Image: Cloud Application Security
Overview
The IBM Application Security on Cloud service lets you analyse the security of mobile applications (iOS and Android), web apps, and even apps behind a (corporate) firewall. You can choose between dynamic and static analysis. In a dynamic scan the "live" application is accessed much as a regular user or an attacker would access it. The static analysis is performed on the source code. In my case I wanted to assess the security of an existing web application hosted on the IBM Cloud Platform with a custom domain, and hence chose the dynamic analysis.
Setup and Scan
Because the security assessment is a cloud-based service, the setup is quick and simple. Once I had provisioned the service, all I had to do was select the application type, then the scan type, provide the URL of my web application, and verify that I am allowed to perform the scan. To assess the security of a web application, the scan service needs to crawl and access the publicly available pages and, optionally, use credentials to exercise the web app like a regular user. To prevent abuse of the Application Security on Cloud service, it asks for verification that I am allowed to perform the analysis. This can be done by placing a verification file into a folder of the web app or by an email with a verification link sent to the administrator of the (sub-)domain. I selected the email and could choose between the domain and subdomain level. The email I received contained details about who had requested the scan for which host, how to obtain additional information if needed, and the verification link to click.
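The file-based verification described above is a proof-of-control check: the scanner only runs against a host whose operator can place a random token where the scanner fetches it. The following is an added example of that logic, not the IBM service's own code; the path, token size and expiry are assumptions, and the HTTP fetch is injected so it runs offline.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumptions (constructed for this example, not the IBM service's format):
# challenge files live under /.well-known/scan-verification/ and expire after an hour.
TOKEN_TTL_SECONDS = 3600


def challenge_url(host: str, token: str) -> str:
    """URL on the *target* host where the requester must publish the token."""
    return f"https://{host}/.well-known/scan-verification/{token}.txt"


class ScanAuthorizer:
    def __init__(self, fetch: Callable[[str], Optional[str]], now: Callable[[], float] = time.time):
        # fetch(url) returns the body of an HTTP GET, or None on any error.
        self._fetch = fetch
        self._now = now
        self._pending: Dict[str, Tuple[str, float]] = {}  # host -> (token, issued_at)

    def issue_challenge(self, host: str) -> Tuple[str, str]:
        """Create an unguessable token; the caller must place it at the returned URL."""
        token = secrets.token_urlsafe(32)
        self._pending[host] = (token, self._now())
        return token, challenge_url(host, token)

    def verify(self, host: str) -> bool:
        """Fetch the token from the host itself and compare it in constant time."""
        entry = self._pending.get(host)
        if entry is None:
            return False  # no outstanding challenge for this host
        token, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            del self._pending[host]  # stale challenge: a fresh one must be issued
            return False
        # The URL is derived from the scan target, never from requester input,
        # so proof can only come from whoever controls that host.
        body = self._fetch(challenge_url(host, token))
        if body is None:
            return False
        ok = hmac.compare_digest(body.strip().encode(), token.encode())
        if ok:
            del self._pending[host]  # one-time use
        return ok
```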
After the necessary click I could start the security scan. The dashboard provided status information, but it is not necessary to actively monitor the scan. Once it is completed a service email is sent out. I waited for it and then quickly opened the dashboard. Here is what I got:
Image: Application Security Scan Completed
Security Results
Image: Results of Security Scan
In the free plan of the Application Security on Cloud service the report only has a couple of pages with the result overview. The paid service has detailed information about the security issues found, along with recommendations on how to tackle them. To get an impression of what is included in those reports, the documentation offers sample security reports for download.
Based on the security assessment I now know that my web app hosted on the IBM Cloud Platform (Bluemix) is free from well-known security holes and relatively secure. Great for peace of mind and as feedback on my coding skills and those of the people who contributed to the code libraries and modules that were used.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.