Monday 12 May 2008

Web Application Security: AppScan Tutorial

Recently I was approached to write a security tutorial for the IBM developerWorks website, specifically about IBM Rational AppScan. AppScan is the leading commercial Web Application (and infrastructure) vulnerability scanning tool, which IBM acquired from WatchFire last year. I ended up writing a fairly lengthy tutorial, 7000 words plus, which goes some way to explaining why my blog entries have been relatively sparse in recent weeks.

The tutorial, called "Create secure Java applications productively, Part 2", has been uploaded to the IBM developerWorks website.

http://www.ibm.com/developerworks/edu/r-dw-r-appscan2.html.

Or you may download a copy directly from here: r-appscan2-pdf.pdf

The tutorial follows on from an initial tutorial, which involved the creation of an Internet-facing Java Web Application using IBM Rational Application Developer and Data Studio. To briefly sum up my tutorial, it covers a Web Application Security overview, how to install AppScan, how to configure a scan, interpreting the scan results, fixing web vulnerabilities and producing reports.

The importance of using a tool like AppScan to test and check web applications becomes clear when you consider the increasing number of attacks and actual data breaches occurring at the web application layer, as opposed to the traditional attacks at the network layer. For instance, today I find most people I speak with have now heard of Web Application vulnerability terms like Cross Site Scripting (XSS) and SQL Injection, as opposed to the situation a couple of years back, yet these sorts of issues still aren't being tested for or resolved by web app developers.

In recent times there has been an explosion of web applications (yes, the so-called Web 2.0 - go on, I said it!), with many organisations taking advantage of writing web applications not only to save a bundle on development cost, but so their applications can be placed on the Internet to meet an increased demand for sharing and accessing information.

If you are producing an Internet-based web application which processes or holds sensitive information, you have a duty of care to ensure your web application is properly tested against as many security vulnerabilities as possible during the development cycle. Although a product like AppScan can never guarantee 100% security (BTW nothing can!), in my view it can significantly reduce the number of web application vulnerabilities within the final web application code and thus reduce the risk of the web application and its information being exploited.

If you are interested in Web Application Security, read the first section of the tutorial or visit websites such as http://www.owasp.org/ or http://www.webappsec.org

27 comments:

Anonymous said...

Well written tutorial! Thanks for sharing.

SecurityExpert said...

Thanks for the positive comments, it encourages me to write more!

Anonymous said...

Great stuff. Keep writing...

Anonymous said...

Could not get to the tutorial. The IBM link is broken and the direct link contains a pdf with a lot of stuff missing. Could you correct this, or post a working link please - Thanks.

SecurityExpert said...

The link is still working; it is probably because you haven't signed into the IBM website, which is required to access it.

I have just accessed it with the following direct link, but note I'm logged into the IBM site.

https://www6.software.ibm.com/developerworks/education/r-appscan2/

I hope that helps. If you still have issues, drop me an email and I'll email the actual PDF to you.

Thanks

Dave

PS IBM Rational AppScan is still my favourite Web Application Vulnerability scanning tool.

SecurityExpert said...

Further Update: I have updated the PDF hosted on my site.

http://www.itsecurityexpert.co.uk/downloads/r-appscan2-pdf.pdf

Looks like the PDF file had become corrupted, but it has now been restored. Thanks for letting me know.

Unknown said...

Hi Friend

Such a Nice post

web development company

Thanks
Royal

smitha said...

It was just amazing information sharing and it's helpful for everyone.
- http://www.zaphonprom.com/

William Wagner said...

Security is the most important thing to remember in creating a website. Thanks for the info.

long island seo

web design company said...

That was really a helpful tutorial about web application security. It will be really interesting to know more about. Thanks for sharing!

Anonymous said...

Security, especially in today's influx of hackers, is a main concern among web developers.

White Label SEO

Web Design Services said...

It's a really amazing and informative post. It's very useful for everyone, so I am thankful to you for sharing such helpful knowledge with us.
- web design services

Cameron said...

I've been using tools to ensure my website security, but I'll try this out. Thanks for sharing!

web hosting uk said...

I've been using tools to ensure my website security, but I'll try this out. Thanks for sharing!

reseller hosting services said...

Scanning an app over the network can be done using Cloud. I think the power of cloud can almost do everything.

cleaners edinburgh said...

This text is worth everyone's attention. Your views truly open my mind.

Website Development Company said...

Nice information. I love this type of post and I will also share this with my friends and Website Development Company.

Unknown said...

Thanks for contributing your important time to post such an interesting and useful collection. It is knowledgeable, and resources like this are always of great need to everyone. Please keep on sharing.

Website development Kansas City

Unknown said...

This app scan tutorial is best for learning. I learn lots of things from here. Web apps developers service

zohaib said...

ssayist for Mac. You can without much of a stretch alter content, pictures and connections. It will naturally identify the textual style, size, and haziness of the first content, so you can make alters effortlessly. Collaborate with customers and colleagues by adding notes and remarks to

zohaib said...

From the primary archive you select, PDF Expert springs vigorously with smooth looking over and quick. Select the most applicable format to rapidly fulfill your assignment, regardless of whether you analyze 100 page contracts or read a short article. Have to deal with a bountiful measure of diary articles, and

Asad Ali said...

Really helpful. Thanks

notepad++ windows 7 said...

Thanks for making and sharing this wonderful blog. I like it a lot.

White Label SEO said...

Great informative blog. Thank you so much to share. I will share it with my friends too.

Jonny Kumar said...

I am very thankful to you as your article has given me lots of ideas. Such great information you have shared through this article; it is a really helpful technique. You did a really good job. Thanks for sharing. Keep up the good work.

White Label SEO Services said...

Thank you, this is a great article on cybersecurity. Cybersecurity is one of the most prominent issues in the current era. The threats keep on increasing and we constantly need to look more closely at being secure on the internet.

Jeriel Cameo said...

Thanks for this tutorial! Cybersecurity is important because it protects all categories of data from theft and damage.