TonyTownsend_UVa, 6 Posts

Pinned topic Heartbleed Checking

2014-04-10T15:50:22Z

Hi -

 

When can we expect a version of Security App Scan Standard that will check web apps and services for the recently-disclosed Heartbleed vulnerability in OpenSSL?

 

Thanks,

Tony Townsend

University of Virginia

Updated on 2014-04-10T15:51:15Z by TonyTownsend_UVa
  • warrenm1, 224 Posts

    Re: Heartbleed Checking

    2014-04-10T15:58:14Z

    The AppScan security team is currently researching how AppScan might be used to check for this and, if possible, a test will be added. Initial analysis shows the scope of the changes needed may go beyond what can be added by a simple rules update, so it may require an iFix/Fixpack to implement. No ETA yet.

     

    Regards,

     

  • TonyTownsend_UVa, 6 Posts

    Re: Heartbleed Checking

    2014-04-10T16:04:14Z

    Thanks for the quick reply - glad to know you're working on it.

     

    Tony

  • warrenm1, 224 Posts

    Re: Heartbleed Checking

    2014-04-22T16:16:05Z
    Quoting TonyTownsend_UVa (2014-04-10T16:04:14Z):

    Thanks for the quick reply - glad to know you're working on it.

     

    Tony

    FYI, the following extension was released for AppScan Standard 9.0 to test for Heartbleed. A more formal fix is in the works for a future Fixpack/iFix.

    http://www-01.ibm.com/support/docview.wss?uid=swg21670871

  • TonyTownsend_UVa, 6 Posts

    Re: Heartbleed Checking

    2014-04-22T18:28:50Z
    Quoting warrenm1 (2014-04-22T16:16:05Z):

    FYI, the following extension was released for AppScan Standard 9.0 to test for Heartbleed. A more formal fix is in the works for a future Fixpack/iFix.

    http://www-01.ibm.com/support/docview.wss?uid=swg21670871

    Very nice- many thanks.

  • Gpro76, 2 Posts

    Re: Heartbleed Checking

    2014-04-23T15:34:33Z
    Quoting warrenm1 (2014-04-22T16:16:05Z):

    FYI, the following extension was released for AppScan Standard 9.0 to test for Heartbleed. A more formal fix is in the works for a future Fixpack/iFix.

    http://www-01.ibm.com/support/docview.wss?uid=swg21670871

    Is there a way to apply this on AppScan Enterprise?

  • MarekStepien, 85 Posts

    Re: Heartbleed Checking

    2014-04-23T17:11:59Z
    Quoting Gpro76 (2014-04-23T15:34:33Z):

    Is there a way to apply this on AppScan Enterprise?

    No, the extension (to test Heartbleed) is for AppScan Standard only. A formal fix for AppScan Enterprise (and AppScan Standard as well) is in the works.

    Updated on 2014-04-23T17:14:13Z by MarekStepien
  • Praxis, 6 Posts

    Re: Heartbleed Checking

    2014-05-13T13:39:50Z
    Quoting MarekStepien (2014-04-23T17:11:59Z):

    No, the extension (to test Heartbleed) is for AppScan Standard only. A formal fix for AppScan Enterprise (and AppScan Standard as well) is in the works.

    Running AppScan v9.0.0.0 iFix001.

    The Heartbleed test is a false positive; I am constantly getting the issue displayed in the results for websites that are not vulnerable??

    I can't be the only one seeing this?

  • warrenm1, 224 Posts

    Re: Heartbleed Checking

    2014-05-14T18:51:58Z
    Quoting Praxis (2014-05-13T13:39:50Z):

    Running AppScan v9.0.0.0 iFix001.

    The Heartbleed test is a false positive; I am constantly getting the issue displayed in the results for websites that are not vulnerable??

    I can't be the only one seeing this?

    As with any potential false positive or false negative, you will need to have support investigate and confirm: open a PMR and send them the scan file and the Extended Support logs from re-testing this item. If it is validated, they can log a defect or identify whether there is a configuration problem in your scan.

     

    Regards,
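As an added illustration of what a Heartbleed check actually has to decide (this is not the AppScan extension's code and not from anyone in this thread): the probe is a TLS heartbeat request that declares a payload length larger than the bytes it carries, and the only evidence of the bug is a heartbeat response that claims (and returns) more payload than was sent. A server that merely answers a heartbeat, or rejects it with an alert, or stays silent, is not leaking memory, and a scanner that reports any heartbeat response as the vulnerability will produce the kind of false positive discussed above. The TLS version, the sample responses and the verdict names are assumptions; the ClientHello/ServerHello exchange that negotiates the heartbeat extension before the probe is omitted.

```python
import struct

# TLS record-layer content types (RFC 5246) and heartbeat message types (RFC 6520)
CT_ALERT = 21
CT_HEARTBEAT = 24
HB_REQUEST = 1
HB_RESPONSE = 2
TLS_1_1 = b"\x03\x02"  # assumption: the version negotiated in the (omitted) handshake


def make_record(content_type, body, version=TLS_1_1):
    """Wrap body in a TLS record header: type(1) version(2) length(2) body."""
    return struct.pack("!B2sH", content_type, version, len(body)) + body


def make_heartbeat(hb_type, declared_len, payload):
    """Build a heartbeat record: type(1) payload_length(2) payload+padding.
    declared_len is written independently of len(payload) so the malformed
    request, and a constructed leaking response, can be built deliberately."""
    return make_record(CT_HEARTBEAT, struct.pack("!BH", hb_type, declared_len) + payload)


def build_probe(payload=b"\x01\x02\x03", claimed_len=0x4000):
    """The Heartbleed probe: a heartbeat request declaring far more payload
    than it carries. A server with the RFC 6520 length check drops it
    silently; an unpatched OpenSSL 1.0.1 copies claimed_len bytes of heap."""
    return make_heartbeat(HB_REQUEST, claimed_len, payload)


def parse_records(data):
    """Split raw bytes into (content_type, version, body) records; a
    truncated trailing record is ignored rather than guessed at."""
    records, i = [], 0
    while i + 5 <= len(data):
        ct, ver, length = struct.unpack("!B2sH", data[i:i + 5])
        body = data[i + 5:i + 5 + length]
        if len(body) < length:
            break
        records.append((ct, ver, body))
        i += 5 + length
    return records


def classify(response, sent_payload):
    """Classify what came back after build_probe(sent_payload) was sent.
    Returns (verdict, leaked_bytes). Only a heartbeat response that claims
    more payload than we sent is 'vulnerable'; a server that merely answers
    a heartbeat is 'heartbeat_ok' and must not be reported as Heartbleed."""
    if not response:
        return "no_response", b""          # patched servers drop the bad request
    records = parse_records(response)
    if any(ct == CT_ALERT for ct, _v, _b in records):
        return "alert", b""                # heartbeat rejected outright
    # A long response is fragmented across records; reassemble before parsing.
    hb_data = b"".join(body for ct, _v, body in records if ct == CT_HEARTBEAT)
    if len(hb_data) < 3:
        return "unknown", b""
    hb_type, declared = struct.unpack("!BH", hb_data[:3])
    if hb_type != HB_RESPONSE:
        return "unknown", b""
    echoed = hb_data[3:]
    if declared > len(sent_payload) and len(echoed) >= declared:
        return "vulnerable", echoed[len(sent_payload):declared]
    return "heartbeat_ok", b""


# Constructed sample responses (not captured from any real host).
SENT = b"\x01\x02\x03"
LEAKING = make_heartbeat(HB_RESPONSE, 0x4000, SENT + b"\x41" * (0x4000 - 3) + b"\x00" * 16)
CORRECT = make_heartbeat(HB_RESPONSE, 3, SENT + b"\x00" * 16)   # echoes only our bytes
REJECTED = make_record(CT_ALERT, b"\x02\x0a")                   # fatal unexpected_message

if __name__ == "__main__":
    for name, resp in [("leaking", LEAKING), ("correct", CORRECT),
                       ("rejected", REJECTED), ("silent", b"")]:
        verdict, leaked = classify(resp, SENT)
        print(f"{name:9s} -> {verdict} ({len(leaked)} leaked bytes)")
```

The decision rule is deliberately narrow: the verdict hinges on the declared payload length in the response exceeding the length of the payload sent, which is exactly the bounds check the fixed OpenSSL adds. Treating `heartbeat_ok` as a finding is how a checker turns "this server supports the heartbeat extension" into a spurious Heartbleed report.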