Workflow examples for managing application security

These workflow examples explain how you can start to manage applications: depending on whether you are using AppScan® Enterprise for the first time or you want to associate existing scans with new applications. Pick the example that best suits your needs, or use parts of examples as a starting point to create your own workflow.

Creating applications and scans

If you are a new user or current user of AppScan Enterprise and you decide not to migrate existing scans, you can create new applications and new scans.

Procedure

  1. Set up an application profile.
    1. Delete the predefined attributes that are not relevant to your organization.
    2. Create attributes that describe your applications.
  2. Create formulas to define risk.
    1. Validate that the predefined formulas are relevant to your organization.
    2. Create formulas that reflect your interpretation of business risk.
  3. Create an application. If you already track your applications in a .csv file, import it.
  4. Assign permissions to users for the application.
  5. Create scans for the application or import issues from a 3rd-party scanner.
  6. Conduct issue triage on an application's issues.
  7. Resolve the discovered security issues.
  8. Evaluate the security risk of the application.

Migrating existing scans into an application view

This migration process gives you the chance to do some maintenance and remove any scans that are not needed. If you are an AppScan Enterprise customer, your scans and folders in the Folder Explorer view might be organized by business unit, application, or even by geographical location. This type of structure makes it easier to use the Monitor view because all of the relevant scans are already logically grouped.

About this task

It is important to understand that applications and folders are not structurally related; you are not creating applications within folders. You use the scans that are grouped in folders as a starting point to create your applications in the Monitor view.

Procedure

  1. Take an inventory of your existing scans and folder structures by doing the following steps for each folder in the Folder Explorer view:
    1. Look at each scan to ensure that you have complete coverage for the application.
    2. Delete the scans that are no longer relevant.
    3. Identify areas of your website that are not covered so that you can create scans.
  2. Set up an application profile.
    1. Delete the predefined attributes that are not relevant to your organization.
    2. Create attributes that describe your applications.
  3. Create formulas to define risk.
    1. Validate that the predefined formulas are relevant to your organization.
    2. Create formulas that reflect your interpretation of business risk.
  4. Export the application list. The exported CSV file contains a row of application attribute column headers. Add your application details to the file so that you can create multiple applications at one time when you import the file.
  5. Import the .csv file.
  6. Create an application for the first folder.
  7. Associate existing scans with the application by selecting and adding multiple scan jobs. This method eliminates the work of associating scans individually, especially if you have many scans to work with.
    Tip: Consider flattening the hierarchy to see all of your scans. If you have many scans in the hierarchy, performance might be affected.
  8. For each application, edit the specific attributes for it and consider the business impact. If you do not know all the information for each attribute, make note of it and come back to it later.
  9. Give user access control to each application.