AppScan DE FAQs—Product Overview

  1. What is AppScan DE?
  2. With which IDEs does AppScan DE 1.7 integrate?
  3. I am working with another development environment. Can I use AppScan DE to test my application during development?
  4. Is there a command line interface so I can integrate AppScan DE into my IDE?
  5. What business problem does AppScan DE solve?
  6. Why is the AppScan Developer Edition 1.7 release significant?
  7. What are the key features in AppScan DE?
  8. Why is integration in IDEs so important for AppScan DE?
  9. What's the difference between AppScan and AppScan DE 1.7?
  10. How knowledgeable does the person using AppScan DE have to be?
  11. Does AppScan DE test many different types of Web applications or only those written for the Microsoft .NET Framework?
  12. What are the strengths of AppScan DE's customization and automation features?
  13. Why should security testing be done as a part of the application development process?
  14. What information does AppScan DE provide to the user when it finds a security defect?
  15. I already write scripts that check for data validation, do I need AppScan DE?
 
What is AppScan DE?
 

AppScan DE extends Sanctum's leadership across the development lifecycle helping enterprises to reduce costs and create reliable 'hacker resistant' applications in the development environment.

AppScan DE is an integrated, automated unit testing tool that enables rapid development of secure Web applications. Available either as a tool fully integrated into Visual Studio .NET or as a native plug-in for all major Java development environments, AppScan DE provides automated precision script creation and security unit testing, has the robust built-in intelligence to deliver comprehensive defect analysis, and offers 'developer centric' real-time, inline fix recommendations to help developers build secure, quality applications. As a result, secure applications are deployed faster for less money and the enterprise better optimizes the utilization of development resources.


 
With which IDEs does AppScan DE 1.7 integrate?
 

AppScan DE 1.7 is integrated with WebSphere v5; Eclipse 2.0/2.1; JBuilder v8; VS 6.0; and is also tightly integrated into Visual Studio .Net.


 
I am working with another development environment. Can I use AppScan DE to test my application during development?
 

Yes. AppScan DE 1.7 can be used as a standalone tool, either through its complete command line interface (CLI) or through its GUI. Users can then test applications that were created using any IDE.


 
Is there a command line interface so I can integrate AppScan DE into my IDE?
 

Yes. AppScan DE 1.7 comes with a complete CLI that allows you to automate scans and even create your own integration with your IDE: simply create a plugin that generates the configuration file, then launch AppScan DE 1.7 with that file.


 
What business problem does AppScan DE solve?
 

Hackers are becoming more and more sophisticated every day, making it increasingly difficult to protect the integrity of your applications and the valuable information they safeguard. Protecting these applications by manually patching or upgrading is a strategy that will fail you - sooner or later. Today, Web application security must be built in from the ground up - driven throughout the application lifecycle from development, to quality testing, to deployment and maintenance. Sanctum is the recognized leader in Web application security across the Development Lifecycle with the online and offline solutions that work autonomously and continuously to deliver:

  • Reliability: Create 'hacker resistant' applications in the development environment
  • Assurance: Test quality in the QA/Staging environment
  • Confidence: Maintain confidence in the live/production environment

Sanctum's solutions complete eBusinesses' security infrastructure, assure regulatory compliance, and create sustainable ROI.

AppScan DE helps ensure your application's business logic is resistant to attack without destroying any of its elegance, functionality or effectiveness. AppScan DE automatically identifies the location of each defect, delivers in-line fix recommendations, provides detailed descriptions and enables the developer to perform granular analysis of each test and response. AppScan DE helps the developer build more secure applications in addition to reducing the number of development cycles and associated downtime caused by security defects found in production. As a result, secure applications are deployed faster for less money and the enterprise better optimizes the utilization of development resources.


 
Why is the AppScan Developer Edition 1.7 release significant?
 

Until now, developers have been forced to make trade-offs between application security and the time it takes to develop and deploy. They simply have not had the time or the tools to build security into their applications effectively and consistently. AppScan Developer Edition 1.7 is the first and only integrated, automated testing tool that solves this enormous and growing problem for developers. With AppScan DE, developers can build applications and quickly check them for security defects. The defects AppScan DE finds can be located quickly and fixed effectively using the tools and information built into the tool. Through this process, the developer learns how to design and build more secure applications. This reduces the number of development cycles and associated downtime caused by security defects found in production. As a result, secure applications are deployed faster for less money and the enterprise better optimizes the utilization of development resources. AppScan DE 1.7 is integrated with the standard IDEs in the market today, including Visual Studio .NET, Visual Studio 6.0, WebSphere v5, JBuilder v8, and Eclipse 2.0/2.1.


 
What are the key features in AppScan DE?

Configure
Save time with Precision Script Creation and Security Unit Testing

  • Configure and launch security tests from within the IDE
  • Customizable configuration settings to enable efficient security testing
    • Automatic: Test creation, execution, and validation process
    • Manual: Control the scope, depth and application interactions of tests manually
  • Business Process Record and Play
    • Target specific business processes for unit testing
  • Test Filtering
    • Saves time: focus tests on specific type or subset of defect, or area of application
  • Advanced Web Form Options
    • Automatically submits values for every form field detected
    • Form parameter values are fully customizable

Test
Built in intelligence delivers comprehensive defect analysis for maximum results

  • Patented Policy Recognition Engine learns intended data input validation processes
  • Automatically authors customized test scripts for every potential security defect it detects based on application logic and structure
  • Precisely evaluates application response to each test identifying location of each defect
  • Auto-Transient Detection
    • Consistent testing in stateful environments
  • Login and Logout Handling
    • Manages and maintains authentication settings on the fly
  • Automated form fill
    • Stores default values for automated form fill to ensure a complete scan

Recommend and Report
Fix Recommendations Help Developers Build Secure, Quality Applications

  • In-line fix recommendations and detailed description for every defect
  • Real time training for both .Net and Java with specific fix recommendation including secure coding examples and suggestions
  • Defect pinpointing provides location of each defect
  • Interactive Results Displays enable drill down for granular analysis of each test and response
  • Code Sanitation and Content Review
    • Details of every script detected including comments in source code, cookie contents, and JavaScript
  • Reports
    • Executive summaries and detailed information relating to each defect
    • Export results in standard CSV format
  • Test Run Comparisons
    • Measure effectiveness of fixes against results of previous test run


 
Why is integration in IDEs so important for AppScan DE?
 

In today's dynamic operating environment, enterprise and professional developer tools demand both functionality and flexibility. By using AppScan DE from within their IDE, developers are able to incorporate security unit testing easily into the application development process without disrupting their current environment.

Visual Studio .NET Integration Advantages
Complete Integrated Development Environment with AppScan DE

  • AppScan DE Projects, Configurations, and Test Runs
    • Logical organization of all security unit testing projects and configurations.
    • Test run results stored chronologically and stamped with date and time for quick results comparison.
  • Multiple Language Support
    • Automatically test web applications written in any language supported by Visual Studio .NET including C#, C++, and J#.
  • Integrated Results and Recommendations
    • Review test results and fix recommendations directly from within the Visual Studio .NET development environment

Integration Advantages with WebSphere Studio 5.0, Eclipse 2.0/2.1, JBuilder v8, and Visual Studio 6.0

  • Streamlined security testing - AppScan DE is configured and launched as a normal part of the workflow from within the IDE using a native IDE plug-in.
  • User can set default values for the scan properties, or change them on the fly for every scan.
  • Single-click scan automatically tests web applications written in any language/environment supported by the IDE including Java, EJB, Servlets, JSP, HTML, etc.
  • Provides customizable configuration settings to enable efficient security testing as part of the development cycle.
  • Review 'developer centric' test results and specific inline real time fix recommendations.


 
What is the difference between AppScan and AppScan DE 1.7?
 


Application or Tool?
  • AppScan: Standalone Windows 2000/XP Application
  • AppScan DE: Development tool fully integrated into Visual Studio .NET

Functions
  • AppScan:
    1. Security Testing of Integrated Applications during QA
    2. Vulnerability Assessments of Applications and Sites in Production
    3. Verify Compliance with Corporate Security Policies and Government Regulations
  • AppScan DE:
    1. Security Unit Testing of Applications in Development

Range
  • AppScan: External and Internal IP addresses
  • AppScan DE: Internal IP addresses only

Automation
  • AppScan:
    • User determines level of automation
    • Scheduling and scriptable execution
  • AppScan DE:
    • Completely automatic by default. Manual configuration available.
    • Can be automated using the CLI

Common Web Vulnerabilities (Third Party Software)
  • AppScan:
    • Misconfigurations
    • Known vulnerabilities
  • AppScan DE:
    • No support for CWV

Application-Specific Vulnerabilities (application logic)
  • AppScan:
    • Cross-site Scripting
    • Parameter Tampering
    • Hidden Field Manipulation
    • Backdoors and Debug Options
    • Stealth Commanding
    • Forceful Browsing
    • Application Buffer Overflow
    • Cookie Poisoning
    • HTTP Attacks
    • SQL Injection
    • Suspicious Content
    • Application-Specific Server Vulnerabilities
  • AppScan DE:
    • Cross-site Scripting
    • Parameter Tampering
    • Hidden Field Manipulation
    • Backdoors and Debug Options
    • Stealth Commanding
    • Forceful Browsing
    • Application Buffer Overflow
    • Cookie Poisoning
    • HTTP Attacks
    • SQL Injection
    • Suspicious Content


 
How knowledgeable does the person using AppScan DE have to be?
 

AppScan DE is designed for use by developers who know a lot about building applications but less about the thousands of ways hackers might try to exploit them. Because AppScan DE 1.7 is integrated with the different IDEs, users do not have to learn a new environment in order to scan their applications.

AppScan DE provides developers with detailed background and fix recommendations for each security defect found. It also provides real-time training for all developers on security testing and secure coding techniques.


 
Does AppScan DE test many different types of Web applications or only those written for the Microsoft .NET Framework?
 

AppScan DE will unit test any Web application regardless of the platform upon which it is built.


 
What are the strengths of AppScan DE's customization and automation features?
 

AppScan DE can automatically explore an application site unassisted. A user can configure AppScan DE to narrow the scope or depth of the scan precisely in order to reduce unnecessary scanning. The user can define which types of attacks to execute and whether to perform them automatically or manually. Using input from its Expert Security Testing System, AppScan DE automatically assigns severity and success ratings for tests and provides expert advice for the location and fix of any security defects. In short, AppScan DE's automation and customization features combine power and speed with flexibility and control. This unparalleled combination empowers developers to complete more accurate and comprehensive unit tests for security defects in a fraction of the time it would take to do the same assessment manually.


 
Why should security testing be done as a part of the application development process?
 

There are two sources of application security defects:

  • External: Common Web Vulnerabilities (CWVs) are the result of misconfiguration of 3rd Party software (e.g. web servers and CGI scripts)

  • Internal: Application-Specific Vulnerabilities (ASVs) are created during application design and development

How and when companies detect and fix security defects in Web applications depends on the source of the security defects. Catching and fixing ASVs during the development and testing of applications reduces dramatically the cost of fixing these types of security defects. One estimate is that it costs seven times more to fix a defect once the application's been deployed than it would have if it had been caught during the pre-deployment testing process and fifteen times more to fix than if it was detected and fixed during its development. AppScan DE includes ONLY tests for vulnerabilities caused by insecure programming. This means that developers will only be spending time reviewing results that are relevant to their work.

Integrating AppScan DE into existing development processes is simple because:

  • AppScan DE 1.7 is integrated with multiple IDEs
  • AppScan DE 1.7 creates, modifies, and manages unit tests automatically
  • AppScan DE 1.7 provides defect details and fix recommendations automatically. For .Net users it also provides the location of the security defect
  • AppScan DE 1.7's results can be exported in standard CSV format for import into 3rd Party defect reporting and management systems.

In short, the most inexpensive and effective way to eliminate application security defects is to catch them as early as possible. To this end, AppScan DE 1.7 integrates into any application development process and IDE, in order to catch security defects early and enable developers to fix them before it gets exponentially more expensive and more risky to do so.


 
What information does AppScan DE provide to the user when it finds a security defect?
 

At the end of the day, AppScan DE's value is driven by how quickly and effectively it finds and enables the fix of web application security defects. AppScan DE finds defects in the way applications validate user input. Hackers search for and exploit these defects using one or more of the following techniques:

  • Cross-site Scripting
  • Parameter Tampering
  • Hidden Field Manipulation
  • Backdoors and Debug Options
  • Stealth Commanding
  • Forceful Browsing
  • Application Buffer Overflow
  • Cookie Poisoning
  • HTTP Attacks
  • SQL injection
  • Suspicious Content

Since these are vulnerabilities that can be eliminated during the application development process, AppScan DE provides all of the information a tester or developer needs to locate, understand, and fix the defects quickly and effectively. As a result, the developer learns how to design and build secure applications. Specifically, the advisory includes information on:

  • the possible impact on the system of a hacking attack utilizing the specific vulnerability
  • products affected by the vulnerability
  • detailed descriptions of the possible attacks utilizing the vulnerability
  • a recommended action that may resolve the vulnerability including sample code
  • further reference regarding the vulnerability


 
I already write scripts that check for data validation, do I need AppScan DE?
 

The answer to this question is best provided by way of example. For a web application that contains 100 links, AppScan DE will automatically create several thousand separate customized tests to run against the application that look for all types of application security defects. No developer, no matter how prolific, expert in security, or skilled as a programmer, can match that output and accuracy. At the end of the day, AppScan DE provides the automation and security expertise so developers have more time and freedom to focus on features and functionality.


 

 
AppShield, AppScan, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

 
© 2004 Sanctum, Inc.