What's new in AppScan Standard version

Transcription

1 What's new in AppScan Standard version IBM Audio Security Connection support dialog by Open access Mic the Slides and more information: February 22, 2017 IBM Security To hear the WebEx audio, select an option in the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. For more information, visit: NOTICE: By participating in this call, you give your Irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM s use of such Recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

2 Presenters: Ronen Bachar - AppScan Standard Dev Manager Shay Ophir - AppScan SW Engineer Idan Slonimsky - AppScan SW Engineer Lior Margalit - AppScan L3 Team lead Daniel Dubnikov - AppScan Engine Team Lead Panelist: Joe Lacy - AppScan Support Engineer Scott Hurd - AppScan Support Engineer Marek Stepien AppScan Knowledge Leader Moderator: Joe Kiggen AppScan and SKLA Support Manager IBM Security

3 Agenda: What's new in AppScan Standard version Product overview Action Based Multi-Step (ABMS) ASoC Integration AppScan commands improvements XSS testing with a Browser New compliance report GDPR IBM Security

4 Product Overview Customer Profiles Customers with a limited knowledge on either AppScan or security may run a scan easily Customers with limited resources can perform multiple scans Benefits Security scanning on cloud: A scalable solution to scan many apps easily Centralized management of your apps and results Scan Enablers verify coverage/in-session and security perspective Customer s machine isn t occupied during scan Scalable solution, allows concurrent scans Centralize your tested apps and scan results Action Base Multi-Step: Better support of RIA apps, especially in case apps with workflows Relatively easy to setup

5 Action-Based Multi-Step Operation (ABMS) Introduction Action-Based Advantages How to record Action-Based Sequence How to test Action-Based Multi-Step Operation Defining sequence variables Limitations

6 ABMS Introduction Scan Configuration > Multi-step Operations

7 ABMS Introduction Multi-step operation is enhanced with action based mechanism (Action-Based Multi-Step). This mechanism is based on the actions the user performs in the applications (the same as Action based login), rather than the traditional mechanism, which relies on recorded HTTP Requests. Action-based approach simplify configuration and provide a solution in cases where Request-Based Multi-Step fails.

8 Advantages of ABMS ABMS utilizes a real browser hence is free of many request-based limitations, since the browser does the client-side work. ABMS enables tracking parameters that are updated on client side (JS). With Request-based we track parameters from the response or the previous requests (but we could not track parameters that were updated on the tested request). ABMS simplifies the configuration. No need to use custom response, custom header response. Since the browser generates the correct parameters, cookies and headers, we can copy them from the browser to the mutated test request.

9 Advantages of ABMS ABMS enables better step validation. Browsers give a better representation of actual user actions. You can see if the actions played correctly with your own eyes by enabling browser-visible mode. ABMS utilizes a Browser's JS engine (don t need JSX). Browsers are up-to-date with the latest technologies.

10 How to record Action-Based Sequence Recording of the sequence is the same as recording the request-based sequence: 1. Set starting URL. 2. In Multi-Step Operation select: Login and then record or Record (without login) 3. Record the multi-step actions in the browser.

11 How to record Action-Based Sequence After closing the browser the sequence will be added to Multi Step Operations The sequence is recorded as a Request-based sequence

12 How to record Action-Based Sequence Select the Action-based option in the Playback Method section. Click Validate to validate the recording You may turn the Tracked option on the relevant parameters/cookies before the validation

13 Action-based mode description The Recorded Browser Actions panel shows the actions that were executed before each request The actions can be edited (as in Action-based Login).

14 How to test ABMS Start testing in the same way as with Request-based in previous versions of AppScan, for example with: Scan > Test Multi-Step Operations Only.

15 How to test ABMS You may also test using the Request-based method by switching Playback Method before starting the test. The selected playback method applies to all the multi-step sequences.

16 How to record and test ABMS short demo

17 Defining sequence variables in ABMS Define a sequence variable as follows 1. Right-click on the action and select Set a dynamic value. 2. Set the parameter as tracked.

18 ABMS Limitations ABMS is slow due to the need to open the browser for each test. You can reduce the time by choosing Don t test for requests that you do not need to test. ABMS playback does not support all sites. Play optimization is not available. When using Login and then record, ABMS does not check in-session, and login actions are performed in each test. Validation verifies only that all actions were performed properly, but does not validate the requests. External browser is not supported.

19 ASoC Integration AppScan Standard integration with ASoC ASoC stands for IBM Application Security on Clouds

20 ASoC Integration You can create a new scan in the cloud (ASoC) directly from AppScan Standard with: File > Export > Upload Scan to Application Security on Cloud

21 ASoC Integration - login There are two ways to login into AsoC from AppScan Standard: 1) With a User ID and Password 2) With Key ID and Key Secret (mainly used by federated users) Key ID and Secret can be generated from ASoC

22 ASoC Integration After login, you will be asked to Select an Application

23 ASoC Integration After selecting an application, you will get a dialog to define the basic configurations of the scan If needed, you can select a PSS (Private Site Scan) If a PSS is inactive its name will be shown in red with the suffix '(inactive)'. More information on PSS you can find at: PSS

24 ASoC Integration When clicking Upload and Run, the scan will be uploaded into ASoC, and ASoC will use the scan template and explore data from the scan to create a new scan, and will run it. Scan results will be created on ASoC (currently not possible to view the results in AppScan Standard) If the AppScan Standard scan already had results they will be cleared in ASoC.

25 ASoC Integration You can select the Test Only option only when the scan has Manual Explore data or Multi-Step Operations. Limitation: ASoC supports scan files up to 2GB

26 ASoC Integration Handling of Proxy ASoC Integration does not apply the AppScan Standard proxy that is defined at Scan Configuration > Communication and Proxy ASoC integration tries first to connect to the ASoC server without any proxy. If it fails, then Internet Explorer Proxy Settings are used.

27 New CLI commands CLI stands for Command Line Interface

28 New CLI commands AppScanCMD.exe /su " /cr "jsmith:demo1234" Ability to incorporate AppScanCMD in fully automated processes (such as Selenium QA). You can now set AppScan to Automatic Login, and define username and password for a scan, overriding any template settings. You no longer need to open AppScan manually to do this. AppScanCMD.exe /su " /cre "jsmith:demo1234" /to /mmer /opr /lp "53262" /so When opening the AppScan recording proxy using AppScanCMD, you can now save manual explore sequences to use later, without starting the scan.

29 XSS testing with a Browser The function is added to AppScan Standard , but it is not enabled by default. The feature has not been tested thoroughly, then if needed, it should be used with caution.

30 XSS testing with a Browser <p>here are the results for: <b>searchterm</b></p>

31 XSS testing with a Browser <p>here are the results for: <b><script>alert(666)</script></b></p>

32 XSS testing with a Browser <script> // Get the value of the p parameter var sterm = window.location.search.substr(3); </script>... <p>here are the results for: <b><script>document.write(sterm)</script></b></p>

33 XSS testing with a Browser <script> // Get the value of the p parameter var sterm = window.location.search.substr(3); </script>... <p>here are the results for: <b><script>document.write(sterm)</script></b></p>

34 XSS testing with a Browser Newer web technologies require complex JavaScript execution and page rendering in order to detect XSS vulnerabilities Sometimes parts of the page, and reflected data, are received asynchronously using AJAX In order to still detect these XSS vulnerabilities we are now utilizing a browser during our XSS tests Running the XSS detection on a browser s output can increase our detection capabilities and also decrease FP and FN results No changes will be required in order to support new upcoming web technologies

35 XSS testing with a Browser XSS tests that use a browser are the XSS Analyzer tests Browser testing acts as an extra validation only when the normal XSS detection fails Probes are used to prevent excessive redundant testing Issues are reported similarly to normal XSS tests, with a special header indicating that the response was rendered by a browser

36 XSS testing with a Browser If you need the feature, you can turn it on manually by setting the SendTestsUsingBrowser switch to True in the scan template. Contact AppScan Support if you need help with turning it on. The feature has not been tested thoroughly, then it is not supported in If having any issue with the feature, then the resolution may be turning it off.

37 Compliance Report - GDPR General Data Protection Regulation GDPR This Regulatory Compliance report can be generated through AppScan. [EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR) Compliance Report

38 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the IBM Connections Cloud Meeting chat To ask a question after this presentation: You are encouraged to participate in our Forum on this topic - IBM Security

39 Where do you get more information? Header content 1 header content 2 Questions on this or other topics can be directed to the product forum: AppScan Standard forum Useful links: AppScan Standard Fix Pack 5 at Fix Central AppScan Standard versions available Get started with IBM Security Support IBM Support Portal Sign up for My Notifications Follow us: IBM Security

40 THANK YOU FOLLOW US ON: securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. IBM Security