Implementing an AppScan Enterprise-based Web Security Solution

Design and implementation notes

Learn to design and implement an installation of AppScan Enterprise that enables multiple business units within a company to have separate, independent instances of AppScan Enterprise from a single installation.


Lalitha Saravana Prasad (lsaravan@in.ibm.com), Team Lead, IBM Security Scanning Service, IBM

Lalitha Saravana Prasad has over 13 years of experience in networking, protocol testing, security product testing, and web application security testing. She is a key member of the team that designed and hosts the IBM Security Scanning Service (ISSS), a centralized AppScan Enterprise-based security scanning service within IBM. She has also spoken about ASE best practices in the QSE forum.



Adarsh Thampan, Development Manager, IBM

Adarsh Thampan has worked on designing, implementing, and managing the IBM Security Scanning Service (ISSS), a centralized AppScan Enterprise-based security scanning service within IBM. He published a white paper on "Porting applications to Linux on IBM System z." He is a co-author of the developerWorks article "Implement POSIX Semaphore APIs using System V Semaphores APIs."



11 February 2014

AppScan Standard Trial


IBM Security AppScan is an application security testing suite designed to help manage vulnerability testing throughout the software development lifecycle. IBM Security AppScan automates vulnerability assessments and scans and tests for all common web application vulnerabilities, including SQL injection, cross-site scripting, buffer overflow, and newer Flash/Flex application and Web 2.0 exposures.

AppScan provides full coverage of the Open Web Application Security Project (OWASP) Top 10 for 2013. The solution also supports the industry-standard Transport Layer Security (TLS) protocol version 1.2, and is compliant with Federal Information Processing Standard (FIPS) 140-2 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.


Overview

A large enterprise might consist of multiple business units, each responsible for ensuring the security of its own web applications. With a separate instance of IBM Security AppScan Enterprise (ASE), each business unit can scan its own web assets for vulnerabilities. However, setting up a separate installation of AppScan Enterprise for each business unit is costly in terms of hardware, maintenance, and labor.

Efficiency improves when the enterprise requires each business unit to scan its web assets from a centralized ASE-based scanner that is made available to all business units. The centralized scanner must then provide data isolation between business units so that the scan configurations and results of each business unit remain confidential to that unit.

To achieve this confidentiality, the enterprise provides a separate instance and isolated database to each business unit from a single install of ASE.

This white paper presents design and implementation notes for a centralized ASE-based web security scanning service that provides data isolation, user isolation, and Dynamic Application Security Testing (DAST) agent multiplexing for a typical enterprise.
