Published on 21 Dec 2011
"IBM Rational AppScan has a hugely positive impact on educating our developers with respect to avoiding vulnerabilities in Web applications." - Michael Neumaier, Senior Quality Specialist, SAP AG
Security: Identity and Access Management, Optimizing IT
IBM Business Partner:
Experts estimate that the global damage caused by cyber criminals could be as much as €100 billion a year. Almost as soon as any new Web application goes online, it is registered and analyzed by automatic hacker tools. The applications and the data behind them are rarely protected by technologies such as firewalls, network scanners and intrusion detection systems. This paper looks at the steps taken by SAP AG to protect its applications using IBM Rational AppScan.
Protect online applications by ensuring that vulnerabilities are identified and removed before deployment. Cut the costs of remedial action by enhancing pre-release quality. Increase customer confidence in the security of online applications. Learn how to improve application design for the future.
The IBM Rational AppScan product family – selected for use by SAP – examines Web applications for known vulnerabilities during both the development phase and application operation. Rational AppScan offers highly automated scanning and analysis, and provides reports in compliance with national and international standards at the push of a button.
IBM Rational AppScan covers all of SAP’s security test requirements and has hugely expanded its test capabilities. Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented. IBM Rational AppScan has integrated seamlessly into SAP’s quality assurance processes, because it automates a component of existing workflows rather than requiring an overall process change.
SAP developers work on some 190 products, with more than 25 industry solutions in over 30 languages. Approximately 500 developers work in parallel on each new solution release.
SAP has moved to a global process for software development and release, based on four business principles:
Changing conditions for software development:
- Changed product portfolio, from a single product to a portfolio of different products.
- Global organization with distributed development in multiple international locations.
Improved communication between customers, partners and SAP:
- Provide one common and consistent approach to the roll-in of customer requirements.
- Reflect industry scenario orientation and focus on customer business needs.
- Ensure alignment between internal and external stakeholders on development priorities.
Industrialization of software development & re-use:
- The service oriented architecture fosters reuse at various levels.
- Aligned processes and organizations must reflect this re-use.
Never-ending quality improvement:
- Adapted processes for a high level of software quality and optimized TCO, while at the same time reducing time-to-market.
- Build the right things the right way, with planned quality along the entire product lifecycle.
Business challenges and project objectives
With more SAP® applications being designed for use over the Internet, the company has a pressing requirement to help ensure Web application security. For the SAP team, it was important to handle the increasing volume of test work while maintaining the very high quality of the results.
With manual testing, without automation, it was clear that the workload could easily become unmanageable, resulting in increased costs and carrying the risk of incorrectly tested software being brought to market.
If the team could automate most of the testing procedures, this would accelerate throughput and increase testing validity. In turn, IT staff could be released to work on more important software development projects.
While searching for suitable tools to test its applications pre-deployment, the SAP team identified a list of core requirements, including:
- Up-to-date functionality, including ability to combat current attack methods and vulnerability classes.
- Quality of the scanning technology and its ability to uncover security issues.
- Reliability and accuracy of the findings generated by the scanner, including false-positive handling.
- Usability and handling of the configuration of the scanner for very large software projects.
- Display and filtering of the findings, and ability to interpret findings easily.
- Support in the debugging, elimination or other resolution of identified vulnerabilities.
- Extensive reporting for different risk and compliance reports.
- Position and strength of the vendor in the market.
- Level of investment in future research and development of the security solution.
The IBM Rational AppScan product family – selected for use by SAP – examines Web applications for known vulnerabilities during both the development phase and application operation. Rational AppScan offers highly automated scanning and analysis, and provides reports in compliance with national and international standards at the push of a button. The Rational AppScan tools also help educate developers and security staff, with integrated e-learning components designed to ensure that safe practices are embedded in coding right at the start of software development programs.
The SAP team deployed IBM Rational AppScan Standard in India on a Microsoft Windows server with multiple log-on options through Windows Terminal Server, and in Germany on a standard desktop PC running Windows. For both systems, SAP runs a shared calendar where colleagues can plan their tests and machine usage, which allows many different people to run their tests without conflict.
The SAP team was very satisfied with the support and technical expertise offered by IBM. Issues were processed quickly, and the recommended solutions solved problems rapidly, thanks to the high level of product competency offered by IBM.
Rational AppScan includes graphical presentations of results and powerful report generation functionality, which demonstrates how the vulnerabilities are actually exploited in a Web browser. These capabilities are central to helping developers understand what the issues mean in practice. The Rational AppScan interface is so powerful that at SAP, developers are invited to online screen-sharing teleconferences where they can view the test results and issues for themselves.
About Rational AppScan
The Rational AppScan product portfolio provides ways to automate and industrialize the protection of networked and Web applications that collect and exchange sensitive data. Essentially, Rational AppScan software extends security analysis in the application security process and employs multiple testing techniques that result in higher-quality, more secure applications.
There have been numerous documented cases of companies that spent millions of dollars recovering from cyber-attacks that could almost certainly have been prevented. Vulnerabilities in a production environment can be costly to remedy, while Rational AppScan helps to uncover and fix flaws during the development process, reducing cost and risk.
Rational AppScan offers static and dynamic security testing in all stages of application development. SAP uses Rational AppScan Standard Edition, and the full product range extends to cover a variety of business needs:
- AppScan Build Edition embeds Web application security testing into the build management workflow.
- AppScan Enterprise Edition provides Web application vulnerability testing and reporting solution used to scale security testing.
- AppScan Express Edition delivers affordable Web application security for smaller organizations.
- AppScan OnDemand identifies and prioritizes Web application security vulnerabilities that may be apparent via the SaaS model.
- AppScan OnDemand Production Site Monitoring enables consistent and continuous monitoring for production Web content and sites for vulnerabilities via the SaaS model.
Proof of validity
To test the validity of the claims for Rational AppScan, SAP performed an external audit and penetration test on Duet® software. The team then compared the results of the manual test against the automated findings generated by Rational AppScan. The comparison was designed to detect and reproduce the vulnerabilities discovered by the manual test, and highlight the appropriate areas of the source code.
Rational AppScan succeeded in locating all the vulnerabilities discovered manually, identified additional concerns, and pinpointed the source code responsible in just a few hours. The AppScan findings are highly accurate, with very few false positives, which saves a great deal of time when evaluating an application. The audit reporting and ability to provide full traceability of errors feature high on the list of time- and cost-saving functionalities.
AppScan Standard was integrated into SAP’s product development process, and the powerful reporting functionality is used to analyze results and generate recommendations for developers.
For example, after an application scan with Rational AppScan, the team schedules a workshop with the development team. Rational AppScan generates an application profile with SAP-specific main issues, aimed at SAP standard requirements.
During software development itself, the developers themselves are responsible for testing. The SAP IT team provides developers with Rational AppScan testing services, which can be booked internally. For those developers who choose to test during development, the results are used during the software validation process. If the core team is involved in testing, software validation can be completed more quickly, reducing SAP’s time to market with new solutions.
If Rational AppScan is not involved during the software development process, developers have to run their own manual tests and provide documentation explaining why their test results are acceptable. Based on those documents, the testing team makes its plan for software validation – usually a longer process than where products have involved Rational AppScan at an early stage.
With the reduced testing time and effort that using Rational AppScan provides, SAP is able to develop more Web applications more quickly, and bring them to market. As a result of these benefits, SAP purchased additional Rational AppScan licenses, expanding its footprint to eight users in total, in India, Israel and Germany
The black box and white box test results are correlated through the Reporting Console. The correlation highlights specific weak points, identified by both scanning technologies. Such double-weaknesses can be considered to be a genuine risk, to be fixed as rapidly as possible. Under the previous manual testing processes, the SAP team knew that its 60 or so test case descriptions did not cover all requirements. Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented. With Rational AppScan, the SAP team now has a significantly higher degree of test coverage.
Product complexity affects the testing processes, which can be fractions of a second or several minutes for each URL. Rational AppScan can also test by starting with an initial URL and then test all the pages that can be reached, somewhat in the manner of a search engine crawling linked Web pages. The tools include the ability to exclude or include certain pages, directories or areas of a website, and single pages can be specified for test.
To accelerate testing, the IBM team implemented an adaptive approach: if test failures exceed pre-set limits, the test sequence is halted. This method reduces the time spend on test runs, accelerating total throughput and increasing efficiency.
Rational AppScan has integrated seamlessly into SAP’s processes, as it automates a component of existing workflows rather than requiring change. From initial adoption, usage has exploded as the benefits have become clear, particularly since the number of Web applications is growing continuously.
IBM products and services that were used in this case study.
Rational AppScan Standard Edition
©Copyright IBM Corp. 2011 All Rights Reserved. IBM Deutschland GmbH D-70548 Stuttgart ibm.com Produced in Germany December 2011 IBM, the IBM logo, ibm.com, i5/OS, DB2, Domino, FlashCopy, Lotus, Notes, POWER, POWER4, POWER5, POWER6, System i, System x, and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM trademarks is available on the Web at: http://www.ibm.com/legal/copytrade.shtml UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product or service names may be trademarks, or service marks of others. This brochure illustrates how IBM customers may be using IBM and/or IBM Business Partner technologies/services. Many factors have contributed to the results and benefits described. IBM does not guarantee comparable results. All information contained herein was provided by the featured customer/s and/or IBM Business Partner/s. IBM does not attest to its accuracy. All customer examples cited represent how some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication is for general guidance only. Photographs may show design models. SAP, Duet and all SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries. All other product and service names mentioned are the trademarks of their respective companies. SAP Forward-looking Statement Any statements contained in this document that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. Words such as “anticipate,” “believe,” “estimate,” “expect,” “forecast,” “intend,” “may,” “plan,” “project,” “predict,” “should” and “will” and similar expressions as they relate to SAP are intended to identify such forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations The factors that could affect SAP’s future financial results are discussed more fully in SAP’s filings with the U.S. Securities and Exchange Commission (“SEC”), including SAP’s most recent Annual Report on Form 20-F filed with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates.