AppScan™ QA Edition FAQs—Product Overview
  1. What business problem does the AppScan product suite solve?
  2. What makes the AppScan product suite the right choice for my organization?
  3. Who benefits from the AppScan 4.5 product suite?
  4. What is the key benefit of AppScan QA Edition?
  5. What are the key features of AppScan 4.5 QA Edition?
  6. Does AppScan QA provide Compliance Testing?
  7. Does AppScan QA provide Privacy Testing?
  8. How does AppScan facilitate understanding of the test results? What is Results Analysis?
  9. What is Results Consolidation?
  10. What is Delta Analysis?
  11. Does AppScan QA support XML/SOAP and Web services?
  12. How do I integrate security testing into test plans?
  13. Does AppScan QA integrate into existing QA test systems?
  14. Can AppScan QA integrate into my current test environment such as Rational, Segue or Compuware?
  15. I am a Mercury Interactive TestDirector User. Will AppScan integrate into this test environment?
  16. How do I write and modify security test scripts with AppScan QA?
  17. Can I track the changes to my application's security over time with AppScan QA?
  18. How does AppScan handle non-English language applications?
  19. What is the new attack "HTTP Response Splitting"?
  20. What types of attacks does AppScan test for?
 
What business problem does the AppScan product suite solve?
 

The pace of application deployment is accelerating; mandatory internal and external compliance of security regulations and initiatives is increasing; and protecting your web applications by manually patching or upgrading is a strategy that will fail you - sooner or later. According to the Gartner Group, a company with 1,000 servers can spend $300,000 to test & deploy a patch. The startling reality is most companies deploy several patches a week. The potentially devastating business impact of a security defect in production demands an enterprise does everything possible to be assured of quality, compliance and security across the application lifecycle with a commitment to maintaining confidence in the live/production environment.

There are three products built on AppScan core technology to serve customers:

  • AppScan Developer Edition (DE) - An integrated application code security testing software package for developers in the .NET and J2EE development environments.
  • AppScan QA Edition (QA) - Automated, progressive web application testing software enabled to provide QA personnel with comprehensive security defect analysis and remediation information, while integrating seamlessly into current test processes and environments.
  • AppScan Audit Edition (AE) - Automated application vulnerability assessment software to conduct accurate and comprehensive audits, validate web application quality, and compliance to regulatory and organizational security initiatives.

What makes the AppScan product suite the right choice for my organization?
 

The bottom line in web application risk assessment is efficiency, and AppScan's industry leading combination of speed, accuracy, and flexibility make it the most powerful security-testing tool in the market today. AppScan provides highly accurate and actionable information that drives enormous returns to organizations in the form of cost savings, reliable operations, and strong customer relationships. The AppScan product family provides the efficiency, accuracy and flexibility needed by developers, QA, auditors, and operations managers to empower the user to find and fix the security defects quickly and efficiently.

Who benefits from using the AppScan 4.5 product suite?
 

Application Testers
Instead of searching for security defects manually, testers use AppScan QA to detect security defects automatically as an integrated component of enterprise development and testing processes. AppScan QA automates the test script creation, modification, and maintenance process and ensures reliable and repeatable testing. After it runs these tests, AppScan QA's analytical tools and reporting functions simplify result communications with developers. By reducing the number of development cycles and associated downtime caused by security defects found in production, secure applications are deployed faster for less money and the enterprise dramatically improves the utilization of QA and development resources.

Internal and External Auditors
For applications in production, auditors face the considerable challenge of producing accurate and comprehensive security assessments quickly. For years, AppScan AE has been an essential part of the auditor's toolkit in helping to solve this problem. Powered by its patented Dynamic Policy Recognition Engine, AppScan's behavioral detection and precision testing processes automatically learn the application's logic and structure and build custom test scenarios to run against it. AppScan AE accurately detects the broadest array of application vulnerabilities with minimal false positives and false negatives, including in any web-based XML/SOAP application. Accuracy does not have to yield to performance, however: AppScan AE uses multiple threads to explore and test applications, cutting test time dramatically. Resolution becomes even easier in AppScan AE with analytical tools such as delta analysis, which allows auditors to compare changes between scans. Such tools, combined with enhanced assessment reports, best practice remediation steps, and real-time assessment monitoring, ensure the auditor can focus more time and resources on the resolution of security vulnerabilities rather than on their detection.

Compliance Officers
Regulatory and security best practice initiatives are of growing concern to organizations. Failure to comply with new government regulations and corporate best practices can be extremely costly and potentially embarrassing. AppScan includes an innovative tool that simplifies compliance reporting. Taking full advantage of the capabilities of XML, AppScan integrates several templates that can generate multiple compliance validation reports from a single AppScan assessment of a site. In addition to the built-in templates, AppScan includes the ability to easily create customized reports to validate web applications against organization-specific policies and guidelines.

What is the key benefit of AppScan 4.5 QA Edition?
 

AppScan QA delivers predictive, reproducible results that QA personnel can use to test applications during the development lifecycle. With tools such as delta and trend analysis, defect changes can be determined against a baseline to develop accurate analysis, especially in changing development environments. With AppScan QA's automated results analysis, testers can quickly identify the type, severity, and area (application or administrative) of vulnerabilities. Security can be complex to understand; AppScan QA allows QA personnel to focus on their core competency of testing. AppScan's detailed defect analysis advisories translate technical details into business terms suitable for a range of audiences, including development management. For testers or developers who desire a comprehensive understanding of the defects, AppScan QA provides detailed views of the test, the response, and suggested fix recommendations. In addition to testing for common web vulnerabilities and application-specific vulnerabilities, AppScan QA can also test any web-based XML/SOAP application or environment. This allows immediate testing on new infrastructure technologies. Finally, AppScan QA provides tools such as APIs and Command Line Interfaces to facilitate integration with existing testing environments and to allow third party tools to interact with, and even launch, scans automatically. In summary, AppScan QA:

Facilitates Communication across the development lifecycle:

  • Best of breed results communication: Understand, communicate and measure
  • Enhanced reporting functionality with XSLT templates

Automates Regulatory/Directive Compliance Assurance

  • Built-in U.S. regulations
  • Built-in European directives
  • User-defined compliance reports

Enhances S.A.F.E. Leadership (Speed, Accuracy, Flexibility and Efficiency)

  • Accurate security assessment for the power user
  • User defined controls for intelligent testing

What are the Key Features of AppScan QA?
 

Automated Intelligent Security Testing

  • Patented validation engine creates customized test scenarios, delivers the widest array of attack variants to test and validate defects, and approves for release candidacy
  • User-defined controls drive intelligent testing for all skill levels
  • Extensible and easily integrates into existing infrastructures and processes

Regulatory Compliance Verification and Reporting

  • Built-in compliance reporting for regulatory, directive, and corporate policy pre-validation
  • Detailed reports with remediation feedback on security defects

Results Communication: Understand, Communicate, Measure

  • Delta, trend and regression analysis for security defects
  • Actionable results through comprehensive fix recommendations
  • Common reporting language across groups/departments
  • Identify and translate defect root cause into business risk

Does AppScan QA provide Compliance Reporting?
 

Yes. AppScan QA includes an easy to use reporting tool that automatically generates regulatory and internal security initiative compliance reports. The importance of ensuring the confidentiality and integrity of sensitive customer or company information is just one reason that external regulations and security best practices have recently taken a leading role in security testing. Compliance initiatives are hitting the bottom line and are considered critical and real components of secure environments. Failure to comply with government regulations and corporate best practices can not only be extremely costly but can also affect customer and public trust. AppScan QA includes an innovative tool that simplifies compliance reporting. Several report templates have been integrated into the product that can generate multiple compliance validation reports from a single AppScan assessment of a site. In addition to the variety of built-in regulatory templates, AppScan includes the ability to easily create customized report templates to validate web applications against internal security and privacy policies and guidelines.

Does AppScan QA provide Privacy Testing?
 

Yes. Application security does not always equal application privacy. An application without security vulnerabilities does not guarantee privacy of the sensitive information contained by that application. For example, it may be possible for unencrypted user names/passwords to be intercepted or personal information like social security numbers to be exposed. For this reason, AppScan has implemented a suite of privacy tests to specifically look for unsecured sensitive information. AppScan's privacy tests target vulnerabilities or configurations that result in sensitive information being inadvertently exposed. For example, AppScan will report if login requests are sent unencrypted, or if other sensitive information such as credit card numbers or social security numbers is sent unprotected to the server.
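An added example, not Sanctum's code, of the kind of check those privacy tests perform: it inspects constructed HTTP request captures for credentials, card numbers (Luhn-checked) and social security numbers sent over plain HTTP and, going one step beyond the page, also flags such values carried in the URL query string, where proxies and server logs record them. The parameter-name list and sample captures are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names taken to carry credentials (assumed list; extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "pin"}
# U.S. social security number in its dashed form.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def luhn_ok(digits: str) -> bool:
    """True if digits has card-number length and passes the Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(name: str, value: str):
    """Kind of sensitive data a parameter holds: credential, card-number, ssn or None."""
    if name.lower() in CREDENTIAL_FIELDS:
        return "credential"
    if luhn_ok(value.replace(" ", "").replace("-", "")):
        return "card-number"
    if SSN_RE.match(value):
        return "ssn"
    return None


def privacy_findings(method: str, url: str, body: str = ""):
    """Report sensitive parameters that travel unprotected in one captured request.

    Returns a sorted list of (issue, parameter_name) tuples. A value is
    'sent unencrypted' when the request scheme is not https, and 'exposed in
    URL' when it rides in the query string rather than the request body.
    """
    parts = urlsplit(url)
    locations = (
        ("query", parse_qs(parts.query)),
        ("body", parse_qs(body) if method.upper() == "POST" else {}),
    )
    findings = set()
    for location, params in locations:
        for name, values in params.items():
            for value in values:
                kind = classify(name, value)
                if kind is None:
                    continue
                if parts.scheme.lower() != "https":
                    findings.add((f"{kind} sent unencrypted", name))
                if location == "query":
                    findings.add((f"{kind} exposed in URL", name))
    return sorted(findings)


# Constructed request captures (not real traffic): method, URL, body.
SAMPLE_CAPTURES = [
    ("POST", "http://shop.example/login", "user=alice&password=hunter2"),
    ("POST", "https://shop.example/login", "user=alice&password=hunter2"),
    ("GET", "http://shop.example/pay?card=4111111111111111&ssn=123-45-6789", ""),
    ("POST", "https://shop.example/pay", "card=4111-1111-1111-1111"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLE_CAPTURES:
        print(method, url, "->", privacy_findings(method, url, body) or "clean")
```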

How does AppScan 4.5 facilitate understanding of the test results? What is Results Analysis?
 

As web applications scale in size and volume, the number of vulnerabilities that can be found by AppScan increases dramatically. Analyzing and understanding the results from a management/executive perspective has in the past been a purely manual task, and it can become exhausting work when dealing with large web applications that contain many security vulnerabilities. With AppScan's Results Analysis tool, AppScan can automatically translate the scan results from technical to business terms. This feature saves time and improves accuracy. Results Analysis communicates the root cause and effect of security defects to developers and other personnel.

QA personnel can present technical defects, with reference to the urgency of the defect, in easy to understand business terms, shortening the application development lifecycle. In addition, the presentation of the results eliminates the need for QA testers to also be security experts.

AppScan's Results Analysis includes several sections that help address the security problems at the macro level:

  • Most vulnerable links in the web application
  • Worst Case Scenarios
  • Vulnerability Causes
    • Insecure programming
    • Insecure administrative practices

For each vulnerability, AppScan presents the vulnerability cause in layman's terms to provide an understandable sense of what causes the problem.

What is Results Consolidation?
 

To provide a comprehensive landscape of a site's security health, security testing must incorporate a wide range of application attacks, with several variations of each type attempted. AppScan follows this testing pattern by conducting tests on several parameters within a specific web application link. AppScan QA then consolidates the results into collapsible/expandable groups according to the name of the test and the link (the original link on which the test was sent). This provides an organized, high-level view of the results, allowing users to quickly navigate through and understand them without the need to scan all the test results from top to bottom. This is very useful in identifying specific types of vulnerabilities or defects that have multiple ramifications throughout the application. The organized display also helps to isolate problems with particular pages and depicts a logical assessment of the entire application security landscape.

What is Delta Analysis?
 

AppScan QA contains the first comprehensive solution for 'Delta Analysis' of web application security, which helps developers, QA testers and audit personnel track changes in the security of their web application. Advanced delta analysis is one of the unique, cutting-edge features of the AppScan Suite. A delta analysis gives the tester and the product manager a much broader view of where development is heading with regard to security.

For QA personnel, delta analysis enforces predictive reproducible results across the application test cycle. Defect changes can be determined against a baseline to develop accurate analysis, especially in changing development environments. This allows QA to adhere to a given test plan.

Does AppScan QA support XML/SOAP and Web services?
 

Yes. AppScan QA provides full support for XML and Web Service testing, including full parsing of XHTML pages; interception, parsing and manipulation of XML and SOAP web service requests; new ASV (unknown vulnerability) and CWV (known vulnerability) tests added to AppScan's test database; and marking of XML requests in the GUI for easy distinction between XML and regular requests. As more and more web applications implement XML for purposes such as Web Services or B2B interfaces, new security hazards are introduced. To keep the security level of web applications at its highest, it is important to be able to audit those parts of the application as well.

How do I integrate security testing into test plans?
 

Creating the test plan is the first step in the application testing process. At this initial stage, it's critical to write security testing into the test plan regardless of whether or not you're going to use AppScan to do the tests. Just as the test plan contains methods and use cases for testing the functionality and performance of the application, so too should it include a plan for evaluating the application's security.

Application security defects generally involve improper handling of data sent from the user to the application. As a result, including methods, use cases and success criteria for testing the application's handling of invalid or illegal characters in the test plan is most of what is required to integrate security testing into test plans. Doing so saves the enterprise money and reduces the business risk associated with security defects that slip through the standard testing process and end up getting deployed. Using AppScan features like duplicate session and business process record and play, QA personnel can generate and propagate use cases for security testing with the same ease as they do for functional testing. For Mercury Interactive TestDirector users, Sanctum's AppScan QA for TestDirector provides completely integrated security testing as part of the TestDirector framework, so planning and executing test plans can seamlessly support security testing alongside feature, function and performance testing.

Does AppScan QA integrate into existing QA test systems?
 

AppScan QA facilitates integration with existing testing environments through Command Line Interfaces (CLIs) and APIs. QA engineers can easily add AppScan security testing to their existing test scripts and scripting tools like JRun and JTest using AppScan's CLIs. AppScan QA provides a fully documented API to support broader and deeper integration with your existing testing platforms. Using the APIs, QA personnel can fully integrate AppScan security testing into test platforms like IBM's Rational, Segue, and Compuware. For Mercury Interactive TestDirector users, Sanctum's AppScan QA for TestDirector provides completely integrated security testing as part of the TestDirector framework, so planning and executing test plans can seamlessly support security testing alongside feature, function and performance testing.

Can AppScan QA integrate into my current test environment such as Rational, Segue or Compuware?
 

Yes. AppScan QA provides a fully documented API to support broader and deeper integration with your existing testing platforms. Using the APIs, QA personnel can fully integrate AppScan security testing into test platforms like IBM's Rational, Segue, and Compuware.

I am a Mercury Interactive TestDirector User. Will AppScan integrate into this test environment?
 

Yes. For Mercury Interactive TestDirector users, Sanctum's AppScan QA for TestDirector provides completely integrated security testing as part of the TestDirector framework, so planning and executing test plans can seamlessly support security testing alongside feature, function and performance testing.

How do I write and modify security test scripts with AppScan QA?
 

With application security built into the test plan, performing security tests with AppScan is fast and efficient. Since AppScan creates and modifies application security tests based on the specific application, the job of the tester is to identify for AppScan the application or the business process to be tested. Like with other testing tools, this is commonly done with AppScan's "Business Process Record and Play" feature. QA personnel can record and save use cases and then execute security tests against them as part of the normal QA process.

Can I track the changes to my application's security over time with AppScan QA?
 

Yes. AppScan provides a session comparison utility that lets you compare the differences between two selected sessions. The comparison results are presented in the delta analysis report, which includes information about the differences between the sessions in each of the scan stages and scan results. This utility was specifically designed to let you track and monitor the changes in application security that result from an application code update. Additionally, using XSLT, customers can easily perform trend analysis of results from more than two scans. Included with AppScan is a sample Trend Analysis template that can be modified and used to start constructing trend analysis quickly.
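The grouping described in the Results Consolidation answer above and the session comparison described here, as an added example that is not AppScan's own code: findings are keyed by test name, link and parameter, consolidated per (test, link) as the results view does, and two sessions are diffed into new, fixed and unchanged findings, with per-test counts of the kind a trend report rolls up. The sample findings are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One finding as a scanner records it: the test that fired, the link it was
# sent on, and the parameter that was manipulated. Sample data is constructed.
Finding = Tuple[str, str, str]  # (test_name, link, parameter)

BASELINE: List[Finding] = [
    ("SQL Injection", "/login.asp", "username"),
    ("SQL Injection", "/login.asp", "password"),
    ("Cross-Site Scripting", "/search.asp", "q"),
    ("Hidden Field Manipulation", "/checkout.asp", "price"),
]

CURRENT: List[Finding] = [
    ("SQL Injection", "/login.asp", "username"),
    ("Cross-Site Scripting", "/search.asp", "q"),
    ("Cross-Site Scripting", "/search.asp", "category"),
    ("HTTP Response Splitting", "/redirect.asp", "url"),
]


def consolidate(findings: List[Finding]) -> Dict[Tuple[str, str], List[str]]:
    """Group findings by (test name, link) so one vulnerability class hitting
    several parameters of the same link reads as a single expandable entry."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for test, link, param in findings:
        groups[(test, link)].append(param)
    return {key: sorted(params) for key, params in groups.items()}


def delta(baseline: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Compare two sessions: findings that are new, fixed, or unchanged."""
    base, cur = set(baseline), set(current)
    return {
        "new": sorted(cur - base),        # appeared since the baseline scan
        "fixed": sorted(base - cur),      # no longer reproduced
        "unchanged": sorted(base & cur),  # still open
    }


def summarize_delta(baseline: List[Finding], current: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Roll the delta up to counts per test name, the shape a trend report uses."""
    per_test: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"new": 0, "fixed": 0, "unchanged": 0}
    )
    for status, items in delta(baseline, current).items():
        for test, _link, _param in items:
            per_test[test][status] += 1
    return dict(per_test)


if __name__ == "__main__":
    for (test, link), params in consolidate(CURRENT).items():
        print(f"{test} on {link}: {', '.join(params)}")
    for status, items in delta(BASELINE, CURRENT).items():
        print(status, items)
    print(summarize_delta(BASELINE, CURRENT))
```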

How does AppScan handle non-English language applications?
 

AppScan works with the HTML requests and responses sent between a user and the application. As a result, AppScan can be run against non-English sites, and it will find common web vulnerabilities on every site. To ensure that it will also identify and properly test application-specific vulnerabilities, a version of AppScan designed for that language is required. Currently, AppScan is produced in English and Japanese versions. Versions for other languages will be released in the future.

AppScan for Japanese users is currently available through TechMatrix and Hitachi, and a network of partnerships through them in Japan. This version provides Japanese language support and language-specific rules.

AppScan is also available in Europe through multiple country-based partnerships. See the Sanctum Partner directory for a complete listing.

What is the new attack "HTTP Response Splitting"?
 

HTTP Response Splitting infects web server communications and allows hackers to launch Web Cache Poisoning attacks (leading to defacement and next-generation phishing), hijack a web page with users' sensitive information or access data through cross-site scripting. The only security testing tool that can detect and immediately fix HTTP Response Splitting, AppScan QA helps enterprise users stay protected from these next-generation application threats.

What types of attacks does AppScan test for?
 

AppScan explores applications looking for known and unknown vulnerabilities, as a hacker would. Following is a list of many of the vulnerabilities AppScan finds and tests for:

  • SQL Injection
  • Hidden Field Manipulation
  • Parameter Tampering
  • Stealth Commanding
  • Forceful Browsing
  • Backdoors and Debug Options
  • Cookie Poisoning
  • 3rd Party Misconfigurations
  • Cross-Site Scripting
  • Buffer Overflow
  • HTTP Attacks
  • HTTP Response Splitting
  • Known Vulnerabilities (associated with CWVs)
  • Suspicious content
  • XML/SOAP
  • Privacy tests

AppShield, AppScan, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

© 2004 Sanctum, Inc.