As its name suggests, Application Security on Cloud (ASoC) is a cloud-based service. It features a dynamic analysis security scanner for web applications that lives outside the organization's network.
ASoC can easily scan publicly reachable web applications. Development and test applications, however, are typically deployed inside the organization, behind the firewall or inside labs. To scan these applications, use Private Site Scanning (PSS).
How to achieve Private Site Scanning from the Cloud
The obvious but arduous and expensive solution is to add network components, such as VPNs and proxies, or to change the network so that the scanner can reach into the organizational network. This is not ideal, and CSOs and IT security teams frown on it.
The ASoC PSS solution requires no special hardware and no changes to the customer's network that might introduce additional risk. The ASoC PSS client is set up inside the customer's network and needs only outgoing access to the Internet (directly or via a proxy) and access to the site being scanned. It can be installed on any machine in the organization and requires relatively few resources.
PSS is part of the AppScan Presence package, which provides capabilities such as a recording proxy and receives its instructions from the ASoC service.
ASoC PSS consists of two endpoints that establish a secured, TLS-encrypted TCP/IP tunnel between them.
In ASoC, mark the application under test for Private Site Scanning and select the AppScan Presence location to use. After that, everything is automatic.
Security considerations with ASoC PSS
ASoC exists to enable security scanning, so security considerations were central to the design and implementation of the ASoC PSS solution. ASoC developers focused on two things: the security of the customer's network and the security of the tunnel connection.
As noted, PSS requires no changes to the customer's network and no special concessions for the PSS tunnel client, so the organization's security policies can be applied unchanged to the host machine running the tunnel client. Nor does the organizational firewall need to change: no incoming connections on particular ports or from particular IP addresses have to be allowed.
Each Presence instance has a unique key that serves as its ID. The key identifies the Presence instance and ensures it receives the correct scan tasks. It can be renewed at any time, so it can conform to organizational security policies that require periodic rotation. Once a key is renewed on the server, the Presence instance stops receiving tasks until the new key is placed on the Presence machine.
To secure the connection at the PSS level, it is crucial that the tunnel server and tunnel client can verify each other, so that no unvalidated party can use the tunnel to reach the private network. When a scan is ready to run and the tunnel server is started, PSS generates two certificates: one for itself and one for the client.
The server certificate, together with the client certificate and its private key, is passed to the tunnel client along with the scan task details, over the secured channel between the Presence service and the SaaS service. Each end of the tunnel can then validate the identity of the other. The certificates are invalidated once the scan completes and are never reused, even for a rescan.
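The per-scan mutual authentication described above, as an added example that is not ASoC's code: each endpoint holds a certificate minted for this scan and trusts exactly the other's, so a client certificate left over from an earlier scan is refused at the handshake. The Ed25519 keys, the one-hour lifetime, the in-memory pipe and the `scan-task` payload are constructed stand-ins; the page does not document ASoC's certificate parameters or transport.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a SAN-only self-signed cert for one endpoint; Ed25519 and the one-hour lifetime are this example's choices.
func selfSigned(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the stdlib errors ignored here only arise from a broken RNG
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

func pin(c tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.Leaf); return p } // trust exactly this one cert

// connect runs mutual TLS over an in-memory pipe: the server pins scanClient, the client pins scanServer and offers presented.
func connect(scanServer, scanClient, presented tls.Certificate) (string, error) {
	a, b := net.Pipe()
	a.SetDeadline(time.Now().Add(3 * time.Second)) // a stalled peer must not wedge the tunnel server
	srv := tls.Server(a, &tls.Config{Certificates: []tls.Certificate{scanServer}, ClientCAs: pin(scanClient),
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}) // no resumption: the credentials die with the scan
	cli := tls.Client(b, &tls.Config{Certificates: []tls.Certificate{presented}, RootCAs: pin(scanServer), ServerName: "tunnel-server"})
	go func() {
		if srv.Handshake() == nil { // fails with "bad certificate" when presented is not this scan's client cert
			srv.Write([]byte("scan-task")) // stand-in for the scan instructions (constructed)
		}
		srv.Close() // close_notify on success; after a failed handshake the alert is already on the wire
	}()
	msg, err := io.ReadAll(cli) // drives the client handshake, then reads until close_notify or an alert
	return string(msg), err
}

func main() {
	server, client := selfSigned("tunnel-server"), selfSigned("tunnel-client")
	fmt.Println(connect(server, client, client))
}
```

Running main prints `scan-task <nil>`; handing connect a client certificate from a different selfSigned pair makes the server refuse the handshake and connect returns the resulting error instead.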
Taken together, Application Security on Cloud Private Site Scanning gives organizations a simple and secure way to use cloud-based security scanners on applications deployed inside their own network.
HCL Technologies Products and Platforms