With so much of daily life moving online, security has become more important than ever before. Until recently, 'hacking' worried only prominent websites handling large volumes of online business transactions. Nowadays, even users and owners of social networking sites (the CEO of Facebook was not spared either) can be victims of profile hacking.
Even an IT player as big as IBM felt the need to set up, almost overnight, a new business group dedicated solely to security.
Here is a look at some figures from reports that have been doing the rounds in the media on this topic:
"90% of sites are vulnerable to application attacks" (Watchfire®)
"78% of easily exploitable vulnerabilities affected Web applications" (Symantec™)
"80% of organizations will experience an application security incident by 2020" (Gartner)
Well, that's a lot of vulnerable web sites, isn't it?
Still, one may ask: why invest in testing now instead of just responding to an attack after it happens?
To answer this question, consider the negative impact a successful attack can have:
- Loss of customer confidence, and hence damage to your brand
- Disruption of your online revenue channels
- Related legal fees
- Unwanted media attention
Hence security is becoming an increasingly important parameter in software design, as applications are more and more often exposed over networks, and therefore to a wide variety of threats.
Not all of this vulnerability testing can be done manually, since there are far too many permutations and combinations by which an attack can happen.
In this scenario, the IBM® Rational® AppScan Enterprise tool is a real help. It is used for security assessment and can test a Web application or a Web service from a security perspective.
AppScan Enterprise Edition scans for vulnerabilities by traversing an application similarly to the way a user browses a Web site.
It starts from the home page or some other entry point, as defined by the user, and follows all of the links. Each page is analyzed and, based on the characteristics of the page, AppScan sends a number of tests.
The tests are sent in the form of HTTP requests. AppScan determines the presence of vulnerabilities based on the responses from the Web server. The application is treated as a black box, and AppScan communicates with it just like a browser does. Two consequences follow from this: anything the crawl cannot reach (for example, pages shown only after a login that the scan has not been given a way to perform) is not tested, and anything the server does not reveal in its responses cannot be detected.
AppScan has thousands of built-in tests and checks for hundreds of different types of vulnerabilities.
IBM® Rational® AppScan comes in several editions; to name the basic ones:
- Enterprise Edition: for Web application and Web services security testing
- Source Edition: scans the source code itself and recommends secure coding practices accordingly
- Build Edition: designed to find security holes while the code is being built or packaged, i.e. as part of the build process
Given the many dimensions involved in this type of testing, AppScan provides comprehensive reporting for the user's assessment. The report can be viewed in three different views, namely:
- Security Issues: lists all the issues found
- Remediation Tasks: lists the remediation steps that need to be taken
- Application Data: lists the test data used during the scan
It also has a 'Delta Analysis' feature, which compares two sets of scan results and highlights the differences in the security issues discovered (for example, issues fixed since the previous scan and issues newly introduced).
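To make the crawl-then-test loop described above and the Delta Analysis comparison concrete, here is an added example written for this page; it is not AppScan's code and does not use any AppScan API. The target site is a constructed toy application (`make_app`) with two knobs, `escape_html` and `validate_id`, standing in for fixes the developers might ship between two scans; the test library (`TESTS`) holds just two stand-in checks, a reflected-input probe and a database-error signature, where a real scanner has thousands. The scanner follows every `href` from the entry point, sends each test payload to each parameter it found, decides purely from the response body whether an issue is present, and then `delta` compares two result sets into new, fixed and unchanged issues.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# --- Constructed target application (stands in for the site under test) -----------------
def make_app(escape_html=False, validate_id=False):
    """Return a toy request handler: (path, params) -> (status, html_body).

    escape_html: whether user input is HTML-escaped before being echoed back.
    validate_id: whether /item rejects non-numeric ids instead of leaking a DB error.
    """
    def app(path, params):
        show = html.escape if escape_html else (lambda s: s)
        if path == "/":
            return 200, ('<a href="/search?q=shoes">Search</a> '
                         '<a href="/item?id=1">Item</a> <a href="/about">About</a>')
        if path == "/about":
            return 200, '<p>About us</p> <a href="/">Home</a>'
        if path == "/search":
            q = params.get("q", [""])[0]
            return 200, f"<p>Results for {show(q)}</p>"
        if path == "/item":
            item_id = params.get("id", [""])[0]
            if not item_id.isdigit():
                if validate_id:
                    return 400, "<p>Invalid id</p>"
                # Unvalidated build concatenates the id into SQL and echoes the DB error.
                return 500, f"<p>SQL syntax error near '{show(item_id)}'</p>"
            return 200, f"<p>Item {item_id}</p>"
        return 404, "<p>not found</p>"
    return app

# --- Black-box scanner: crawl, then send tests and judge from the responses ---------------
LINK_RE = re.compile(r'href="([^"]+)"')

def crawl(app, entry="/"):
    """Follow every href reachable from the entry point; return {path: set(param names)}."""
    found = {}
    queue = [entry]
    while queue:
        parts = urlsplit(queue.pop())
        params = set(parse_qs(parts.query))
        if parts.path in found:
            found[parts.path] |= params      # already visited: only record new parameter names
            continue
        found[parts.path] = params
        _status, body = app(parts.path, parse_qs(parts.query))
        queue.extend(LINK_RE.findall(body))  # same rule as a browser: go where the links point
    return found

XSS_PROBE = "<scanprobe>"   # unique marker; if it comes back verbatim, output is not encoded

# (test name, payload, detector over the response body): two stand-ins for a test library
TESTS = [
    ("Reflected XSS", XSS_PROBE, lambda body: XSS_PROBE in body),
    ("SQL error disclosure", "1'", lambda body: "SQL syntax error" in body),
]

def scan(app):
    """Run every test against every (path, parameter) the crawl found; return a set of findings."""
    findings = set()
    for path, params in crawl(app).items():
        for param in params:
            for name, payload, detector in TESTS:
                _status, body = app(path, {param: [payload]})
                if detector(body):
                    findings.add((name, path, param))
    return findings

def delta(before, after):
    """Compare two scan results the way a delta report does: new, fixed and unchanged issues."""
    return {"new": after - before, "fixed": before - after, "unchanged": before & after}

if __name__ == "__main__":
    first = scan(make_app())                   # baseline scan of the unfixed build
    second = scan(make_app(escape_html=True))  # developers fixed output encoding only
    for key, issues in delta(first, second).items():
        print(key, sorted(issues))
```

Running it shows the point of a delta report: after the output-encoding fix, both reflected-input findings move to "fixed", while the database error disclosure on `/item` stays in "unchanged", because escaping the echoed value does nothing about the error itself. A third scan with `validate_id=True` as well comes back clean.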
I was part of IBM Security Role and Policy Modeler 1.0 product development, and I am proud to say that AppScan really helped us make our product less vulnerable to such security threats.
To learn about the latest AppScan V8.5 and more, please visit: http://www-01.ibm.com/software/awdtools/appscan/
IBM Security Systems - India User Group