IBM Application Security Insider

Over the years we've had many cases where AppScan users approached our support teams with what they claimed were false positive reports. But when our security experts looked into the details, they turned out to be actual security problems. It happens. We refer to such cases as perceived false positives. These are cases where AppScan found correct issues, but failed to communicate them to the users clearly enough.

At the end of the day, our end users are just people. If AppScan fails to explain itself clearly, it's our problem, not the user's. It's important that we find ways to explain our security findings clearly, simply, and in a convincing way.

So when we set out to write the JSA component in AppScan, we looked for a fresh new way of presenting static analysis results in a manner that is readable and understandable in the simplest possible way.

Some background: the kind of results we deal with involve a data-flow trace. This is somewhat similar to a debugger stack trace, but showing a sequence of locations in source code where data flows through. How do you visualize such data?

In the security industry we’ve been dealing with Cross-Site Scripting (XSS) vulnerabilities for more than a decade now. It is still the #2 web application vulnerability according to OWASP TOP 10. Our friends at IBM X-Force show that XSS vulnerabilities appear in 41% of applications out there.

What is XSS? In a nutshell, it allows a bad guy to perform actions on your behalf. The hacker does that by injecting JavaScript that your browser executes when you view the page. Just imagine how bad that could be if it happened on your banking site, social network or your web mail provider.

Since it is clear that XSS isn’t going away, IBM is shipping a brand new XSS detection mechanism in the latest release of IBM Security AppScan 8.6. The new XSS Analyzer applies human-like learning techniques, allowing it to find vulnerabilities that were previously undetectable by automatic scanners.