard.

28 User Defined Tests Overview - 2 In AppScan Enterprise, go to Main menu > Administration > User Defined Tests. Browse to the location of the *.udt file and import it. Note: Each *.udt file can contain many user-defined tests. The installed user defined test will be executed whenever a scan runs.

29 User Defined Tests Overview - 3 List of all User Defined Tests can be seen in the grid.

30 User Defined Test Overview - 4 While uploading the *.udt file, if duplicate user defined tests are in the system, the user can choose to override the existing tests or cancel the installation. Canceling the installation will also cancel installation of any new rules that might exist in *.udt file.

31 Issue import activities listed in Monitor tab Overview List of Issue Import activities can now be seen in Monitor tab Go to an application > Click view details

32 Export to XML Option added on Monitor Overview The ability to export reports in xml format is added in the monitor side. Go to an application select issues and choose Export to XML option.

33 Export to XML Option added on Monitor Overview - 2 Go through the pages selecting your options as you would do for the other export formats. The screenshot of the exported xml file is as shown below.

34 Scan File is Available The encrypted scan file that was only used by support, is no longer password protected and is now available for users as well. The file exists in Extended support log.

35 What's new in Appscan Source Presenter: Robert Fiszer, AppScan Source Support Engineer IFA entitlement for Source (on-prem) users Improvement in filter usability Improvements in scanning large/complex applications

36 What is IFA Intelligent Findings Analytics, a cloud based tool. Analyzes Source assessments to identify most critical issues in a scan. More info: IFA by Kris Duer IFA Walkthrough

37 IFA Enablement for Source (on-prem) Users AppScan Source users are entitled to 10 free IFA scans If you have paid IFA scans, you will have 10 additional free scans per month

38 IFA Enablement for Source (on-prem) Users Must have an existing paid or trial account with BlueMix as well as a (free) IBM ID. These scans count against applicable global limits.

39 AppScan Source Filter Improvements AppScan Source exclusion filter usability has been improved Exclusion filters now have the option to be applied in either an AND or an OR fashion. Restrict and inverted restrict filters remain the same.

40 Unchanged AppScan Source Filters Behavior Multiple restrict to filters applied: OR logic Any findings that matches any one of the filters will be retained. Multiple inverted restrict to filters applied: Pruning behavior Any finding that matches any one of the filters will be discarded.

41 Changed AppScan Source Filters Behavior Previously, multiple exclude filters applied: AND logic Only findings that match all filters were removed. Currently, multiple exclude filters applied: Selectable logic Can be set to match all (old behavior) or match one (new option).

42 Changed AppScan Source Filters Behavior

43 Improvements in Scanning Large/Complex Applications Previously, AppScan source suffered from several dubious errors: Internal Errors Memory Limit Failure Out of Memory errors Swap memory errors General compilation errors

44 Improvements in Scanning Large/Complex Applications Internal Errors Internal Errors have been resolved in General Compilation Errors Still need to be analyzed on a case-by-case basis

45 Improvements in Scanning Large/Complex Applications If you get one of these errors: Memory Limit Failure Out of Memory Swap Limit Failure please open a support ticket (PMR). The AppScan support has been provided with additional tools and procedures to resolve and work around these issues.

46 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the IBM Connections Cloud Meeting chat To ask a question after this presentation: You are encouraged to participate in our Forum on this topic -

47 Where do you get more information? Header content 1 header content 2 Questions on this or other topics can be directed to the product forum: AppScan Standard forum AppScan Enterprise forum AppScan Source forum More articles you can review: AppScan Standard Fix Pack 4 at Fix Central AppScan Enterprise fixpack available at FixCentral AppScan Source Fix Pack 4 for version at Fix Central Useful links: Get started with Support IBM Support Portal Sign up for My Notifications Follow us:

48 THANK YOU FOLLOW US ON: securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.