Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 2: Testing applications for vulnerabilities
Learn how to test vulnerabilities identified in an application.
Importing issues from third-party scanners
Learn how to import issues from 3rd-party scanners.
Preparing a CSV file for import
CSV files of issues must be configured properly to ensure that the issues are successfully imported.

Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
  - Importing issues from third-party scanners
    Learn how to import issues from 3rd-party scanners.
    - Issue attributes
      This table describes a few of the predefined issue attributes in AppScan Enterprise.
    - Creating an issue profile template
      If you are a Product Administrator, you can create customized attributes for the issue profile template. These customized attributes are used whenever a new issue is imported.
    - Creating third-party scanners
      AppScan Enterprise offers several ways to import issues into the portfolio for triaging.
    - Preparing a CSV file for import
      CSV files of issues must be configured properly to ensure that the issues are successfully imported.
    - Importing issues from a third-party scanner
      Import issues from a third-party scanner or from manual pen testing so that you can triage them. These issues are marked as 'New' so that you can easily identify them in the list of issues that you must address.
    - Importing issues from an exported report from AppScan Standard
      Import issues from AppScan® Standard v9.0.3 so that you can triage them. These issues are marked as 'New' so that you can easily identify them in the list of issues that you must triage.
  - Scenarios for creating scans
    These scenarios are targeted at developers and the security team. Choose the user role that most closely matches your situation.
  - Running and scheduling jobs
    Learn how to run and schedule a job in AppScan Enterprise.
  - Copying a scan between two Enterprise Consoles
    Export scan properties and creating a new scan based on those properties. This is the method you use to copy a scan between two Enterprise Console instances.
  - Stopping a job and then resuming it
    There are three methods you can use to stop a job while it is running. Each method is used for a different reason, which largely depends on whether you want to keep the data or you want to continue running the job from the point where it left off. You can resume a suspended job to continue the scan from where it stopped. A resumed job is handled by the next free agent on any available agent server.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.

Preparing a CSV file for import

CSV files of issues must be configured properly to ensure that the issues are successfully imported.

Procedure

In your third-party scanner, scan your environment for vulnerabilities and export a comma-separated value (CSV) file of the issues.

Tip:

Make sure that the CSV uses UTF-8 encoding.
If the field or cell contains a comma, the field or cell must be enclosed by double quotation marks (").

Examine the CSV file to determine what issue attributes make the issue unique. It's important that you really know your data, and what makes each row in the file unique.
For example, in this CSV file, the port and the name combination make the issue unique.
Make sure that the CSV file has a column attribute that maps to the Issue Type attribute in AppScan Enterprise.
This accomplishes two things:
- The severity level of the issue type is used; otherwise, the issue imports with an 'information' severity level.
- It helps to ensure that the advisories and fix recommendations for the issue type are included in the About this Issue dialog.
AppScan Enterprise includes 2 predefined scanner profiles that import CSV files. Here's how they map to the issue type attribute:
Scanner Profile Issue Attribute Name mapping
Generic Issue Type
Whitehat Sentinel Class
To get the exact name of the issue type, you can go to the Administration > Issue Types page and copy the exact issue type name into the CSV file. For example, an “IBM Lotus Domino Cross-Site Scripting? issue type is different from an ‘IBM Metrica Cross-Site Scripting? issue, and the advisories and fix recommendations might be different for each type.