Tuesday 8 November 2011

Integrating Security into the User's GUI - in this case, Rational AppScan Source inside AppScan Standard

Based on an SI engagement I'm currently involved in, which is focused on integrating AppScan Source and AppScan Standard findings, here is a pretty cool PoC of what we are doing there:

What you have in the screenshot above is a PoC showing AltoroJ's findings from IBM Rational AppScan Source (a SAST/WhiteBox tool) inside the equivalent findings from AppScan Standard (a DAST/BlackBox tool).

The core idea is that we should be presenting and integrating the information we are able to create from the multiple tools we use (+ human knowledge) into the tools the user is most comfortable with.

So in this case we have a DAST user (typically a pentester) being able to leverage the analysis created by a SAST (Static Analysis) tool.

It is also a much better way to show and present these findings to developers, since we can immediately talk about how to remediate the code.

Another massive benefit of performing security reviews this way is that it really highlights the best (and worst) of both tools (i.e. what SAST finds and DAST misses, and what DAST finds and SAST misses).

Ultimately both SAST and DAST results must match :)
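As an added illustration of the correlation idea (this is not O2 or AppScan code; the finding record layouts and the AltoroJ sample values are constructed assumptions, not the tools' real export formats), here is a small Python script that joins SAST and DAST findings by vulnerability class, entry point and parameter, reports what each tool finds that the other misses, and attaches the SAST sink locations to a matched DAST finding:

```python
# Added example: correlating SAST and DAST findings for one application.
# Record layouts and sample values are constructed assumptions; they are not
# the export formats of AppScan Source or AppScan Standard.
from collections import defaultdict, namedtuple

# Both tools name a vulnerability class, entry point and parameter; SAST also carries the sink location.
SastFinding = namedtuple("SastFinding", "vuln_type url param file line")
DastFinding = namedtuple("DastFinding", "vuln_type url param")

# Constructed sample findings, loosely modelled on AltoroJ's login page.
SAST = [
    SastFinding("SQL Injection", "/login.jsp", "uid", "DBUtil.java", 120),
    SastFinding("SQL Injection", "/login.jsp", "passw", "DBUtil.java", 120),
    SastFinding("Path Traversal", "/admin/export.jsp", "file", "Export.java", 45),
]
DAST = [
    DastFinding("SQL Injection", "/Login.jsp", "uid"),
    DastFinding("Cross-Site Scripting", "/search.jsp", "query"),
]

def key(f):
    """Correlation key shared by both tools, normalised so that case and a
    trailing slash do not prevent a match."""
    return (f.vuln_type.lower(), f.url.rstrip("/").lower(), f.param.lower())

def group(findings):
    """Index findings by key; a SAST tool often reports several traces per key."""
    groups = defaultdict(list)
    for f in findings:
        groups[key(f)].append(f)
    return groups

def correlate(sast, dast):
    """Split findings into matched, SAST-only and DAST-only sets (the
    'what SAST finds and DAST misses' view from the post)."""
    s, d = group(sast), group(dast)
    return {
        "both": {k: (s[k], d[k]) for k in s.keys() & d.keys()},
        "sast_only": {k: s[k] for k in s.keys() - d.keys()},
        "dast_only": {k: d[k] for k in d.keys() - s.keys()},
    }

def code_locations(dast_finding, sast):
    """Sink locations the SAST tool traced for the same entry point and parameter, shown to the DAST user."""
    return sorted(f"{f.file}:{f.line}" for f in group(sast).get(key(dast_finding), []))

if __name__ == "__main__":
    print(correlate(SAST, DAST))
    print(code_locations(DAST[0], SAST))
```

Running it shows one matched SQL injection on /login.jsp (uid), two SAST-only findings, one DAST-only finding, and `DBUtil.java:120` attached to the matched DAST finding.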

If you want to see how that PoC was created inside AppScan Standard, take a look at these two blog posts: