IBM® Security Systems Division

Ready for IBM Security Intelligence
Validation requirements document for IBM Security AppScan Family

Please visit the Ready for IBM Security Intelligence software validation site for assistance, enablement support, and the current copy of this document: http://www.ibm.com/partnerworld/rfisi

Validated solution integrations and extensions can be found in the Ready for IBM Security Intelligence Showcase: http://www.ibm.com/partnerworld/rfisisolutions

Send documents to pwisv@us.ibm.com, with “Ready for IBM Security Intelligence” in the subject line.

Document Version 3

Table of Contents

    Introduction
    Items required to complete validation
    Validation contact information
    Solution to be validated
        Solution overview
    Integration requirements
        Architecture and overview
    Solution integration details
    Integration exceptions
    Resources

Validation Requirements Document IBM Security AppScan Family

Introduction

The Ready for IBM Security Intelligence program validates partner integrations with IBM Security software and represents the solution integrations in the IBM Security section of the Ready for IBM Security Intelligence Showcase. This includes partners working to complete Industry Frameworks, Solution Initiatives, and Specialties or other offerings with a dependency on validating integrations with IBM Security Software.

This document provides the steps and validation requirements for demonstrating integrations with the IBM Security AppScan family of products. A brief overview of the integration points is provided, along with the testing, documentation and demonstration results needed to verify and validate the solution integration.

Reference the following resources for assistance. For further assistance contact our IBM Security AppScan validation specialist Dan Schofield, dan.schofield@uk.ibm.com

Ready for IBM Security Intelligence Resources

    Ready for IBM Security Intelligence Home
        http://www.ibm.com/partnerworld/rfisi
    Getting Started with the Ready for IBM Security Intelligence program
        https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security_start
    Ready for IBM Security Intelligence integration points and resources
        https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security_integration
    Ready for IBM Security Intelligence DeveloperWorks Homepage
        http://ibm.co/rfisi
    Ready for IBM Security Intelligence Message Board
        https://www.ibm.com/developerworks/mydeveloperworks/groups/service/forum/topics?communityUuid=85cce0f0-581e-4b9e-9da8-b57c4a257949&ps=10&page=0
    IBM PartnerWorld Contact Services, assistance getting started
        US Number: 800-426-9990, 770-858-5052, e-mail: pwisv@us.ibm.com, ask for Ready for IBM Security Intelligence assistance.
    Ready for IBM Security Intelligence Showcase
        http://www.ibm.com/partnerworld/rfisisolutions
    Program Manager Contact
        Russ Warren, russell.warren@us.ibm.com

Other Resources

    IBM Security Communities, best practices and scenarios
        http://www.ibm.com/developerworks/security/community.html
    IBM Service Management Connect
        https://www.ibm.com/developerworks/servicemanagement/srm/index.html
    IBM Software Access Catalog, download IBM Security software
        http://www.ibm.com/isv/welcome/softmall.html
    IBM PartnerWorld option support, assistance with listed products
        Voice US Number: 800-426-9990, 770-858-5052, Remote e-mail: https://www.ibm.com/isv/tech/member/index.html

Items required to complete validation

To validate your IBM Security AppScan family based integration and include the solution highlight in the Ready for IBM Security Intelligence Showcase, the following items must be submitted to the validation lab at pwisv@us.ibm.com. Please consult the Ready for IBM Security Intelligence software validation Web site for guidance and details concerning the validation process at https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security

Items required for validation

    Final validation requirements document
        Final version of this document representing the solution integration being validated Ready for IBM Security Intelligence. Need to document and identify the classes and interfaces used.
    Test plan report
        Document containing use scenarios, data points, and information on the solution integration with IBM Security AppScan. Will be used when reviewing test results and files, performing the validation, and during the solution integration demonstration.
    Integration Setup Information
        Solution setup or administration documentation, or a portion of a document providing information customers would use to set up or configure the integration between your solution and IBM Security AppScan. Should include items in IBM Security AppScan that need to be customized to make the integration work.
    Demonstration
        A remote demonstration or captured demo to walk through the integration scenarios with IBM Security AppScan.
    Ready for IBM Security Intelligence Showcase
        Integration highlights (solution overview, requirements, contacts) used for the Ready for IBM Security Intelligence Showcase entry (http://www.ibm.com/partnerworld/rfisisolutions). This should include a company logo that can be used (Recommended size 100 x 50).
    Web page
        To include your solution integration reference in the Ready for IBM Security Intelligence Showcase (http://www.ibm.com/partnerworld/rfisisolutions), you need to provide a Web page link highlighting the solution integration. Use of the Ready for IBM Security Intelligence logo mark on your Web page, solution material, at conferences and on other marketing material is also encouraged.

Validation contact information

Please complete ALL the fields below to provide the validation project contact information.

    Submitted by:
    Title/Position:
    Company:
    Address:
    Telephone:
    Fax:
    E-mail:
    IBM Security Product:
        IBM Security AppScan Standard V8
        IBM Security AppScan Standard V8
        IBM Security AppScan Source V8
        IBM Security AppScan Source V9
        IBM Security AppScan Enterprise V8
        IBM Security AppScan Enterprise V9
    Your Solution Name and Version:
    Global Solution Directory URL:
    Current Date: 201X/mm/dd
    Anticipated Solution Start Date: 201X/mm/dd
    Anticipated Solution Completion Date: 201X/mm/dd

Solution to be validated

Solution overview

Please fill in the auto-sizing text box below to provide the validation lab a technical overview of the application or solution, the integration points and solution to be validated.

    To be filled in.

Integration requirements

This section provides an overview of the Ready for IBM Security Intelligence validation requirements for each of the products in the IBM Security AppScan family. The next section “Integration Options for Validation” will allow you to identify the configuration and pertinent platforms used by your offering for validation.

Architecture and overview

The following diagram shows the overall architecture of the IBM Security AppScan Family.

IBM Security AppScan Standard Edition delivers the desktop solution for automating web application security testing. It is used by penetration testers and security auditors, as well as QA and development. Output from AppScan Standard can be used as input into a Partner system to provide further specialised analysis or defect tracking.

IBM Security AppScan Enterprise Edition is a web-based, multi-user solution that provides centralized application security scanning, data consolidation and reporting, remediation capabilities, executive dashboards, compliance reporting, and seamless integration with AppScan Standard Edition.
Using the XML/SOAP REST API, Business Partners can integrate with AppScan Enterprise to enable vulnerability information to be used in other security systems to mitigate the risks of attack until fixes can be made in the applications.

IBM Security AppScan Source Edition automates the analysis of source code to identify vulnerabilities and facilitate their remediation by integrating with development processes and tools, including build systems and IDEs.

Solution integration details

This section is used for you to describe the solution integration items and methods used with IBM Security AppScan. The requested information is required and will be used as a “benchmark” to proceed with the validation.

Check each integration type you will use to integrate your solution with IBM Security AppScan. Specify each operating system platform the integration supports.

    AppScan Product / Integration Point          Used
    AppScan Standard Extensions Framework        Yes / No
    AppScan Standard CLI                         Yes / No
    AppScan Standard Pyscan/Utilities            Yes / No
    AppScan Enterprise REST API                  Yes / No
    AppScan Source CLI                           Yes / No
    AppScan Source for Automation                Yes / No

    OS platforms: Windows 2003, Solaris, Linux, Windows 2008, HP/UX, AIX, Other (Specify)

Use the following area to provide a functional overview of the integration with the proposed data flows for the above selected interfaces and integration points. Highlight any high level business rules that are applicable along with the communication/protocol format being used. Critical would be information where the transaction or data exchanged meets specific compliance issues and concerns. It may be beneficial to insert a data flow diagram (like a Visio or PowerPoint) showing the interchange of data and the specific criteria that the interchange needs to address to work with the external system. Sufficient information is needed to assess the flow of information through the interfaces.
Note: No need to duplicate information if some of this will be placed in the requested Integration Guide.

Integration exceptions

Use this section to note any exceptions to the Integration Requirements that should be considered for this integration. Also list any additional considerations or system impact not explicitly stated previously. May include, but not limited to: database changes, application functionality, or any task that affects the integration but is outside the scope of this estimate. Information will be reviewed and discussed during validation.

Resources

Use the following information and resource links to assist with setting up and integrating with the IBM Security AppScan family of products.

    IBM Security AppScan Homepage
        http://www-01.ibm.com/software/awdtools/appscan/
    IBM Security AppScan Standard Documentation
        http://pic.dhe.ibm.com/infocenter/apsshelp/v8r7m0/index.jsp
    IBM Security AppScan Source Documentation
        http://pic.dhe.ibm.com/infocenter/appsrc/v8r7m0/index.jsp
    IBM Security AppScan Enterprise Documentation
        http://pic.dhe.ibm.com/infocenter/asehelp/v8r7m0/index.jsp
    Application Security Community of Practice
        https://www.ibm.com/developerworks/mydeveloperworks/blogs/242fafe4-766c-4c93-bb7d-3d2a5ee1cbd6/?lang=en
    Support Portal
        http://www947.ibm.com/support/entry/portal/overview/software/security_systems/ibm_security_appscan_family
    DeveloperWorks Security Community
        http://www.ibm.com/developerworks/security/community.html
    Ready for IBM Security Enablement Resources
        https://www.ibm.com/partnerworld/page/isv_com_dvm_techval_security