Automated vulnerability scanning of web applications with Rational AppScan

This article uses two examples to explain how to use Rational AppScan Standard Edition v8.5 for automated security vulnerability testing of web and web service applications. The authors also set the stage for examples to explore the regulatory compliance reporting capabilities.

Bhargav Perepa (bvperepa@us.ibm.com), WebSphere Architect and Certified IT Specialist, IBM

Bhargav Perepa is a WebSphere architect and IT specialist for the IBM Federal Software Group in the Washington D.C. area. Previously, he was a developer in the WebSphere Development Lab in Austin and gained Smalltalk and C++ development experience at IBM in Chicago. Bhargav holds a master's degree in computer science from the Illinois Institute of Technology, in Chicago, and an MBA degree from the University of Texas, Austin.



Sujatha Perepa (perepa@us.ibm.com), Software Client Architect, IBM

Sujatha Perepa is a software client architect with IBM Federal Sales and Distribution in the Washington D.C. metro area. She is a Senior Certified IT Architect and is the lead architect for the National Security and Justice and Department of State agencies. Sujatha routinely addresses and recommends security solutions for Federal agencies. She holds graduate degrees in Applied Electronics and an MBA in Information Systems (Stuart School of Business, Chicago).



13 December 2011


As global connections increase, so do security risks

According to the IBM® X-Force® 2011 Mid-year Trend and Risk Report, 2011 can be considered "The Year of the Security Breach" because of the unprecedented number of high-profile security breaches reported throughout the first half of 2011. A more interconnected, intelligent, and instrumented cyber-world of global scope and scale leads to increased risks and dangers, with more sophisticated and difficult-to-manage network security attacks on enterprises and infrastructures.

The report shows that 37% of all vulnerabilities disclosed during the first half of 2011 were web application vulnerabilities. Failure to secure web applications can result in massive losses, both financially and in application performance. Most web-based threats occur because of gaps in the source code that allow SQL injection, cross-site scripting (XSS), compromised session information, and so forth. Browser security is also easily circumvented if there is no strong quality assurance security enforcement. For an overview of the current application security landscape, you can download the report (see the link in Resources).

The IBM® Rational® AppScan® range of products automates dynamic security testing of web vulnerabilities for web applications (web services, Web 2.0) and rich Internet applications (JavaScript, Ajax, and Adobe Flash). This dynamic security testing approach spans from development to testing by scanning applications, identifying vulnerabilities, and generating reports of gaps, with remediation recommendations before applications are deployed on the web.

Rational AppScan versions cater to small, medium, or large development groups, with a comprehensive range of choices:

  • Source Edition is geared to aid development teams, and it adds source code analysis to AppScan Enterprise with static application security testing (SAST).
  • Enterprise Edition is an enterprise-class solution for application security testing and risk management with governance, collaboration, and security intelligence.
  • AppScan Tester Edition is a dynamic application security testing (DAST) solution specifically designed to integrate application security testing into a QA environment with Rational Quality Manager.
  • Standard Edition is a desktop security testing tool designed to automate web vulnerability assessments. It performs both static and dynamic analysis of vulnerabilities and provides corresponding fix recommendations.

In this article, we explore the capabilities of Rational AppScan Standard Edition, Version 8.5, for automated security and vulnerability testing of web and web service applications, and its regulatory compliance reporting capabilities as part of that testing.

To explore the capabilities of AppScan Standard Edition v8.5, you will use PlantsByWebSphere v8.0.0.1, Ajax Version, an application that is included as a sample with WebSphere Feature Pack for Web 2.0 and Mobile, Version 1.1.0. Figure 1 shows the initial screen.

Figure 1. Plants by WebSphere sample application: Gardens of Summer

Note:
For details about this sample application, see the link in the Resources section.

PlantsByWebSphere is supplied by IBM with source code. The sample application is an ideal candidate for our security and vulnerability testing exercise, because it conforms to application programming interfaces (APIs) and is not engineered with robust security as a design requirement. IBM clearly documents this in a disclaimer statement in the delivered source code. The sample can be easily configured, and the steps explained in this article can be easily replicated when exploring AppScan capabilities.

Additionally, you will use the HelloWorld JAX-WS web service application shown in Figure 2, deployed to the IBM® WebSphere® Application Server v8.0.0.1 runtime, to further explore the capabilities of AppScan Standard Edition v8.5.

The HelloWorld JAX-WS application's business method, sayHello(), accepts a HelloReq object and returns a HelloResp object that greets the named individual with a personal greeting message. HelloReq and HelloResp each contain a single string-type attribute, named name and response, respectively.

Figure 2. Enterprise application management view

Automated security and vulnerability testing of a web application

First, configure a comprehensive, full scan of your PlantsByWebSphere web application, using the Scan Configuration Wizard shown in Figure 3. Before setting up the scan profile to uncover the security vulnerabilities of this web application, make sure that WebSphere Application Server v8.0.0.1 is running and that the PlantsByWebSphere application is deployed to the runtime and running successfully, as shown in Figure 2 (the pbw-ear enterprise application shows a green arrow in the Application Status column).

  1. Launch Rational AppScan Standard Edition v8.5.
  2. Select File > New.

The New Scan dialog window (Figure 3) offers wizard-based scanning for a variety of predefined templates.

Figure 3. New Scan dialog: recent and predefined templates

For this sample, a Comprehensive scan is selected and, as Table 1 shows, it is set up as a web application scan of the given URL, with automatic login (using the required credentials) and a full scan.

  3. Launch the Scan Configuration Wizard and specify the options listed in Table 1.

Table 1. Scan configuration options, PlantsByWebSphere web application
No. | Scan configuration option | Configuration specified
1 | Predefined Template | Comprehensive scan
2 | Type of Scan | Web application scan
3 | Starting URL for Scan | http://localhost:9085/PlantsByWebSphere/orderdone.jsf
4 | Login Method | Automatic
5 | Login Credentials | User name: plants@plantsbywebsphere.ibm.com; Password: plants
6 | Test Policy | Complete
7 | Scan Start Method | Start a full automatic scan

Note:
The hostname, port number, and user credentials vary, depending on your installation and setup.

  4. Now, select the environmental setting definitions listed in Table 2.

Table 2. Environmental setting definitions, PlantsByWebSphere
No. | Environmental setting definition | Setting definition specified
1 | Operating System (of site being scanned) | Windows
2 | Web server | IBM HTTP Server
3 | Application Server (if any) | WebSphere
4 | Type of Database (if any) | DB2
5 | Third-Party Component (if any) | Not Defined
6 | Location of Site | Local
7 | Type of Site | Test
8 | Deployment Method | Internally
9 | Collateral Damage Potential | Low-Medium
10 | Target Distribution | High
11 | Confidentiality Requirement | Medium
12 | Integrity Requirement | Medium
13 | Availability Requirement | Medium

Figure 4 shows the environment definitions specified for scan configuration.

Figure 4. New Scan: environment definitions

This is a Microsoft Windows setup. The application runs on WebSphere Application Server and uses the default DB2 database.

  5. Allow AppScan to perform the comprehensive security and vulnerability scan.

As Figure 5 shows, when AppScan completes the comprehensive security and vulnerability scan it produces a set of security advisories: 54 issues in total, of which 12 are high, 2 medium, 40 low, and 0 informational severity.

Figure 5. Security issues, arranged by descending severity

The issues can be evaluated in three different views:

  • Security Issues
  • Remediation Tasks
  • Application Data

Notice that the advisories can be arranged by severity (ascending or descending) and that there is a dashboard for a chart-based representation of the vulnerabilities.

  6. Click the Report button on the AppScan desktop to generate a comprehensive report. Explore the various report templates provided in AppScan.

Multiple customizable report templates are available in the following categories:

  • Security report provides a list of problems found
  • Industry Standard report provides information about compliance or noncompliance of your application
  • Regulatory Compliance report addresses compliance with legal standards (see note)
  • Delta Analysis report contains the information that changed between individual scans. This report is useful for regression scans, to uncover which vulnerabilities have been fixed, which have not been fixed, and which have been uncovered for the first time in a new scan.
  • Template-based reports, in which you use templates to define the data and the document formatting in Microsoft Word .doc styles.

Note:
The Regulatory Compliance report comes with about 40 compliance report templates, including PCI Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS) [new], ISO 27001 and ISO 27002 [new], and Basel II.

Figure 6 shows an example of creating a customizable, template-based report (Custom Template), with the report options specified by the report creator.

Figure 6. Create Report page, Report Type tab view

Important:
See Downloads for the summary report generated by this scan: AppScanPlantsByWebSphere_Scanned_Summary_Security_Report.pdf


Automated security and vulnerability testing of a web service application

Tip:
It is helpful to explore the Open Web Application Security Project (OWASP) web site to learn more about web security, including a list of high-severity vulnerabilities, tips for remediation, and so forth (see the link in Resources). The OWASP site also has a page dedicated to different categories of vulnerabilities, such as authentication, cryptographic, logging, and session management.

Now you're ready to configure a comprehensive, full scan of your HelloWorld web service application. Before setting up the new scan profile to uncover security vulnerabilities of this web service, make sure that WebSphere Application Server v8.0.0.1 is running and that the HelloWorld web service application is deployed to the runtime and running successfully, as shown in Figure 2 (the HelloWorld_V1EAR enterprise application shows a green arrow in the Application Status column).

  1. Launch Rational AppScan Standard Edition v8.5.
  2. Select File > New > Predefined Templates > Comprehensive Scan.

Figure 7. Full Scan Configuration under General Tasks

  3. Launch the Scan Configuration Wizard and specify the options listed in Table 3. See Figure 7.

Table 3. Scan configuration options, HelloWorld web service application
No. | Scan configuration option | Configuration specified
1 | Predefined template | Comprehensive scan
2 | Type of scan | Web service scan
3 | Location of WSDL service | http://localhost:9085/HelloWorld_V1/HelloWorld_V1_HelloWorld_V1HttpService
4 | Generic service client | Test only

  4. Specify the environmental setting definitions listed in Table 2.
  5. Allow AppScan to perform the comprehensive security vulnerability scan.

Figure 8 shows the result of the successfully completed scan. After completing a scan and identifying issues, AppScan classifies each issue as high, medium, low, or informational severity and presents the scan results in four tabs: Issue Information, Advisory, Fix Recommendation, and Request/Response. These tabs contain detailed information about the identified issue, the URL that contributed to it, the risk it poses, a recommendation to address that risk, and the raw Request/Response exchange.

Figure 8. Issue Information tab results

While the scan is running, a progress panel indicates the current phase of the scan in real time, along with the URL being scanned and the percentage completed. A multiphase scan can be enabled to scan the URLs contained within the main URL; in that case, the status bar shows the number of URLs visited, how many of them have been scanned, and so on. These scans can be set to run automatically, either once or periodically.

Next, generate a custom report by using a custom report template with the options selected as shown in Figure 5.

See Downloads for the summary report generated: AppScanHelloWorldWebService_Scanned_Summary_Security_Report.pdf


Suggested scanning practices

You can customize the following AppScan configuration parameters to avoid problems that result from AppScan using excessive memory, which can cause the loss of all scan data:

  • PerformanceMonitor.RestartOnOutOfMemory
  • PerformanceMonitor\minScanTimeDurationForRestart
  1. Click Tools > Options > Advanced tab.
  2. Change these two parameters listed in the Preference Name column to these values:
    1. PerformanceMonitor.RestartOnOutOfMemory=True
    2. PerformanceMonitor\minScanTimeDurationForRestart=30 (minutes)

With these settings, AppScan restarts automatically when memory usage becomes too high or when a scan ends because of low virtual memory. For details, see the links in the Resources section.

See Figure 9 for details.

Figure 9. Advanced options, with the rows for those two parameters highlighted


Summary

You have successfully configured Rational AppScan Standard Edition v8.5 to perform automated security vulnerability testing of PlantsByWebSphere web and HelloWorld web service applications. Additionally, you have successfully generated detailed vulnerability and remediation reports using preconfigured or customized report templates. See the link in Resources for more information on security hardening of the WebSphere Application Server runtime environment.

The Downloads section contains an installation journal guide, the generated reports, the scan export documents, the TechNote, and the sample application used in this article.


Acknowledgements

The authors gratefully acknowledge help from Karl Snider, Market Segment Manager, Application Security and Compliance, IBM Rational software. Karl performed a careful technical review of this article and provided constructive and insightful comments that helped the authors improve the quality and currency of this article.


Downloads

Description | Name | Size
Plants summary security report | AppScanPlantsByWebSphere_Scanned_Summary_Security_Report.pdf | 148KB
Hello World summary security report | AppScanHelloWorldWebService_Scanned_Summary_Security_Report.pdf | 148KB
Rational AppScan technical note | AppScan_TechNote.pdf | 88KB
Hello World | HelloWorld_V1EAR.zip | 12KB
