Welcome to the Application Security Community of Practice. Our mission is to openly share resources and expertise in the domain of application security in order to enhance the overall knowledge and capabilities of the community.
Tag your tweets #ibmsecurity | Take me to videos and pictures tagged #ibmsecurityl
Darrel Rader 270002AASK Tags:  appscan course rational training news wbt security 2 Comments 4,891 Views
If you're interested in learning about AppScan and Policy Tester, click on the link below to take a free Web-based training course. If you have comments about this class, please come back and share your thoughts.
Here is the URL for this bookmark: http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=page&c=N393208U51330A24
One of the new capabilities in AppScan Standard 8.5 is something called Glass box testing. One of the limitations of traditional dynamic analysis is that the scanner is completely unaware of the inner workings of the application under test. Glass box testing addresses this limitation by leveraging a server-side agent which gathers information at runtime and sends it back to the black-box scanner.
Ory Segal discusses this new capability in detail and how it works in his blog.
SusannUlrich 120000EXRT Tags:  was_6.1 appscan-source security pl/sql appscan cobol t-sql 4,296 Views
What's New in IBM Rational AppScan Source Edition Version 8.0 Fix Pack 1:
The Fix Pack can be downloaded from Fix Central
Darrel Rader 270002AASK Tags:  tutorial article podcast news success-story app-security-cop workshop whitepaper course webcast application-security appsec demo announcement lesson-learned cop-news event presentation security 1 Comment 4,190 Views
This is a test blog entry. It has been tagged with multiple tags just to get our feeds started.
Darrel Rader 270002AASK Tags:  security communities-of-practice growth rational app-security-cop 1 Comment 3,291 Views
This is my first real blog entry in this community of practice. I say community ... right now, its pretty empty and not very exciting. It's like we've just built a house and we're not quite moved in yet. As we all know, just like a house is not a home, this community space is only a space. It's the people that make a community of practice work.
My experience with building communities of practice over the last several years indicates that you need 2 types of members (actually, you can break this down further ... but let's keep it simple for now)
Here is a whiteboard diagram that we use to show how this all works.
As you can see from the diagram, the more members we have in our network, the more collective knowledge we build and the more value we collectively create.
Did you know that there are over 330K people that are part of the My DeveloperWorks world??? ... and that number is growing at a rate of about 1000 new members a day. So my question is how many of you (330K+ people) are passionate about or interested in the domain of application security. If you are interested in being part of the group that cares and feeds for this community, please let us know by adding a comment here to this blog. If you just want to learn from others, please join us. Also, please help us spread the word.
To learn more about our community, click here.
One last thing .... Please be patient with us as we get this started ... we still need to touch up some areas. If you don't see something of value ... please wait a week or 2 and come back.
For my security concentration last semester I took an interesting course on the principles of Cryptography. My proffesor, Dr. Shouhuai Xu is a huge crypto enthusiast and has published many articles and papers on his experiments that I have found very interesting. This particular paper discusses memory disclosure attacks and how easy it is to aquire private keys from
allocated as well as unallocated space in memory. Cryptography is based on the assumption that the key should be kept secret and in this paper he explains how the "secret" keys of OpenSSH and Apache servers are easily compromised through data recovery in memory. Really cool stuff, a worthy read.
Cryptography has become an indispensable mechanism for securing systems, communications and applications. While offering strong protection, cryptography makes the assumption that cryptographic keys are kept absolutely secret. In general this assumption is very difficult to guarantee in real life because computers may be compromised relatively easily. In this paper we investigate a class of attacks, which exploit memory disclosure vulnerabilities to expose cryptographic keys. We demonstrate that the threat is real by formulating an attack that exposed the private key of an OpenSSH server within 1 minute, and exposed the private key of an Apache HTTP server within 5 minutes. We propose a set of techniques to address such attacks. Experimental results show that our techniques are efficient (i.e., imposing no
performance penalty) and effective — unless a large portion of allocated memory is disclosed.
Protecting Cryptographic Keys From Memory Disclosure Attacks
SusannUlrich 120000EXRT Tags:  appscan-standard appscan-source appscan-enterprise rational appscan 3,271 Views
AppScan 8.5 was officially released on November 15th. This includes updates to AppScan Enterprise, AppScan Standard and AppScan Source editions.
Rational AppScan Standard Edition V8.5 includes the following enhancements:
Rational AppScan Enterprise Edition V8.5 includes the following enhancements:
Rational AppScan Source Edition V8.5 includes the following enhancements:
My first entry here, so I thought I would keep things short and simple ...
I frequently get asked what reference materials I suggest to learn more about application security. The answer to almost everything is of course, "It depends." In fact, it depends upon the role of the person asking. It depends on whether they want an executive overview or a granular examination of the vulnerabilities, attacks and mitigation. It depends upon whether they hope to use the material as a guide or as a reference. Below are some of the materials that stand out in my collection. (I give references to Amazon where applicable only because of their popularity - not as an official endorsement.)
For the developer wanting to learn about software security:
I know I'm going to get flack for this recommendation, but for an introduction to Web Application Security, I still like the old classic (soon to be updated in a third edition):
For the more experienced security penetration tester to think more creatively, I've recently very much enjoyed:
In terms of application security reference guides, I continue to believe that OWASP provides some of the most comprehensive guides on the market:
Finally, as I work for IBM and participate in various publications for both product and policy, I can not help but suggest some of the freely available recommended Red Guides:
If you are involved in Enterprise Application Security implementation, I strongly suggest hat final reference to the IBM Secure Engineering Framework (SEF). It outlines the best practices that we both internally deploy and externally suggest based on a decades of software design, development and delivery. Rather than making the assumption that all software development is green field work, it recognizes that most of our software and application projects are built from legacy systems that are not easily re-factored.
SusannUlrich 120000EXRT Tags:  application-security dynamic-analysis security static-analysis glassbox appscan 2,941 Views
Back in December I posted about a new and innovative scanning approach, Glassbox testing, that is provided by the new release of AppScan.
The two primary approaches for application security testing are Black Box (or dynamic testing) and White Box (or static testing). Think of Black Box Testing as a “hacker in a box”. With this technique the scanner analyzes a web application and identifies the vulnerabilities. This approach has a number of advantages including:
But it also has some limitations such as:
Because of the limitations many organizations also execute what’s known as white-box testing where the scanner runs against the source code of the application under test. This approach has the following benefits:
But it too has some limitations which include:
A brand new white-paper has just been published which explains in more detail this new and innovative approach to application security testing. Download the Whitepaper Here
Darrel Rader 270002AASK Tags:  rational quickview application-security about-us security app-security-cop 2,809 Views
Darrel Rader 270002AASK Tags:  security webcast application-security app-security-cop appsec 2,696 Views
The proliferation of malware designed to infiltrate computer systems without the owners informed consent has become one of the most challening security issues facing users today. But who owns this problem? Is it consumer who visits a Web site that is unknowingly hosting embedded malware, or is it the responsibility of the Web site owner to better protect its visitors against these types of attacks?
Join IBM for a one-hour web presentation where we will discuss this issue and introduce new technique that combine IBM Rational AppScan & ISS technologies to scan to identify unwanted, embedded malware. We will include background material about deep scanning and malware identification, and suggest ways Malware Scanning can help protect organizations -- and your visitors -- from this growing concern.
Here is the URL for this bookmark: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=dw-c-wcsdpr&S_PKG=071609
Over the past two decades, there has been a significant proliferation of computer software. This has allowed the organization to become more efficient and streamlined, eliminating the reliance on paper based processes and the need for phone based information and support. Over the last decade, this software shift has continued to evolve towards web based applications. This most recent shift has further increased organizational value and reduced costs by enabling the end consumer to be self sufficient. However, with this explosion of computer software has come both complexity and security concerns.
While software proliferation and complexity has been explosively driven by business need and market demands, security testing has not kept pace. A relatively small group of individuals, usually found within the IT organization, has voiced their concerns and attempted to implement controls to assess the risk or lack of security within the software. Over the past decades we have seen the shift in security testing. Let’s consider the stages of automated security testing and the value the organization receives in deployment, development and design.
The first types of software security testing looked at the deployment of the software. Underlying all software, web based or not, was an underlying infrastructure that supported the deployment. Security assessment technology first gave rise to the tools that addressed the need for patch management and remediation. There has been a specific trend from negative based deployment assessment tools (looking for missing patches and poor configurations) to positive based assessment tools (ensuring the compliance of the infrastructure by enforcing defined policy). Open source tools such as Nessus have provided value to the organization by looking at the underlying infrastructure and reporting on security deficiencies.
When applied directly to web based applications, security assessment tools such as IBM Rational AppScan became an important part of the organizational security landscape by performing security assessments on web applications in deployment or immediately prior to deployment. Over the past 10 years, this type of security assessment has brought, and continues to bring, tremendous value to the industry by shining a light on one of the weakest links in the defenses of the organization. It highlights the fact that most web applications contain critical vulnerabilities and the need for more and better software security education and awareness.
These first security tools, which required a running application, also focused a light on another need – to address security earlier in the software development lifecycle (SDLC). Many, if not most of the issues being reported, were vulnerabilities introduced during development. By finding and remediating these issues earlier in the SDLC, research has proven that this could lead to as much as a 100X reduction in operational cost.
While security assessments have evolved from deployment to development, this has occurred on several different fronts. Firstly, there has been an evolution towards introducing security tools to a group of people whose primary concern is building and testing software – development. This introduction has required the security industry to face two changes: security tools must not require an expert in the field to run them, and they must communicate in the language of their user. Over the past five years, this evolution in security assessment tools has become very evident. It is a trend that has expanded the number of potential resources the organization has to address the application security risk.
Secondly, automated security assessment tools could not continue to wait for a running application in order to perform the assessment. While a running application could emerge well before deployment, the industry recognized that performing assessment on the source code itself could allow for much earlier detection of vulnerabilities. The past five years have also given rise to source code analysis tools such as IBM Rational AppScan Source Edition. While there might be the mistaken notion that source code analysis tools have superseded the traditional dynamic analysis tools, the reality is that these tools are very much complimentary. While this paper is not intended to cover the strengths and weaknesses of each approach, this industry shift has brought increased value by delivering broader vulnerability coverage and bringing the development teams directly to the line of code where the vulnerability can be found.
Thirdly and lastly, we have seen another shift in the development space. In the past two to three years, application security assessment tools have become a seamless part of the SDLC process. The value this trend brings to the industry is not to be underestimated. Development teams need to be focused on development. To the extent that security tools impede this effort or distract the development teams, is the extent that it will increase organization costs and cause pushback by those that it is intended to help. With the introduction of purpose-built automated tools such as IBM Rational AppScan Build Edition, these security assessments can be performed during the development cycle in a completely seamless fashion – from the running of the security assessment, to the pushing the defect into the defect tracking system, to the re-analysis of the security issue during the next development cycle.
These three trends have been growing in momentum over the past five years until almost all enterprise organizations with an in-sourced or outsourced software development group have introduced some level of security automation during development. This momentum continues to ripple out to the medium and small business world as they recognize the need for security in deployment and development. These security tools have done an exceptional job at detecting implementation and deployment issues and continue to improve over time. However, there continues to be a deficiency in the software production space in one last area – design.
An entire class of issues have continued to exist that have not been addressed by existing security tools. These issues have to do with the design of the application and have been referred to as business level or logical security issues. As a simple example of a design level security issue, the application that allows you to reset your password by providing your username and email address is easily compromised. The traditional response to design level security issues is that automated tools are not sufficient to address these problems. I submit to you that there are multiple technologies that can aid in this third and final area of security problems, and that bring significant value to the organization.
Let’s begin with the very simply concept of prioritization or something known as the predictive threat index (PTI). Knowing that resources are limited within the organization and that not all applications represent an identical level of risk, it is important to introduce a very simple way to scale the relative risk. This can be done with a very simple 5 question survey that anyone is able to complete asking very basic questions:
Next in the design phase comes the concept of threat modeling. This concept derives from the need to delineate the specific threats that an application will face, and correlate the relevant countermeasures to each threat. The use of Rational Method Composer or free tools in the development space allows these models to be created and then reused for similar projects. Value is derived at the enterprise level in the explicit threat definition by allowing the testing teams to test specifically for these threats.
Threat modeling naturally leads to an often missed aspect of secure design – security requirements. Many software projects begin with an almost humorous requirement of, “the software must be secure.” What does this mean? How does one test for this? How does one automate the testing of this requirement? The use of tools such as Rational Requisite Pro allow the team to explicitly define security requirements in the areas of great concern – input validation, authentication, authorization, encoding, error handling, logging, etc. These requirements management tools often allow the use of templates so that the wheel need not be invented each time a project is begun, but that the design teams can quickly choose the areas that are most relevant and attach these requirements for the development teams. However, security requirements fundamentally address an area we have talked of earlier – logical security flaws. By introducing security requirements in the business logic (often stemming from the Threat Modeling), we now have specific issues to test for outside of the implementation vulnerabilities.
As many of the implementation security requirements are similar, the reuse of architectural and component level assets again becomes an essential piece of the design phase – elevating once more the need for an asset management system. The value of the Asset Management system cannot be underestimated for the enterprise. It brings efficiency to the organization by allowing them to focus on the areas where the development team could not use a proven secure architecture or component when it comes time for automated testing or code review. We have seen significant improvements to the security of software by the simple introduction of validation into some of the more common development frameworks such as .NET and Java Struts. To the extent that these secure APIs can be introduced into the common development frameworks, we will see tremendous improvement in the security of new applications being designed, developed and deployed.
Secure design will be the space in which the software community will need to move over the next three to five years. This will require collaborative enterprise environments that do not put together many different silos of technology that are unable to communicate without customization, but an application lifecycle management system that seamlessly moves the software from design, through development and into deployment – understanding and communicating the aspect of security and risk along the pathway. Only then will we deliver the high quality, compliant and secure applications that our clients demand.
In this second demo video I basically show a brief overview of the Rational Security Community of Practices Group and why it is beneficial to join it. Its a really neat group and if you are into security you should definitely check it out and join.
**I Updated the video to reflect the new group layout ! **
Web application security issues continue to be a top priority. The only real solution is to build security into Web applications from the start. Secure coding practices and developer security tools help to preempt these issues through early discovery. IBM® Rational® AppScan® Source Edition integrates Web application security testing into development, and Web-based education tools help non-security experts find, understand, and fix security issues. This workshop show you how to use the IBM Rational AppScan family in various stages of the development lifecycle to achieve these goals.
Here is the URL for this bookmark: http://www.ibm.com/developerworks/offers/techbriefings/details/hacking2.html?S_TACT=107A727W&S_CMP=TCHBRF#download
Darrel Rader 270002AASK Tags:  webcast security application-security app-security-cop 2,505 Views
Join us for a one-hour Web seminar where members of our security research team will discuss these techniques, highlight how their approaches to vulnerability detection compliment one another and share best practices for embedding application security testing across the software development lifecycle.
Here is the URL for this bookmark: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=dw-c-wcsdpr&S_PKG=110609