Friday, August 8, 2008

WebApp Security Test tool - IBM Rational AppScan

This is part 3 (after Introduction, HP Application Security Center) of the series on web application security test tools. This week, I invited IBM to present their offering called IBM Rational AppScan.
  • Formally Watchfire Corporation before its acquisition in July 2007.
  • Does not have a code analyzer component like HP. [Edit: Will have one in the upcoming version come Sept 2008 as pointed out by Chris.]
  • Run-time analyzer comes in three flavors:

    1. Standard Edition
      • Targeted at standalone usage scenarios.
      • Black-box testing tool (does not require source code but requires a running system).
      • Underlying implementation technology independent.
      • Works by crawling an entire website (link depth and type is configurable) after been given a root URL.
      • Suggests common fixes when vulnerabilities are found but cannot automatically fix them. (Obviously since it has no knowledge or access to the underlying code!)
      • Will not be able to detect threats on pages that are not explicitly defined in the test, exist as links in the website or directories that do not allow listing.
      • Supports legal and regulatory compliance by scanning against well known policies (e.g. Sarbanes-Oxley, HIPAA, PCI Data Security Standard, OWASP Top Ten) and generate the necessary reports.
      • Requires regular updates to keep up with latest threat signatures (like anti-virus software).
      • Must run full suite of tests after an update as the tool is unable to determine the delta.
      • Includes a whole bunch of advanced tools for penetration testers.
      • Supports only Windows Platform for running the tool.

    2. Tester Edition
      • Targeted as part of the Quality Assurance process usage.
      • Contains same features as the Standard Edition plus the following.
      • Automatic test creation, modification and maintenance capabilities to enable testing and remediation.

    3. Enterprise Edition
      • Targeted at multi-user environments.
      • Contains same features as the Standard Edition plus the following.
      • Centralized test management and reporting, remote scanning administration.
      • Continuous monitoring and aggregation of metrics to ensure remediation and trend improvement over time.
      • Sophisticated dashboards and flexible reporting views to provide enterprise-wide visibility of risks and remediation progress.
      • Web based access for users.
      • Supports only Windows Platform for server components.


Christopher M. Ensey said...

You might want to look at Rational software analyzer for the code scan part. We have a full integration with it in the Sept 08 release of AppScan Developers Edition which works as part of an eclipse or RAD plugin with all the same security and code quality testing features of both products.

Christopher M. Ensey said...

... also I would say its worth mentioning that AppScan owns the IP for the scan engine that HP licenses for its product. If you look at the way WebInspect utilizes the engine the results are more prone to false positives and extraneous messages that will not assist in the security assessment process. The real richness of the two products comes down to speed of scanning and the quality of remediation information.

Sidney said...

Chris, Thanks for the comments. Weird that the IBM consultant that came down to present the solution to us did not mention the code analyzer. Maybe the news haven't been pushed to this part of the world yet.

As for your second comment, I will certainly make a note of it during the POC stage. You have certainly reinforced my point on putting the products through a real world test in order to differentiate them. It's not about how many features a product (claim to) have but how well they are implemented!

Christopher M. Ensey said...

Great point about the feature claims. Good luck with your POC!