
App Security Scanner: My Cloud Database App Is Secure

If the app you developed hosts its data in the cloud, how can you be sure that the data is safe? Read on to see what one dev did.

Henrik Loeser · Oct. 25, 17 · Security Zone · Analysis

Over the past few years, I have written a couple of cloud-based apps. Most of them have a database backend. I know - to a good degree - how to secure the database system. I have some background in secure software engineering. And I trust the cloud providers like IBM to secure the platform and runtime environment. Today, I wanted to get feedback on the overall web app security and tested the Application Security on Cloud service offered in the IBM Cloud Platform. Here is what I did and the results.

Overview

The IBM Application Security on Cloud service allows you to analyze the security of mobile applications (iOS and Android), web apps, and even those behind a (corporate) firewall. You can choose between dynamic and static analysis. As part of the dynamic scan, the "live" application is accessed similarly to how a regular user or hacker would do it. The static analysis is performed on the source code.

In my case, I wanted to assess the security of an existing web application hosted on the IBM Cloud Platform with a custom domain and so I chose the dynamic analysis.

Setup and Scan

Because the security assessment is a cloud-based service, the setup is quick and simple. Once I had provisioned the service, all I had to do was to select between the different applications and then scan types, provide the URL for my web application, and verify that I am allowed to perform the scan.

To assess the security of a web application, the scan service needs to crawl and access the publicly available pages and, optionally, use credentials to use the web app like a regular user. To prevent abuse of the Application Security on Cloud service, it asks for verification that I am allowed to perform the analysis. This can be done by placing a verification file into a folder of the web app or by an email with a verification link to the administrator of the (sub-)domain. I selected the email and could choose between the domain or subdomain level. In the email I received were details about who requested the scan for which host, how to obtain additional information if needed, and the verification link to click.
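The file-based ownership check described above, as an added example that is not the service's own code or its actual mechanism: the scanner issues a random token, the requester publishes it in a file on the web app, and the scanner confirms that the target host itself serves exactly that token. The file path, the function names, and the fake fetch responses are assumptions constructed for illustration; no network access is needed to run it.

```python
import hmac
import secrets
from typing import Callable, Tuple
from urllib.parse import urlsplit

# Hypothetical location for the proof file; the article does not state the real path.
VERIFICATION_PATH = "/appscan-verification.txt"

# A fetcher returns (final_url_after_redirects, http_status, body_text).
Fetcher = Callable[[str], Tuple[str, int, str]]


def make_token() -> str:
    """Token the scanning service hands to the requester to publish on the target."""
    return secrets.token_urlsafe(32)


def verify_ownership(host: str, expected_token: str, fetch: Fetcher) -> bool:
    """Return True only if the target host itself serves exactly the expected token.

    Two checks matter here:
    - the response must come from the very host we intend to scan; a redirect to
      some other host proves nothing about control over the requested one;
    - the comparison is constant-time, so response timing does not leak token bytes.
    """
    final_url, status, body = fetch(f"https://{host}{VERIFICATION_PATH}")
    if status != 200:
        return False
    if urlsplit(final_url).hostname != host:
        return False
    return hmac.compare_digest(body.strip(), expected_token)


def demo() -> dict:
    """Constructed responses standing in for real HTTP fetches (no network needed)."""
    token = make_token()

    def good_fetch(url):
        return (url, 200, token + "\n")          # correct token, served by the same host

    def redirect_fetch(url):
        # The host answers by redirecting to a different domain that serves the token.
        return ("https://other.example.net" + VERIFICATION_PATH, 200, token)

    def wrong_fetch(url):
        return (url, 200, make_token())          # a different token was published

    def missing_fetch(url):
        return (url, 404, "Not Found")           # no proof file at all

    host = "app.example.com"
    return {
        "correct": verify_ownership(host, token, good_fetch),
        "redirected": verify_ownership(host, token, redirect_fetch),
        "wrong_token": verify_ownership(host, token, wrong_fetch),
        "missing": verify_ownership(host, token, missing_fetch),
    }


if __name__ == "__main__":
    print(demo())
```

The same-host check is the part most easily overlooked when implementing such a proof: following redirects blindly would let a proof hosted elsewhere authorize a scan of a host the requester does not control.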

After the necessary click, I could start the security scan. The dashboard provided status information, but it is not necessary to actively monitor the scan. Once it is completed a service email is sent out. I waited for it and then quickly opened the dashboard. Here is what I got:

(Screenshot: Application Security Scan Completed)

Security Results

As you can see, my application does not have any significant security issues. To learn more about the low and informational issues that were found in the scan I downloaded the report as a PDF document. A snippet of the overview page is shown below:

(Screenshot: report overview page)

In the free plan of the Application Security on Cloud service, the report only has a couple of pages with the result overview. The paid service has detailed information about the found security issues along with recommendations on how to tackle the issues. To get an impression of what is included in those reports, the documentation offers sample security reports for download.

Based on the security assessment I now know that my web app hosted on the IBM Cloud Platform (Bluemix) is free from well-known security holes and relatively secure. Great for peace of mind and as feedback on my coding skills and those who contributed to the code libraries and modules that were used.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.


Published at DZone with permission of Henrik Loeser. See the original article here.
