Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 3: Determining risks and prioritizing vulnerabilities
Learn how to determine risks and prioritize vulnerabilities identified in an application.
Prioritizing Vulnerabilities
Learn how to prioritize vulnerabilities identified in an application.
Triaging issues in an application
All issues are classified as 'new' by default. You can see an issue classification by viewing the issue status. If no issues display for an application, associate a security scan with the application. Otherwise, you must manage your issues from a report in the Scans view. If you move a scan job from one application to another, you won't lose any of your issue management changes.
How issue management affects imported issues and vulnerabilities
You can manage vulnerabilities that are imported from AppScan® Source, AppScan Standard, and AppScan Developer.

Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
  - Determining risk
    Now that management and security analysts have a comprehensive view of the applications across the enterprise, it's time to get a complete picture of the application security risk. Use formulas to create rules for automated application asset classification. The automated calculation of an application security risk rating is based on the application's description and discovered vulnerabilities.
  - Prioritizing Vulnerabilities
    Learn how to prioritize vulnerabilities identified in an application.
    - Workflow for issue triage
    - Filtering a list of security issues in an application
      When an application has many scans that discover many vulnerabilities, use filters on the preset issue attributes, such as Issue Severity, Issue Type, or Issue Status to help you reduce the list to a more manageable size.
    - Triaging issues in an application
      All issues are classified as 'new' by default. You can see an issue classification by viewing the issue status. If no issues display for an application, associate a security scan with the application. Otherwise, you must manage your issues from a report in the Scans view. If you move a scan job from one application to another, you won't lose any of your issue management changes.
      - Issue status classifications and workflow
        Issues can be classified as new, open, in progress, noise, reopened, passed, and fixed. Issues with a status of open and in progress and reopened appear in the issues grid of an application.
      - Differences between managing issues in reports and applications
        If a scan is not associated with an application, triage its issues through the reports in the Scans view (same as 9.0.0.1 and earlier). Otherwise, consider these differences when you are classifying issues in scans that are associated with applications.
      - How issue management affects imported issues and vulnerabilities
        You can manage vulnerabilities that are imported from AppScan® Source, AppScan Standard, and AppScan Developer.
    - Monitoring overdue issues
      Security analysts can see the number of applications that have overdue issues so that they can quickly calculate which issues or applications are out of compliance. AppScan Enterprise v9.0.3 includes an Overdue formula that can be modified or used as an example for creating complex formulas. If your organization must comply with the Payment Card Industry standard, you can add that to the formula. Or modify the formula so that if an issue is still marked New after 10 days, and it has a high severity, it is automatically overdue.
    - Editing multiple issues simultaneously
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.

How issue management affects imported issues and vulnerabilities

You can manage vulnerabilities that are imported from AppScan® Source, AppScan® Standard, and AppScan® Developer.

If you manage issues in AppScan® Enterprise, you can use the default setting of the Enterprise Console, Administration > General Settings > Enterprise Console Settings > Issue Attributes. Issue attributes, such as the status and severity of existing vulnerabilities or the Comments field in the About this Issue report, are not overwritten when you import a file from AppScan® Standard, AppScan® Source, or AppScan® Developer. If you manage the status and severity of the vulnerabilities outside of AppScan® Enterprise, you can change the default setting of the Enterprise Console. Consequently, when the file is imported, those settings are taken from the imported file.

Issues are treated globally in AppScan Enterprise, regardless of the scan or import file that originally discovered them. Subsequent imports of the same settings file does not change these issues even if the Use Settings from Imported File check box is selected. However, upon subsequent imports of the same settings file, any new vulnerabilities are created in AppScan Enterprise as new issues, according to the settings of the imported file.