Home
Reference
Review reference information for the product.
Folder Explorer topics
Learn about folder explorer topics.
Creating scans in the Folder Explorer
Learn how to create scan in the folder explorer.
Optimizing your scan with advanced configuration options
Use this task to configure an advanced scan with complex configuration. Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
Correlating static analysis data with dynamic analysis data
Import data from AppScan® Source to correlate its findings with an existing dynamic analysis security scan (AppScan Enterprise Server content scan job or an AppScan Standard import job).
How correlation (hybrid analysis) works
No single automated analysis technique can find all possible vulnerabilities; each technique has its own strengths and weaknesses. Dynamic Analysis Security Testing (DAST) tests a running web application by probing it in ways similar to what a hacker would use. Static Analysis Security Testing (SAST) examines the source code of an application for potential vulnerabilities.
Best practices for hybrid analysis
Because the testing approaches are so different, however, the correlation percentage can be relatively low. The challenges and strengths for each type of analysis differ, as depicted in this table.

Reference
Review reference information for the product.
- Configuring Wizard topics
  Learn about configuring wizard topics.
- Folder Explorer topics
  Learn about folder explorer topics.
  - Creating scans in the Folder Explorer
    Learn how to use scan in folder explorer.
  - Creating scans in the Folder Explorer
    Learn how to create scan in the folder explorer.
    - Creating a QuickScan template using scan properties from AppScan Enterprise
      A QuickScan template comprises either a content scan job or an import job, plus a report pack. After you create scan templates in the Templates folder in the Folder list, they will automatically be available as scan templates to QuickScan users and to more advanced users who have their QuickScan View turned on in the Show Folder Explorer list. When a QuickScan user creates a scan, a job and report pack will be created based on the template, but will only appear to the QuickScan user as a scan.
    - Configuring a basic scan without security testing
      Use this task to configure a basic scan with minimal configuration. This scan will automatically discover more URLs to test in your web application. Use this method for an application that has a lot of static links and does not require a lot of user interaction. This scan does not test for security issues, but helps you start exploring your site to determine complete site coverage.
    - Configuring a security scan using scan properties in AppScan Enterprise
      Security scans should be performed in a preproduction environment, such as on a staging or Quality Assurance server. Doing so helps you contain the risks associated with performing security scans. Your preproduction environment should mirror the production environment as much as possible; the application should have the same executable files in both environments so that you know you are thoroughly testing your exposed applications. Security scans should also be integrated into your Software Development Life cycle (SDLC) process so that you can catch security issues before they make their way into your production environment.
    - How a security scan works
      A security scan has two distinct phases: Explore and Test.
    - Workflow for security testing
      A security scan requires careful configuration so that it can find all the URLs on your web application and then test them for vulnerabilities.
    - How JavaScript™ source code analysis works
      JavaScript™ Security Analyzer (JSA) performs static JavaScript source code analysis to detect a range of client-side issues, primarily DOM-Based Cross Site Scripting. JSA analyzes the HTML pages that AppScan® Enterprise collected during the Explore stage. JSA runs in parallel to the Test stage, or can be launched manually on existing Explore results at any time.
    - Optimizing your scan with advanced configuration options
      Use this task to configure an advanced scan with complex configuration. Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
      - Adding additional servers and domains to the scan
        To account for additional domains and multiserver environments, add any additional servers and domains to the scan's What to Scan page.
      - Finding more content
        An XRule is an XML script used to enhance the scanning of your website or application and to search the database for information that has been collected by a scan. When using it to enhance the ability of the job to scan a site, an XRule can find links inside a Flash file, find dynamically-created links inside JavaScript™, or get past a login routine.
      - Scanning WebSphere® Portals
        Specify the portal to scan.
      - Setting scan limits
        Set scan limits to focus the scan. You can limit the scan by the number of pages, the path of redundant content or click depth.
      - Excluding URLs from a scan
        Exclusions are used to exclude specific files, directories or file types from being analyzed during the scan. You might have a section of your site that would negatively affect the overall scan results if it was included in the analysis, possibly because it is under construction and has known issues. By excluding this section of your site, you can prevent it from affecting the report and dashboard results.
      - Normalizing URLs and forms
        Normalization rules help the scan job determine whether URLs and forms are unique so that they are not repeated incorrectly in your reports.
      - Defining parameters and cookies
        You might have parameters and cookies that require special treatment, such as Session IDs and parameters that you do not want the scan to manipulate.
      - Handling login and logout pages
        Configure how the scan handles the login and logout pages of a web application. Use a login sequence to follow a complex login process or enter regular expressions for detecting logout pages that the scan will encounter. Logout pages are identified to prevent the scan from logging out of the application or website prematurely.
      - Completing web forms automatically
        Use Automatic Form Fill to supply a content scan job with values for form fields that it encounters. Using the field values that you provide, the scan can continue uninterrupted to discover more URLs and content for analysis.
      - Connecting to a web server
        Define the scan job's behavior as it connects to your network.
      - Authenticating to the website
        When the scan job encounters a page that requires Windows™ NT® authentication, it automatically provides the user name and password that you choose. You can add user names and passwords for authenticated pages. Client side certificates dictate whether the scan engine and manual explore/recorded login rely on a particular client certificate file or the service account's certificate store for authentication with the server they are trying to scan.
      - Identifying custom error pages so the scan recognizes them
        Custom error pages are used on websites to ensure that a user does not hit a "dead end" when they encounter a broken link. Instead, the error page guides the user to another page, such as a home page.
      - Configuring scanning for privacy statement links
        It is important that a website visitor can easily determine how data is going to be used when a website asks for information. A website's privacy policy will describe why data is being collected, who will be given access to the data and what types of rights the website visitor has regarding that data after it is submitted. Providing a link from a page that contains a form collecting personal data to the privacy policy governing that data is the best way of providing information to the user when they need it.
      - Manually exploring your site to add more URLs to the scan
        A Manual Explore means you will be indicating the exact URLs for the scan to test in the configuration (the scan will not automatically crawl to discover new URLs). Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
      - Correlating static analysis data with dynamic analysis data
        Import data from AppScan® Source to correlate its findings with an existing dynamic analysis security scan (AppScan Enterprise Server content scan job or an AppScan Standard import job).
        How correlation (hybrid analysis) works
        No single automated analysis technique can find all possible vulnerabilities; each technique has its own strengths and weaknesses. Dynamic Analysis Security Testing (DAST) tests a running web application by probing it in ways similar to what a hacker would use. Static Analysis Security Testing (SAST) examines the source code of an application for potential vulnerabilities.
        Examples of hybrid analysis
        Here are some examples of hybrid analysis.
        Best practices for hybrid analysis
        Because the testing approaches are so different, however, the correlation percentage can be relatively low. The challenges and strengths for each type of analysis differ, as depicted in this table.
        Differences between static analysis findings and dynamic analysis issues
        Understand the differences between findings and issues so that reports make sense.
      - Incremental scans
      - Test Optimization view
        Test Optimization uses AppScan®’s intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.
      - Retesting a security issue
        Retesting a security issue provides a quick way to verify that you have indeed fixed an issue. Rather than running an entire job to see results, you can select one or more issues that you have fixed and retest them right away.
    - Capturing and Importing Traffic Data
    - Importing an action-based login file from AppScan Standard
      The action-based login capability in AppScan Standard produces the user's actual actions in the browser, rather than just the requests, and replays the sequence in the browser. Take advantage of this capability by creating an action-based login in AppScan Standard and importing it into AppScan Enterprise to help avoid out-of-session events during scanning.
    - Importing manual explore data from AppScan® Standard
      You can import data that is exported from AppScan® Standard version 7.x (and later) into AppScan Enterprise. Importing this data can save you time and reduce redundant work effort. Only the URLs (parameters and domains) and HTTP requests from the AppScan .exd file are imported.
    - Importing AppScan® data to use in reports
      An import job takes the results from a data file, and integrates it into the AppScan® Enterprise Server database. Imported data can be used to create reports and dashboards. It can also be combined with data from content scan jobs to create a complete picture of your issues.
- Triage with reports
  Reports are automatically generated after a job has run. They provide a way of managing issues so that you can helps you manage issues that are important to your organization and do so in a way that is supported both by the Enterprise Console's workflow and the workflows of other processes within your organization.
- Configuration Manager

Best practices for hybrid analysis

Because the testing approaches are so different, however, the correlation percentage can be relatively low. The challenges and strengths for each type of analysis differ, as depicted in this table.

Bold text indicates strengths.
Dynamic analysis	Static analysis
Awareness	Over approximation
Code coverage	Code/path coverage
Source-free	Limited to given code
HTTP awareness only	More than HTTP validations
Multi-component support	Support per language/framework
Requires deployed application	No need to deploy application
Few prerequisites	Support partial applications
Works as a remote attacker	Integration/deployment issues

For best correlation results:

Pre-filter the SAST issues to the highest severity setting on the Definitive, Suspect issues.
Save a partial assessment or configure the filter to be applied automatically before you publish to AppScan® Enterprise.
With DAST, make sure you explore as much of the application as possible, and use the most comprehensive security test policy that makes sense for the application.
Make sure you analyze the same version of the web application with both approaches.