- We have security policies and practices and have a firewall in place. Are we still exposed to application level hacking?
- What are the components in a typical eBusiness security solution?
- Skilled developers build our Web applications. Do we still have security exposures?
- My site uses encryption for all sensitive data. Do I still need AppScan?
- What types of hacks does AppScan test for?
- What is SQL Injection and does AppScan test for it?
- What is Cross-Site Scripting and does AppScan test for it?

We have security policies and practices and have a firewall in place. Are we still exposed to application level hacking?

Yes. Security policies, firewalls and encryption are not effective against application
level hacking. A hacker using a regular Web browser will easily pass through the firewall
and encryption and send requests to the application. These requests are one of three types:
- Legal requests, which the application recognizes and accepts
- Illegal requests, which the application recognizes and rejects
- Other
The third type is the most dangerous to the application because it represents a
gray area that hackers use to probe an application for security weaknesses. This gray
area is the reason why firewalls and policies are not enough to ensure protection.

What are the components in a typical eBusiness security solution?

Sanctum recognizes four layers of Internet security in a typical eBusiness environment:
- Desktop - anti-virus tools
- Transport - data transport protection mechanisms such as SSL, PKI and other encryption methods
- Network - network protection measures such as firewalls and intrusion detection
- Application - application level defenses such as access control and application firewalls. Also, today's site audits, which focus on the network level, will be augmented by application level audits.

Skilled developers build our Web applications. Do we still have security exposures?

It is imperative that programmers develop an awareness of, and proficiency in,
eliminating security defects during the design and development of Web applications.
This practice is proven to reduce security testing and patch costs downstream.
More importantly, secure code is one of the best defenses against getting hacked.
Nevertheless, without an automated unit testing tool, security defects inevitably make
it through this process and, if not detected prior to deployment, end up exposed
in production. AppScan DE integrates into the development process to verify that
the application validates data effectively, so that problems are solved early
in the process.

My site uses encryption for all sensitive data. Do I still need AppScan?

can be reasonably sure that data passing from or to the site cannot be intercepted and
used for malicious purposes. Likewise, web site administrators can store data in encrypted
form so that if accessed directly, this information is indecipherable and useless.
However, many web application vulnerabilities stem from flaws in application logic
rather than in the openness of the communication between user and site. As a result,
encryption is insufficient to prevent the effective exploitation of most application
vulnerabilities. AppScan DE, on the other hand, is a product designed to assess the
security of the logic built into the application's behavior. With both systems in place,
a web site can rest assured that the odds of a successful hack have been
substantially lowered.

What types of hacks does AppScan test for?

AppScan DE explores applications looking for vulnerabilities the way a hacker would.
Following is a list of many of the vulnerabilities AppScan DE finds and tests for:
- SQL Injection
- Hidden Field Manipulation
- Parameter Tampering
- Stealth Commanding
- Forceful Browsing
- Backdoors and Debug Options
- Cookie Poisoning
- Cross-Site Scripting
- Buffer Overflow
- HTTP Attacks
- Suspicious Content
The actual number of tests AppScan sends to an application depends on the logic and structure
of that application. In one example, on an application with 100 links, AppScan created
and sent over 4,000 different tests.

What is SQL Injection and does AppScan test for it?

Web applications commonly use SQL to add, edit, or retrieve data from a database.
If an application is not sufficiently protected, a hacker can inject SQL commands
into a form field and have the backend database execute them.
The destructive potential for this attack is enormous. SQL injection can enable a hacker to:
- Obtain any or all of the information stored in the database
- Erase records
- Bring down the database
AppScan DE runs a series of tests during a scan to determine whether the application
is vulnerable to SQL injection. It does this safely, ensuring that the integrity
of the database and its contents is not compromised.
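The mechanism described above, as an added example that is not Sanctum's or AppScan's code: the same login lookup written two ways against a constructed in-memory SQLite table (a stand-in for the backend database; the user names and passwords are hypothetical). The string-built version lets a quote character in a form field change the meaning of the statement, so a crafted password matches every row; the parameterized version sends the values separately from the SQL text and is unaffected by the same input.

```python
"""Added example, not Sanctum's or AppScan's code: a login lookup built two ways
against a constructed in-memory SQLite table, showing how form-field text can
alter a string-built query and why a parameterized query is not affected."""
import sqlite3


def make_db():
    """Constructed sample data: two user rows with hypothetical credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    """Form values are spliced into the SQL text, so the database parses
    whatever the user typed as part of the statement itself."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username, password):
    """Placeholders carry the values separately from the statement; the
    database never interprets them as SQL, whatever characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both lookups with a normal login and with a password field that
    contains a quote and an OR clause; return what each lookup matched."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed test input of the kind a scanner sends
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice", "s3cret"),
        "normal_safe": lookup_safe(conn, "alice", "s3cret"),
        # the vulnerable query becomes ... AND password = '' OR '1'='1' and
        # matches every user; the safe query compares the literal string
        "crafted_vulnerable": lookup_vulnerable(conn, "alice", crafted),
        "crafted_safe": lookup_safe(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point a scanner's "safe" testing relies on is visible here: the crafted value is a SELECT that returns extra rows rather than a statement that modifies data, so the check itself leaves the table untouched. In real code the fix is the parameterized form throughout, not filtering of quote characters.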

What is Cross-Site Scripting and does AppScan test for it?

A Cross-Site Scripting (XSS) attack is one in which an attacker lures a victim (a client of
a web site) into sending a maliciously crafted request to the vulnerable site. As a result,
the victim's browser executes malicious code (typically JavaScript) sent
by the attacker. This code can then send the attacker private information that
the victim uses with the vulnerable web site, such as account credentials, cookies,
and site-specific sensitive information. An XSS attack
is therefore an attack against the privacy of the victim, who is a client of the vulnerable
site. The attack does not run malicious code on the vulnerable web site; rather, it uses
the flaw in the web site to force the victim's browser to execute JavaScript (or a similar
language). It also means that the victim does not run malicious native code, but rather
JavaScript (or similar) code confined to the browser and to the context of the
vulnerable site. AppScan DE runs a complete series of tests against every application
to determine whether it is susceptible to this popular type of attack.
AppShield, AppScan, Policy Recognition, and Adaptive Reduction are trademarks of
Sanctum, Inc. All other product names referenced are the property
of their respective owners and are hereby acknowledged.