Web Application Security: AppScan Tutorial
Recently I was approached to write a security tutorial for the IBM developerWorks website, specifically about IBM Rational AppScan. AppScan is the leading commercial web application (and infrastructure) vulnerability scanning tool, which IBM acquired from Watchfire last year. I ended up writing a fairly lengthy tutorial, 7000 words plus, which explains why my blog entries have been relatively sparse in recent weeks.
The tutorial, “Create secure Java applications productively, Part 2”, has been uploaded on the IBM developerWorks website:
http://www.ibm.com/developerworks/edu/r-dw-r-appscan2.html.
Or you may download a copy directly from here: r-appscan2-pdf.pdf
The tutorial follows on from an initial tutorial, which involved the creation of an Internet-facing Java web application using IBM Rational Application Developer and Data Studio. To briefly sum up, my tutorial covers a web application security overview, how to install AppScan, how to configure a scan, interpreting the scan results, fixing web vulnerabilities and producing reports.
The importance of using a tool like AppScan to test and check web applications becomes clear when you consider the increasing number of attacks and actual data breaches occurring at the web application layer, as opposed to the traditional attacks at the network layer. For instance, today I find most people I speak with have now heard of web application vulnerability terms like Cross Site Scripting (XSS) and SQL Injection, as opposed to the situation a couple of years back, yet these sorts of issues still aren't being tested for or resolved by web app developers.
In recent times there has been an explosion of web applications (yes, the so-called Web 2.0 - go on, I said it!), with many organisations taking advantage of writing web applications not only to save a bundle on development costs, but so their applications can be placed on the Internet to meet an increased demand for sharing and accessing information.
If you are producing an Internet-based web application which processes or holds sensitive information, you have a duty of care to ensure your web application is properly tested against as many security vulnerabilities as possible during the development cycle. Although a product like AppScan can never guarantee 100% security (BTW nothing can!), in my view it can significantly reduce the number of web application vulnerabilities within the final web application code and thus reduce the risk of the web application and its information being exploited.
If you are interested in web application security, read the first section of the tutorial or visit websites such as http://www.owasp.org/ or http://www.webappsec.org
Labels: Web app application security watchfire ibm rational tutorial developerworks
6 Comments:
Well written tutorial! Thanks for sharing.
Thanks for the positive comments, it encourages me to write more!
Great stuff. Keep writing...
Could not get to the tutorial. The IBM link is broken and the direct link contains a pdf with a lot of stuff missing. Could you correct this, or post a working link please - Thanks.
The link is still working; it is probably because you haven't signed into the IBM website, which is required to access it.
I have just accessed it with the following direct link, but note I'm logged into the IBM site.
https://www6.software.ibm.com/developerworks/education/r-appscan2/
I hope that helps; if you still have issues, drop me an email and I'll email the actual PDF to you.
Thanks
Dave
PS IBM Rational AppScan is still my favourite Web Application Vulnerability scanning tool.
Further Update: I have updated the PDF hosted on my site.
http://www.itsecurityexpert.co.uk/downloads/r-appscan2-pdf.pdf
Looks like the PDF file had become corrupted, but it has now been restored. Thanks for letting me know.