Application Security Community of Practice
Posted by CalvinPowers
Nader Nassar, Carloa Hoyos, and Daniel J. Anderson have published a new How-To guide for testing the three types of mobile applications with IBM Security AppS
Posted by SusannUlrich. Tags: application-security, dynamic-analysis, security, static-analysis, glassbox, appscan
Back in December I posted about a new and innovative scanning approach, Glassbox testing, that is provided by the new release of AppScan.
The two primary approaches for application security testing are Black Box (or dynamic testing) and White Box (or static testing). Think of Black Box Testing as a “hacker in a box”. With this technique the scanner analyzes a web application and identifies the vulnerabilities. This approach has a number of advantages including:
But it also has some limitations such as:
Because of the limitations many organizations also execute what’s known as white-box testing where the scanner runs against the source code of the application under test. This approach has the following benefits:
But it too has some limitations which include:
A brand new white paper has just been published which explains this new and innovative approach to application security testing in more detail. Download the Whitepaper Here
Posted by SusannUlrich. Tags: appscan, rational, security, dynamic-analysis, glassbox
One of the new capabilities in AppScan Standard 8.5 is something called Glass box testing. One of the limitations of traditional dynamic analysis is that the scanner is completely unaware of the inner workings of the application under test. Glass box testing addresses this limitation by leveraging a server-side agent which gathers information at runtime and sends it back to the black-box scanner.
Ory Segal discusses this new capability in detail and how it works in his blog.
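The following is an added illustration of the glass box idea described above, not code from the post, from AppScan or from Ory Segal's write-up. It assumes a hypothetical stand-in application, agent and scanner of its own: the "agent" hooks the application's database connection in-process and records every SQL string executed while a scanner request is handled, tagged with a request id the scanner supplies. The application has a blind SQL injection whose response never changes, so a black-box scanner alone sees nothing; the agent's sink report tells the scanner that each payload reached the query unmodified, and that the parameterized version does not.

```python
"""Toy glass box scan: a black-box scanner paired with an in-process agent.

Everything here is constructed for this example (a stand-in app, agent and
scanner); it is not AppScan's agent or its scanner protocol.
"""
import sqlite3

_REAL_CONNECT = sqlite3.connect      # keep the unpatched constructor
_ACTIVE = {"agent": None}            # the agent currently receiving sink reports

PAYLOADS = ["' OR '1'='1", "'; --", "\" OR \"1\"=\"1"]


class InstrumentedConnection(sqlite3.Connection):
    """Connection subclass that reports every SQL string it executes.

    This is the agent's sink hook. Only Connection.execute is hooked; a real
    agent would also cover cursor.execute, executemany, ORMs and so on.
    """
    def execute(self, sql, *args):
        if _ACTIVE["agent"] is not None:
            _ACTIVE["agent"].record(sql)
        return super().execute(sql, *args)


def _instrumented_connect(database, *args, **kwargs):
    kwargs["factory"] = InstrumentedConnection
    return _REAL_CONNECT(database, *args, **kwargs)


class Agent:
    """Server-side agent: remembers the SQL executed while each scanner
    request was being handled, keyed by a request id the scanner asks for."""
    def __init__(self):
        self.request_id = None
        self.sinks = {}
        self._counter = 0

    def install(self):
        # Must run before the app opens its connection (agents load at startup).
        _ACTIVE["agent"] = self
        sqlite3.connect = _instrumented_connect

    def begin_request(self):
        self._counter += 1
        self.request_id = "req-%d" % self._counter
        return self.request_id

    def record(self, sql):
        if self.request_id is not None:
            self.sinks.setdefault(self.request_id, []).append(sql)


class App:
    """Application under test (constructed). With fixed=False the 'name'
    parameter is concatenated into SQL, but errors are swallowed and the
    response is always 'OK': a blind injection invisible from the outside."""
    def __init__(self, fixed=False):
        self.fixed = fixed
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT)")
        self.db.execute("INSERT INTO users VALUES ('alice')")

    def handle(self, params):
        name = params.get("name", "")
        try:
            if self.fixed:
                self.db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
            else:
                self.db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
        except sqlite3.Error:
            pass
        return "OK"


def black_box_scan(app, param="name"):
    """Pure black box: a payload is interesting only if the response changes."""
    baseline = app.handle({param: "alice"})
    return [p for p in PAYLOADS if app.handle({param: p}) != baseline]


def glass_box_scan(app, agent, param="name"):
    """Same requests, but the agent tells the scanner which payloads reached a
    SQL sink unmodified. Verbatim substring matching is a crude stand-in for
    the data-flow tracking a real agent does."""
    findings = []
    for payload in PAYLOADS:
        rid = agent.begin_request()
        app.handle({param: payload})
        for sql in agent.sinks.get(rid, []):
            if payload in sql:
                findings.append((param, payload, sql))
                break
    agent.request_id = None
    return findings


def run_demo():
    agent = Agent()
    agent.install()
    vulnerable, fixed = App(), App(fixed=True)
    return (black_box_scan(vulnerable),
            glass_box_scan(vulnerable, agent),
            glass_box_scan(fixed, agent))


if __name__ == "__main__":
    bb, gb, gb_fixed = run_demo()
    print("black box alone found:", bb)
    print("glass box found:", [(p, s) for _, p, s in gb])
    print("glass box on the parameterized version:", gb_fixed)
```

The request id is the important part of the design: without it the agent cannot tell the scanner which of its many requests caused a given sink to fire, and a real agent has to carry that correlation through thread pools and asynchronous handlers rather than a single global as here.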
Posted by SusannUlrich. Tags: appscan-enterprise, appscan-source, appscan-standard, rational, appscan
AppScan 8.5 was officially released on November 15th. This includes updates to AppScan Enterprise, AppScan Standard and AppScan Source editions.
Rational AppScan Standard Edition V8.5 includes the following enhancements:
Rational AppScan Enterprise Edition V8.5 includes the following enhancements:
Rational AppScan Source Edition V8.5 includes the following enhancements:
Posted by SusannUlrich. Tags: was_6.1, appscan-source, security, pl/sql, appscan, cobol, t-sql
What's New in IBM Rational AppScan Source Edition Version 8.0 Fix Pack 1:
The Fix Pack can be downloaded from Fix Central.
Posted by SusannUlrich. Tags: coding, security, development, secure-development, rational
One of the key messages that IBM talks to our customers about as it relates to security is the concept of "Secure by Design". This means that we want to help our customers build security in from the beginning. There's been a lot of discussion in the security community about some comments made at a recent security summit about developers and that they don't know <bleep> about security. I agree with
Posted by SusannUlrich. Tags: ase, vulnerability, security, rational, correlation, static-analysis, appscan-standard, appscan-enterprise, appscan, policy-tester
Have you heard that the 8.0 version of AppScan Standard, AppScan Enterprise, Reporting Console and Policy Tester is now available? If you're interested in learning more about the new version, I've posted a series of blogs talking about the new features.
Posted by DannyAllan. Tags: appsec, appscan, app-sec, application-security
Over the past two decades, there has been a significant proliferation of computer software. This has allowed the organization to become more efficient and streamlined, eliminating the reliance on paper based processes and the need for phone based information and support. Over the last decade, this software shift has continued to evolve towards web based applications. This most recent shift has further increased organizational value and reduced costs by enabling the end consumer to be self sufficient. However, with this explosion of computer software has come both complexity and security concerns.
While software proliferation and complexity has been explosively driven by business need and market demands, security testing has not kept pace. A relatively small group of individuals, usually found within the IT organization, has voiced their concerns and attempted to implement controls to assess the risk or lack of security within the software. Over the past decades we have seen the shift in security testing. Let’s consider the stages of automated security testing and the value the organization receives in deployment, development and design.
The first types of software security testing looked at the deployment of the software. Underlying all software, web based or not, was an underlying infrastructure that supported the deployment. Security assessment technology first gave rise to the tools that addressed the need for patch management and remediation. There has been a specific trend from negative based deployment assessment tools (looking for missing patches and poor configurations) to positive based assessment tools (ensuring the compliance of the infrastructure by enforcing defined policy). Open source tools such as Nessus have provided value to the organization by looking at the underlying infrastructure and reporting on security deficiencies.
When applied directly to web based applications, security assessment tools such as IBM Rational AppScan became an important part of the organizational security landscape by performing security assessments on web applications in deployment or immediately prior to deployment. Over the past 10 years, this type of security assessment has brought, and continues to bring, tremendous value to the industry by shining a light on one of the weakest links in the defenses of the organization. It highlights the fact that most web applications contain critical vulnerabilities and the need for more and better software security education and awareness.
These first security tools, which required a running application, also focused a light on another need – to address security earlier in the software development lifecycle (SDLC). Many, if not most of the issues being reported, were vulnerabilities introduced during development. By finding and remediating these issues earlier in the SDLC, research has proven that this could lead to as much as a 100X reduction in operational cost.
While security assessments have evolved from deployment to development, this has occurred on several different fronts. Firstly, there has been an evolution towards introducing security tools to a group of people whose primary concern is building and testing software – development. This introduction has required the security industry to face two changes: security tools must not require an expert in the field to run them, and they must communicate in the language of their user. Over the past five years, this evolution in security assessment tools has become very evident. It is a trend that has expanded the number of potential resources the organization has to address the application security risk.
Secondly, automated security assessment tools could not continue to wait for a running application in order to perform the assessment. While a running application could emerge well before deployment, the industry recognized that performing assessment on the source code itself could allow for much earlier detection of vulnerabilities. The past five years have also given rise to source code analysis tools such as IBM Rational AppScan Source Edition. While there might be the mistaken notion that source code analysis tools have superseded the traditional dynamic analysis tools, the reality is that these tools are very much complementary. While this paper is not intended to cover the strengths and weaknesses of each approach, this industry shift has brought increased value by delivering broader vulnerability coverage and bringing the development teams directly to the line of code where the vulnerability can be found.
Thirdly and lastly, we have seen another shift in the development space. In the past two to three years, application security assessment tools have become a seamless part of the SDLC process. The value this trend brings to the industry is not to be underestimated. Development teams need to be focused on development. To the extent that security tools impede this effort or distract the development teams, they will increase organizational costs and cause pushback from those they are intended to help. With the introduction of purpose-built automated tools such as IBM Rational AppScan Build Edition, these security assessments can be performed during the development cycle in a completely seamless fashion – from the running of the security assessment, to pushing the defect into the defect tracking system, to the re-analysis of the security issue during the next development cycle.
These three trends have been growing in momentum over the past five years until almost all enterprise organizations with an in-sourced or outsourced software development group have introduced some level of security automation during development. This momentum continues to ripple out to the medium and small business world as they recognize the need for security in deployment and development. These security tools have done an exceptional job at detecting implementation and deployment issues and continue to improve over time. However, there continues to be a deficiency in the software production space in one last area – design.
An entire class of issues has continued to exist that has not been addressed by existing security tools. These issues have to do with the design of the application and have been referred to as business level or logical security issues. As a simple example of a design level security issue, the application that allows you to reset your password by providing your username and email address is easily compromised. The traditional response to design level security issues is that automated tools are not sufficient to address these problems. I submit to you that there are multiple technologies that can aid in this third and final area of security problems, and that bring significant value to the organization.
Let’s begin with the very simple concept of prioritization, or something known as the predictive threat index (PTI). Knowing that resources are limited within the organization and that not all applications represent an identical level of risk, it is important to introduce a very simple way to scale the relative risk. This can be done with a very simple 5 question survey that anyone is able to complete asking very basic questions:
Next in the design phase comes the concept of threat modeling. This concept derives from the need to delineate the specific threats that an application will face, and correlate the relevant countermeasures to each threat. The use of Rational Method Composer or free tools in the development space allows these models to be created and then reused for similar projects. Value is derived at the enterprise level in the explicit threat definition by allowing the testing teams to test specifically for these threats.
Threat modeling naturally leads to an often missed aspect of secure design – security requirements. Many software projects begin with an almost humorous requirement of, “the software must be secure.” What does this mean? How does one test for this? How does one automate the testing of this requirement? The use of tools such as Rational Requisite Pro allow the team to explicitly define security requirements in the areas of great concern – input validation, authentication, authorization, encoding, error handling, logging, etc. These requirements management tools often allow the use of templates so that the wheel need not be invented each time a project is begun, but that the design teams can quickly choose the areas that are most relevant and attach these requirements for the development teams. However, security requirements fundamentally address an area we have talked of earlier – logical security flaws. By introducing security requirements in the business logic (often stemming from the Threat Modeling), we now have specific issues to test for outside of the implementation vulnerabilities.
As many of the implementation security requirements are similar, the reuse of architectural and component level assets again becomes an essential piece of the design phase – elevating once more the need for an asset management system. The value of the Asset Management system cannot be underestimated for the enterprise. It brings efficiency to the organization by allowing them to focus on the areas where the development team could not use a proven secure architecture or component when it comes time for automated testing or code review. We have seen significant improvements to the security of software by the simple introduction of validation into some of the more common development frameworks such as .NET and Java Struts. To the extent that these secure APIs can be introduced into the common development frameworks, we will see tremendous improvement in the security of new applications being designed, developed and deployed.
Secure design will be the space in which the software community will need to move over the next three to five years. This will require collaborative enterprise environments that do not put together many different silos of technology that are unable to communicate without customization, but an application lifecycle management system that seamlessly moves the software from design, through development and into deployment – understanding and communicating the aspect of security and risk along the pathway. Only then will we deliver the high quality, compliant and secure applications that our clients demand.
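The password-reset flow used above as the example of a design-level flaw, worked through as an added example (not code from the post or from any IBM product). The user store, reset service and "outbox" are hypothetical stand-ins. The first function is the flawed design: username and e-mail address are not secrets, and every request to it is well formed, so no scanner flags it. The second is the usual hardened design: a random, single-use, short-lived token sent only to the registered address, with the same outward behaviour for unknown addresses so the endpoint cannot enumerate accounts.

```python
"""Design-level flaw: password reset gated only on facts an attacker can know.

Constructed for this example; the store, service and outbox are stand-ins,
not any product's reset flow.
"""
import hashlib
import secrets
import time


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self.users = {}   # username -> {"email", "salt", "pw_hash"}

    def add(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email.lower(), "salt": salt,
                                "pw_hash": _hash_password(password, salt)}

    def set_password(self, username, password):
        u = self.users[username]
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = _hash_password(password, u["salt"])

    def verify(self, username, password):
        u = self.users.get(username)
        return u is not None and secrets.compare_digest(
            u["pw_hash"], _hash_password(password, u["salt"]))

    def by_email(self, email):
        email = email.lower()
        return next((n for n, u in self.users.items() if u["email"] == email), None)


# --- the flawed design: knowing public facts about the victim is enough -----
def reset_password_insecure(store, username, email, new_password):
    u = store.users.get(username)
    if u is None or u["email"] != email.lower():
        return False
    store.set_password(username, new_password)
    return True


# --- the hardened design: prove control of the mailbox ----------------------
class ResetService:
    TTL = 15 * 60   # seconds a token stays valid

    def __init__(self, store, outbox, clock=time.time):
        self.store, self.outbox, self.clock = store, outbox, clock
        self.pending = {}   # sha256(token) -> (username, expiry)

    def request_reset(self, email):
        # Same outward behaviour whether or not the address is registered.
        username = self.store.by_email(email)
        if username is not None:
            token = secrets.token_urlsafe(32)          # 256 bits of entropy
            digest = hashlib.sha256(token.encode()).digest()
            self.pending[digest] = (username, self.clock() + self.TTL)
            self.outbox.append((self.store.users[username]["email"], token))
        return None

    def complete_reset(self, token, new_password):
        # Only the hash is stored, so a leaked pending table cannot be replayed.
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.pending.pop(digest, None)      # pop: a token works at most once
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        self.store.set_password(username, new_password)
        return True


def demo():
    """Returns the observable outcomes of both designs as a dict."""
    out = {}
    store = UserStore()
    store.add("alice", "alice@example.com", "correct horse")
    out["insecure_takeover"] = reset_password_insecure(
        store, "alice", "alice@example.com", "pwned")
    out["insecure_attacker_logs_in"] = store.verify("alice", "pwned")

    store = UserStore()
    store.add("alice", "alice@example.com", "correct horse")
    outbox, now = [], [1_700_000_000.0]          # fake mail channel, fake clock
    svc = ResetService(store, outbox, clock=lambda: now[0])
    svc.request_reset("alice@example.com")
    svc.request_reset("nobody@example.com")
    out["mail_only_to_owner"] = [a for a, _ in outbox] == ["alice@example.com"]
    out["guessed_token"] = svc.complete_reset("guess", "pwned")
    token = outbox[0][1]
    out["real_token"] = svc.complete_reset(token, "new pass")
    out["token_reused"] = svc.complete_reset(token, "again")
    out["owner_logs_in"] = store.verify("alice", "new pass")
    svc.request_reset("alice@example.com")
    now[0] += ResetService.TTL + 1
    out["expired_token"] = svc.complete_reset(outbox[1][1], "late")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

This is exactly the kind of issue the preceding paragraphs say needs an explicit security requirement ("a reset must prove control of the registered mailbox and must not reveal whether an address is registered"): once it is written down, a tester can check for it, which an implementation-level scanner never will.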
At Innovate 2010 in Orlando, the message was clear: software is the invisible thread that speeds the smarter software and smarter product innovation we all need to build a smarter planet. Now, all the excitement, insight, and impact of Innovate 2010 is coming right to your desktop! The Innovate Virtual Conference will deliver many of the same sessions as the June event. You'll be able to revisit the general sessions or listen to breakouts you might have missed in Orlando. You can even download the presentation PDF to follow along and share with others. You'll also be able to access many of the Innovate 2010 demos! Attendance is complimentary and includes: General Sessions featuring Dr. Danny Sabbah, Walker Royce, Grady Booch, Harish Grama and more! Plus you will have an opportunity to see the highest rated Customer Experience Sessions AND some of the BEST Technical sessions from Innovate 2010!
Register now for the Innovate Virtual Conference, below, where you can gain access to Innovate 2010 sessions and demos full of user expertise and key technical content that you can't get anywhere else now that Innovate is over.
Here is the URL for this bookmark: http://events.unisfair.com/index.jsp?eid=556&seid=4342
Posted by christianIBM. Tags: video, app-security-cop, demo, tutorial, training
In this third demo video I show you how to post a blog and greatly increase its visibility through tagging.
Posted by christianIBM. Tags: app-security-cop, training, tutorial, video, demo
In this second demo video I basically give a brief overview of the Rational Security Community of Practices Group and why it is beneficial to join it. It's a really neat group, and if you are into security you should definitely check it out and join.
**I updated the video to reflect the new group layout!**
Posted by christianIBM. Tags: tutorial, demo, training, app-security-cop, video
Last week I made a few demos for the Rational Security Community of Practices Group. This first one explains how to create a My DW profile and add a group to enable you to further connect with people and experts that share similar interests.
Posted by DannyAllan. Tags: appsec, app-sec, security, application-security
My first entry here, so I thought I would keep things short and simple ...
I frequently get asked what reference materials I suggest to learn more about application security. The answer to almost everything is of course, "It depends." In fact, it depends upon the role of the person asking. It depends on whether they want an executive overview or a granular examination of the vulnerabilities, attacks and mitigation. It depends upon whether they hope to use the material as a guide or as a reference. Below are some of the materials that stand out in my collection. (I give references to Amazon where applicable only because of their popularity - not as an official endorsement.)
For the developer wanting to learn about software security:
I know I'm going to get flack for this recommendation, but for an introduction to Web Application Security, I still like the old classic (soon to be updated in a third edition):
For the more experienced security penetration tester to think more creatively, I've recently very much enjoyed:
In terms of application security reference guides, I continue to believe that OWASP provides some of the most comprehensive guides on the market:
Finally, as I work for IBM and participate in various publications for both product and policy, I can not help but suggest some of the freely available recommended Red Guides:
If you are involved in Enterprise Application Security implementation, I strongly suggest that final reference to the IBM Secure Engineering Framework (SEF). It outlines the best practices that we both internally deploy and externally suggest based on decades of software design, development and delivery. Rather than making the assumption that all software development is green field work, it recognizes that most of our software and application projects are built from legacy systems that are not easily re-factored.
For my security concentration last semester I took an interesting course on the principles of cryptography. My professor, Dr. Shouhuai Xu, is a huge crypto enthusiast and has published many articles and papers on his experiments that I have found very interesting. This particular paper discusses memory disclosure attacks and how easy it is to acquire private keys from allocated as well as unallocated space in memory. Cryptography is based on the assumption that the key should be kept secret, and in this paper he explains how the "secret" keys of OpenSSH and Apache servers are easily compromised through data recovery in memory. Really cool stuff, a worthy read.

Cryptography has become an indispensable mechanism for securing systems, communications and applications. While offering strong protection, cryptography makes the assumption that cryptographic keys are kept absolutely secret. In general this assumption is very difficult to guarantee in real life because computers may be compromised relatively easily. In this paper we investigate a class of attacks, which exploit memory disclosure vulnerabilities to expose cryptographic keys. We demonstrate that the threat is real by formulating an attack that exposed the private key of an OpenSSH server within 1 minute, and exposed the private key of an Apache HTTP server within 5 minutes. We propose a set of techniques to address such attacks. Experimental results show that our techniques are efficient (i.e., imposing no performance penalty) and effective — unless a large portion of allocated memory is disclosed.
Protecting Cryptographic Keys From Memory Disclosure Attacks
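To make the class of attack in the abstract concrete, here is an added example (not the paper's attack, its experiments or its defence) that recovers an RSA private key from a memory image. The key, the image and the scanner are all constructed here: the key is a structurally correct PKCS#1 RSAPrivateKey built from two deliberately tiny Mersenne primes, the "memory" is pseudo-random filler with a decoy and the key planted inside, and the scanner tries every offset that could begin a DER SEQUENCE, parses the nine integers, and keeps a candidate only if the RSA arithmetic (n = p·q and e·d ≡ 1 mod lcm(p−1, q−1)) holds. A real process image is far noisier, and keys also sit in memory in decoded form (the bignum limbs of OpenSSL's RSA structure) rather than as DER, but the validation step is the same idea.

```python
"""Recovering an RSA private key from a memory image.

Constructed for this example: the key, the image and the scanner are all
built here. It illustrates the class of attack the paper studies; it is not
the paper's attack or its defence.
"""
import math
import random

# Two known primes (Mersenne primes 2^31-1 and 2^61-1): far too small for
# real use, but enough to build a structurally correct RSAPrivateKey.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
E = 65537


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(x):
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # extra byte keeps it positive
    return b"\x02" + _der_len(len(b)) + b


def make_rsa_private_key_der(p=P, q=Q, e=E):
    """PKCS#1 RSAPrivateKey: SEQUENCE of version, n, e, d, p, q, dp, dq, qinv."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    body = b"".join(_der_int(v) for v in
                    (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)))
    return b"\x30" + _der_len(len(body)) + body


def build_memory_image(seed=1, size=64 * 1024):
    """A fake heap: pseudo-random filler, a decoy that starts like a key
    (version 0 and an exponent, then nothing), and the real key in the middle.
    Returns (image, offset_of_key)."""
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    decoy = b"\x30\x08\x02\x01\x00\x02\x03\x01\x00\x01"
    key = make_rsa_private_key_der()
    head = filler(size // 3) + decoy + filler(size // 3)
    return head + key + filler(size - len(head) - len(key)), len(head)


def _read_len(buf, i):
    b = buf[i]
    if b < 0x80:
        return b, i + 1
    k = b & 0x7F
    if k == 0 or k > 4:
        raise ValueError("unsupported length")
    return int.from_bytes(buf[i + 1:i + 1 + k], "big"), i + 1 + k


def _read_int(buf, i):
    if buf[i] != 0x02:
        raise ValueError("not an INTEGER")
    ln, j = _read_len(buf, i + 1)
    if ln == 0 or j + ln > len(buf):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(buf[j:j + ln], "big"), j + ln


def parse_rsa_private_key(buf, off):
    """Parse an RSAPrivateKey at buf[off:]; raises ValueError/IndexError if not one."""
    if buf[off] != 0x30:
        raise ValueError("not a SEQUENCE")
    ln, i = _read_len(buf, off + 1)
    end = i + ln
    if end > len(buf):
        raise ValueError("truncated")
    fields = []
    for _ in range(9):
        v, i = _read_int(buf, i)
        fields.append(v)
    if i != end or fields[0] != 0:
        raise ValueError("not RSAPrivateKey v0")
    return fields[1:]            # n, e, d, p, q, dp, dq, qinv


def find_rsa_keys(image):
    """Scan every offset; keep a candidate only if the RSA arithmetic holds,
    which separates real keys from byte patterns that merely parse."""
    found = []
    for off in range(len(image)):
        if image[off] != 0x30:
            continue
        try:
            n, e, d, p, q, dp, dq, qinv = parse_rsa_private_key(image, off)
        except (ValueError, IndexError):
            continue
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        if p * q == n and (e * d) % lam == 1:
            found.append({"offset": off, "n": n, "p": p, "q": q, "d": d})
    return found


if __name__ == "__main__":
    image, where = build_memory_image()
    for k in find_rsa_keys(image):
        print("key at offset %d (planted at %d): p=%d q=%d" % (k["offset"], where, k["p"], k["q"]))
```

The arithmetic check is what makes this usable on real dumps: DER-looking byte runs are common, but p·q = n will not hold by accident. The same check also recovers a key when only p, q and n survive, which is why defences have to keep every copy of the key material (and the intermediate values) out of memory that can be disclosed, not just the encoded key.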
Posted by SamRas. Tags: learnt, app-security-cop, lesson-learned, lesson
Insecure characters are the ones that can be used to introduce vulnerabilities such as cross-site scripting and SQL injection.