®
IBM Software Group
© 2007 IBM Corporation
Operationalizing Application Security &
What is the cost of a defect?
The increasing costs of fixing a defect:
- During the coding phase: $25/defect
- During the build phase: $100/defect
- During the QA/Testing phase: $450/defect
- Once released as a product: $16,000/defect
80% of development costs are spent identifying and correcting defects!
IBM Software Group | Rational software
Embed security testing into the development environment and workflow
- Seamlessly add security testing alongside functional & performance testing
- Dashboard provides filtered, relevant data for more informed decision-making
- Full traceability for security issue prioritization
- Automated security tests embedded into the build process
- All test assets and results in one repository
[Diagram: Rational AppScan quality process enactment across the roles CISO, Tester, Developer, Build Manager and QA Manager]
Rational AppScan Developer & Build Editions raise the industry bar
Enabling the Operationalization of Security Testing
Enable the Security Testing Organization (Rational AppScan Standard Edition, Rational AppScan Enterprise Edition)
- Requires web application security subject matter expertise
- Single-step security testing (no additional oversight required as expertise is built-in)
- Eliminates training requirements for non-security experts
- Control, monitor, collaborate and report on web application security testing
Embed Security Testing in the SDLC (Rational AppScan Developer Edition, Rational AppScan Build Edition, Rational AppScan Tester Edition, Rational AppScan Standard Edition, Rational AppScan Reporting Console)
- Implement an environment-specific security testing solution for select stakeholders
- Alleviates the security testing bottleneck downstream
- Increases security awareness across the organization (code security improvement, vulnerability awareness)
- Enables a more efficient process for on-time and on-budget application development
Outsource Security Testing (Rational AppScan OnDemand, Rational AppScan Security Consulting)
- Outsource web application security infrastructure or testing
- Enables immediate identification of sources of online risk without the time and investment needed for in-house training and resources
Embedding Security in the Development Lifecycle
Primary goals for Web Application Security
1. Manage online risk with security audits
2. Realize process efficiencies with testing coverage occurring early in the development lifecycle
Security Auditors' Challenge
- Accountable for managing organizational risk through online activity
- Limited resources (by budget or skill set) to provide timely security testing coverage
- The result is a bottleneck that impacts development release cycles
The Solution
- Engage more testers earlier in the development lifecycle
Security tools are being pitched to developers
- Security tools require security expertise and don't address the developer use case
- They lack the necessary process integration to enable success
Current static analysis suffers from accuracy and efficiency shortcomings
- Creating doubt and pushback from development organizations
- No solution provides a viable mix of blackbox & whitebox technology
- High cost of static analysis-only offerings
- High cost yet still incomplete solutions
Lack of training
- Developers are not mandated or motivated to train on secure code practices
- Priority remains on building functionality
Challenge: Building software securely from the ground up
Security Auditors need to enable more testers in the process, but software developers are not trained to be security experts, nor can they meet new development demands.
- Niche security testing teams have been performing audits before code can pass to production
- These teams cannot keep up with the demand from hundreds of developers pushing new applications frequently; as a result, software releases are delayed or risk is introduced
- Need to engage more testers earlier in the process
- Need to make it simple for non-security professionals
"How do we get more resources to provide more security testing for our applications?"
"How do we make it easier to identify security vulnerabilities?"
"How can I ensure our developers are implementing our corporate policies?"
"Development does not like us halting releases due to security issues. How can I give them back control?"
Solution: Utilize offerings designed for the development environment to identify and fix security issues early in the development process, and turn the security audit into the final check, not the first step.
Rational AppScan Developer Edition & AppScan Build Edition provide security and compliance checks
- The combination of Static Code Analysis and Dynamic Analysis gives non-security professionals in development the ability to accurately check for security defects in code
- Designed for the developer use case, to seamlessly fit security testing into the development workflow
- AppScan Build Edition embeds automated security testing into the build process
Provides remediation advice to simplify the ability to fix security issues
- High-accuracy security issue identification that developers can understand and fix
Includes embedded security issue training
- Bite-sized training modules allow developers to quickly understand the security issue and make the appropriate fix
Facilitates non-disruptive adoption of security testing solutions to improve application
IBM Rational AppScan Developer Edition
IBM Rational AppScan Build Edition
Development is critical to the security challenge
Expertise: Development is not focused on or trained to address security issues. Not having security expertise makes the development adoption of security testing a challenge. For development to be effective, solutions must be designed for non-security professionals and fit the developer use case, thereby improving accuracy and efficiency and avoiding disruption.
Cost/time: The push to move more business services online places greater demand on limited security testing resources to achieve testing coverage. Tools that naturally fit into the development process provide lifecycle efficiencies, as security issues are identified and addressed much earlier in the process.
Compliance: Embedding security testing into development processes and systems supports the same governance requirements inherent in development & testing organizations, but the added risk of a security vulnerability demands stringent governance processes to log, track & ensure remediation of identified security issues.
Bottom line: development adoption of security testing results in more secure software with on-time release schedules.
Addressing organizational security testing requirements
Enable more testers in the process to alleviate the security bottleneck
- Collaborative life cycle: Development & Security Analysts collaborate to achieve greater testing coverage earlier in the development process.
- Powered by automation: Automate security testing as part of the normal code-build process within existing development environments, eliminating the need for non-security personnel to learn new or advanced security tools.
- Govern software delivery: Govern the process of issue remediation by providing the ability to log security issues directly into defect tracking tools.
Rational AppScan Developer Edition & AppScan Build Edition can be embedded into the development process
Rational AppScan Developer & Build
Rational AppScan Developer Edition and Build Edition Themes
- Designed for Developers, not Security Auditors
- Self-Serve: No Security Expertise Required
- Natural fit into the Development Lifecycle Process & Tools
- Best Web Application Security Analysis
[Diagram: overlapping circles for Dynamic Analysis, Static Analysis and Runtime Analysis within the space of Total Potential Security Issues]
Enable more people to contribute to security testing coverage with solutions for specific use cases
Business Outcome: Use case offerings facilitate the adoption of security with minimal disruption to existing objectives
Analysis Techniques Used
Static Code Analysis <> Whitebox
- Looking at the code for issues (code-level scanning)
Dynamic Analysis <> Blackbox
- Sending tests to a functioning application
String Analysis
- IBM patent-pending code analysis technique
- Code analysis version of “Scan Expert” for efficient configuration of the scan to enable accurate results
Composite Analysis
- Blend of all testing techniques for improved accuracy of reporting
- Leverages the strengths and overcomes the weaknesses of each individual technique
Runtime Analysis
- Monitoring behavior for feedback while the application is running, at a detailed level, to tell where a vulnerability exists in the executing code
[Diagram: Black Box versus White Box analysis, with AppScan DE positioned as combining both. Attributes shown: Accuracy; Source free; Code coverage; HTTP awareness only; Multi components support; Requires deployed application; Few prerequisites; Code/path coverage; Limited to given code; More than HTTP validations; Support partial applications; Support per language/framework; No need to deploy application; Over approximation]
String Analysis
- IBM patent-pending technology
- Potentially game-changing technology in code analysis
Existing white-box offerings use Taint Analysis
- Requires configuration, dependent on both knowledge of the code & security expertise to be done accurately
- Inaccurate configuration results in volumes of false positives
String Analysis automates configuration
- Removes the largest driver of inaccurate results in static code analysis
- Simplifies use for developers (non-security experts)
Taint analysis measures whether an input is tainted; string analysis can determine exactly how it is tainted.
String Analysis vs. Taint Analysis
Configuration
  String Analysis: Accurate out-of-the-box; no need to define what the sanitizers are
  Taint Analysis: Users must spend a long time configuring sanitizers
Configuration Validation
  String Analysis: Can validate the correctness of user-defined sanitizers
  Taint Analysis: The entire analysis is based on correct user configuration
Validators
  String Analysis: Supported
  Taint Analysis: No support; users have to change their code to scan it
Result confidence
  String Analysis: “Self-serve” solution underlines high-confidence results; the developer can trust results to be real
  Taint Analysis: Many “low confidence” results that require security professionals to verify
Advanced
  String Analysis: Allows improved and accurate analysis to pinpoint specific issues
  Taint Analysis: Restricted to identifying taint only
Inline sanitizers
  String Analysis: Supported
  Taint Analysis: No support; users have to change their code to scan it
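The distinction the comparison draws (taint analysis only knows whether a value is tainted and relies on the user to register sanitizers; string analysis reasons about what the value can actually contain and can therefore judge a sanitizer on its own) can be shown with a toy abstract interpreter. The example below is added here and is not IBM's or AppScan's code; it uses a deliberately small abstract domain (the set of characters a value may contain) rather than the patent-pending technique the deck describes, and it analyzes a constructed program in which an untrusted request parameter is sanitized and then placed into an SQL identifier slot. The sanitizer names, the ASCII restriction, and the identifier-slot rule are all assumptions of the example.

```python
"""
Toy abstract interpreter contrasting taint analysis with string analysis.
Added illustration; not IBM's or AppScan's code. Both analyses run over the
same straight-line program (constructed for this example):

    col = <untrusted request parameter>
    col = SANITIZER(col)
    sql = "SELECT id FROM orders ORDER BY " + col    # col fills an identifier slot

Assumptions: strings are ASCII, and an identifier slot is safe only when
every character of the value is one of [A-Za-z0-9_].
"""
import re
import string
from dataclasses import dataclass

ASCII = frozenset(chr(c) for c in range(128))          # what untrusted input may contain
IDENT_OK = frozenset(string.ascii_letters + string.digits + "_")


# Two candidate sanitizers, written the way a developer might write them.
def whitelist_identifier(s: str) -> str:
    """Correct for this sink: keeps only identifier characters."""
    return re.sub(r"[^A-Za-z0-9_]", "", s)


def strip_semicolons(s: str) -> str:
    """Incorrect for this sink: removes ';' and nothing else."""
    return s.replace(";", "")


SANITIZERS = {"whitelist_identifier": whitelist_identifier,
              "strip_semicolons": strip_semicolons}


# ---- taint analysis: one bit per value; sanitizers are known only by configuration ----
@dataclass(frozen=True)
class TaintVal:
    tainted: bool


def taint_call(fn_name: str, arg: TaintVal, configured: frozenset) -> TaintVal:
    # The analysis never looks inside fn_name; it clears the bit only if the
    # user registered the function as a sanitizer.
    return TaintVal(False) if fn_name in configured else arg


# ---- string analysis: track which characters a value may contain ----
@dataclass(frozen=True)
class StrVal:
    may_contain: frozenset  # over-approximation of the characters in the value


def str_call(fn_name: str, arg: StrVal) -> StrVal:
    # Transfer functions are derived from the sanitizer bodies, not from configuration.
    if fn_name == "whitelist_identifier":
        return StrVal(arg.may_contain & IDENT_OK)
    if fn_name == "strip_semicolons":
        return StrVal(arg.may_contain - {";"})
    raise ValueError(f"no transfer function for {fn_name}")


def identifier_slot_unsafe(v: StrVal) -> bool:
    """The sink check: may the value contain anything other than identifier characters?"""
    return not v.may_contain <= IDENT_OK


# ---- run both analyses over the program ----
def analyze(sanitizer: str, configured: frozenset = frozenset()) -> dict:
    """Return {'taint': unsafe?, 'string': unsafe?} for the program above."""
    col_t = taint_call(sanitizer, TaintVal(True), configured)
    col_s = str_call(sanitizer, StrVal(ASCII))
    return {"taint": col_t.tainted, "string": identifier_slot_unsafe(col_s)}


def sanitizer_is_correct(sanitizer: str) -> bool:
    """String analysis validating a sanitizer: does it make any input safe for the slot?"""
    return not identifier_slot_unsafe(str_call(sanitizer, StrVal(ASCII)))


def transfer_is_sound(sanitizer: str, sample: str) -> bool:
    """Sanity check on a concrete input: the real output stays inside the abstract set."""
    concrete = set(SANITIZERS[sanitizer](sample))
    abstract = str_call(sanitizer, StrVal(frozenset(sample))).may_contain
    return concrete <= abstract


if __name__ == "__main__":
    # The developer registered strip_semicolons as a sanitizer (wrongly): taint
    # analysis reports the sink clean, string analysis still flags it.
    print("strip_semicolons, registered:", analyze("strip_semicolons", frozenset({"strip_semicolons"})))
    # The developer wrote a correct whitelist but never registered it: taint
    # analysis reports a false positive, string analysis reports the sink safe.
    print("whitelist_identifier, unregistered:", analyze("whitelist_identifier"))
    for name in SANITIZERS:
        print(name, "correct for identifier slot:", sanitizer_is_correct(name))
```

Run as a script, the two `analyze` calls show the two failure modes the comparison table attributes to taint analysis: a mis-registered sanitizer produces a false negative, and an unregistered one produces a false positive, while the character-set analysis reaches the right verdict in both cases with no configuration at all. `sanitizer_is_correct` is the "configuration validation" row in miniature: it asks whether the sanitizer's output, starting from arbitrary input, can still contain something the sink rejects.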
Why Buy…
- Broadest suite of offerings to support security testing across the development lifecycle
- Only web application security testing solution to provide combined code, dynamic, runtime and string analysis
- Broadest set of security compliance reporting
- Integration with the Rational portfolio, allowing security to become a natural part of the software development process
- R&D backed by IBM’s $1.5B annual investment in security
Designed for Developers, not Auditors
- Designed for developer efficiency & addresses non-security expertise
- Enables both centralized and broad security testing (“Test before check-in” model)
Best Application Security Analysis
- Includes multiple analysis techniques; leverages the strengths of all techniques & overcomes their weaknesses
- Emphasis on accuracy (low false positives) & actionable results
Self-Serve Security Testing for Developers
- Detailed results include all you need to know
- Remediation view turns risk into tasks
- Detailed fix recommendations clarify required actions
- Built-in & accompanying training supports self-serve
Naturally fits into the SDLC process
- Minimize disruption
- Scale to a large number of users
- Support collaboration within development
- Integrate with development tools
Highlights
What is AppScan Developer Edition?
- A solution created to empower developers with the ability to invoke Web application security testing within their development environment
- Designed as a complement to the Rational AppScan family of security testing solutions, it enables the development organization to address the volumes of security issues that can be introduced in code
- Supports existing developer and build environment use cases for efficient and non-disruptive adoption of security testing, with IDE & build server integrations
What does it do?
- Provides security and compliance checks using static code analysis for security vulnerabilities
- Enables developers (who are not security experts) to address security defects early in the development process, where the cost of fixing issues is least expensive
Comprehensive Security Analysis
Next-Generation Accuracy
Unparalleled Ease of Use
Identification of line-of-code
Self-Serve Security Testing for Developers
Seamless Integration into the Development Process
Completes the Rational AppScan end-to-end security solution
Typical Customer Adoption To Date
[Diagram: lifecycle phases Code, Build, QA and Security plotted against Market Maturity. Products shown: AppScan Standard Ed (desktop), AppScan Enterprise user (web client), IBM Rational Web Based Training for AppScan, IBM Rational AppScan Enterprise / Reporting Console. Phase goals: Code: build security testing into the IDE; Build: automate security / compliance testing in the build process; QA: security / compliance testing incorporated into testing & remediation workflows; Security: security and compliance testing, oversight, control, policy, in-depth tests]
IBM Rational AppScan Ecosystem (shown again on the following slide as “The New IBM Rational AppScan Ecosystem”)
[Diagram: the same four phases with the full product set. Code: AppScan Developer Ed (desktop), build security testing into the IDE*. Build: AppScan Build Ed (scanning agent), automate security / compliance testing in the build process. QA: AppScan Tester Ed (scanning agent, QA clients) and AppScan Ent. QuickScan (web client), security / compliance testing incorporated into testing & remediation workflows. Security: AppScan Standard Ed (desktop) and AppScan Enterprise user (web client), security & compliance testing, oversight, control, policy, audits. Shared across phases: AppScan Enterprise / Reporting Console and IBM Rational Web Based Training for AppScan. Rational integrations: Rational BuildForge, Rational Quality Manager, Rational Application Developer, Rational Software Analyzer, Rational ClearCase, Rational ClearQuest / Defect Management]
AppScan Developer Edition - Proactive Use Case
1. Developer Writes Code
2. Developer Tests Changes Using AppScan DE
3. Developer Fixes or Logs Issues
4. Developer Checks in Code
AppScan Developer Edition - Reactive Use Case
1. Developer Receives Defect* (preferably with scan file)
2. Developer Loads Scan or Reproduces Issue Using AppScan DE
3. Developer Fixes Issue in Code
4. Developer Re-Tests Using AppScan Dev Ed
5. Developer Checks in Fix and Updates Defect
* Defect originating from another developer, QA or the build system
Rational AppScan Value Propositions
Customer Pain: The client has acquired a web application testing desktop point product being run by a security auditor. Limited licenses or resources performing the testing have created a bottleneck at the security team, and it is impeding the deployment of applications.
Value for Customer: The IBM Rational AppScan portfolio of web application security testing solutions enables software development stakeholders from development, build management and QA to share in the security testing responsibility and alleviates the resource limitations of the security team.
Unlike: the competition, which lacks IBM’s investment in security (which allows IBM to lead with the broadest and most advanced security testing) and lacks the customer experience to enable customer success.
Customer Pain: The client needs the development organization to address the process inefficiencies and project delays resulting from a security testing bottleneck occurring late in the development process.
Value for Customer: IBM Rational AppScan Developer Edition and Rational AppScan Build Edition provide security testing solutions that are designed for development use cases to enable security testing for non-security experts. The offerings allow for the identification and remediation of security issues much earlier in the development process, resulting in a more efficient process and projects delivered on time.
Unlike: the competition, which lacks the breadth and strength of testing techniques to provide the necessary efficiencies and accuracy for development to be successful with security testing.