Published on 24-Jan-2008
Validated on 07 Jul 2009
"AppScan has increased our team’s productivity by enabling us to automate very complex and time-consuming activities as well as help substantially increase our level of quality, security and regulatory assurance." - André Hiotis, technology security officer, NAV CANADA
Customer:
NAV Canada
Industry:
Government
Deployment country:
Canada
Overview
NAV CANADA takes advantage of IBM Rational AppScan software to address the security and compliance of its online applications
Business need:
To stay ahead of emerging risks and maintain a security-rich flow of business-critical information across internal stakeholders and airline customers, NAV CANADA needed to adopt the latest Web application security technology.
Solution:
NAV CANADA utilizes a comprehensive solution—based on IBM Rational® AppScan® software—that automates security and compliance-related issue testing of its core Web applications, and that easily integrates into its software development lifecycle.
Benefits:
NAV CANADA helped enhance the security of its Web applications through best practices such as regular scanning and testing for vulnerabilities throughout the software development lifecycle. Plus, thanks to pervasive solution adoption, the productivity of employees responsible for application development, security and quality assurance was improved.
Case Study
NAV CANADA is Canada’s civil air navigation services provider. With operations from coast to coast, the organization provides air traffic control, flight information, weather briefings, aeronautical information services, airport advisory services and electronic navigation. To help keep services in the Canadian skies safe and efficient, NAV CANADA runs an extensive infrastructure consisting of 7 control centers, 42 control towers, 60 flight service stations, 7 flight information centers and more than 1,000 ground-based navigational aids across the country. NAV CANADA is increasingly using Web portal technology to consolidate a wealth of air-travel-related information for its customers and its employees.
Navigating above and beyond today’s online security challenges
To coordinate information exchange across internal groups and with external customers, NAV CANADA adopted an information dashboard for its clients—which include airlines, airline dispatchers and airport authorities—based on Web portal technology. The NAV CANADA portal includes several Web-based applications that enable the organization to carry out business-critical activities such as:
- Tracking aircraft ground activities at selected Canadian airports, and analyzing ground activities at the airport.
- Analyzing traffic density from flight plans, position reports, weather data and schedules, and displaying track listings, track loading and other information on the Internet.
- Projecting daily workloads at Canadian airports.
- Managing and reporting air traffic flow.
For NAV CANADA, Web security had become more important than ever. Web 2.0 technology makes applications more dynamic and user friendly, but it can also make them more vulnerable to dangerous exploitation. “With new techniques for Web attacks continuously evolving and becoming more complex, it becomes extremely difficult for anyone to monitor applications without an automated process,” explains André Hiotis, technology security officer for NAV CANADA.
To address this growing trend and stay ahead of potential threats, NAV CANADA’s technology security team had to take proactive measures to help manage the security of its online applications. In addition, the organization needed a way to help manage its regulatory compliance efforts related to financial reporting applications, which, under securities regulations, must be certified by NAV CANADA’s executive officers.
Charting a course for better-protected online business applications
After researching and evaluating vulnerability assessment products in categories such as network, database, application and Web application, NAV CANADA’s technology security team determined it needed a solution that would provide:
- Comprehensive vulnerability detection.
- Strong reporting and remediation features.
- Strong compliance analysis.
- Protocol and Web application technologies support.
- Ease of use.
According to Hiotis, after a thorough evaluation of its options, the company chose a solution centered on AppScan technology. “After a competitive analysis of Web application security products, the technology in AppScan best met the overall criteria within our environment,” says Hiotis. As part of the evaluation process, Hiotis consulted industry analyst research. Ultimately, he cited the AppScan solution’s ease of use as a key differentiator, as it would allow developers to test applications without adding more work. Plus, staff could use additional features as necessary to address assurance of security and compliance.
A new horizon: improved productivity through automation
Prior to implementing the AppScan software, NAV CANADA had been extremely diligent in testing the functionality of its applications. While testing for security and vulnerabilities was a high priority, it took a lot of time and drained resources. However, according to Hiotis, the new solution helped alleviate these frustrations. “AppScan has increased our team’s productivity by enabling us to automate very complex and time-consuming activities as well as help substantially increase our level of quality, security and regulatory assurance,” comments Hiotis.
Smooth skies ahead, thanks to best practices and strong adoption rates
With AppScan software, NAV CANADA has adopted a practice of regularly scanning Web applications for security vulnerabilities during development—before allowing them to be deployed on live production systems.
Plus, NAV CANADA’s technology security team has built an internal testing service around AppScan capabilities. Developers submit their applications to the technology security team, which, in turn, runs tests and provides developers with reports indicating high-, medium- and low-level risks, as well as fix recommendations. Because the software enables quick turnaround, the security team suggests that even the smallest application change go through the AppScan test process before being rereleased.
Moreover, Hiotis says that adoption by developers has been successful, noting that they have started to ask for their own copies of the AppScan software. “The ease of use and the clear fix recommendations are part of the reason that developers have accepted the AppScan solution,” says Hiotis. “They understand that the scans ultimately lighten their workloads, provide a level of assurance and mean that they won’t need to spend hours making security changes after they have finished building the applications.”
For more information
To learn more about IBM Rational AppScan software, contact your IBM representative or IBM Business Partner, or visit:
ibm.com/software/rational/offerings/testing/webapplicationsecurity
Products and services used
IBM products and services that were used in this case study.
Software:
Rational AppScan Standard Edition
Legal Information
© Copyright IBM Corporation 2007. IBM Corporation, Software Group, Route 100, Somers, NY 10589, U.S.A. Produced in the United States of America, 12-07. All Rights Reserved. AppScan, IBM, the IBM logo and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or registered trademarks or service marks of others. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. RAC14013-USEN-00
