AppScan™ Audit Edition FAQs—Product Overview
  1. What business problem does the AppScan product suite solve?
  2. What makes the AppScan product suite the right choice for my organization?
  3. Who benefits from the AppScan 4.5 product suite?
  4. What is the key benefit of AppScan Audit Edition?
  5. What are the key features of AppScan 4.5 Audit Edition?
  6. What gives AppScan its industry leading accuracy?
  7. Does AppScan AE provide Compliance Reporting?
  8. Does AppScan AE provide Privacy Testing?
  9. How does AppScan communicate the results of my test?
  10. How does AppScan facilitate understanding of the test results? What is Results Analysis?
  11. What is Results Consolidation?
  12. What is Delta Analysis?
  13. Does AppScan AE support XML/SOAP and Web services?
  14. What are the strengths of AppScan's customization and automation features?
  15. Can I track the changes to my application's security over time with AppScan AE?
  16. How does AppScan handle non-English language applications?
  17. What types of attacks does AppScan test for?
  18. What is the new attack "HTTP Response Splitting"?
 
What business problem does the AppScan product suite solve?

The pace of application deployment is accelerating; mandatory internal and external compliance with security regulations and initiatives is increasing; and protecting your web applications by manually patching or upgrading is a strategy that will fail you, sooner or later. According to the Gartner Group, a company with 1,000 servers can spend $300,000 to test and deploy a patch. The startling reality is that most companies deploy several patches a week. The potentially devastating business impact of a security defect in production demands that an enterprise do everything possible to be assured of quality, compliance and security across the application lifecycle, with a commitment to maintaining confidence in the live/production environment.

There are three products built on AppScan core technology to serve customers:

  • AppScan Developer Edition (DE) - An integrated application code security testing software package for developers in the .NET and J2EE development environments.
  • AppScan QA Edition (QA) - Automated, progressive web application testing software that provides QA personnel with comprehensive security defect analysis and remediation information, while integrating seamlessly into current test processes and environments.
  • AppScan Audit Edition (AE) - Automated application vulnerability assessment software to conduct accurate and comprehensive audits and validate web application quality and compliance with regulatory and organizational security initiatives.

 
What makes the AppScan product suite the right choice for my organization?

The bottom line in web application risk assessment is efficiency, and AppScan's industry leading combination of speed, accuracy, and flexibility makes it the most powerful security-testing tool in the market today. AppScan provides highly accurate and actionable information that drives enormous returns to organizations in the form of cost savings, reliable operations, and strong customer relationships. The AppScan product family provides the efficiency, accuracy and flexibility that developers, QA, auditors, and operations managers need to find and fix security defects quickly and efficiently.

 
Who benefits from using the AppScan 4.5 product suite?

Application Testers
Instead of searching for security defects manually, testers use AppScan QA to detect security defects automatically as an integrated component of enterprise development and testing processes. AppScan QA automates the test script creation, modification, and maintenance process and ensures reliable and repeatable testing. After it runs these tests, AppScan QA's analytical tools and reporting functions simplify communication of results to developers. By reducing the number of development cycles and the downtime caused by security defects found in production, it lets secure applications be deployed faster for less money, and the enterprise dramatically improves the utilization of QA and development resources.

Internal and External Auditors
For applications in production, auditors face the considerable challenge of producing accurate and comprehensive security assessments quickly. For years, AppScan AE has been an essential part of the auditor's toolkit in helping to solve this problem. Powered by its patented Dynamic Policy Recognition Engine, AppScan's behavioral detection and precision testing processes automatically learn the application's logic and structure and build custom test scenarios to run against it. AppScan AE accurately detects the broadest array of application vulnerabilities with minimal false positives and false negatives, including in any web-based XML/SOAP application. However, accuracy does not have to yield to performance. Next generation performance is due to AppScan AE's ability to use multiple threads to explore and test applications, cutting test time dramatically. Resolution becomes even easier in AppScan AE with analytical tools such as delta analysis, which allows auditors to compare changes between scans. Such tools, combined with enhanced assessment reports, best practice remediation steps, and real-time assessment monitoring, ensure the auditor can focus more time and resources on the resolution of security vulnerabilities rather than on their detection.

Compliance Officers
Regulatory and security best practice initiatives are of growing concern to organizations. Failure to comply with new government regulations and corporate best practices can be extremely costly and potentially embarrassing. AppScan includes an innovative tool that simplifies compliance reporting. Taking full advantage of the capabilities of XML, AppScan has integrated several templates that can generate multiple compliance validation reports from a single AppScan assessment of a site. In addition to the built-in templates, AppScan includes the ability to easily create customized reports to validate web applications against organization-specific policies and guidelines.

 
What is the key benefit of AppScan Audit Edition?

AppScan Audit Edition (AE) is the market leading application vulnerability assessment tool that accurately detects and reports security vulnerabilities automatically as an integrated component of an enterprise security process review. By accelerating assessment and analysis, AppScan AE provides the consistent evaluation and success metrics, as well as the regulatory and security directive compliance validation information, needed for the remediation of security vulnerabilities and adherence to regulatory and security initiatives. AppScan AE validates application security for faster, more cost efficient deployment, dramatically improving an organization's efficiency and utilization of development and security resources. AppScan 4.5 AE introduces new functionality that includes expanded testing coverage (new XML/SOAP Web services attacks and privacy testing), enhanced analysis capabilities, automated compliance report generation, and various user controls designed for the 'power user' to improve testing efficiency and accuracy. In summary, AppScan AE:

  • Facilitates Communication across the development lifecycle:
    • Best of breed results communication: Understand, communicate and measure
    • Enhanced reporting functionality with XSLT templates
  • Automates Regulatory/Directive Compliance Assurance
    • Built-in U.S. regulations
    • Built-in European directives
    • User-defined compliance reports
  • Enhances S.A.F.E. Leadership (Speed, Accuracy, Flexibility and Efficiency)
    • Accurate security assessment for the power user
    • User defined controls for intelligent testing

 
What are the Key Features of AppScan 4.5 Audit Edition?

Accurate Security Assessment for Power Users

  • Test new and existing infrastructures including XML/SOAP applications and environments
  • User-defined controls for accurate and efficient testing
  • Comprehensive coverage of vulnerability testing: ASVs, CWVs, XML/Web Services and Privacy

Comprehensive Compliance Analysis & Reporting

  • Built-in compliance testing and reporting
  • Customized templates allow corporate security best practices to be tested in real time
  • Generate multiple compliance reports from a single assessment - saves time

Intelligent Results Communication

  • Fully automated Results Analysis saves time with accurate interpretation of results
  • XML foundation for data mobility and analysis
  • Delta and Trend Analysis provides full comparative results to enforce compliance over time

 
What gives AppScan its industry leading accuracy?

Accuracy is measured in terms of false negatives (actual vulnerabilities that are declared to be secure), false positives (secure code that is mistakenly identified as vulnerable), and vulnerabilities that are never even checked for by the product. With extensive user-defined controls, power users can increase the breadth of audits for more intelligent and accurate testing. Several features in AppScan actively reduce the frequency of false negatives and false positives. These features are:

  1. Login/Logout page testing control for improved precision
  2. Untested Parameters - permit testers to specify a set of parameters not to be tested in a scan
  3. Throttle Control - the test engine scales to align with the target's capabilities
  4. Server Down Detection reports communication problems to improve test accuracy and efficiency
  5. New XML Application-Specific Vulnerabilities (ASVs) and other XML/Web-Services tests ensure appropriate breadth of testing
  6. JavaScript Explore - Explores and tests links embedded in JavaScript
  7. Custom Error Page Recognition module reduces false positives by detecting custom responses to failed attacks
  8. Customized 404 page Setup - an advanced utility for automatic and accurate detection of customized 404 pages
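Items 7 and 8 above describe recognising custom error and 404 pages so that a friendly "not found" page returned with status 200 is not mistaken for a successful test. The Python below is an added illustration written for this FAQ; it is not Sanctum's code, and the page does not describe how AppScan implements the feature. It requests a random path that cannot exist, remembers a normalized fingerprint of the answer, and then classifies later responses by similarity to it. The Response type, the similarity threshold and the sample pages are constructed assumptions.

```python
import difflib
import re
import secrets
from typing import List, NamedTuple


class Response(NamedTuple):
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: str


def normalize(body: str) -> str:
    """Reduce an HTML body to its visible text with volatile parts removed.

    Custom error pages usually differ only in request ids, timestamps or
    the echoed path, so those are collapsed before comparison.
    """
    text = re.sub(r"<script.*?</script>", " ", body, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)      # drop tags, keep visible text
    text = re.sub(r"\d+", "0", text)          # request ids, timestamps
    text = re.sub(r"\s+", " ", text).strip().lower()
    return text


class NotFoundDetector:
    """Learns what 'page not found' looks like on a site that answers 200 for it."""

    def __init__(self, threshold: float = 0.9) -> None:
        self.threshold = threshold          # assumed cut-off, tune per application
        self.baselines: List[str] = []

    @staticmethod
    def probe_path() -> str:
        # A random path that cannot exist; the scanner requests it once at
        # setup time and feeds the answer to learn().
        return "/" + secrets.token_hex(12)

    def learn(self, response: Response) -> None:
        self.baselines.append(normalize(response.body))

    def similarity(self, response: Response) -> float:
        text = normalize(response.body)
        if not self.baselines:
            return 0.0
        return max(difflib.SequenceMatcher(None, text, b).ratio() for b in self.baselines)

    def is_not_found(self, response: Response) -> bool:
        """True for a real 404, or for a 200 whose body mirrors the learned error page."""
        if response.status == 404:
            return True
        if response.status != 200:
            return False
        return self.similarity(response) >= self.threshold


# Constructed sample pages: a site that serves its error page with status 200.
CUSTOM_404 = Response(200, "<html><body><h1>Page not found</h1>"
                           "<p>Request id 48213 at 12:04:11</p></body></html>")
ANOTHER_404 = Response(200, "<html><body><h1>Page not found</h1>"
                            "<p>Request id 77010 at 12:05:39</p></body></html>")
REAL_PAGE = Response(200, "<html><body><h1>Account settings</h1>"
                          "<form><input name='email'></form></body></html>")


def demo() -> dict:
    det = NotFoundDetector()
    det.learn(CUSTOM_404)            # in a real run: the answer to det.probe_path()
    return {
        "another_404": det.is_not_found(ANOTHER_404),
        "real_page": det.is_not_found(REAL_PAGE),
        "true_404": det.is_not_found(Response(404, "")),
    }


if __name__ == "__main__":
    print(demo())
```

Learning from several random probes rather than one makes the baseline robust to pages that echo the requested path, and the threshold should be lowered only when a site's error page carries a lot of variable content.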

 
Does AppScan AE provide Compliance Reporting?

Yes. AppScan AE includes an easy to use reporting tool that automatically generates regulatory and internal security initiative compliance reports. The importance of ensuring the confidentiality and integrity of sensitive customer or company information is just one reason that external regulations and security best practices have recently taken a leading role in security testing. Compliance initiatives are hitting the bottom line and are considered critical and real components of secure environments. Failure to comply with government regulations and corporate best practices can not only be extremely costly but can also affect customer and public trust. AppScan AE includes an innovative tool that simplifies compliance reporting. Several report templates have been integrated into the product that can generate multiple compliance validation reports from a single AppScan assessment of a site. In addition to the variety of built-in regulatory templates, AppScan includes the ability to easily create customized report templates to validate web applications against internal security and privacy policies and guidelines.

 
Does AppScan AE provide Privacy Testing?

Yes. Application security does not always equal application privacy. An application without security vulnerabilities does not guarantee privacy of the sensitive information contained by that application. For example, it may be possible for unencrypted user names/passwords to be intercepted or personal information like social security numbers to be exposed. For this reason, AppScan has implemented a suite of privacy tests to specifically look for unsecured sensitive information. AppScan's privacy tests target vulnerabilities or configurations that result in sensitive information being inadvertently exposed. For example, AppScan will report if login requests are sent unencrypted, or if other sensitive information such as credit card numbers or social security numbers is sent unprotected to the server.
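The privacy checks described above (login requests sent unencrypted, card or social security numbers sent unprotected) can be expressed as a pass over recorded requests. The following Python is an added example written for this FAQ, not AppScan's own logic: it flags credential fields sent over plain HTTP or in a GET query string, and SSN- or card-number-shaped values sent unencrypted, using a Luhn check to cut false positives on card numbers. The Request type, the credential field names, the sample traffic and the example.test host are all constructed assumptions.

```python
import re
from typing import List, NamedTuple


class Request(NamedTuple):
    """One outgoing HTTP request as a scanner would record it (constructed type)."""
    method: str
    url: str
    body: str = ""


# Hypothetical field names that mark a login form; a real scanner learns
# these from the application's forms rather than from a fixed list.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most random digit runs out of the card-number check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def payload_of(req: Request) -> str:
    """The part of the request that carries form data: body for POST, query for GET."""
    if req.method.upper() == "POST":
        return req.body
    return req.url.partition("?")[2]


def field_names(payload: str) -> set:
    return {p.partition("=")[0].lower() for p in payload.split("&") if p}


def privacy_issues(req: Request) -> List[str]:
    """Flags sensitive data that leaves the client unprotected."""
    issues: List[str] = []
    plaintext = req.url.lower().startswith("http://")
    payload = payload_of(req)
    fields = field_names(payload)
    if plaintext and fields & CREDENTIAL_FIELDS:
        issues.append("login credentials sent unencrypted")
    if plaintext and SSN_RE.search(payload):
        issues.append("SSN-formatted value sent unencrypted")
    if plaintext and any(luhn_ok(re.sub(r"[ -]", "", m.group()))
                         for m in CARD_RE.finditer(payload)):
        issues.append("card-number-formatted value sent unencrypted")
    if fields & CREDENTIAL_FIELDS and req.method.upper() == "GET":
        # Even over TLS, query strings end up in server logs, proxies and Referer headers.
        issues.append("credentials in URL query string (recorded in logs and referers)")
    return issues


# Constructed sample traffic; example.test is a reserved name, not a real site.
SAMPLE = [
    Request("POST", "http://www.example.test/login", "user=alice&password=s3cret"),
    Request("POST", "https://www.example.test/login", "user=alice&password=s3cret"),
    Request("GET", "https://www.example.test/login?user=alice&password=s3cret"),
    Request("POST", "http://www.example.test/checkout",
            "card=4111 1111 1111 1111&ssn=123-45-6789"),
]


def scan(requests: List[Request]) -> List[List[str]]:
    return [privacy_issues(r) for r in requests]


if __name__ == "__main__":
    for req, found in zip(SAMPLE, scan(SAMPLE)):
        print(req.method, req.url, found or "ok")
```

The same pass can be run over responses to catch sensitive values echoed back by the server; the checks are the same, only the direction of the traffic changes.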

 
How does AppScan communicate the results of my test?

Communicating the right results to the right people is an extremely important step in the application security testing and assessment process. AppScan provides a wide variety of ways in which results can be analyzed, reported, and communicated. You can also view the results of every test in a variety of formats. AppScan's interactive results display and vulnerability index cards provide results in an interactive format that enables you to drill down from a high-level summary to the granular details of every test, including actionable fix recommendations. You can also export test results in various formats, including XML, to third party tools for additional analysis and tracking. Using AppScan's compliance reports, QA and security organizations can now work collaboratively in testing for regulation compliance. Auditors can assess an application's compliance readiness, and QA can test specific requirements to pre-validate applications prior to staging and deployment. This significantly improves the communication loop between security and development, ensuring that only quality, secure and compliant applications are deployed. In addition to the interactive results and reports, another valuable source of information about the tests is AppScan's traffic log. In the traffic log, users will find an exact record of every component of every AppScan request and the same details for each response from the application, including header, cookie, script, and URL information.

 
How does AppScan AE facilitate understanding of the test results? What is Results Analysis?

As web applications scale in size and volume, the number of vulnerabilities that can be found by AppScan increases dramatically. Analyzing and understanding the results from a management/executive perspective has in the past been a purely manual task, and can become exhausting work when dealing with large web applications that contain many security vulnerabilities. With AppScan's Results Analysis tool, AppScan can automatically translate the scan results from technical to business terms. This feature saves time and improves accuracy. Results Analysis communicates the root cause and effect of security defects to developers and other personnel.

For Auditors, the Results Analysis tool provides the ability to get accurate, comprehensive results on raw data automatically. Auditors of all levels, from penetration testers to managers, can now understand the true state of the application's security. By decreasing the complexity of analysis, auditors can rely on AppScan AE to produce error-free, immediate, and automated analysis.

AppScan's Results Analysis includes several sections that help address the security problems at the macro level:

  • Most vulnerable links in the web application
  • Worst Case Scenarios
  • Vulnerability Causes
    • Insecure programming
    • Insecure administrative practices

For each vulnerability, AppScan presents the vulnerability cause in layman's terms to provide an understandable sense of what causes the problem.

 
What is Results Consolidation?

To provide a comprehensive landscape of a site's security health, security testing must incorporate a wide range of application attacks, with several variations attempted for each type. AppScan follows this testing pattern by conducting tests on several parameters within a specific web application link. AppScan AE then consolidates the results into collapsible/expandable groups according to the name of the test and the link (the original link on which the test was sent). This provides an organized, high-level view of the results, allowing users to quickly navigate through and understand them without the need to scan all the test results from top to bottom. This is very useful in helping to identify specific types of vulnerabilities or defects that have multiple ramifications throughout the application. The organized display also helps to isolate problems with particular pages and depicts a logical assessment of the entire application security landscape.

 
What is Delta Analysis?

AppScan AE contains the first comprehensive solution for 'Delta Analysis' of web application security, which helps developers, QA testers and audit personnel track changes in the security of their web application. Advanced delta analysis is one of the most distinctive and cutting-edge features of the AppScan Suite. A 'Delta analysis' gives the tester and the product manager a much broader view of where development is heading with regard to security.

Audit personnel can compare security health over time across applications, departments or companies to ensure continued compliance and vulnerability remediation by identifying hot spots and trends.

 
Does AppScan AE support XML/SOAP and Web services?

Yes. AppScan AE provides full support for XML and Web Service testing, including: full parsing of XHTML pages; the ability to intercept, parse and manipulate XML and SOAP web service requests; new ASV (unknown vulnerability) and CWV (known vulnerability) tests added to AppScan's test database; and marking of XML requests in the GUI, for easy distinction between XML and regular requests. As more and more web applications implement XML for purposes such as Web Services or B2B interfaces, new security hazards are introduced. To keep the security level of web applications at its highest, it is important to be able to audit those parts of the web application as well.

 
What are the strengths of AppScan's customization and automation features?

AppScan AE can automatically explore an entire test site unassisted. A user can configure AppScan to narrow the scope or depth of the scan precisely in order to reduce unnecessary scanning. The user can define which types of attacks to execute and whether to perform them automatically or manually. Using input from its Expert Security Testing System, AppScan automatically assigns severity and success ratings for tested attacks and provides expert advice for fixing the vulnerabilities. The preconfigured reports are automatically generated in both textual and graphical format, and can be customized to reflect the expertise and information needs of the user - high-level analysis for the executive summary, technical details for security experts and recommended code fixes for QA and developers. In short, AppScan's automation and customization features combine power and speed with flexibility and control. This unparalleled combination empowers the user to complete more accurate and comprehensive web application security assessments in a fraction of the time it would take to do the same assessment manually.

 
Can I track the changes to my application's security over time with AppScan AE?

Yes. AppScan provides a session comparison utility that allows you to compare the differences between two selected sessions. The comparison results are presented in the delta analysis report, which includes information about the differences between the sessions in each of the scan stages and scan results. This utility was specifically designed to allow you to track and monitor the changes in application security that result from updates to the application's code. Additionally, using XSLT, customers can easily perform trend analysis of results from more than two scans. Included with AppScan is a sample Trend Analysis template that can be modified and used to start constructing trend analysis quickly.
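Session comparison and XSLT trend analysis reduce to the same operation: identify each finding by test, link and parameter, then diff or count across sessions. The Python below is an added example written for this FAQ and not Sanctum's code; it parses two constructed scan exports, reports new, fixed and unchanged findings as a delta report, and counts severities per session as a trend over any number of scans. The XML layout, element and attribute names and the sample findings are assumptions, since the page does not show AppScan's real export schema.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    test: str
    url: str
    param: str
    severity: str


# Hypothetical export layout, constructed for this example; the page does not
# show AppScan's real XML schema, so element and attribute names are assumptions.
SESSION_BEFORE = """<scan date="2004-03-01">
  <finding test="SQL Injection" url="/login.asp" param="user" severity="High"/>
  <finding test="Cross-Site Scripting" url="/search.asp" param="q" severity="Medium"/>
  <finding test="HTTP Response Splitting" url="/redirect.asp" param="url" severity="Medium"/>
</scan>"""

SESSION_AFTER = """<scan date="2004-03-15">
  <finding test="SQL Injection" url="/login.asp" param="user" severity="High"/>
  <finding test="HTTP Response Splitting" url="/redirect.asp" param="url" severity="Medium"/>
  <finding test="Hidden Field Manipulation" url="/checkout.asp" param="price" severity="High"/>
</scan>"""


def parse_session(xml_text: str) -> List[Finding]:
    root = ET.fromstring(xml_text)
    return [Finding(e.get("test"), e.get("url"), e.get("param"), e.get("severity"))
            for e in root.iter("finding")]


Key = Tuple[str, str, str]


def key(f: Finding) -> Key:
    # Identity of a finding across scans: same test on the same link and parameter.
    # Severity is deliberately excluded so a re-rated finding still counts as unchanged.
    return (f.test, f.url, f.param)


def delta(before: List[Finding], after: List[Finding]) -> Dict[str, List[Finding]]:
    """Two-session comparison: what appeared, what went away, what is still open."""
    b = {key(f): f for f in before}
    a = {key(f): f for f in after}
    return {
        "new": [a[k] for k in sorted(a.keys() - b.keys())],
        "fixed": [b[k] for k in sorted(b.keys() - a.keys())],
        "unchanged": [a[k] for k in sorted(a.keys() & b.keys())],
    }


def trend(sessions: List[List[Finding]]) -> List[Dict[str, int]]:
    """Severity counts per session, in order; extends the two-session delta to N scans."""
    return [dict(Counter(f.severity for f in s)) for s in sessions]


def report() -> Dict[str, object]:
    before, after = parse_session(SESSION_BEFORE), parse_session(SESSION_AFTER)
    d = delta(before, after)
    return {
        "new": [f.test for f in d["new"]],
        "fixed": [f.test for f in d["fixed"]],
        "unchanged": [f.test for f in d["unchanged"]],
        "trend": trend([before, after]),
    }


if __name__ == "__main__":
    for section, value in report().items():
        print(section, value)
```

A finding that moves to a different parameter or link shows up as one fixed and one new entry, which is the honest answer when the code path itself changed; keying on severity as well would instead make every re-rating look like churn.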

 
How does AppScan handle non-English language applications?

AppScan works with the HTML requests and responses sent between a user and the application. As a result, AppScan can be run against non-English sites and will find common web vulnerabilities on every site. In order to ensure that it will also identify and properly test application-specific vulnerabilities, a version of AppScan designed for that language is required. Currently, AppScan is produced in English and Japanese versions. Other language versions will be released in the future.

AppScan for Japanese users is currently available through TechMatrix and Hitachi, and a network of partnerships through them in Japan. This version provides Japanese language support and language-specific rules.

AppScan is also available in Europe through multiple country-based partnerships. See the Sanctum Partner Directory for a complete listing.

 
What types of attacks does AppScan test for?

AppScan explores applications looking for known and unknown vulnerabilities as an attacker would. The following is a list of many of the vulnerabilities AppScan finds and tests for:

  • SQL Injection
  • Hidden Field Manipulation
  • Parameter Tampering
  • Stealth Commanding
  • Forceful Browsing
  • Backdoors and Debug Options
  • Cookie Poisoning
  • 3rd Party Misconfigurations
  • Cross-Site Scripting
  • Buffer Overflow
  • HTTP Attacks
  • HTTP Response Splitting
  • Known Vulnerabilities (associated with CWVs)
  • Suspicious content
  • XML/SOAP
  • Privacy tests

 
What is the new attack "HTTP Response Splitting"?

HTTP Response Splitting infects web server communications and allows hackers to launch Web Cache Poisoning attacks (leading to defacement and next-generation phishing), hijack a web page with users' sensitive information or access data through cross-site scripting. The only security testing tool that can detect and immediately fix HTTP Response Splitting, AppScan AE helps enterprise users stay protected from these next-generation application threats.
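The defect behind HTTP Response Splitting is a request value copied into a response header without checking for CR/LF. As an added example written for this FAQ (not Sanctum's code), the Python below shows a redirect builder with that defect beside a hardened version that rejects control characters and restricts redirect targets to same-site paths or an allowlisted host; header_names() shows how many header lines each version emits for the same constructed input. The allowlisted host and the sample value are assumptions.

```python
import urllib.parse
from typing import List

ALLOWED_HOSTS = ("www.example.test",)   # assumption: the application's own host


def build_redirect_vulnerable(target: str) -> bytes:
    """The defect: a request parameter is copied into a header line unchecked.

    If the value carries a CR LF pair, everything after it is parsed as
    further header lines (or, after a blank line, as a second response),
    which is what the question above calls HTTP Response Splitting.
    """
    return ("HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n").encode("latin-1")


class HeaderInjection(ValueError):
    pass


def validate_header_value(value: str) -> str:
    # HTTP field values may not contain CR, LF or NUL. Reject rather than strip,
    # so the attempt fails loudly and shows up in application logs.
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection("control character in header value")
    return value


def safe_redirect_target(target: str) -> str:
    """Defence in depth for redirects: no control characters, and only
    same-site paths or allowlisted hosts."""
    validate_header_value(target)
    parts = urllib.parse.urlsplit(target)
    is_relative = (not parts.scheme and not parts.netloc
                   and target.startswith("/") and not target.startswith("//"))
    if is_relative:
        return target
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    raise ValueError("redirect target not allowed")


def build_redirect_safe(target: str) -> bytes:
    """Hardened form: the value is validated before it reaches the header."""
    location = safe_redirect_target(target)
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode("latin-1")


def header_names(raw: bytes) -> List[str]:
    """Header names in a response head; more than one here means the input split the header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.partition(":")[0] for line in head.split("\r\n")[1:]]


def rejects(target: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(target)
    except ValueError:
        return True
    return False


# Constructed input: a legitimate path followed by a CR LF and a header line.
INJECTED = "/home\r\nX-Injected: 1"


if __name__ == "__main__":
    print("vulnerable emits:", header_names(build_redirect_vulnerable(INJECTED)))
    print("hardened rejects:", rejects(INJECTED))
```

Modern web frameworks apply the control-character check for every header they write; the allowlist on redirect targets is the application's own responsibility and also closes the open-redirect variant of the same input.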

 
AppShield, AppScan, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

 
© 2004 Sanctum, Inc.