IBM Security AppScan Source for Analysis Version User Guide IBM

Transcription

1 IBM Security AppScan Source for Analysis Version User Guide IBM

2

3 IBM Security AppScan Source for Analysis Version User Guide IBM

4 (C) Copyright IBM Corp. and its licensors 2003, All Rights Reserved. IBM, the IBM logo, ibm.com Rational, AppScan, Rational Team Concert, WebSphere and ClearQuest are trademarks or registered trademarks of International Business Machines Corp. registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. This program includes: Jacorb 2.3.0, Copyright The JacORB project; and XOM1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the Gnu Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program.

5 Contents Chapter 1. Introduction to AppScan Source for Analysis Introduction to IBM Security AppScan Source... 1 United States government regulation compliance. 2 What's New in AppScan Source What's New in AppScan Source Version What's New in AppScan Source Version What's New in AppScan Source Version What's New in AppScan Source Version Migrating to the current version of AppScan Source 9 Migrating from Version Migrating from Version Migrating from Version AppScan Source for Analysis overview Workflow Important concepts Classifications Logging in to AppScan Enterprise Server from AppScan Source products Enabling Common Access Card (CAC) authentication Changing AppScan Source user passwords AppScan Enterprise Server SSL certificates AppScan Source and accessibility Notices Copyright Chapter 2. Configuring applications and projects AppScan Source application and project files Configuring applications Creating a new application with the New Application Wizard Using the Application Discovery Assistant to create applications and projects Adding an existing application Adding multiple applications Importing existing Java applications from Apache Tomcat and WebSphere Application Server Liberty profile application servers Adding an Eclipse or Eclipse-based product workspace Configuring your development environment for Eclipse and Rational Application Developer for WebSphere Software (RAD) projects Eclipse or Application Developer updates Eclipse workspace importers: Eclipse or Rational Application Developer for WebSphere Software (RAD) preference configuration Creating a new project for an application Adding an existing project Adding multiple projects Adding a new Arxan project Adding a new ASP project Adding a new C/C++ project Adding a new COBOL project Adding a new ColdFusion project Adding a new Java or JavaServer Page (JSP) project Adding a new JavaScript project Adding a new.net Assembly project Adding a new Pattern Based project Adding a new Perl project PHP project configuration Adding a new PL/SQL project Adding a new T-SQL project Adding a new Visual Basic project Copying projects Modifying application and project properties Global attributes Application attributes Removing applications and projects Explorer view Chapter 3. Preferences General preferences AppScan Enterprise Console preferences Application server preferences for JavaServer Page compilation Tomcat WebLogic 8, 9, 11, and WebSphere Application Server Defining variables Enabling defect tracking with preferences Rational ClearQuest preferences Quality Center preferences Rational Team Concert preferences Team Foundation Server preferences Eclipse workspace importers: Eclipse or Rational Application Developer for WebSphere Software (RAD) preference configuration Java and JavaServer Pages Knowledgebase articles Project file extensions Chapter 4. Scanning source code and managing assessments Scanning source code Scanning all applications Scanning one or more applications Scanning one or more projects Scanning one or more files Re-scanning code Scan considerations Managing scan configurations Excluding a file from a scan Cancelling or stopping a scan Copyright IBM Corp. 2003, 2016 iii

6 AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux Managing My Assessments Publishing assessments Registering applications and projects for publishing to AppScan Source Publishing assessments to AppScan Source Publishing assessments to the AppScan Enterprise Console Saving assessments Automatically saving assessments Removing assessments from My Assessments Defining variables Defining variables when publishing and saving 116 Example: Defining variables Chapter 5. Triage and analysis Displaying findings The AppScan Source triage process Sample triage Triage with filters Using AppScan Source predefined filters Creating and managing filters Applying filters Triage with exclusions The scope of exclusions Specifying exclusions Marking findings as exclusions in a findings table Re-including findings that have been marked as exclusions Example: Specifying filter exclusions Specifying bundle exclusions from the Properties view Triage with bundles Creating bundles Adding findings to existing bundles Viewing findings in bundles Saving bundles to file Submitting bundles to defect tracking and by Adding notes to bundles Modifying findings Making modifications from a findings table Modifying findings in the Finding Detail view 149 Removing finding modifications Comparing findings Comparing two assessments in the Assessment Diff view Comparing two assessments from the main menu bar Finding differences between assessments in the My Assessments and Published Assessments views Custom findings Creating a custom finding in the Properties view Creating custom findings in a findings view Creating custom findings in the source code editor Resolving security issues and viewing remediation assistance Analyzing source code in an editor Supported annotations and attributes Chapter 6. AppScan Source trace AppScan Source trace scan results Validation and encoding Searching AppScan Source traces Input/output tracing Using the Trace view Input/output stacks in the Trace view Analyzing source code in an editor Validation and encoding scope Creating custom rules from an AppScan Source trace Code examples for tracing Example 1: From source to sink Example 2: Modified from source to sink Example 3: Different source and sink files Example 4: Validation in depth Chapter 7. AppScan Source for Analysis and defect tracking Enabling defect tracking with preferences Rational ClearQuest preferences Quality Center preferences Rational Team Concert preferences Team Foundation Server preferences Integrating HP Quality Center and AppScan Source for Analysis Submitting findings to Quality Center Tracking findings submitted to Quality Center 184 AppScan Source finding information in Quality Center Integrating Rational ClearQuest and AppScan Source for Analysis Submitting findings to Rational ClearQuest Submitting defects to Rational ClearQuest Integrating Rational Team Concert and AppScan Source for Analysis Submitting defects to Rational Team Concert 186 Rational Team Concert SSL certificates Integrating Microsoft Team Foundation Server and AppScan Source for Analysis Submitting defects to Microsoft Team Foundation Server Working with submitted defects Submitting bundles to defect tracking and by 188 Tracking defects through (sending findings by ) Chapter 8. Findings reports and audit reports Creating findings reports AppScan Source reports Creating an AppScan Source custom report CWE/SANS Top report DISA Application Security and Development STIG V3R10 report iv IBM Security AppScan Source for Analysis: User Guide

7 Open Web Application Security Project (OWASP) Top report Open Web Application Security Project (OWASP) Mobile Top 10 report Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 report Software Security Profile report Chapter 9. Creating custom reports 197 Report Editor Report Layout tab Categories tab Preview tab Generating custom reports Designing a report from an existing custom report Including categories in the report Previewing the report Saving the report template Chapter 10. Customizing the vulnerability database and pattern rules Extending the AppScan Source Security Knowledgebase Creating custom rules Using the Custom Rules wizard Likelihood rule attributes Customizing input/output tracing through AppScan Source trace Customizing with pattern-based rules Pattern rule sets Pattern rules Applying pattern rules and rule sets Chapter 11. Extending the application server import framework Chapter 12. AppScan Source for Analysis samples Chapter 13. The AppScan Source for Analysis work environment The AppScan Source for Analysis workbench Main menu File menu Edit menu Scan menu Tools menu Admin menu View menu Perspective menu Help menu Toolbars Hover help Status bar Chapter 14. Views Configuration views Custom Rules view Explorer view Pattern Rule Library view Properties view Scan Configuration view Report Editor Views that assist with scan output Console view Metrics view My Assessments view Published Assessments view Views that assist with triage Assessment Diff view Custom Findings view Views with findings Sources and Sinks view Views that allow you to investigate a single finding 277 Finding Detail view Remediation Assistance view Trace view Views that allow you to work with assessments 281 Assessment Summary view Filter Editor view Vulnerability Matrix view Bundles view Bundle view Glossary A B C D E F L P R S T V W X Notices Index Contents v

8 vi IBM Security AppScan Source for Analysis: User Guide

9 Chapter 1. Introduction to AppScan Source for Analysis This section describes how AppScan Source for Analysis fits into the total AppScan Source solution and provides a basis for understanding the software assurance workflow. Introduction to IBM Security AppScan Source IBM Security AppScan Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop. The product set includes: v AppScan Source for Analysis: Workbench to configure applications and projects, scan code, analyze, triage, and take action on priority vulnerabilities. v AppScan Source for Automation: Allows you to automate key aspects of the AppScan Source workflow and integrate security with build environments during the software development life cycle. v AppScan Source for Development: Developer plug-ins integrate many AppScan Source for Analysis features into Microsoft Visual Studio, the Eclipse workbench, and Rational Application Developer for WebSphere Software (RAD). This allows software developers to find and take action on vulnerabilities during the development process. The Eclipse plug-in allows you to scan source code for security vulnerabilities - and you can scan IBM MobileFirst Platform projects with the Eclipse plug-in. To enhance the value of AppScan Source within your organization, the products include these components: v AppScan Source Security Knowledgebase: In-context intelligence on each vulnerability, offering precise descriptions about the root cause, severity of risk, and actionable remediation advice. v AppScan Enterprise Server: Most AppScan Source products and components must communicate with an AppScan Enterprise Server. Without one, you can use AppScan Source for Development in local mode - but features such as custom rules, shared scan configurations, and shared filters will be unavailable. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. The server includes an optional Enterprise Console component. If your administrator installs this component, you can publish assessments to it from AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface (CLI). The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards. Note: AppScan Enterprise Server is not supported on OS X. If you have a basic server license, the server may only be accessed by up to ten (10) concurrent connections from AppScan products. With a premium server license, unlimited connections are allowed. Copyright IBM Corp. 2003,

10 Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either soliddb or Oracle). This Software Offering does not use cookies or other technologies to collect personally identifiable information. Translated national languages The AppScan Source user interfaces are available in these languages: v English v Brazilian Portuguese v Simplified Chinese v Traditional Chinese v German v Spanish v French v Italian v Japanese v Korean v Russian United States government regulation compliance Compliance with United States government security and information technology regulations help to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that IBM is working to make their products the most secure in the industry. This topic lists the standards and guidelines that AppScan Source supports. v Internet Protocol Version 6 (IPv6) v Federal Information Processing Standard (FIPS) v National Institute of Standards and Technology (NIST) Special Publication (SP) a on page 3 v Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB) on page 4 Internet Protocol Version 6 (IPv6) AppScan Source is enabled for IPv6, with these exceptions: v Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported. v IPv6 is not supported when connecting to Rational Team Concert. Federal Information Processing Standard (FIPS) On Windows and Linux platforms that are supported by AppScan Source, AppScan Source supports FIPS Publication 140-2, by using a FIPS validated cryptographic module and approved algorithms. On OS X platforms that are supported by AppScan Source, manual steps are needed to operate in FIPS mode. 2 IBM Security AppScan Source for Analysis: User Guide

11 To learn background information about AppScan Source FIPS compliance - and to learn how to enable and disable AppScan Source FIPS mode, see these technotes: v Operating AppScan Source version 8.7 or later in FIPS mode on OS X v How to enable/disable/verify FIPS mode in AppScan Source (Linux and Windows) v Background information about AppScan Source version 8.7 or later FIPS support National Institute of Standards and Technology (NIST) Special Publication (SP) a NIST SP A guidelines provide cryptographic key management guidance. These guidelines include: v Key management procedures. v How to use cryptographic algorithms. v Algorithms to use and their minimum strengths. v Key lengths for secure communications. Government agencies and financial institutions use the NIST SP A guidelines to ensure that the products conform to specified security requirements. NIST SP A is supported only when AppScan Source is operating in FIPS mode. To learn about enabling and disabling AppScan Source FIPS mode, see Federal Information Processing Standard (FIPS) on page 2. Important: If the AppScan Enterprise Server that you will connect to is enabled for NIST a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail. v If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations on page 286)). In this file, locate this setting: <Setting name="tls_protocol_version" read_only="false" default_value="0" value="0" description="minor Version of the TLS Connection Protocol" type="text" display_name="tls Protocol Version" display_name_id="" available_values="0:1:2" hidden="false" force_upgrade="false" /> In the setting, change value="0" to value="2" and then save the file. v If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the IBM Security AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server. Chapter 1. Introduction to AppScan Source for Analysis 3

12 Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB) AppScan Source supports scanning applications on Windows 7 machines that are configured with the USGCB specification. Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational ClearQuest. What's New in AppScan Source Explore these new features that have been added to AppScan Source - and note any features and capabilities that have been deprecated in this release. v What's New in AppScan Source Version v What's New in AppScan Source Version on page 5 v What's New in AppScan Source Version on page 6 v What's New in AppScan Source Version on page 6 What's New in AppScan Source Version v New platform and integration solution support v Enhanced and new scanning support on page 5 v New installation file name for Windows on page 5 v Common Access Card (CAC) support on Windows on page 5 v DISA Application Security and Development STIG V3R10 report support on page 5 New platform and integration solution support As of AppScan Source Version : v Microsoft Windows 10 is now a supported operating system. This includes Windows 10 Education, Enterprise, and Pro editions. Note: On Windows 10, the AppScan Source installer (AppScanSrc_Installer.exe file) must be run in Windows 7 compatibility mode. On Windows 10, you must also set the AppScan_Uninstaller.exe file to run in Windows 7 compatibility mode before uninstalling AppScan Source. This file is located in <install_dir>\uninstall_appscan\appscan_uninstaller.exe (where <install_dir> is the location of your AppScan Source installation, as described in Installation and user data file locations on page 286). See for more information. Windows 10 support is affected by the issue described in v If you are connecting to an AppScan Enterprise Server Version or higher, the IBM Security AppScan Source Database can be installed to an Oracle 12c database. Important: If you have an existing installation of AppScan Source that utilizes an Oracle 11g database, and you want to upgrade to Oracle 12c, you must upgrade AppScan Source before upgrading the Oracle database. 4 IBM Security AppScan Source for Analysis: User Guide

13 v Tomcat 8 is now included in the installation of AppScan Source. v Visual Studio 2015 solution and project files can now be scanned in AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface. If you have.sln or.vcproj files that have been created in Visual Studio 2015, these files can be imported and scanned when using AppScan Source for Analysis, AppScan Source for Automation, or the AppScan Source command line interface on Windows. Note: Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2015 is not supported. v Xcode 7.3 for Objective-C (for ios applications only) is now a supported compiler on OS X (support for Xcode 7.3 is retroactive to AppScan Source Version ). Enhanced and new scanning support v PHP Versions 5.5 and 5.6 can now be scanned on Windows and Linux in IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI). v When using AppScan Source to method-level annotations are now supported. New installation file name for Windows On Windows, the installation file name has changed from setup.exe to AppScanSrc_Installer.exe. Common Access Card (CAC) support on Windows The Common Access Card ( is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel in the United States. It is used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems. The CAC can be used for access into computers and networks that are equipped with various smart card readers. When it is inserted into the reader, the device asks the user for a PIN. If you are running AppScan Source on Windows and connecting to an AppScan Enterprise Server Version ifix-001 or higher that is enabled for Common Access Card (CAC) authentication, AppScan Source now supports CAC authentication. DISA Application Security and Development STIG V3R10 report support AppScan Source now supports the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) V3R10 report. What's New in AppScan Source Version AppScan Source and AppScan Enterprise version compatibility Some versions of AppScan Source no longer require that AppScan Source and AppScan Enterprise version and release levels match when publishing to the Chapter 1. Introduction to AppScan Source for Analysis 5

14 AppScan Enterprise Console. See docview.wss?uid=swg to learn which versions of AppScan Source and AppScan Enterprise are compatible when publishing assessments. This change is retroactive to some previous versions of AppScan Source, as described in What's New in AppScan Source Version v New integration solution support v Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI) New integration solution support As of AppScan Source Version : v Tomcat 8 is now supported for compiling Java and JSP. Note: Operating system support is dependent on the operating system supported by individual compilers. v Xcode 7.0, 7.1, and 7.2 for Objective-C (for ios applications only) are now supported compilers on OS X. Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI) The openapplication (oa) command in the CLI can now be used to open WAR and EAR files. In addition, these files can be scanned in AppScan Source for Automation using the ScanApplication command. What's New in AppScan Source Version v New platform and integration solution support v Scan configuration enhancements on page 7 v New rule attributes allow you to identify high severity definitive security findings more accurately on page 7 v Automatic lost sink resolution allows for better scan results on page 8 v Enhanced and new scanning support on page 8 v Capabilities and features that are no longer supported in AppScan Source Version on page 9 New platform and integration solution support As of AppScan Source Version 9.0.3, these operating systems are supported: v Red Hat Enterprise Linux Version 6 Updates 6 and 7 v OS X Version Support for OS X Version is retroactive to AppScan Source Version 9.0.2, with the limitation described in support/docview.wss?uid=swg (this limitation only affects AppScan Source Version 9.0.2). In addition: v Xcode 6.3 and 6.4 for Objective-C (for ios applications only) are now supported compilers on OS X (support for Xcode 6.3 and 6.4 is retroactive to AppScan Source Version 9.0.2). Note that some limitations exist for Xcode 6.3 and IBM Security AppScan Source for Analysis: User Guide

15 support. Please see docview.wss?uid=swg for details. These limitations do not apply to AppScan Source Version and higher. v The AppScan Source for Development Eclipse plug-in now integrates with IBM MobileFirst Platform Foundation Version 7.1. You can now scan IBM MobileFirst Platform Version 7.1 projects, applications, environments, and HTML files in AppScan Source products. v Rational Application Developer for WebSphere Software (RAD) Version project files and workspaces can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Version v Eclipse Version 4.5 project files and workspaces (Java and IBM MobileFirst Platform only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to Eclipse Version 4.5. v IBM WebSphere Application Server Version is now supported for compiling Java and JSP. Note: Operating system support is dependent on the operating system supported by individual compilers. Scan configuration enhancements The Scan Configuration view has been redesigned and now offers these key features: v The ability to specify filters. v Setting the type of analysis to perform during a scan. This includes taint-flow analysis and pattern-based analysis. AppScan Source now includes these built-in scan configurations: Web preview scan, Web quick scan, Web balanced scan, and Web deep scan New rule attributes allow you to identify high severity definitive security findings more accurately This release of AppScan Source introduces the Attribute.Likelihood.High and Attribute.Likelihood.Low attributes. These attributes have been added to the built-in rules and can also be used when creating custom rules. In AppScan Source, likelihood represents the probability or chance that a security finding can be exploited. AppScan Source takes the definition of likelihood that is presented at OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood, and refines it by determining likelihood based on trace properties. Given a set of trace properties - for example, Source API name, Source API type, Source Technology, or Source Mechanism - AppScan Source determines the likelihood that a trace can or will be exploited using a specific vulnerability in the future. Likelihood is tied to the source element of a trace. A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is unchecked, it is considered a source of taint. Likelihood examples include: Chapter 1. Introduction to AppScan Source for Analysis 7

16 v Given a trace with an HTTP source (for example, Request.getQueryString) and a cross-site scripting sink (for example, Response.write), a high likelihood is determined, thereby raising the confidence of the finding. v Given a trace with a system property source (for example, getproperty) and a cross-site scripting sink (for example, Response.write), a low likelihood is determined, thereby lowering the confidence of the finding. Likelihood is used to identify high priority actionable findings that must be acted on or fixed immediately. It is tied to highly-exploitable sources of taint and can provide you with a more fine-grained approach for classifying findings. Likelihood is stored as an attribute that is tied to a source of taint, in the AppScan Source vulnerability database. The feature is available out-of-the-box. We have conducted extensive research in order to determine the likelihood factor for sources. Using the Custom Rules Wizard, you can add likelihood information to new sources of taint that you add to your rule base. This will improve the classification of findings generated from a scan and, in turn, improve the efficiency of your overall triage workflow. In the Custom Rules Wizard, there are two values (High and Low) that you can set for the Likelihood property. A value of High means that the source is very susceptible to taint. In other words, the barrier to taint entering the system is very low making it easy for attackers to submit malicious data either manually or in an automated fashion. A value of Low means that the barrier to entering malicious data through this source is very high. This could mean that in order for taint to be introduced to the source, an attacker would have to have insider knowledge of the system and have permissions to operate on the victim's network. Note: As a result of these rule attributes, if you have generated assessments in previous versions of AppScan Source, you may find that findings classifications for the same source has changed when it is scanned in Version For more information, and to learn how to disable these rule attributes, see the migration considerations regarding these changes. Automatic lost sink resolution allows for better scan results AppScan Source now tries to resolve lost sinks in traces by automatically inferring markup for lost sink methods such as getters, setters, and methods that return boolean values. This allows for a more thorough analysis of your code and improved lost sink resolution. Note: As a result of this feature, if you have generated assessments in previous versions of AppScan Source, you may notice a change in findings results for lost sinks that were not resolved. For more information, and to learn how to disable automatic markup generation, see the migration considerations regarding these changes. Enhanced and new scanning support v PHP Version 5.4 can now be scanned on Windows and Linux in IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI). v AppScan Source now includes built-in support for the Spring MVC 4 framework. v Java scanning optimizations: 8 IBM Security AppScan Source for Analysis: User Guide

17 When scanning JavaServer Pages, you now have the option of scanning precompiled class files instead of compiling them during a scan. To scan precompiled class files in the AppScan Source for Development Eclipse plug-in, configure your project for security scanning (select Security Analysis > Configure Scan > Configure Projects for Security) and select the Precompiled classes check box. To scan precompiled class files in IBM Security AppScan Source for Analysis, select the Precompiled classes check box in one of these locations: - The Project Dependencies tab in the project properties. - The Java Project Dependencies page when creating a new project or application. When scanning Java, AppScan Source will now scan Java files and Java byte code with missing dependencies or compilation errors. If there are missing dependencies or compilation errors, information about them will be written to a log file. With this information, you can then add the dependencies to your project properties, re-scan, and achieve full coverage for scan results. v As of AppScan Source Version 9.0.3, header locations and configuration options are determined more accurately when Xcode projects are imported and scanned. This change introduces the use of xcodebuild -dry-run to obtain every file's build configuration, so there may be a pause at the beginning of scans while AppScan Source determines file configurations before proceeding. Capabilities and features that are no longer supported in AppScan Source Version As of AppScan Source Version 9.0.3: v OS X Version 10.8 is no longer a supported operating system. v Xcode Version 4.6 is no longer supported. Scanning Objective-C projects with this version of Xcode is no longer supported. v Eclipse Version 3.6 and 3.7 project files and workspaces are no longer supported - and the AppScan Source for Development (Eclipse plug-in) can no longer be applied to Eclipse Versions 3.6 and 3.7. v Rational Application Developer for WebSphere Software (RAD) Version 8.0.x project files and workspaces are no longer supported - and the IBM Security AppScan Source for Development plug-in for IBM Rational Application Developer for WebSphere Software (RAD) can no longer be applied to RAD Version 8.0.x. v IBM Rational Team Concert Versions 3.0 and are no longer supported defect tracking systems. v WebSphere Application Server Version 6.1 is no longer a supported application server. v Support for scanning PHP Versions 4.x up to 5.2 is deprecated. Migrating to the current version of AppScan Source This topic contains migration information for changes that have gone into this version of AppScan Source. If you are upgrading from an older version of AppScan Source, be sure to note the changes for the version of AppScan Source that you are upgrading and all versions leading up to this current version. v Migrating from Version on page 10 v Migrating from Version 9.0 on page 11 v Migrating from Version 8.7 on page 11 Chapter 1. Introduction to AppScan Source for Analysis 9

18 Migrating from Version v New rule attributes may result in findings classification changes in existing scans v Automatic lost sink generation New rule attributes may result in findings classification changes in existing scans After Version 9.0.2, Attribute.Likelihood.High and Attribute.Likelihood.Low rule attributes were introduced. When these attributes are used, AppScan Source can more accurately determine if findings are definitive and/or suspect. As a result, if you scan source code in AppScan Source Version or earlier, you may find that some findings classifications will change when the same source code is scanned in product versions after This will be most noticeable for findings related to highly exploitable web sources - or for property or environment sources that are less exploitable. These rule attributes are used by default. You can disable them, as follows: 1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations on page 286). Locate the allow_likelihood setting in the file. This setting will look similar to: <Setting name="allow_likelihood" value="true" default_value="true" description="allow the processing of the Likelihood attributes to help determine trace confidence based on the source API" display_name="allow Likelihood" type="bool" /> In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan Source will not use these rule attributes during scans. 2. Save the file after you have modified this setting and start or restart AppScan Source. Automatic lost sink generation After Version 9.0.2, automatic lost sink resolution was introduced for traces that end in getters/setters and methods that return boolean values. This is done by automatically inferring markup for these application programming interfaces (API). As a result, if you scan source code in AppScan Source Version or earlier, you may notice changes in findings results that contained unresolved lost sinks when the same source code is scanned in product versions after Automatic markup generation is on by default. You can disable it if you want to use other means of lost sink resolution such as custom rules, as follows: 1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations on page 286). Locate the automatic_lost_sink_resolution setting in the file. This setting will look similar to: 10 IBM Security AppScan Source for Analysis: User Guide

19 <name="automatic_lost_sink_resolution" value="true" default_value="true" description="this setting tries to perform automatic lost sink resolution by assuming taint propagation for getters, setters and APIs which return boolean with no arguments." display_name="auto Lost Sink Resolution" type="bool" /> In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan Source will not automatically generate markup for these methods. 2. Save the file after you have modified this setting and start or restart AppScan Source. Migrating from Version 9.0 AppScan Enterprise Server authentication: Migration considerations for replacement of the IBM Rational Jazz user authentication component with IBM WebSphere Liberty v Migrating from an Enterprise Server that only has local Jazz users: In this upgrade scenario, the former Jazz users will appear in the AppScan Source Database as AppScan Enterprise Server users, however, they will not be valid. These users can be removed from the Database - or they can be converted to AppScan Source users if you follow the instructions in support/docview.wss?uid=swg for enabling that conversion. v Migrating from an Enterprise Server that was configured with LDAP: During the Enterprise Server upgrade, you have the option of configuring the Enterprise Server with LDAP again. If you do this, existing users will still work in AppScan Source. v Migrating from an Enterprise Server that was configured with Windows authentication: If your Enterprise Server was configured with Windows authentication, existing users will work in AppScan Source, provided the new Enterprise Server Liberty is configured to use Windows authentication. Migrating from Version 8.7 v Changes to findings classifications v Default settings changes that will improve scan coverage on page 12 v Restoring AppScan Source predefined filters from previous versions on page 13 Changes to findings classifications After Version 8.7, findings classifications changed. This table lists the old classifications mapped to the new classifications: Table 1. Findings classification changes Findings classifications prior to AppScan Source Version 8.8 Vulnerability Type I Exception Type II Exception Classifications as of AppScan Source Version 8.8 Definitive security finding Suspect security finding Scan coverage finding Chapter 1. Introduction to AppScan Source for Analysis 11

20 An example of these changes can be seen in the Vulnerability Matrix view. As of Version 8.8, the view looks like this: Default settings changes that will improve scan coverage As of AppScan Source Version 8.8: v The default value of show_informational_findings in scan.ozsettings has changed from true to false. v The default value of wafl_globals_tracking in ipva.ozsettings has changed from false to true. This setting enables AppScan Source to find dataflow between different components of a framework-based application (for example, dataflow from a controller to a view). The change to show_informational_findings will result in assessments not including findings with a severity level of Info by default. 12 IBM Security AppScan Source for Analysis: User Guide

21 Note: If you have scan configurations that were created prior to Version 8.8 that did not explicitly set values for these settings, the scan configurations will now use their new default values. Restoring AppScan Source predefined filters from previous versions In AppScan Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan Source (archived filters are listed in AppScan Source predefined filters (Version 8.7.x and earlier) on page 132), follow the instructions in Restoring archived predefined filters on page 133. AppScan Source for Analysis overview Workflow AppScan Source for Analysis is a tool for analyzing code and providing specific information about source code vulnerabilities in critical systems. AppScan Source for Analysis lets you centrally manage your software risk across multiple applications, or even your entire portfolio. You can scan source code, triage, and eliminate vulnerabilities before they become a liability to your organization. AppScan Source for Analysis provides audit and quality assurance teams with tools to scan source code, triage results, and submit flaws to defect tracking systems. Armed with in-context intelligence from the AppScan Source Security Knowledgebase, analysts, auditors, managers, and developers can: v Scan selected source code on-demand to locate critical vulnerabilities v Receive precise remediation advice and invoke their preferred development environment and code editor directly from analysis v Trace tainted data through a precise, interactive call graph from input to output v Enforce coding policies, verifying approved input validation and encoding routines through AppScan Source trace v Learn and implement secure programming best practices during software development After installation, deployment, and user management, the AppScan Source workflow consists of these basic steps. 1. Set security requirements: A manager or security expert defines vulnerabilities and how to judge criticality. 2. Configure applications: Organize applications and projects. 3. Scan: Run the analysis against the target application to identify vulnerabilities. 4. Triage and analyze results: Security-minded staff study results to prioritize remediation workflow and separate real vulnerabilities from potential ones, allowing triage on critical issues to begin immediately. Isolate the issues you need to fix first. 5. Customize the Knowledgebase: Customize the AppScan Source Security Knowledgebase to address internal policies. 6. Publish scan results: Add scan results to the AppScan Source Database or publish them to the AppScan Enterprise Console. Chapter 1. Introduction to AppScan Source for Analysis 13

22 7. Assign remediation tasks: Assign defects to the development team to resolve vulnerabilities. 8. Resolve issues: Eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions. 9. Verify fixes: The code is scanned again to assure that vulnerabilities are eliminated. Configure AppScan Source for Analysis Monitor Enterprise Console Scan AppScan Source for Analysis AppScan Source for Automation AppScan Source for Development Triage AppScan Source for Analysis AppScan Enterprise Server Remediate AppScan Source for Analysis AppScan Source for Remediation AppScan Source for Development Assign AppScan Source for Analysis Important concepts Before you begin to use or administer AppScan Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis. AppScan Source for Analysis scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application. Applications, their attributes, and projects are created and organized in AppScan Source for Analysis: v Applications: An application contains one or more projects and their related attributes. v Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application. v Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan Source for Analysis. The principal activity of AppScan Source for Analysis is to scan source code and analyze vulnerabilities. Assessments provide an analysis of source code for vulnerabilities including: 14 IBM Security AppScan Source for Analysis: User Guide

23 v Severity: High, medium, or low, indicating the level of risk v Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow v File: Code file in which the finding exists v API/Source: The vulnerable call, showing the API and the arguments passed to it v Method: Function or method from which the vulnerable call is made v Location: Line and column number in the code file that contains the vulnerable API v Classification: Security finding or scan coverage finding. For more information, see Classifications. Classifications Findings are classified by AppScan Source to indicate whether they are security or scan coverage findings. Security findings represent actual or likely security vulnerabilities - whereas scan coverage findings represent areas where configuration could be improved to provide better scan coverage. Each finding falls into one of these classifications: v Definitive security finding: A finding that contains a definitive design, implementation, or policy violation that presents an opportunity for an attacker to cause the application to operate in an unintended fashion. This attack could result in unauthorized access, theft, or corruption of data, systems, or resources. Every definitive security finding is fully articulated, and the specific underlying pattern of the vulnerable condition is known and described. v Suspect security finding: A finding that indicates a suspicious and potentially vulnerable condition that requires additional information or investigation. A code element or structure that can create a vulnerability when used incorrectly. A suspect finding differs from a definitive finding because there is some unknown condition that prevents a conclusive determination of vulnerability. Examples of this uncertainty can be the use of dynamic elements, or of library functions for which the source code is not available. As a result, there is an additional level of research that is required to confirm or reject a suspect finding as definitive. v Scan coverage finding: Findings that represent areas where configuration could be improved to provide better scan coverage (for example, lost sink findings). Note: In some cases, a classification of None may be used to denote a classification that is neither a security finding nor a scan coverage finding. Logging in to AppScan Enterprise Server from AppScan Source products Most AppScan Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. When you launch AppScan Source for Analysis, you are prompted to authenticate to an AppScan Enterprise Server. If you are running AppScan Source for Development in server mode, you are prompted to authenticate to an AppScan Chapter 1. Introduction to AppScan Source for Analysis 15