Presentation Transcript


  1. To hear the WebEx audio, select an option in the Audio Connection dialog or access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. You will not hear sound until the host opens the audio line. For more information, visit: http://ibm.biz/WebExOverview_SupportOpenMic
     What's new in AppScan Enterprise 9.0.3.7 – IBM Security support Open Mic
     NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.
     December 6, 2017

  2. Scheduled Open Mics:
     • Dec 6th (today) - What's new in AppScan Enterprise version 9.0.3.7
     • Jan 17th, 2018 - How to automate scanning with AppScan Enterprise
     • Feb 21st, 2018 - How to transfer a scan from AppScan Standard to ASE
     • Mar 21st, 2018 - How AppScan explores applications (ABE, RBE)
     Recorded Open Mic:
     • Nov 29th, 2017 - What's new in AppScan Standard version 9.0.3.7

  3. Panelists today:
     • Billy Weber – Product Management Director, Application Security
     • Pradeep Shashidhar – Technical Lead Engineer, AppScan Enterprise
     • Joe Kiggen – Moderator, AppScan L2 Manager

  4. Agenda – What's new in AppScan Enterprise version 9.0.3.7, released on November 28, 2017:
     • Security rules updates and APAR fixes
     • Scanning Engine enhancements
     • Scan Automation with Proxy Server
     • New REST API services
     • HAR support
     • Other improvements

  5. Security rules updates and APAR fixes
     • A number of updates to the security rules in AppScan Enterprise 9.0.3.7
     • The security rules now include tests for the following “Apache Struts 2 command execution” vulnerabilities:
       - CVE-2017-5638
       - CVE-2017-9805
       - CVE-2017-9791
     • The full list of APARs fixed can be found in: AppScan Enterprise 9.0.3 Fix List

  6. Scanning Engine Enhancements
     • AppScan Enterprise Scanning Engine in sync with the AppScan Standard Engine
     • Improved Cross-Site Scripting testing:
       - XSS tests sent using a browser
       - Enables finding new vulnerabilities that were not found before
       - Executed only when traditional tests fail, to improve performance
     • Improved Automatic Login:
       - Various techniques were added to increase the success of Automatic Login
     • Improved Action-Based Crawling:
       - Action-based crawling is more accurate and thorough, increasing application coverage
     • Improved scan accuracy:
       - A variety of security rule updates reduce false positive results

  7. Scan Automation with Proxy Server
     • Goal (of Scan Automation): Enable a simple way to create scans in AppScan Enterprise based on functional test automation traffic.
     • Solution: A centralized service that includes a proxy that can be automated to perform the traffic recording and can be integrated with scanning services such as ASE.

  8. Scan Automation with Proxy Server
     A new Proxy Server component enables traffic recording in HAR (HTTP Archive) format. With the AppScan REST API you can create and manipulate scans based on AppScan Standard scan templates (.scant files).
     (Diagram labels: Test Automation (Selenium) – Proxy Server [Web Server, Proxy] with REST API: Start Proxy, Stop Proxy, Get Traffic – Tested Web Application – AppScan Enterprise with REST API: Update .scant, Update Traffic, …)

  9. Scan Automation with Proxy Server
     • Proxy Server includes two main components:
       - Web Server – a web server which listens for REST API requests
       - Proxy – a recording proxy with a command line interface
     • The user sends REST API requests to the Web Server and the Web Server runs the Proxy.

  10. Scan Automation with Proxy Server – Web Server
     • A central, cross-platform server based on Node.js
     • The user can choose the listening port (default 8383)
     • Activated by REST API with the following requests:
       - Start Proxy – starts a recording proxy on a defined or random port
       - Stop Proxy – stops the recording of the specific proxy and closes it
       - Recording – gets the recording from a specific proxy
       - Certificate – downloads the proxy's root certificate public key in PEM format (to avoid SSL warnings)
       - Import root certificate – imports the user’s root certificate
     • Detailed documentation at http://<web_server_ip>:8383

  11. Scan Automation with Proxy Server – Proxy
     • Listens on a specified port or a random port
     • Multiple proxy instances can be used for parallel recordings
     • Records traffic in HTTP Archive (.HAR) format
     • The output is a .dast.config file, which is a zip file containing the .HAR files
     • Supports chained proxies, including conditions (configurable in the proxy.chain file)
     • Supports HTTPS
     • The root certificate is dynamically created (unique per installation) and can be downloaded by the user and installed on their machine (to avoid SSL warnings)
     • The proxy will automatically close after 60 minutes of inactivity (can be changed in the file Settings.json in the installation folder)

  12. New REST API services
     • The following services were added in ASE 9.0.3.7 and 9.0.3.5 iFix2 (for scans based on AppScan Standard templates):
       - Create a new scan using an AppScan Standard template
       - Update any configuration item of a scan
       - Update credentials of a recorded Action-Based Login
       - Import explore data in the following formats: EXD, HAR, HTD, and DAST.CONFIG
       - Import a traffic file including login requests for Request-Based Login

  13. HAR Support
     • HAR traffic files are also supported in the Scan management REST API:
       - API to upload manual explore traffic to a scan: /services/folderitems/<fiid>/httptrafficdata
       - API to upload a recorded login sequence: /services/folderitems/<fiid>/recordedlogindata
     • Supports import of HTTP Archive (HAR) traffic from any source:
       - HAR file recorded with the Proxy Server
       - HAR file recorded by any other tool, such as a browser
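Slides 11 and 13 describe the recording output (a .dast.config zip of HAR files) and its import into a scan as explore data. The following is an added example, not code from the presentation or from the AppScan product: it builds a constructed .dast.config-style archive from a minimal HAR 1.2 document and reviews the recorded requests before upload, separating in-scope requests from hosts outside the tested application and flagging requests that carry session or authentication headers. The host list, file names and sample URLs are assumptions for the example.

```python
import io
import json
import zipfile
from urllib.parse import urlparse

# Constructed sample: a minimal HAR 1.2 document of the kind the Proxy Server
# records (real recordings carry many more fields per entry).
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"},
    "entries": [
        {"request": {"method": "POST", "url": "https://app.example.test/login",
                     "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}]},
         "response": {"status": 302}},
        {"request": {"method": "GET", "url": "https://app.example.test/account",
                     "headers": [{"name": "Cookie", "value": "JSESSIONID=abc123"}]},
         "response": {"status": 200}},
        {"request": {"method": "GET", "url": "https://cdn.thirdparty.test/lib.js", "headers": []},
         "response": {"status": 200}},
    ]}}

# Request headers that carry session or authentication material.
CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization"}


def build_dast_config(har_docs):
    # Pack HAR documents into a .dast.config-style zip (in memory), one .har member each.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, har in enumerate(har_docs):
            zf.writestr(f"recording{i}.har", json.dumps(har))
    return buf.getvalue()


def review_dast_config(blob, allowed_hosts):
    # Summarise every recorded request before the archive is uploaded to a scan:
    # in-scope requests, hosts outside the tested application (which would widen the
    # scan) and requests carrying credential headers (candidates for Request-Based Login).
    result = {"in_scope": [], "out_of_scope": set(), "with_credentials": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".har"):
                continue
            for entry in json.loads(zf.read(name))["log"]["entries"]:
                req = entry["request"]
                host = urlparse(req["url"]).hostname
                if host not in allowed_hosts:
                    result["out_of_scope"].add(host)
                    continue
                result["in_scope"].append((req["method"], req["url"]))
                if any(h["name"].lower() in CREDENTIAL_HEADERS for h in req.get("headers", [])):
                    result["with_credentials"].append(req["url"])
    return result
```

Run `review_dast_config(build_dast_config([SAMPLE_HAR]), {"app.example.test"})` to see the third-party CDN reported as out of scope and the /account request flagged for its Cookie header.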

  14. Other improvements
     • REST API services:
       - Pull scan statistics in real time (9035 iFix 2)
       - Pull the detailed scan log after a scan is complete (9035 iFix 2)
     • Includes the latest JRE 1.8 SR5
     • Import issues exported from AppScan Source in OZASMT format

  15. Other improvements
     • Export issues from Security Reports in Excel format from the Monitor tab.

  16. Questions for the panel
     Now is your opportunity to ask questions of our panelists. To ask a question now:
     • Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line.
     or
     • Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down menu. Click Send. Your message is sent and appears in the Q&A panel.
     To ask a question after this presentation: You are encouraged to participate in the dW Answers forum: https://developer.ibm.com/answers/topics/appscan-enterprise

  17. Where do you get more information?
     • Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/appscan-enterprise
     • AppScan Enterprise 9.0.3.7 download link: http://www.ibm.com/support/docview.wss?uid=swg24044228
     • AppScan Enterprise versions available: http://www.ibm.com/support/docview.wss?uid=swg21971043
     • Security Learning Academy: www.SecurityLerningAcademy.com
     Useful links:
     • Get started with IBM Security Support
     • IBM Support Portal | Sign up for “My Notifications”
     • FREE learning resources on the Security Learning Academy
     Follow us:

  18. What's new in AppScan Enterprise 9.0.3.7
