AppScan™ 4.0 QA for Mercury TestDirector FAQs
Application Security Testing
  1. Why should security testing be done as a part of the application development and testing process?
  2. How do I integrate security testing into test plans?
  3. How do I write and modify security test scripts with AppScan QA for Mercury TestDirector?
  4. How do I report security defects to developers with AppScan QA for Mercury TestDirector?
  5. Can the user report vulnerabilities as "Defects" in TestDirector?
  6. Does the user have the ability to "zero in" on a specific area of a web site?
  7. Can AppScan QA for Mercury TestDirector perform web application security assessments on multiple Web servers with different content?
  8. What is SQL injection and does AppScan QA for Mercury TestDirector test for it?
  9. What is Cross-Site Scripting and does AppScan QA for Mercury TestDirector test for it?
  10. We have skilled programmers and services to write our Web pages. Do we still have security exposures?
 
Why should security testing be done as a part of the application development and testing process?
 

There are three sources of application defects:

  • External: Common Web Vulnerabilities (CWVs) are the result of flawed programming or misconfiguration of third-party software (e.g., web servers and CGI scripts)
  • Internal: Application-Specific Vulnerabilities (ASVs) are created during application design and development
  • Cross-Platform: XML/SOAP-related vulnerabilities can arise from external factors, internal factors, or XML/SOAP-specific flaws.

Today, companies must identify security defects in their applications in every case, but how and when they do so depends completely on the source of the defects. Catching and fixing ASVs during the development and testing of applications dramatically reduces the cost of fixing these types of security defects. One estimate is that it costs seven times more to fix a defect once the application has been deployed than it would have if it had been caught during the pre-deployment testing process.

AppScan QA for Mercury TestDirector enables Web application security testing for Mercury Interactive TestDirector users. Security testing performed using AppScan QA for Mercury TestDirector is an administrator's "dream", providing centralized control, easy deployment through a thin-client architecture, distributed workload, and low maintenance.

By deploying AppScan QA for Mercury TestDirector, organizations can maximize existing technology investments while reducing the cost of fixing security-related defects, ensuring faster time to market for a quality application.

 
 
How do I integrate security testing into test plans?
 

The first step is to add a requirement for the Web application to be secure. It's generally a good idea to break this requirement into several sub-requirements for different parts of the application. Users can use the "Requirements" screen in TestDirector for this purpose.

Once requirements are in place, you'll want to add tests in the test plan to cover these requirements. This is where AppScan QA for Mercury TestDirector comes into the picture, allowing you to automate the complex process of testing the security of Web applications. You'll associate specific tests with specific requirements, enabling you to follow the coverage of your test plans.

Application security defects generally involve improper handling of data sent from the user to the application. As a result, most of what is required to integrate security testing into test plans is to include methods, use cases and success criteria for testing how the application handles invalid or illegal characters. Doing so saves the enterprise money and reduces the business risk associated with security defects that slip through the standard testing process and end up getting deployed.

 
 
How do I write and modify security test scripts with AppScan QA for Mercury TestDirector?
 

With application security built into the test plan, performing security tests with AppScan QA for Mercury TestDirector is fast and efficient. Since AppScan QA for Mercury TestDirector creates and modifies application security tests to fit the specific application, the job of the tester is to identify for AppScan QA for Mercury TestDirector the application or the business process to be tested.

Many AppScan tests can be created without any "scripting", simply by entering the URL of the application. As with other testing tools, advanced scripting is also possible. This is commonly done with AppScan QA for Mercury TestDirector's "Business Process Record and Play" feature: all the tester needs to do is record and save the process. Business process files are saved in standard XML format, enabling testers to view and edit them using standard editing tools.

In either case, once the tests are created, the tester can either run them immediately and independently of any other testing process, or call the collection of custom security tests from a script he or she has created that also performs other testing tasks.

 
 
How do I report security defects to developers with AppScan QA for Mercury TestDirector?
 

AppScan QA for Mercury TestDirector enables testers to get complete test descriptions and results into the hands of developers quickly. Through the results analysis feature, testers can communicate the root cause of security defects to developers. Results can be included in detailed reports that provide test data, defect advisories, and fix recommendations. Alternatively, results can be exported in standard formats to defect tracking and management software.

 
 
Can the user report vulnerabilities as "Defects" in TestDirector?
 

Yes. TestDirector includes a defect tracking system.

The user can report a "Defect" from any step in an AppScan test run. The description and severity are filled in automatically, and the advisory and traffic files are attached to the defect. The defect is "associated" with the test it originated from, so at any time the user can go back and see what the test configuration was. The opposite is also possible: click on an AppScan test and see all the defects that were generated from it.

 
 
Does the user have the ability to "zero in" on a specific area of a web site?
 

Yes. AppScan QA for Mercury TestDirector enables users to play back specific business processes (previously created in AppScan QA) or areas of a web site for targeted testing. Once a business process has been recorded in AppScan QA, AppScan QA for Mercury TestDirector will test it automatically.

 
 
Can AppScan QA for Mercury TestDirector perform web application security assessments on multiple Web servers with different content?
 

Yes. AppScan QA for Mercury TestDirector can perform assessments across multiple web servers as long as this is permitted by the licensing agreement.

 
 
What is SQL injection and does AppScan QA for Mercury TestDirector test for it?
 

Web applications commonly use SQL to add, edit, or retrieve data from a database. If the application does not adequately validate the data it receives, a hacker can inject SQL commands into a form field and have the back-end database execute them. The destructive potential of this attack is enormous. SQL injection can enable a hacker to:

  1. Obtain any or all of the information stored in the database
  2. Erase records
  3. Bring down the database

AppScan QA for Mercury TestDirector runs a series of tests during a scan to determine whether the application is vulnerable to SQL injection. It does this safely, ensuring that the integrity of the database and its contents is not compromised.
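As an added illustration (not code from the original page or from AppScan), the following shows a login query that splices form-field values into SQL beside its parameterized form, together with the two kinds of "illegal character" test step that the test-plan answer above refers to. The in-memory database and its single user row are constructed here for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_concat(conn, name, password):
    """Vulnerable: form-field values are spliced into the SQL text, so quotes
    and keywords in the input become part of the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, name, password):
    """Hardened: the same query with bound parameters; the driver passes the
    values as data, so they can never change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def quote_probe(login):
    """Test step 1 (error-based): a lone quote is an 'illegal character' for
    this field. It raises a database error only when it reaches the SQL text."""
    try:
        login(make_db(), "ali'ce", "x")
    except sqlite3.Error:
        return True
    return False

def tautology_probe(login):
    """Test step 2 (logic-based): a password value that is false as data but
    true if interpreted as SQL. Logging in without the real password is a defect."""
    return login(make_db(), "alice", "' OR '1'='1")

def security_test_plan(login):
    """Run both steps; returns True when the login function passes (is safe)."""
    return not quote_probe(login) and not tautology_probe(login)

if __name__ == "__main__":
    for fn in (login_concat, login_param):
        print(fn.__name__, "passes" if security_test_plan(fn) else "FAILS")
```

Both probes run against a throwaway copy of the database, which is the sense in which a scanner can test "safely" without touching production data.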

 
 
What is Cross-Site Scripting and does AppScan QA for Mercury TestDirector test for it?
 

Many web applications contain forms and other interactive components that allow the end user to pass information to the application. Instead of passing benign information through the form, hackers pass scripts (typically written in JavaScript or VBScript) to the application. These scripts usually contain code for forms or other means of collecting information from a web page. As a result, hackers can insert their own scripts into web applications that enable them to do things like:

  1. Steal user names and passwords
  2. Collect customer information

AppScan QA for Mercury TestDirector runs a complete series of tests against every application to determine if it is susceptible to this popular type of attack.
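As an added illustration (not code from the original page or from AppScan), here is a page fragment that reflects a submitted value without encoding beside its HTML-encoded form, in both element and attribute context, plus the reflection check a scanner performs to tell them apart. The probe tag is a constructed, harmless marker.

```python
import html

# Constructed, harmless probe: a made-up tag that should never survive as markup.
PROBE = '<probe id="xss-check">'

def render_greeting_raw(name):
    """Vulnerable: the submitted value is written into the page unchanged,
    so any tags it contains are parsed by the victim's browser as markup."""
    return "<p>Hello, %s!</p>" % name

def render_greeting_escaped(name):
    """Hardened: HTML-encode the value at output time. < > & " ' become
    character references, so the browser renders them as text, not markup."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)

def render_search_raw(query):
    """Vulnerable, attribute context: a quote in the input closes the value."""
    return '<input name="q" value="%s">' % query

def render_search_escaped(query):
    """Hardened attribute context: quote=True also encodes the quote characters."""
    return '<input name="q" value="%s">' % html.escape(query, quote=True)

def reflects_markup(render):
    """Check of the kind a scanner performs: submit the probe and report
    whether it comes back intact, i.e. as markup rather than as escaped text."""
    return PROBE in render(PROBE)

def breaks_attribute(render):
    """Attribute-context check: does a quote in the input survive unencoded,
    adding quote characters beyond those of the empty template?"""
    baseline = render("").count('"')
    return render('"' + PROBE).count('"') > baseline

if __name__ == "__main__":
    for fn in (render_greeting_raw, render_greeting_escaped):
        print(fn.__name__, "reflects markup:", reflects_markup(fn))
    for fn in (render_search_raw, render_search_escaped):
        print(fn.__name__, "breaks attribute:", breaks_attribute(fn))
```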

 
 
We have skilled programmers and services to write our Web pages. Do we still have security exposures?
 

It is imperative that programmers develop awareness of, and proficiency in, eliminating security defects during the design and development of web applications. This practice is proven to reduce security testing and patch costs downstream. More importantly, secure code is one of the best defenses against getting hacked. Nevertheless, security defects inevitably make it through this process and, if not detected during the testing stage of the application lifecycle, end up exposed in production. AppScan QA for Mercury TestDirector is designed to integrate into the development and testing process in order to verify that the application is secure, or to identify security defects that need to be fixed before the application is deployed.

 
 
 
AppShield, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

 
© 2004 Sanctum, Inc.