IBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners


Anton Barua
October 14, 2014

Abstract: To manage the challenge of addressing application security at the enterprise level, security teams must take a risk-based approach and prioritize assets, focus on identifying areas of highest risk, and then mitigate the risk. Addressing application security at an enterprise level goes beyond scanning applications for vulnerabilities. Large organizations might have thousands of applications that serve various purposes. If you use third-party scanners such as Nessus Vulnerability Scanner, or conduct manual pen testing to discover security issues, you can import these issues into AppScan Enterprise v9.0.1 for triaging.

This white paper shows you how to:

- Edit an issue profile template to create customized attributes for the imported issues
- Customize a scanner profile template for Nessus Vulnerability Scanner and edit its issue attributes so that AppScan Enterprise understands them during the import process
- Import issues discovered by the Nessus Vulnerability Scanner
- Triage the issues after they are imported into AppScan Enterprise

Table of Contents

1 Introduction
  1.1 Understanding Issue Attributes
  1.2 Understanding Scanner Profiles
2 Importing issues from third party scanners
  2.1 Understanding Third-Party Scanner Issue Attributes
  2.2 Editing the Issue Attribute Profile Template
  2.3 Creating a Scanner Profile
  2.4 Importing Issues from CSV files
3 Triaging Issues
  3.1 Triage a group of issues
4 Summary
5 Resources
About the Author

Table of Figures

Figure 1: Nessus scan data in CSV format
Figure 2: Navigating to the Issue Profile Template editor
Figure 3: Preconfigured AppScan Enterprise issue attributes
Figure 4: Creating custom attributes to consume Nessus issue data
Figure 5: Navigating to the Scanner Profile Template editor
Figure 6: Creating the Nessus Scanner Profile
Figure 7: Mapping Nessus attributes to AppScan Enterprise Issue Attributes
Figure 8: Before editing layout
Figure 9: After editing layout
Figure 10: Importing third party issues into Demo App
Figure 11: Import Issues dialog box
Figure 12: Importing issues
Figure 13: Nessus Issues imported into AppScan Enterprise
Figure 14: Updating issue attributes via import
Figure 15: Group issues by severity
Figure 16: Group issues by type
Figure 17: Mark issues as noise
Figure 18: After marking issues as noise
Figure 19: After marking issues to be In Progress
Figure 20: After marking issues as fixed
Figure 21: Change severity of a single issue
Figure 22: About Issue dialog box
Figure 23: Edit and save the severity value of an issue
Figure 24: After changing severity value of an issue
Figure 25: Edit and save the Source File attribute of an issue

Index of Tables

Table 1: Issue attribute examples

1 Introduction

An organization might have numerous applications that serve various purposes. It is the task of the security team to discover any vulnerability present in those applications, assess the risk of those applications, triage the security issues, and mitigate the risks. The security team might use various scanning tools or perform manual pen testing to discover security issues in the applications. Managing issues found by multiple scanning tools soon becomes a tedious task. Because each tool uses its own data format to produce and display scan results, interoperability between these tools can sometimes be difficult.

AppScan Enterprise v9.0.1 provides a centralized console where an organization can manage the security risks of all its applications. It provides security teams with the capability to import security issues found by other third-party scanner tools as well as from penetration testing exercises. It also provides the flexibility to customize necessary attributes to manage the imported issues. Users can create and customize profiles for different scanners to make regular issue import an easier process. Furthermore, users can integrate their existing tools with AppScan Enterprise's REST APIs to automate the security scanning and risk management tasks.

In this article, I will describe the basic concepts behind these ideas and present a real-world example of how a security team can import scan data from a well-known vulnerability scanning tool.

1.1 Understanding Issue Attributes

Security issues are found after scanning a vulnerable application. A security issue in an application represents a potential vulnerability that can be exploited by an attacker. To easily search, filter, triage, and group security issues, AppScan Enterprise reports each issue by using a number of descriptive attributes.

| DAST Issue Attributes | SAST Issue Attributes |
|---|---|
| Severity: High | Severity: Medium |
| Location: | Location: old_num_to_string_conversions.c (821) |
| Issue Type: Cross-Site Scripting | Issue Type: Buffer Overflow |
| Application Name: Altoro 2.0 | Application Name: Caretex Namtech |
| Discovery Method: DAST | Discovery Method: SAST |
| Path: /disclaimer.htm | Source File: %TestApps %\CPP\VS\all_c_vulns\all_c_vulns\all_c_vulns\old_num_to_string_conversions.c |
| Domain: demo.testfire.net | API: _gcvt |

Table 1: Issue attribute examples

Table 1: Issue attribute examples contains examples of issue attributes of two issues found by Dynamic Analysis Security Testing (DAST) and Static Analysis Security Testing (SAST). The DAST issue is a high-severity Cross-Site Scripting issue found in the page of the web application Altoro 2.0. The SAST issue is a medium-severity buffer overflow issue found in line 821 of the old_num_to_string_conversions.c file of the Caretex Namtech application. Some attributes such as Path and Domain are only relevant to DAST issues. Similarly, Source File and API are relevant to SAST issues only.

AppScan Enterprise describes issues according to an Issue Profile Template, which is preconfigured with a number of attributes that are used to describe issues it finds. A security analyst (with product administrator privileges in AppScan Enterprise) can customize the Issue Profile Template to facilitate importing issues that are found by third-party scanners, such as the Nessus Vulnerability Scanner. The security analyst can add custom attributes to the Issue Profile Template to describe different forms of data such as text, date, URL, etc. Furthermore, attributes can be enabled or disabled to show or hide those attributes' data from the AppScan Enterprise Monitor view.

1.2 Understanding Scanner Profiles

Users can import scan data in a Comma-Separated Value (CSV) file format from third-party scanners. Third-party scanners use various attribute names to describe issues they discover. These issue attribute data must be normalized and converted into AppScan Enterprise's issue attribute format before they are imported. Security analysts (with product administrator privileges in AppScan Enterprise) can create scanner profiles for third-party scanners in AppScan Enterprise.

A Scanner Profile is a one-to-one mapping from a third-party scanner's issue attributes to AppScan Enterprise's issue attributes. During the import process, AppScan Enterprise uses this mapping to convert the third-party scanner's issues into its own format. Normalizing issue data in this way provides an organization with a centralized issue management capability, as issues found using multiple scanners across multiple applications can be triaged using a common issue management view.

2 Importing issues from third party scanners

In this real-life example of importing data from a third-party scanner into AppScan Enterprise, I will use the Nessus Vulnerability Scanner.

In this step-by-step guide, I will show you how to:

- Understand the issue attributes of Nessus
- Customize the issue attribute profile template of AppScan Enterprise to prepare it for managing issues found by Nessus
- Create a Nessus Scanner Profile in AppScan Enterprise to import issues found by Nessus
- Import issues found by Nessus

2.1 Understanding Third-Party Scanner Issue Attributes

Figure 1: Nessus scan data in CSV format

Security issues can be exported from Nessus Vulnerability Scanner in CSV format. Figure 1: Nessus scan data in CSV format shows a snippet of issues found by a Nessus scan (for brevity, only a subset of the attributes that Nessus exports are shown). Here we can see that Nessus describes issues using these attributes: Plugin ID, CVE, Risk, Host, Protocol, Port, Name, and Synopsis. Among the attributes, the CVE attribute describes the Common Vulnerabilities and Exposures ID (see Resources) of the issue. Host, Protocol, and Port describe the network-related artifacts associated with the issue. Risk describes the potential risk if the issue is exploited. Name describes the type of the issue found, and Synopsis gives a brief summary of the issue. These attributes must be mapped to AppScan Enterprise's issue attributes before they are imported.

2.2 Editing the Issue Attribute Profile Template

To import issues found by Nessus, prepare AppScan Enterprise to consume the data. Some of the Nessus issue attributes can be mapped to the preconfigured attributes of AppScan Enterprise. For the remaining Nessus attributes, the security analyst creates corresponding attributes in AppScan Enterprise to use the correct data type.

Figure 2: Navigating to the Issue Profile Template editor

To add custom issue attributes for Nessus, navigate to the Edit Issue Profile Template dialog box by clicking the Edit Issue Profile Template menu item from the Portfolio tab in the IBM AppScan Enterprise "Monitor" view (see Figure 2: Navigating to the Issue Profile Template editor).

Figure 3: Preconfigured AppScan Enterprise issue attributes shows the Issue Profile Template editor dialog box and highlights in red the preconfigured attributes that are potential candidates for matching attribute data exported by Nessus. The Issue Type attribute can be used to consume the Name attribute data from Nessus, which describes the type of the issue. Similarly, Description, Severity Value, and Port can be used to consume data from the Synopsis, Risk, and Port Nessus attributes. However, if none of the preconfigured attributes is a potential match, the security analyst can create new attributes.

Figure 3: Preconfigured AppScan Enterprise issue attributes

Figure 4: Creating custom attributes to consume Nessus issue data

Figure 4: Creating custom attributes to consume Nessus issue data shows an example of creating four custom attributes for consuming the Host, Protocol, CVE, and Plugin ID attributes from Nessus. Because these attributes contain textual data that is relatively short in length, these attributes use Single Value as the Type. For longer text data (e.g., Synopsis), AppScan Enterprise provides a Long Text data type. Similarly, for date and Internet addresses, Date and URL attribute types are provided. For attributes that can contain values from a finite set, the Dropdown attribute type is provided. For example, the Risk attribute in Nessus can only contain values from the set {High, Medium, Low, None}. For attributes that contain more than one value (e.g., a list of ports), the Comma Separated Value type is provided.

Sidebar: The best practice for creating custom Issue Attributes is to match the data type that is the same or closest to the attribute data to be imported.

2.3 Creating a Scanner Profile

After creating custom attributes to enable AppScan Enterprise to consume Nessus issue attributes, the security analyst creates a Scanner Profile that will map Nessus attributes to the corresponding AppScan Enterprise issue attributes. To create a new scanner profile, navigate to the Edit Scanner Profile Template dialog box (see Figure 5: Navigating to the Scanner Profile Template editor).

Figure 5: Navigating to the Scanner Profile Template editor

In the Edit Scanner Profile Template dialog box, a new Scanner Profile can be added by clicking Add (see Figure 6: Creating the Nessus Scanner Profile). After creating the template for the Nessus scanner, define the mapping that will allow AppScan Enterprise to import Nessus issues. Navigate to the Edit Nessus Profile dialog box by clicking the Edit button next to the Nessus Scanner profile.

Figure 6: Creating the Nessus Scanner Profile

In the Edit Nessus Profile dialog box, a one-to-one mapping is created between Nessus attributes and AppScan Enterprise attributes. Click Add to create a new mapping. For each mapping, provide the Nessus Attribute name. Then, select the corresponding AppScan Enterprise attribute from the Issue Attribute Name list. Figure 7: Mapping Nessus attributes to AppScan Enterprise Issue Attributes contains a snapshot of the mapping for the Nessus scanner.

Figure 7: Mapping Nessus attributes to AppScan Enterprise Issue Attributes

One important aspect of creating a scanner profile template is to define which attribute(s) can uniquely identify an issue. For example, the exported scan data might contain an auto-incremented integer field for each row. In this case, that field alone can distinguish one issue from another. For our example data in Figure 1: Nessus scan data in CSV format, the fields that distinguish one issue from the next are Plugin ID, CVE, Host, Port, and Protocol. If two rows contain the same data for all of the uniqueness contributor fields, it means that the two issues are essentially duplicates. The uniqueness contributor fields provide a way to keep duplicate issues from being imported. The uniqueness contributor attributes must be chosen carefully by examining a portion of the scan data and understanding which attribute values can distinguish one issue from the other. In Figure 7: Mapping Nessus attributes to AppScan Enterprise Issue Attributes, the Unique check box is enabled for the attributes mentioned above.

If you want to change the order in which the imported issue attributes will be displayed, you can change it via the Edit Layout option (see Figure 7: Mapping Nessus attributes to AppScan Enterprise Issue Attributes). Figure 8: Before editing layout shows the initial ordering of the Nessus scanner profile attributes. The order can be changed by selecting an attribute from the menu and clicking the up/down arrow buttons on the right. Figure 9: After editing layout shows the ordering after the positions of some of the attributes were changed. After reordering the attributes, the change can be seen in the About Issue dialog (see Section 3.2: Edit the attributes of a single issue).

Figure 8: Before editing layout

Figure 9: After editing layout

After defining the mapping, the security analyst saves the Scanner Profile by clicking Ok in the Edit Nessus Attribute dialog box and clicking Save in the Edit Scanner Profile Template dialog box. Now AppScan Enterprise is ready to import issues from the Nessus Vulnerability Scanner.

Note: Creating a scanner profile is a one-time operation that is performed by the security analyst. After a profile has been created, other users can import issues using that scanner profile. The users do not need to create scanner profiles repeatedly for each of their import operations.

2.4 Importing Issues from CSV files

In our example, the Nessus Vulnerability Scanner has run a scan against an application named Demo App. The scan results are exported from Nessus into a CSV file named CITM_ne33ch_orig.csv. In your organization, it might be a developer, quality assurance specialist, or the security analyst who is responsible for scanning applications.

Click Import Issues on the Demo App tab in the AppScan Enterprise Monitor view to open the Import Issues dialog box. Figure 10: Importing third party issues into Demo App shows the navigation for performing this action.

Figure 10: Importing third party issues into Demo App

Figure 11: Import Issues dialog box

Figure 11: Import Issues dialog box shows the Import Issues from .csv File dialog box. Select the Scanner profile from the Scanner menu. In addition to the Scanner Profile, a name for the scan is also required. Finally, select a .csv file from the file system using the Select dialog box and click Import.

Figure 12: Importing issues shows the progress information shown during an import. The Added, Updated, and Skipped statistics show how many issues were imported, updated (if the same issue existed before), and skipped during the import. After the import process is completed, examine the import log to get a detailed description of the import, such as how many issues were skipped, whether any attribute contained invalid data, and so forth.

Figure 12: Importing issues

Figure 13: Nessus Issues imported into AppScan Enterprise shows the issues after the Nessus scan data has been successfully imported into AppScan Enterprise. Now, you can view the issues, edit issue details, and triage the issues for performing application risk management tasks.
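The scanner-profile mapping, the uniqueness contributor fields and the Added/Updated/Skipped counts described above can be rehearsed on a CSV export before it is imported. The following Python script is an added example, not part of the white paper or of AppScan Enterprise; the sample rows, plugin IDs, CVE placeholders and hosts are constructed, and the rules that an invalid Risk value or an identical row is skipped are assumptions.

```python
import csv
import io

# Scanner profile as described in the paper: Nessus column -> AppScan
# Enterprise issue attribute (the last four targets are custom attributes).
SCANNER_PROFILE = {
    "Name": "Issue Type",
    "Synopsis": "Description",
    "Risk": "Severity Value",
    "Port": "Port",
    "Host": "Host",
    "Protocol": "Protocol",
    "CVE": "CVE",
    "Plugin ID": "Plugin ID",
}
# Attributes with the Unique check box enabled in the paper's profile.
UNIQUE_FIELDS = ("Plugin ID", "CVE", "Host", "Port", "Protocol")
# Dropdown values the paper lists for the Nessus Risk attribute.
RISK_VALUES = {"High", "Medium", "Low", "None"}

# Constructed sample export: plugin IDs, CVE IDs and hosts are placeholders.
SAMPLE_CSV = """\
Plugin ID,CVE,Risk,Host,Protocol,Port,Name,Synopsis
90001,,Medium,192.0.2.10,tcp,443,SSL Certificate Cannot Be Trusted,The certificate cannot be trusted.
90001,,Medium,192.0.2.10,tcp,8443,SSL Certificate Cannot Be Trusted,The certificate cannot be trusted.
90002,CVE-0000-0001,High,192.0.2.10,tcp,22,Example SSH Finding,Constructed finding A.
90002,CVE-0000-0002,High,192.0.2.10,tcp,22,Example SSH Finding,Constructed finding B.
90001,,Medium,192.0.2.10,tcp,443,SSL Certificate Cannot Be Trusted,The certificate cannot be trusted.
90003,,Severe,192.0.2.11,udp,161,Example SNMP Finding,Constructed finding C.
"""
# Constructed re-import: same issue as the first row, with an edited Synopsis.
REIMPORT_CSV = """\
Plugin ID,CVE,Risk,Host,Protocol,Port,Name,Synopsis
90001,,Medium,192.0.2.10,tcp,443,SSL Certificate Cannot Be Trusted,Self-signed certificate on the admin portal.
"""


def cell(row, column):
    """Return a trimmed cell, treating a missing cell as empty."""
    return (row.get(column) or "").strip()


def read_rows(csv_text):
    """Parse the export and fail early if a mapped column is absent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = sorted(set(SCANNER_PROFILE) - set(reader.fieldnames or []))
    if missing:
        raise ValueError(f"CSV lacks mapped columns: {missing}")
    return list(reader)


def merged_by_key(csv_text, fields):
    """Count distinct rows that a candidate uniqueness key would collapse."""
    rows = read_rows(csv_text)
    distinct_rows = {tuple(cell(r, c) for c in SCANNER_PROFILE) for r in rows}
    distinct_keys = {tuple(cell(r, c) for c in fields) for r in rows}
    return len(distinct_rows) - len(distinct_keys)


def import_issues(csv_text, store):
    """Model one import into `store`, a dict keyed by the uniqueness key."""
    stats = {"added": 0, "updated": 0, "skipped": 0}
    log = []
    for line_no, row in enumerate(read_rows(csv_text), start=2):
        risk = cell(row, "Risk")
        if risk not in RISK_VALUES:
            # Assumption: a value outside the dropdown set skips the row.
            stats["skipped"] += 1
            log.append(f"line {line_no}: invalid Risk value {risk!r}")
            continue
        key = tuple(cell(row, c) for c in UNIQUE_FIELDS)
        issue = {
            target: cell(row, source)
            for source, target in SCANNER_PROFILE.items()
        }
        if key not in store:
            store[key] = issue
            stats["added"] += 1
        elif store[key] != issue:
            store[key] = issue
            stats["updated"] += 1
        else:
            # Assumption: an identical row for an existing issue is skipped.
            stats["skipped"] += 1
            log.append(f"line {line_no}: duplicate of an existing issue")
    return stats, log


if __name__ == "__main__":
    print("distinct rows merged by (Plugin ID, Host):",
          merged_by_key(SAMPLE_CSV, ("Plugin ID", "Host")))
    print("distinct rows merged by the profile's key:",
          merged_by_key(SAMPLE_CSV, UNIQUE_FIELDS))
    issues = {}
    print(import_issues(SAMPLE_CSV, issues))
    print(import_issues(REIMPORT_CSV, issues))
```

A non-zero result from `merged_by_key` means the candidate key is too narrow: distinct findings would be treated as one issue on import.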

Figure 13: Nessus Issues imported into AppScan Enterprise

After import, you may need to edit the values of some attributes. For example, you may need to edit the description attribute of an issue. You can change the value of the attribute in the CSV file and import the file again. This action will update the attribute value for the corresponding issue. Figure 14: Updating issue attributes via import shows such an example where the Description attribute of Issue #2381 was updated. In this way, multiple issues can be updated at once. You can also update the attributes of a single issue via the AppScan Enterprise user interface (see Section 3.2: Edit the attributes of a single issue).

Figure 14: Updating issue attributes via import

3 Triaging Issues

After importing third-party security scan results into AppScan Enterprise, the security team can proceed to the next task: triaging issues. This task is essential to effectively mitigate security vulnerabilities in an application and reduce the overall risk of the application. Issue triaging has the following benefits:

- Reduce noise to better focus on the real issues: After discovering vulnerabilities in the application, the security team needs to assign these vulnerabilities to the developers to fix. However, some of the issues found by the scans might be false positives which do not need fixing. These issues can be marked as Noise. In addition, some issues might be already fixed and are awaiting manual verification or review. These issues can be marked as Passed. After classifying issues as Noise or Passed, the security team can then shift the focus to other issues, such as Open, Reopened and In Progress. Issues that are Open or Reopened have a negative impact on the overall risk of an application.
- Track progress toward remediation: The security team can track progress by evaluating each open issue and classifying it as Fixed, In Progress, Noise, or Passed. Assigning issues a status helps better manage large volumes of issue data. The security team can identify and track what issues to fix first and what does not need to be fixed at all.
- Show positive results: Classifying issues also allows the security team to show positive results or progress in the organization to give key stakeholders a more realistic picture of the application's security risk.

3.1 Triage a group of issues

You can group issues by severity or by their type. Figure 15: Group issues by severity and Figure 16: Group issues by type show the IBM AppScan Enterprise Monitor view when issues are grouped by severity and type, respectively.

Figure 15: Group issues by severity

Figure 16: Group issues by type

Mark a group of issues as noise

You mark a group of issues as noise to indicate that the issues are not relevant and should no longer be considered as vulnerabilities. Issues are often marked as noise because they are false positives. After import, all issues will be marked as Open by default. To mark a group of issues as noise, select the issues that you have determined to be noise. The issue triage action menu will display. From the menu, click Noise. Figure 17: Mark issues as noise shows an example of this action. Also notice that 176 issues are currently in Active/Open state after import.

Figure 17: Mark issues as noise

Figure 18: After marking issues as noise shows the result after 4 issues were marked as noise. Notice that the number of Active/Open issues has been reduced to 172 and 4 issues have been resolved as a result of this action.

Figure 18: After marking issues as noise

Mark a group of issues to be in progress

You assign a group of issues as in progress to indicate that you triaged them and determined that these are real vulnerabilities that must be addressed. To mark issues in progress, select issues from the list, and click In Progress in the Issue Triage menu. Figure 19: After marking issues to be In Progress shows the result after 5 issues were selected and marked as In Progress.

Figure 19: After marking issues to be In Progress

Mark a group of issues as Fixed

After marking issues to be In Progress, the developers can investigate the issues and fix them. After the issues are fixed, you can mark those issues as fixed. Fixed issues should not be found in subsequent security scans of the application. Figure 20: After marking issues as fixed shows the result after three issues that were in progress have been fixed.

Figure 20: After marking issues as fixed

3.2 Edit the attributes of a single issue

You can change the status attribute of an issue from the Monitor view using the Issue Triage menu. However, if you want to change the values of other attributes such as the severity of an imported issue, you can navigate to the About Issue view to perform this task. For example, take a look at issue #2293: SSL Certificate Cannot Be Trusted in Figure 21: Change severity of a single issue. This issue was classified as a Medium severity issue by Nessus. After triage, you may decide that this issue should be treated as a High severity issue. To make this change, click the Issue ID link to open the About Issue dialog.

Figure 21: Change severity of a single issue

Figure 22: About Issue dialog box shows the attribute values for issue #2293. To change the value of an attribute, click Edit Attributes in the top right corner.

Figure 22: About Issue dialog box

Figure 23: Edit and save the severity value of an issue shows the About Issue dialog box in edit mode. The severity value of the issue has been changed from Medium to High. Notice that you can also change the Issue status in this dialog. After the necessary attribute values have been edited, click Save Attributes in the top right corner to save the issue. Figure 24: After changing severity value of an issue shows Issue #2293 grouped under the High severity group after saving.

Figure 23: Edit and save the severity value of an issue

Figure 24: After changing severity value of an issue

You can also change the value of issue attributes which are not part of the scanner profile mapping. For example, if an issue is found in the source file Authentication.java, you can manually edit the issue attribute called Source File to update this information for the issue (see Figure 25: Edit and save the Source File attribute of an issue). You can also add custom issue attributes by adding them to the Issue Attribute Template and edit the attribute value in the About Issue dialog.

Figure 25: Edit and save the Source File attribute of an issue

4 Summary

To effectively manage the security risks of all the applications in an organization, security teams may use a variety of scanning tools. AppScan Enterprise v9.0.1 has the capability to import security issues found by third-party tools, providing security teams a convenient way to manage the security risks of their application inventory. In this white paper I have provided a step-by-step guide on importing issues from a well-known scanning tool into AppScan Enterprise and explained the various triaging techniques that can be used after the import.

5 Resources

- View a video about triaging issues:
- Visit the Common Vulnerabilities and Exposures website to find more about CVE IDs.

About the Author

Anton Barua is a software developer on the IBM Security AppScan Enterprise development team. Prior to this, he was a research assistant in the Queen's Reliable Software Technology Group at Queen's University, Kingston, Canada, where his research focused on the security of web browser extensions.


More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012 WHITEHAT SECURITY DECEMBER 2012 T.C. NIEDZIALKOWSKI Technical Evangelist tc@whitehatsec.com WhiteHat Security Company Overview Headquartered in Santa Clara, CA WhiteHat Sentinel SaaS end-to-end website

More information

TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS

TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS CONFIDENCE: SECURED WHITE PAPER IRFAHN KHIMJI, CISSP TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE EXECUTIVE SUMMARY A vulnerability

More information

Data Breach Risk Scanning and Reporting

Data Breach Risk Scanning and Reporting Data Breach Risk Scanning and Reporting 2017. SolarWinds. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

Perceptive Matching Engine

Perceptive Matching Engine Perceptive Matching Engine Advanced Design and Setup Guide Version: 1.0.x Written by: Product Development, R&D Date: January 2018 2018 Hyland Software, Inc. and its affiliates. Table of Contents Overview...

More information

CompTIA Cybersecurity Analyst+

CompTIA Cybersecurity Analyst+ CompTIA Cybersecurity Analyst+ Course CT-04 Five days Instructor-Led, Hands-on Introduction This five-day, instructor-led course is intended for those wishing to qualify with CompTIA CSA+ Cybersecurity

More information

Security Configuration Assessment (SCA)

Security Configuration Assessment (SCA) Security Configuration Assessment (SCA) Getting Started Guide Security Configuration Assessment (SCA) is a lightweight cloud service which can quickly perform the configuration assessment of the IT assets,

More information

Pure Storage FlashArray Management Pack for VMware vrealize Operations Manager User Guide. (Version with Purity 4.9.

Pure Storage FlashArray Management Pack for VMware vrealize Operations Manager User Guide. (Version with Purity 4.9. Pure Storage FlashArray Management Pack for VMware vrealize Operations Manager User Guide (Version 1.0.139 with Purity 4.9.x or higher) Sunday, November 27, 2016 16:13 Pure Storage FlashArray Management

More information

System and Software Architecture Description (SSAD)

System and Software Architecture Description (SSAD) System and Software Architecture Description (SSAD) The Los Angeles Community Garden Inventory and Locator Team 13 Ardalan Yousefi Cole Cecil Jeff Tonkovich Shi-Xuan Zeng Project Manager Integrated Independent

More information

IBM Proventia Network Enterprise Scanner

IBM Proventia Network Enterprise Scanner Protecting corporate data with preemptive risk identification IBM Proventia Network Enterprise Scanner Identifying risk and prioritizing protection IBM Proventia Network Enterprise Scanner * (Enterprise

More information

ForeScout CounterACT. Configuration Guide. Version 2.2

ForeScout CounterACT. Configuration Guide. Version 2.2 ForeScout CounterACT Core Extensions Module: IOC Scanner Plugin Version 2.2 Table of Contents About the CounterACT IOC Scanner Plugin... 4 Use Cases... 5 Broaden the Scope and Capacity of Scanning Activities...

More information

CounterACT IOC Scanner Plugin

CounterACT IOC Scanner Plugin CounterACT IOC Scanner Plugin Version 2.0.1 Table of Contents About the CounterACT IOC Scanner Plugin... 4 Use Cases... 5 Broaden the Scope and Capacity of Scanning Activities... 5 Use CounterACT Policy

More information

Tenable.io Evaluation Workflow. Last Revised: August 22, 2018

Tenable.io Evaluation Workflow. Last Revised: August 22, 2018 Tenable.io Evaluation Workflow Last Revised: August 22, 2018 Table of Contents Welcome 3 Part One 4 Create User(s) and Group(s) 5 Create Target Group(s) 6 Create Exclusion Lists 7 Create an External Scan

More information

SHA-1 to SHA-2. Migration Guide

SHA-1 to SHA-2. Migration Guide SHA-1 to SHA-2 Migration Guide Web-application attacks represented 40 percent of breaches in 2015. Cryptographic and server-side vulnerabilities provide opportunities for cyber criminals to carry out ransomware

More information

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018 How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment

More information

Skybox. Change Manager Help

Skybox. Change Manager Help Skybox Change Manager Help 8.5.600 Proprietary and Confidential to Skybox Security. 2017 Skybox Security, Inc. All rights reserved. Due to continued product development, the information contained in this

More information

Collaborate in Qlik Sense. Qlik Sense February 2018 Copyright QlikTech International AB. All rights reserved.

Collaborate in Qlik Sense. Qlik Sense February 2018 Copyright QlikTech International AB. All rights reserved. Collaborate in Qlik Sense Qlik Sense February 2018 Copyright 1993-2018 QlikTech International AB. All rights reserved. Copyright 1993-2018 QlikTech International AB. All rights reserved. Qlik, QlikTech,

More information

How-to Guide: Tenable.io for Lieberman. Last Revised: August 14, 2018

How-to Guide: Tenable.io for Lieberman. Last Revised: August 14, 2018 How-to Guide: Tenable.io for Lieberman RED Last Revised: August 14, 2018 Table of Contents Introduction 3 Integrations 4 Windows Integration 5 SSH Integration 11 Database Integration 17 Additional Information

More information

Virto SharePoint Forms Designer for Office 365. Installation and User Guide

Virto SharePoint Forms Designer for Office 365. Installation and User Guide Virto SharePoint Forms Designer for Office 365 Installation and User Guide 2 Table of Contents KEY FEATURES... 3 SYSTEM REQUIREMENTS... 3 INSTALLING VIRTO SHAREPOINT FORMS FOR OFFICE 365...3 LICENSE ACTIVATION...4

More information

MarkLogic Server. Query Console User Guide. MarkLogic 9 May, Copyright 2018 MarkLogic Corporation. All rights reserved.

MarkLogic Server. Query Console User Guide. MarkLogic 9 May, Copyright 2018 MarkLogic Corporation. All rights reserved. Query Console User Guide 1 MarkLogic 9 May, 2017 Last Revised: 9.0-7, September 2018 Copyright 2018 MarkLogic Corporation. All rights reserved. Table of Contents Table of Contents Query Console User Guide

More information

RiskSense Attack Surface Validation for IoT Systems

RiskSense Attack Surface Validation for IoT Systems RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing

More information

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2 Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict

This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict 1 This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict access between segments This creates a layered defense

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Laserfiche Rio 10.3: Deployment Guide. White Paper

Laserfiche Rio 10.3: Deployment Guide. White Paper Laserfiche Rio 10.3: Deployment Guide White Paper January 2018 Table of Contents How Laserfiche Licensing Works... 4 Types of Licenses... 4 Named User Licenses... 4 WebLink Public Portal Licenses... 6

More information

Vulnerability Validation Tutorial

Vulnerability Validation Tutorial Vulnerability Validation Tutorial Last updated 01/07/2014-4.8 Vulnerability scanning plays a key role in the vulnerability management process. It helps you find potential vulnerabilities so that you can

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix ForeScout Extended Module for IBM BigFix Version 1.0.0 Table of Contents About this Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 Concepts, Components, Considerations...

More information

ehepqual- HCV Quality of Care Performance Measure Program

ehepqual- HCV Quality of Care Performance Measure Program NEW YORK STATE DEPARTMENT OF HEALTH AIDS INSTITUTE ehepqual- HCV Quality of Care Performance Measure Program USERS GUIDE A GUIDE FOR PRIMARY CARE AND HEPATITIS C CARE PROVIDERS * * For use with ehepqual,

More information

How to Transition from Nessus to SecurityCenter Reports

How to Transition from Nessus to SecurityCenter Reports HOW-TO GUIDE How to Transition from Nessus to SecurityCenter Reports Using SecurityCenter for continuous network monitoring and vulnerability assessment will give you a greatly expanded set of features

More information

MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents

MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents Contents MWR InfoSecurity Security Advisory IBM Lotus Domino Accept- Language Stack Overflow 20 th May 2008 2008-05-20 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5

More information

Imagine. Create. Discover. User Manual. TopLine Results Corporation

Imagine. Create. Discover. User Manual. TopLine Results Corporation Imagine. Create. Discover. User Manual TopLine Results Corporation 2008-2009 Created: Tuesday, March 17, 2009 Table of Contents 1 Welcome 1 Features 2 2 Installation 4 System Requirements 5 Obtaining Installation

More information

User Guide. Version R95. English

User Guide. Version R95. English Software Management User Guide Version R95 English September 22, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

MarkLogic Server. Query Console User Guide. MarkLogic 9 May, Copyright 2017 MarkLogic Corporation. All rights reserved.

MarkLogic Server. Query Console User Guide. MarkLogic 9 May, Copyright 2017 MarkLogic Corporation. All rights reserved. Query Console User Guide 1 MarkLogic 9 May, 2017 Last Revised: 9.0-1, May, 2017 Copyright 2017 MarkLogic Corporation. All rights reserved. Table of Contents Table of Contents Query Console User Guide 1.0

More information

CounselLink Reporting. Designer

CounselLink Reporting. Designer CounselLink Reporting Designer Contents Overview... 1 Introduction to the Document Editor... 2 Create a new document:... 2 Document Templates... 3 Datasets... 3 Document Structure... 3 Layout Area... 4

More information

Reinvent Your 2013 Security Management Strategy

Reinvent Your 2013 Security Management Strategy Reinvent Your 2013 Security Management Strategy Laurent Boutet 18 septembre 2013 Phone:+33 6 25 34 12 01 Email:laurent.boutet@skyboxsecurity.com www.skyboxsecurity.com What are Your Key Objectives for

More information

Lionbridge Connector for Sitecore. User Guide

Lionbridge Connector for Sitecore. User Guide Lionbridge Connector for Sitecore User Guide Version 4.0.2 March 28, 2018 Copyright Copyright 2018 Lionbridge Technologies, Inc. All rights reserved. Lionbridge and the Lionbridge logotype are registered

More information

AlienVault USM Appliance for Security Engineers 5 day course outline. Module 2: USM Appliance Basic Configuration and Verifying Operations

AlienVault USM Appliance for Security Engineers 5 day course outline. Module 2: USM Appliance Basic Configuration and Verifying Operations AlienVault USM Appliance for Security Engineers 5 day course outline Course Introduction Module 1: Overview The Course Introduction provides students with the course objectives and prerequisite learner

More information

System and Software Architecture Description (SSAD)

System and Software Architecture Description (SSAD) System and Software Architecture Description (SSAD) The Los Angeles Community Garden Inventory and Locator Team 13 Ardalan Yousefi Cole Cecil Jeff Tonkovich Shi-Xuan Zeng Project Manager Integrated Independent

More information

Collaborate in Qlik Sense. Qlik Sense April 2018 Copyright QlikTech International AB. All rights reserved.

Collaborate in Qlik Sense. Qlik Sense April 2018 Copyright QlikTech International AB. All rights reserved. Collaborate in Qlik Sense Qlik Sense April 2018 Copyright 1993-2018 QlikTech International AB. All rights reserved. Copyright 1993-2018 QlikTech International AB. All rights reserved. Qlik, QlikTech, Qlik

More information

USING GOOGLE PRESENTATIONS A New Way to Present

USING GOOGLE PRESENTATIONS A New Way to Present USING GOOGLE PRESENTATIONS A New Way to Present OBJECTIVES 1. Creating a Google Account 2. Creating a New Presentation a. Choosing a Template b. Adding a File Name 3. Creating a Title Slide 4. Adding a

More information

Marketer's Guide. User guide for marketing analysts and business users

Marketer's Guide. User guide for marketing analysts and business users Marketer's Guide Rev: 18 November 2014 Email Campaign Manager 2.2 for Sitecore CMS 7.5 Marketer's Guide User guide for marketing analysts and business users Table of Contents Chapter 1 Introduction...

More information

Roxen Content Provider

Roxen Content Provider Roxen Content Provider Generation 3 Templates Purpose This workbook is designed to provide a training and reference tool for placing University of Alaska information on the World Wide Web (WWW) using the

More information

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk. RiskSense Platform RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 27 RiskSense, Inc. Executive Summary The RiskSense Platform is a Software-as-a-Service

More information

CONFIGURING SAFE V4.0 IN THE IBM COLLABORATIVE LIFECYCLE MANAGEMENT

CONFIGURING SAFE V4.0 IN THE IBM COLLABORATIVE LIFECYCLE MANAGEMENT CONFIGURING SAFE V4.0 IN THE IBM COLLABORATIVE LIFECYCLE MANAGEMENT Abstract In this document, we provide step-by-step guidance to configure support for the SAFe V4.0 methodology in CLM tooling. Amy Silberbauer

More information

ThreatConnect Learning Exercises

ThreatConnect Learning Exercises ThreatConnect Learning Exercises The following exercises will teach you some of the important features within the ThreatConnect platform. You will learn various ways of adding intelligence data into ThreatConnect,

More information

EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices

EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices Hands-On Lab Description Most corporations today have some form of patch process in place. In this session, you will learn

More information

KYOCERA Net Viewer 5.3 User Guide

KYOCERA Net Viewer 5.3 User Guide KYOCERA Net Viewer. User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Guide to Importing Data

Guide to Importing Data Guide to Importing Data CONTENTS Data Import Introduction... 3 Who should use the Gold-Vision Import Client?... 3 Prepare your data... 3 Downloading and installing the import client... 7 Step One Getting

More information

Introduction to Qualtrics ITSC

Introduction to Qualtrics ITSC Introduction to Qualtrics ITSC August 2015 Contents A. General Information... 4 B. Login... 5 New Qualtrics User... 5 Existing Qualtrics User... 7 C. Navigating Qualtrics... 9 D. Create Survey... 10 Quick

More information

Tenant Administration. vrealize Automation 6.2

Tenant Administration. vrealize Automation 6.2 vrealize Automation 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

Dell License Manager Version 1.2 User s Guide

Dell License Manager Version 1.2 User s Guide Dell License Manager Version 1.2 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either

More information

OnCommand Insight 7.2

OnCommand Insight 7.2 OnCommand Insight 7.2 Planning Guide for the Java UI March 2016 215-10395_A0 doccomments@netapp.com Table of Contents 3 Contents OnCommand Insight Plan features... 5 OnCommand Insight product portfolio...

More information

Lionbridge Connector for Episerver CMS 11. User Guide

Lionbridge Connector for Episerver CMS 11. User Guide Lionbridge Connector for Episerver CMS 11 User Guide Version 1.4.2 June 8, 2018 Copyright Copyright 2018 Lionbridge Technologies, Inc. All rights reserved. Lionbridge and the Lionbridge logotype are registered

More information

HQ 754 th Electronic Systems Group. Application Software Assurance Center of Excellence (ASACoE) Maj Michael Kleffman, CTO ASACoE

HQ 754 th Electronic Systems Group. Application Software Assurance Center of Excellence (ASACoE) Maj Michael Kleffman, CTO ASACoE HQ 754 th Electronic Systems Group Application Software Assurance Center of Excellence (ASACoE) Maj Michael Kleffman, CTO ASACoE Overview Context and Mission Resources and Tempo Accomplishments Services

More information

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course Terms, Methodology, Preparation, Obstacles, and Pitfalls Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/

More information

How-to Guide: JIRA Plug-in for Tenable.io. Last Revised: January 29, 2019

How-to Guide: JIRA Plug-in for Tenable.io. Last Revised: January 29, 2019 How-to Guide: JIRA Plug-in for Tenable.io Last Revised: January 29, 2019 Table of Contents Welcome to JIRA Plug-in for Tenable.io 3 Prerequisites 4 Custom Fields Created in JIRA 5 Install 10 Configure

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

A Strategic Approach to Web Application Security

A Strategic Approach to Web Application Security A STRATEGIC APPROACH TO WEB APP SECURITY WHITE PAPER A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle The problem: websites are the new

More information

6. In the last Import Wizard dialog box, click Finish. Saving Excel Data in CSV File Format

6. In the last Import Wizard dialog box, click Finish. Saving Excel Data in CSV File Format PROCEDURES LESSON 39: WKING WITH FILE FMATS Using the Compatibility Checker 2 Click Info 3 Click Check for Issues 4 Click Check Compatibility 5 Review the issues and click OK Importing a File 1 Click the

More information

Introduction to rules

Introduction to rules Introduction to rules Rules allow you to control the behavior of a form by performing actions that take place based on conditions within the form, or events that take place when filling out a form. The

More information

ForeScout Extended Module for Bromium Secure Platform

ForeScout Extended Module for Bromium Secure Platform ForeScout Extended Module for Bromium Secure Platform Version 1.3.0 Table of Contents About the Bromium Integration... 3 Additional Bromium Secure Platform Documentation... 3 About This Module... 3 How

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

OpenForms360 Validation User Guide Notable Solutions Inc.

OpenForms360 Validation User Guide Notable Solutions Inc. OpenForms360 Validation User Guide 2011 Notable Solutions Inc. 1 T A B L E O F C O N T EN T S Introduction...5 What is OpenForms360 Validation?... 5 Using OpenForms360 Validation... 5 Features at a glance...

More information

Navigating the River of Woe to EPIC Vulnerability Assessments

Navigating the River of Woe to EPIC Vulnerability Assessments SEC460.3 Enterprise Threat and Vulnerability Assessment Navigating the River of Woe to EPIC Vulnerability Assessments Copyright 2016-2017 Matthew Toussain All Rights Reserved 2 CHOICE You dash out of the

More information

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed.

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed. University of Alabama at Birmingham VULNERABILITY MANAGEMENT RULE May 19, 2017 Related Policies, Procedures, and Resources Data Protection and Security Policy Data Classification Rule 1.0 Introduction

More information

Sophos Mobile. startup guide. Product Version: 8.1

Sophos Mobile. startup guide. Product Version: 8.1 Sophos Mobile startup guide Product Version: 8.1 Contents About this guide... 1 Sophos Mobile licenses... 2 Trial licenses...2 Upgrade trial licenses to full licenses... 2 Update licenses... 2 What are

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

12/05/2017. Geneva ServiceNow Security Management

12/05/2017. Geneva ServiceNow Security Management 12/05/2017 Security Management Contents... 3 Security Incident Response...3 Security Incident Response overview... 3 Get started with Security Incident Response... 6 Security incident creation... 40 Security

More information

Automated, Real-Time Risk Analysis & Remediation

Automated, Real-Time Risk Analysis & Remediation Automated, Real-Time Risk Analysis & Remediation TABLE OF CONTENTS 03 EXECUTIVE SUMMARY 04 VULNERABILITY SCANNERS ARE NOT ENOUGH 06 REAL-TIME CHANGE CONFIGURATION NOTIFICATIONS ARE KEY 07 FIREMON RISK

More information

Integrate Saint Security Suite. EventTracker v8.x and above

Integrate Saint Security Suite. EventTracker v8.x and above EventTracker v8.x and above Publication Date: June 6, 2018 Abstract This guide provides instructions to configure Saint Security Suite to send crucial events to EventTracker Enterprise by means of syslog.

More information

Contents. Add a Form Element to a Group Box Add a Field to a Form... 22

Contents. Add a Form Element to a Group Box Add a Field to a Form... 22 Workflow Design Guide Version 17 November 2017 Contents About This Guide... 7 Workflows and Forms Overview... 7 Security Permissions for Workflows and Forms... 8 Search for a Workflow Design, Workflow

More information

How-to Guide: Tenable for McAfee epolicy Orchestrator. Last Updated: April 03, 2018

How-to Guide: Tenable for McAfee epolicy Orchestrator. Last Updated: April 03, 2018 How-to Guide: Tenable for McAfee epolicy Orchestrator Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable for McAfee epolicy Orchestrator 1 Introduction 3 Integration Requirements 4 Tenable

More information