OWASP Benchmark with IAST agent

About this task

The OWASP Benchmark Project is a Java test suite designed to evaluate software vulnerability detection tools. The AppScan IAST Java Agent is fully compliant with OWASP Benchmark.

Run OWASP Benchmark with AppScan IAST Java agent


  1. Clone BenchmarkJava and BenchmarkUtils from https://github.com/OWASP-Benchmark.
  2. Open a command prompt, change to the BenchmarkUtils directory, and run mvn install -DskipTests.
  3. In ASoC, start an IAST Java session and download the agent zip as described in Starting an IAST session.
  4. Extract the contents of the zip file.
  5. In the extracted JAR, locate secagent.jar in the jar_deployment folder and copy it to BenchmarkJava\tools\HCL.
  6. From a command prompt, run runBenchmark_wHCL.bat, and wait for a few moments until the message '[INFO] Press Ctrl-C to stop the container...' is displayed.
  7. Open another command prompt and run BenchmarkJava\runCrawler.bat.
  8. After the crawl is complete, press Ctrl+C to stop the Benchmark Tomcat instance. When asked 'Terminate batch job (Y/N)?', enter N.
  9. Run BenchmarkJava\createScorecards.bat.
    The test results can be found in:

    BenchmarkJava\scorecard\Benchmark_v1.2_Scorecard_for_HCL_AppScan_IAST_v{IAST_version} files

    Figure 1. OWASP Benchmark v1.2 result comparison
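
To read the scorecards produced in step 9, it helps to know the metric behind them: the Benchmark rates a tool per vulnerability category as true positive rate minus false positive rate. The following Python is an added example, not code from the Benchmark project or from HCL; the CSV rows and flagged findings are constructed samples, score is a hypothetical helper, and matching findings on test name plus CWE is an assumption about how results are compared.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of the Benchmark's expected-results CSV:
# test name, category, real vulnerability, CWE.
EXPECTED_CSV = """\
# test name, category, real vulnerability, cwe
BenchmarkTest00001,pathtraver,true,22
BenchmarkTest00002,pathtraver,false,22
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,true,89
BenchmarkTest00005,sqli,false,89
BenchmarkTest00006,sqli,false,89
"""

# Constructed tool output: (test name, CWE) pairs the tool flagged.
FLAGGED = {
    ("BenchmarkTest00001", 22),
    ("BenchmarkTest00003", 89),
    ("BenchmarkTest00005", 89),   # false positive: test case is not vulnerable
    ("BenchmarkTest00002", 79),   # wrong CWE for this test case, so not counted
}


def score(expected_csv, flagged):
    """Return {category: (tpr, fpr, score)} with score = TPR - FPR."""
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    rows = csv.reader(io.StringIO(expected_csv))
    for row in rows:
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and the header comment
        name, category, vulnerable, cwe = (f.strip() for f in row[:4])
        hit = (name, int(cwe)) in flagged
        real = vulnerable.lower() == "true"
        key = ("tp" if hit else "fn") if real else ("fp" if hit else "tn")
        counts[category][key] += 1
    result = {}
    for category, c in counts.items():
        positives, negatives = c["tp"] + c["fn"], c["fp"] + c["tn"]
        tpr = c["tp"] / positives if positives else 0.0
        fpr = c["fp"] / negatives if negatives else 0.0
        result[category] = (tpr, fpr, tpr - fpr)
    return result


if __name__ == "__main__":
    for category, (tpr, fpr, s) in sorted(score(EXPECTED_CSV, FLAGGED).items()):
        print(f"{category:12} TPR={tpr:.0%} FPR={fpr:.0%} score={s:.0%}")
```

A tool that flags every test case and a tool that flags none both score 0 under this metric, which is why a high detection count alone says little about scorecard position.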