S.A.F.E.: Speed, Accuracy, Flexibility and Efficiency

As the leading security scanning and testing tool, AppScan delivers an unparalleled combination of the benefits that matter most: speed, accuracy, flexibility and efficiency. Its features and performance make it a powerful tool in the hands of both security novices and experts. Intuitive User Interface—AppScan's user interface makes it easy to setup, configure, and run tests. Likewise, analyzing results and generating reports can be done simply and quickly within AppScan's UI. Contextual Help—No matter where you are in AppScan or what you are doing with it, AppScan provides context-sensitive tips, descriptions, and guides that assist you. Business Process Record and Play—AppScan 3.5 enables users to target specific business processes for one-time tests or as a part of regression testing during development. One-Click Update—One-Click Update automatically updates AppScan with the latest security vulnerabilities and security testing technology with one click of the mouse. Updates are available 24 hours a day, 7 days a week. Scan Scheduling—Schedule one-time, regular, and concurrent tests directly from the user interface, from the command line, or from external test scripts. Transient Management System—Creating and maintaining a session is a fundamental function of any web application. Testing tools have historically had trouble managing transients like cookies and URL parameters that are used for state management and session tracking. AppScan's Transient Management System automates the transient detection, management, and modification process so that exploring and testing can occur within stateful environments. Exposed Proxy—Exploring and testing of applications isn't restricted to HTML browsers. With AppScan, users can explore and test applications through AppScan using any client, not only HTML browsers. Client Side Logic—Nearly every site and application use JavaScript. Traditionally, client-side logic has represented a "blind spot" for application scanners and testing tools. AppScan 3.5 now automatically explores and parses JavaScript, tests embedded links, and identifies potentially dangerous comments and uses of parameters in JavaScript. Custom Error Page Recognition—Custom error pages can be a source of an enormous number of false positive results unless the scanning tool can recognize them. Unlike other testing tools that require the user to write rules to detect error pages, AppScan automatically recognizes both standard 404 and custom error pages out of the box.

Site Smart: Automated Behavioral Detection and Precision Testing

AppScan tests for Web application vulnerabilities automatically and produces minimal false positive and false negative results. Patented Policy Recognition Engine—In order to deliver accurate results, AppScan first learns the business logic and structure as it explores the application. It then creates custom tests that are designed to identify security defects and vulnerabilities in the application's logic and structure. SiteSmart Testing System—Once AppScan has created the custom tests, it sends these tests up to ten at a time to the application. Each response from the application is then parsed and validated automatically by AppScan to identify the responses that indicate vulnerabilities and the severity of every vulnerability detected. Comprehensive Knowledge Database—AppScan's knowledge database contains the information that is combined with vulnerable test results so that an auditor, administrator, tester, or developer can quickly locate and patch or fix the defect or vulnerability. The database is updated continually. Code Sanitation and Content Review—AppScan gathers and presents a comprehensive view of information about the application that affects its security but cannot be tested directly. One such example is comments in the source code left behind by developers. AppScan collects, organizes, and displays this information for users to review and incorporate into their plan for tightening the security of the application. Custom Rule Definitions defined by user—While AppScan creates and customizes tests automatically, users can create their own tests using the Custom Rule Definitions. This is a useful feature for users that must define and run a very specific test against the application. Supports Client-Side Certificates, SSL, and NTLM—For applications that require authentication prior to use, AppScan automatically authenticates using certificates, SSL, and NTLM. Settings and options are managed from within the AppScan UI. Precision Filters enable users to avoid wasting scan time and cycles by precisely defining the scope and depth of every scan—Controlling what the AppScan automatically explores and how it tests is easy with the many filters and configuration options during setup.

Actionable Results

Interactive "Index Cards"—In order to understand and fix security defects and vulnerabilities, auditors, testers, and developers need a wide variety of information relating to the vulnerability, the tests run, and the recommended fix. AppScan users find all of this information and more in AppScan's Interactive Vulnerability Index Cards. Traffic Logging—If an AppScan user wants to investigate further the details of a vulnerability, he/she can open and analyze a traffic log that contains every transaction detail between AppScan and the application Custom Reports—Getting the right results in the right format to the right person or people is why AppScan is a valuable tool at the end of the day. Once testing is complete, AppScan users can build and customize (add logos, edit results, insert comments etc.) executive summary and detailed reports quickly and easily. Furthermore, results can be exported in standard formats like CSV and Crystal Reports for further analysis, reporting, and tracking. Online/Offline Results Analysis and Reporting—AppScan users don't have to be online in order to review results or generate reports.