Monday, 12 May 2008

Web Application Security: AppScan Tutorial

Recently I was approached to write a security tutorial for the IBM developerWorks website, specifically about IBM Rational AppScan. AppScan is a leading commercial web application (and infrastructure) vulnerability scanning tool, which IBM acquired from Watchfire last year. I ended up writing a fairly lengthy tutorial of over 7,000 words, which goes some way to explaining why my blog entries have been relatively sparse in recent weeks.

The tutorial is called "Create secure Java applications productively, Part 2" and has been uploaded to the IBM developerWorks website:

http://www.ibm.com/developerworks/edu/r-dw-r-appscan2.html.

Or you may download a copy directly from here: r-appscan2-pdf.pdf

The tutorial follows on from an initial tutorial, which involved creating an Internet-facing Java web application using IBM Rational Application Developer and Data Studio. To briefly sum up my tutorial: it covers a web application security overview, how to install AppScan, how to configure a scan, how to interpret the scan results, how to fix the web vulnerabilities found, and how to produce reports.

The importance of using a tool like AppScan to test and check web applications becomes clear when you consider the increasing number of attacks and actual data breaches occurring at the web application layer, as opposed to the traditional attacks at the network layer. For instance, today I find most people I speak with have now heard of web application vulnerability terms like Cross-Site Scripting (XSS) and SQL Injection, whereas a couple of years back they had not, yet these sorts of issues still aren't being tested for or resolved by web application developers.
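The two flaws named above, as an added illustration that is not code from the tutorial or from AppScan (the tutorial's own code is Java; this uses Python's built-in sqlite3 and html modules so it runs without a database server). The users table and the probe payloads are constructed for the example, and looks_injectable is a simplified differential probe of the kind a black-box scanner performs, not AppScan's actual detection logic. It shows the vulnerable query and page beside their fixed forms, and why the fix (parameterised queries, output encoding) rather than input blacklisting is what makes the probe stop firing.

```python
import html
import sqlite3

# Constructed sample data for the example (not from the tutorial).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, name):
    """SQL injection: untrusted input is concatenated into the query text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_fixed(conn, name):
    """Parameterised query: the value travels separately from the SQL text,
    so a quote in the input can never change the statement's structure."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_vulnerable(name):
    """Reflected XSS: untrusted input written into the HTML body unencoded."""
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name):
    """Output encoding for the HTML body context (escapes < > & " ')."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def looks_injectable(conn, lookup):
    """Simplified differential probe in the spirit of a black-box scanner
    (assumed approach, not AppScan's): a name that matches nothing must
    still match nothing after a SQL tautology is appended. Extra rows
    mean the tautology was interpreted as SQL."""
    baseline = lookup(conn, "nosuchuser")
    probe = lookup(conn, "nosuchuser' OR '1'='1")
    return len(probe) > len(baseline)


def looks_xss(render):
    """Probe for reflected XSS: does a marker tag survive rendering intact?"""
    marker = "<zz-probe>"
    return marker in render(marker)


if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("vulnerable", lookup_email_vulnerable), ("fixed", lookup_email_fixed)):
        print(f"SQL lookup {label}: injectable={looks_injectable(conn, fn)}")
    for label, fn in (("vulnerable", greeting_vulnerable), ("fixed", greeting_fixed)):
        print(f"greeting {label}: xss={looks_xss(fn)}")
```

Note that the probes only report what they can provoke from the outside: a scanner finds injection and XSS this way, but an authorisation or business-logic flaw produces no such differential and still needs a code review or manual test.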

In recent times there has been an explosion of web applications (yes, the so-called Web 2.0; go on, I said it!), with many organisations taking advantage of writing web applications not only to save a bundle on development cost, but so their applications can be placed on the Internet to meet the increased demand for sharing and accessing information.

If you are producing an Internet-based web application which processes or holds sensitive information, you have a duty of care to ensure your web application is properly tested against as many security vulnerabilities as possible during the development cycle. Although a product like AppScan can never guarantee 100% security (BTW, nothing can!), in my view it can significantly reduce the number of web application vulnerabilities within the final web application code and thus reduce the risk of the web application and its information being exploited. Bear in mind that a black-box scanner finds the classes of flaw it can provoke from outside, such as injection and XSS; authorisation and business-logic flaws still need a code review or a manual test.

If you are interested in web application security, read the first section of the tutorial or visit websites such as http://www.owasp.org/ or http://www.webappsec.org

22 comments:

Bogdan Dragomir said...

Well written tutorial! Thanks for sharing.

Dave Whitelegg CISSP said...

Thanks for the positive comments, it encourages me to write more!

Anonymous said...

Great stuff. Keep writing...

Anonymous said...

Could not get to the tutorial. The IBM link is broken and the direct link contains a pdf with a lot of stuff missing. Could you correct this, or post a working link please - Thanks.

Dave Whitelegg said...

The link is still working; it is probably because you haven't signed into the IBM website, which is required to access it.

I have just accessed it with the following direct link, but note I'm logged into the IBM site.

https://www6.software.ibm.com/developerworks/education/r-appscan2/

I hope that helps; if you still have issues, drop me an email and I will email the actual PDF to you.

Thanks

Dave

PS IBM Rational AppScan is still my favourite Web Application Vulnerability scanning tool.

Dave Whitelegg said...

Further Update: I have updated the PDF hosted on my site.

http://www.itsecurityexpert.co.uk/downloads/r-appscan2-pdf.pdf

Looks like the PDF file had become corrupted, but it has now been restored; thanks for letting me know.

royal said...

Hi Friend

Such a Nice post

web development company

Thanks
Royal

smitha said...

It was just amazing information sharing and it's helpful for everyone.
- http://www.zaphonprom.com/

William said...

Security is the most important thing to remember in creating a website. Thanks for the info.

long island seo

web design company said...

That was really a helpful tutorial about the web application tutorial. It will be really interesting to know about. Thanks for sharing!

resort reservations said...

it was just informative news and thanks for sharing such a useful information.
- resort reservations

Anonymous said...

Security, especially in today's influx of hackers, is a main concern among web developers.

White Label SEO

Web Design Services said...

It's a really amazing and informative post. It's very useful for everyone, so I am thankful to you for sharing such helpful knowledge with us.
- web design services

Cameron said...

I've been using tools to ensure my website security, but I'll try this out. Thanks for sharing!

web hosting uk said...

I've been using tools to ensure my website security, but I'll try this out. Thanks for sharing!

reseller hosting services said...

Scanning an app over the network can be done using Cloud. I think the power of cloud can almost do everything.

pivotal crm said...

Really amazing blog, and I am thankful to you for sharing such useful information.
- Pivotal CRM

cleaners edinburgh said...

This text is worth everyone's attention. Your views truly open my mind.

Website Development Company said...

Nice information. I love this type of post and I also shared this with my friends and Website Development Company.

Graham Flaherty said...

Thanks for contributing your important time to post such an interesting & useful collection. It is knowledgeable, & such resources are always of great need to everyone. Please keep sharing.

Website development Kansas City

James Martin said...

This AppScan tutorial is best for learning. I learned lots of things from here. Web apps developers service

Dev Soft said...

An offshore software development company provides various solutions to the western world at a cost-effective price.
The businesses don't compromise on quality and even complete the work within the timeframe.
Integrator and offshore development expertise in Lyon