Configuring for concurrent scanning

An AppScan 360° SAST scan consists of two steps:

  1. Prepare a scan for analysis.

    This operation is performed by the preparer service when the end user submits source code or a binary such as a .war file for scanning.

  2. Analyze a scan.

    This operation is performed by the analyzer service. The input file to this service can be supplied by the preparer, or directly by an end user who chooses to perform the prepare step on their own client system using the tools provided (for example, AppScan Go!).

Concurrent scans can be run by configuring the maximum number of preparers and analyzers, as required, to allow Kubernetes to autoscale the number of each service available for scanning. Since the time to prepare or analyze varies by scan, concurrency is specific to each of these operations.

The maximum number of each service depends on the expected peak scan load profile, that is, the peak number of scans submitted, percentage scanning source code/binary, and percentage scanning IRXs.

Because of these unknowns, it may not be possible to define the optimal configuration at initial deployment. The AppScan 360° SAST configuration can be adjusted later based on the actual scan load, and by monitoring the RabbitMQ queues to determine the average time a scan waits for either service to become available.

The RabbitMQ management portal can be accessed through the ingress by enabling the following property while installing or reconfiguring AppScan 360° SAST:

rabbitmq:
  ingress:
    enabled: true
    hostname: <fqdn to access rabbitmq portal>

The initial configuration can specify an equal number of preparers and analyzers and can be adjusted over time.

To achieve the default scan concurrency (25 scans), the minimum resource configuration is:

  CPU        RAM     HDD
  120 cores  820 GB  500 GB

If large scans are being submitted, provision with additional resources to achieve desired performance.

Use the following table to help calculate the total (minimum) resources required for some sample configurations, based on the out-of-the-box defaults configured for the components.

Note: To achieve concurrency, there must be sufficient resources available, including:
  1. The number of AppScan 360° licenses issued during the ASCP installation.
  2. Kubernetes configuration and availability of resources that allow multiple preparers and analyzers to be up and running at the same time.

  ASCP adapters  Preparers  Analyzers  Minimum CPU (cores)  Minimum RAM (GB)
  1              1          1          9                    42
  3              25         25         107                  814
  3              10         25         77                   574

Note: The ASCP Adapter service is limited to scale up to a maximum of three. A further increase is not required.

Resource configuration (advanced users)

Calculation for total resources:

  total = (number of preparers × resources per preparer)
        + (number of analyzers × resources per analyzer)
        + (number of ASCP adapters × resources per adapter)
        + total resources for the remaining services (these services are not autoscaled)
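As an added example (not code from the AppScan 360° documentation), the following Python applies this formula to the three sample rows in the table above and enforces the three-adapter cap. The per-component figures are assumed placeholders chosen so that the arithmetic reproduces those rows; the real values come from your deployment's component defaults.

```python
# Added example, not from the AppScan 360° documentation: applies the sizing
# formula above to the sample rows in the table. The per-component figures
# below are ASSUMED placeholders chosen so the arithmetic reproduces the rows;
# they are not the product's published defaults.
from dataclasses import dataclass


@dataclass(frozen=True)
class Resources:
    cpu: int  # cores
    ram: int  # GB

    def __add__(self, other: "Resources") -> "Resources":
        return Resources(self.cpu + other.cpu, self.ram + other.ram)

    def __mul__(self, n: int) -> "Resources":
        return Resources(self.cpu * n, self.ram * n)


# ASSUMED per-replica figures (placeholders, not vendor defaults).
PER_PREPARER = Resources(cpu=2, ram=16)
PER_ANALYZER = Resources(cpu=2, ram=16)
PER_ADAPTER = Resources(cpu=1, ram=2)
# ASSUMED fixed cost of the services that are not autoscaled (RabbitMQ, etc.).
REMAINING_SERVICES = Resources(cpu=4, ram=8)

MAX_ADAPTERS = 3  # the page states the adapter service scales to at most three


def total_resources(preparers: int, analyzers: int, adapters: int) -> Resources:
    """Minimum cluster resources for the given replica counts.

    Raises ValueError when a count is below one or the adapter count exceeds
    the documented maximum, since extra adapters add no scan concurrency.
    """
    if min(preparers, analyzers, adapters) < 1:
        raise ValueError("each service needs at least one replica")
    if adapters > MAX_ADAPTERS:
        raise ValueError(f"ASCP adapters are capped at {MAX_ADAPTERS}")
    return (PER_PREPARER * preparers
            + PER_ANALYZER * analyzers
            + PER_ADAPTER * adapters
            + REMAINING_SERVICES)


if __name__ == "__main__":
    # Sample rows from the page's table: (adapters, preparers, analyzers).
    for adapters, preparers, analyzers in [(1, 1, 1), (3, 25, 25), (3, 10, 25)]:
        r = total_resources(preparers, analyzers, adapters)
        print(f"{adapters} adapters, {preparers} preparers, {analyzers} analyzers"
              f" -> {r.cpu} cores, {r.ram} GB RAM")
```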