AppScan Standard Web Vulnerability Scanner
AppScan Standard (formerly Watchfire AppScan, now under IBM Security AppScan product family) is web vulnerability scanner (WVS), more specifically Dynamic Application Security Testing (DAST) base web vulnerability scanner use to protects against web application attacks and expensive data breaches by testing your application code.
Prevent security risks
It’s critical to adopt an application security strategy that protects applications during every phase of development. Testing web and mobile applications prior to deployment helps to counteract security risks, by generating vulnerability reports and fix recommendations. AppScan Standard automates appsec vulnerability testing, minimizes web app attacks and prevents costly data breaches by permitting you to test apps before deployment. AppScan Standard provides clear visibility across your infrastructure – helping you identify and prioritize threats based on business impact and mitigate risk by fixing code or deploying appropriate policies.
Avoid security vulnerabilities
Use automated Dynamic Application Security Testing (DAST) and advanced static analysis (SAST) – “black box” and “white box” techniques– to detect developing security issues.
Empower accurate scanning
Scan websites to identify embedded vulnerabilities. Simplify interpretation of scan results with scan-specific explanations of each issue.
Get quick remediation
Fix high-priority problems first with streamlined remediation. Make fixes quickly with the provided remediation steps – including code examples and a task list.
Key features
- Incorporate application security testing into DevOps
- Enhance application security with Cognitive capabilities
- Manage and reduce risk in web and mobile applications
- Address your appsec risk
Provides a comprehensive view into application vulnerabilities
Configure, run and upload app scans with our cloud integration feature
Get in-depth understanding of app security issues
Customized reporting on industry standards and compliance
Product Overview
IBM Security AppScan® Standard is a security vulnerability testing tool for web applications and web services. It features the most advanced testing methods to help protect your site from the threat of cyber-attack, together with a full range of application data output options.
IBM SecurityAppScan Standard employs three distinct testing techniques that complement and enhance each other:
- Dynamic Analysis (“black-box scanning”)
- This is the primary method, testing and evaluating application responses during run-time.
- Static Analysis (“white-box scanning”)
- This is a unique technology that analyzes JavaScript code in the context of the full web page.
- Interactive Analysis (“glass box scanning”)
- The dynamic test engine can interact with a dedicated glass-box agent which resides on the web-server itself, enabling AppScan to identify more issues, and with greater accuracy, than by conventional dynamic testing alone
AppScan’s advanced capabilities include:
- General and regulatory compliance reporting, with over 40 different templates available out-of-the-box
- Customization and extensibility through the AppScan eXtension Framework, or by direct integration into existing systems using the AppScan SDK
- Link categorization capabilities that go beyond application security to identify risks posed to users from links to malicious or other unwanted sites
AppScan Standard helps you decrease the risk of web application attacks and data breaches both before site deployment and for ongoing risk assessment in production.
AppScan Standard Latest Release and Update
Each time the software release and update, will change this post date and incorporate those latest information in this section.
AppScan Standard 9.0.10 – 9.0.3 Fix Pack 10 (Sep 20, 2018)
What’s new
A complete list of fixes in this version can be found at: http://www.ibm.com/support/docview.wss?uid=swg27021374
This fix pack includes the following improvements:
- Web Services Configuration wizard
The new Web Services Configuration Wizard helps you configure a scan based on the service’s Open API definition files (JSON and/or YAML). The wizard helps create the Explore stage traffic (rather than record it), and the configuration is then used to run an automatic scan.
AppScan Detailed System Requirements
For your convenience, the tabs below identify the supported releases of IBM Security AppScan Standard from which you can select detailed system requirement reports for different contexts (by Operating System, by component). Note that clicking a link will always generate a new, up-to-date report.
Note: AppScan Standard runs on Windows operating systems only. If glass box scanning is used, the glass box agent must be installed on the tested application’s server (Java and .NET platforms are supported). The system requirements listed for other (non-Windows) systems apply only to the server on which this glass box agent is installed.
A summary of the minimum hardware and software required to run AppScan Standard.
Important: A complete list of system requirements can be found at: http://www.ibm.com/support/docview.wss?uid=swg27024155
Minimum hardware requirements:
| Hardware | Minimum Requirement |
| Processor | Core 2 Duo 2 GHz (or equivalent) |
| Memory | 4 GB RAM |
| Disk Space | 30 GB |
| Network | 1 NIC 100 Mbps for network communication with configured TCP/IP |
Operating system and software requirements:
| Software | Details |
| Operating System | Supported operating systems (both 32–bit and 64–bit editions):
|
| Browser | Microsoft Internet Explorer 11Recommended: Internet Explorer Version 11.0.9600.18537, Update Versions 11.0.38 KB3203621
Note: Although the default AppScan Standard browser is based on Internet Explorer 11, you can configure AppScan to login and scan your site using another version of Internet Explorer, or with Google Chrome, Mozilla Firefox or MS Edge, if installed on your OS. |
| Other | Microsoft .NET Framework 4.6.2If using floating or token licenses: Rational® License Key Server 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5
(Optional) Adobe Flash Player for Internet Explorer is required for Flash execution (and for viewing instructional videos in some of the advisories). Versions 9.0.124.0 up to 14.0.0.125 are supported. Earlier versions are not supported, and some versions may require configuration. (Optional) Microsoft Word 2007, 2010, 2013 for custom report templates. |
Important:
- Customers without a local license on their computer require a network connection to their licensing server when using Security AppScan Standard.
- A personal firewall running on the same computer as Security AppScan Standard might block communication and result in inaccurate findings and reduced performance. For best results do not run a personal firewall on the computer that runs Security AppScan Standard.
Glass box system requirements
In order to use the glass box scanning feature, you will need to set up the server-side glass box agent on your application server. The following server platforms and technologies are supported.
Java™ platforms:
| Software | Details |
| JRE | Versions 6 and 7 are supported. JRE 8 is notsupported. |
| Operating System |
Supported Microsoft Windows systems (both 32–bit and 64–bit editions):
Supported Linux systems:
Supported UNIX systems:
|
| Java EE container | JBoss AS 6, 7; JBoss EAP 6.1; Tomcat 6.0, 7.0; WebLogic 10, 11, 12; WebSphere® 7.0, 8.0, 8.5, 8.5.5 |
.NET platforms:
| Item | Details |
| Operating System |
Supported operating systems (both 32–bit and 64–bit editions):
|
| Other | Microsoft IIS 7.0 or laterMicrosoft .NET Framework 4.0 or 4.5 must be installed, and IIS must be configured at the root level to work with this version of ASP.net |
Note: User must have administrator privileges when running the application on the server.
Note: The agent should be installed after the application you want to test is successfully installed on the server.
Cookie usage
Although Security AppScan Standard tracks cookies set by the application it is scanning, it does not set cookies of its own for authentication or any other purpose.
Supported Languages
The AppScan user interface can run in the following languages: Chinese (Simplified), Chinese (Traditional), English (United States), French, German, Italian*, Japanese, Korean*, Portuguese (Brazil), Russian*, Spanish (Spain). To change the user interface language go to Tools > Options > General tab
Important: Changes since 9.0.3.7 have not been fully translated in the Online Help documentation. The English documentation is up-to-date.
To access the English documentation for these features:
- In Windows Explorer, open [Program Files]\IBM\AppScan Standard\Docs
- Locate and open AppScanOnlineHelp.chm (the English Online Help file)
- Refer to these sections:
- Configuring > Scan Configuration dialog box > Login Management
- Configuring > Scan Configuration dialog box > Explore Options
- Tools > Configuration dialog box > Web Services Configuration Wizard
Supported Technologies
Helps you understand which technologies used by your site might affect AppScan®’s ability to scan it.
Some technologies used by your site might affect AppScan’s ability to scan it, while others do not affect the scan at all.
- AppScan is a “Black-Box” (DAST) tool, and scans your site using the same mechanisms as a browser. Therefore, in general, server-side technologies that are transparent to a browser are also transparent to AppScan, and do not affect the scan.
- Client-side technologies such as JavaScript and the HTTP protocol itself, do affect AppScan. Unlike a browser, AppScan needs to understand these technologies at a level that allows automatic crawling, session maintenance, and of course testing. In these cases you need to configure AppScan to scan correctly.
An AppScan scan consists of two main stages: Explore and Test. For each stage, the table below offers guidelines for understanding which server-side and client-side technologies might affect the scan, and in which cases configuration is needed.
|
Server-side technologies |
Client-side technologies |
|
|---|---|---|
|
Explore stage |
Any server-side technology that does not affect the client – such as the specific database used – does not affect the scan in any way. Many mechanisms that do affect the client (like session management) will not limit the scan as long as AppScan is configured correctly. For example, web servers and application servers affect how session IDs are managed, and AppScan must be able to track these IDs. Many common session IDs are predefined or can be automatically detected by AppScan and do not require additional configuration. However, additional configuration may still be required for some custom mechanisms. AppScan specifically supports WebSphere Portal custom URLs. WSP encodes the URLs in a way that makes it difficult to track them as they appear. AppScan decodes the URLs so they can be understood and tuned. Glass box scanning is supported for Java and .NET only. |
The two main client-side technologies used today are HTML5 and JavaScript, and both affect the Explore stage of the scan: AppScan supports HTML in the Explore stage. This means links can be extracted, forms can be understood and filled, etc. AppScan supports (executes) plain JavaScript. Several major frameworks are specifically supported, including JQuery, AngularJS, and PrototypeJS. Many other JS frameworks though not specifically supported, do not limit the scan in any way. If the automatic Explore stage misses pages due to a specific technology, the pages can be added to the scan by exploring the site manually after the automatic Explore stage, and before the Test stage. |
|
Test stage |
AppScan is designed to test the application and not its supporting technologies, therefore they do not affect testing. To consider databases again: AppScan’s suite of SQL Injection tests are independent of the database used. It also offers specific tests for 3rd Party testing (Common Vulnerabilities testing). |
Client-side testing is performed only on JavaScript code. Currently only plain JS vulnerabilities are detected. JS Frameworks are not supported, and therefore JS code that uses a framework may not be properly analyzed. HTML5 is fully supported. |
