IBM AppScan Source is a static application security testing (SAST) tool that scans source code to identify vulnerabilities like SQL injection and cross-site scripting. It has components for analysis, development, remediation, and automation. It can be deployed as a standard desktop tool, in a small workgroup, or in an enterprise environment integrated with other tools. AppScan Source features include importing apps, configuring scans, viewing results, and generating reports. It aims to help security analysts, developers, and organizations identify and fix issues to prevent data breaches and other security problems.
IBM AppScan Source: The SAST Solution
1. IBM AppScan Source
The SAST solution
Thuc X.Vu <thuc@labsofthings.com>
Researcher, founder of IoT and Data Processing Labs
Vietsoftware International Inc.
Website: http://labsofthings.com/
2. IBM AppScan Solution2 Vietsoftware International Inc.
Agenda
Understanding what AppScan Source is
AppScan Source components
Deployment models
Features and Tooling
Workflow
DEMO
Understanding what AppScan Source is
AppScan Source is a static application security testing (SAST) solution.
Scans application source code for security vulnerabilities: SQL injection, command injection, cross-site scripting, buffer overflow.
These vulnerabilities are exploitable weaknesses in code that lead to:
1. Loss of reputation
2. Loss of money
3. A breach or an exposure of sensitive information
4. Business noncompliance
AppScan Source enables organizations to proactively identify and mitigate security risk.
AppScan Source components
Source for Analysis, Source for Development, Source for Remediation, Source for Automation
1. AppScan Source for Automation
Allows build teams to execute scans at build time
Command line tooling and build tools allow for ease of automation
Assessment publishing and reporting directly from automation
AppScan Source components (Cont.)
2. AppScan Source for Development
Allows developers to perform security scans
Plugins supplied for IDEs
Remediate vulnerabilities
3. AppScan Source for Analysis
Allows security analysts to configure applications for SAST scanning and to optimize the scan configuration to focus on vulnerable source code
Analyze, isolate, and take action on priority vulnerabilities.
Provides security analysts, QA managers, and development managers with fast time-to-results.
AppScan Source components (Cont.)
AppScan Source Database
An out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory.
AppScan Source command line interface (CLI) client
Provides command line access to various AppScan Source functions to enable integration, automation, and scripting.
Plugins for Make, Ant, and Maven allow the configuration process to be automated.
AppScan Source Edition Products vs Roles
Standard desktop deployment (Cont.)
Used in a small organization, for a security analyst/auditor who performs security assessments
No defect tracking system integration or build integration
Uses the AppScan Source administrative account, with no LDAP Directory Server integration
Small workgroup deployment (Cont.)
Used in small to moderate organizations
Dedicated to different roles: Administrator, Manager, Security Analyst, Developer
Build automation server integration
Enterprise workgroup deployment (Cont.)
Integrates with a defect tracking system
Authentication through LDAP integration
AppScan Source Features and Tooling
Configuration perspective:
- Import existing applications from IDEs
- Configure AppScan Source applications and projects
- Scan code
- Create and manage applications, projects, and
attributes
Triage perspective:
- View scan results to prioritize remediation workflow
- Organize findings
- Filter findings
- Promote, demote, and dispatch findings for
remediation
Analysis perspective:
- Drill down to individual findings
- Track data flow visually through the source code (trace)
- Access contextual remediation assistance
- Generate Reports
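To make the "trace" idea concrete, here is an added illustration (not AppScan Source code, and not the project's own algorithm): a deliberately small intra-procedural taint tracer over a Python AST that follows untrusted data from a source (`input`, an assumed source) through assignments into a sink (`execute`, `system`, assumed sinks) and reports the line-by-line path, the way a SAST trace shows source-to-sink flow for SQL and command injection. The sample program it scans is constructed for this example.

```python
import ast

# Constructed sample program: one SQL injection flow, one command injection
# flow, and one safe query that must not be reported.
SAMPLE = '''
user = input("user: ")
name = user.strip()
query = "SELECT * FROM users WHERE name = '" + name + "'"
cursor.execute(query)
safe = "SELECT 1"
cursor.execute(safe)
cmd = "ping " + user
os.system(cmd)
'''

SOURCES = {"input"}                                      # assumed untrusted entry points
SINKS = {"execute": "SQL injection", "system": "command injection"}  # assumed sinks

def tainted_names(node, taint):
    """Names referenced anywhere under `node` that currently carry taint."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name) and n.id in taint}

def trace(source_code):
    """Walk top-level statements in order, propagate taint through simple
    assignments, and return (vulnerability, [line numbers of the trace])
    for every sink call that consumes tainted data."""
    taint = {}        # variable name -> line numbers the data flowed through
    findings = []
    for stmt in ast.parse(source_code).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            target = stmt.targets[0].id
            calls = [c for c in ast.walk(stmt.value) if isinstance(c, ast.Call)]
            from_source = any(isinstance(c.func, ast.Name) and c.func.id in SOURCES
                              for c in calls)
            via = tainted_names(stmt.value, taint)
            if from_source:
                taint[target] = [stmt.lineno]
            elif via:   # extend the trace of one contributing tainted variable
                taint[target] = taint[sorted(via)[0]] + [stmt.lineno]
            else:       # overwritten with untainted data: taint is cleared
                taint.pop(target, None)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            func = stmt.value.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            via = tainted_names(stmt.value, taint)
            if name in SINKS and via:
                findings.append((SINKS[name], taint[sorted(via)[0]] + [stmt.lineno]))
    return findings

if __name__ == "__main__":
    for kind, path in trace(SAMPLE):
        print(f"{kind}: trace through lines {path}")
```

A real SAST engine also follows data across function calls, containers and sanitizers; this block only shows why a finding comes with a path rather than a single line.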
Security Analyst Workflow
Security Professionals using AppScan Source for Security:
Total time: 2-3 weeks / application
• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans
Developer Workflow
Any developer using AppScan Source for Development:
Total time: ½ - 1 day
• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST).
Additional Information
Documents
EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
AppScan Source Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
AppScan Standard Data Sheet:
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
AppScan Enterprise Data Sheet
ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
Posts
2013 Gartner Application Security Testing MQ and the Evolution of Software Security
http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)
http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
Podcasts
2013 Gartner Magic Quadrant for Application Security Testing
http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
Application + Threat + Security intelligence = Priceless
http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
Taking Application Security from the Whiteboard to Reality
http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos
Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848
Credits
Implemented IBM AppScan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs
Some presentations on Enterprise Mobile Solution, IoT, Security, and payment at
http://www.slideshare.net/papaiking/
Smarter security for a smarter planet