IBM Rational AppScan

In my last post, I introduced my role as Solution Engineer for our IBM partnership and how many exciting solutions we have coming out in our partnership.  Today I’m going to briefly cover one of our latest releases, the IBM Rational AppScan parser.

AppScan

Rational softwareIBM’s Rational AppScan implements the latest scanning technology to test your web applications for vulnerabilities.  I’ve run this scanner many times and the complexity and depth of its scans is mind boggling.  There are something like 30,000 tests that it can run in comprehensive mode, looking for all types of attacks against a website.  When launching a new application or reviewing your security on an existing site, an investment like Rational AppScan may save your entire organization enormous amounts of pain and expense.

So how does AppScan work? You simply point it at your website and go. During a recent test, I tested a sample ecommerce site (designed to have flaws) and found over 129 problems, 37 of them critical exploits such as SQL injection and cross-site scripting.  The beautiful thing with AppScan is that you simply see exactly where the exploit took place, how to repeat it and how to mitigate it.  It’s an amazing tool and you should definitely check out the trial.

Once you have your scan, the next step is to fix the issues.  In the example above, the 37 vulnerabilities might take days or weeks to solve. And that doesn’t even address the four dozen other medium and low priority issues.  So how do you help speed this along?  This is where BIG-IP ASM enters the picture.  As of version 11.1, our IBM AppScan integration allows you to export your reports from AppScan, import them into ASM and immediately remediate the critical problems.  In my test, I was able to remediate 21 out of the 37 critical vulnerabilities, leaving just a small handful to be worked on by the developers.

Published Dec 28, 2011
Version 1.0
  • Nojan_Moshiri_1's avatar
    Nojan_Moshiri_1
    Historic F5 Account
    A small edit to the blog, I inadvertantly said F5 ASM and IBM AppScan integration was available as of version 11.0 when I should have said version 11.1. I have corrected this in the blog.

     

  • Nojan_Moshiri_1's avatar
    Nojan_Moshiri_1
    Historic F5 Account
    Eduardo, unfortunately the trial version of AppScan will not let you scan arbitrary sites. But I'm sure a Rational sales rep could help you out with a full-blown trial.

     

     

    If you'd like a further review of ASM, be sure to drop me a line.