Thursday, 20 September 2018 / Published in IBM, Product

AppScan Standard Web Vulnerability Scanner

AppScan Standard (formerly Watchfire AppScan, now under IBM Security AppScan product family) is web vulnerability scanner (WVS), more specifically Dynamic Application Security Testing (DAST) base web vulnerability scanner use to protects against web application attacks and expensive data breaches by testing your application code.

Prevent security risks

It’s critical to adopt an application security strategy that protects applications during every phase of development. Testing web and mobile applications prior to deployment helps to counteract security risks, by generating vulnerability reports and fix recommendations. AppScan Standard automates appsec vulnerability testing, minimizes web app attacks and prevents costly data breaches by permitting you to test apps before deployment. AppScan Standard provides clear visibility across your infrastructure – helping you identify and prioritize threats based on business impact and mitigate risk by fixing code or deploying appropriate policies.

Avoid security vulnerabilities

Use automated Dynamic Application Security Testing (DAST) and advanced static analysis (SAST) – “black box” and “white box” techniques– to detect developing security issues.

Empower accurate scanning

Scan websites to identify embedded vulnerabilities. Simplify interpretation of scan results with scan-specific explanations of each issue.

Get quick remediation

Fix high-priority problems first with streamlined remediation. Make fixes quickly with the provided remediation steps – including code examples and a task list.

Key features

Incorporate application security testing into DevOps
Enhance application security with Cognitive capabilities
Manage and reduce risk in web and mobile applications
Address your appsec risk

Provides a comprehensive view into application vulnerabilities

Configure, run and upload app scans with our cloud integration feature

Get in-depth understanding of app security issues

Customized reporting on industry standards and compliance

Product Overview

IBM Security AppScan® Standard is a security vulnerability testing tool for web applications and web services. It features the most advanced testing methods to help protect your site from the threat of cyber-attack, together with a full range of application data output options.

IBM SecurityAppScan Standard employs three distinct testing techniques that complement and enhance each other:

Dynamic Analysis (“black-box scanning”): This is the primary method, testing and evaluating application responses during run-time.
Static Analysis (“white-box scanning”): This is a unique technology that analyzes JavaScript code in the context of the full web page.
Interactive Analysis (“glass box scanning”): The dynamic test engine can interact with a dedicated glass-box agent which resides on the web-server itself, enabling AppScan to identify more issues, and with greater accuracy, than by conventional dynamic testing alone

AppScan’s advanced capabilities include:

General and regulatory compliance reporting, with over 40 different templates available out-of-the-box
Customization and extensibility through the AppScan eXtension Framework, or by direct integration into existing systems using the AppScan SDK
Link categorization capabilities that go beyond application security to identify risks posed to users from links to malicious or other unwanted sites

AppScan Standard helps you decrease the risk of web application attacks and data breaches both before site deployment and for ongoing risk assessment in production.

AppScan Standard Latest Release and Update

Each time the software release and update, will change this post date and incorporate those latest information in this section.

AppScan Standard 9.0.10 – 9.0.3 Fix Pack 10 (Sep 20, 2018)

What’s new

A complete list of fixes in this version can be found at: http://www.ibm.com/support/docview.wss?uid=swg27021374

This fix pack includes the following improvements:

Web Services Configuration wizard
The new Web Services Configuration Wizard helps you configure a scan based on the service’s Open API definition files (JSON and/or YAML). The wizard helps create the Explore stage traffic (rather than record it), and the configuration is then used to run an automatic scan.

AppScan Detailed System Requirements

For your convenience, the tabs below identify the supported releases of IBM Security AppScan Standard from which you can select detailed system requirement reports for different contexts (by Operating System, by component). Note that clicking a link will always generate a new, up-to-date report.

Note: AppScan Standard runs on Windows operating systems only. If glass box scanning is used, the glass box agent must be installed on the tested application’s server (Java and .NET platforms are supported). The system requirements listed for other (non-Windows) systems apply only to the server on which this glass box agent is installed.

A summary of the minimum hardware and software required to run AppScan Standard.

Important: A complete list of system requirements can be found at: http://www.ibm.com/support/docview.wss?uid=swg27024155

Minimum hardware requirements:

Hardware	Minimum Requirement
Processor	Core 2 Duo 2 GHz (or equivalent)
Memory	4 GB RAM
Disk Space	30 GB
Network	1 NIC 100 Mbps for network communication with configured TCP/IP

Operating system and software requirements:

Software	Details
Operating System	Supported operating systems (both 32–bit and 64–bit editions): Microsoft Windows Server 2016: Standard and Datacenter Microsoft Windows Server 2012: Essentials, Standard and Datacenter Microsoft Windows Server 2012 R2: Essentials, Standard and Datacenter Microsoft Windows Server 2008 R2: Standard and Enterprise, with or without SP1 Microsoft Windows 10: Pro and Enterprise Microsoft Windows 8.1: Pro and Enterprise Microsoft Windows 8: Standard, Pro and Enterprise Microsoft Windows 7: Enterprise, Professional and Ultimate, with or without SP1
Browser	Microsoft Internet Explorer 11Recommended: Internet Explorer Version 11.0.9600.18537, Update Versions 11.0.38 KB3203621 Note: Although the default AppScan Standard browser is based on Internet Explorer 11, you can configure AppScan to login and scan your site using another version of Internet Explorer, or with Google Chrome, Mozilla Firefox or MS Edge, if installed on your OS.
Other	Microsoft .NET Framework 4.6.2If using floating or token licenses: Rational® License Key Server 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5 (Optional) Adobe Flash Player for Internet Explorer is required for Flash execution (and for viewing instructional videos in some of the advisories). Versions 9.0.124.0 up to 14.0.0.125 are supported. Earlier versions are not supported, and some versions may require configuration. (Optional) Microsoft Word 2007, 2010, 2013 for custom report templates.

Important:

Customers without a local license on their computer require a network connection to their licensing server when using Security AppScan Standard.
A personal firewall running on the same computer as Security AppScan Standard might block communication and result in inaccurate findings and reduced performance. For best results do not run a personal firewall on the computer that runs Security AppScan Standard.

Glass box system requirements

In order to use the glass box scanning feature, you will need to set up the server-side glass box agent on your application server. The following server platforms and technologies are supported.

Java™ platforms:

Software	Details
JRE	Versions 6 and 7 are supported. JRE 8 is notsupported.
Operating System	Supported Microsoft Windows systems (both 32–bit and 64–bit editions): MicrosoftWindows Server 2012 MicrosoftWindows Server 2012 R2 MicrosoftWindows Server 2008 R2 Supported Linux systems: Linux RHEL 5, 6, 6.1, 6.2, 6.3, 6.4 Supported UNIX systems: UNIX AIX® 6.1, 7.1 UNIX Solaris (SPARC) 10, 11
Java EE container	JBoss AS 6, 7; JBoss EAP 6.1; Tomcat 6.0, 7.0; WebLogic 10, 11, 12; WebSphere® 7.0, 8.0, 8.5, 8.5.5

.NET platforms:

Item

Details

Operating System

Supported operating systems (both 32–bit and 64–bit editions):

MicrosoftWindows Server 2012
MicrosoftWindows Server 2012 R2
MicrosoftWindows Server 2008 R2

Other

Microsoft IIS 7.0 or laterMicrosoft .NET Framework 4.0 or 4.5 must be installed, and IIS must be configured at the root level to work with this version of ASP.net

Note: User must have administrator privileges when running the application on the server.

Note: The agent should be installed after the application you want to test is successfully installed on the server.

Cookie usage

Although Security AppScan Standard tracks cookies set by the application it is scanning, it does not set cookies of its own for authentication or any other purpose.

Supported Languages

The AppScan user interface can run in the following languages: Chinese (Simplified), Chinese (Traditional), English (United States), French, German, Italian*, Japanese, Korean*, Portuguese (Brazil), Russian*, Spanish (Spain). To change the user interface language go to Tools > Options > General tab

Important: Changes since 9.0.3.7 have not been fully translated in the Online Help documentation. The English documentation is up-to-date.

To access the English documentation for these features:

In Windows Explorer, open [Program Files]\IBM\AppScan Standard\Docs
Locate and open AppScanOnlineHelp.chm (the English Online Help file)
Refer to these sections:
- Configuring > Scan Configuration dialog box > Login Management
- Configuring > Scan Configuration dialog box > Explore Options
- Tools > Configuration dialog box > Web Services Configuration Wizard

Supported Technologies

Helps you understand which technologies used by your site might affect AppScan®’s ability to scan it.

Some technologies used by your site might affect AppScan’s ability to scan it, while others do not affect the scan at all.

AppScan is a “Black-Box” (DAST) tool, and scans your site using the same mechanisms as a browser. Therefore, in general, server-side technologies that are transparent to a browser are also transparent to AppScan, and do not affect the scan.
Client-side technologies such as JavaScript and the HTTP protocol itself, do affect AppScan. Unlike a browser, AppScan needs to understand these technologies at a level that allows automatic crawling, session maintenance, and of course testing. In these cases you need to configure AppScan to scan correctly.

An AppScan scan consists of two main stages: Explore and Test. For each stage, the table below offers guidelines for understanding which server-side and client-side technologies might affect the scan, and in which cases configuration is needed.

	Server-side technologies	Client-side technologies
Explore stage	Any server-side technology that does not affect the client – such as the specific database used – does not affect the scan in any way. Many mechanisms that do affect the client (like session management) will not limit the scan as long as AppScan is configured correctly. For example, web servers and application servers affect how session IDs are managed, and AppScan must be able to track these IDs. Many common session IDs are predefined or can be automatically detected by AppScan and do not require additional configuration. However, additional configuration may still be required for some custom mechanisms. AppScan specifically supports WebSphere Portal custom URLs. WSP encodes the URLs in a way that makes it difficult to track them as they appear. AppScan decodes the URLs so they can be understood and tuned. Glass box scanning is supported for Java and .NET only.	The two main client-side technologies used today are HTML5 and JavaScript, and both affect the Explore stage of the scan: AppScan supports HTML in the Explore stage. This means links can be extracted, forms can be understood and filled, etc. AppScan supports (executes) plain JavaScript. Several major frameworks are specifically supported, including JQuery, AngularJS, and PrototypeJS. Many other JS frameworks though not specifically supported, do not limit the scan in any way. If the automatic Explore stage misses pages due to a specific technology, the pages can be added to the scan by exploring the site manually after the automatic Explore stage, and before the Test stage.
Test stage	AppScan is designed to test the application and not its supporting technologies, therefore they do not affect testing. To consider databases again: AppScan’s suite of SQL Injection tests are independent of the database used. It also offers specific tests for 3rd Party testing (Common Vulnerabilities testing).	Client-side testing is performed only on JavaScript code. Currently only plain JS vulnerabilities are detected. JS Frameworks are not supported, and therefore JS code that uses a framework may not be properly analyzed. HTML5 is fully supported.

Server-side technologies

Client-side technologies

Explore stage

Any server-side technology that does not affect the client – such as the specific database used – does not affect the scan in any way.

Many mechanisms that do affect the client (like session management) will not limit the scan as long as AppScan is configured correctly. For example, web servers and application servers affect how session IDs are managed, and AppScan must be able to track these IDs. Many common session IDs are predefined or can be automatically detected by AppScan and do not require additional configuration. However, additional configuration may still be required for some custom mechanisms.

AppScan specifically supports WebSphere Portal custom URLs. WSP encodes the URLs in a way that makes it difficult to track them as they appear. AppScan decodes the URLs so they can be understood and tuned.

Glass box scanning is supported for Java and .NET only.

The two main client-side technologies used today are HTML5 and JavaScript, and both affect the Explore stage of the scan:

AppScan supports HTML in the Explore stage. This means links can be extracted, forms can be understood and filled, etc.

AppScan supports (executes) plain JavaScript. Several major frameworks are specifically supported, including JQuery, AngularJS, and PrototypeJS. Many other JS frameworks though not specifically supported, do not limit the scan in any way.

If the automatic Explore stage misses pages due to a specific technology, the pages can be added to the scan by exploring the site manually after the automatic Explore stage, and before the Test stage.

Test stage

AppScan is designed to test the application and not its supporting technologies, therefore they do not affect testing. To consider databases again: AppScan’s suite of SQL Injection tests are independent of the database used. It also offers specific tests for 3rd Party testing (Common Vulnerabilities testing).

Client-side testing is performed only on JavaScript code. Currently only plain JS vulnerabilities are detected.

JS Frameworks are not supported, and therefore JS code that uses a framework may not be properly analyzed.

HTML5 is fully supported.

AppScan Standard Web Vulnerability Scanner