
AppScan Prep

Sean Kelly edited this page Feb 24, 2020 · 1 revision

NCI uses AppScan (previously IBM AppScan, before that Rational AppScan, and originally Sanctum AppScan) to detect vulnerabilities in web-accessible APIs and sites. To deploy an EDRN portal at the NCI, the software must pass an AppScan test with no critical or high vulnerabilities, or must come with a rationale for why each detected vulnerability is a false positive.

Because the testing is thorough and thoroughly intrusive, a number of preparation steps must be completed in order to

  • Minimize the testing that needs to be done; there is no need to test all 1000 biomarker pages and all of their variations when one biomarker page will do.
  • Shield the outside world from the testing's side effects; some tests trigger email notifications, for example, and a scan can send thousands of them, clogging a hapless user's inbox while they are traveling with a mobile device.

Database

The starting database for any AppScan test should be edrn-lite.tbz, not edrn-full.tbz: the lite snapshot contains far fewer pages, so the scan has much less to crawl and produces far fewer side effects.

The AppScan and CBIIT teams recommend backing up the database before initiating the scan but there is no need as we can always restore from edrn-lite.tbz.

Control Panel

You'll need to log into the portal with a management-level user, visit the Plone Overview control panel, and make the following settings:

  1. Visit the Content Rules panel and ensure content rules are disabled globally; content rules are one of the ways the portal sends notification email, so this closes off the flood described above.
  2. Visit the Mail panel and set the mail server to non.exist.int; the misspelling of "nonexistent" is intentional. The point is a hostname that does not resolve, so every notification the scan still triggers fails to send instead of reaching a real inbox. (Note that .int is a real top-level domain, so this relies on nobody ever registering that name; a name under the RFC 2606-reserved .invalid domain, such as mail.invalid, can never resolve.)
  3. Visit the Site panel and delete the Analytics JavaScript, so the scanner's traffic is not reported to the analytics provider.

Make sure to save all changes on each panel.

AppScan User

Because the tests are intrusive (and because we want to bound what a compromised account could do), AppScan logs into the site with a dedicated user account rather than anyone's personal one. Create the AppScan user by starting Apache Directory Studio, connecting to ldaps://edrn.jpl.nasa.gov, and creating a new user in the "dc=edrn,dc=jpl,dc=nasa,dc=gov" branch of the directory tree.

The entry's values should be as follows:

  • objectClass: edrnPerson
  • objectClass: inetOrgPerson
  • objectClass: organizationalPerson
  • objectClass: person
  • objectClass: top
  • cn: App Scan
  • description: Account for conducting AppScans
  • mail: your own email address
  • sn: Scan
  • telephoneNumber: your own telephone number
  • uid: appScan
  • userPassword: a password of your choice, stored using the "crypt" hash scheme (Apache Directory Studio's password editor lets you pick the scheme); make it long and unique, since it will be shared outside the team.

Note: there may already be an appScan user; if so, edit the existing entry's values to match the list above and record the new password.

Test logging in to the portal with this username and password. You will also need to send the username and password to Mikol Ware in encrypted form rather than in plain email (the JPL large file transfer service is handy for this).
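As an added example (not from this page or the EDRN portal code), the same account can be created or reset with the OpenLDAP command-line tools instead of Apache Directory Studio, which also makes the "there may already be an appScan user" case and the login test above repeatable. It assumes the OpenLDAP client tools (ldapadd, ldapmodify, ldapwhoami, slappasswd with crypt support) are installed, a hypothetical manager DN cn=admin,dc=edrn,dc=jpl,dc=nasa,dc=gov with write access to the branch, and that manager's password in a mode-600 file; ADMIN_DN, ADMIN_PW_FILE and APPSCAN_APPLY are names chosen here, not anything the directory defines.

```shell
#!/bin/sh
# Added example for this wiki page (not EDRN portal code): create or reset the
# appScan directory entry with the OpenLDAP command-line tools, then verify
# the login with a bind.
# Assumptions (not from the page): ldapadd, ldapmodify, ldapwhoami and
# slappasswd are installed; ADMIN_DN is a hypothetical manager DN with write
# access to the branch; ADMIN_PW_FILE holds its password (chmod 600, no newline).
set -e

LDAP_URI='ldaps://edrn.jpl.nasa.gov'
BASE_DN='dc=edrn,dc=jpl,dc=nasa,dc=gov'
APPSCAN_DN="uid=appScan,${BASE_DN}"
ADMIN_DN="${ADMIN_DN:-cn=admin,${BASE_DN}}"            # hypothetical; use the real manager DN
ADMIN_PW_FILE="${ADMIN_PW_FILE:-$HOME/.edrn-admin-pw}"  # hypothetical path

# Hash the password held in file $1 for userPassword with the "crypt" scheme the
# page calls for. -c sets the crypt(3) salt format; '$6$%.16s' selects SHA-512
# crypt with a 16-character random salt instead of legacy DES crypt.
hash_password_file() {
  slappasswd -h '{CRYPT}' -c '$6$%.16s' -T "$1"
}

# LDIF for a new appScan entry: $1 = mail, $2 = telephoneNumber, $3 = hashed password.
appscan_add_ldif() {
  cat <<EOF
dn: ${APPSCAN_DN}
objectClass: edrnPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: App Scan
sn: Scan
uid: appScan
description: Account for conducting AppScans
mail: $1
telephoneNumber: $2
userPassword: $3
EOF
}

# LDIF that resets the same attributes on an existing entry (the "there may
# already be an appScan user" case); a "-" line separates the modifications.
appscan_modify_ldif() {
  cat <<EOF
dn: ${APPSCAN_DN}
changetype: modify
replace: mail
mail: $1
-
replace: telephoneNumber
telephoneNumber: $2
-
replace: userPassword
userPassword: $3
-
EOF
}

# Try to add; if the directory answers "entry already exists" (LDAP result code
# 68, which ldapadd returns as its exit status), fall back to a modify. Then
# bind as appScan to confirm the credentials work before sending them on.
create_or_update_appscan_user() {
  mail="$1"; phone="$2"; cleartext="$3"
  pwfile="$(mktemp)"                      # keeps the cleartext out of the process list
  chmod 600 "$pwfile"
  trap 'rm -f "$pwfile"' EXIT
  printf '%s' "$cleartext" > "$pwfile"
  hashed="$(hash_password_file "$pwfile")"
  rc=0
  appscan_add_ldif "$mail" "$phone" "$hashed" \
    | ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$ADMIN_PW_FILE" || rc=$?
  if [ "$rc" -eq 68 ]; then
    appscan_modify_ldif "$mail" "$phone" "$hashed" \
      | ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$ADMIN_PW_FILE"
  elif [ "$rc" -ne 0 ]; then
    return "$rc"
  fi
  # Login test: a successful simple bind prints the bound DN (dn:uid=appScan,...).
  ldapwhoami -x -H "$LDAP_URI" -D "$APPSCAN_DN" -y "$pwfile"
}

# Runs only when APPSCAN_APPLY=yes, so the file can also be sourced for its functions:
#   APPSCAN_APPLY=yes sh appscan-user.sh you@jpl.nasa.gov '+1 818 555 0100' 'long unique password'
if [ "${APPSCAN_APPLY:-no}" = yes ]; then
  create_or_update_appscan_user "$1" "$2" "$3"
fi
```

The password reaches slappasswd via -T and the bind via -y, both file-based, so it never appears on a command line; the add-or-modify decision keys off ldapadd's exit status, which is the LDAP result code, so any error other than "already exists" still aborts the script.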

Starting the Scan

To begin scanning, submit a ticket by visiting ServiceNow:

  1. Log in (upper right) with your NIH username and password.
  2. From the "Services" menu, choose "IT Security", then "Request AppScan Assessment".
  3. Fill in the fields as follows:
    • Requested for: your name
    • Organizational affiliation: NCI DCP CBRG
    • Phone: your phone
    • Building: NON-NIH
    • Email: your NIH email
    • Room: blank
    • Request Details:

In the ticket, note that the AppScan credentials were sent separately in encrypted form (see above), then submit it.