Monday, 12 May 2008

Web Application Security: AppScan Tutorial

Recently I was approached to write a security tutorial for the IBM developerWorks website, specifically about IBM Rational AppScan. AppScan is the leading commercial web application (and infrastructure) vulnerability scanning tool, which IBM acquired from Watchfire last year. I ended up writing a fairly lengthy tutorial, 7000 words plus, which goes some way to explaining why my blog entries have been relatively sparse in recent weeks.

The tutorial, “Create secure Java applications productively, Part 2”, has been uploaded to the IBM developerWorks website.

http://www.ibm.com/developerworks/edu/r-dw-r-appscan2.html.

Or you may download a copy directly from here: r-appscan2-pdf.pdf

The tutorial follows on from an initial tutorial, which involved the creation of an Internet-facing Java web application using IBM Rational Application Developer and Data Studio. To briefly sum up my tutorial: it covers a web application security overview, how to install AppScan, how to configure a scan, interpreting the scan results, fixing web vulnerabilities, and producing reports.

The importance of using a tool like AppScan to test and check web applications becomes clear when you consider the increasing number of attacks and actual data breaches occurring at the web application layer, as opposed to the traditional attacks at the network layer. For instance, today I find most people I speak with have now heard of web application vulnerability terms like Cross-Site Scripting (XSS) and SQL injection, unlike the situation a couple of years back, yet these sorts of issues still aren't being tested for or resolved by web application developers.

In recent times there has been an explosion of web applications (yes, the so-called Web 2.0; go on, I said it!), with many organisations taking advantage of writing web applications not only to save a bundle on development cost, but so that their applications can be placed on the Internet to meet an increased demand for sharing and accessing information.

If you are producing an Internet-based web application which processes or holds sensitive information, you have a duty of care to ensure your web application is properly tested against as many security vulnerabilities as possible during the development cycle. Although a product like AppScan can never guarantee 100% security (BTW, nothing can!), in my view it can significantly reduce the number of vulnerabilities within the final web application code, and thus reduce the risk of the web application and its information being exploited.

If you are interested in web application security, read the first section of the tutorial or visit websites such as http://www.owasp.org/ or http://www.webappsec.org

27 comments:

  1. Well written tutorial! Thanks for sharing.

  2. Thanks for the positive comments, it encourages me to write more!

  3. Great stuff. Keep writing...

  4. Could not get to the tutorial. The IBM link is broken and the direct link contains a pdf with a lot of stuff missing. Could you correct this, or post a working link please - Thanks.

  5. The link is still working, it is probably because you haven't signed into IBM website, which is required to access it.

    I have just accessed it with the following direct link, but note I'm logged into the IBM site.

    https://www6.software.ibm.com/developerworks/education/r-appscan2/

    I hope that helps; if you still have issues, drop me an email and I'll email the actual PDF to you.

    Thanks

    Dave

    PS IBM Rational AppScan is still my favourite Web Application Vulnerability scanning tool.

  6. Further Update: I have updated the PDF hosted on my site.

    http://www.itsecurityexpert.co.uk/downloads/r-appscan2-pdf.pdf

    Looks like the PDF file had become corrupted, but it has now been restored. Thanks for letting me know.

  7. It was just amazing information sharing and it's helpful for everyone.
    - http://www.zaphonprom.com/

  8. Security is the most important thing to remember in creating a website. Thanks for the info.

    long island seo

  9. That was really a helpful tutorial about web application security. It will be really interesting to know about. Thanks for sharing!

  10. Security, especially in today's influx of hackers, is a main concern among web developers.

    White Label SEO

  11. It's a really amazing and informative post. It's very useful for everyone, so I am thankful to you for sharing such helpful knowledge with us.
    - web design services

  12. I've been using tools to ensure my website security, but I'll try this out. Thanks for sharing!

  14. Scanning an app over the network can be done using Cloud. I think the power of cloud can almost do everything.

  15. This text is worth everyone's attention. Your views truly open my mind.

  16. Nice information, I love this type of post and I also share this with my friends and Website Development Company.

  17. Thanks for contributing your important time to post such an interesting & useful collection. It would be knowledgeable & resources are always of great need to everyone. Please keep on sharing.

    Website development Kansas City

  18. This AppScan tutorial is best for learning. I learned lots of things from here. Web apps developers service

  19. ssayist for Mac. You can without much of a stretch alter content, pictures and connections. It will naturally identify the textual style, size, and haziness of the first content, so you can make alters effortlessly. Collaborate with customers and colleagues by adding notes and remarks to

  20. From the primary archive you select, PDF Expert springs vigorously with smooth looking over and quick Select the most applicable format to rapidly fulfill your assignment, regardless of whether you analyze 100 page contracts or read a short article. have to deal with a bountiful measure of diary articles, and

  21. Thanks for making and sharing this wonderful blog. I like it a lot.

  22. Great informative blog. Thank you so much to share. I will share it with my friends too.

  23. I am very thankful to you as your article has given me lots of ideas. Such great information you have shared through this article; it is a really helpful technique. You did a really good job. Thanks for sharing. Keep up the good work.

  24. Thank you, this is a great article on cybersecurity. Cybersecurity is one of the most prominent issues in the current era. The threats keep on increasing and we constantly need to look more closely at being secure on the internet.

  25. Thanks for this tutorial! Cybersecurity is important because it protects all categories of data from theft and damage.


Any comments with weblinks, or promoting/advertising company products and services will be rejected