AppScan QA & Audit FAQs
Web Application Development & Testing

  1. Why should security testing be done as a part of the application development and testing process?
  2. How do I integrate security testing into test plans?
  3. How do I write and modify security test scripts with AppScan?
  4. How do I report security defects to developers with AppScan?
  5. How do I measure the ROI of security testing during the QA process versus doing it at a different point in the process?
  6. I already write scripts that check for data validation, do I need AppScan?
 
Why should security testing be done as a part of the application development and testing process?
 

There are two sources of application defects:

  • External: Common Web Vulnerabilities (CWVs) are the result of flawed programming or misconfiguration of 3rd Party software (e.g. web servers and CGI scripts)
  • Internal: Application-Specific Vulnerabilities (ASVs) are created during application design and development

Today, companies must identify the security defects in their applications in every case, but how and when they do so depends entirely on the source of the defect. Catching and fixing ASVs during application development and testing dramatically reduces the cost of fixing this type of security defect. One estimate is that it costs seven times more to fix a defect after the application has been deployed than it would have if the defect had been caught during pre-deployment testing.

Integrating AppScan into existing testing processes is simple because:

  • AppScan creates, modifies, and manages tests automatically
  • AppScan is scriptable so that testers can build security testing into existing test scripts
  • AppScan's results can be exported in standard formats like CSV for import into 3rd Party defect reporting and management systems.

In short, the least expensive and most effective way to eliminate application security defects is to catch them as early as possible. To this end, AppScan integrates into any application development and testing process in order to catch ASVs and enable developers to fix them before doing so becomes far more expensive and far more risky.

How do I integrate security testing into test plans?
 

Creating the test plan is the first step in the application testing process. At this initial stage, it's critical to write security testing into the test plan regardless of whether or not you're going to use AppScan to do the tests. Just as the test plan contains methods and use cases for testing the functionality and performance of the application, so too should it include a plan for evaluating the application's security.

Application security defects generally involve improper handling of data sent from the user to the application. As a result, most of what is required to integrate security testing into a test plan is to include methods, use cases and success criteria for testing how the application handles invalid or illegal characters. Doing so saves the enterprise money and reduces the business risk of security defects that slip through the standard testing process and end up in the deployed application.

How do I write and modify security test scripts with AppScan?
 

With application security built into the test plan, performing security tests with AppScan is fast and efficient. Since AppScan creates and modifies application security tests to fit the specific application, the tester's job is to identify for AppScan the application or the business process to be tested. As with other testing tools, this is commonly done with AppScan's "Business Process Record and Play" feature: all the tester needs to do is record and save the process, much like recording a macro or creating a test script in other testing tools. Alternatively, AppScan can be configured to create tests for the entire application automatically. It is up to the tester to determine the scope of the tests required.

In either case, once the tests are created, the tester can run them immediately and independently of any other testing process, or can call the collection of custom security tests (called a session in AppScan) from a script that also does other things in addition to security testing.

How do I report security defects to developers with AppScan?
 

AppScan enables testers to get complete test descriptions and results into the hands of developers quickly. Results can be included in detailed reports that provide test data, defect advisories, and fix recommendations. Alternatively, results can be exported in standard formats to third-party analysis or bug-tracking software.

The results of the tests AppScan runs include a severity rating (i.e., the impact the defect has on the security of the application) for every defect found, a detailed description of the defect, links to additional information on the subject, the HTML source for the baseline and test requests, and fix recommendations.

Testers can either generate a detailed defect report for developers or export results to a third-party analysis or tracking tool. In either case, AppScan's actionable results deliver all of the information developers need to locate and fix defects quickly and effectively.

How do I measure the ROI of security testing during the QA process versus doing it at a different point in the process?
 

The benefits of security testing during the application testing and QA process are reduced R&D costs and reduced business risk. R&D cost reductions are realized in the form of fewer testing cycles and fewer disruptions (aka "fire drills") of the kind that result when a defect is found downstream in the application development process. Reduced business risk means that the probability of a successful attack through an application security defect is materially lower.

I already write scripts that check for data validation, do I need AppScan?
 

The answer to this question is best given by way of example. For a web application that contains 100 links, AppScan will automatically create several thousand separate, customized tests to run against the application. No person, no matter how prolific and skilled a tester or programmer, can match that output and accuracy. At the end of the day, AppScan is more accurate and far more efficient at security testing applications than any person could ever be.

AppShield, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

 
 Datasheet
 Product White Paper
 AppScan Features
 - What's New
 FAQ's
 - Product Overview
 - Pricing ... Training
 - Technical
 - Development & Testing
 Case Studies
 OWASP Compliance
 Press Releases
 AppScan in the News
 Support & Training
 AppScan Demo
 AppScan FREE Trial
 AppScan Extranet

Free AppScan Trial

Strategic Partner Solutions
 - AppScan Express
 - PricewaterhouseCoopers
Because you need a fast, cost-effective route to web application security.
 - Partner Directory

Contact Me Now
Click here if you would like a Sanctum Sales Rep to contact you within 24 hours.

© 2003 Sanctum, Inc.