Introduction to AppScan Enterprise

Slide 2: Contents
- The Application Security Problem
- What is AppScan Enterprise?
- Main Features
- How does AppScan Enterprise work?
- Key Concepts and Terminology
- User Interface Tour

Slide 3: The Web Application Security Reality
(Chart comparing where attacks land against where security spending goes; sources: Gartner, Watchfire)

Layer              % of Attacks   % of Security Spending
Web Applications   75%            10%
Network / Server   25%            90%

- 75% of all attacks on information security are directed at the web application layer.
- 2/3 of all web applications are vulnerable.

Slide 4: Web Application Security Challenges
1. Security team has become a bottleneck
2. Lack of control and visibility
3. Catching problems late in the cycle
4. Not monitoring deployed applications
5. Difficulty managing 3rd-party vendors

Slide 5: Web Application Security Evolution
- Unaware
- Outsourced: consultants, pen testing
- Tactical: manual efforts, desktop audit tools, 2-3 internal security experts
- Strategic: enterprise-wide scalable solution
Solving the problem requires a strategic approach.

Slide 6: What is AppScan Enterprise?
- SCALE: reuse and run multiple scans across applications
- INFORM: push reports to developers, QA, and non-security staff
- MONITOR: manage problem resolution through trending reports
Security Team: integrate web application security in the SDLC.

Slide 7: AppScan Enterprise Key Features & Benefits
1. Enterprise metrics and visibility
   - Increase visibility and better understand enterprise risks
2. Controlled, web-based application testing
   - Enable Development and QA to perform testing during the SDLC
   - Control what applications each user can test
3. Controlled, web-based report distribution
   - Easily distribute reports
   - Control the access to information
4. Issue management
   - Focus on fixing issues, not just finding issues

Slide 8: Multiple Report Levels
- Dashboards
- Report Pack Summaries
- Detailed Reports
- About this Report

Slide 9: Report Categories
- Inventory Reports: Broken Links, Hosts, Pages, etc.
- Security Reports: Application Security Issues, Infrastructure Security Issues, Remediation Tasks, Security Risk Assessment
- Compliance Reports: Safe Harbour, Sarbanes-Oxley Act (SOX), Visa CISP, etc.

Slide 10: User Roles and Access Permissions
Roles: Security Manager, Pen Tester, Developer, Compliance Officer
AppScan Enterprise lets you:
- Control access to information
- Assign user roles
- Specify what applications a user can scan
- Specify what types of tests a user can perform

Slide 11: What does AppScan Enterprise test for?
(Stack diagram, bottom to top)
- Network
- Operating System
- Applications
- Database
- Web Server
- Web Server Configuration
- Third-party Components
- Web Applications

Slide 12: How does AppScan Enterprise work?
- Traverses a web application
- Approaches an application as a black box
- Tests by sending modified HTTP requests
- Thousands of tests for identifying hundreds of vulnerabilities
(Diagram: AppScan Enterprise exchanges HTTP requests and responses with the web servers, which front the application and its databases)

Slide 13: AppScan Enterprise Architecture
Clients -> AppScan Enterprise -> Target Sites

Slide 14: Terminology
- Content Scan Job
- Infrastructure Scan Job
- Import Job
- Report Pack
- Dashboard
- Folder

Slide 15: Jobs, Report Packs, Reports & Dashboards
(Data-flow diagram)
- Job 1: Security Scan
- Job 2: Security Data Import
- Job 3: Security Scan
- Job 4: Infrastructure Scan
All jobs feed the Global Scan Data, from which Report Packs 1, 2 and 3 produce Reports, which are summarised in Dashboard 1 and Dashboard 2.

Slide 16: Web-Based User Interface
- Navigate to AppScan Enterprise, e.g. http://aseserver/appscan
- Enter your user name and password

Slide 17: Quick Scan vs. Advanced View
The UI mode is set in the user's properties.
Quick Scan View:
- Makes it easier to create a scan by abstracting complexity
- Leverages scan templates created by the administrator
- Reduces the scan configuration time
- Suitable for developers and QA specialists who create ad-hoc scans
Advanced View:
- Exposes all scan options
- Suitable for administrators and advanced users