As global connections increase, so do security risks
According to the IBM® X-Force® 2011 Mid-year Trend and Risk Report, 2011 can be considered "The Year of the Security Breach" due to an unprecedented number of high-profile security breaches reported throughout the first half of 2011. A more interconnected, intelligent, and instrumented cyber-world of global scope and scale leads to increased risks and dangers, with more sophisticated and difficult to manage network security attacks on enterprises and infrastructures.
The report shows that 37% of all vulnerabilities disclosed during the first half of 2011 were web application vulnerabilities. Failure to secure web applications can result in massive losses, both financially and in application performance. Most web-based threats occur because of gaps in the source code that allow SQL injection, cross-site scripting (XSS), compromised session information, and so forth. Browser security is also easily circumvented if there is no strong quality assurance security enforcement. For an overview of the current application security landscape, you can download this report (see the link in Resources).
The IBM® Rational® AppScan® range of products automates dynamic security testing of web vulnerabilities for web applications (web services, Web 2.0) and rich Internet applications (JavaScript, Ajax, and Adobe Flash). This dynamic security testing approach spans from development to testing by scanning applications, identifying vulnerabilities, and generating reports of gaps, with remediation recommendations before applications are deployed on the web.
Rational AppScan versions cater to small, medium, or large development groups, with a comprehensive range of choices:
- Source Edition is geared to aid development teams, and it adds source code analysis to AppScan Enterprise with static application security testing (SAST).
- Enterprise Edition is an enterprise-class solution for application security testing and risk management with governance, collaboration, and security intelligence.
- AppScan Tester Edition is a dynamic application security testing (DAST) solution specifically designed to integrate application security testing into a QA environment with Rational Quality Manager.
- Standard Edition is a desktop security testing tool designed to automate web vulnerability assessments. It generates both static and dynamic analysis of the vulnerabilities with corresponding fix recommendations.
In this article, we explore the capabilities of Rational AppScan Standard Edition, Version 8.5, to perform automated security and vulnerability testing of web and web service applications. We also explore its regulatory compliance reporting capabilities as part of that testing.
To explore the capabilities of AppScan Standard Edition v8.5, you will use PlantsByWebSphere v8.0.0.1, Ajax Version, an application that is included as a sample with WebSphere Feature Pack for Web 2.0 and Mobile, Version 1.1.0. Figure 1 shows the initial screen.
Figure 1. PlantsByWebSphere v8.0.0.1 web application, Ajax Version
Note:
For details about this sample application, see the link in the Resources section.
PlantsByWebSphere is supplied by IBM with source code. The sample application is an ideal candidate for our security and vulnerability testing exercise, because it conforms to application programming interfaces (APIs) and is not engineered with robust security as a design requirement. IBM clearly documents the disclaimer statement in the source code that is delivered. This sample can be easily configured, and the steps explained in this article can be easily replicated when exploring AppScan capabilities.
Additionally, you will use the HelloWorld JAX-WS web service application shown in Figure 2, deployed to the IBM® WebSphere® Application Server v8.0.0.1 runtime, to further explore the capabilities of AppScan Standard Edition v8.5.
The HelloWorld JAX-WS application's business method, sayHello(), accepts a HelloReq object and returns a HelloResp object that greets the named individual with a personal greeting message. The HelloReq and HelloResp objects contain string attributes named name and response, respectively.
Figure 2. HelloWorld JAX-WS web service application
Automated security and vulnerability testing of a web application
First, configure a comprehensive, full scan of the PlantsByWebSphere web application using the Scan Configuration Wizard shown in Figure 3. Before setting up the scan profile to uncover the security vulnerabilities of this web application, make sure that WebSphere Application Server v8.0.0.1 is running and that the PlantsByWebSphere application is deployed to the runtime and running successfully, as shown in Figure 2 (the pbw-ear enterprise application shows a green arrow in the Application Status column).
- Launch Rational AppScan Standard Edition v8.5.
- Select File > New.
The New Scan dialog window (Figure 3) offers wizard-based scanning from a variety of predefined templates.
Figure 3. New scan, PlantsByWebSphere web application
For this sample, a Comprehensive scan is selected and, as Table 1 shows, it is set up for a web application at the given URL, automatic login (with the required credentials), and a full scan.
- Launch the Scan Configuration Wizard and specify the options listed in Table 1.
Table 1. Scan configuration options, PlantsByWebSphere web application
| Scan | Scan configuration option | Configuration specified |
|---|---|---|
| 1 | Predefined Template | Comprehensive scan |
| 2 | Type of Scan | Web application scan |
| 3 | Starting URL for Scan | http://localhost:9085/PlantsByWebSphere/orderdone.jsf |
| 4 | Login Method | Automatic |
| 5 | Login Credentials | User name: plants@plantsbywebsphere.ibm.com Password: plants |
| 6 | Test Policy | Complete |
| 7 | Scan Start Method | Start a full automatic scan |
Note:
The hostname, port number, and user credentials vary, depending on your installation and setup.
- Now, select the environmental setting definitions listed in Table 2.
Table 2. Environmental setting definitions, PlantsByWebSphere
| Scan | Environmental setting definition | Setting definition specified |
|---|---|---|
| 1 | Operating System (of site being scanned) | Windows |
| 2 | Web server | IBM HTTP Server |
| 3 | Application Server (if any) | WebSphere |
| 4 | Type of Database (if any) | DB2 |
| 5 | Third-Party Component (if any) | Not Defined |
| 6 | Location of Site | Local |
| 7 | Type of Site | Test |
| 8 | Deployment Method | Internally |
| 9 | Collateral Damage Potential | Low-Medium |
| 10 | Target Distribution | High |
| 11 | Confidentiality Requirement | Medium |
| 12 | Integrity Requirement | Medium |
| 13 | Availability Requirement | Medium |
Figure 4 shows the environment definitions specified for scan configuration.
Figure 4. New Scan, PlantsByWebSphere web application scan configuration
This is a Microsoft Windows setup. The application is running on the WebSphere Application Server and using the DB2 default database.
- Allow AppScan to perform the comprehensive security and vulnerability testing scan.
As Figure 5 shows, allowing AppScan to complete the comprehensive security and vulnerability scanning results in a set of security advisories: 54 issues in total, of which 12 are high, 2 medium, 40 low, and 0 informational severity.
Figure 5. Scan results, PlantsByWebSphere web application
The issues can be evaluated in three different views:
- Security Issues
- Remediation Tasks
- Application Data
Notice that the advisories can be arranged by severity (ascending or descending) and that there is a dashboard for a chart-based representation of the vulnerabilities.
- Click the Report button on the AppScan desktop to generate a comprehensive report. Explore various report templates provided in the AppScan application.
Multiple customizable report templates are available in the categories listed below:
- Security report provides a list of problems found
- Industry Standard report provides information about compliance or noncompliance of your application
- Regulatory Compliance report addresses compliance with legal standards (see note)
- Delta Analysis report contains the information that changed between individual scans. This report is useful for regression scans, to uncover which vulnerabilities have been fixed, which have not been fixed, and which have been uncovered for the first time in a new scan.
- Template-based reports, in which you use templates to define the data and the document formatting in Microsoft Word .doc styles.
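The Delta Analysis comparison described above, worked through as an added example (this is illustrative code, not AppScan's implementation, and the issue records, field names and page names below are constructed assumptions, not AppScan's export format or findings from the article's scans):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Issue:
    """One finding. Identity for matching across scans is (type, URL, parameter);
    severity is carried along for reporting but does not affect matching."""
    issue_type: str
    url: str
    parameter: str
    severity: str

    def key(self):
        return (self.issue_type, self.url, self.parameter)

def delta(previous, current):
    """Classify issues the way a regression comparison between two scans does:
    fixed   = in the previous scan, absent from the current one
    unfixed = in both scans
    new     = only in the current scan (each list sorted by key for stable output)"""
    prev_by_key = {i.key(): i for i in previous}
    curr_by_key = {i.key(): i for i in current}
    fixed = [prev_by_key[k] for k in sorted(prev_by_key.keys() - curr_by_key.keys())]
    unfixed = [curr_by_key[k] for k in sorted(prev_by_key.keys() & curr_by_key.keys())]
    new = [curr_by_key[k] for k in sorted(curr_by_key.keys() - prev_by_key.keys())]
    return {"fixed": fixed, "unfixed": unfixed, "new": new}

def summarize(report):
    """Per-bucket totals and per-severity counts, the figures a delta report tabulates."""
    summary = {}
    for bucket, issues in report.items():
        counts = {}
        for issue in issues:
            counts[issue.severity] = counts.get(issue.severity, 0) + 1
        summary[bucket] = {"total": len(issues), "by_severity": counts}
    return summary

# Constructed sample data (assumption): two scans of the sample application. The base
# URL is the article's; the pages, issue types and parameters are illustrative only,
# not findings from the article's scans.
BASE = "http://localhost:9085/PlantsByWebSphere/"
PREVIOUS_SCAN = [
    Issue("SQL Injection", BASE + "product.jsf", "itemID", "High"),
    Issue("Cross-Site Scripting", BASE + "shopping.jsf", "category", "High"),
    Issue("Session Cookie Without Secure Flag", BASE + "login.jsf", "JSESSIONID", "Medium"),
    Issue("Missing Cache-Control Header", BASE + "orderdone.jsf", "", "Low"),
]
CURRENT_SCAN = [
    Issue("Cross-Site Scripting", BASE + "shopping.jsf", "category", "High"),
    Issue("Missing Cache-Control Header", BASE + "orderdone.jsf", "", "Low"),
    Issue("Cross-Site Scripting", BASE + "product.jsf", "itemID", "High"),  # found for the first time
]

if __name__ == "__main__":
    report = delta(PREVIOUS_SCAN, CURRENT_SCAN)
    print(summarize(report))
```

Matching on (type, URL, parameter) rather than on severity is what lets a re-rated finding still count as unfixed instead of as one fixed and one new issue.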
Note:
The Regulatory Compliance report comes with 40 or so compliance reports, including PCI Data Security Standard, Payment Application Data Security Standard (PA-DSS) [new], ISO 27001 and ISO 27002 [new], and Basel II.
Figure 6 shows an example of creating a customized, template-based report (Custom Template), with the report options specified by the report creator.
Figure 6. Custom report template options specified
Important:
See Downloads for the summary report generated by this scan: AppScanPlantsByWebSphere_Scanned_Summary_Security_Report.pdf
Automated security and vulnerability testing of a web service application
Tip:
It will be helpful to explore the Open Web Application Security Project (OWASP) web site to learn more about web security, get a list of high-risk vulnerabilities, tips for remediation, and so forth (see the link in Resources). The OWASP site also has a page dedicated to different categories of vulnerabilities, such as authentication, cryptographic, logging, and session management.
Now you're ready to configure a comprehensive, full scan of the HelloWorld web service application. Before setting up the new scan profile to uncover security vulnerabilities of this web service, make sure that WebSphere Application Server v8.0.0.1 is running and that the HelloWorld web service application is deployed to the runtime and running successfully, as shown in Figure 2 (the HelloWorld_V1EAR enterprise application shows a green arrow in the Application Status column).
- Launch Rational AppScan Standard Edition v8.5.
- Select File > New > Predefined Templates > Comprehensive Scan.
Figure 7. New scan, HelloWorld JAX-WS web service application
- Launch the Scan Configuration Wizard and specify the options listed in Table 3. See Figure 7.
Table 3. Scan configuration options, HelloWorld web service application
| Scan | Option | Scan configuration option specified |
|---|---|---|
| 1 | Predefined template | Comprehensive scan |
| 2 | Type of scan | Web service scan |
| 3 | Location of WSDL service | http://localhost:9085/HelloWorld_V1/HelloWorld_V1_HelloWorld_V1HttpService |
| 4 | Generic service client | Test only |
- Specify the environmental setting definitions listed in Table 2.
- Allow AppScan to perform the comprehensive security vulnerability testing scan.
Figure 8 shows the result of the successfully completed scan. After completing a scan and identifying issues, AppScan classifies each issue as high, medium, low, or informational severity and presents the scan results in four tabs: Issue Information, Advisory, Fix Recommendation, and Request/Response. These tabs contain detailed information about the identified issue, the URL that contributed to it, the risk it poses, a recommendation to address that risk, and the raw request/response exchange.
Figure 8. Scan result, HelloWorld web service application
While the scan is running, a progress panel indicates the current phase of the scan in real time, along with the URL and the percentage completed. A multiphase scan can be enabled to scan the URLs contained within the main URL; in that case, the status bar shows the number of URLs visited, how many of them have been scanned, and so on. These scans can be set to run automatically either once or periodically.
Next, generate a custom report by using a custom report template with the options that Figure 5 shows.
See Downloads for the summary report generated: AppScanHelloWorldWebService_Scanned_Summary_Security_Report.pdf
You can customize the following AppScan configuration parameters to avoid problems caused by AppScan using excessive memory, which can result in losing all scan data:
- PerformanceMonitor.RestartOnOutOfMemory
- PerformanceMonitor\minScanTimeDurationForRestart
To set them:
- Click Tools > Options > Advanced tab.
- Change these two parameters, listed in the Preference Name column, to these values:
  - PerformanceMonitor.RestartOnOutOfMemory=True
  - PerformanceMonitor\minScanTimeDurationForRestart=30 (minutes)
With these settings, AppScan restarts automatically when memory usage becomes too high or when the scan ends due to low virtual memory. See Figure 9 for details, and the links in the Resources section for more information.
Figure 9. Suggested AppScan configuration parameters
You have successfully configured Rational AppScan Standard Edition v8.5 to perform automated security vulnerability testing of PlantsByWebSphere web and HelloWorld web service applications. Additionally, you have successfully generated detailed vulnerability and remediation reports using preconfigured or customized report templates. See the link in Resources for more information on security hardening of the WebSphere Application Server runtime environment.
The Downloads section contains an installation journal guide, the generated reports, the scan export documents, the TechNote, and the sample application used in this article.
The authors gratefully acknowledge help from Karl Snider, Market Segment Manager, Application Security and Compliance, IBM Rational software. Karl performed a careful technical review of this article and provided constructive and insightful comments that helped the authors improve the quality and currency of this article.
| Description | Name | Size | Download method |
|---|---|---|---|
| Plants summary security report | AppScanPlantsByWebSphere_Scanned_Summary_Security_Report.pdf | 148KB | HTTP |
| Hello World summary security report | AppScanHelloWorldWebService_Scanned_Summary_Security_Report.pdf | 148KB | HTTP |
| Rational AppScan technical note | AppScan_TechNote.pdf | 88KB | HTTP |
| Hello World | HelloWorld_V1EAR.zip | 12KB | HTTP |
Learn
- Links to information mentioned in this article:
- Download the IBM X-Force 2011 Mid-year Trend and Risk Report, Executive Summary.
- Visit the Open Web Application Security Project (OWASP), especially the Vulnerability category.
- Visit Rational AppScan Standard Edition - An edition of IBM Rational AppScan for advanced web application security scanning - http://www-01.ibm.com/software/awdtools/appscan/standard/
- Read this IBM TechNote if Rational AppScan stops and displays an "AppScan has reached its predefined memory limit" message.
- See Getting Started with PlantsByWebSphere, Ajax Version for more information about the sample application used in this article.
- Read WebSphere Application Server v7 advanced security hardening, Part 1: Overview and approach to security hardening and Part 2: Advanced security considerations.
- Check the developerWorks AppScan page and the AppScan product line web page to find the editions that interest you most.
- Explore the Altoro Mutual demonstration-only site, which shows you the application vulnerability scanning capabilities of Rational AppScan Standard Edition.
- Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.
- Stay current with developerWorks technical events and webcasts focused on a variety of IBM products and IT industry topics.
- Attend a free developerWorks Live! briefing to get up-to-speed quickly on IBM products and tools, as well as IT industry trends.
- Watch developerWorks on-demand demos, ranging from product installation and setup demos for beginners to advanced functionality for experienced developers.
- Improve your skills. Check the Rational training and certification catalog, which includes many types of courses on a wide range of topics. You can take some of them anywhere, any time, and many of the "Getting Started" ones are free.
Get products and technologies
- Download Rational AppScan to try it now.
- Evaluate IBM software in the way that suits you best: Download it for a trial, try it online, use it in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement service-oriented architecture efficiently.
Discuss
- Join the Rational AppScan and AppScan Enterprise forum and the Rational AppScan Developer Edition forum to ask questions and participate in discussions.
- Rate or review Rational software. It's quick and easy. Really.
- Share your knowledge and help others who use Rational software by writing a developerWorks article. Find out what makes a good developerWorks article and how to proceed.
- Follow Rational software on Facebook, Twitter (@ibmrational), and YouTube, and add your comments and requests.
- Ask and answer questions and increase your expertise when you get involved in the Rational forums, cafés, and wikis.
- Get social about thought leadership. Join the Rational community to share your Rational software expertise and get connected with your peers.
Bhargav Perepa is a WebSphere architect and IT specialist for the IBM Federal Software Group in the Washington D.C. area. Previously, he was a developer in the WebSphere Development Lab in Austin and gained Smalltalk and C++ development experience at IBM in Chicago. Bhargav holds a master's degree in computer science from the Illinois Institute of Technology, in Chicago, and an MBA degree from the University of Texas, Austin.

Sujatha Perepa is a software client architect with IBM Federal Sales and Distribution in the Washington D.C. metro area. She is a Senior Certified IT Architect and is the lead architect for the National Security and Justice and Dept of State agencies. Sujatha routinely addresses and recommends security solutions for Federal agencies. She has dual graduate degrees in Applied Electronics and an MBA in Information Systems (Stuart School of Business, Chicago).