How to use the IBM Application Security on Cloud service


Welcome to IBM Application Security on Cloud, a subscription-based service that helps secure your organization’s web, desktop, and mobile applications by detecting dozens of today’s most pervasive published security threats. The service makes it simple to scan your apps and eliminate vulnerabilities before they go live in production. It’s easy to get a free trial to play with from IBM’s Cloud Marketplace. Once you see the value in the service, you can choose a plan: fill out the registration form, and IBM will send you a confirmation e-mail.

It’s easy to use Application Security on Cloud, so let’s get started! When you log in for the first time, a wizard leads you through creating an app and a scan. I’ll create an app called “Demo” and assign it a critical business impact. Later on I can add more specific details about this application, but for now the wizard helps me get up and running as quickly as possible.

Now I can create a scan or import issues into the app. If I decide to scan a mobile application, I can choose between iOS and Android. For Android I can upload an APK file, which is the same artifact you would upload to the Google Play Store: once you build it, you can scan it. If I want to scan a desktop application, instead of uploading my Java or .NET code to the service, I download the IRX Generator, which builds a representation of my app’s data flow and saves it in an IRX file. Then I simply upload that file to the service.

But now I’m going to create a scan for a live web app. I’ll enter the URL and select ‘production site’. While the scan is running, I’ll import issues from an existing pen-testing scan. Before I import the issues, I need to prepare the CSV file for import. I can download the sample CSV file to see the kind of issue attributes to include in my file; the column headers represent the issue attributes displayed in the Application Security on Cloud service.
Once I make sure that my pen-testing scan file contains the correct information, I can import it and give the scan a name. I could start triaging these imported issues, but first I’m going to add some key information to the application details. I’ll add the name of the business unit, and I’ll change the testing status to ‘in progress’.

Let’s take a look at the results for the scan that we just ran on our web application. At first glance, we can see the total number of findings broken down by severity level. I’ll download the security report to get more details. I can rescan from the same tab, and my results will be overwritten with the new results.

Now I’m going to triage the issues in the “Demo” app. The first thing I’ll do is sort the severity column to move the informational issues to the top. My organization doesn’t care about these types of issues, so I’ll mark them as noise. Next, I’ll sort the status column to bring the new issues to the top of the list. This makes it easier to see the issues I have to deal with. I’ll select a couple of them and set them to an open status to indicate that they must be fixed. I’ll mark some as fixed and some as in progress. If I don’t know enough about an issue to triage it properly, I can click on the issue and get more details. Further details include CVSS metrics, the scanner and application the issue belongs to, and when it was discovered.

The application view might be too granular for your CISO or security team leads. They can use the dashboard to get the big picture of their entire portfolio and track progress toward security and risk compliance. The dashboard display defaults to showing all the business units in your portfolio, or you can focus on each one individually. Based on your selection from the Business Unit menu, the banner area of the dashboard displays the number of applications that fall into each security risk rating category.
The Security Risk Rating is a calculated value derived from the severity of the issues found in your application and the impact the application would have on the business if it is compromised or hacked. A best practice is to have most of your applications at the lowest possible security risk rating. The dashboard helps answer some pressing questions, such as: Which applications present the highest risk? What percentage of the applications have we assessed? Are we making progress toward compliance? Most of the dashboard charts are trending charts that let you track your apps over time.

Let’s take a closer look at the Security Risk Rating by Business Unit chart. We can see that there are some critical apps in the USA business unit, so let’s drill through to see what’s going on. Now we’re at a focused list of the apps that are in a critical state. I’ll sort the business owner column to see who I should talk to about each app. To continue triaging other apps, I can clear the filters and start fresh again.

Managing application security risk is an iterative process. The IBM Application Security on Cloud service has the key capabilities to help you roll out application security across your organization. It provides the tools you need to push the problems back to your development teams to fix before production. Here are some resources you can check out for more information. Thanks for watching this video; I hope you found it informative.
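To make the CSV import, the triage steps and the risk-rating idea above concrete, here is an added Python example that is not part of the video or of the IBM service. It parses a constructed pen-test finding list in CSV form, checks that the expected columns are present before "import", marks informational findings as noise, sorts new issues to the top by severity, and derives a rating from the worst remaining severity and the app's business impact. The column names (Issue Type, Severity, Status, Location) and the rating rule are assumptions for illustration; the service's own sample CSV and documentation define the real headers and formula.

```python
"""Illustrative pen-test CSV validation, triage and risk rating (added example).

Column headers and the rating rule are assumptions, not the IBM service's
documented format or formula.
"""
import csv
import io

# Constructed sample in the shape of an exported pen-test finding list.
SAMPLE_CSV = """Issue Type,Severity,Status,Location
SQL Injection,High,New,/login
Cross-Site Scripting,Medium,New,/search
Missing X-Frame-Options header,Low,New,/
Server version disclosed,Informational,New,/
Directory listing banner,Informational,Open,/about
"""

# Assumed column set the importer insists on.
REQUIRED_COLUMNS = {"Issue Type", "Severity", "Status", "Location"}
# Lower number = more severe; used for sorting and for the rating rule.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}
IMPACT_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_issues(text):
    """Parse the CSV and reject it before import if headers or severities are off."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"CSV is missing required columns: {sorted(missing)}")
    rows = list(reader)
    for row in rows:
        if row["Severity"] not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {row['Severity']!r} in row {row}")
    return rows


def triage(issues):
    """Mark informational findings as Noise, then list New issues first, most severe on top."""
    for issue in issues:
        if issue["Severity"] == "Informational":
            issue["Status"] = "Noise"

    def key(issue):
        status_rank = 0 if issue["Status"] == "New" else 1
        return (status_rank, SEVERITY_ORDER[issue["Severity"]])

    return sorted(issues, key=key)


def severity_counts(issues):
    """Total findings per severity, ignoring anything already triaged as Noise."""
    counts = {}
    for issue in issues:
        if issue["Status"] == "Noise":
            continue
        counts[issue["Severity"]] = counts.get(issue["Severity"], 0) + 1
    return counts


def risk_rating(issues, business_impact):
    """Illustrative rating: worst unresolved severity combined with business impact.

    This is an assumed model for the example, not the service's formula.
    """
    unresolved = [i for i in issues if i["Status"] not in ("Noise", "Fixed")]
    if not unresolved:
        return "Low"
    worst = min(SEVERITY_ORDER[i["Severity"]] for i in unresolved)
    score = worst + IMPACT_ORDER[business_impact]
    if score <= 1:
        return "Critical"
    if score == 2:
        return "High"
    if score == 3:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    issues = triage(parse_issues(SAMPLE_CSV))
    for issue in issues:
        print(f"{issue['Status']:<6} {issue['Severity']:<14} {issue['Issue Type']}")
    print("counts:", severity_counts(issues))
    print("rating for a Critical-impact app:", risk_rating(issues, "Critical"))
```

Running it prints the triaged list with the SQL injection finding first and the two informational rows pushed to the bottom as Noise; the same High finding yields a Critical rating on a Critical-impact app but only Low on a Low-impact one, which is the point of weighting severity by business impact.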
