1 - 54 of 54 results
Scan your app to find and fix OWASP Top 10 - 2017 vulnerabilities
Today's modern web applications are more than a match for most desktop PC applications and continue to push boundaries by taking advantage of limitless cloud services. But more powerful web applications mean more complicated code, and the more complicated the code, the greater the risk of coding flaws, which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious actors, bent on profiteering from data theft or on gaining online notoriety by causing mischief. This article looks at securing web applications by adopting industry best application development practices, such as the OWASP Top 10, and by using web application vulnerability scanning tools, like IBM Rational AppScan.
Also available in: Russian  
Articles 12 Dec 2017
Validating CSRF vulnerabilities reported by automated scanners
This tutorial covers how to manually validate cross-site request forgery (CSRF) vulnerabilities that can be reported by an automated security scanner, such as IBM AppScan. Most automated scanners, including IBM AppScan, do not accurately report CSRF vulnerabilities, as they are built on predefined rules and cannot completely determine the legitimacy of certain types of vulnerabilities like CSRF. To validate such issues, one needs to manually reproduce the vulnerability and decide whether it is indeed true or a false alarm. This tutorial is a step-by-step guide to reproduce and validate the reported CSRF vulnerabilities by using a custom-made flow chart and also provides guidance on using the open source tool "CSRF Tester" that provides a rich functionality to validate such vulnerabilities. 
Articles 27 Nov 2017
Identify and avoid false positives with IBM AppScan
IBM Security AppScan is a tool that performs dynamic security scanning of web applications and services to identify the security vulnerabilities that are present in applications. Along with valid vulnerabilities, an automated scanning tool can also report vulnerabilities that turn out to be invalid upon further manual analysis. These "vulnerabilities" are commonly known as false positives. In this article, we discuss some common false positives reported by AppScan and provide guidance on how a tester can validate whether the reported issue is a false positive or not. Additionally, the article explains how to avoid such false positives from being reported by making the proper configuration changes to the AppScan tool.
Also available in: Japanese  
Articles 31 Aug 2016
Assess the vulnerability of an enterprise's applications and network
This tutorial describes effective ways of conducting vulnerability assessments of web applications and networks in any organization and illustrates how to proactively defend against cyber attacks using a combination of enterprise-grade and trustworthy vulnerability scanners such as Tenable Nessus Scanner and IBM Security AppScan Enterprise.
Tutorial 23 Aug 2016
Put Bluemix AppScan results into Bluemix Track & Plan
Scan a Bluemix application by using the AppScan Dynamic Analyzer, and then send the scan results to the Track & Plan defect tracking service.
Also available in: Chinese   Japanese  
Articles 27 Jul 2015
Custom Test Creator
This extension allows users to extend the tests executed by AppScan.
Downloads 22 Jun 2015
Find cross-site scripting errors in your Bluemix application with AppScan Dynamic Analyzer
In this short demo video, Ori Pomerantz shows a Bluemix application that has a cross-site scripting error in it. Then he shows how to add the AppScan Dynamic Analyzer service to the application and run a scan. He shows that the scan report detects the cross-site scripting error and provides guidance on how to fix it.
Articles 06 May 2015
Mail-E-Vent
Mail-E-Vent adds the ability to send email notifications to Security AppScan. Users can configure which events will trigger an email, as well as the ability to send a PDF report at the end of the scan.
Downloads 27 Apr 2015
Speak and Scan
This eXtension uses the Microsoft Win32 Speech API (SAPI) to make IBM Security AppScan speak in a human voice when certain events occur during a scan. You can configure which voices will be used through the Windows text-to-speech (TTS) engine.
Downloads 27 Apr 2015
OWASP top 10 vulnerabilities
Look at the top 10 web application security risks worldwide as determined by the Open Web Application Security Project. Then discover how IBM Security AppScan helps website administrators find, correct, and avoid these and other web security threats.
Articles 20 Apr 2015
IBM Security AppScan Source Quick Process Guide
Discover an easy-to-understand process you can use to produce comprehensive, dependable, and actionable security findings using IBM Security AppScan Source. The process described in this tutorial helps security auditors and developers take their AppScan Source scan results to the next level, by customizing AppScan Source to their organization's application technologies and enforcing their application security policies, using tools already available in AppScan Source.
Articles 11 Sep 2014
Optimize your AppScan Enterprise scans
The practices described in this white paper will help security testers configure and run more successful scans with IBM Security AppScan Enterprise Edition.
Articles 08 Aug 2014
Improve application scanning efficiency with IBM Security AppScan
In this security community white paper, Ori Pomerantz demonstrates how to filter the pages scanned by AppScan Standard (or Enterprise) to avoid scanning different versions of the same page when they are distinguished by parameter values.
Articles 22 Jul 2014
IBM Security AppScan
Download a free trial version of IBM Security AppScan Standard Edition, a leading web application security testing tool that automates vulnerability assessments and scans and tests for all common Web application vulnerabilities including SQL-injection, cross-site scripting and buffer overflow.
Also available in: Chinese   Portuguese   Spanish  
Trial Downloads 21 Jul 2014
Streamline your organization's mobile application security testing program with IBM Security AppScan Source 9.0
Many applications today are written for mobile devices. These applications are developed and released at a rapid speed. Yet the security of many of these applications remains a major concern. AppScan Source 9.0 streamlines your organization’s mobile application security testing with the introduction of local mode, integration with IBM Worklight, and by expanding its support of the Mac platform.
Also available in: Russian  
Articles 17 Jun 2014
AppScan 9.0 Standard Report Templates: Modifying reports with Microsoft Word
In this white paper you learn to export report templates from AppScan Standard, modify them with Microsoft Word, and import them back to AppScan Standard. This feature, new in Version 9.0, makes it easy to customize reports.
Articles 19 May 2014
Create an application inventory with AppScan Enterprise
Learn how to build a centralized, authoritative inventory of all the applications in your enterprise and track their security posture and compliance status from IBM Security AppScan Enterprise.
Articles 28 Apr 2014
Manage application security across the organization with IBM Security AppScan Enterprise
In this demonstration video, watch a real-world example of how to manage application security risk across an enterprise.
Articles 21 Apr 2014
Prevent cross-site request forgery: Know the hidden danger in your browser tabs
Explore two strategies to help prevent cross-site request forgery attacks as you review a detailed, step-by-step cross-site request forgery attack scenario. Also, look at some issues for scanning tools as they try to find cross-site request forgery vulnerabilities.
Also available in: Chinese   Russian   Japanese  
Articles 25 Mar 2014
Importing .scan files into AppScan Enterprise
IBM Security AppScan Enterprise is deployed at the organization level within an enterprise to provide application scanning and centralized dashboard reporting about the scans' findings. Security testers often install IBM Security AppScan Standard on their laptop and desktop computers to scan applications because AppScan Standard is more flexible and portable. To provide a complete picture of the scan results in the AppScan Enterprise dashboard, the security testers must import their scan results from AppScan Standard into AppScan Enterprise. This document gives step-by-step instructions for exporting .scan files from AppScan Standard and importing them into AppScan Enterprise.
Articles 11 Mar 2014
Silently install IBM Security AppScan Enterprise 8.7.x
Administrators can silently upgrade or install IBM AppScan Enterprise for Microsoft Windows from the command prompt. User notification is disabled during the silent installation, except in error cases such as notification of failed prerequisites. A silent installation uses the same installation program that the graphical user interface (GUI) version uses. Instead of displaying a wizard interface, the silent installation reads all of your responses from parameters that you pass on the command line. This document gives the response file and also details how to use it for silent installation.
Articles 04 Mar 2014
Implementing an AppScan Enterprise-based Web Security Solution
Learn to design and implement an installation of AppScan Enterprise that enables multiple business units within a company to have separate, independent instances of AppScan Enterprise from a single installation.
Articles 11 Feb 2014
Fight against SQL injection attacks
In the world of security exploits, one vulnerability, although easily resolved, is number one on the OWASP top 10: the Structured Query Language (SQL) injection attack. Although this class has existed since 1995, it remains one of the most prevalent attacks on web assets. Get to know the SQL injection attack and discover how it's carried out on a production website. Then learn how to test a website for this class of vulnerability by using IBM Security AppScan Standard.
Also available in: Russian   Japanese  
Articles 04 Feb 2014
Automated security testing with IBM Security AppScan Enterprise 8.7 and Selenium IDE
Learn how quality assurance testers seeking increased automation within the software development life cycle can leverage IBM Security AppScan Enterprise and the Selenium IDE browser plug-in for Firefox to include dynamic application security testing in their functional tests.
Articles 02 Dec 2013
Multiplex IBM Security AppScan Enterprise
IBM Security AppScan Enterprise is a powerful tool that lets web application developers scan their web applications for vulnerabilities. Because different business units use different applications and have different needs, Security AppScan Enterprise installations are often segmented by business unit. However, a large enterprise might consist of multiple business units, making separate installations costly in hardware, maintenance, and labor. That's where a feature called multiplexing comes in. In this article, learn how to design and implement a multiplexing solution for a centralized IBM Security AppScan Enterprise setup.
Articles 22 Oct 2013
System security and practical penetration testing
Evolving vulnerabilities in web-facing applications are a growing and troublesome trend. This fact, coupled with a growing community of cybercriminals and hacktivists, means that your applications could be the next new example of a high-profile breach. Discover some of the tools the hacking community uses, and learn how you can protect yourself against them.
Also available in: Russian  
Articles 24 Sep 2013
Static and dynamic testing in the software development life cycle
Yesterday, the idea of application security was mostly an afterthought. But given the plethora of news on hacking and underground economies for exploits, security testing is now an integral part of the software development life cycle. This article explores two aspects of security testing and the open source tools that simplify their execution.
Articles 26 Aug 2013
IBM Security AppScan Source: Explore functions
This is a summary guide to learn the basics of using IBM Security AppScan Source Edition. Derek Chowaniec will show you how to configure applications for scanning, alter the scanning configuration for your security needs, use the integrated tools to build a report, triage the information based on your findings, and configure the system to scan and analyze precompiled code. Tom Mulvehill shows you how to hunt down vulnerabilities in Android applications.
Articles 11 Jul 2013
Optimize security by combining data from across the infrastructure
Learn how IBM Security provides the best security insight by combining data from across an organization's entire infrastructure.
Articles 09 Jul 2013
IBM Security AppScan Standard: Scan and analyze results
This is a summary guide to getting started scanning for web application vulnerabilities with IBM Security AppScan Standard Edition and analyzing the results. Watch a video demonstration to learn how to configure AppScan for a dynamic scan of a new application. Follow a case study that demonstrates using AppScan Standard to scan and test two web applications. Watch a five-step process to help you analyze the results of your scan. Then watch a real-life scenario in which AppScan Standard is used (with AppScan Source) to establish embedded security analysis. A bonus is also included: An AppScan Standard guide to testing mobile applications.
Articles 19 Jun 2013
Introduction to Manual Explorer in IBM Security AppScan Enterprise 8.7
IBM Security AppScan Enterprise V8.7 includes the new Manual Explorer tool, which helps security analysts find more URLs and explore pages that are difficult to explore with automated explorer tools. The Security AppScan Enterprise team has improved the Manual Explorer to address some drawbacks of the earlier plug-in. Currently, Security AppScan Enterprise V8.7 supports both the Manual Explorer tool and the Manual Explore plug-in. In this article, learn about the new Manual Explorer tool by using step-by-step instructions to install and configure the tool.
Articles 21 May 2013
Secure your mobile applications
With the explosive growth in the mobile ecosystem, mobile application security is a huge concern. New mobile application designs require new ways of testing to ensure data safety. In this article, explore different aspects of mobile application security. With hands-on examples, learn to use IBM Security AppScan Standard with mobile user agents and with emulators and actual devices for Android and iOS.
Also available in: Russian  
Articles 16 Apr 2013
Case study: AppScan security scan of Rational Focal Point
Using IBM Rational Focal Point as an example, Shivakumar Patil describes using IBM Security AppScan Standard edition to test web-based applications and their external endpoints, such as SOAP and REST web services.
Articles 29 Jan 2013
Introduction to AppScan Policies
IBM Security AppScan is a tool that provides automated security scanning for web applications. Each scan policy within IBM Security AppScan covers a particular aspect of application security. Using the right policy produces optimal scanning results and reduces false positives. In this article, get an overview of IBM Security AppScan policies, and learn which policy is optimal based on the type of application and its stage of development. The article also provides a side-by-side policy comparison that details each scan policy offered by the IBM Security AppScan tool.
Articles 13 Nov 2012
Craft a SaaS-oriented web application vulnerability mitigation policy
Organizations depend on web-based software to run business processes, conduct transactions, and deliver services to customers; when deadlines loom, the business may get frantic and sacrifice security features in order to move the application more quickly into production. This reaction often results in a substandard application. A more proactive solution is to establish a Software as a Service (SaaS)-oriented web application vulnerability mitigation policy (complete with a SaaS-based app-vulnerability scanner) that will anticipate application trouble spots and contain several pre-configured solutions to repair them. The author provides a roadmap to such a policy and illustrates the use of a scanner tool in the form of IBM Rational AppScan products.
Also available in: Chinese   Japanese   Portuguese  
Articles 27 Jun 2012
Craft a SaaS-oriented vulnerability mitigation policy
Many businesses and industries depend on web-based software to run business processes, conduct transactions, and deliver services to customers. When a deadline looms, organizations may get frantic and sacrifice secure features to bring the application into production. This is a fast (and reactive) solution that usually results in a defective application. A better, proactive solution is to put in place a SaaS-oriented web application vulnerability mitigation policy (and employ a SaaS-based vulnerability scanner) that anticipates application vulnerabilities and has several solutions to repair them ready to go. The author provides a roadmap to such a policy and illustrates the use of a scanner tool in the form of IBM Rational AppScan products.
Also available in: Chinese   Russian   Japanese  
Articles 12 Jan 2012
Automated vulnerability scanning of web applications with Rational AppScan
This article uses two examples to explain how to use Rational AppScan Standard Edition v8.5 for automated security vulnerability testing of web and web service applications. The authors also set the stage for examples to explore the regulatory compliance reporting capabilities.
Also available in: Chinese  
Articles 13 Dec 2011
Web 2.0 desktop and mobile application security design
Most attempted attacks are directed at web applications. These attacks focus on the most common vulnerabilities, which include cross-site scripting, SQL injection, parameter tampering, cookie poisoning, and information leakage. Traditional perimeter defenses, such as firewalls and intrusion detection systems, will not prevent this kind of attack, because these attacks exploit vulnerabilities in the program itself. This article describes the most common vulnerabilities and possible countermeasures and explains the value of automated security scanning in the development process for producing secure applications.
Also available in: Chinese   Russian   Spanish  
Articles 21 Jun 2011
Planning a security strategy: Three core questions to ask
Security teams are overwhelmed by the increasing need to safeguard their information assets. Simultaneously, CEOs are thinking of how to cost-effectively ensure security across their organizations that often span geographic borders. They all want a simple answer to a complex question: Where do I begin? That's what this article is about.
Also available in: Chinese  
Articles 29 Oct 2009
What's new in IBM Rational Software Analyzer Version 7.1
Learn about the new software integration, programming language support, and technology support in Version 7.1 of IBM Rational Software Analyzer. This extensible software helps you review software code, identify bugs, and enforce code quality policy early in the software development cycle, when problems are easier and less expensive to correct.
Also available in: Chinese   Spanish  
Articles 14 Jul 2009
Tivoli Access Manager and Rational AppScan
Managing security is a critical part of building and maintaining a modern IT infrastructure. IBM offers several complementary offerings in Security Governance, Risk Management and Compliance to help clients manage the security of their complex IT environments. IBM Tivoli Access Manager for e-Business is a market-leading software solution in IBM's Identity and Access Management portfolio for managing enterprise web-based authentication, authorization and single sign-on. IBM now also offers a market-leading web application security scanner called IBM Rational AppScan. This article compares and contrasts the two offerings as they relate to IBM's security operations strategy and examines what security benefits each brings to the enterprise environment. A number of scenarios are presented to highlight the roles of each of the software solutions and how they complement each other's capabilities.
Articles 03 Feb 2009
HTTPScout
This eXtension launches the (ultra-useful) Nmap port scanner and attempts to locate open ports on the scanned Web server that speak HTTP or HTTPS. Once the port scan is done, HTTPScout adds the HTTP-speaking ports to the current scan configuration. This eXtension is useful for discovering additional HTTP applications on the same server (e.g. web-based administration consoles) and adding them to the scan automatically.
Downloads 13 Jan 2009
Test Positive
This tool can be used to view any vulnerability outside IBM Security AppScan.
Downloads 13 Jan 2009
Event Logger
You can use this eXtension to decide which IBM Security AppScan event will be logged to a textual file that you define.
Downloads 13 Jan 2009
AXE (XmlExport)
AXE (Automatic XML Export) automatically exports scan results as XML to a specified location when the scan is over. The export location can be either a local drive or a network shared drive. This eXtension comes in handy if you are using third-party software that consumes IBM Security AppScan results on a regular basis.
Downloads 13 Jan 2009
IBM Security AppScan Reporter for Microsoft PowerPoint (beta)
This eXtension creates executive summary presentations from scan results based on user templates.
Downloads 13 Jan 2009
Non-Vulnerable XMLExport
This eXtension exports the non-vulnerable scan results into XML to a specified location.
Downloads 13 Jan 2009
Developing secure Web applications: An introduction to IBM Rational AppScan Developer Edition
This article focuses on the role developers should play in improving Web application security, and details how IBM Rational AppScan Developer Edition enables them to do so. Rational AppScan Developer Edition is the first to offer all of the dominant security analysis technologies in one product (dynamic analysis, static analysis, runtime analysis, and string analysis), and is the first to tap into the potential of using these techniques together (composite analysis).
Also available in: Chinese   Russian  
Articles 16 Sep 2008
Best practices for SOA nonfunctional testing
In the course of developing a Service-Oriented Architecture (SOA) application, your organization will most likely have nonfunctional requirements (NFRs) that need significant implementation and testing. Shiv Asthana describes the best practices you should adhere to when testing nonfunctional requirements for applications built as part of an SOA environment.
Also available in: Chinese  
Articles 28 Aug 2008
Brazil: Web security is done with IBM Rational AppScan
Web application security scanning: Comprehensive results and customizable features
Articles 20 Aug 2008
Create secure Java applications productively, Part 2
This is the second in a two-part tutorial series on creating secure Java-based Web applications using Rational Application Developer, Data Studio and Rational AppScan. In Part 1 you developed a Java Web application with Rational Application Developer, and then deployed the application on WebSphere Application Server with Java Server Pages (JSP). This tutorial shows you how to scan the Wealth application created in Part 1 using Rational AppScan to discover and fix all known Web security vulnerabilities. It also shows how to re-scan your application and generate reports.
Tutorial 04 May 2008
Create secure Java applications productively, Part 1
This is the first in a two-part tutorial series on creating secure Java-based Web applications using Rational Application Developer, Data Studio and Rational AppScan. This first tutorial begins by showcasing how Data Studio with pureQuery can increase the efficiency of your database-driven Web development. You will develop a Java Web application with Rational Application Developer, and then, using Java Server Pages (JSP), deploy the application on WebSphere Application Server.
Also available in: Chinese  
Tutorial 14 Apr 2008
IBM Rational AppScan: Hacking Web applications by using cookie poisoning
This article explains why session management and session management security are complex tasks, which is why they are usually left for commercial products to handle. The article describes how the tokens are generated for two commercial application engines. The author then analyzes the strength of each mechanism, explains its weakness, and demonstrates how such weakness can be exploited to execute an impersonation and privacy breach attack. He also discusses the feasibility of the attack. Lastly, he recommends an approach to session management that separates the security from the functionality, with the latter carried out by application engines, but the former provided by a dedicated application security product.
Also available in: Chinese  
Articles 01 Apr 2008
IBM Rational AppScan: Cross-site scripting explained
Learn how hackers launch a cross-site scripting (XSS) attack, what damage it does (and doesn't do), how to detect it, and how to protect your Web site and your site visitors from these malicious invasions of privacy and security.
Also available in: Chinese  
Articles 25 Mar 2008