AppScan™ QA Edition FAQs—Results Communication:
Understand, Communicate, Report and Compliance

  1. How does AppScan QA communicate the results of my test?
  2. How do I report security defects to developers with AppScan QA?
  3. How does AppScan Report Content?
  4. What are Technical Fix Recommendations in AppScan QA?
  5. What is the Unique Test ID?
 
How does AppScan QA communicate the results of my test?
 

Communicating the right results to the right people is an extremely important step in the application security testing and assessment process. AppScan provides a wide variety of ways in which results can be analyzed, reported, and communicated, and you can view the results of every test in a variety of formats.

AppScan's interactive results display and vulnerability index cards let you drill down from a high-level summary to the granular details of every test, including actionable fix recommendations. AppScan QA includes environment-specific, detailed technical fix recommendations. Alternatively, you can generate summary reports for executives or detailed reports for developers. You can also export test results in various formats, including XML, to third-party tools for additional analysis and tracking.

Using AppScan's compliance reports, QA and security organizations can now work collaboratively in testing for regulation compliance. Auditors can assess an application's compliance readiness, and QA is able to perform specific requirements to pre-validate applications prior to staging and deployment. This significantly improves the communication loop between security and development, ensuring that only quality, secure and compliant applications are deployed.

In addition to the interactive results and reports, another valuable source of information about the tests is AppScan's traffic log. In the traffic log, users will find an exact record of every component of every AppScan request and the same details for each response from the application, including header, cookie, script, and URL information.

 
 
How do I report security defects to developers with AppScan QA?
 

AppScan QA enables testers to get complete test descriptions and results into the hands of developers quickly. Through the results analysis feature, testers can communicate the root cause of security defects to developers. QA personnel can provide development with detailed reports that include test data, defect advisories, and environment-specific fix recommendations. Results can be exported in a standard format using the XML export feature, and XSLT transformation can then format the results for defect tracking and management software packages.

 
 
How does AppScan Report Content?
 

Communicating the results of a security assessment is as important as its findings. Defect reporting is therefore an essential component of the remediation process. Reports, however, must be flexible in the amount of detail they carry and readable by audiences with varying technical knowledge. The reporting options allow the user to specify what type of vulnerabilities to include, what level of vulnerability (low, medium, high), which specific URLs, and the suggested fix recommendation platform. This flexibility provides a single reporting utility that addresses the needs of multiple audiences. There is no need to spend extra time or resources to reconstruct the AppScan scan results externally. The native AppScan capabilities enable reports to be tailored to meet the various requirements across the organization.

 
 
What are Technical Fix Recommendations in AppScan QA?
 

Discovering a security vulnerability is the first step towards remediation and delivery of quality software. However, finding, communicating, and correcting the actual defect source is sometimes more challenging and tedious. QA organizations often do not have the resources available to analyze application security defects at the development code level, resulting in difficult and time-consuming remediation processes.

AppScan QA addresses this problem by facilitating remediation of security defects with comprehensive technical Fix Recommendations. These fix recommendations give AppScan's technical audiences the detailed information they need to resolve each reported security defect. The fix recommendations include actual developer-level coding suggestion examples and are presented in HTML format for convenience. Fix recommendations are included for both the J2EE and .NET development environments (user specified). The detailed information arms QA personnel with a common language to communicate the defect remediation steps to development organizations, saving time, resources, and development effort.

 
 
What is the Unique Test ID?
 

Every test in an AppScan session is given a session-specific unique test ID. The ID serves as a reference point for each test and test result, and can be referenced in the results analysis as well as in the reporting function. The test ID gives test and audit personnel the reference point they need to communicate and address specific tests and application vulnerabilities. Because documented vulnerabilities can be found quickly in searches, cross-referenced static reports, and interactive test-results grids, overall efficiency and communication are greatly improved.

 
 

 
AppShield, AppScan, Policy Recognition, and Adaptive Reduction are trademarks of Sanctum, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

 
© 2004 Sanctum, Inc.