AppScan FAQs—Product Overview

  1. What business problem does AppScan solve?
  2. What makes AppScan the right choice of application security assessment and testing tools for my organization?
  3. Who benefits from using AppScan?
  4. What are the Key Features of AppScan 3.5?
  5. Describe the strength of AppScan 3.5's automation and customization features.
  6. Can AppScan 3.5 support non-browser clients?
  7. Can I save and share scan types and session data?
  8. Does AppScan 3.5 support web services?
  9. What is AppScan 3.5's Transient Management System?
  10. How does AppScan's intelligent refinement process reduce false positive results?
  11. What is the Business Process (use case) Record and Play?
  12. Can I schedule a scan?
  13. What types of hacks does AppScan test for?
 
What business problem does AppScan solve?
 

Today, web application security is addressed at the last and most expensive stage of the application lifecycle - deployment. While security audits are a valuable and necessary component of enterprise security, companies must do more to improve application quality and security prior to deployment. A study by IBM's System Sciences Institute found that the relative cost of fixing defects after deployment is almost seven times greater than detecting and eliminating them during testing. This figure does not include the potentially devastating business impact of a security defect in production. As a result, enterprises must drive security through the application lifecycle to improve application development ROI and reduce business risk.

Sanctum's AppScan provides automatic Web application security testing to improve application development ROI and mitigate business risk. AppScan integrates seamlessly into any testing or audit environment to drive behavioral detection and precision testing throughout the application lifecycle. Through its 'Site Smart' technology, AppScan learns the unique behavior of each Web application and delivers the widest array of attack variants to test and validate vulnerabilities, including all application-specific and common web vulnerabilities, and tests for web services technologies such as .Net.

AppScan was initially conceived and developed as an in-house application assessment tool. In June of 2000, the first commercially available version of AppScan was released. The latest version, AppScan 3.5, was released on September 30th, 2002.


 
What makes AppScan the right choice of application security assessment and testing tools for my organization?
 

Comprehensive and Trusted Results
One of AppScan's core strengths is that it finds and tests both Common Web Vulnerabilities (CWVs) found in 3rd party software and Application Specific Vulnerabilities (ASVs) that are the product of defects in a specific application's business logic. Years ago, Sanctum recognized that an assessment tool's accuracy is not only a function of the CWVs in the database but also how it automatically adapts its methods and tests to the specifics of the site and how reliably it analyzes responses from the site. AppScan's comprehensive knowledgebase, its site-smart system of exploring and customizing tests to the specifics of a site, and its expert response analysis system ensure that it finds the most vulnerabilities within a site with the fewest number of false positive results. This results in the most comprehensive results and in results that can be trusted.

The right fit for all stages in the application lifecycle
Application developers and testers use features like Business Process Record and Play to detect the security defects lurking in their code early in the process. QA engineers use AppScan's scriptable execution capability to integrate automatic security testing and vulnerability assessment into comprehensive test plans and scripts. Security teams and auditors (external/internal) rely on AppScan's speed, the scope and accuracy of its results, and the custom reporting to identify and communicate the location, severity, and fix recommendations for all vulnerabilities (both CWVs and ASVs) found on the site.

Simple to Learn and Use
AppScan's power, automation, and intuitive user interface make it extremely easy to learn and to use. In turn, this makes it possible not only to become proficient at generating actionable results in a short period of time, but also to distribute the task of vulnerability assessment to people from a wide variety of backgrounds and skill sets if needed. This flexibility ensures that novices and experts can participate in the vulnerability assessment and remediation process rather than this process remaining the exclusive domain of web application security experts.

Actionable Results and Reports
AppScan generates results and reports that contain all of the information needed to locate the vulnerability, learn about it, and quickly implement a fix.


 
Who benefits from AppScan?
 

Application Developers and Testers
Instead of searching for security defects manually, developers and testers use AppScan 3.5 to detect security defects automatically as an integrated component of enterprise development and testing processes. AppScan automates the test script creation, modification, and maintenance process and ensures reliable and repeatable testing. After it runs these tests, AppScan's analytical tools and reporting functions simplify result communications with developers. By reducing the number of development cycles and associated downtime caused by security defects found in production, secure applications are deployed faster for less money and the enterprise dramatically improves the utilization of QA and development resources.

Internal and External Auditors
For applications in production, auditors face the considerable challenge of producing accurate and comprehensive security assessments quickly. AppScan has been part of the auditor's toolkit for years, solving this problem. Powered by its patented Dynamic Policy Recognition Engine, AppScan's behavioral detection and precision testing processes automatically learn the application's logic and structure and build custom test scenarios to run against it. AppScan reliably detects the broadest array of application vulnerabilities with minimal false positives and false negatives. Not only is AppScan highly accurate, it is also fast: it uses multiple threads to explore and test applications, which cuts test time dramatically. Auditors can run multiple assessments simultaneously to save further time. Using AppScan, the auditor can focus more time and resources on the resolution of security vulnerabilities rather than on their detection.


 
What are the Key Features of AppScan 3.5?
 
S.A.F.E.: Speed, Accuracy, Flexibility and Efficiency

As the leading security scanning and testing tool, AppScan delivers an unparalleled combination of the benefits that matter most: speed, accuracy, flexibility and efficiency. Its features and performance make it a powerful tool in the hands of both security novices and experts.

  • Intuitive User Interface—AppScan's user interface makes it easy to setup, configure, and run tests. Likewise, analyzing results and generating reports can be done simply and quickly within AppScan's UI.
  • Contextual Help—No matter where you are in AppScan or what you are doing with it, AppScan provides context-sensitive tips, descriptions, and guides that assist you
  • Business Process Record and Play—AppScan 3.5 enables users to target specific business processes for one-time tests or as a part of regression testing during development
  • Scan Scheduling—Schedule one-time, regular, and concurrent tests directly from the user interface, from the command line, or from external test scripts
  • Transient Management System—Creating and maintaining a session is a fundamental function of any web application. Testing tools have historically had trouble managing transients like cookies and URL parameters that are used for state management and session tracking. AppScan's Transient Management System automates the transient detection, management, and modification process so that exploring and testing can occur within stateful environments
  • Exposed Proxy—Exploring and testing of applications isn't restricted to HTML browsers. With AppScan, users can explore and test applications through AppScan using any client, not only HTML browsers
  • Client Side Logic—Nearly every site and application uses JavaScript. Traditionally, client-side logic has represented a "blind spot" for application scanners and testing tools. AppScan 3.5 now automatically explores and parses JavaScript, tests embedded links, and identifies potentially dangerous comments and uses of parameters in JavaScript
  • Custom Error Page Recognition—Custom error pages can be a source of an enormous number of false positive results unless the scanning tool can recognize them. Unlike other testing tools that require the user to write rules to detect error pages, AppScan automatically recognizes both standard 404 and custom error pages out of the box

Site Smart: Automated Behavioral Detection and Precision Testing

AppScan tests for Web application vulnerabilities automatically and produces minimal false positive and false negative results.

  • Patented Policy Recognition Engine—In order to deliver accurate results, AppScan first learns the business logic and structure as it explores the application. It then creates custom tests that are designed to identify security defects and vulnerabilities in the application's logic and structure
  • SiteSmart Testing System—Once AppScan has created the custom tests, it sends these tests up to ten at a time to the application. Each response from the application is then parsed and validated automatically by AppScan to identify the responses that indicate vulnerabilities and the severity of every vulnerability detected
  • Comprehensive Knowledge Database—AppScan's knowledge database contains the information that is combined with vulnerable test results so that an auditor, administrator, tester, or developer can quickly locate and patch or fix the defect or vulnerability. The database is updated continually
  • Code Sanitation and Content Review—AppScan gathers and presents a comprehensive view of information about the application that affects its security but cannot be tested directly. One such example is comments in the source code left behind by developers. AppScan collects, organizes, and displays this information for users to review and incorporate into their plan for tightening the security of the application
  • Custom Rule Definitions defined by user—While AppScan creates and customizes tests automatically, users can create their own tests using the Custom Rule Definitions. This is a useful feature for users who must define and run a very specific test against the application
  • Supports Client-Side Certificates, SSL, and NTLM—For applications that require authentication prior to use, AppScan automatically authenticates using certificates, SSL, and NTLM. Settings and options are managed from within the AppScan UI
  • Precision Filters enable users to avoid wasting scan time and cycles by precisely defining the scope and depth of every scan—Controlling what AppScan automatically explores and how it tests is easy with the many filters and configuration options available during setup

Actionable Results

  • Interactive "Index Cards"—In order to understand and fix security defects and vulnerabilities, auditors, testers, and developers need a wide variety of information relating to the vulnerability, the tests run, and the recommended fix. AppScan users find all of this information and more in AppScan's Interactive Vulnerability Index Cards
  • Traffic Logging—If an AppScan user wants to investigate further the details of a vulnerability, he/she can open and analyze a traffic log that contains every transaction detail between AppScan and the application
  • Custom Reports—Getting the right results in the right format to the right person or people is why AppScan is a valuable tool at the end of the day. Once testing is complete, AppScan users can build and customize (add logos, edit results, insert comments etc.) executive summary and detailed reports quickly and easily. Furthermore, results can be exported in standard formats like CSV and Crystal Reports for further analysis, reporting, and tracking
  • Online/Offline Results Analysis and Reporting—AppScan users don't have to be online in order to review results or generate reports


 
Describe the strength of AppScan 3.5's automation and customization features.
 

AppScan can automatically explore an entire test site unassisted. A user can configure AppScan to narrow the scope or depth of the scan precisely in order to reduce unnecessary scanning. The user can define which types of attacks to execute and whether to perform them automatically or manually. Using input from its Expert Security Testing System, AppScan automatically assigns severity and success ratings for tested attacks and provides expert advice for fixing the vulnerabilities. The preconfigured reports are automatically generated in both textual and graphical format, and can be customized to reflect the expertise and information needs of the user - high-level analysis for the executive summary, technical details for security experts and recommended code fixes for QA and developers. In short, AppScan's automation and customization features combine power and speed with flexibility and control. This unparalleled combination empowers the user to complete more accurate and comprehensive web application security assessments in a fraction of the time it would take to do the same assessment manually.


 
Can AppScan 3.5 support non-browser clients?
 

The purpose of the explore stage is to learn the behavior and structure of the application so that the tests AppScan creates and customizes are extremely effective at identifying all potential vulnerabilities. When in automatic mode, AppScan behaves like a user and rapidly visits every page of your site, except for those filtered out by configuration settings. For each page it visits, it analyzes the application's handling of the HTTP requests and responses. In the process, it detects potential vulnerabilities in the forms, HTML code, links embedded in JavaScript, and CGIs. Once the explore stage is complete, AppScan has created an extensive battery of custom tests that it will run against the site to determine the location and severity of actual vulnerabilities.


 
Can I save and share scan types and session data?
 

AppScan's collaborative scan utilities enable a user to save and share scan types and session data. As a result, one user can perform the initial scan of a site and a second user can then perform the exact same scan going forward. Likewise, session data can be shared among AppScan users to further facilitate collaborative application assessments. In addition to sharing information, the ability to archive and recall scan types and session data lets users perform longitudinal assessments, also known as regression tests, to measure changes in an application's or site's security over time.


 
Does AppScan 3.5 support web services?
 

AppScan 3.5 contains a wide variety of tests for web services platforms and technologies like .NET and Oracle Application Server. As adoption of web services grows, Sanctum is adding to AppScan's web services testing capabilities through regular subscription updates.


 
What is AppScan 3.5's Transient Management System?
 

Transients are what applications use to create and maintain sessions with the user. Transients can disrupt automated testing tools and limit their effectiveness if the testing tool does not manage them properly. AppScan's transient management system is not new to 3.5; however, it is a feature of increasing importance. As AppScan explores and tests an application or a site, this system stores, tracks, and modifies the transients in cookies or URL parameters that allow the application being tested to maintain state through the entire session. Within the context of application testing or auditing, AppScan's ability to manage transients automatically in this way increases the consistency and accuracy of its results. In addition, it allows users to re-run tests later without having to start the process over from the beginning.
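As an added illustration of what a transient management system has to do (example code, not Sanctum's), the snippet below captures the session cookie and the session-like URL parameter that a constructed login response hands back, then re-applies them to a request recorded in an earlier session so the replay stays inside the current one. The hostname, parameter names and HTTP headers are assumptions of the example.

```python
"""Transient tracking for a stateful automated web scan.

Added illustration, not Sanctum's code: it models the idea described above,
that cookies and URL parameters used for state must be captured from
responses and re-applied to later requests so that a scan, or a later replay
of it, stays inside one valid session. All hostnames, parameter names and
HTTP headers below are constructed for the example.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class TransientTracker:
    """Holds the current value of every session transient seen so far."""

    def __init__(self, transient_params=("sessionid", "sid", "token")):
        self.cookies = {}          # cookie name -> latest value
        self.url_transients = {}   # query parameter name -> latest value
        self.transient_params = {p.lower() for p in transient_params}

    def observe(self, response_headers, served_url):
        """Record transients from one response: every Set-Cookie header and
        any session-like query parameter in the URL that was actually served
        (for example the Location a login redirected to)."""
        for name, value in response_headers:
            if name.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for cookie_name, morsel in jar.items():
                    self.cookies[cookie_name] = morsel.value
        for key, value in parse_qsl(urlsplit(served_url).query, keep_blank_values=True):
            if key.lower() in self.transient_params:
                self.url_transients[key] = value

    def prepare(self, recorded_url):
        """Rewrite a URL captured during explore so that stale session
        parameters carry the current values, and build the Cookie header."""
        parts = urlsplit(recorded_url)
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        for key, value in self.url_transients.items():
            if key in query:       # refresh only transients the request carries
                query[key] = value
        url = urlunsplit(parts._replace(query=urlencode(query)))
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return url, headers


def replay_recorded_request():
    """Constructed scenario: a fresh login sets a new cookie and redirects to a
    URL carrying a new sessionid; a request recorded in an earlier session is
    then replayed with the current transients instead of the stale ones."""
    tracker = TransientTracker()
    login_headers = [
        ("Set-Cookie", "JSESSIONID=NEW222; Path=/; HttpOnly; Secure"),
        ("Location", "/home?sessionid=NEW333"),
    ]
    tracker.observe(login_headers, "http://app.example/home?sessionid=NEW333")
    return tracker.prepare("http://app.example/account?view=summary&sessionid=OLD111")


if __name__ == "__main__":
    print(replay_recorded_request())
```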


 
How does AppScan's intelligent refinement process reduce false positive results?
 

AppScan effectively limits false positive results so that users can trust the quality of AppScan's output. First, AppScan's intelligent refinement process applies 'intelligence' from the Expert Security System to analyze groups of similar test results and determine their success rating in the post-test stage. For example, if multiple attacks return the AppShield "Secure by Sanctum" page, the AppScan Expert System recognizes the pattern, concludes that the application has a defense mechanism (or shield) in front of it, and groups those results as "Not Vulnerable".
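The custom error page recognition listed among the key features and the grouping described here rest on the same step: classifying each response by its content before rating the test. The following added example (not Sanctum's code) shows one way to do that over constructed pages; the Jaccard similarity, the 0.8 threshold and the sample pages are assumptions of the example, and the "Secure by Sanctum" block page is modelled only by its visible text.

```python
"""Signature-based recognition of error and shield pages to cut false positives.

Added illustration, not Sanctum's code. It models two ideas from the FAQ: telling
a custom error page (or a "Secure by Sanctum" block page) apart by its content
rather than its status code, then rating every test whose response matches such a
signature as Not Vulnerable. The Jaccard measure, threshold and pages are constructed.
"""
import re
from collections import defaultdict

_TAG = re.compile(r"<[^>]+>")
_WORD = re.compile(r"[a-z0-9]+")


def tokens(body):
    """Strip markup and reduce a page body to its set of lower-case words."""
    return set(_WORD.findall(_TAG.sub(" ", body).lower()))


def similarity(a, b):
    """Jaccard similarity of two token sets (1.0 means identical)."""
    return len(a & b) / len(a | b) if a or b else 1.0


class ResponseClassifier:
    def __init__(self, error_page_body, shield_body=None, threshold=0.8):
        # error_page_body: the answer to a path that cannot exist (soft-404 baseline)
        self.error_sig = tokens(error_page_body)
        self.shield_sig = tokens(shield_body) if shield_body else None
        self.threshold = threshold

    def classify(self, status, body):
        t = tokens(body)
        if self.shield_sig and similarity(t, self.shield_sig) >= self.threshold:
            return "blocked"      # a defence mechanism answered, not the app
        if status == 404 or similarity(t, self.error_sig) >= self.threshold:
            return "error-page"   # custom error page, even when served as 200
        return "review"           # genuinely different behaviour: look closer


def refine(results, classifier):
    """Group (test_id, status, body) results by response class and rate each
    test; the blocked and error-page groups are rated Not Vulnerable."""
    groups = defaultdict(list)
    for test_id, status, body in results:
        groups[classifier.classify(status, body)].append(test_id)
    rating = {"blocked": "Not Vulnerable", "error-page": "Not Vulnerable"}
    return {tid: rating.get(label, "Needs review")
            for label, ids in groups.items() for tid in ids}


# Constructed sample pages and test results.
ERROR_PAGE = ("<html><head><title>Oops</title></head><body><h1>Page not found</h1>"
              "<p>The page you requested could not be found.</p><a href='/'>Home</a></body></html>")
SHIELD_PAGE = ("<html><head><title>Secure by Sanctum</title></head>"
               "<body>Secure by Sanctum. This request was blocked by AppShield.</body></html>")
SAMPLE_RESULTS = [
    ("t1", 200, SHIELD_PAGE),
    ("t2", 200, SHIELD_PAGE),
    ("t3", 200, ERROR_PAGE.replace("</p>", "</p><p>Reference 8841</p>", 1)),
    ("t4", 404, "<html><body>Not Found</body></html>"),
    ("t5", 200, "<html><body><h1>Account summary</h1><p>Balance 1250.00</p></body></html>"),
]


def demo():
    return refine(SAMPLE_RESULTS, ResponseClassifier(ERROR_PAGE, SHIELD_PAGE))
```

Only t5 survives to manual review; the shield answers and the soft-404 (served as 200 but recognised by content) are grouped out before anyone looks at them.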


 
What is the Business Process (use case) Record and Play?
 

Applications are typically designed to facilitate one or more key business processes. AppScan 3.5 lets users record and play back a specific business process, or a collection of business processes, for one-time testing or for regression testing as part of a test plan. These business processes are stored as XML, which makes them easy to modify, retest, and so on.


 
Can I schedule a scan?
 

Scan Scheduling is a powerful feature that enables users to trigger scans to run at the optimal times of the day or week. With AppScan 3.5 it is possible to schedule one or more scans to run from the Scheduler feature in the user interface. Scans can also be scheduled to run remotely from the command line of the computer on which AppScan is installed.


 
What types of hacks does AppScan test for?
 

AppScan explores applications looking for known and unknown vulnerabilities, as a hacker would. The following is a list of many of the vulnerabilities AppScan finds and tests for:

  • SQL Injection
  • Hidden Field Manipulation
  • Parameter Tampering
  • Stealth Commanding
  • Forceful Browsing
  • Backdoors and Debug Options
  • Cookie Poisoning
  • 3rd Party Misconfigurations
  • Cross-Site Scripting
  • Buffer Overflow
  • HTTP Attacks
  • Known Vulnerabilities (associated with CVEs)
  • Suspicious content


 
 
AppShield, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

© 2003 Sanctum, Inc.