General
- What are the minimum system requirements to install AppScan DE?
- What is the Patented Policy Recognition Engine?
Configure
- How do I configure AppScan DE to unit test an application?
- VS .Net integration.
- Native plug-in for all other supported IDEs.
- Can I choose how AppScan DE scans my application?
Test
- How does AppScan DE Unit Test my application?
- What kinds of Web Applications does AppScan DE 1.7 test?
- Can AppScan DE test an application if it contains JavaScript?
- Can AppScan DE automatically test an application if it requires HTTP authentication?
- Can AppScan DE automatically test my application if it utilizes client side certificates for authentication?
- Can AppScan DE automatically test my application if my site utilizes NTLM?
- Can AppScan DE automatically test an application if it utilizes SSL?
- What is code sanitation and content review?
- Will AppScan DE automatically run tests against the security defects it has identified?
- I have an application server installed with a custom 3rd party application in my environment; does AppScan DE support it?
Recommend
- How do I report security defects with AppScan DE?
- What sorts of information does AppScan DE include in the results and reports?
- Are there different views of the testing results?
- What type of information is in the advisories?
- Will I be able to see the details of what AppScan DE tested and found?
Report
- What types of reports are available in AppScan DE?
- How does the report get generated?
- What formats can the reports be produced in?

What are the minimum system requirements to install AppScan DE?
Minimum System & Software Requirements:
- Computer: Pentium III PC, 800 MHz
- Operating System: Windows 2000 with SP2 (or higher), Windows XP with SP 1 (or higher), Windows .Net Server
- RAM: 512 MB
- Network: 1 NIC 10/100 MBPS for network communication with configured TCP/IP (100 MBPS recommended)
- Disk Space: 100MB for installation, 1GB for results storage
- Other Software: Internet Explorer 5.5 or 6.x and the relevant IDE (for the integration part)

What is the Patented Policy Recognition Engine?
Sanctum's patented Policy Recognition Engine enables AppScan DE to perform unit tests
automatically and accurately. Based on a series of requests it sends to the application
and the responses it receives, the dynamic policy recognition engine learns the logic
and intended behavior of the application and constructs unit tests that are specifically
designed to identify security defects in the logic and behavior of the application.

How do I configure AppScan DE to unit test an application?
Configuring a unit test with AppScan DE 1.7 is easy because it is integrated with your IDE.

VS .Net integration
Step one is to add an AppScan DE Project to your Visual Studio .NET Solution.
AppScan DE then automatically creates a configuration for an automated unit test
for that Project. Step two allows the developer to modify the default settings
in order to narrow the scope of the test and/or the types of defects for
which AppScan DE will check. Step three is to run the test. AppScan DE then
saves these configuration settings for repeat testing of the same application.
The XML configuration file format allows defining and sharing of configuration files
between AppScan DE projects.

Native plug-in for all other supported IDEs
Step one is to launch the AppScan DE plug-in. AppScan DE then automatically creates a configuration for
an automated unit test given your previously set defaults. Step two allows the developer
to modify the default settings in order to narrow the scope of the test and/or the types
of defects for which AppScan DE will check. Step three is to run the test. AppScan
DE then saves these configuration settings for repeat testing of the same application.
The XML configuration file format allows defining and sharing of configuration files between
AppScan DE projects.

Can I choose how AppScan DE scans my application?
Yes. AppScan DE supports multiple scan types, allowing the user to choose between control
over the scan and automation of the scan, and various degrees in between. Specifically,
there are three scan types:
- Automatic Scan (default) - Pre-scan definitions are supplied by the user. This enables the user to multi-task during the scan and requires less know-how from the user.
- Interactive Scan - Manually explore and test specific pages in the application. This maximizes user control of the scan, enabling the user to manage every step and every stage of the scan.
- User Defined Scan - All settings are supplied by the user. This is a totally customized scan, giving maximum flexibility when conducting a scan.
- Business Process Record and Play - This allows the user to record and play back crawling through a specific business process or transaction and accurately repeat the test.

How does AppScan DE Unit Test my application?
First, AppScan DE automatically analyzes the application's handling of HTTP requests
and responses, learning the business logic and structure of the site. In the process,
it detects potential defects in the way the application handles data input in form fields,
URLs and parameters, HTTP headers, cookies, etc. Based on the potential vulnerabilities
it detects, it creates customized tests to evaluate the security of the application's
input validation processes.
Each test is created and customized automatically by AppScan DE before it is sent to
the application. When the application responds to a test, AppScan DE's Expert Security
System quickly and precisely analyzes the response to determine if it indicates the
presence of a vulnerability or not. In addition, every response is categorized
and rated automatically based on the likelihood that it is a security defect
and the level of risk associated with the vulnerability.

What kinds of Web Applications does AppScan DE 1.7 test?
AppScan DE 1.7 performs unit tests through the web front end regardless of the underlying
technologies used to build the applications.

Can AppScan DE test an application if it contains JavaScript?
Yes. AppScan DE can crawl through dynamic pages and JavaScript-generated links, maximizing the scope of the scanned area.

Can AppScan DE automatically test an application if it requires HTTP authentication?
Yes. AppScan DE can crawl a site requiring HTTP authentication. Configuring the
HTTP Authentication fields ensures that AppScan DE will automatically provide
the appropriate login information during the HTTP authentication process.

Can AppScan DE automatically test my application if it utilizes client side certificates for authentication?
Yes. AppScan DE supports web sites requiring client side certificates to
authenticate users; the AppScan DE user needs only to load the required certificate
in order to scan the site.

Can AppScan DE automatically test my application if my site utilizes NTLM?
Yes. AppScan DE supports web sites running NTLM. The user only needs to enable this option
from within AppScan DE's General Settings menu.

Can AppScan DE automatically test an application if it utilizes SSL?
Yes. AppScan DE can crawl sites that utilize SSL v2, SSL v3, and TLS v1, ensuring compatibility
with the site's encryption method and allowing scans into the most sensitive parts
of the application.

What is code sanitation and content review?
In addition to testing applications for security defects, AppScan DE also finds and flags content within an application that could potentially pose a security risk. Examples of such content are:
- Comments left in source code
- Unencrypted cookies
- SQL statements in client-side JavaScript
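As an added illustration of the content review described above (this is example code written for this page, not Sanctum's engine), the script below flags each of the three listed content types in a constructed HTTP response. It assumes that an "unencrypted cookie" means a cookie set without the Secure attribute.

```python
import re

# Constructed sample HTTP response (not from the page), one hit per flagged type.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly

<html><head>
<!-- TODO: remove /admin/debug before release -->
<script>
var q = "SELECT * FROM users WHERE name = '" + user + "'";
</script>
</head><body>Hello</body></html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
SQL_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\b(FROM|INTO|SET|WHERE)\b", re.I)


def split_response(raw):
    # Split into (lower-cased name, value) headers and the body; status line dropped.
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def review_content(raw):
    # Returns a list of {"type", "detail"} findings in response order.
    headers, body = split_response(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        # Assumption: "unencrypted cookie" = no Secure attribute, so the browser
        # may send it over plain HTTP.
        if "secure" not in [a.lower() for a in parts[1:]]:
            findings.append({"type": "cookie-without-secure", "detail": parts[0]})
    for m in COMMENT_RE.finditer(body):
        findings.append({"type": "html-comment", "detail": m.group(1).strip()})
    for s in SCRIPT_RE.finditer(body):
        for line in s.group(1).splitlines():
            if SQL_RE.search(line):
                findings.append({"type": "sql-in-client-script", "detail": line.strip()})
    return findings
```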

Will AppScan DE automatically run tests against the security defects it has identified?
Some of the tests AppScan DE is capable of running against the site have the potential
to change data and files on the site, so AppScan DE provides developers with complete
control over its application testing engine. Users can have AppScan DE execute
tests automatically or manually. In addition, users can select only specific tests
or types of tests to run against the application instead of the entire comprehensive
set of tests generated by default.

I have an application server installed with a custom 3rd party application in my environment; does AppScan DE support it?
AppScan DE has a highly flexible architecture and is able to support many 3rd party
and custom-built applications. AppScan DE's security testing is based on exploring a
site and analyzing the HTTP and HTML content in the responses sent from the web server
to the browser. As a result, AppScan DE can dynamically handle documents served from a static
source (requests for HTML pages) as well as documents the web server produces
dynamically with CGI, ASP, ASPX, JSP, or ColdFusion.

How do I report security defects with AppScan DE?
Once it has finished testing an application, AppScan DE delivers complete test descriptions
and results to the developer inside AppScan DE 1.7 (for VS .Net integration - within
the Visual Studio .NET interface). Developers can drill down into results to obtain
test data, defect severity and advisories, and fix recommendations for both .Net
and Java users. In addition, AppScan DE contains a reporting feature that enables
developers to generate soft copy and/or hard copy reports for distribution
to development team members, managers, or executives. Also, results can be exported
in a standard format (CSV) to third party analysis or bug tracking software.
The results of the tests AppScan DE runs include severity ratings (i.e. the impact
the defect has on the security of the application) for every defect found,
a detailed description of the defect, links to additional information on the subject,
HTML source code for the baseline and tests, and fix recommendations.

What sorts of information does AppScan DE include in the results and reports?
When AppScan DE is finished running a unit test, it displays the number of non-vulnerable and
vulnerable links and files detected in an interactive format. The user can then sort
the results in a variety of ways (by defect category, severity, or result type),
or the user can drill down into a specific result to get a detailed technical description
of the defect as well as a specific recommendation for how it should be fixed.
In addition, results can be displayed in a variety of ways depending on the user's needs:
visited links, interactive links, filtered links, faulty links, and links that require scripts.
For every defect identified, AppScan DE provides a pinpointing feature that
automatically launches the affected source file for the developer to check quickly.
In addition, the user can generate a detailed report that contains all of the same
information for export to a third party bug tracking system or to generate a
hard copy print out.

Are there different views of the testing results?
Yes, there is an interactive grid available for easy test result navigation with
three levels of test results, from high level summary data to link-specific details.
These results are color coded for 'at-a-glance' results interpretation and can be grouped
by different test dimensions such as result, category, severity, safety, name,
auto/manual, or link. When possible, subgrouping is provided.

What type of information is in the advisories?
AppScan DE provides developers with detailed background and fix recommendations
for each security defect found. Attack impact, affected products, technical descriptions,
fix recommendations, and reference links are provided. In addition, sample code may
be provided detailing the recommended fix.

Will I be able to see the details of what AppScan DE tested and found?
Yes, users can fully navigate the security test results and obtain specific test details
to help better understand both the tests performed and their impact. Information
on the actual test that was sent and its results is provided, along with the ability
for the user to add comments to the text for inclusion in the report. The properties
tab describes the test that was sent (its path and parameters), as well as its bottom-line
success. It also contains a comments field where user comments can be added.
The test response tab shows the HTML source code of the site's response. The actual attack
AppScan DE sent is also provided and can be searched by path, keyword
in the request, keyword in the response, and success or severity.

What types of reports are available in AppScan DE?
AppScan DE reports are completely customizable. Some of the options available include:
- Single view reports with all the information a developer needs
- Reports containing the vulnerabilities per host, vulnerability highlights, URL count, vulnerabilities per application, and application content
- These reports can also be sorted and grouped to ensure they look and feel as the user desires
- Report filters (set in the filter dialog box) that limit report results by severity, result, test, category, and application path

How does the report get generated?
Reports can be generated automatically upon completion of the testing, or they can be generated manually after the testing is complete.

What formats can the reports be produced in?
Results can be exported to 3rd party defect analysis and tracking tools, allowing for
easy integration into existing infrastructure and management packages and processes.
Specifically, reports can be exported as raw data in CSV format and can be saved
as PDF, XLS, HTML, RTF, TXT, and TIFF.
AppShield, AppScan, Policy Recognition, and Adaptive Reduction are trademarks of
Sanctum, Inc. All other product names referenced are the property
of their respective owners and are hereby acknowledged.