Home
DAST
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Dynamic (DAST) scanning
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
Test optimization
Test Optimization uses intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.

DAST
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
- Dynamic (DAST) scanning
  ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Create scan
    Provide the Starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Create scan from template
    You can upload your own AppScan Standard template (SCANT) file to run an ASoC scan.
  - Create scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an ASoC scan.
  - Recording traffic
    You can download and install the free AppScan Activity Recorder browser extension (for Chrome or Edge), the AppScan Traffic Recorder extension, or use AppScan Standard.
  - Using AppScan Standard
  - Test policy
    The AppScan Standard Default test policy is used when running scans from the ASoC UI, but other policies can be applied with imported scans, or scans run from the API.
  - Test optimization
    Test Optimization uses intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.
  - Test automation
    This section describes how to incorporate dynamic scanning in your functional testing.
  - Client certificates
- AppScan Presence
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
- AppScan Traffic Recorder
  The AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet.

Test optimization

Test Optimization uses intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.

A full regular scan typically sends thousands of tests and may take hours, in some cases days, to complete. During the early stages of development, or for a quick overall evaluation of the current security posture of your product, you can use Test Optimization to get the results you need in a shorter time frame by choosing a balance between speed and issue coverage. There are three levels of optimization, and the table below shows some suggested use cases for each level.

Our intelligent test filters are based on statistical analysis, and filter out certain tests – or even specific test variants – to produce a shorter scan that identifies the more common, severe and otherwise important vulnerabilities only. Using Test Optimization can greatly reduce overall scan time when fast results are more important to you than a thorough, in-depth scan. Later in the development cycle, or at specific intervals, you may decide to use the Normal (full) scan for a more complete security picture.

Test Optimization is configured in DAST scan setup.


Setting	Vulnerabillity coverage*	Test stage speed	Suggested use
No optimization	Maximum	Full length scan (as configured)	For security experts before a major releases, compliance testing, and benchmarks, when a longer scan will not interrupt your development workflow. With this setting all issues in the selected Test Policy are tested for.
Fast (default)	~97%	Up to twice as fast	For security experts for their more frequent scans.
Faster	~85%	Up to five times as fast	For DevSecOps, during ongoing evaluation.
Fastest	~70%	Up to ten times as fast	For Dev and QA during initial evaluation.

* Compared with an equivalent, non-optimized scan, and applies to actual Vulnerabilities, not Informational Issues.

Important: The values shown in the table above are estimates based on some typical applications, but the actual reduction in scan time and extent of issue coverage will vary depending on your specific application.

See also: Test Optimization FAQ