Why should security testing be done as a part of the application development and testing process? How do I report security defects to developers with AppScan 4.0?

Why should security testing be done as a part of the application development and testing process?

There are three sources of application defects: External: Common Web Vulnerabilities (CWVs) are the result of flawed programming or misconfiguration of 3rd Party software (e.g., web servers and CGI scripts) Internal: Application-Specific Vulnerabilities (ASVs) are created during application design and development Cross-Platform: XML/SOAP related vulnerabilities can be caused by either external factors, internal factors, or through XML/SOAP specific vulnerabilities. Today, companies must identify security defects in their applications in every case, but how and when companies do so depends completely on the source of the security defects. Catching and fixing ASVs during the development and testing of applications reduces dramatically the cost of fixing these types of security defects. One estimate is that it costs seven times more to fix a defect once the application's been deployed than it would have if it had been caught during the pre-deployment testing process. Integrating AppScan 4.0 into existing testing processes is simple because: AppScan 4.0 creates, modifies, and manages tests automatically AppScan 4.0 is scriptable so that testers can build security testing into existing test scripts AppScan 4.0's results can be exported in standard formats like CSV for import into 3rd Party defect reporting and management systems. In short, the most inexpensive and effective way to eliminate application security defects is to catch them as early as possible. To this end, AppScan 4.0 integrates into any application development and testing process in order to catch ASVs and enable developers to fix them before it gets exponentially more expensive and more risky to do so. Finally, cross-platform vulnerabilities results from XML/SOAP applications can be discovered through AppScan 4.0's newly updated ability to detect and flag XML/SOAP vulnerabilities whether simple or complex.

Back to Questions

How do I report security defects to developers with AppScan 4.0?

AppScan 4.0 QA enables testers to get complete test descriptions and results into the hands of developers quickly. Through the results analysis feature, testers can communicate the root cause of security defects to developers. can be included in detailed reports that provide test data, defect advisories, and fix recommendations. Alternatively, results can be exported in a standard formats to defect tracking and management software.

Back to Questions

AppShield, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.