I'm happy to announce that we have just published a new article regarding the new function AppScan Standard integrated with Application Security on Cloud.AppScan Standard 22.214.171.124 can integrate with Application Security on Cloud (ASoC). It is now possible to upload scans and templates (SCAN or SCANT files) to Application Security on Cloud to run scans.This article will introduce how to configure and run a scan in AppScan Standard to Application Security on Cloud.
Short URL for this post: http
IBM provides advance notification of End Of Support (EOS) dates allowing customers reasonable time to complete software upgrades or to refresh appliance products. To view upcoming EOS dates by product segment, click a link in the list below.
View all IBM Software EOS announcements for 2017 and 2018.
Q: What are the major Support Lifecycle milestones?
A: The major Support Lifecycle milestones are:
Q: How do you determine if your installed software is still supported?
A: Search by product name or keyword using the Supp
Q: What happens when EOS is announced?
A: Often, there is a newer version of the software available for download. In most cases, you’ll have sufficient time to plan for and install the latest version. For more information on the lifecycle stages, including EOS, view this short YouTube video on the IBM
Q: What is the standard version format for IBM Software products?
A: The full product version is expressed by a four-digit code known as the IBM Version, Release, Modification and Fix Level structure, or VRMF. View this Technote for additional information and description of each element. You may also find this Glossary of product support and maintenance terms helpful.
Q: Where can you view additional details on product updates or replacement information?
A: Using the Support Lifecycle Search, search for your product, select View for details and click the EOS announcement link to view Repl
Q: What are your options if you are unable to upgrade or refresh your current products before EOS?
A: You can request a Support Extension. Support Extensions are available for Customers who are unable to migrate to a supported version, release or appliance platform prior to EOS. For more information, visit the IBM
Q: How do you stay connected for future product announcements?
A: There are several ways to receive product announcements:
Q: How can you connect with IBM Security on social media?
Q: Where can you find more information on IBM Support policies?
A: You can view and download the IBM
The IBM Support Lifecycle Policy sets forth the minimum length of time IBM will provide security content and technical support for a product version and release. Click the applicable product segment link below to view the Support Lifecycle Policy.
Securing applications – whether on the Web, on mobile, or on desktop – is more important than ever. But many developers aren’t experts in security, and most existing security testing tools aren’t made for non-experts to use. IBM Security is lowering the barriers to application security testing with its new cloud-based security analysis services.
One of those services, IBM Static Analyzer, provides a simple way to scan your application code for security vulnerabilities and is now avai
Static Application Security Testing
Static Application Security Testing, or SAST, refers to security testing that is performed without actually executing the target application. Instead, the application’s source code or binaries are analyzed to look for potential vulnerabilities, such as the use of unsafe APIs or failure to properly validate untrusted data. Static analysis is a powerful testing technique because it directly identifies the underlying causes of vulnerabilities, without actually having to exploit them in the running application. IBM recommends combining SAST with Dynamic Application Security Testing (DAST) or Interactive Application Security Testing (IAST), to maximize the effectiveness of your testing. This blog focuses solely on SAST.
Making SAST simple
Traditionally, SAST has largely been the domain of security experts, and static analysis tools have reflected that reality. Static Analyzer marks a new approach to SAST, with a focus on making things easy.
Because Static Analyzer runs on the cloud, there’s no need for dedicated hardware and no complicated installation or configuration. Static Analyzer also simplifies the entire application testing process, from preparing the application for analysis to understanding and evaluating your results. Static Analyzer is designed to get out of the way, fitting in with the development tools you already use, and to present you with only the most relevant, actionable results.
One significant challenge with traditional SAST tools is the volume of results they produce. Many of the “issues” they find don’t actually represent exploitable vulnerabilities when the application is running in the real world. It takes time, security expertise, and knowledge of the application to figure out which of those issues need fixing, and which simply represent false positives. Static Analyzer includes a new technology called Intelligent Finding Analytics, or IFA, which combs through the results and applies machine learning to identify the findings that are most likely to represent real, actionable security issues, delivering only these most valuable results directly to developers.
Prepare, test, fix
Using Static Analyzer to secure an application involves three simple steps: Prepare, test, and fix.
To prepare your application for analysis, you need to create an intermediate representation of it, which we call an IRX file. This representation is neither the full source nor binary form of the application, but contains the information about method calls and data flow that’s required by the analysis engine to perform SAST in the cloud. It is also strongly encrypted to protect your application.
To create an IRX file, you’ll use the Static Analyzer Client Utility, which you can download the first time you use the Static Analyzer service. This lightweight utility integrates into your Maven build, Eclipse workspace, or other environments (via a command-line tool) to prepare Java applications for analysis. It automatically discovers built artifacts and creates the IRX with minimal configuration – often none at all.
Testing is as simple as dragging and dropping the IRX file into the Static Analyzer Web interface to begin the analysis. When the analysis is complete, a report is generated, listing all of the actionable issues that are discovered.
For each issue, the report includes a trace showing the vulnerable path through the application and describes the nature of the vulnerability and how to fix it. It even groups together related issues with a common fix, and suggests where that fix should go.
All of this information makes it easier for developers to understand and fix the issues identified in their applications.
Try Static Analyzer beta today
Static Analyzer is available now as a free beta on Bluemix. Currently, it supports scanning Java applications, and the Client Utility runs on Windows and Linux, with additional language and platform support to come. You can see
I'm happy to announce that we have just published a new how-
The IBM Security Ethical Hacking Team has put together a video series that demonstrates attacks from each category from OWASP’s Top 10 list. Each video includes information on how to prevent these attacks and how to use automated tools to test whether attacks are possible. These videos were initially intended for IBM internal use but have now recently been made publicly available.
You can watch all 10 videos at:
To learn more about the OWASP 10 most common application attacks and how to defend against them, register for our upcoming webinar: Avoiding Application Attacks — A Guide to Preventing the OWASP Top 10 from Happening to You.
Comment (1) Visits (4420)
Leyla Aravopoulos, Kenneth Cheung, and William Frontiero have just published a new how-to guide that shows how to use the application import feature of AppScan Source to import a deployed application's binaries into AppScan Source for static analysis. This approach avoids the typical pitfalls of static web application scanning associated with compilation features, missing libraries, etc., while improving application coverage. This how to guide will be of interest to anyone anyone who has faced challenges with traditional configuration of Static Analysis tools.
Eitan Worcel and Jonathan Cohen have released a ne
Saravana Kumar and Ashok Angadi have just published a new how-
The scan report produced by AppScan Mobile Analyzer contains a summary of the issues, classified according to the security threat level. It also provides a detailed description of the issue and recommends fixes. In addition, it displays the OWASP Top 10 threat list and indicates where the identified security vulnerability issue falls in that list.
Wei Wei Zhang, Cheng-Yu Yu and Jia Li Chen have just published a new
IBM Security AppScan Enterprise(ASE) can integrate with the IBM Rational Team Concert(RTC) for defect tracking. This article will introduce how to configure ASE with RTC, how to solve the connection problem with RTC and the problem occurred during reporting the defect from ASE to RTC.
Static analysis of source code sounds so easy at first, you load up your source code into a tool and let it crunch on the code and find the security issues. How hard could it be? Well, it turns out there's an art to wringing out the security issues from your source code. Enter Alexei Pivkine. He's just published "IBM
With so many companies deploying web services for B2B integrations and making information available to third party apps, it's more important than ever for companies to thoroughly and exhaustively test their web services for security issues. So Nilesh Ashok Panhale's new white paper "How
In this white paper, I will demonstrate how you can use AppScan's Generic Service Client (GSC) (also called 'web service explorer') effectively to explore the application's web service methods and scan the application's web service with AppScan by loading the explored content into an AppScan scan. For this exercise, we will consider SOAP web service.
The GSC provides a graphical user interface to display a web service's methods to send requests to the web service. You can specify the parameters used to invoke the methods and you can analyze the results. You can add the exploration results from the GSC into an AppScan's Explore Data.
I will help you get familiar with all options of the GSC. I have tried to keep the the documentation as compact as possible to avoid it being overly technical and difficult to follow.
Guang Dong Li, Cheng-Yu Yu, and Jia Li Chen have just published "Int
IBM Security AppScan Enterprise Edition (AppScan) offers advanced application security testing and risk management with a platform that drives governance, collaboration, and security intelligence throughout the application life cycle. While configuring and running scans using AppScan, novice security testers might encounter problems such as improper scan coverage, excessive scan times, failed or suspended scans, communication errors, and so on. The practices described in this white paper will help security testers configure and run more successful scans with IBM Security AppScan Enterprise Edition.
IBM has published a vi
This video will inspire you to do a better job managing your application security scanning.
You might also be interested in.....
Appscan provides full coverage of the OWASP Top 10 for 2013. This solution also includes support for industry-standard Transport Layer Security (TLS) protocol 1.2, and is compliant with Federal Information Publication Standard (FIPS) 140-2 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.
Download a trial version of AppScan Standard.