App Security Scanner: My Cloud Database App Is Secure
If the app you developed hosts its data in the cloud, how can you be sure that the data is safe? Read on to see what one dev did.
Over the past few years, I have written a couple of cloud-based apps. Most of them have a database backend. I know - to a good degree - how to secure the database system. I have some background in secure software engineering. And I trust cloud providers like IBM to secure the platform and runtime environment. Today, I wanted to get feedback on the overall web app security and tested the Application Security on Cloud service offered on the IBM Cloud Platform. Here is what I did and the results.
The IBM Application Security on Cloud service allows you to analyze the security of mobile applications (iOS and Android), web apps, and even those behind a (corporate) firewall. You can choose between dynamic and static analysis. As part of the dynamic scan, the "live" application is accessed similarly to how a regular user or hacker would do it. The static analysis is performed on the source code.
In my case, I wanted to assess the security of an existing web application hosted on the IBM Cloud Platform with a custom domain and so I chose the dynamic analysis.
Setup and Scan
Because the security assessment is a cloud-based service, the setup is quick and simple. Once I had provisioned the service, all I had to do was select the application type and then the scan type, provide the URL for my web application, and verify that I am allowed to perform the scan.
To assess the security of a web application, the scan service needs to crawl and access the publicly available pages and, optionally, use credentials to use the web app like a regular user would. To prevent abuse of the Application Security on Cloud service, it asks for verification that I am allowed to perform the analysis. This can be done by placing a verification file into a folder of the web app or by an email with a verification link sent to the administrator of the (sub-)domain. I selected the email option and could choose between the domain or subdomain level. The email I received contained details about who requested the scan for which host, how to obtain additional information if needed, and the verification link to click.
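To make the file-based ownership check concrete, here is an added example of how a scanner can implement it. This is my own illustration, not IBM's code or its actual mechanism: the well-known path, the 24-hour validity window and the single-use rule are assumptions, and the "webroot" is a constructed in-memory stand-in for an HTTP GET against the target host.

```python
"""Domain-ownership verification via a token file (illustrative, not IBM's implementation)."""
import hmac
import secrets
import time
from typing import Callable, Optional

# Assumed well-known location where the site owner places the file.
VERIFICATION_PATH = "/.well-known/scanner-verification.txt"
# Assumed lifetime of an issued challenge.
CHALLENGE_TTL_SECONDS = 24 * 3600

# Scanner-side state: (host, requester) -> (expected token, issue time)
_pending: dict = {}


def issue_challenge(host: str, requester: str, now: Optional[float] = None) -> tuple[str, str]:
    """Scanner side: create an unguessable token bound to the host and the requesting user."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _pending[(host, requester)] = (token, time.time() if now is None else now)
    return VERIFICATION_PATH, token


def verify_ownership(host: str, requester: str,
                     fetch: Callable[[str, str], Optional[str]],
                     now: Optional[float] = None) -> bool:
    """Scanner side: fetch the token from the target host and compare it to the issued one.

    Fails closed on an unknown (host, requester) pair, an expired challenge,
    a missing file, a fetch error or a mismatch; succeeds at most once.
    """
    record = _pending.get((host, requester))
    if record is None:
        return False
    expected, issued_at = record
    now = time.time() if now is None else now
    if now - issued_at > CHALLENGE_TTL_SECONDS:
        _pending.pop((host, requester), None)  # expired challenges are discarded
        return False
    try:
        body = fetch(host, VERIFICATION_PATH)
    except Exception:
        return False  # network/HTTP failure is treated as "not verified"
    if body is None:
        return False  # file not present (the 404 case)
    # Constant-time comparison; tolerate a trailing newline in the file.
    ok = hmac.compare_digest(body.strip().encode(), expected.encode())
    if ok:
        _pending.pop((host, requester), None)  # single use: no replay of the same token
    return ok


def make_fetch(webroot: dict) -> Callable[[str, str], Optional[str]]:
    """Constructed stand-in for an HTTP GET: returns the file body, or None for a 404."""
    def fetch(host: str, path: str) -> Optional[str]:
        return webroot.get(host, {}).get(path)
    return fetch


def demo() -> dict:
    """Walk through the flow: before the file exists, wrong host, success, replay."""
    webroot = {"app.example.com": {}}  # constructed target; no real network access
    fetch = make_fetch(webroot)
    path, token = issue_challenge("app.example.com", "requester-1")
    before = verify_ownership("app.example.com", "requester-1", fetch)  # file not placed yet
    webroot["app.example.com"][path] = token + "\n"                      # owner publishes token
    wrong_host = verify_ownership("other.example.com", "requester-1", fetch)
    after = verify_ownership("app.example.com", "requester-1", fetch)
    replay = verify_ownership("app.example.com", "requester-1", fetch)
    return {"before": before, "wrong_host": wrong_host, "after": after, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The points worth noting are the ones that distinguish a sound check from a sloppy one: the token is random rather than derived from the host name, the comparison is constant-time, the challenge expires and can be used only once, and every failure path returns False rather than raising.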
After the necessary click, I could start the security scan. The dashboard provided status information, but it is not necessary to actively monitor the scan. Once it is completed, a service email is sent out. I waited for it and then quickly opened the dashboard. Here is what I got:
As you can see, my application does not have any significant security issues. To learn more about the low and informational issues that were found in the scan, I downloaded the report as a PDF document. A snippet of the overview page is shown below:
In the free plan of the Application Security on Cloud service, the report only has a couple of pages with the result overview. The paid service has detailed information about the security issues found, along with recommendations on how to tackle them. To get an impression of what is included in those reports, the documentation offers sample security reports for download.
Based on the security assessment, I now know that my web app hosted on the IBM Cloud Platform (Bluemix) is free from well-known security holes and relatively secure. Great for peace of mind and as feedback on my coding skills and on those who contributed to the code libraries and modules that were used.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
Published at DZone with permission of Henrik Loeser. See the original article here.