IBM® Security AppScan® Source Edition helps reduce risk exposure by integrating application security testing into the software development life cycle. This action lets organizations identify software vulnerabilities early in the life cycle so they can be eliminated before deployment. Security AppScan Source supports testing for mobile applications, including those written in Java™ code, C#, and Objective-C.
In this article, IBM Security's Derek Chowaniec explains how to configure applications for scanning, how to alter the scanning configuration of AppScan for your security needs, how to use the integrated tools to build a report, how to triage the information based on your findings, and how to configure the system to scan and analyze precompiled code. IBM Product Manager Tom Mulvehill finishes this article by showing you how to use AppScan Source to hunt down vulnerabilities in Android applications.
IBM Security's Derek Chowaniec demonstrates how to manually configure a Java application for IBM AppScan Source Edition for application scanning.
Derek demonstrates how to alter and customize existing scanning configurations for your security needs.
Derek demonstrates the tools you use to build a simple report with IBM AppScan Source. He explains how you can:
- Generate a simple set of general findings by property or criteria. You can set surrounding parameters (lines above and below the offense code) to include in your trace data and the vulnerability types to include.
- Map all findings to a predetermined set of security profiles to place your findings in a broader context.
There is a full set of easily portable formats in which you can save your reports.
Derek demonstrates the tools you use to perform security triage on applications with IBM AppScan Source. The tools are organized as four views:
- Assessment summary. You can visualize your assessment by vulnerability type, by API, by project, by file.
- Vulnerability matrix. Allows you view results by severity, as well as vulnerability type. This view also parses results by vulnerability (tells users this is definitely a problem) and exceptions (tells users this needs more examination).
- Findings. There is a list of different contexts in which you can view your findings.
- Bundles. This tool allows you to bundle your found vulnerabilities into categories.
Segments selected in one view changes the organization of information in the other views automatically, allowing you to focus on the same segment in various ways.
In this second segment, Derek continues discussing bundling as a tool to prioritize vulnerabilities and as a way of sharing information with other team members. He discusses the concept of the excluded bundle, a way of removing a group of exceptions from the workflow so they are not considered.
Derek concludes with filtering options for severity, types, classifications, and so on.
Derek mentions exclusions when discussing the vulnerability matrix. Most of the work in the reporting and triage sections of this article so far have been done after the scanning is complete, but you can set up exclusions before you scan. Exclusions set before scanning can speed up scan completion.
Exclusions can be set at different levels—you can exclude sets of issue bundles and you can exclude filters. The exclude filter tool is quite powerful. After you've tightly focused your vulnerability search by creating custom filters, you can choose to exclude all findings that match the filters or all findings that do not match the filters.
When AppScan configures an application for a scan, it compiles the application source code into an intermediate representation. But what if the source code doesn't compile? AppScan Source contains functions that allows it to scan such code as .NET assemblies, chunks of precompiled code that can be executed by the .NET runtime environment. Derek takes you on a two-part tour of how AppScan Source tools handle this type of advanced security screening.
AppScan in action securing mobile
IBM Product Manager Tom Mulvehill demonstrates how to use IBM Security AppScan Source to identify security vulnerabilities in Android applications. He explains how to isolate mobile application risks down to individual lines of code and outlines AppScan's vulnerability matrix tool. The Android application in question is a restaurant phone app.
- Visit the IBM Security AppScan Source product site to learn how you can quickly identify, understand, and fix critical web application vulnerabilities.
- Visit the Security AppScan Source resource wiki.
- Uncover technical resources to help you get the most out of Security AppScan at developerWorks.
- Start your journey to implement IT security through pragmatic, intelligent, and risk-based practices at Security on developerWorks.
- Attend a free developerWorks Live! briefing to get up-to-speed quickly on IBM products and tools as well as IT industry trends.
- Follow developerWorks on Twitter.
- Watch developerWorks on-demand demos ranging from product installation and setup demos for beginners, to advanced functionality for experienced developers.
Get products and technologies
- Details on how to download and evaluate IBM Security AppScan.
- Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, or use a product in a cloud environment.
- Interact with security and AppScan experts through forums, blogs, wikis, and announcements in the IBM Security AppScan community on developerWorks.
- Get involved in the developerWorks community. Connect with other developerWorks users while exploring the developer-driven blogs, forums, groups, and wikis.