IBM AppScan Takes Aim at Input Validation
The root cause of many cross-site scripting and SQL injection security vulnerabilities is input validation sanitation. IBMs new Rational AppScan 8 platform could help to mitigate or eliminate the problem.
Cross-site scripting (XSS) and SQL injection flaws are among the most common and lethal types of security vulnerabilities. Both sets of flaws often stem from the same root cause, which is typically some form of an input validation issue. Ensuring that input validation is done correctly is no easy task, which is where the new IBM Rational AppScan 8 platform comes into play.
The new AppScan release includes technology from IBM Research for string analysis, which may help to mitigate or eliminate XSS and SQL injection issues at the coding level, before applications ever reach production.
"The idea here is that people don't worry enough about what they do with data when it comes into an application," Jack Danahy, security executive, IBM Security Solutions, told InternetNews.com.
Danahy joined IBM as part of the acquisition of Ounce Labs in 2009, where he served as CTO. The former Ounce technology is now part of the IBM Rational AppScan Source Code Edition, which is a key part of the overall AppScan 8 update.
"In string analysis there is the capability to look at code and understand what the developer is doing with the inputted data, and then [verify] that data sanitation is happening in an appropriate way," Danahy said.
Danahy added that the challenge of input validation is all about having a better understanding of the dataset and the transformation of the types of containers that the data will go into.
Beyond sting analysis, with the AppScan 8 update, IBM is aiming to improve the integration of its dynamic and static source code analysis capabilities. With the integration comes improved capabilities for determining root cause analysis of application vulnerabilities, as well as tools to help prioritize issues that need to be fixed.
"There is a real advancement here by IBM in the combination of dynamic and static testing technologies and helping customers to prioritize what they should be fixing," Danahy said.
Hybrid dynamic and static analysis is also an area that rival HP is going after, as well. HP recently acquired static analysis vendor Fortify and is in the process of developing a new generation of hybrid dynamic and static analysis solutions.
Danahy noted that IBM isn't specifically targeting HP with the AppScan 8 platform, but rather the broader market opportunity.
"The biggest challenge for me is about taking what we've got and making it super usable, integrated and non-disruptive as organizations get religion and try to become secure by design," Danahy said.
August 17, 2010
HP buys static analysis vendor Fortify, bolstering its development analysis portfolio and raising the stakes against IBM.