Eng. Loaay Alkherbawy, IBM Security Solutions Consultant. Email: loaay.alkherbawy@gmail.com, Phone: 01012200755

Security AppScan Standard: Overview and Installation

Web Applications Overview: Frontend and Backend

Web Application Security
Attackers try to manipulate requests sent to your backend in order to retrieve unauthorized data or to stop your service. These attacks use different methodologies to achieve their goals:
- SQL injection
- Cross-site scripting
- Buffer overflow

Application Security Testing

Application Security Testing Techniques

                        Static Testing                        Dynamic Testing
Scan Input              Source code                           Web application URL
Assessment Techniques   Taint analysis and pattern matching   Tampering HTTP messages
Results and Output      Lines of code                         HTTP messages (exploit requests)
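The static/dynamic contrast in the table, as an added illustration that is not part of the original slides and not AppScan code: a constructed vulnerable handler beside its bound-parameter fix, a static pass that pattern-matches a request parameter concatenated into SQL and reports the line number, and a dynamic pass that tampers the parameter and reports the request that changed the application's behaviour. The handler names, the in-memory users table and the probe value are all assumptions made for the example.

```python
import inspect
import re
import sqlite3

# Constructed sample backend handlers (assumed for illustration, not AppScan code):
# the first concatenates the request parameter into SQL, the second binds it.
def get_user_vulnerable(db, username):
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return db.execute(query).fetchall()

def get_user_fixed(db, username):
    query = "SELECT id, name FROM users WHERE name = ?"
    return db.execute(query, (username,)).fetchall()

def make_db():
    """Constructed in-memory users table that plays the scanned application."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)

def static_scan(handler):
    """Static testing: scan input is source code, technique is taint tracking by
    pattern matching, output is the line numbers where taint reaches SQL."""
    source, first_line = inspect.getsourcelines(handler)
    tainted = set(inspect.signature(handler).parameters)  # request-controlled names
    findings = []
    for offset, line in enumerate(source):
        if SQL_KEYWORD.search(line):
            # A tainted name concatenated into the SQL string is a finding.
            for name in re.findall(r"\+\s*(\w+)", line):
                if name in tainted:
                    findings.append((first_line + offset, name))
    return findings

def dynamic_scan(handler, db):
    """Dynamic testing: scan input is the running application, technique is
    tampering the request parameter, output is the request that changed behaviour."""
    baseline = handler(db, "alice")
    probe = "x' OR '1'='1"  # tampered value: closes the quote, adds a tautology
    try:
        tampered = handler(db, probe)
    except sqlite3.Error as exc:
        return {"request": probe, "finding": "database error: " + str(exc)}
    if len(tampered) > len(baseline):
        return {"request": probe, "finding": "tautology widened the result set"}
    return None  # the bound-parameter handler simply finds no such user
```

Running both scans over both handlers shows the two columns of the table: the static pass points at a line of code, the dynamic pass returns the request that exposed the flaw, and neither reports anything for the parameterised version.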

Advanced Scanning Techniques

Security AppScan Overview

Security AppScan Components

Security AppScan Enterprise Server
- Has a centralized environment for managing application security and risk for multiple applications
- Provides collaboration between security, development, and testing teams to remediate vulnerabilities and reduce risk
- Provides an enterprise-wide view of application security and compliance risk, with more than 40 report templates for measuring compliance, trending, and key performance indicators
- Provides correlation and triage of security testing results from dynamic (black box) and static (white box) scans

Security AppScan Enterprise Dynamic Analysis Scanner
- Provides advanced application security testing by applying dynamic (black box) analysis
- Runs multiple concurrent scans on a single server
- Scales security testing to cover numerous applications by running multiple privacy assessments of websites
- Uses dynamic analysis scanners to identify personally identifiable information (PII) collection points and verify that security safeguards are in place when collecting and transmitting customer data

Security AppScan Source
- Runs source code analysis to identify the latest security threats with static (white box) analysis
- Facilitates quick analysis and provides recommended corrections in the IDE
- Includes automated security testing in build environments
- Provides static analysis for quality and non-security defects to improve overall code quality and predictability by identifying and resolving potential coding errors early in the software development lifecycle

Security AppScan Standard
- Is a desktop application for security analysts and penetration testers
- Provides advanced security testing based primarily on dynamic (black box) analysis, but also includes static analysis for client-side JavaScript
- Includes glass-box testing with runtime analysis that uses an internal agent to monitor application behavior during a dynamic test, providing more accurate test results and identifying specific lines of code
- Includes coverage of the latest Internet applications and web technologies, such as web services, SOAP, Adobe Flash, and Ajax

Security AppScan Standard Overview

What is Security AppScan Standard?
- A web application security testing tool
- Automates vulnerability assessments (SQL injection, cross-site scripting, buffer overflow)
- Automates security analysis to detect exploitable vulnerabilities by using dynamic analysis
- Provides security during development
- Is an integrated testing solution for developers, quality assurance, penetration testers, security, and compliance stakeholders
- Supports governance, reporting, and dashboards

Security AppScan Standard workflow

Security AppScan Standard features
- Automatic crawling and session management
- JavaScript and Ajax web crawling
- Adobe Flash and Flex crawling
- Multiple-step operations
- Glass box-assisted crawling
- Manual exploration for complex application coverage

Security AppScan Standard features (continued)
- Authentication and communication
- Customizable crawler that supports nonstandard web applications
- Content-based view of the application and scan results
- Customized error page detection
- Automatic web address rewriting support
- Sharing of scan configuration, data, and templates

Web 2.0, JavaScript, Ajax, and Adobe Flash

Testing capabilities
- Covers all relevant WASC threat classes
- Mimics the parameter tampering techniques of a skilled attacker
- Has current information in its test database
- Uses hybrid analysis technology for glass box testing
- Has malware analysis that detects malicious content

Testing capabilities (continued)
- Provides privilege escalation testing for both horizontal and vertical escalation
- Has tests that are specific to Adobe Flash and Flex
- Uses hybrid SAST and DAST for JavaScript to detect client-side issues
- Includes SOAP web services tests

Web Services Scanning
- SOAP web services assessment
- Support for common SOAP WS standards
- Dedicated SOAP web services testing suites for three application tiers

Supported SOAP Standards
- WS-Security v1.1
- WS-Addressing
- SOAP attachments (MIME/DIME)
- XML Encryption
- XML Signatures
- Username tokens
- SOAP with timestamps

Reporting capabilities and integrations

Additional functions
- Manual explore
- Privilege escalation tests
- Exclude or include paths
- Pattern search tests
- Scheduling scans
- Exporting scan results

Software Development Life Cycle

SDLC

Use of AppScan in the lifecycle

- Slides: 29