FAQ

General

Why did my scan fail?

Possible reasons your scan might fail or come under review include:

Invalid app file
The Test Set you selected is not suited to your site/app
The SAST service is not functioning correctly or at all
There is a connectivity problem between the core platform and the SAST service (see Troubleshooting AppScan 360° Static Analysis deployment)

Obviously if you are able to avoid these issues your scan is more likely to complete automatically and fast. This is especially important if you are incorporating AppScan 360° scanning into an automated process, so scan time will be as short as possible.

How long does a scan take to complete?

Depending on application size and complexity, from a few minutes to much longer. You can elect to receive an email when the scan is complete.

What security issues does AppScan 360° test for?

AppDOS
Browser Caching Sensitive Information
Comments Reveal Sensitive Information
Configuration Issue
CrossSite Scripting (XSS)
DB Connection String Manipulation
Email Phishing
EMail Tampering
Encoding Required
Exposed Web Service
File Tampering
File Upload
HTTP Request Splitting
HTTPResponse Splitting
LDAP Injection
Open Redirect
OS Command Injection
Path Traversal Potential Business Logic Issue (also covers Insecure Direct Object Reference)
Privilege Escalation
RegEx Injection
Remove Test Code
SecondOrder Injection
Sensitive Data Exposure
Sensitive Data Stored in Logs
Sensitive Information Revealed in Error Message
Session Management Timeout Value Too Large
SQL Injection
Unencrypted Communications
URL Tampering
Use of Cryptographically Unsafe Random Number Generator
Use of Hidden Fields
Use of Insecure Cryptography Algorithm
Use of Unsafe Native Code
Weak Access Control
Weak Authentication
XML Injection
XPath Injection
XSLT Injection

Why is the Risk Rating for my application "Unknown"?

Risk Rating is calculated for an application based on two factors:

Issues found (by AppScan 360°)
Business Impact (assigned by the user)

If no issues have yet been found, or if Business Impact is "Unspecified" (the default), the Risk Rating will be "Unknown". To change the Business Impact, see Risk rating.

SAST

What is a static analysis IRX file and what does it contain?

IRX is a secure and encrypted zip archive that contains the information that is necessary to run a full static analysis of your program. It is encrypted at-rest upon creation, as well as during transport to the cloud (over SSL).

Internally, an IRX archive contains these files and artifacts:

A proprietary and obfuscated representation of your deployable program artifacts, built from your deployed source code (for example, Java bytecode or .Net MSIL). To learn which languages are supported for static analysis scans, see System requirements for static analysis).
Any runtime script files that are deployed with your program that can be analyzed for security vulnerabilities (for example .js (Javascript) or .rb (Ruby) files).
Static Analyzer configuration files that describe the application or project hierarchy and relationships or dependencies of your program. This allows for accurate and complete security analysis across project boundaries within your application.
Static Analyzer log files generated during the creation of the archive (for diagnostics and support).