IBM Rational AppScan and IBM ISS Proventia IPS GX5108 combine proactive application vulnerability scanning with live IPS attack reports to provide powerful Web application protection.
Most organizations have embraced the Web to some extent to provide
user-friendly applications for employees, customers and partners. However,
while Web 2.0 collaboration technologies can increase productivity, they also
provide a larger attack surface for miscreants.
In its 2008 Trend and Risk Report, IBM's
Internet Security Systems X-Force group reported that 54.9 percent of all
disclosed vulnerabilities in 2008 were Web application vulnerabilities, and of those
Web application vulnerabilities, 74 percent had no patch by the end of 2008.
As luck would have it, IBM's ISS team
offers, alongside these statistics, a comprehensive solution that sets out to
address the dangers presented by publicly available Web applications by
protecting code and data through the entire life cycle of development, testing,
production and upgrades. IBM's Web
Application Protection is a tightly knit combination of top-notch products,
including IBM's Rational AppScan, ISS
Proventia Intrusion Protection System, SiteProtector security management
console and SecurityFusion module for SiteProtector.
IBM's Rational AppScan is a
comprehensive, accurate and educational vulnerability assessment tool for
securing Web applications. Rational AppScan includes high-quality information
regarding each security issue detected, including video presentations, links to
advisories, corrective actions, and detailed examples of vulnerable code and
potentially successful attacks-all of which makes it easier to infuse security
into your development processes.
The company's Proventia IPS GX5108 is a
proven network IPS preconfigured with Web
application protection rules that performed well when tested under load in
eWEEK Labs' tests.
These two products, when combined under the umbrella of IBM's
Proventia Management SiteProtector software, provided much needed security
insight alongside powerful mechanisms for developing and deploying secure Web
applications. I recommend that organizations looking to protect their Web
applications put this IBM package on their
evaluation short lists. Existing IBM
security customers should not hesitate to add the SecurityFusion Module to
their existing SiteProtector environment.
The Proventia IPS Gx5108 is priced at
$57,995. Pricing for the Proventia IPS is
based on the amount of bandwidth protected and the number of protected
segments. AppScan starts at $8,700 for a single-user, fixed-term license (one
year); this price includes software subscription and support.
IBM Rational AppScan
IBM's Rational AppScan provides
application scanning coverage for the latest Web 2.0 technologies, including
It was very easy to get started with Rational AppScan. I installed the
software on my Windows Vista 64 workstation without a hitch, and immediately
took note of prebuilt test templates covering regular, quick-and-light, and
comprehensive test scenarios. I could use one of these templates as a starting
point or create my own scan from scratch.
I created my own scan by clicking New Scan, Web Application Scan (the other
choice is Web Services Scan), and then assigning a start URL before training
AppScan with the proper authentication mechanisms and credentials and
selecting "vital few," "invasive" or "complete" test policy options.
I started the scan on full auto, and watched as the engine spidered my test
site to find all pages and build out a site tree along the left-hand column of
the AppScan interface. The product's Scan Expert started the audit with a wide
range of tests, logging the vulnerabilities it located, arranged by severity,
in a central window. I could scan a Web application to see if it is hosting
malware or linking to a site that is.
When the scan was over, I saved the results and decided to dig deeper. The
tabbed interface at the bottom of the application window held the bulk of the
scan information. The tabs grew more detailed as they ran from left to right,
starting with a high-level explanation of the exploit; typical ways that it
could be used to hack code; links to advisories, educational videos
and specific fix recommendations; and the exact request/response code that
was used in the test.
The product placed all the information required to diagnose, correct and
educate to prevent particular vulnerabilities from resurfacing right at my
fingertips. I could designate particular alerts as false positives, and I could
log defects to a common defect tracking solution, such as ClearQuest, where it
would appear in a developer's to do list complete with remediation
Reporting in AppScan is excellent-it's fully customizable, automated,
tweakable and available in a variety of formats. The product's coolest
reporting feature enabled me to develop Microsoft Word report templates that
would populate themselves with AppScan data.
Matthew D. Sarrel, CISSP, is a network security,product development, and technical marketingconsultant based in New York City. He is also a gamereviewer and technical writer. To read his opinions on games please browse http://games.mattsarrel.com and for more general information on Matt, please see http://www.mattsarrel.com.