Before you start

Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.

Introduction

IBM Application Security on Cloud (ASoC) is a SaaS solution for all application security testing needs. It consolidates all IBM Security’s testing capabilities into a single service that provides a uniform experience for all technologies. IBM Security ASoC can scan web, mobile, and desktop applications using dynamic and static techniques.

Dynamic Analysis: ASoC performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet. See Dynamic analysis
Static Analysis: ASoC performs security scans for web and desktop applications. Its Static Analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA). IFA can dramatically reduce the manual effort of triaging security findings to focus only on positive, high-value issues. ICA helps reduce, or avoid entirely, the complex configuration required in other technologies, improving scan accuracy automatically. See Static analysis
Mobile Analysis: ASoC performs runtime security analysis for both Android and iOS apps. By simply uploading the application image (APK or IPA files) a runtime analysis is performed, and issues found are provided with reproduction instructions for ease of debugging and resolution. As with dynamic analysis, pre-production mobile apps with service backends accessible only within the organization can be tested using the Private Site Scanning technology. See Mobile analysis
Open Source Analysis: ASoC identifies open source packages that are used in the application, reports those that have known vulnerabilities, and offers remediation advice. Open source testing can be run alone or as part of a static scan. See Open Source testing

ASoC has a web UI that enables all its functionality. However, IDE and automation systems plugins can also be used, so interaction with the service itself is not required if it is not needed. Developers, for example, remain in their own Integrated Development Environment (IDE) without having to go back-and-forth between the IDE and the browser. The IDE plugins also enable code interactions that would be impossible using the web UI.

To complement its functionality, ASoC also exposes a comprehensive set of REST APIs which drive operations in ASoC. This is makes ASoC ideal for integration into automation environments. Customers can compose their own workflows using the REST APIs, rather than being tied to an ASoC workflow.

ASoC aids security policy compliance. By using predefined policies, or defining custom policies, it is easy to identity which applications are non-compliant and require attention. By filtering according to defined policies, issue fixes can be prioritized. Instead of getting lost in a sea of issues, filtering according to specific policies helps prioritize fixes to target specific compliances.

ASoC also lets you run Personal Scans, that appear in the list of scans for an application, but whose scan data is not merged with the rest of the application results. This enables developers to run scans without the issues found appearing in the overall application data. The results of personal scans can thus be examined for critical issues before the code is pushed to the main code stream.

ASoC helps leverage all scanning capabilities to scan many types of applications, manage the security compliance of the whole organization, and automate security scanning operations.

Demo applications

You can try out ASoC using our Sample applications and scripts.

Recent updates

You can learn about new features and recent updates to ASoC in Recent updates.