Most organizations have embraced the Web to some extent to provide user-friendly applications for employees, customers and partners. However, while Web 2.0 collaboration technologies can increase productivity, they also provide a larger attack surface for miscreants.
In its 2008 Trend and Risk Report, IBM’s Internet Security Systems X-Force group reported that 54.9 percent of all disclosed vulnerabilities in 2008 were Web application vulnerabilities, and of those Web application vulnerabilities, 74 percent had no patch by the end of 2008.
As luck would have it, IBM’s ISS team offers, alongside these statistics, a comprehensive solution that sets out to address the dangers presented by publicly available Web applications by protecting code and data through the entire life cycle of development, testing, production and upgrades. IBM’s Web Application Protection is a tightly knit combination of top-notch products, including IBM’s Rational AppScan, ISS Proventia Intrusion Protection System, SiteProtector security management console and SecurityFusion module for SiteProtector.
IBM’s Rational AppScan is a comprehensive, accurate and educational vulnerability assessment tool for securing Web applications. Rational AppScan includes high-quality information regarding each security issue detected, including video presentations, links to advisories, corrective actions, and detailed examples of vulnerable code and potentially successful attacks-all of which makes it easier to infuse security into your development processes.
The company’s Proventia IPS GX5108 is a proven network IPS preconfigured with Web application protection rules that performed well when tested under load in eWEEK Labs’ tests.
These two products, when combined under the umbrella of IBM’s Proventia Management SiteProtector software, provided much needed security insight alongside powerful mechanisms for developing and deploying secure Web applications. I recommend that organizations looking to protect their Web applications put this IBM package on their evaluation short lists. Existing IBM security customers should not hesitate to add the SecurityFusion Module to their existing SiteProtector environment.
The Proventia IPS Gx5108 is priced at $57,995. Pricing for the Proventia IPS is based on the amount of bandwidth protected and the number of protected segments. AppScan starts at $8,700 for a single-user, fixed-term license (one year); this price includes software subscription and support.
IBM Rational AppScan
It was very easy to get started with Rational AppScan. I installed the software on my Windows Vista 64 workstation without a hitch, and immediately took note of prebuilt test templates covering regular, quick-and-light, and comprehensive test scenarios. I could use one of these templates as a starting point or create my own scan from scratch.
I created my own scan by clicking New Scan, Web Application Scan (the other choice is Web Services Scan), and then assigning a start URL before training AppScan with the proper authentication mechanisms and credentials and selecting “vital few,” “invasive” or “complete” test policy options.
I started the scan on full auto, and watched as the engine spidered my test site to find all pages and build out a site tree along the left-hand column of the AppScan interface. The product’s Scan Expert started the audit with a wide range of tests, logging the vulnerabilities it located, arranged by severity, in a central window. I could scan a Web application to see if it is hosting malware or linking to a site that is.
When the scan was over, I saved the results and decided to dig deeper. The tabbed interface at the bottom of the application window held the bulk of the scan information. The tabs grew more detailed as they ran from left to right, starting with a high-level explanation of the exploit; typical ways that it could be used to hack code; links to advisories, educational videos and specific fix recommendations; and the exact request/response code that was used in the test.
The product placed all the information required to diagnose, correct and educate to prevent particular vulnerabilities from resurfacing right at my fingertips. I could designate particular alerts as false positives, and I could log defects to a common defect tracking solution, such as ClearQuest, where it would appear in a developer’s to do list complete with remediation instructions.
Reporting in AppScan is excellent-it’s fully customizable, automated, tweakable and available in a variety of formats. The product’s coolest reporting feature enabled me to develop Microsoft Word report templates that would populate themselves with AppScan data.
Proventia GX5108 IPS, SiteProtector
Proventia GX5108 IPS
IBM’s Proventia GX5108 is a 2U rack-mounted IPS device that can be equipped with eight 10/100/1000 adapters in any combination of copper or fiber port pairs. The GX5108 can protect four network segments in inline mode, comes equipped with redundant power supplies and storage, and can be clustered for high availability. Those who wish to deploy a single GX5108 can manage it through an able Web GUI. For larger deployments, the IPS can also be managed from IBM SiteProtector software, or through an outsourced management agreement with IBM Managed Security Services.
IBM Proventia Web application protection is an additional set of rules included in every Proventia IPS to help address and limit the primary sources of Web application and infrastructure attacks. Given the power of this product, I found installation and configuration to be mind-bogglingly easy. When I brought the GX5108 under management in SiteProtector, the product automatically installed recommended IBM X-Force policies (which thereafter updated automatically) and launched a Web Application Protection wizard to automate construction and implementation of additional security policies to protect custom Web applications.
I assessed the GX5108’s performance with BreakingPoint BPS 1K, a network load-generation tool known for its ability to thoroughly and accurately assess performance of security devices such as firewalls, IPSes and security switches. When configured with about 3,000 IPS rules enabled, the IBM device easily exceeded its rated 1.2G bps of total throughput with a maximum total throughput of 1.6G bps and maximum of 2.3 million concurrent TCP connections. Under a full SYN flood, the GX5108 still passed between 500M and 600M bps of legitimate traffic. I then used the full BreakingPoint strike pack (54158) to assess the GX5108’s ability to block attacks. The IPS blocked 131 of 136 Web application-specific attacks (of the overall 2,282 attacks).
Proventia Management SiteProtector
IBM Proventia Management SiteProtector is IBM’s security infrastructure management software. It’s a central console used to monitor, measure and manage agents on security devices, servers and workstations. I found it very easy to organize managed devices into groups and then set policy based on the type and severity of the event and the group of devices it affected.
As with IBM’s Rational AppScan, I found that reporting was again a strong point.
SiteProtector’s SecurityFusion module is the reporting component that fuses the individual solutions together. This free add-on component to SiteProtector typically runs on its own server and correlates vulnerability scans of applications from Rational AppScan with network intrusion events detected by the Proventia IPS GX5018.
Using the product’s graphical interface, I was able to build policies that specified which IP addresses to monitor and how to prioritize different events. Prioritization is key in developing an overall Web app security action plan. For instance, vulnerability fixes for inactive services can wait, but known, actively attacked vulnerabilities on outward-facing systems demand immediate attention.
Any security management platform of this caliber must have built-in mechanisms for ensuring and documenting regulatory compliance. Rational AppScan solutions include more than 40 standard security compliance reports, including PCI Data Security Standard, ISO 17799 and ISO 27001, HIPAA, GLBA, and Basel II.
With SecurityFusion, an organization gains a valuable tool that can measure and report compliance on such wide-ranging aspects of security as code development, server infrastructure, Web applications and network traffic. Given this wide scope, the product can provide IT departments with a rare opportunity to generate reports documenting regulatory compliance on the device, asset or code unit level, and directly show the ramifications to line-of-business activities.
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial services and consulting firm in New York.