Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 3: Determining risks and prioritizing vulnerabilities
Learn how to determine risks and prioritize vulnerabilities identified in an application.
Prioritizing Vulnerabilities
Learn how to prioritize vulnerabilities identified in an application.
Triaging issues in an application
All issues are classified as 'new' by default. You can see an issue classification by viewing the issue status. If no issues display for an application, associate a security scan with the application. Otherwise, you must manage your issues from a report in the Scans view. If you move a scan job from one application to another, you won't lose any of your issue management changes.
Differences between managing issues in reports and applications
If a scan is not associated with an application, triage its issues through the reports in the Scans view (same as 9.0.0.1 and earlier). Otherwise, consider these differences when you are classifying issues in scans that are associated with applications.

Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
  - Determining risk
    Now that management and security analysts have a comprehensive view of the applications across the enterprise, it's time to get a complete picture of the application security risk. Use formulas to create rules for automated application asset classification. The automated calculation of an application security risk rating is based on the application's description and discovered vulnerabilities.
  - Prioritizing Vulnerabilities
    Learn how to prioritize vulnerabilities identified in an application.
    - Workflow for issue triage
    - Filtering a list of security issues in an application
      When an application has many scans that discover many vulnerabilities, use filters on the preset issue attributes, such as Issue Severity, Issue Type, or Issue Status to help you reduce the list to a more manageable size.
    - Triaging issues in an application
      All issues are classified as 'new' by default. You can see an issue classification by viewing the issue status. If no issues display for an application, associate a security scan with the application. Otherwise, you must manage your issues from a report in the Scans view. If you move a scan job from one application to another, you won't lose any of your issue management changes.
      - Issue status classifications and workflow
        Issues can be classified as new, open, in progress, noise, reopened, passed, and fixed. Issues with a status of open and in progress and reopened appear in the issues grid of an application.
      - Differences between managing issues in reports and applications
        If a scan is not associated with an application, triage its issues through the reports in the Scans view (same as 9.0.0.1 and earlier). Otherwise, consider these differences when you are classifying issues in scans that are associated with applications.
      - How issue management affects imported issues and vulnerabilities
        You can manage vulnerabilities that are imported from AppScan® Source, AppScan Standard, and AppScan Developer.
    - Monitoring overdue issues
      Security analysts can see the number of applications that have overdue issues so that they can quickly calculate which issues or applications are out of compliance. AppScan Enterprise v9.0.3 includes an Overdue formula that can be modified or used as an example for creating complex formulas. If your organization must comply with the Payment Card Industry standard, you can add that to the formula. Or modify the formula so that if an issue is still marked New after 10 days, and it has a high severity, it is automatically overdue.
    - Editing multiple issues simultaneously
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.

Differences between managing issues in reports and applications

If a scan is not associated with an application, triage its issues through the reports in the Scans view (same as 9.0.0.1 and earlier). Otherwise, consider these differences when you are classifying issues in scans that are associated with applications.

If a scan is associated with an application, then issue management is disabled in the reports that contain security issues only (it doesn't affect the Broken Links report, for example). You must triage the security issues in the associated application in the Monitor view instead. When you triage issues in an application in the Monitor view, the Status and Severity Values (including CVSS values calculated by the formulas) are propagated in the reports in the Scans view; you don't need to rerun the report to see the changes, but you might have to refresh the report screen.

Issue management through application view: In v9.0, issue management privileges were set on the folder that contained a scan. In v9.0.1, issue management is set on the application. Upon upgrade from 9.0, if a scan is already associated with an application, users who used to have issue management privileges on the folder will now have basic permissions on the application so they can continue managing these issues. There is the potential of giving them access to scans they previously were not allowed to access. For example,


v9.0	v9.0.1	Result
Folder A: (Bob has an Issue Manager role) Scan X Scan Y Folder B: (Mary has an Issue Manager role) Scan A Scan B	Application 1 is associated with these scan jobs: Scan X Scan B	Mary now has basic access permissions to Scan B so that she can continue to do her job but she also has access to Scan X, which she didn't have in v9.0.

To restrict a user's permissions to managing issues on specific applications, remove them from the Basic Access on the applications they are not allowed to access. In the example above, remove Mary's Basic Access permissions on Scan X. To find the application that contains Scan X, go to the Scans view and flatten the hierarchy to show only jobs. Find Scan X and click the link for the application name it is associated with. On the Application tab, click View details and in the Users section of the dialog, remove Mary's Basic Access permissions.