You will not hear sound until the host opens the audio line.

Presentation transcript:

10/27/17

What's new in AppScan Standard 9.0.3.7
IBM Security support Open Mic

To hear the WebEx audio, select an option in the Audio Connection dialog or access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. You will not hear sound until the host opens the audio line. For more information, visit: http://ibm.biz/WebExOverview_SupportOpenMic

NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

October 15, 2017

Scheduled Open Mics
- Nov 29th (today) - What's new in AppScan Standard version 9.0.3.7
- Dec 6th, 2017 - What's new in AppScan Enterprise version 9.0.3.7
- Jan 17th, 2018 - How to automate scanning with AppScan Enterprise
- Feb 21st, 2018 - How to transfer a scan from AppScan Standard to ASE
- Mar 21st, 2018 - How AppScan explores applications (ABE, RBE)

Panelists today:
- Ronen Bachar – Dev manager AppScan Standard
- Tammy Gelles – Dev lead in AppScan team
- Idan Slonimsky – Dev in AppScan team
- Aviv Feinstein – Dev in AppScan team
- Chen Ulmer – L3/Dev in AppScan team
- Joe Kiggen – Moderator – AppScan L2 Manager

Agenda
What's new in AppScan Standard version 9.0.3.7, released on November 15, 2017:
- Improved Session Detection UI
- New License Manager
- Explore data import
- Login export
- OS support: Supports Windows Server 2016
- Refresh Web Services test policy
- Tests for “Apache Struts 2” vulnerabilities

Improved Session Detection UI
A couple of improvements have been made in the Scan Configuration > Login Management > Details dialog.
1) A drop-down menu has been added to Detection Pattern. It suggests other strings that are candidates for the in-session pattern, in case the current one is problematic. The pattern candidates are derived by comparing the response to the “in-session request” in its recorded “logged-in” state with the response received as “logged-out” (AppScan sends the request in the background without session IDs in order to make the comparison).

Improved Session Detection UI
2) The Select Detection Pattern dialog (accessible from the Advanced pattern selection button) is improved.
- The improved dialog helps you choose a new in-session pattern. You now see the in-session request and response (when logged in) next to the out-of-session request and response you would get when logged out.
- The dialog also includes the new in-session pattern candidates drop-down (described on the previous page), so you can easily select a new pattern.
- Helpful remarks, with suggestions, have been added to the top of the dialog.
- A pager enables you to scroll between requests without leaving the dialog.
- Advanced users can check whether AppScan correctly handled the session IDs by looking at the request AppScan sent as “logged-out”. If the session IDs were not removed from the request, you might have a problem in the session IDs/custom headers configuration.

Select Detection Pattern dialog with a good pattern example

Select Detection Pattern dialog with a bad pattern example
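
The logged-in versus logged-out comparison described above can be sketched as follows. This is an added example, not AppScan code or AppScan's algorithm: the two responses are constructed samples, and the function names and the ranking rule are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed responses to the same "in-session request".
LOGGED_IN = """<html><head><title>Example Bank</title></head><body>
<a href="/logout">Sign Off</a><h1>Welcome to Example Bank</h1>
<p>Hello jsmith, your last login was 2017-11-29 10:02</p></body></html>"""
LOGGED_OUT = """<html><head><title>Example Bank</title></head><body>
<a href="/login">Sign In</a><h1>Welcome to Example Bank</h1>
<p>Please sign in to continue</p></body></html>"""


class StringCollector(HTMLParser):
    """Collects visible text and link/form targets from a response body."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found += [v for k, v in attrs if k in ("href", "action") and v]

    def handle_data(self, data):
        if data.strip():
            self.found.append(data.strip())


def strings(body):
    parser = StringCollector()
    parser.feed(body)
    parser.close()
    return parser.found


def pattern_candidates(in_body, out_body):
    """Strings present only in the logged-in response, most stable first."""
    unique = dict.fromkeys(s for s in strings(in_body) if s not in out_body)
    # Assumption: strings with digits (timestamps, balances) change between
    # requests, so they are ranked after purely static strings.
    return sorted(unique, key=lambda s: (bool(re.search(r"\d", s)), len(s)))


def check_pattern(pattern, in_body, out_body):
    """Classify a literal pattern the way the good/bad dialog examples do."""
    if pattern not in in_body:
        return "bad: not found in logged-in response"
    if pattern in out_body:
        return "bad: also found in logged-out response"
    return "good"


if __name__ == "__main__":
    for cand in pattern_candidates(LOGGED_IN, LOGGED_OUT):
        print(cand, "->", check_pattern(cand, LOGGED_IN, LOGGED_OUT))
```
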

New License Manager
AppScan uses RCL (Rational Common Licensing) for license management.
In AppScan Standard 9.0.3.6 and earlier, LKAD (an RCL tool) is used to point AppScan to its licenses.
- LKAD takes over 500 MB in the AppScan installation
- LKAD has a few defects and some installation problems
In AppScan Standard 9.0.3.7, LKAD is replaced with License Manager. License Manager works directly with the RCL APIs.

New License Manager
The main panel of the License Manager is available under: Help > License > Open AppScan License Manager
In the panel, you will see all available AppScan Standard licenses (which have been configured in the License Configuration dialog).

New License Manager
The License Configuration dialog (accessible by clicking the License Configuration button on the main panel) allows you to configure where licenses are pulled from:
- a Node-Locked license, by selecting a file
- a floating license, by providing a host and port for a License Server
Note: You can specify multiple license files or License Servers.

New License Manager
Additional information:
- AppScan Standard 9.0.3.7 does NOT use LKAD. AppScan will use only licenses configured with License Manager.
- On upgrade from a previous version of AppScan Standard, AppScan will automatically import the LKAD license configuration into License Manager.
- The size of the AppScan installation file will drop by over 500 MB.
- A Node-Locked License file name can’t contain characters from other languages (only ASCII characters are supported).

Explore data import
AppScan Standard 9.0.3.7 supports the following traffic file formats when importing data with File > Import > Explore Data:
- .har (HTTP Archive)
- .dast.config or .config
- .exd (supported in previous versions of AppScan)
AppScanCMD supports the new traffic file formats as well, for instance:
AppScanCMD.exe /manual_explore_file myFile.har

Explore data import
Added value:
- The .har format is well known. It can be created easily with common browsers, e.g. Chrome, Firefox.
- It is now easier to record traffic with a third-party tool and then import it into AppScan.
- The .dast.config file can be created with the AppScan proxy server tool (not bundled with AppScan Standard).
Note: The .config format is the same as the .dast.config format. It contains one or more .har files.
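
A browser-recorded .har file usually contains traffic to hosts other than the application under test, so it is worth inspecting before import. The following added example (not part of the presentation or of AppScan) checks the HAR skeleton, summarises requests per host, and keeps only in-scope entries; the host names and the sample capture are constructed, and the entries are reduced to the fields the check reads.

```python
from collections import Counter
from urllib.parse import urlsplit


def _entry(method, url, status=200):
    """Builds a reduced HAR entry (constructed sample data)."""
    return {"request": {"method": method, "url": url, "headers": []},
            "response": {"status": status}}


# Constructed HAR 1.2 capture: three target requests plus third-party noise.
SAMPLE_HAR = {"log": {
    "version": "1.2",
    "creator": {"name": "constructed-sample", "version": "0"},
    "entries": [
        _entry("GET", "https://app.example.test/login"),
        _entry("POST", "https://app.example.test/doLogin", 302),
        _entry("GET", "https://app.example.test/account?id=7"),
        _entry("GET", "https://cdn.example.net/lib.js"),
        _entry("POST", "https://metrics.example.org/collect", 204),
    ]}}


def validate(har):
    """Returns log.entries, or raises ValueError if the file is not usable HAR."""
    try:
        entries = har["log"]["entries"]
    except (KeyError, TypeError):
        raise ValueError("not a HAR file: log.entries is missing")
    for i, entry in enumerate(entries):
        request = entry.get("request", {})
        if not request.get("method") or not request.get("url"):
            raise ValueError(f"entry {i}: request.method or request.url missing")
    return entries


def host_of(entry):
    return urlsplit(entry["request"]["url"]).hostname


def summarize(har):
    """Counts requests per (host, method) so out-of-scope traffic stands out."""
    return Counter((host_of(e), e["request"]["method"]) for e in validate(har))


def keep_in_scope(har, hosts):
    """Returns a copy of the HAR containing only entries for the given hosts."""
    kept = [e for e in validate(har) if host_of(e) in hosts]
    return {**har, "log": {**har["log"], "entries": kept}}


if __name__ == "__main__":
    print(summarize(SAMPLE_HAR))
    scoped = keep_in_scope(SAMPLE_HAR, {"app.example.test"})
    print(len(scoped["log"]["entries"]), "entries kept")
```
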

Login Export
When you export a login recording, the file will now include
- configured custom headers,
- form filler fields, and
- HTTP authentication information,
in addition to session management information, as previously. This will allow the login to work better.
Note: When importing a login recording with a new property, the property will be added to the existing Form Fill. Old properties will remain, and their values will be updated from the login file.

Tests for “Apache Struts 2” vulnerabilities
AppScan Standard includes tests for the following Apache Struts 2 command execution vulnerabilities:
- CVE-2017-5638
- CVE-2017-9805
- CVE-2017-9791
These tests are controllable via the test policy:

Questions for the panel
Now is your opportunity to ask questions of our panelists.
To ask a question now:
- Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line.
or
- Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down menu. Click Send. Your message is sent and appears in the Q&A panel.
To ask a question after this presentation:
You are encouraged to participate in the dW Answers forum: https://developer.ibm.com/answers/topics/appscan-standard

Where do you get more information?
Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/appscan-standard
AppScan Standard 9.0.3.7 download link: http://www.ibm.com/support/docview.wss?uid=swg27050461
AppScan Standard versions available: http://www.ibm.com/support/docview.wss?uid=swg21971041
Security Learning Academy: www.SecurityLerningAcademy.com
Useful links:
- Get started with IBM Security Support
- IBM Support Portal | Sign up for “My Notifications”
- FREE learning resources on the Security Learning Academy
