IBM Security Appscan Source for Analysis: User Guide for OS X Edit Menu
Total Page:16
File Type:pdf, Size:1020Kb
IBM Security AppScan Source for Analysis Version 9.0.0.1 User Guide for OS X IBM Security AppScan Source for Analysis Version 9.0.0.1 User Guide for OS X (C) Copyright IBM Corp. and its licensors 2003, 2014. All Rights Reserved. IBM, the IBM logo, ibm.com Rational, AppScan, Rational Team Concert, WebSphere and ClearQuest are trademarks or registered trademarks of International Business Machines Corp. registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at http://www.ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. This program includes: Jacorb 2.3.0, Copyright 1997-2006 The JacORB project; and XOM1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the Gnu Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program. Contents Chapter 1. Introduction to AppScan AppScan Enterprise Console preferences.....47 Source for Analysis..........1 Application server preferences for JavaServer Page Introduction to IBM Security AppScan Source . 1 compilation ..............48 United States government regulation compliance . 2 Tomcat ...............49 What's New in AppScan Source ........4 WebLogic 8, 9, 11, and 12 .........49 What's New in AppScan Source Version 9.0.0.1 . 4 WebSphere Application Server .......49 What's New in AppScan Source Version 9.0 . 4 Defining variables ............50 Migrating to AppScan Source Version 9.0 from Enabling defect tracking with preferences ....51 Version 8.7 ...............6 Rational Team Concert preferences .....51 AppScan Source for Analysis overview .....8 Eclipse workspace importers: Eclipse preference Workflow ...............8 configuration ..............53 Important concepts ............9 Email ................53 Classifications ............10 Java and JavaServer Pages .........54 Logging in to AppScan Enterprise Server from Knowledgebase articles ..........54 AppScan Source products..........11 Project file extensions ...........54 Changing your password .........11 AppScan Enterprise Server SSL certificates . 12 Chapter 4. Scanning source code and AppScan Source and accessibility .......12 managing assessments .......57 Legal notices for IBM Security AppScan Source V9.0 Scanning source code ...........57 documentation .............13 Scanning all applications .........58 Copyright ...............15 Scanning one or more applications .....58 Scanning one or more projects .......58 Chapter 2. Configuring applications Scanning one or more files ........59 and projects ............17 Re-scanning code ...........59 AppScan Source application and project files . 17 Managing scan configurations .......59 Configuring applications ..........19 Excluding a file from a scan ........64 Creating a new application with the New Cancelling or stopping a scan .......64 Application Wizard...........20 Managing My Assessments .........65 Using the Application Discovery Assistant to Publishing assessments ..........65 create applications and projects .......21 Registering applications and projects for Adding an existing application .......24 publishing to AppScan Source .......65 Adding multiple applications .......24 Publishing assessments to AppScan Source . 66 Adding an Eclipse or Eclipse-based product Publishing assessments to the AppScan workspace ..............25 Enterprise Console ...........68 Configuring your development environment for Saving assessments ............71 Eclipse and Rational Application Developer for Automatically saving assessments ......71 WebSphere Software (RAD) projects ......26 Removing assessments from My Assessments . 72 Eclipse or Application Developer updates . 26 Defining variables ............72 Eclipse workspace importers: Eclipse preference Defining variables when publishing and saving 73 configuration .............26 Example: Defining variables ........73 Creating a new project for an application ....27 Adding an existing project ........28 Chapter 5. Triage and analysis ....75 Adding multiple projects .........29 Displaying findings............76 Adding a new JavaScript project ......30 The AppScan Source triage process ......78 Adding a new Java or JavaServer Page (JSP) Triage with filters ............79 project ...............31 Using AppScan Source predefined filters . 83 Copying projects ............37 Creating and managing filters .......87 Modifying application and project properties . 37 Applying filters globally .........91 Global attributes.............38 Determining applied filters ........91 Application attributes ...........38 Triage with exclusions ...........92 Removing applications and projects ......39 The scope of exclusions .........92 Explorer view .............39 Specifying exclusions ..........92 Marking findings as exclusions in a findings Chapter 3. Preferences ........45 table................93 General preferences............45 © Copyright IBM Corp. 2003, 2014 iii Re-including findings that have been marked as Resolving Rational Team Concert server exclusions ..............93 mismatches .............129 Example: Specifying filter exclusions .....93 Rational Team Concert SSL certificates ....129 Specifying bundle exclusions from the Properties Working with submitted defects .......130 view................94 Submitting bundles to defect tracking and by email 130 Triage with bundles ...........94 Tracking defects through email (sending findings Creating bundles ...........94 by email) ...............130 Adding findings to existing bundles .....95 Viewing findings in bundles ........96 Chapter 8. Findings reports and audit Saving bundles to file ..........96 reports ..............133 Submitting bundles to defect tracking and by Creating findings reports .........133 email ...............97 AppScan Source reports ..........135 Adding notes to bundles .........97 Creating an AppScan Source custom report . 136 Modifying findings ............98 CWE/SANS Top 25 2011 report ......137 Making modifications from a findings table . 98 DISA Application Security and Development Modifying findings in the Finding Detail view . 99 STIG V3R6 report ...........137 Removing finding modifications ......101 Open Web Application Security Project Comparing findings ...........102 (OWASP) Top 10 2013 report .......137 Comparing two assessments in the Assessment Open Web Application Security Project Diff view ..............103 (OWASP) Mobile Top 10 report ......138 Comparing two assessments from the main Payment Card Industry Data Security Standard menu bar..............103 (PCI DSS) Version 1.1 and Version 2.0 reports . 138 Finding differences between assessments in the Software Security Profile report ......138 My Assessments and Published Assessments views ...............103 Custom findings ............103 Chapter 9. Creating custom reports 139 Creating a custom finding in the Properties Report Editor .............139 view ...............104 Report Layout tab ...........140 Creating custom findings in a findings view . 105 Categories tab ............141 Creating custom findings in the source code Preview tab .............142 editor ...............106 Generating custom reports .........143 Resolving security issues and viewing remediation Designing a report from an existing custom assistance...............106 report ...............143 Analyzing source code in an editor .....107 Including categories in the report......143 Supported annotations and attributes .....108 Previewing the report .........144 Saving the report template ........144 Chapter 6. AppScan Source trace. 109 AppScan Source trace scan results ......109 Chapter 10. Customizing the Validation and encoding.........110 vulnerability database and scan rules . 145 Searching AppScan Source traces ......110 Extending the AppScan Source Security Input/output tracing ...........111 Knowledgebase.............145 Using the Trace view ...........111 Creating custom rules .........146 Input/output stacks in the Trace view ....112 Using the Custom Rules wizard ......146 Analyzing source code in an editor .....114 Customizing input/output tracing through Validation and encoding scope .......115 AppScan Source trace ..........150 Creating custom rules from an AppScan Source Customizing with pattern-based scan rules . 150 trace ................116 Scan rule sets ............151 Code examples for tracing .........118 Searching for text patterns ........152 Example 1: From source to sink ......118 Defining scan rules for analysis ......152 Example 2: Modified from source to sink . 119 Applying scan rules and scan rule sets ....162 Example 3: Different source and sink files . 124 Example 4: Validation in depth ......125 Chapter 11. AppScan Source for Analysis samples .........165 Chapter 7. AppScan Source for Analysis and defect tracking .....127 Chapter 12. The AppScan Source for Enabling defect tracking with preferences ....127 Analysis work environment .....167 Rational Team Concert preferences .....127 The AppScan Source for Analysis workbench. 167 Integrating