IBM Security AppScan Source for Analysis Version 9.0.3.3. User Guide IBM

IBM Security AppScan Source for Analysis Version 9.0.3.3 User Guide IBM

IBM Security AppScan Source for Analysis Version 9.0.3.3 User Guide IBM

(C) Copyright IBM Corp. and its licensors 2003, 2016. All Rights Reserved. IBM, the IBM logo, ibm.com Rational, AppScan, Rational Team Concert, WebSphere and ClearQuest are trademarks or registered trademarks of International Business Machines Corp. registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at http://www.ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. This program includes: Jacorb 2.3.0, Copyright 1997-2006 The JacORB project; and XOM1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the Gnu Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program.

Contents Chapter 1. Introduction to AppScan Source for Analysis.......... 1 Introduction to IBM Security AppScan Source... 1 United States government regulation compliance. 2 What's New in AppScan Source........ 4 What's New in AppScan Source Version 9.0.3.3.. 4 What's New in AppScan Source Version 9.0.3.2.. 5 What's New in AppScan Source Version 9.0.3.1.. 6 What's New in AppScan Source Version 9.0.3.. 6 Migrating to the current version of AppScan Source 9 Migrating from Version 9.0.2........ 10 Migrating from Version 9.0........ 11 Migrating from Version 8.7........ 11 AppScan Source for Analysis overview..... 13 Workflow............... 13 Important concepts............ 14 Classifications............ 15 Logging in to AppScan Enterprise Server from AppScan Source products......... 15 Enabling Common Access Card (CAC) authentication............ 17 Changing AppScan Source user passwords... 19 AppScan Enterprise Server SSL certificates... 19 AppScan Source and accessibility....... 20 Notices................ 20 Copyright............... 23 Chapter 2. Configuring applications and projects............ 25 AppScan Source application and project files... 25 Configuring applications.......... 28 Creating a new application with the New Application Wizard........... 29 Using the Application Discovery Assistant to create applications and projects....... 30 Adding an existing application....... 33 Adding multiple applications....... 34 Importing existing Java applications from Apache Tomcat and WebSphere Application Server Liberty profile application servers...... 35 Adding an Eclipse or Eclipse-based product workspace.............. 37 Configuring your development environment for Eclipse and Rational Application Developer for WebSphere Software (RAD) projects...... 38 Eclipse or Application Developer updates... 38 Eclipse workspace importers: Eclipse or Rational Application Developer for WebSphere Software (RAD) preference configuration....... 39 Creating a new project for an application.... 39 Adding an existing project........ 40 Adding multiple projects......... 42 Adding a new Arxan project........ 43 Adding a new ASP project........ 44 Adding a new C/C++ project....... 45 Adding a new COBOL project....... 47 Adding a new ColdFusion project...... 47 Adding a new Java or JavaServer Page (JSP) project............... 48 Adding a new JavaScript project...... 55 Adding a new.net Assembly project.... 56 Adding a new Pattern Based project..... 56 Adding a new Perl project........ 57 PHP project configuration........ 58 Adding a new PL/SQL project....... 68 Adding a new T-SQL project....... 68 Adding a new Visual Basic project...... 69 Copying projects............ 70 Modifying application and project properties... 70 Global attributes............. 71 Application attributes........... 71 Removing applications and projects...... 72 Explorer view............. 72 Chapter 3. Preferences........ 79 General preferences............ 79 AppScan Enterprise Console preferences..... 81 Application server preferences for JavaServer Page compilation.............. 83 Tomcat............... 83 WebLogic 8, 9, 11, and 12......... 83 WebSphere Application Server....... 84 Defining variables............ 85 Enabling defect tracking with preferences.... 85 Rational ClearQuest preferences...... 86 Quality Center preferences........ 87 Rational Team Concert preferences..... 89 Team Foundation Server preferences..... 90 Eclipse workspace importers: Eclipse or Rational Application Developer for WebSphere Software (RAD) preference configuration........ 90 Email................ 91 Java and JavaServer Pages......... 91 Knowledgebase articles.......... 92 Project file extensions........... 92 Chapter 4. Scanning source code and managing assessments....... 95 Scanning source code........... 95 Scanning all applications......... 95 Scanning one or more applications..... 96 Scanning one or more projects....... 96 Scanning one or more files........ 96 Re-scanning code........... 97 Scan considerations........... 97 Managing scan configurations....... 99 Excluding a file from a scan....... 105 Cancelling or stopping a scan....... 106 Copyright IBM Corp. 2003, 2016 iii

AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux...... 107 Managing My Assessments......... 107 Publishing assessments.......... 108 Registering applications and projects for publishing to AppScan Source....... 108 Publishing assessments to AppScan Source.. 109 Publishing assessments to the AppScan Enterprise Console.......... 110 Saving assessments........... 114 Automatically saving assessments..... 114 Removing assessments from My Assessments.. 115 Defining variables............ 115 Defining variables when publishing and saving 116 Example: Defining variables....... 116 Chapter 5. Triage and analysis.... 119 Displaying findings........... 120 The AppScan Source triage process...... 122 Sample triage............. 123 Triage with filters............ 125 Using AppScan Source predefined filters... 129 Creating and managing filters....... 134 Applying filters........... 139 Triage with exclusions.......... 141 The scope of exclusions......... 141 Specifying exclusions.......... 141 Marking findings as exclusions in a findings table............... 142 Re-including findings that have been marked as exclusions............. 142 Example: Specifying filter exclusions.... 142 Specifying bundle exclusions from the Properties view............ 143 Triage with bundles........... 144 Creating bundles........... 144 Adding findings to existing bundles..... 145 Viewing findings in bundles....... 146 Saving bundles to file......... 146 Submitting bundles to defect tracking and by email............... 147 Adding notes to bundles........ 147 Modifying findings........... 147 Making modifications from a findings table.. 148 Modifying findings in the Finding Detail view 149 Removing finding modifications...... 151 Comparing findings........... 152 Comparing two assessments in the Assessment Diff view.............. 152 Comparing two assessments from the main menu bar.............. 152 Finding differences between assessments in the My Assessments and Published Assessments views............... 153 Custom findings............ 153 Creating a custom finding in the Properties view............... 154 Creating custom findings in a findings view.. 155 Creating custom findings in the source code editor............... 156 Resolving security issues and viewing remediation assistance............... 156 Analyzing source code in an editor..... 157 Supported annotations and attributes..... 158 Chapter 6. AppScan Source trace... 161 AppScan Source trace scan results...... 161 Validation and encoding......... 162 Searching AppScan Source traces...... 162 Input/output tracing........... 163 Using the Trace view........... 163 Input/output stacks in the Trace view.... 164 Analyzing source code in an editor..... 166 Validation and encoding scope....... 167 Creating custom rules from an AppScan Source trace................ 168 Code examples for tracing......... 170 Example 1: From source to sink...... 170 Example 2: Modified from source to sink... 171 Example 3: Different source and sink files... 176 Example 4: Validation in depth...... 177 Chapter 7. AppScan Source for Analysis and defect tracking..... 179 Enabling defect tracking with preferences.... 179 Rational ClearQuest preferences...... 179 Quality Center preferences........ 180 Rational Team Concert preferences..... 182 Team Foundation Server preferences..... 183 Integrating HP Quality Center and AppScan Source for Analysis.............. 183 Submitting findings to Quality Center.... 183 Tracking findings submitted to Quality Center 184 AppScan Source finding information in Quality Center............... 184 Integrating Rational ClearQuest and AppScan Source for Analysis........... 184 Submitting findings to Rational ClearQuest.. 185 Submitting defects to Rational ClearQuest... 185 Integrating Rational Team Concert and AppScan Source for Analysis........... 185 Submitting defects to Rational Team Concert 186 Rational Team Concert SSL certificates.... 186 Integrating Microsoft Team Foundation Server and AppScan Source for Analysis........ 187 Submitting defects to Microsoft Team Foundation Server........... 187 Working with submitted defects....... 188 Submitting bundles to defect tracking and by email 188 Tracking defects through email (sending findings by email)............... 188 Chapter 8. Findings reports and audit reports.............. 191 Creating findings reports......... 191 AppScan Source reports.......... 193 Creating an AppScan Source custom report.. 194 CWE/SANS Top 25 2011 report...... 195 DISA Application Security and Development STIG V3R10 report.......... 195 iv IBM Security AppScan Source for Analysis: User Guide

Open Web Application Security Project (OWASP) Top 10 2013 report....... 195 Open Web Application Security Project (OWASP) Mobile Top 10 report...... 196 Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 report....... 196 Software Security Profile report...... 196 Chapter 9. Creating custom reports 197 Report Editor............. 197 Report Layout tab........... 198 Categories tab............ 199 Preview tab............. 200 Generating custom reports......... 201 Designing a report from an existing custom report............... 201 Including categories in the report...... 201 Previewing the report......... 202 Saving the report template........ 202 Chapter 10. Customizing the vulnerability database and pattern rules............... 203 Extending the AppScan Source Security Knowledgebase............. 203 Creating custom rules......... 204 Using the Custom Rules wizard...... 204 Likelihood rule attributes........ 209 Customizing input/output tracing through AppScan Source trace.......... 210 Customizing with pattern-based rules..... 210 Pattern rule sets........... 210 Pattern rules............. 212 Applying pattern rules and rule sets..... 216 Chapter 11. Extending the application server import framework...... 227 Chapter 12. AppScan Source for Analysis samples......... 231 Chapter 13. The AppScan Source for Analysis work environment..... 233 The AppScan Source for Analysis workbench... 233 Main menu.............. 235 File menu............. 235 Edit menu............. 239 Scan menu............. 240 Tools menu............. 241 Admin menu............ 241 View menu............. 242 Perspective menu........... 242 Help menu............. 243 Toolbars............... 243 Hover help.............. 243 Status bar.............. 244 Chapter 14. Views......... 245 Configuration views........... 245 Custom Rules view.......... 245 Explorer view............ 245 Pattern Rule Library view........ 250 Properties view............ 251 Scan Configuration view........ 259 Report Editor............ 261 Views that assist with scan output...... 265 Console view............ 265 Metrics view............ 265 My Assessments view......... 266 Published Assessments view....... 267 Views that assist with triage........ 268 Assessment Diff view......... 268 Custom Findings view......... 268 Views with findings.......... 269 Sources and Sinks view......... 276 Views that allow you to investigate a single finding 277 Finding Detail view.......... 277 Remediation Assistance view....... 279 Trace view............. 280 Views that allow you to work with assessments 281 Assessment Summary view........ 281 Filter Editor view........... 282 Vulnerability Matrix view........ 283 Bundles view............. 285 Bundle view............. 285 Glossary............. 291 A................. 291 B................. 291 C................. 291 D................. 292 E................. 292 F................. 292 L................. 292 P................. 292 R................. 292 S................. 292 T................. 293 V................. 293 W................. 293 X................. 293 Notices.............. 295 Index............... 299 Contents v

vi IBM Security AppScan Source for Analysis: User Guide

Chapter 1. Introduction to AppScan Source for Analysis This section describes how AppScan Source for Analysis fits into the total AppScan Source solution and provides a basis for understanding the software assurance workflow. Introduction to IBM Security AppScan Source IBM Security AppScan Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop. The product set includes: v AppScan Source for Analysis: Workbench to configure applications and projects, scan code, analyze, triage, and take action on priority vulnerabilities. v AppScan Source for Automation: Allows you to automate key aspects of the AppScan Source workflow and integrate security with build environments during the software development life cycle. v AppScan Source for Development: Developer plug-ins integrate many AppScan Source for Analysis features into Microsoft Visual Studio, the Eclipse workbench, and Rational Application Developer for WebSphere Software (RAD). This allows software developers to find and take action on vulnerabilities during the development process. The Eclipse plug-in allows you to scan source code for security vulnerabilities - and you can scan IBM MobileFirst Platform projects with the Eclipse plug-in. To enhance the value of AppScan Source within your organization, the products include these components: v AppScan Source Security Knowledgebase: In-context intelligence on each vulnerability, offering precise descriptions about the root cause, severity of risk, and actionable remediation advice. v AppScan Enterprise Server: Most AppScan Source products and components must communicate with an AppScan Enterprise Server. Without one, you can use AppScan Source for Development in local mode - but features such as custom rules, shared scan configurations, and shared filters will be unavailable. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. The server includes an optional Enterprise Console component. If your administrator installs this component, you can publish assessments to it from AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface (CLI). The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards. Note: AppScan Enterprise Server is not supported on OS X. If you have a basic server license, the server may only be accessed by up to ten (10) concurrent connections from AppScan products. With a premium server license, unlimited connections are allowed. Copyright IBM Corp. 2003, 2016 1

Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either soliddb or Oracle). This Software Offering does not use cookies or other technologies to collect personally identifiable information. Translated national languages The AppScan Source user interfaces are available in these languages: v English v Brazilian Portuguese v Simplified Chinese v Traditional Chinese v German v Spanish v French v Italian v Japanese v Korean v Russian United States government regulation compliance Compliance with United States government security and information technology regulations help to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that IBM is working to make their products the most secure in the industry. This topic lists the standards and guidelines that AppScan Source supports. v Internet Protocol Version 6 (IPv6) v Federal Information Processing Standard (FIPS) v National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a on page 3 v Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB) on page 4 Internet Protocol Version 6 (IPv6) AppScan Source is enabled for IPv6, with these exceptions: v Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported. v IPv6 is not supported when connecting to Rational Team Concert. Federal Information Processing Standard (FIPS) On Windows and Linux platforms that are supported by AppScan Source, AppScan Source supports FIPS Publication 140-2, by using a FIPS 140-2 validated cryptographic module and approved algorithms. On OS X platforms that are supported by AppScan Source, manual steps are needed to operate in FIPS 140-2 mode. 2 IBM Security AppScan Source for Analysis: User Guide

To learn background information about AppScan Source FIPS compliance - and to learn how to enable and disable AppScan Source FIPS 140-2 mode, see these technotes: v Operating AppScan Source version 8.7 or later in FIPS 140-2 mode on OS X v How to enable/disable/verify FIPS 140-2 mode in AppScan Source (Linux and Windows) v Background information about AppScan Source version 8.7 or later FIPS 140-2 support National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a NIST SP 800-131A guidelines provide cryptographic key management guidance. These guidelines include: v Key management procedures. v How to use cryptographic algorithms. v Algorithms to use and their minimum strengths. v Key lengths for secure communications. Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that the products conform to specified security requirements. NIST SP 800-131A is supported only when AppScan Source is operating in FIPS 140-2 mode. To learn about enabling and disabling AppScan Source FIPS 140-2 mode, see Federal Information Processing Standard (FIPS) on page 2. Important: If the AppScan Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail. v If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations on page 286)). In this file, locate this setting: <Setting name="tls_protocol_version" read_only="false" default_value="0" value="0" description="minor Version of the TLS Connection Protocol" type="text" display_name="tls Protocol Version" display_name_id="" available_values="0:1:2" hidden="false" force_upgrade="false" /> In the setting, change value="0" to value="2" and then save the file. v If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the IBM Security AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server. Chapter 1. Introduction to AppScan Source for Analysis 3

Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB) AppScan Source supports scanning applications on Windows 7 machines that are configured with the USGCB specification. Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational ClearQuest. What's New in AppScan Source Explore these new features that have been added to AppScan Source - and note any features and capabilities that have been deprecated in this release. v What's New in AppScan Source Version 9.0.3.3 v What's New in AppScan Source Version 9.0.3.2 on page 5 v What's New in AppScan Source Version 9.0.3.1 on page 6 v What's New in AppScan Source Version 9.0.3 on page 6 What's New in AppScan Source Version 9.0.3.3 v New platform and integration solution support v Enhanced and new scanning support on page 5 v New installation file name for Windows on page 5 v Common Access Card (CAC) support on Windows on page 5 v DISA Application Security and Development STIG V3R10 report support on page 5 New platform and integration solution support As of AppScan Source Version 9.0.3.3: v Microsoft Windows 10 is now a supported operating system. This includes Windows 10 Education, Enterprise, and Pro editions. Note: On Windows 10, the AppScan Source installer (AppScanSrc_Installer.exe file) must be run in Windows 7 compatibility mode. On Windows 10, you must also set the AppScan_Uninstaller.exe file to run in Windows 7 compatibility mode before uninstalling AppScan Source. This file is located in <install_dir>\uninstall_appscan\appscan_uninstaller.exe (where <install_dir> is the location of your AppScan Source installation, as described in Installation and user data file locations on page 286). See http://www.ibm.com/support/docview.wss?uid=swg21696098 for more information. Windows 10 support is affected by the issue described in http://www.ibm.com/support/docview.wss?uid=swg21689814. v If you are connecting to an AppScan Enterprise Server Version 9.0.3.1 or higher, the IBM Security AppScan Source Database can be installed to an Oracle 12c database. Important: If you have an existing installation of AppScan Source that utilizes an Oracle 11g database, and you want to upgrade to Oracle 12c, you must upgrade AppScan Source before upgrading the Oracle database. 4 IBM Security AppScan Source for Analysis: User Guide

v Tomcat 8 is now included in the installation of AppScan Source. v Visual Studio 2015 solution and project files can now be scanned in AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface. If you have.sln or.vcproj files that have been created in Visual Studio 2015, these files can be imported and scanned when using AppScan Source for Analysis, AppScan Source for Automation, or the AppScan Source command line interface on Windows. Note: Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2015 is not supported. v Xcode 7.3 for Objective-C (for ios applications only) is now a supported compiler on OS X (support for Xcode 7.3 is retroactive to AppScan Source Version 9.0.3.2). Enhanced and new scanning support v PHP Versions 5.5 and 5.6 can now be scanned on Windows and Linux in IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI). v When using AppScan Source to scan Java, @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are now supported. New installation file name for Windows On Windows, the installation file name has changed from setup.exe to AppScanSrc_Installer.exe. Common Access Card (CAC) support on Windows The Common Access Card (http://www.cac.mil) is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel in the United States. It is used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems. The CAC can be used for access into computers and networks that are equipped with various smart card readers. When it is inserted into the reader, the device asks the user for a PIN. If you are running AppScan Source on Windows and connecting to an AppScan Enterprise Server Version 9.0.3.1 ifix-001 or higher that is enabled for Common Access Card (CAC) authentication, AppScan Source now supports CAC authentication. DISA Application Security and Development STIG V3R10 report support AppScan Source now supports the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) V3R10 report. What's New in AppScan Source Version 9.0.3.2 AppScan Source and AppScan Enterprise version compatibility Some versions of AppScan Source no longer require that AppScan Source and AppScan Enterprise version and release levels match when publishing to the Chapter 1. Introduction to AppScan Source for Analysis 5

AppScan Enterprise Console. See http://www.ibm.com/support/ docview.wss?uid=swg21975211 to learn which versions of AppScan Source and AppScan Enterprise are compatible when publishing assessments. This change is retroactive to some previous versions of AppScan Source, as described in http://www.ibm.com/support/docview.wss?uid=swg21975211. What's New in AppScan Source Version 9.0.3.1 v New integration solution support v Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI) New integration solution support As of AppScan Source Version 9.0.3.1: v Tomcat 8 is now supported for compiling Java and JSP. Note: Operating system support is dependent on the operating system supported by individual compilers. v Xcode 7.0, 7.1, and 7.2 for Objective-C (for ios applications only) are now supported compilers on OS X. Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI) The openapplication (oa) command in the CLI can now be used to open WAR and EAR files. In addition, these files can be scanned in AppScan Source for Automation using the ScanApplication command. What's New in AppScan Source Version 9.0.3 v New platform and integration solution support v Scan configuration enhancements on page 7 v New rule attributes allow you to identify high severity definitive security findings more accurately on page 7 v Automatic lost sink resolution allows for better scan results on page 8 v Enhanced and new scanning support on page 8 v Capabilities and features that are no longer supported in AppScan Source Version 9.0.3 on page 9 New platform and integration solution support As of AppScan Source Version 9.0.3, these operating systems are supported: v Red Hat Enterprise Linux Version 6 Updates 6 and 7 v OS X Version 10.11. Support for OS X Version 10.11 is retroactive to AppScan Source Version 9.0.2, with the limitation described in http://www.ibm.com/ support/docview.wss?uid=swg21968948 (this limitation only affects AppScan Source Version 9.0.2). In addition: v Xcode 6.3 and 6.4 for Objective-C (for ios applications only) are now supported compilers on OS X (support for Xcode 6.3 and 6.4 is retroactive to AppScan Source Version 9.0.2). Note that some limitations exist for Xcode 6.3 and 6.4 6 IBM Security AppScan Source for Analysis: User Guide

support. Please see http://www.ibm.com/support/ docview.wss?uid=swg21962208 for details. These limitations do not apply to AppScan Source Version 9.0.3.1 and higher. v The AppScan Source for Development Eclipse plug-in now integrates with IBM MobileFirst Platform Foundation Version 7.1. You can now scan IBM MobileFirst Platform Version 7.1 projects, applications, environments, and HTML files in AppScan Source products. v Rational Application Developer for WebSphere Software (RAD) Version 9.1.1 project files and workspaces can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Version 9.1.1. v Eclipse Version 4.5 project files and workspaces (Java and IBM MobileFirst Platform only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to Eclipse Version 4.5. v IBM WebSphere Application Server Version 8.5.5 is now supported for compiling Java and JSP. Note: Operating system support is dependent on the operating system supported by individual compilers. Scan configuration enhancements The Scan Configuration view has been redesigned and now offers these key features: v The ability to specify filters. v Setting the type of analysis to perform during a scan. This includes taint-flow analysis and pattern-based analysis. AppScan Source now includes these built-in scan configurations: Web preview scan, Web quick scan, Web balanced scan, and Web deep scan New rule attributes allow you to identify high severity definitive security findings more accurately This release of AppScan Source introduces the Attribute.Likelihood.High and Attribute.Likelihood.Low attributes. These attributes have been added to the built-in rules and can also be used when creating custom rules. In AppScan Source, likelihood represents the probability or chance that a security finding can be exploited. AppScan Source takes the definition of likelihood that is presented at https://www.owasp.org/index.php/ OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood, and refines it by determining likelihood based on trace properties. Given a set of trace properties - for example, Source API name, Source API type, Source Technology, or Source Mechanism - AppScan Source determines the likelihood that a trace can or will be exploited using a specific vulnerability in the future. Likelihood is tied to the source element of a trace. A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is unchecked, it is considered a source of taint. Likelihood examples include: Chapter 1. Introduction to AppScan Source for Analysis 7

v Given a trace with an HTTP source (for example, Request.getQueryString) and a cross-site scripting sink (for example, Response.write), a high likelihood is determined, thereby raising the confidence of the finding. v Given a trace with a system property source (for example, getproperty) and a cross-site scripting sink (for example, Response.write), a low likelihood is determined, thereby lowering the confidence of the finding. Likelihood is used to identify high priority actionable findings that must be acted on or fixed immediately. It is tied to highly-exploitable sources of taint and can provide you with a more fine-grained approach for classifying findings. Likelihood is stored as an attribute that is tied to a source of taint, in the AppScan Source vulnerability database. The feature is available out-of-the-box. We have conducted extensive research in order to determine the likelihood factor for sources. Using the Custom Rules Wizard, you can add likelihood information to new sources of taint that you add to your rule base. This will improve the classification of findings generated from a scan and, in turn, improve the efficiency of your overall triage workflow. In the Custom Rules Wizard, there are two values (High and Low) that you can set for the Likelihood property. A value of High means that the source is very susceptible to taint. In other words, the barrier to taint entering the system is very low making it easy for attackers to submit malicious data either manually or in an automated fashion. A value of Low means that the barrier to entering malicious data through this source is very high. This could mean that in order for taint to be introduced to the source, an attacker would have to have insider knowledge of the system and have permissions to operate on the victim's network. Note: As a result of these rule attributes, if you have generated assessments in previous versions of AppScan Source, you may find that findings classifications for the same source has changed when it is scanned in Version 9.0.3. For more information, and to learn how to disable these rule attributes, see the migration considerations regarding these changes. Automatic lost sink resolution allows for better scan results AppScan Source now tries to resolve lost sinks in traces by automatically inferring markup for lost sink methods such as getters, setters, and methods that return boolean values. This allows for a more thorough analysis of your code and improved lost sink resolution. Note: As a result of this feature, if you have generated assessments in previous versions of AppScan Source, you may notice a change in findings results for lost sinks that were not resolved. For more information, and to learn how to disable automatic markup generation, see the migration considerations regarding these changes. Enhanced and new scanning support v PHP Version 5.4 can now be scanned on Windows and Linux in IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI). v AppScan Source now includes built-in support for the Spring MVC 4 framework. v Java scanning optimizations: 8 IBM Security AppScan Source for Analysis: User Guide

When scanning JavaServer Pages, you now have the option of scanning precompiled class files instead of compiling them during a scan. To scan precompiled class files in the AppScan Source for Development Eclipse plug-in, configure your project for security scanning (select Security Analysis > Configure Scan > Configure Projects for Security) and select the Precompiled classes check box. To scan precompiled class files in IBM Security AppScan Source for Analysis, select the Precompiled classes check box in one of these locations: - The Project Dependencies tab in the project properties. - The Java Project Dependencies page when creating a new project or application. When scanning Java, AppScan Source will now scan Java files and Java byte code with missing dependencies or compilation errors. If there are missing dependencies or compilation errors, information about them will be written to a log file. With this information, you can then add the dependencies to your project properties, re-scan, and achieve full coverage for scan results. v As of AppScan Source Version 9.0.3, header locations and configuration options are determined more accurately when Xcode projects are imported and scanned. This change introduces the use of xcodebuild -dry-run to obtain every file's build configuration, so there may be a pause at the beginning of scans while AppScan Source determines file configurations before proceeding. Capabilities and features that are no longer supported in AppScan Source Version 9.0.3 As of AppScan Source Version 9.0.3: v OS X Version 10.8 is no longer a supported operating system. v Xcode Version 4.6 is no longer supported. Scanning Objective-C projects with this version of Xcode is no longer supported. v Eclipse Version 3.6 and 3.7 project files and workspaces are no longer supported - and the AppScan Source for Development (Eclipse plug-in) can no longer be applied to Eclipse Versions 3.6 and 3.7. v Rational Application Developer for WebSphere Software (RAD) Version 8.0.x project files and workspaces are no longer supported - and the IBM Security AppScan Source for Development plug-in for IBM Rational Application Developer for WebSphere Software (RAD) can no longer be applied to RAD Version 8.0.x. v IBM Rational Team Concert Versions 3.0 and 3.0.1 are no longer supported defect tracking systems. v WebSphere Application Server Version 6.1 is no longer a supported application server. v Support for scanning PHP Versions 4.x up to 5.2 is deprecated. Migrating to the current version of AppScan Source This topic contains migration information for changes that have gone into this version of AppScan Source. If you are upgrading from an older version of AppScan Source, be sure to note the changes for the version of AppScan Source that you are upgrading and all versions leading up to this current version. v Migrating from Version 9.0.2 on page 10 v Migrating from Version 9.0 on page 11 v Migrating from Version 8.7 on page 11 Chapter 1. Introduction to AppScan Source for Analysis 9

Migrating from Version 9.0.2 v New rule attributes may result in findings classification changes in existing scans v Automatic lost sink generation New rule attributes may result in findings classification changes in existing scans After Version 9.0.2, Attribute.Likelihood.High and Attribute.Likelihood.Low rule attributes were introduced. When these attributes are used, AppScan Source can more accurately determine if findings are definitive and/or suspect. As a result, if you scan source code in AppScan Source Version 9.0.2 or earlier, you may find that some findings classifications will change when the same source code is scanned in product versions after 9.0.2. This will be most noticeable for findings related to highly exploitable web sources - or for property or environment sources that are less exploitable. These rule attributes are used by default. You can disable them, as follows: 1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations on page 286). Locate the allow_likelihood setting in the file. This setting will look similar to: <Setting name="allow_likelihood" value="true" default_value="true" description="allow the processing of the Likelihood attributes to help determine trace confidence based on the source API" display_name="allow Likelihood" type="bool" /> In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan Source will not use these rule attributes during scans. 2. Save the file after you have modified this setting and start or restart AppScan Source. Automatic lost sink generation After Version 9.0.2, automatic lost sink resolution was introduced for traces that end in getters/setters and methods that return boolean values. This is done by automatically inferring markup for these application programming interfaces (API). As a result, if you scan source code in AppScan Source Version 9.0.2 or earlier, you may notice changes in findings results that contained unresolved lost sinks when the same source code is scanned in product versions after 9.0.2. Automatic markup generation is on by default. You can disable it if you want to use other means of lost sink resolution such as custom rules, as follows: 1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations on page 286). Locate the automatic_lost_sink_resolution setting in the file. This setting will look similar to: 10 IBM Security AppScan Source for Analysis: User Guide

<name="automatic_lost_sink_resolution" value="true" default_value="true" description="this setting tries to perform automatic lost sink resolution by assuming taint propagation for getters, setters and APIs which return boolean with no arguments." display_name="auto Lost Sink Resolution" type="bool" /> In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan Source will not automatically generate markup for these methods. 2. Save the file after you have modified this setting and start or restart AppScan Source. Migrating from Version 9.0 AppScan Enterprise Server authentication: Migration considerations for replacement of the IBM Rational Jazz user authentication component with IBM WebSphere Liberty v Migrating from an Enterprise Server that only has local Jazz users: In this upgrade scenario, the former Jazz users will appear in the AppScan Source Database as AppScan Enterprise Server users, however, they will not be valid. These users can be removed from the Database - or they can be converted to AppScan Source users if you follow the instructions in http://www.ibm.com/ support/docview.wss?uid=swg21686347 for enabling that conversion. v Migrating from an Enterprise Server that was configured with LDAP: During the Enterprise Server upgrade, you have the option of configuring the Enterprise Server with LDAP again. If you do this, existing users will still work in AppScan Source. v Migrating from an Enterprise Server that was configured with Windows authentication: If your Enterprise Server was configured with Windows authentication, existing users will work in AppScan Source, provided the new Enterprise Server Liberty is configured to use Windows authentication. Migrating from Version 8.7 v Changes to findings classifications v Default settings changes that will improve scan coverage on page 12 v Restoring AppScan Source predefined filters from previous versions on page 13 Changes to findings classifications After Version 8.7, findings classifications changed. This table lists the old classifications mapped to the new classifications: Table 1. Findings classification changes Findings classifications prior to AppScan Source Version 8.8 Vulnerability Type I Exception Type II Exception Classifications as of AppScan Source Version 8.8 Definitive security finding Suspect security finding Scan coverage finding Chapter 1. Introduction to AppScan Source for Analysis 11

An example of these changes can be seen in the Vulnerability Matrix view. As of Version 8.8, the view looks like this: Default settings changes that will improve scan coverage As of AppScan Source Version 8.8: v The default value of show_informational_findings in scan.ozsettings has changed from true to false. v The default value of wafl_globals_tracking in ipva.ozsettings has changed from false to true. This setting enables AppScan Source to find dataflow between different components of a framework-based application (for example, dataflow from a controller to a view). The change to show_informational_findings will result in assessments not including findings with a severity level of Info by default. 12 IBM Security AppScan Source for Analysis: User Guide

Note: If you have scan configurations that were created prior to Version 8.8 that did not explicitly set values for these settings, the scan configurations will now use their new default values. Restoring AppScan Source predefined filters from previous versions In AppScan Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan Source (archived filters are listed in AppScan Source predefined filters (Version 8.7.x and earlier) on page 132), follow the instructions in Restoring archived predefined filters on page 133. AppScan Source for Analysis overview Workflow AppScan Source for Analysis is a tool for analyzing code and providing specific information about source code vulnerabilities in critical systems. AppScan Source for Analysis lets you centrally manage your software risk across multiple applications, or even your entire portfolio. You can scan source code, triage, and eliminate vulnerabilities before they become a liability to your organization. AppScan Source for Analysis provides audit and quality assurance teams with tools to scan source code, triage results, and submit flaws to defect tracking systems. Armed with in-context intelligence from the AppScan Source Security Knowledgebase, analysts, auditors, managers, and developers can: v Scan selected source code on-demand to locate critical vulnerabilities v Receive precise remediation advice and invoke their preferred development environment and code editor directly from analysis v Trace tainted data through a precise, interactive call graph from input to output v Enforce coding policies, verifying approved input validation and encoding routines through AppScan Source trace v Learn and implement secure programming best practices during software development After installation, deployment, and user management, the AppScan Source workflow consists of these basic steps. 1. Set security requirements: A manager or security expert defines vulnerabilities and how to judge criticality. 2. Configure applications: Organize applications and projects. 3. Scan: Run the analysis against the target application to identify vulnerabilities. 4. Triage and analyze results: Security-minded staff study results to prioritize remediation workflow and separate real vulnerabilities from potential ones, allowing triage on critical issues to begin immediately. Isolate the issues you need to fix first. 5. Customize the Knowledgebase: Customize the AppScan Source Security Knowledgebase to address internal policies. 6. Publish scan results: Add scan results to the AppScan Source Database or publish them to the AppScan Enterprise Console. Chapter 1. Introduction to AppScan Source for Analysis 13

7. Assign remediation tasks: Assign defects to the development team to resolve vulnerabilities. 8. Resolve issues: Eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions. 9. Verify fixes: The code is scanned again to assure that vulnerabilities are eliminated. Configure AppScan Source for Analysis Monitor Enterprise Console Scan AppScan Source for Analysis AppScan Source for Automation AppScan Source for Development Triage AppScan Source for Analysis AppScan Enterprise Server Remediate AppScan Source for Analysis AppScan Source for Remediation AppScan Source for Development Assign AppScan Source for Analysis Important concepts Before you begin to use or administer AppScan Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis. AppScan Source for Analysis scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application. Applications, their attributes, and projects are created and organized in AppScan Source for Analysis: v Applications: An application contains one or more projects and their related attributes. v Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application. v Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan Source for Analysis. The principal activity of AppScan Source for Analysis is to scan source code and analyze vulnerabilities. Assessments provide an analysis of source code for vulnerabilities including: 14 IBM Security AppScan Source for Analysis: User Guide

v Severity: High, medium, or low, indicating the level of risk v Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow v File: Code file in which the finding exists v API/Source: The vulnerable call, showing the API and the arguments passed to it v Method: Function or method from which the vulnerable call is made v Location: Line and column number in the code file that contains the vulnerable API v Classification: Security finding or scan coverage finding. For more information, see Classifications. Classifications Findings are classified by AppScan Source to indicate whether they are security or scan coverage findings. Security findings represent actual or likely security vulnerabilities - whereas scan coverage findings represent areas where configuration could be improved to provide better scan coverage. Each finding falls into one of these classifications: v Definitive security finding: A finding that contains a definitive design, implementation, or policy violation that presents an opportunity for an attacker to cause the application to operate in an unintended fashion. This attack could result in unauthorized access, theft, or corruption of data, systems, or resources. Every definitive security finding is fully articulated, and the specific underlying pattern of the vulnerable condition is known and described. v Suspect security finding: A finding that indicates a suspicious and potentially vulnerable condition that requires additional information or investigation. A code element or structure that can create a vulnerability when used incorrectly. A suspect finding differs from a definitive finding because there is some unknown condition that prevents a conclusive determination of vulnerability. Examples of this uncertainty can be the use of dynamic elements, or of library functions for which the source code is not available. As a result, there is an additional level of research that is required to confirm or reject a suspect finding as definitive. v Scan coverage finding: Findings that represent areas where configuration could be improved to provide better scan coverage (for example, lost sink findings). Note: In some cases, a classification of None may be used to denote a classification that is neither a security finding nor a scan coverage finding. Logging in to AppScan Enterprise Server from AppScan Source products Most AppScan Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. When you launch AppScan Source for Analysis, you are prompted to authenticate to an AppScan Enterprise Server. If you are running AppScan Source for Development in server mode, you are prompted to authenticate to an AppScan Chapter 1. Introduction to AppScan Source for Analysis 15