Automated vulnerability scanning of web applications with Rational AppScan

As global connections increase, so do security risks

According to the IBM® X-Force® 2011 Mid-year Trend and Risk Report, 2011 can be considered "The Year of the Security Breach" because of the unprecedented number of high-profile security breaches reported throughout the first half of 2011. A more interconnected, intelligent, and instrumented cyber-world of global scope and scale leads to increased risks and dangers, with more sophisticated and difficult-to-manage network security attacks on enterprises and infrastructures.

The report shows that 37% of all vulnerabilities disclosed during the first half of 2011 were web application vulnerabilities. Failure to secure web applications can result in massive losses, both financially and in application performance. Most web-based threats occur because of gaps in the source code that allow SQL injection, cross-site scripting (XSS), compromised session information, and so forth. Browser security is also easily circumvented if there is no strong quality assurance security enforcement. For an overview of the current application security landscape, you can download this report (see the link in Related topics).

The IBM® Rational® AppScan® range of products automates dynamic security testing of web vulnerabilities for web applications (web services, Web 2.0) and rich Internet applications (JavaScript, Ajax, and Adobe Flash). This dynamic security testing approach spans from development to testing by scanning applications, identifying vulnerabilities, and generating reports of gaps, with remediation recommendations before applications are deployed on the web.

Rational AppScan versions cater to small, medium, or large development groups, with a comprehensive range of choices:

  • Source Edition is geared to aid development teams, and it adds source code analysis to AppScan Enterprise with static application security testing (SAST).
  • Enterprise Edition is an enterprise-class solution for application security testing and risk management with governance, collaboration, and security intelligence.
  • AppScan Tester Edition is a dynamic application security testing (DAST) solution specifically designed to integrate application security testing into a QA environment with Rational Quality Manager.
  • Standard Edition is a desktop security testing tool designed to automate web vulnerability assessments. It performs both static and dynamic analysis of the vulnerabilities and provides corresponding fix recommendations.

In this article, we explore the capabilities of Rational AppScan Standard Edition, Version 8.5, for automated security and vulnerability testing of web and web service applications, including its regulatory compliance reporting.

To explore the capabilities of AppScan Standard Edition v8.5, you will use PlantsByWebSphere v8.0.0.1, Ajax Version, an application that is included as a sample with WebSphere Feature Pack for Web 2.0 and Mobile, Version 1.1.0. Figure 1 shows the initial screen.

Figure 1. Plants by WebSphere sample application: Gardens of Summer

Note:
For details about this sample application, see the link in the Related topics section.

PlantsByWebSphere is supplied by IBM with source code. The sample application is an ideal candidate for our security and vulnerability testing exercise, because it conforms to application programming interfaces (APIs) and is not engineered with robust security as a design requirement. IBM clearly documents the disclaimer statement in the source code that is delivered. This sample can be easily configured, and the steps explained in this article can be easily replicated when exploring AppScan capabilities.

Additionally, you will use the HelloWorld JAX-WS web service application shown in Figure 2, deployed to the IBM® WebSphere® Application Server v8.0.0.1 runtime, to further explore the capabilities of AppScan Standard Edition v8.5.

The HelloWorld JAX-WS application's business method, sayHello(), accepts a HelloReq object and returns a HelloResp, greeting the named individual with a personal greeting message. The HelloReq and HelloResp objects contain string attributes named name and response, respectively.

Figure 2. Enterprise application management view

Automated security and vulnerability testing of a web application

First, configure a comprehensive, full scan of your PlantsByWebSphere web application, using the Scan Configuration Wizard shown in Figure 3. Before setting up the scan profile to uncover the security vulnerabilities of this web application, make sure that WebSphere Application Server v8.0.0.1 is running and that the PlantsByWebSphere application is deployed to the runtime and running successfully, as shown in Figure 2 (the pbw-ear enterprise application shows a green arrow in the Application Status column).

  1. Launch Rational AppScan Standard Edition v8.5.
  2. Select File > New.

The New Scan dialog (Figure 3) offers wizard-based scanning from a variety of predefined templates.

Figure 3. Lists recent and predefined templates

For this sample, a Comprehensive scan is selected and, as Table 1 shows, this is set up for a web application at the given URL, automatic login (with required credentials), and a full scan.

  3. Launch the Scan Configuration Wizard and specify the options listed in Table 1.

Table 1. Scan configuration options, PlantsByWebSphere web application
Scan  Scan configuration option   Configuration specified
1     Predefined Template         Comprehensive scan
2     Type of Scan                Web application scan
3     Starting URL for Scan       http://localhost:9085/PlantsByWebSphere/orderdone.jsf
4     Login Method                Automatic
5     Login Credentials           User name: plants@plantsbywebsphere.ibm.com
                                  Password: plants
6     Test Policy                 Complete
7     Scan Start Method           Start a full automatic scan

Note:
The hostname, port number, and user credentials vary, depending on your installation and setup.

  4. Now, select the environmental setting definitions listed in Table 2.

Table 2. Environmental setting definitions, PlantsByWebSphere
Scan  Environmental setting definition        Setting definition specified
1     Operating System (of site being scanned) Windows
2     Web server                               IBM HTTP Server
3     Application Server (if any)              WebSphere
4     Type of Database (if any)                DB2
5     Third-Party Component (if any)           Not Defined
6     Location of Site                         Local
7     Type of Site                             Test
8     Deployment Method                        Internally
9     Collateral Damage Potential              Low-Medium
10    Target Distribution                      High
11    Confidentiality Requirement              Medium
12    Integrity Requirement                    Medium
13    Availability Requirement                 Medium

Figure 4 shows the environment definitions specified for scan configuration.

Figure 4. New Scan

This is a Microsoft Windows setup. The application is running on the WebSphere Application Server and using the DB2 default database.

  5. Allow AppScan to perform the comprehensive security and vulnerability testing scan.

As Figure 5 shows, allowing AppScan to complete the comprehensive security and vulnerability scan results in a set of security advisories: 54 issues in total, of which 12 are high, 2 are medium, 40 are low, and 0 are informational security issues.

Figure 5. Security issues, arranged by descending severity

The issues can be evaluated in three different views:

  • Security Issues
  • Remediation Tasks
  • Application Data

Notice that the advisories can be arranged by severity (ascending or descending) and that there is a dashboard for a chart-based representation of the vulnerabilities.

  6. Click the Report button on the AppScan desktop to generate a comprehensive report. Explore the various report templates provided in the AppScan application.

Multiple customizable report templates are available in the categories listed below:

  • Security report provides a list of problems found
  • Industry Standard report provides information about compliance or noncompliance of your application
  • Regulatory Compliance report addresses compliance with legal standards (see note)
  • Delta Analysis report contains the information that changed between individual scans. This report is useful for regression scans, because it uncovers the vulnerabilities that have been fixed, the vulnerabilities that have not been fixed, and the vulnerabilities that have been uncovered for the first time in a new scan.
  • Template-based reports, in which you use templates to define the data and the document formatting in Microsoft Word .doc styles.

Note:
The Regulatory Compliance report comes with about 40 compliance reports, including PCI Data Security Standard, Payment Application Data Security Standard (PA-DSS) [new], ISO 27001 and ISO 27002 [new], and Basel II.
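The Delta Analysis report described above compares two scans and sorts findings into fixed, still present, and newly found. The following is an added example, not AppScan's code, that performs that classification over two constructed scan exports; the CSV layout (issue_type, url, parameter, severity) is an assumption made for the example, not AppScan's export schema, and every issue record, including the paths other than orderdone.jsf, is constructed for the demonstration.

```python
"""Delta analysis between two scans, in the spirit of AppScan's Delta Analysis report.

Added example; not AppScan code. The CSV layout is an assumption for this
example, not AppScan's export schema. Two issue lists are compared on
(issue type, URL, parameter) so a regression scan can report what was fixed,
what persists, and what appeared for the first time. All records are constructed.
"""
import csv
from dataclasses import dataclass
from io import StringIO

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


@dataclass(frozen=True)
class Issue:
    issue_type: str
    url: str
    parameter: str
    severity: str

    @property
    def identity(self):
        # The same finding across scans: same type at the same URL and parameter.
        return (self.issue_type, self.url, self.parameter)


def parse_export(text):
    """Parse a constructed CSV export (header: issue_type,url,parameter,severity)."""
    reader = csv.DictReader(StringIO(text))
    return [Issue(r["issue_type"], r["url"], r["parameter"], r["severity"]) for r in reader]


def _order(issue):
    # Highest severity first, then by URL and issue type for stable output.
    return (SEVERITY_RANK.get(issue.severity, len(SEVERITY_RANK)), issue.url, issue.issue_type)


def delta(baseline, current):
    """Classify issues into fixed (baseline only), persisting (both), new (current only)."""
    base = {i.identity: i for i in baseline}
    cur = {i.identity: i for i in current}
    return {
        "fixed": sorted((base[k] for k in base.keys() - cur.keys()), key=_order),
        "persisting": sorted((cur[k] for k in base.keys() & cur.keys()), key=_order),
        "new": sorted((cur[k] for k in cur.keys() - base.keys()), key=_order),
    }


def severity_counts(issues):
    counts = {}
    for i in issues:
        counts[i.severity] = counts.get(i.severity, 0) + 1
    return counts


def summarize(result):
    """Per-bucket severity counts, e.g. {'fixed': {'High': 1}, ...}."""
    return {bucket: severity_counts(issues) for bucket, issues in result.items()}


# Constructed sample exports: paths other than orderdone.jsf are made up.
BASELINE_CSV = """issue_type,url,parameter,severity
SQL Injection,http://localhost:9085/PlantsByWebSphere/login.jsf,username,High
Cross-Site Scripting,http://localhost:9085/PlantsByWebSphere/search.jsf,q,High
Session Cookie Without Secure Flag,http://localhost:9085/PlantsByWebSphere/,JSESSIONID,Medium
Missing Cache-Control Header,http://localhost:9085/PlantsByWebSphere/orderdone.jsf,,Low
"""

CURRENT_CSV = """issue_type,url,parameter,severity
Cross-Site Scripting,http://localhost:9085/PlantsByWebSphere/search.jsf,q,High
Cross-Site Scripting,http://localhost:9085/PlantsByWebSphere/help.jsf,topic,High
Session Cookie Without Secure Flag,http://localhost:9085/PlantsByWebSphere/,JSESSIONID,Medium
Missing Cache-Control Header,http://localhost:9085/PlantsByWebSphere/orderdone.jsf,,Low
"""


def run_sample():
    """Delta of the two constructed exports: one fixed, three persisting, one new."""
    return delta(parse_export(BASELINE_CSV), parse_export(CURRENT_CSV))


if __name__ == "__main__":
    result = run_sample()
    for bucket, issues in result.items():
        print(f"{bucket} ({len(issues)}):")
        for i in issues:
            print(f"  [{i.severity}] {i.issue_type} at {i.url} param={i.parameter or '-'}")
    print(summarize(result))
```

Keying on type, URL and parameter rather than on the issue's raw text is what keeps a rescan comparable: a finding whose description changed slightly but still sits on the same parameter is reported as persisting, not as fixed plus new.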

Figure 6 shows an example of creating a customizable, template-based (Custom Template) report, with the report options specified by the report creator.

Figure 6. Create Report page, Report Type tab view

Important:
Please see Downloadable resources for the summary report generated by this scan: AppScanPlantsByWebSphere_Scanned_Summary_Security_Report.pdf

Automated security and vulnerability testing of a web service application

Tip:
It is helpful to explore the Open Web Application Security Project (OWASP) web site to learn more about web security, get a list of high-severity vulnerabilities, find tips for remediation, and so forth (see the link in Related topics). The OWASP site also has a page dedicated to different categories of vulnerabilities, such as authentication, cryptographic, logging, and session management.

Now you're ready to configure a comprehensive, full scan of your HelloWorld web service application. Before setting up the new scan profile to uncover security vulnerabilities of this web service, make sure that WebSphere Application Server v8.0.0.1 is running and that the HelloWorld web service application is deployed to the runtime and running successfully, as shown in Figure 2 (the HelloWorld_V1EAR enterprise application shows a green arrow in the Application Status column).

  1. Launch Rational AppScan Standard Edition v8.5.
  2. Select File > New > Predefined Templates > Comprehensive Scan.

Figure 7. Shows Full Scan Configuration under General Tasks

  3. Launch the Scan Configuration Wizard and specify the options listed in Table 3. See Figure 7.

Table 3. Scan configuration options, HelloWorld web service application
Scan  Option                    Scan configuration option specified
1     Predefined template       Comprehensive scan
2     Type of scan              Web service scan
3     Location of WSDL service  http://localhost:9085/HelloWorld_V1/HelloWorld_V1_HelloWorld_V1HttpService
4     Generic service client    Test only

  4. Specify the environmental setting definitions listed in Table 2.
  5. Allow AppScan to perform the comprehensive security vulnerability testing scan.
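Both scan procedures in this article begin with the same manual check: confirm that the server is up and the application is deployed before starting a full scan. The following is an added example, not part of the article and not AppScan code, that performs that check programmatically for the two targets (the starting URL from Table 1 and the WSDL location from Table 3), confirms that the WSDL actually exposes the sayHello operation described earlier, and refuses to proceed when a target host is not on an allow-list, since a comprehensive scan sends attack payloads and Table 2 declares the site Local and Test. The fetch callback, its (status, body) return shape, the allow-list and the minimal sample WSDL are this example's own constructions.

```python
"""Pre-scan readiness and scope check for the article's two targets.

Added example, not from the article or AppScan. Verifies that the starting
URL (Table 1) and the WSDL location (Table 3) answer with HTTP 200, that the
WSDL exposes sayHello, and that each host is on an allow-list of test hosts.
The fetcher, the allow-list and SAMPLE_WSDL are constructed for this example.
"""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import urlopen

WEB_APP_URL = "http://localhost:9085/PlantsByWebSphere/orderdone.jsf"   # Table 1
# Table 3 value; append "?wsdl" if your runtime serves the WSDL at that suffix.
WSDL_URL = "http://localhost:9085/HelloWorld_V1/HelloWorld_V1_HelloWorld_V1HttpService"
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}   # Table 2: Location of Site = Local (assumed list)
EXPECTED_OPERATION = "sayHello"              # business method described in the article
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"


def in_scope(url, allowed=ALLOWED_HOSTS):
    """True only when the URL's host is an explicitly allowed test host."""
    host = urlparse(url).hostname
    return host is not None and host.lower() in allowed


def http_fetch(url, timeout=5):
    """Default fetcher: GET the URL and return (HTTP status, body text).
    Returns (None, "") when no connection could be made at all."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return None, ""


def wsdl_operations(wsdl_text):
    """Names of <wsdl:operation> elements, or None if the text is not well-formed XML."""
    try:
        root = ET.fromstring(wsdl_text)
    except ET.ParseError:
        return None
    return {op.get("name") for op in root.iter(f"{{{WSDL_NS}}}operation")}


def check_targets(fetch=http_fetch, targets=None):
    """Return {target name: status string}; 'ready' means the target may be scanned."""
    targets = targets or {"web_app": WEB_APP_URL, "wsdl": WSDL_URL}
    report = {}
    for name, url in targets.items():
        if not in_scope(url):
            report[name] = "refused: host not in allow-list"
            continue
        status, body = fetch(url)
        if status != 200:
            report[name] = f"unreachable (status {status})"
            continue
        if name == "wsdl":
            ops = wsdl_operations(body)
            if ops is None:
                report[name] = "response is not XML"
                continue
            if EXPECTED_OPERATION not in ops:
                report[name] = f"WSDL does not expose {EXPECTED_OPERATION}"
                continue
        report[name] = "ready"
    return report


def all_ready(report):
    return bool(report) and all(v == "ready" for v in report.values())


# Constructed minimal WSDL for the offline demonstration; not the real service's WSDL.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="HelloWorld_V1">
  <portType name="HelloWorld_V1">
    <operation name="sayHello"/>
  </portType>
</definitions>"""


def fake_fetch(url):
    """Stand-in fetcher that answers like a healthy local deployment would."""
    if url == WSDL_URL:
        return 200, SAMPLE_WSDL
    if url == WEB_APP_URL:
        return 200, "<html><body>Plants by WebSphere</body></html>"
    return 404, ""


if __name__ == "__main__":
    # Offline run against the fake fetcher; pass fetch=http_fetch for a live check.
    result = check_targets(fetch=fake_fetch)
    print(result, "-> start scan" if all_ready(result) else "-> fix before scanning")
```

The allow-list is the part worth keeping even if the rest is replaced by a curl one-liner: the "Collateral Damage Potential" and "Location of Site" settings in Table 2 only describe the target, they do not stop a scan from being pointed at the wrong host.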

Figure 8 shows the result of the successfully completed scan. After completing a scan and identifying issues, AppScan classifies each issue as high, medium, low, or informational severity and presents the scan results in four tabs: Issue Information, Advisory, Fix Recommendation, and Request/Response. These tabs contain detailed information about the identified issue, the URL that contributed to it, the risk it poses, a recommendation to address that risk, and the raw Request/Response exchange.

Figure 8. Issue Information tab results

While the scan is running, a progress panel indicates the current phase of the scan in real time, along with the URL and the percentage completed. A multiphase scan can be enabled to scan the URLs contained within the main URL; in that case, the status bar reports the number of URLs visited, how many of them have been scanned, and so on. These scans can be set to run automatically either once or periodically.

Next, you will generate a custom report by using a custom report template with the options selected that Figure 5 shows.

Please check Downloadable resources to get the summary report generated: AppScanHelloWorldWebService_Scanned_Summary_Security_Report.pdf

Suggested scanning practices

You can customize these AppScan application configuration parameters to avoid problems resulting from AppScan using excessive memory, which has the potential to lose all scan data:

  • PerformanceMonitor.RestartOnOutOfMemory
  • PerformanceMonitor\minScanTimeDurationForRestart

  1. Click Tools > Options > Advanced tab.
  2. Change these two parameters, listed in the Preference Name column, to these values:
    1. PerformanceMonitor.RestartOnOutOfMemory=True
    2. PerformanceMonitor\minScanTimeDurationForRestart=30 (minutes)

These customized parameters result in AppScan restarting automatically when memory usage becomes too high or when the scan ends due to low virtual memory. For details, see the links in the Related topics section.

See Figure 9 for details.

Figure 9. Rows for those two parameters highlighted

Summary

You have successfully configured Rational AppScan Standard Edition v8.5 to perform automated security vulnerability testing of PlantsByWebSphere web and HelloWorld web service applications. Additionally, you have successfully generated detailed vulnerability and remediation reports using preconfigured or customized report templates. See the link in Related topics for more information on security hardening of the WebSphere Application Server runtime environment.

The Downloadable resources section contains an installation journal guide, the generated reports, the scan export documents, the TechNote, and the sample application used in this article.

Acknowledgements

The authors gratefully acknowledge help from Karl Snider, Market Segment Manager, Application Security and Compliance, IBM Rational software. Karl performed a careful technical review of this article and provided constructive and insightful comments that helped the authors improve the quality and currency of this article.


Downloadable resources


Related topics


ArticleID=780009
ArticleTitle=Automated vulnerability scanning of web applications with Rational AppScan
publish-date=12132011