Forum for those Learning about Leading IBM Application Security Tricks, Scripts and Tools and Kits for AppScan Source for Analysis ...Customizing, Integrating, Sniffing, Snooping and Hijacking your way to joy.
The AppScan Appliance – Proof Of Concept Architecture and Application Security Process
Following some great feedback I received on my previous post regarding the concept of an AppScan Security Appliance, How The Mainframe Can Transform Application Security, I want to further define a potential high-level architecture along with a set of processes for integration into the application development life cycle. The goal is to start down the path towards a Proof Of Concept, including a prototype, in order to demonstrate what I believe will be a very powerful mechanism for shifting away from the proven-not-to-scale technologies and proven-not-to-work standalone security tools.
At the most fundamental level, the AppScan Appliance will enable an enterprise to implement application security in its development organization and across its existing application portfolio by alleviating the two most common and crushing obstacles:
→ Customization of the security tools to a specific application's use of web development frameworks (Struts, Spring, MVC, etc.) and to its set of server- and client-side technologies, in order to obtain a high degree of confidence in attack-surface coverage, data-flow visibility and functional modeling, which together yield accurate, complete and highly defensible results.
→ Integration of all the necessary security tool components directly into the developer's IDE of choice, providing all the information needed to locate, evaluate, fix and re-test a vulnerability, while minimizing the disruption (time, space, CPU, installations, processes, etc.) to the organization's development desktops, build and test environments and, crucially, planning and release schedules.
In order to accomplish this, the Appliance will serve several key functions:
→ Act as the central repository for all application security data, including source code, raw analysis data, attack profiles, risk ratings, mitigation controls, correlated results, etc.
→ Host the server portions of all relevant security, analysis and reporting software used by the in-house Security, Development and Management entities.
→ Allow IBM Security Services to perform a range of functions, from simple integration and deployment services to the complete management of static and dynamic scanning of an application portfolio, including results verification, correlation, remediation consultation, and training and mentoring of the development and security staff.
Some Key IBM Security Technologies to be incorporated into The Appliance:
AppScan Source, Standard and
→ Once configured, Source scans can be scheduled or event-triggered
→ Dynamic scans can be run internally, remotely or by a 3rd party
Ounce Continuous Integration Environment (OCI)
→ Complex rules for filtering and reporting, with plug-ins to popular CI tools
Secure Web Collaboration Portal (customized WebSphere Portal hosted internally)
→ Developers upload their source code, fix build / scanning errors and generate the IPVA
→ Build Management teams can integrate scanning clients into their existing build environment or integrate OCI with their Source Code Control System for full
→ Verification and correlation of results is done through tool-assisted manual review, automated testing and customized scripting.
→ Integration with existing Defect Tracking Systems, SIEM, Reporting or Analytics platforms allows each stakeholder to access the relevant data and tools for their role through the same web interface.
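As an added illustration of the "verification and correlation" and "defect tracking integration" functions above (example code written for this post, not IBM's or AppScan's own logic or export format): the script below takes findings from a static scanner and a dynamic scanner, matches them on a shared key of weakness class (CWE), normalized request path and parameter, grades each group's confidence (confirmed when both scanners agree, probable for runtime-only, unverified for source-only), and shapes the result for a defect tracker or SIEM feed. The `Finding` record layout and all sample findings are constructed for the example; real scanner exports would first be mapped into that shape.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
CONFIDENCE_RANK = {"confirmed": 0, "probable": 1, "unverified": 2}


@dataclass(frozen=True)
class Finding:
    """One raw result from either scanner (constructed shape, not a vendor format)."""
    origin: str     # "static" (source analysis) or "dynamic" (runtime scan)
    cwe: int        # weakness class, e.g. 89 = SQL injection, 79 = XSS
    path: str       # route handled by the code, or the URL that was attacked
    param: str      # tainted request parameter / sink input
    detail: str     # source location, or the request that triggered the finding
    severity: str = "medium"


def normalize_path(p: str) -> str:
    """Reduce a route or full URL to a comparable path: drop scheme, host and
    query string, trim trailing slashes, lowercase."""
    path = urlsplit(p).path.rstrip("/") or "/"
    return path.lower()


def correlation_key(f: Finding):
    return (f.cwe, normalize_path(f.path), f.param.lower())


@dataclass
class Correlated:
    cwe: int
    path: str
    param: str
    static: list = field(default_factory=list)
    dynamic: list = field(default_factory=list)

    @property
    def confidence(self) -> str:
        if self.static and self.dynamic:
            return "confirmed"    # reachable at runtime and traced to a sink in code
        if self.dynamic:
            return "probable"     # observed at runtime; no code location to fix yet
        return "unverified"       # static only: needs a test or manual review

    @property
    def severity(self) -> str:
        # Highest severity reported by either scanner wins.
        return max((f.severity for f in self.static + self.dynamic), key=SEVERITY_RANK.get)


def correlate(findings):
    """Group static and dynamic findings on (CWE, path, parameter) and order
    them so confirmed issues come first."""
    groups = {}
    for f in findings:
        k = correlation_key(f)
        g = groups.setdefault(k, Correlated(cwe=k[0], path=k[1], param=k[2]))
        (g.static if f.origin == "static" else g.dynamic).append(f)
    return sorted(groups.values(),
                  key=lambda g: (CONFIDENCE_RANK[g.confidence], g.cwe, g.path))


def to_ticket(c: Correlated) -> dict:
    """Shape a correlated result for a defect tracker or SIEM feed."""
    return {
        "title": f"CWE-{c.cwe} in {c.path} via '{c.param}'",
        "confidence": c.confidence,
        "severity": c.severity,
        "code_locations": [f.detail for f in c.static],
        "reproductions": [f.detail for f in c.dynamic],
    }


# Constructed sample findings for the example (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("static", 89, "/account/search", "q",
            "SearchDAO.java:42 concatenates 'q' into Statement.executeQuery", "high"),
    Finding("static", 79, "/profile/view", "name",
            "ProfileServlet.java:88 writes request parameter into the response"),
    Finding("static", 22, "/files/download", "file",
            "DownloadServlet.java:31 opens FileInputStream on user-supplied name", "high"),
    Finding("dynamic", 89, "https://app.example.com/account/search/?q=1'", "q",
            "GET /account/search?q=1' returned 500 with a SQL syntax error", "critical"),
    Finding("dynamic", 79, "https://app.example.com/profile/view", "Name",
            "GET /profile/view?Name=<script>1</script> reflected unencoded"),
    Finding("dynamic", 352, "https://app.example.com/account/update", "",
            "POST /account/update accepted without an anti-CSRF token"),
]


if __name__ == "__main__":
    for c in correlate(SAMPLE_FINDINGS):
        t = to_ticket(c)
        print(f"[{t['confidence']:10}] {t['severity']:8} {t['title']}")
```

The key choice is what to match on: a full URL from the dynamic scanner and a route from the static analyzer only line up after host, query string, trailing slash and parameter case are stripped, which is why `normalize_path` and the lowercased parameter exist. Everything left "unverified" is the queue for the tool-assisted manual review mentioned above, while "confirmed" items carry both a reproduction request and a code location and can go straight to a ticket.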
So I wonder what exactly the process for acquisition of a new school, fully loaded mainframe is these days?