What's new in AppScan Enterprise 9.0.3.7
IBM Security Support Open Mic
10/27/17

To hear the WebEx audio, select an option in the Audio Connection dialog or access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. You will not hear sound until the host opens the audio line. For more information, visit: http://ibm.biz/WebExOverview_SupportOpenMic

NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

December 6, 2017
Scheduled Open Mics:
- Dec 6th (today) - What's new in AppScan Enterprise version 9.0.3.7
- Jan 17th, 2018 - How to automate scanning with AppScan Enterprise
- Feb 21st, 2018 - How to transfer a scan from AppScan Standard to ASE
- Mar 21st, 2018 - How AppScan explores applications (ABE, RBE)

Recorded Open Mic:
- Nov 29th, 2017 - What's new in AppScan Standard version 9.0.3.7
Panelists today:
- Billy Weber – Product Management Director, Application Security
- Pradeep Shashidhar – Technical Lead Engineer, AppScan Enterprise
- Joe Kiggen – Moderator, AppScan L2 Manager
Agenda

What's new in AppScan Enterprise version 9.0.3.7, released on November 28, 2017:
- Security rules updates and APAR fixes
- Scanning Engine enhancements
- Scan Automation with Proxy Server
- New REST API services
- HAR support
- Other improvements
Security rules updates and APAR fixes

A number of updates to the security rules were made in AppScan Enterprise 9.0.3.7. The security rules now include tests for the following “Apache Struts 2 command execution” vulnerabilities:
- CVE-2017-5638
- CVE-2017-9805
- CVE-2017-9791

The full list of APARs fixed can be found in the AppScan Enterprise 9.0.3 Fix List.
Scanning Engine Enhancements

The AppScan Enterprise Scanning Engine is in sync with the AppScan Standard Engine.

- Improved Cross-Site Scripting testing: XSS tests are sent using a browser. This enables finding new vulnerabilities that were not found before. Browser-based tests are executed only when the traditional tests fail, to preserve performance.
- Improved Automatic Login: various techniques were added to increase the success rate of Automatic Login.
- Improved Action-Based Crawling: action-based crawling is more accurate and thorough, increasing application coverage.
- Improved scan accuracy: a variety of security rule updates reduce false positive results.

If a traditional XSS test fails, the test is automatically sent again using an actual browser. This approach enables finding additional vulnerabilities that were not found before.
Scan Automation with Proxy Server

Goal (of Scan Automation): enable a simple way to create scans in AppScan Enterprise based on functional test automation traffic.

Solution: a centralized service that includes a proxy that can be automated to perform the traffic recording and can be integrated with scanning services such as ASE. Capture HTTP traffic from any functional testing efforts/tools (e.g. Selenium) in order to improve the coverage of security scans.
Scan Automation with Proxy Server

A new Proxy Server component enables traffic recording in HAR (HTTP Archive) format. With the AppScan REST API you can create and manipulate scans based on AppScan Standard scan templates (.scant files).

[Diagram: Test Automation (Selenium) sends traffic through the Proxy Server (Web Server + Proxy) to the Tested Web Application; Test Automation drives the Proxy Server with the REST API: Start Proxy, Stop Proxy, Get Traffic; AppScan Enterprise is driven with the REST API: Update .scant, Update Traffic …]
Scan Automation with Proxy Server

Proxy Server includes two main components:
- Web Server – a web server which listens for REST API requests
- Proxy – a recording proxy with a command line interface

The user sends REST API requests to the Web Server, and the Web Server runs the Proxy.

[Diagram: REST API (Start Proxy, Stop Proxy, Get Traffic) -> Proxy Server: Web Server -> Proxy instances]
Scan Automation with Proxy Server: Web Server

- A central, cross-platform server based on Node.js
- The user can choose the listening port (default 8383)
- Activated by REST API with the following requests:
  - Start Proxy – starts a recording proxy on a defined or random port
  - Stop Proxy – stops the recording of the specific proxy and closes it
  - Recording – gets the recording from a specific proxy
  - Certificate – downloads the proxy's root certificate public key in PEM format (to avoid SSL warnings)
  - Import root certificate – imports the user’s own root certificate
- Detailed documentation is served at http://<web_server_ip>:8383
Scan Automation with Proxy Server: Proxy

- Listens on a specified port or a random port
- Multiple proxy instances can be used for parallel recordings
- Records traffic in HTTP Archive (.HAR) format
- The output is a .dast.config file, which is a zip file containing the .HAR files
- Supports a chained proxy, including conditions (configurable in the proxy.chain file)
- Supports HTTPS
- The root certificate is dynamically created (unique per installation) and can be downloaded by the user and installed on their machine (to avoid SSL warnings)
- The proxy closes automatically after 60 minutes of inactivity (the timeout can be changed in the Settings.json file in the installation folder)
New REST API services

The following services were added in ASE 9.0.3.7 and 9.0.3.5 iFix2 (for scans based on AppScan Standard templates):
- Create a new scan using an AppScan Standard template.
- Update any configuration item of a scan.
- Update credentials of a recorded Action-Based Login.
- Import explore data in the following formats: EXD, HAR, HTD, and DAST.CONFIG.
- Import a traffic file, including login requests, for Request-Based Login.
HAR Support

HAR traffic files are also supported in the Scan Management REST API:
- API to upload manual explore traffic to a scan: /services/folderitems/<fiid>/httptrafficdata
- API to upload a recorded login sequence: /services/folderitems/<fiid>/recordedlogindata

Import of HTTP Archive traffic (HAR) is supported from any source:
- HAR file recorded with the Proxy Server
- HAR file recorded by any other tool, such as a browser
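The record-then-upload workflow on these slides (record traffic as HAR with the Proxy Server or a browser, then upload it to a scan with /services/folderitems/<fiid>/httptrafficdata) benefits from a quick look at the recording before it is imported. The following Python script is an added example for this summary, not IBM's code: it parses a HAR 1.2 file, reports which hosts, methods and paths the functional tests actually exercised, and writes a copy limited to the tested application's host so the explore data does not pull third-party hosts into the scan. The sample HAR, the host names and the function names are constructed for the example.

```python
"""Inspect and scope a HAR recording before importing it into AppScan Enterprise.

Added example, not IBM code. Assumes a HAR 1.2 file as produced by the
Proxy Server or a browser; the scoped output is what would be uploaded
with the ASE REST API endpoint shown on the slide. Sample data and
host names are constructed placeholders.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample recording: three requests against the tested application
# (app.example.test) and one call to a third-party host the scan should not touch.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {"startedDateTime": "2017-12-06T10:00:00.000Z",
             "request": {"method": "GET", "url": "https://app.example.test/login",
                         "headers": [], "queryString": []},
             "response": {"status": 200, "headers": []}},
            {"startedDateTime": "2017-12-06T10:00:01.000Z",
             "request": {"method": "POST", "url": "https://app.example.test/login",
                         "headers": [{"name": "Content-Type",
                                      "value": "application/x-www-form-urlencoded"}],
                         "queryString": [],
                         "postData": {"mimeType": "application/x-www-form-urlencoded",
                                      "text": "user=alice&pass=PLACEHOLDER"}},
             "response": {"status": 302, "headers": []}},
            {"startedDateTime": "2017-12-06T10:00:02.000Z",
             "request": {"method": "GET", "url": "https://app.example.test/account?id=7",
                         "headers": [], "queryString": [{"name": "id", "value": "7"}]},
             "response": {"status": 200, "headers": []}},
            {"startedDateTime": "2017-12-06T10:00:02.500Z",
             "request": {"method": "GET", "url": "https://cdn.thirdparty.test/lib.js",
                         "headers": [], "queryString": []},
             "response": {"status": 200, "headers": []}},
        ],
    }
})


def load_entries(har_text):
    """Parse HAR JSON and return its entries; reject files that are not HAR."""
    doc = json.loads(har_text)
    log = doc.get("log") if isinstance(doc, dict) else None
    if not isinstance(log, dict) or not isinstance(log.get("entries"), list):
        raise ValueError("not a HAR document: missing log.entries")
    return log["entries"]


def summarize(entries, target_host):
    """Coverage report: hosts, methods and paths the recording exercised."""
    in_scope, other_hosts = [], Counter()
    for entry in entries:
        host = urlsplit(entry["request"]["url"]).hostname
        if host == target_host:
            in_scope.append(entry)
        else:
            other_hosts[host] += 1
    return {
        "in_scope_requests": len(in_scope),
        "methods": dict(Counter(e["request"]["method"] for e in in_scope)),
        "paths": sorted({urlsplit(e["request"]["url"]).path for e in in_scope}),
        "out_of_scope_hosts": dict(other_hosts),
    }


def scope_har(har_text, target_host):
    """Return a new HAR text containing only requests to the tested application.

    Keeping only in-scope traffic keeps the explore data, and therefore the
    scan, on the application under test rather than on third-party hosts the
    functional tests happened to call.
    """
    doc = json.loads(har_text)
    entries = load_entries(har_text)
    doc["log"]["entries"] = [
        e for e in entries if urlsplit(e["request"]["url"]).hostname == target_host
    ]
    return json.dumps(doc)


if __name__ == "__main__":
    report = summarize(load_entries(SAMPLE_HAR), "app.example.test")
    print(json.dumps(report, indent=2))
    scoped = scope_har(SAMPLE_HAR, "app.example.test")
    print(f"{len(load_entries(scoped))} entries ready for upload")
```

Run it against a real recording by reading the .HAR file (or one extracted from the Proxy Server's .dast.config zip) into `scope_har` with the tested application's host name; the returned text is the file to upload to the httptrafficdata endpoint. An empty `paths` list or a large `out_of_scope_hosts` count is the signal that the functional tests did not reach the application, which is worth catching before a scan is created from that traffic.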
Other improvements

REST API services:
- Pull scan statistics in real time. (9035 iFix 2)
- Pull the detailed scan log after a scan is complete. (9035 iFix 2)

- Includes the latest JRE 1.8 SR5
- Import issues exported from AppScan Source in OZASMT format
Other improvements (continued)

- Export issues from Security Reports in Excel format from the Monitor tab.
Questions for the panel

Now is your opportunity to ask questions of our panelists.

To ask a question now:
- Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line.
- or
- Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down menu. Click Send. Your message is sent and appears in the Q&A panel.

To ask a question after this presentation: you are encouraged to participate in the dW Answers forum: https://developer.ibm.com/answers/topics/appscan-enterprise
Where do you get more information?

Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/appscan-enterprise

AppScan Enterprise 9.0.3.7 download link: http://www.ibm.com/support/docview.wss?uid=swg24044228

AppScan Enterprise versions available: http://www.ibm.com/support/docview.wss?uid=swg21971043

Security Learning Academy: www.SecurityLearningAcademy.com

Useful links:
- Get started with IBM Security Support
- IBM Support Portal | Sign up for “My Notifications”
- FREE learning resources on the Security Learning Academy
What's new in AppScan Enterprise 9.0.3.7