Watchfire AppScan

1. Watchfire AppScan Web Application Security Software Omen Wild September 2007

2. AppScan Overview • What is AppScan? • Software used by web developers, content managers, database administrators, and system administrators to check web applications for vulnerabilities • How is AppScan used? • AppScan can be deployed in variety of application instances, including test, development and production

3. AppScan Functionality • Site crawl • Finds all linked pages • Site check • Attacks web forms • SQL Injection • Cross Site Scripting (XSS) • Buffer Overflows • Extensive reports

4. User Endorsement • Brian Biehle • Supports the Academic Senate • Scanned MySenate • “You also have my full endorsement of AppScan and its effectiveness to uncover areas within a site that may pose security risks. The recommendations for resolving the issues within the reports generated from the scan have been very helpful as well.”

5. AppScan Project Status • UC Davis purchased Watchfire AppScan per existing UCOP agreement. The agreement includes: • 25 licenses for configuration, scanning and reporting features • 25 licenses for computer-based training • On-site training for administrators and license holders • Hardware is in place • Working with vendor for installation and training

6. Implementation Plan & Estimated Timeline • October 1 - 15: Watchfire staff available for implementation planning • October 15 – November 2: Watchfire staff on-site for implementation assistance • October 22 – 26: Watchfire staff on site for training • While this timeline my change slightly, AppScan on-site training will be completed no later than mid-November 2007

7. Next Steps • Finalize license distribution plan and process • Finalize training strategy and timeline • Develop and implement communication plan

8. Questions?