- Where does AppScan install in my IT environment?
- Which platforms does AppScan run on?
- How does AppScan Explore my application?
- How does AppScan Test my application?
- How does AppScan communicate results to me about my test?
- How does AppScan 3.5 handle JavaScript?
- How can I create custom rules with AppScan?
- What's the difference between safe and unsafe tests?
- I make heavy use of encryption in my site. Do I still need AppScan?
- Is AppScan a type of network security scanner? How does it compare to some of the popular network scanners?
- What information does AppScan provide to the user when it finds a vulnerability?
- What are the minimum system requirements to install AppScan?

Where does AppScan install in my IT environment?
AppScan 3.5 is a standalone Windows 2000 application. As a result, it can be installed on any network compatible Windows 2000 Professional machine and run against a site from within or outside of a network firewall.

Which platforms does AppScan run on?
AppScan 3.5 runs on Microsoft Windows 2000.

How does AppScan Explore my application?
The purpose of the Explore stage is to learn the behavior and structure of the application so that the tests AppScan creates and customizes are extremely effective at identifying all potential vulnerabilities. In automatic mode, AppScan behaves like a user and rapidly visits every page of your site except those filtered out by configuration settings. For each page it visits, it analyzes the application's handling of the HTTP requests and responses. In the process, it detects potential vulnerabilities in forms, HTML code, links embedded in JavaScript, and CGIs. Once the Explore stage is complete, AppScan has created an extensive battery of custom tests that it will run against the site to determine the location and severity of actual vulnerabilities.

How does AppScan Test my application?
AppScan's tests are designed to find security defects in the application code itself and in the underlying technologies that support it. Each test is created and customized automatically by AppScan before it is sent to the application. When the application responds to a test, AppScan's Expert Security System quickly and precisely analyzes the response to determine if it indicates a vulnerability or not. In addition, every response is categorized and rated automatically based on the likelihood that it is a vulnerability and the level of risk associated with the vulnerability.

How does AppScan communicate results to me about my test?
Communicating the right results to the right people is an extremely important step in the application security testing and assessment process. AppScan provides a wide variety of ways in which results can be analyzed, reported, and communicated. You can view the results of every test in a variety of formats. AppScan's interactive results panel and vulnerability index cards provide results in an interactive format that enables you to drill down from high level summary statistics to the granular details of every test including fix recommendations. Alternatively, you can generate summary reports for executives or detailed reports for developers. You can also export test results to third party tools for additional analysis and tracking. In addition to the interactive results and reports, another valuable source of information about the tests is AppScan's traffic log. In the traffic log, users will find an exact record of every component of every AppScan request and the same details for each response from the application including header, cookie, script, and URL information.

How does AppScan 3.5 handle JavaScript?
Nearly every site today uses JavaScript to enhance client-side functionality. Until now, there hasn't been a testing tool that could explore JavaScript, identify potentially dangerous content, and test the links embedded in it. This problem is solved with AppScan 3.5.
AppScan can now parse JavaScript and test any and all of the areas of the application that are accessible through it. This means users no longer have to remember to test JavaScript links manually but can rely on AppScan to do this automatically. Results no longer contain client-side logic "blind spots".
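The Explore stage described earlier, together with the JavaScript link discovery described in this question, modelled as code. This is an added example, not AppScan's or Sanctum's implementation: it crawls a small constructed in-memory site (the SITE dictionary and the example.test hostname are invented for the example), extracts anchor links, forms with their hidden and visible fields, and absolute-path URLs embedded in inline JavaScript, and builds the inventory of test points that a test stage would work from. URL paths matching the exclude patterns are skipped, as pages filtered by configuration settings would be.

```python
"""Model of a DAST explore stage: crawl an in-memory site and inventory links,
forms (hidden and visible fields) and URLs embedded in inline JavaScript.
Added illustrative code, not AppScan's implementation; SITE is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample site: "path?query" -> HTML body, standing in for live responses.
SITE = {
    "/": """<a href="/catalog?cat=books">Books</a>
            <a href="/admin/debug">debug</a>
            <script>
              function go(x) { window.location = '/search?q=' + encodeURIComponent(x); }
              var profile = "/account/profile?id=42";
            </script>""",
    "/catalog?cat=books": """<form action="/cart/add" method="post">
              <input type="hidden" name="item" value="1001">
              <input type="hidden" name="price" value="19.99">
              <input type="text" name="qty" value="1">
              <input type="submit" value="Add">
            </form>""",
    "/search?q=": "<p>no results</p>",
    "/account/profile?id=42": "<p>profile</p>",
    "/cart/add": "<p>added</p>",
    "/admin/debug": "<p>debug console</p>",
}

# Absolute-path string literals inside script text: the links a crawler that
# ignores JavaScript never sees.
JS_URL_RE = re.compile(r"""['"](/[A-Za-z0-9_./?=&%-]*)['"]""")


class PageParser(HTMLParser):
    """Collect <a href>, <form> definitions and inline <script> text."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.scripts = [], [], []
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "params": {}}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["params"][a["name"]] = a.get("type") or "text"
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site."""
    u = urlparse(url)
    return SITE.get(u.path + ("?" + u.query if u.query else ""), "")


def explore(start, exclude=()):
    """Breadth-first explore from `start`. Returns {url: {parameter: source}},
    the inventory of test points; URL paths matching any `exclude` regex are
    skipped, like pages filtered by scan configuration."""
    points, queue, seen = {}, [start], set()
    while queue:
        url = queue.pop(0)
        path = urlparse(url).path
        if url in seen or any(re.search(p, path) for p in exclude):
            continue
        seen.add(url)
        # Every query-string parameter on the URL itself is a test point.
        query = parse_qs(urlparse(url).query, keep_blank_values=True)
        points.setdefault(url, {}).update({k: "query" for k in query})
        parser = PageParser()
        parser.feed(fetch(url))
        targets = list(parser.links)
        for script in parser.scripts:
            targets.extend(JS_URL_RE.findall(script))
        for form in parser.forms:
            action = urljoin(url, form["action"])
            # Hidden fields are recorded alongside visible ones: the test stage
            # treats both as client-controlled input.
            points.setdefault(action, {}).update(
                {k: "form-" + t for k, t in form["params"].items()})
            targets.append(action)
        queue.extend(urljoin(url, t) for t in targets)
    return points


if __name__ == "__main__":
    for url, params in explore("http://example.test/", exclude=(r"^/admin",)).items():
        print(url, params)
```

Without JS_URL_RE the /search and /account/profile endpoints would never appear in the inventory, which is the "blind spot" the question refers to; with the exclude pattern the /admin path is left alone, which is how a scan configuration keeps a crawler away from pages that must not be exercised.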

How can I create custom rules with AppScan?
Custom rules complement the rules generated automatically by AppScan during the Explore stage. In combination, custom and automatic rules enable the AppScan user to produce results that are relevant, accurate and comprehensive.
Because most of the knowledge required to test application security effectively is already built into AppScan, users do not have to spend much time writing custom rules. Nevertheless, AppScan makes it easy for users to define custom rules with which to test an application. These rules can be used to test for specific kinds of parameter tampering, for policy non-compliance (such as unencrypted passwords or credit card information), and for recently announced known vulnerabilities.
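One shape a custom policy rule of the kind just described could take, run over traffic-log records like those the results question describes (request and response captured in full): it flags passwords and Luhn-valid card numbers travelling over plain HTTP and gives each finding a severity and a confidence rating. This is an added example, not AppScan's rule language or log format; the Record class and the TRAFFIC_LOG entries are constructed for the example, and 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
"""A custom policy rule run over traffic-log records: flag passwords and
Luhn-valid card numbers carried over plain HTTP, and rate each finding.
Added example; the Record shape and TRAFFIC_LOG entries are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class Record:
    """One traffic-log entry: the request as sent and the response as received."""
    method: str
    url: str
    request_body: str
    response_body: str


# Constructed log. 4111 1111 1111 1111 is a standard test card number.
TRAFFIC_LOG = [
    Record("POST", "http://shop.example.test/login",
           "user=alice&password=hunter2", "<p>welcome</p>"),
    Record("GET", "http://shop.example.test/receipt?order=77",
           "", "<p>Paid with card 4111 1111 1111 1111</p>"),
    Record("GET", "http://shop.example.test/receipt?order=78",
           "", "<p>Order reference 1234 5678 9012 3456</p>"),
    Record("POST", "https://shop.example.test/login",
           "user=bob&password=secret", "<p>welcome</p>"),
]

PASSWORD_FIELDS = {"password", "passwd", "pwd"}
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check-digit validation; removes most false positives on long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return card-number candidates in `text` that pass the Luhn check."""
    return [m.group(0) for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]


def check_record(rec):
    """Apply the rule to one record. Each finding carries a severity (risk)
    and a confidence (likelihood that it is a real issue)."""
    findings = []
    parsed = urlparse(rec.url)
    if parsed.scheme == "https":
        return findings  # the rule concerns unencrypted transport only
    names = list(parse_qs(parsed.query)) + list(parse_qs(rec.request_body))
    for name in names:
        if name.lower() in PASSWORD_FIELDS:
            findings.append({"rule": "cleartext-password", "url": rec.url,
                             "param": name, "severity": "high", "confidence": "high"})
    for where, text in (("request", rec.request_body), ("response", rec.response_body)):
        for card in find_cards(text):
            digits = re.sub(r"\D", "", card)
            # Store only a masked value; the report itself must not leak the number.
            findings.append({"rule": "cleartext-card-number", "url": rec.url,
                             "where": where, "value": digits[:4] + "..." + digits[-4:],
                             "severity": "high", "confidence": "medium"})
    return findings


def scan_log(records):
    """Run the rule over every record and collect the findings."""
    return [f for r in records for f in check_record(r)]


if __name__ == "__main__":
    for f in scan_log(TRAFFIC_LOG):
        print(f)
```

The card-number finding is rated medium confidence because a digit string that passes Luhn may still be an order or account reference, which is the kind of judgement the rating is meant to carry; the HTTPS login is skipped because the policy is about transport, not about the presence of a password field as such.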

What's the difference between safe and unsafe tests?
Safe tests can be run against a site with very little chance of compromising its stability. In contrast, unsafe tests run the very real risk of materially degrading a site's performance or, in some cases, taking it offline.

I make heavy use of encryption in my site. Do I still need AppScan?
Encryption and AppScan are complementary. With certain types of encryption in place, web site administrators can be reasonably sure that data passing from or to the site cannot be intercepted and used for malicious purposes. Likewise, web site administrators can store data in encrypted form so that if accessed directly, this information is indecipherable and useless. However, many web application vulnerabilities stem from flaws in application logic rather than in the openness of the communication between user and site. As a result, encryption is insufficient to prevent the effective exploitation of most application vulnerabilities. AppScan on the other hand, is a product designed to assess the security of the logic built into the application behavior. With both systems in place, a web site can rest assured that the odds of a successful hack have been substantially lowered.

Is AppScan a type of network security scanner? How does it compare to some of the popular network scanners?
Although AppScan and traditional security scanners perform some of the same tasks, AppScan is different from these tools because it analyzes the behavior of the actual web application and the vulnerabilities it finds. AppScan exposes security loopholes (such as parameter tampering, forceful browsing, cross-site scripting and hidden field manipulation) that occur in the application code and within widely used third-party products. Network scanners can identify buffer overflow vulnerabilities at the network level, but only AppScan will find these and others at the application level. Unlike traditional network scanners, AppScan dynamically scans the application by analyzing the outbound HTML pages on the fly as they will be seen by the legitimate user and the unscrupulous hacker. The result is a comprehensive evaluation of a web application's vulnerability to attack. Once the assessment is complete, AppScan provides customized reports that include actionable recommendations for how to address known and unknown vulnerabilities.

What information does AppScan provide to the user when it finds a vulnerability?
At the end of the day, AppScan's value is driven by how quickly and effectively it finds and enables the fix of web application security defects. AppScan finds both known (CWV) and unknown (ASV) vulnerabilities in the application. CWVs originate in the software that supports the web site and its applications, and also result from improper configuration of this software once it is installed on a site. AppScan's advisories for CWVs contain CVE and Bugtraq reference numbers and hyperlinks to more detailed information. In contrast to CWVs, ASVs are the product of the application development process: they emerge during the design and coding of the application and are by definition unique to it. The following are the types of ASVs for which AppScan tests and provides results:
- Cross-site Scripting
- Parameter Tampering
- Hidden Field Manipulation
- Backdoors and Debug Options
- Stealth Commanding
- Forceful Browsing
- Application Buffer Overflow
- Cookie Poisoning
- HTTP Attacks
- SQL injection
- Suspicious Content
Since these are vulnerabilities that can be eliminated during the application development process, AppScan provides all of the information a tester or developer needs to locate, understand, and fix the ASVs in the code quickly and effectively.
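Hidden Field Manipulation and Parameter Tampering from the list above, shown as a checkout handler that trusts a hidden price field beside a hardened one, which is the kind of fix a developer acting on such a finding would make. This is an added illustration, not code from AppScan or from any product the page describes; CATALOG, MAX_QTY and the form dictionaries are constructed for the example.

```python
"""Hidden Field Manipulation / Parameter Tampering: a checkout handler that
trusts a hidden price field, beside a hardened one. Added illustration; the
CATALOG, MAX_QTY and form dictionaries are constructed for the example."""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {"1001": Decimal("19.99"), "1002": Decimal("249.00")}
MAX_QTY = 10


class TamperedRequest(ValueError):
    """Raised when a request parameter fails validation; callers log it."""


def checkout_vulnerable(form):
    """Trusts the posted form wholesale. The hidden 'price' field was
    written by the server, but the client can send back any value."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """Treats every parameter as untrusted input: the item must exist, the
    price comes only from the catalog, the quantity is bounded, and a posted
    price that disagrees with the catalog is reported as tampering."""
    item = form.get("item")
    if item not in CATALOG:
        raise TamperedRequest(f"unknown item {item!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("non-numeric quantity") from None
    if not 1 <= qty <= MAX_QTY:
        raise TamperedRequest(f"quantity {qty} out of range 1..{MAX_QTY}")
    price = CATALOG[item]
    if "price" in form:
        try:
            posted = Decimal(form["price"])
        except InvalidOperation:
            raise TamperedRequest("non-numeric price") from None
        if posted != price:
            raise TamperedRequest(f"posted price {posted} != catalog price {price}")
    return price * qty


def compare(form):
    """Run both handlers on the same form; returns (vulnerable_total, hardened_result)."""
    try:
        hardened = checkout_hardened(form)
    except TamperedRequest as e:
        hardened = f"rejected: {e}"
    return checkout_vulnerable(form), hardened


if __name__ == "__main__":
    legit = {"item": "1001", "price": "19.99", "qty": "2"}
    tampered = {"item": "1001", "price": "0.01", "qty": "2"}
    print(compare(legit))
    print(compare(tampered))
```

The hardened handler keeps accepting the hidden field only so that a mismatch can be detected and logged; the cleaner design is not to send the price to the client at all and to look it up by item id on the server, which removes the field the vulnerability depends on.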

What are the minimum system requirements to install AppScan?
Minimum System & Software Requirements:
- Computer: Pentium III PC, 500 MHz (800 MHz recommended)
- Operating System: Windows 2000 with SP2 or higher & XP
- RAM: 512 MB (1 GB recommended for large sites)
- Network: one 10/100 Mbps NIC with TCP/IP configured (100 Mbps recommended)
- Disk Space: 1 GB
- Internet Explorer 5.5 or 6.x (You can install AppScan without this application, but you will have to install it before you can run AppScan.)

AppShield, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.