IBM SAP International Competence Center IBM Rational AppScan deployed by SAP AG


IBM SAP International Competence Center IBM Rational AppScan deployed by SAP AG SAP AG / Wolfram Scheible

"With IBM Rational AppScan we have efficiently automated the process of weak-point analysis."
Michael Neumaier, Senior Quality Specialist, SAP AG

"IBM Rational AppScan not only helps us to avoid costs related to hacking attacks, but also reduces the manual effort needed for analysis and the costs for testing."
Michael Neumaier, Senior Quality Specialist, SAP AG

IBM Rational AppScan deployed by SAP AG

About this paper
Experts estimate that the global damage caused by cyber criminals could be as much as 100 billion a year. Almost as soon as any new Web application goes online, it is registered and analyzed by automatic hacker tools. The applications and the data behind them are rarely protected by technologies such as firewalls, network scanners and intrusion detection systems. This paper looks at the steps taken by SAP AG to protect its applications using IBM Rational AppScan.

Customer objectives
- Protect online applications by ensuring that vulnerabilities are identified and removed before deployment
- Cut the costs of remedial action by enhancing pre-release quality
- Increase customer confidence in the security of online applications
- Learn how to improve application design for the future

IBM solution
IBM Rational AppScan Standard 8.0

Customer benefits
- IBM Rational AppScan covers all of SAP's security test requirements and has hugely expanded its test capabilities
- Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented
- IBM Rational AppScan has integrated seamlessly into SAP's quality assurance processes, because it automates a component of existing workflows rather than requiring an overall process change

Background, starting point and objectives
SAP developers work on some 190 products, with more than 25 industry solutions in over 30 languages. Approximately 500 developers work in parallel on each new solution release. SAP has moved to a global process for software development and release, based on four business principles:

Changing conditions for software development:
- Changed product portfolio, from a single product to a portfolio of different products.
- Global organization with distributed development in multiple international locations.

Improved communication between customers, partners and SAP:
- Provide one common and consistent approach to the roll-in of customer requirements.
- Reflect industry scenario orientation and focus on customer business needs.
- Ensure alignment between internal and external stakeholders on development priorities.

Industrialization of software development and re-use:
- The service-oriented architecture fosters reuse at various levels.
- Aligned processes and organizations must reflect this reuse.

Never-ending quality improvement:
- Adapted processes for a high level of software quality and optimized TCO, while at the same time reducing time-to-market.
- Build the right things the right way, with planned quality along the entire product lifecycle.

Business challenges and project objectives
With more SAP applications being designed for use over the Internet, the company has a pressing requirement to help ensure Web application security. For the SAP team, it was important to handle the increasing volume of test work while maintaining the very high quality of the results. Without automation, it was clear that the manual testing workload could easily become unmanageable, resulting in increased costs and carrying the risk of incorrectly tested software being brought to market. If the team could automate most of the testing procedures, this would accelerate throughput and increase testing validity. In turn, IT staff could be released to work on more important software development projects.

While searching for suitable tools to test its applications pre-deployment, the SAP team identified a list of core requirements, including:
- Up-to-date functionality, including the ability to combat current attack methods and vulnerability classes.
- Quality of the scanning technology and its ability to uncover security issues.
- Reliability and accuracy of the findings generated by the scanner, including false-positive handling.
- Usability and handling of the configuration of the scanner for very large software projects.
- Display and filtering of the findings, and the ability to interpret findings easily.
- Support in the debugging, elimination or other resolution of identified vulnerabilities.
- Extensive reporting for different risk and compliance reports.
- Position and strength of the vendor in the market.
- Level of investment in future research and development of the security solution.

Technical solution
The IBM Rational AppScan product family selected for use by SAP examines Web applications for known vulnerabilities during both the development phase and application operation. Rational AppScan offers highly automated scanning and analysis, and provides reports in compliance with national and international standards at the push of a button. The Rational AppScan tools also help educate developers and security staff, with integrated e-learning components designed to ensure that safe practices are embedded in coding right at the start of software development programs.

The SAP team deployed IBM Rational AppScan Standard in India on a Microsoft Windows server with multiple log-on options through Windows Terminal Server, and in Germany on a standard desktop PC running Windows. For both systems, SAP runs a shared calendar where colleagues can plan their tests and machine usage, which allows many different people to run their tests without conflict.

The SAP team was very satisfied with the support and technical expertise offered by IBM. Issues were processed quickly, and the recommended solutions solved problems rapidly, thanks to the high level of product competency offered by IBM.

Rational AppScan includes graphical presentations of results and powerful report generation functionality, which demonstrates how the vulnerabilities are actually exploited in a Web browser. These capabilities are central to helping developers understand what the issues mean in practice. The Rational AppScan interface is so powerful that at SAP, developers are invited to online screen-sharing teleconferences where they can view the test results and issues for themselves.

[Figure 1: chart of attacker motive against adversary; image not reproduced. Vertical axis "Motive": curiosity, prestige and thrill, monetary gain, revenge, industrial espionage, national security. Horizontal axis "Adversary": script kiddies (scripts, tools, web-based how-tos), hackers and crackers (substantial time, tools and social engineering), organized crime and competitors (sophisticated tools, expertise and substantial resources), insiders (inside information), cyber warriors and advanced persistent threat (damage/impact to life and property). Annotation: the national security agenda is rising in importance within the context of the cybersecurity discussion.]

Figure 1: The important information and services accessible through a Web-facing application have attracted a new and far more sophisticated adversary. The motivation for these attacks is changing and maturing from curiosity to financial gain to real espionage. The techniques that hackers employ are also advancing, making them harder to prevent and detect. The arrow represents a rapid rise in the likely overall damage and impact of attacks on applications as a whole. Source: IBM Software, Rational, Technical White Paper: Designing a strategy for comprehensive Web protection, http://public.dhe.ibm.com/common/ssi/ecm/en/raw14246usen/raw14246usen.pdf

About Rational AppScan
The Rational AppScan product portfolio provides ways to automate and industrialize the protection of networked and Web applications that collect and exchange sensitive data. Essentially, Rational AppScan software extends security analysis in the application security process and employs multiple testing techniques that result in higher-quality, more secure applications.

Additional functionalities include JavaScript Analyzer, an extension of AppScan Standard developed in collaboration with IBM Research, which provides static taint analysis of JavaScript, detecting a range of client-side security issues, such as DOM-based Cross-site Scripting (XSS), where malicious JavaScript code is executed in the user's browser because no sanitization check prevents the attack.

There have been numerous documented cases of companies that spent millions of dollars recovering from cyber-attacks that could almost certainly have been prevented. Vulnerabilities in a production environment can be costly to remedy, while Rational AppScan helps to uncover and fix flaws during the development process, reducing cost and risk. Rational AppScan offers static and dynamic security testing in all stages of application development. SAP uses Rational AppScan Standard Edition, and the full product range extends to cover a variety of business needs:
- AppScan Build Edition embeds Web application security testing into the build management workflow.
- AppScan Enterprise Edition provides a Web application vulnerability testing and reporting solution used to scale security testing.
- AppScan Express Edition delivers affordable Web application security for smaller organizations.
- AppScan OnDemand identifies and prioritizes Web application security vulnerabilities that may be apparent via the SaaS model.
- AppScan OnDemand Production Site Monitoring enables consistent and continuous monitoring of production Web content and sites for vulnerabilities via the SaaS model.

The role of JavaScript in modern Web applications is becoming more important as technologies such as AJAX, HTML5 and the Dojo toolkit grow more common. The JavaScript Analyzer makes AppScan one of the first tools capable of detecting a range of client-side security issues. Until now, these issues were thought to be very common, but with no tool to find them there was no hard evidence and no way to build defenses. AppScan is also able to apply both black box and white box testing in the same scan.
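The DOM-based XSS flow described above is a source-to-sink problem: an attacker-controlled value (here the URL fragment) reaches a markup-parsing sink (innerHTML) without encoding. The block below is an added example, not code from this paper or from AppScan; it shows the vulnerable pattern beside its hardened form and a miniature version of the taint propagation a static analyzer performs over straight-line statements. The DOM stub, statement lists and the flow names are constructed for the demo.

```javascript
// Added example, not code from the IBM/SAP paper or from AppScan: the
// DOM-based XSS source->sink flow, its hardened variant, and a miniature
// static taint propagation. Runs under Node; the DOM is a tiny stub.

// Constructed stand-in for the browser objects involved.
function makeDom(fragment) {
  return { location: { hash: fragment }, el: { innerHTML: "" } };
}

// Minimal HTML encoder for text placed inside element content.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the URL fragment (attacker-controlled source) is
// concatenated into innerHTML (sink), so any markup in it is parsed.
function renderVulnerable(dom) {
  const name = decodeURIComponent(dom.location.hash.slice(1));
  dom.el.innerHTML = "Hello, " + name;
  return dom.el.innerHTML;
}

// Hardened pattern: the same value is encoded before it reaches the sink
// (in a real page, assigning to textContent is the simpler fix).
function renderHardened(dom) {
  const name = decodeURIComponent(dom.location.hash.slice(1));
  dom.el.innerHTML = "Hello, " + htmlEncode(name);
  return dom.el.innerHTML;
}

// Miniature static taint propagation over straight-line statements.
// Each statement is { target, from: [inputs], sink?: bool, sanitizer?: bool }.
// Taint starts at the named sources and flows through assignments; a
// sanitizer statement yields an untainted value. Returns the sinks that
// receive tainted data.
function findTaintedSinks(program, sources) {
  const tainted = new Set(sources);
  const findings = [];
  for (const st of program) {
    const inputTainted = st.from.some((v) => tainted.has(v));
    if (st.sink && inputTainted) findings.push(st.target);
    if (inputTainted && !st.sanitizer) tainted.add(st.target);
    else tainted.delete(st.target);
  }
  return findings;
}

// Constructed statement lists mirroring the two render functions above.
const VULNERABLE_FLOW = [
  { target: "name", from: ["location.hash"] },
  { target: "el.innerHTML", from: ["name"], sink: true },
];
const HARDENED_FLOW = [
  { target: "name", from: ["location.hash"] },
  { target: "safe", from: ["name"], sanitizer: true },
  { target: "el.innerHTML", from: ["safe"], sink: true },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderVulnerable(makeDom("#<b>x</b>")));   // markup survives
  console.log(renderHardened(makeDom("#<b>x</b>")));     // markup encoded
  console.log(findTaintedSinks(VULNERABLE_FLOW, ["location.hash"]));
  console.log(findTaintedSinks(HARDENED_FLOW, ["location.hash"]));
}
```

The analyzer reports the innerHTML sink only for the flow without a sanitizer step, which is the difference a hybrid scan can correlate with a black-box finding on the same page: a static flow plus an observed reflection is the "double weakness" worth fixing first.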

Proof of validity
To test the validity of the claims for Rational AppScan, SAP performed an external audit and penetration test on Duet software. The team then compared the results of the manual test against the automated findings generated by Rational AppScan. The comparison was designed to detect and reproduce the vulnerabilities discovered by the manual test, and highlight the appropriate areas of the source code. Rational AppScan succeeded in locating all the vulnerabilities discovered manually, identified additional concerns, and pinpointed the source code responsible in just a few hours.

The AppScan findings are highly accurate, with very few false positives, which saves a great deal of time when evaluating an application. The audit reporting and the ability to provide full traceability of errors feature high on the list of time- and cost-saving functionalities.

During software development, the developers themselves are responsible for testing. The SAP IT team provides developers with Rational AppScan testing services, which can be booked internally. For those developers who choose to test during development, the results are used during the software validation process. If the core team is involved in testing, software validation can be completed more quickly, reducing SAP's time to market with new solutions. If Rational AppScan is not involved during the software development process, developers have to run their own manual tests and provide documentation explaining why their test results are acceptable. Based on those documents, the testing team makes its plan for software validation; this is usually a longer process than where products have involved Rational AppScan at an early stage.

AppScan Standard was integrated into SAP's product development process, and the powerful reporting functionality is used to analyze results and generate recommendations for developers. For example, after an application scan with Rational AppScan, the team schedules a workshop with the development team. Rational AppScan generates an application profile with SAP-specific main issues, aimed at SAP standard requirements.

With the reduced testing time and effort that using Rational AppScan provides, SAP is able to develop more Web applications more quickly, and bring them to market. As a result of these benefits, SAP purchased additional Rational AppScan licenses, expanding its footprint to eight users in total, in India, Israel and Germany.

Business benefits
In the future, combinations of dynamic and static analyses present new possibilities for SAP. This hybrid analysis is completed using the JavaScript Analyzer. During a test, both the black box tests (the normal HTTP tests provided by AppScan Standard Edition) and white box tests (via static analysis of the JavaScript code by the JSA component) are run. The black box and white box test results are correlated through the Reporting Console. The correlation highlights specific weak points identified by both scanning technologies. Such double weaknesses can be considered a genuine risk, to be fixed as rapidly as possible.

Under the previous manual testing processes, the SAP team knew that its 60 or so test case descriptions did not cover all requirements. Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented. With Rational AppScan, the SAP team now has a significantly higher degree of test coverage.

Product complexity affects the testing process, which can take from fractions of a second to several minutes for each URL. Rational AppScan can also test by starting with an initial URL and then testing all the pages that can be reached, somewhat in the manner of a search engine crawling linked Web pages. The tools include the ability to exclude or include certain pages, directories or areas of a website, and single pages can be specified for test. To accelerate testing, the IBM team implemented an adaptive approach: if test failures exceed pre-set limits, the test sequence is halted. This method reduces the time spent on test runs, accelerating total throughput and increasing efficiency.

Rational AppScan has integrated seamlessly into SAP's processes, as it automates a component of existing workflows rather than requiring change. From initial adoption, usage has exploded as the benefits have become clear, particularly since the number of Web applications is growing continuously.
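The scoping and adaptive-halt behaviour described above (include or exclude areas of a site, crawl outward from a start URL, stop the run once failures pass a preset limit) is easy to state precisely in code. The block below is an added example, not code from this paper or from AppScan: the site graph, the scope rules, the per-URL test and the function names are all constructed for the demo, and a real scanner would replace the graph lookup with HTTP requests and link extraction.

```javascript
// Added example, not code from the IBM/SAP paper or from AppScan: a scan
// scope of include/exclude URL prefixes, a crawl that follows only in-scope
// links, and a test loop that halts once failures exceed a preset limit.

// Constructed site: each URL maps to the links found on that page.
const SITE = {
  "https://app.example/": [
    "https://app.example/docs/",
    "https://app.example/login",
    "https://app.example/admin/",
  ],
  "https://app.example/docs/": [
    "https://app.example/docs/a",
    "https://app.example/docs/b",
    "https://cdn.example/lib.js",
  ],
  "https://app.example/login": ["https://app.example/"],
  "https://app.example/docs/a": [],
  "https://app.example/docs/b": [],
  "https://app.example/admin/": ["https://app.example/admin/users"],
  "https://app.example/admin/users": [],
};

// Scope: a URL is tested only if it matches an include prefix and no
// exclude prefix (here the admin area is left out of the run, and the
// third-party CDN is out of scope because it matches no include prefix).
const SCOPE = {
  include: ["https://app.example/"],
  exclude: ["https://app.example/admin/"],
};

function inScope(url, scope) {
  return scope.include.some((p) => url.startsWith(p)) &&
    !scope.exclude.some((p) => url.startsWith(p));
}

// Breadth-first crawl from the start URL; out-of-scope links are neither
// visited nor expanded. Returns the URLs in visiting order.
function crawl(site, start, scope) {
  const seen = new Set([start]);
  const queue = [start];
  const visited = [];
  while (queue.length > 0) {
    const url = queue.shift();
    visited.push(url);
    for (const link of site[url] || []) {
      if (!seen.has(link) && inScope(link, scope)) {
        seen.add(link);
        queue.push(link);
      }
    }
  }
  return visited;
}

// Adaptive halt: run the per-URL test in sequence and stop as soon as the
// number of failures exceeds maxFailures, so a broken area of the site
// does not consume the whole test window.
function runTests(urls, testFn, maxFailures) {
  const results = [];
  let failures = 0;
  for (const url of urls) {
    const ok = testFn(url);
    results.push({ url, ok });
    if (!ok && ++failures > maxFailures) return { results, halted: true };
  }
  return { results, halted: false };
}

// Constructed per-URL test: pretend every page under /docs/ fails.
const demoTest = (url) => !url.includes("/docs/");

// Crawl the constructed site in scope and run the tests with a failure limit.
function demo(maxFailures) {
  const urls = crawl(SITE, "https://app.example/", SCOPE);
  return runTests(urls, demoTest, maxFailures);
}
```

With a limit of one failure the run stops after the second /docs/ page and never reaches /docs/b; with a limit of three it tests all five in-scope URLs. The halted flag is what a scheduler keys on to free the shared machine for the next booked test.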

"IBM Rational AppScan has a hugely positive impact on educating our developers with respect to avoiding vulnerabilities in Web applications."
Michael Neumaier, Senior Quality Specialist, SAP AG

SAP, Duet and all SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries. All other product and service names mentioned are the trademarks of their respective companies.

SAP Forward-looking Statement
Any statements contained in this document that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. Words such as "anticipate", "believe", "estimate", "expect", "forecast", "intend", "may", "plan", "project", "predict", "should" and "will" and similar expressions as they relate to SAP are intended to identify such forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. The factors that could affect SAP's future financial results are discussed more fully in SAP's filings with the U.S. Securities and Exchange Commission ("SEC"), including SAP's most recent Annual Report on Form 20-F filed with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates.

For more information:
To learn more about the solutions from IBM and SAP, visit: ibm-sap.com
For more information about SAP products and services, contact an SAP representative or visit: sap.com
For more information about IBM products and services, contact an IBM representative or visit: ibm.com

Contacts:
IBM: Stephan Rosche (stephan.rosche@de.ibm.com)
For further questions please contact the IBM SAP International Competency Center via isicc@de.ibm.com

Copyright IBM Corp. 2011. All Rights Reserved.
IBM Deutschland GmbH, D-70548 Stuttgart, ibm.com
Produced in Germany, December 2011

IBM, the IBM logo, ibm.com, i5/OS, DB2, Domino, FlashCopy, Lotus, Notes, POWER, POWER4, POWER5, POWER6, System i, System x, and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM trademarks is available on the Web at: http://www.ibm.com/legal/copytrade.shtml

UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product or service names may be trademarks, or service marks of others.

This brochure illustrates how IBM customers may be using IBM and/or IBM Business Partner technologies/services. Many factors have contributed to the results and benefits described. IBM does not guarantee comparable results. All information contained herein was provided by the featured customer/s and/or IBM Business Partner/s. IBM does not attest to its accuracy. All customer examples cited represent how some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication is for general guidance only. Photographs may show design models.

SPC03379-DEEN-00