Configuring for concurrent scanning

An AppScan 360° SAST scan consists of two steps:

  1. Prepare a scan for analysis.

    This operation is performed by the preparer service when the end user submits source code or a binary such as a .war file for scanning.

  2. Analyze a scan.

    This operation is performed by the analyzer service. The input file to this service could be supplied by the preparer or directly by the end user who chooses to perform a prepare on their client system using the tools provided (for example, AppScan Go!).

Concurrent scans can be run by configuring the maximum number of preparers and analyzers, as required, to allow Kubernetes to autoscale the number of each service available for scanning. Since the time to prepare or analyze varies by scan, concurrency is specific to each of these operations.

The maximum number of each service depends on the expected peak scan load profile, that is, the peak number of scans submitted, percentage scanning source code/binary, and percentage scanning IRXs.

Because of these unknowns, it may not be possible to define the optimal configuration at initial deployment. The AppScan 360° SAST configuration can be adjusted over time based on the actual scan load and by monitoring the RabbitMQ queues to determine the average time a scan waits for either service to become available.

The RabbitMQ management portal can be accessed through the ingress by enabling the following property when installing or reconfiguring AppScan 360° SAST:

rabbitmq:
  ingress:
    enabled: true
    hostname: <fqdn to access rabbitmq portal>

The initial configuration can specify an equal number of preparers and analyzers and can be adjusted over time. Use the following table to help calculate the total (max) resources required for some sample configurations.
Note: To achieve concurrency, there are two things to consider:
  1. Number of AppScan 360° licenses issued during the ASCP installation.
  2. Kubernetes configuration and availability of resources to allow multiple preparers and analyzers to be up and running at the same time.

Calculation for each type of resource (CPU or RAM):
  (number of preparers * resource per preparer)
  + (number of analyzers * resource per analyzer)
  + (number of ASCP adapters * resource per adapter)
  + total resources for the remaining services (these services are not autoscaled)

| ASCP adapters count | Preparers count | Analyzers count | MaxCPU | MaxRAM |
|---|---|---|---|---|
| 1 | 1 | 1 | 24 ((6*1)+(6*1)+(4*1)+4+2+2) | 60GB ((16*1)+(24*1)+(6*1)+6+4+4) |
| 3 | 3 | 3 | 56 ((6*3)+(6*3)+(4*3)+4+2+2) | 152GB ((16*3)+(24*3)+(6*3)+6+4+4) |
| 3 | 10 | 10 | 140 ((6*10)+(6*10)+(4*3)+4+2+2) | 452GB ((16*10)+(24*10)+(6*3)+6+4+4) |
| 3 | 5 | 10 | 110 ((6*5)+(6*10)+(4*3)+4+2+2) | 372GB ((16*5)+(24*10)+(6*3)+6+4+4) |

Note: The ASCP Adapter service is limited to scale up to a maximum of 3. Further increase is not required.
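The resource formula and the sizing table above, carried through as a small sizing helper. This is an added example, not code from the AppScan 360° documentation: the per-service CPU and RAM figures are read off the expansions in the table, the adapter cap of 3 comes from the note, and `replicas_for_peak` is a hypothetical rule of thumb (one analyzer per in-flight scan, a preparer only for source/binary submissions) that the page does not state.

```python
import math

# Per-service requests taken from the expansions in the sizing table above,
# as (CPU cores, RAM in GB). "Remaining services" are the fixed 4+2+2 CPU
# and 6+4+4 GB entries that are not autoscaled.
PER_PREPARER = (6, 16)
PER_ANALYZER = (6, 24)
PER_ADAPTER = (4, 6)
REMAINING_SERVICES = (4 + 2 + 2, 6 + 4 + 4)
MAX_ADAPTERS = 3  # the ASCP Adapter service does not scale beyond 3


def max_resources(adapters, preparers, analyzers):
    """Return (max CPU, max RAM GB) for the given replica counts, applying
    the formula from the text and capping adapters at MAX_ADAPTERS."""
    if min(adapters, preparers, analyzers) < 1:
        raise ValueError("each service needs at least one replica")
    adapters = min(adapters, MAX_ADAPTERS)
    cpu = (preparers * PER_PREPARER[0] + analyzers * PER_ANALYZER[0]
           + adapters * PER_ADAPTER[0] + REMAINING_SERVICES[0])
    ram = (preparers * PER_PREPARER[1] + analyzers * PER_ANALYZER[1]
           + adapters * PER_ADAPTER[1] + REMAINING_SERVICES[1])
    return cpu, ram


def replicas_for_peak(peak_scans, source_or_binary_fraction):
    """Hypothetical sizing rule (an assumption, not from the product docs):
    every in-flight scan occupies one analyzer, while only scans submitted
    as source code or a binary occupy a preparer; IRX submissions skip it."""
    if not 0.0 <= source_or_binary_fraction <= 1.0:
        raise ValueError("fraction must be between 0 and 1")
    preparers = max(1, math.ceil(peak_scans * source_or_binary_fraction))
    analyzers = max(1, peak_scans)
    return preparers, analyzers


if __name__ == "__main__":
    # Constructed peak profile: 10 concurrent scans, 40% source/binary, 60% IRX
    preparers, analyzers = replicas_for_peak(10, 0.4)
    cpu, ram = max_resources(3, preparers, analyzers)
    print(f"preparers={preparers} analyzers={analyzers} "
          f"maxCPU={cpu} maxRAM={ram}GB")
```

Rows 1 and 2 of the table reproduce exactly from the formula; recompute the larger rows with the same helper before sizing a cluster on them.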