IBM SAP International Competence Center

IBM Rational AppScan deployed by SAP AG

SAP AG / Wolfram Scheible
"With IBM Rational AppScan we have efficiently automated the process of weak-point analysis."
Michael Neumaier, Senior Quality Specialist, SAP AG

"IBM Rational AppScan not only helps us to avoid costs related to hacking attacks, but also reduces the manual effort needed for analysis and the costs for testing."
Michael Neumaier, Senior Quality Specialist, SAP AG
About this paper

Experts estimate that the global damage caused by cyber criminals could be as much as 100 billion a year. Almost as soon as any new Web application goes online, it is registered and analyzed by automatic hacker tools. The applications and the data behind them are rarely protected by technologies such as firewalls, network scanners and intrusion detection systems. This paper looks at the steps taken by SAP AG to protect its applications using IBM Rational AppScan.

Customer objectives
- Protect online applications by ensuring that vulnerabilities are identified and removed before deployment.
- Cut the costs of remedial action by enhancing prerelease quality.
- Increase customer confidence in the security of online applications.
- Learn how to improve application design for the future.

IBM solution
- IBM Rational AppScan Standard 8.0

Customer benefits
- IBM Rational AppScan covers all of SAP's security test requirements and has hugely expanded its test capabilities.
- Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented.
- IBM Rational AppScan has integrated seamlessly into SAP's quality assurance processes, because it automates a component of existing workflows rather than requiring an overall process change.
Background, starting point and objectives

SAP developers work on some 190 products, with more than 25 industry solutions in over 30 languages. Approximately 500 developers work in parallel on each new solution release. SAP has moved to a global process for software development and release, based on four business principles:

Changing conditions for software development:
- Changed product portfolio, from a single product to a portfolio of different products.
- Global organization with distributed development in multiple international locations.

Improved communication between customers, partners and SAP:
- Provide one common and consistent approach to the roll-in of customer requirements.
- Reflect industry scenario orientation and focus on customer business needs.
- Ensure alignment between internal and external stakeholders on development priorities.

Industrialization of software development and re-use:
- The service-oriented architecture fosters reuse at various levels.
- Aligned processes and organizations must reflect this reuse.

Never-ending quality improvement:
- Adapted processes for a high level of software quality and optimized TCO, while at the same time reducing time-to-market.
- Build the right things the right way, with planned quality along the entire product lifecycle.

Business challenges and project objectives

With more SAP applications being designed for use over the Internet, the company has a pressing requirement to help ensure Web application security. For the SAP team, it was important to handle the increasing volume of test work while maintaining the very high quality of the results. With purely manual testing and no automation, it was clear that the workload could easily become unmanageable, resulting in increased costs and carrying the risk of incorrectly tested software being brought to market. If the team could automate most of the testing procedures, this would accelerate throughput and increase testing validity.
In turn, IT staff could be released to work on more important software development projects. While searching for suitable tools to test its applications predeployment, the SAP team identified a list of core requirements, including:

- Up-to-date functionality, including the ability to combat current attack methods and vulnerability classes.
- Quality of the scanning technology and its ability to uncover security issues.
- Reliability and accuracy of the findings generated by the scanner, including false-positive handling.
- Usability and handling of the configuration of the scanner for very large software projects.
- Display and filtering of the findings, and the ability to interpret findings easily.
- Support in the debugging, elimination or other resolution of identified vulnerabilities.
- Extensive reporting for different risk and compliance reports.
- Position and strength of the vendor in the market.
- Level of investment in future research and development of the security solution.
Technical solution

The IBM Rational AppScan product family selected for use by SAP examines Web applications for known vulnerabilities during both the development phase and application operation. Rational AppScan offers highly automated scanning and analysis, and provides reports in compliance with national and international standards at the push of a button. The Rational AppScan tools also help educate developers and security staff, with integrated e-learning components designed to ensure that safe practices are embedded in coding right at the start of software development programs.

The SAP team deployed IBM Rational AppScan Standard in India on a Microsoft Windows server with multiple log-on options through Windows Terminal Server, and in Germany on a standard desktop PC running Windows. For both systems, SAP runs a shared calendar where colleagues can plan their tests and machine usage, which allows many different people to run their tests without conflict.

The SAP team was very satisfied with the support and technical expertise offered by IBM. Issues were processed quickly, and the recommended solutions solved problems rapidly, thanks to the high level of product competency offered by IBM.

Rational AppScan includes graphical presentations of results and powerful report generation functionality, which demonstrates how the vulnerabilities are actually exploited in a Web browser. These capabilities are central to helping developers understand what the issues mean in practice. The Rational AppScan interface is so powerful that at SAP, developers are invited to online screen-sharing teleconferences where they can view the test results and issues for themselves.
[Figure 1: graphic not reproduced. Axis labels: Motive (national security, industrial espionage, monetary gain, revenge, prestige and thrill, curiosity) and Adversary (insiders, cyber warriors, organized crime and competitors, advanced persistent threat, hackers and crackers, script kiddies); resource labels: inside information; sophisticated tools, expertise and substantial resources; substantial time, tools and social engineering; scripts, tools, web-based how-tos. Annotation: the national security agenda is rising in importance within the context of the cybersecurity discussion; arrow labelled damage/impact to life and property.]

Figure 1: The important information and services accessible through a Web-facing application have attracted a new and far more sophisticated adversary. The motivation for these attacks is changing and maturing from curiosity to financial gain to real espionage. The techniques that hackers employ are also advancing, making them harder to prevent and detect. The arrow represents a rapid rise in the likely overall damage and impact of attacks on applications as a whole. Source: IBM Software, Rational, Technical White Paper: Designing a strategy for comprehensive Web protection, http://public.dhe.ibm.com/common/ssi/ecm/en/raw14246usen/raw14246usen.pdf
About Rational AppScan

The Rational AppScan product portfolio provides ways to automate and industrialize the protection of networked and Web applications that collect and exchange sensitive data. Essentially, Rational AppScan software extends security analysis in the application security process and employs multiple testing techniques that result in higher-quality, more secure applications.

Additional functionalities include JavaScript Analyzer, an extension of AppScan Standard developed in collaboration with IBM Research, which provides static taint analysis of JavaScript, detecting a range of client-side security issues, such as DOM-based Cross-site Scripting (XSS), where malicious JavaScript code is executed in the user's browser without sanity checks that could prevent the attack.

There have been numerous documented cases of companies that spent millions of dollars recovering from cyber-attacks that could almost certainly have been prevented. Vulnerabilities in a production environment can be costly to remedy, while Rational AppScan helps to uncover and fix flaws during the development process, reducing cost and risk. Rational AppScan offers static and dynamic security testing in all stages of application development.

SAP uses Rational AppScan Standard Edition, and the full product range extends to cover a variety of business needs:
- AppScan Build Edition embeds Web application security testing into the build management workflow.
- AppScan Enterprise Edition provides a Web application vulnerability testing and reporting solution used to scale security testing.
- AppScan Express Edition delivers affordable Web application security for smaller organizations.
- AppScan OnDemand identifies and prioritizes Web application security vulnerabilities that may be apparent, delivered via the SaaS model.
- AppScan OnDemand Production Site Monitoring enables consistent and continuous monitoring of production Web content and sites for vulnerabilities via the SaaS model.
The role of JavaScript in modern Web applications is becoming more important as technologies such as AJAX, HTML5 and the Dojo toolkit grow more common. The JavaScript Analyzer makes AppScan one of the first tools capable of detecting a range of client-side security issues. Until now, these issues were thought to be very common, but with no tool to find them there was no hard evidence and no way to build defenses. AppScan is also able to apply both black-box and white-box testing in the same scan.
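The DOM-based XSS pattern described above, as an added illustration that is not part of the IBM/SAP paper and not AppScan's own code: a value from an untrusted browser source (in a real page, something like location.hash) is concatenated into markup destined for an HTML sink, and the same rendering with the value escaped first. The second half models, at run time, the source/sanitizer/sink reasoning a static taint analyzer applies at scan time. The sample input and all function names are constructed for this example, and the block runs under Node.js without a browser.

```javascript
// Added example (not from the IBM/SAP paper): DOM-based XSS as a
// source -> sink problem, plus a toy taint model of the check that a
// static analyzer performs. Everything here is constructed for illustration.

// Constructed untrusted input: what an attacker could place in the URL
// fragment that a page later reads via location.hash.
const CONSTRUCTED_HASH = '<img src=x onerror="alert(1)">';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Sanitizer: turns HTML metacharacters into entities so the browser renders
// the value as text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted value goes straight into markup that a
// page would assign to element.innerHTML.
function renderGreetingVulnerable(nameFromHash) {
  return '<p>Welcome back, ' + nameFromHash + '!</p>';
}

// Hardened pattern: identical markup, but the value is escaped before it
// reaches the HTML sink.
function renderGreetingSafe(nameFromHash) {
  return '<p>Welcome back, ' + escapeHtml(nameFromHash) + '!</p>';
}

// Toy taint model: a value read from a source carries a taint flag until a
// sanitizer clears it; the sink refuses anything still tainted. A static
// analyzer reports exactly these source-to-sink paths without running code.
class Tainted {
  constructor(value, sanitized = false) {
    this.value = value;
    this.sanitized = sanitized;
  }
}
function fromSource(raw) { return new Tainted(raw, false); }
function sanitize(tainted) { return new Tainted(escapeHtml(tainted.value), true); }
function innerHtmlSink(value) {
  if (value instanceof Tainted && !value.sanitized) {
    throw new Error('unsanitized value from an untrusted source reached the innerHTML sink');
  }
  return value instanceof Tainted ? value.value : value;
}

// Check helper: does the rendered markup still contain a live tag of this name?
function containsLiveTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

console.log('vulnerable:', renderGreetingVulnerable(CONSTRUCTED_HASH));
console.log('safe:      ', renderGreetingSafe(CONSTRUCTED_HASH));
```

The point of the taint model is that the sanitizer, not the sink, is what changes the verdict: the same string is accepted once it has passed through escapeHtml, which is why a static analyzer needs to know which functions count as sanitizers for a given sink.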
Proof of validity

To test the validity of the claims for Rational AppScan, SAP performed an external audit and penetration test on Duet software. The team then compared the results of the manual test against the automated findings generated by Rational AppScan. The comparison was designed to detect and reproduce the vulnerabilities discovered by the manual test, and highlight the appropriate areas of the source code. Rational AppScan succeeded in locating all the vulnerabilities discovered manually, identified additional concerns, and pinpointed the source code responsible in just a few hours.

The AppScan findings are highly accurate, with very few false positives, which saves a great deal of time when evaluating an application. The audit reporting and the ability to provide full traceability of errors feature high on the list of time- and cost-saving functionalities.

During software development itself, the developers themselves are responsible for testing. The SAP IT team provides developers with Rational AppScan testing services, which can be booked internally. For those developers who choose to test during development, the results are used during the software validation process. If the core team is involved in testing, software validation can be completed more quickly, reducing SAP's time to market with new solutions.

If Rational AppScan is not involved during the software development process, developers have to run their own manual tests and provide documentation explaining why their test results are acceptable. Based on those documents, the testing team makes its plan for software validation, usually a longer process than where products have involved Rational AppScan at an early stage.

AppScan Standard was integrated into SAP's product development process, and the powerful reporting functionality is used to analyze results and generate recommendations for developers.
For example, after an application scan with Rational AppScan, the team schedules a workshop with the development team. Rational AppScan generates an application profile with SAP-specific main issues, aimed at SAP standard requirements. With the reduced testing time and effort that using Rational AppScan provides, SAP is able to develop more Web applications more quickly, and bring them to market. As a result of these benefits, SAP purchased additional Rational AppScan licenses, expanding its footprint to eight users in total, in India, Israel and Germany.
Business benefits

In the future, combinations of dynamic and static analyses present new possibilities for SAP. This hybrid analysis is completed using the JavaScript Analyzer. During a test, both the black-box tests (the normal HTTP tests provided by AppScan Standard Edition) and white-box tests (via static analysis of the JavaScript code by the JSA component) are run. The black-box and white-box test results are correlated through the Reporting Console. The correlation highlights specific weak points identified by both scanning technologies. Such double weaknesses can be considered to be a genuine risk, to be fixed as rapidly as possible.

Under the previous manual testing processes, the SAP team knew that its 60 or so test case descriptions did not cover all requirements. Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented. With Rational AppScan, the SAP team now has a significantly higher degree of test coverage.

Product complexity affects test duration, which can range from fractions of a second to several minutes for each URL. Rational AppScan can also test by starting with an initial URL and then testing all the pages that can be reached, somewhat in the manner of a search engine crawling linked Web pages. The tools include the ability to exclude or include certain pages, directories or areas of a website, and single pages can be specified for test. To accelerate testing, the IBM team implemented an adaptive approach: if test failures exceed pre-set limits, the test sequence is halted. This method reduces the time spent on test runs, accelerating total throughput and increasing efficiency.

Rational AppScan has integrated seamlessly into SAP's processes, as it automates a component of existing workflows rather than requiring change. From initial adoption, usage has exploded as the benefits have become clear, particularly since the number of Web applications is growing continuously.
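The two mechanisms in this section, correlating black-box and white-box results so that issues found by both engines surface first, and halting a test sequence once failures pass a pre-set limit, as an added example. This is not the paper's or IBM's code and it does not use the AppScan Reporting Console; the finding shapes, URLs, file names and test cases are constructed for illustration, and the priority scheme (P1 for issues confirmed by both engines, P2 for dynamic-only, P3 for static-only) is an assumption chosen to match the paper's point that double weaknesses are genuine risk.

```javascript
// Added example, not code from the paper or from IBM: a small model of the
// hybrid workflow described in the text. All data below is constructed.

// Constructed black-box (dynamic) findings, as a runtime scan would report
// them: endpoint, parameter and issue class, with no code location.
const CONSTRUCTED_DYNAMIC_FINDINGS = [
  { url: 'https://app.example/search?q=test', param: 'q', type: 'xss' },
  { url: 'https://app.example/login', param: 'User', type: 'sqli' },
];

// Constructed white-box (static) findings: same issue classes, tied to a
// source location, sometimes in code no runtime test reached.
const CONSTRUCTED_STATIC_FINDINGS = [
  { url: 'https://app.example/search/', param: 'q', type: 'xss', file: 'search.js', line: 42 },
  { url: 'https://app.example/profile', param: 'bio', type: 'xss', file: 'profile.js', line: 17 },
];

// Canonical endpoint: origin plus path, no query, no fragment, no trailing
// slash, so that slightly different URLs from the two engines line up.
function normalizeUrl(url) {
  const u = new URL(url);
  return u.origin + u.pathname.replace(/\/+$/, '');
}

// Correlation key: endpoint, parameter (case-insensitive) and issue class.
function findingKey(f) {
  return [normalizeUrl(f.url), f.param.toLowerCase(), f.type].join('|');
}

// Merge both result sets. Issues reported by both engines are the confirmed
// "double weaknesses" (P1); dynamic-only issues were reachable at runtime but
// lack a code location (P2); static-only issues may sit in unreachable code
// and are queued for review (P3). The assumed scheme is ours, not the paper's.
function correlateFindings(dynamicFindings, staticFindings) {
  const merged = new Map();
  for (const f of dynamicFindings) {
    const k = findingKey(f);
    merged.set(k, { ...(merged.get(k) || {}), dynamic: f });
  }
  for (const f of staticFindings) {
    const k = findingKey(f);
    merged.set(k, { ...(merged.get(k) || {}), static: f });
  }
  const report = [];
  for (const [key, e] of merged) {
    const both = Boolean(e.dynamic && e.static);
    const ref = e.dynamic || e.static;
    report.push({
      key,
      type: ref.type,
      param: ref.param.toLowerCase(),
      source: both ? 'both' : e.dynamic ? 'dynamic' : 'static',
      priority: both ? 'P1' : e.dynamic ? 'P2' : 'P3',
      location: e.static ? `${e.static.file}:${e.static.line}` : null,
    });
  }
  return report.sort((a, b) => a.priority.localeCompare(b.priority));
}

// Adaptive halting as the text describes it: run test cases in order and
// stop once failures exceed a pre-set budget, so a badly broken build does
// not consume a whole scan slot. Returns what was run and whether it halted.
function runWithFailureBudget(testCases, maxFailures) {
  const results = [];
  let failures = 0;
  for (const tc of testCases) {
    const passed = tc.run();
    results.push({ name: tc.name, passed });
    if (!passed) {
      failures += 1;
      if (failures > maxFailures) return { halted: true, failures, results };
    }
  }
  return { halted: false, failures, results };
}

// Constructed test cases: a pass/fail pattern that trips a budget of 1.
const CONSTRUCTED_TEST_CASES = [true, false, false, true, false].map((ok, i) => ({
  name: `case-${i + 1}`,
  run: () => ok,
}));

console.table(correlateFindings(CONSTRUCTED_DYNAMIC_FINDINGS, CONSTRUCTED_STATIC_FINDINGS));
console.log(runWithFailureBudget(CONSTRUCTED_TEST_CASES, 1));
```

The normalization step is where most real correlation work lives: without it, a query string on the dynamic side or a trailing slash on the static side would split one issue into two, and the confirmed finding would never reach the top of the list.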
"IBM Rational AppScan has a hugely positive impact on educating our developers with respect to avoiding vulnerabilities in Web applications."
Michael Neumaier, Senior Quality Specialist, SAP AG
SAP, Duet and all SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries. All other product and service names mentioned are the trademarks of their respective companies.

SAP Forward-looking Statement

Any statements contained in this document that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. Words such as anticipate, believe, estimate, expect, forecast, intend, may, plan, project, predict, should and will and similar expressions as they relate to SAP are intended to identify such forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. The factors that could affect SAP's future financial results are discussed more fully in SAP's filings with the U.S. Securities and Exchange Commission (SEC), including SAP's most recent Annual Report on Form 20-F filed with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates.
For more information:

To learn more about the solutions from IBM and SAP, visit: ibm-sap.com
For more information about SAP products and services, contact an SAP representative or visit: sap.com
For more information about IBM products and services, contact an IBM representative or visit: ibm.com

Contacts:
IBM: Stephan Rosche (stephan.rosche@de.ibm.com)
For further questions please contact the IBM SAP International Competency Center via isicc@de.ibm.com

Copyright IBM Corp. 2011. All Rights Reserved.
IBM Deutschland GmbH, D-70548 Stuttgart, ibm.com
Produced in Germany, December 2011

IBM, the IBM logo, ibm.com, i5/OS, DB2, Domino, FlashCopy, Lotus, Notes, POWER, POWER4, POWER5, POWER6, System i, System x, and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM trademarks is available on the Web at: http://www.ibm.com/legal/copytrade.shtml

UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product or service names may be trademarks, or service marks of others.

This brochure illustrates how IBM customers may be using IBM and/or IBM Business Partner technologies/services. Many factors have contributed to the results and benefits described. IBM does not guarantee comparable results.
All information contained herein was provided by the featured customer/s and/or IBM Business Partner/s. IBM does not attest to its accuracy. All customer examples cited represent how some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication is for general guidance only. Photographs may show design models. SPC03379-DEEN-00