Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 2: Testing applications for vulnerabilities
Learn how to test vulnerabilities identified in an application.
Scenarios for creating scans
These scenarios are targeted at developers and the security team. Choose the user role that most closely matches your situation.
Developers
The developer team creates scan templates using different methods and user interfaces in AppScan.
Creating a scan from a template
Depending on the method your security team uses to create a scan template, you might use the AppScan Dynamic Analysis Client or the AppScan Enterprise user interface to create your scans. These topics describe each task you might need.
Creating a scan using the GraphQL template
In the AppScan Enterprise 10.1.0 release, GraphQL template is introduced to scan the APIs that contain GraphQL queries. In this initial version of the template, the capabilities are limited to only the APIs with GraphQL queries and not the web applications.
Recording the APIs using the ADAC client using external tools and proxy ports
Create a GraphQL scan by recording the APIs using the ADAC client using external tools and proxy ports.

Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
  - Importing issues from internal or third-party scanners
    Learn how to import issues from internal and 3rd-party scanners.
  - Scenarios for creating scans
    These scenarios are targeted at developers and the security team. Choose the user role that most closely matches your situation.
    - Overview of scan configuration differences in v9.0.2 and higher and in previous versions
      The security team (whose members have Administrator privileges) creates templates by using scan configuration that they author in AppScan Standard. The scan template file is then available for use in AppScan Enterprise. Developers (with QuickScan user privileges) pick up the template when they create a scan, and use a wizard in the new AppScan Dynamic Analysis Client to finish the scan creation. They use the same Client when they need to amend the scan configuration.
    - Developers
      The developer team creates scan templates using different methods and user interfaces in AppScan.
      - Creating a scan from a template
        Depending on the method your security team uses to create a scan template, you might use the AppScan Dynamic Analysis Client or the AppScan Enterprise user interface to create your scans. These topics describe each task you might need.
        Types of scan templates
        These are the available scan templates in AppScan Enterprise. The security team might also create templates that are specific to your organization.
        Creating a scan based on a template using AppScan Standard scan properties
        Create scans that use templates that are based on scan configuration options from AppScan Standard. An easy-to-use wizard (AppScan Dynamic Analysis Client) takes you through the scan configuration options, including action-based login and manual explore features.
        Creating a scan based on a template using AppScan Enterprise scan properties
        A QuickScan crawls your site to discover its content using parameters set in a scan template created by an Administrator. After it is collected by the scan, the data is stored in a database for analysis by the reporting engine and made available to you through report packs, which are collections of reports. Most of your data analysis tasks will focus on the data provided in these reports.
        Creating a scan using the GraphQL template
        In the AppScan Enterprise 10.1.0 release, GraphQL template is introduced to scan the APIs that contain GraphQL queries. In this initial version of the template, the capabilities are limited to only the APIs with GraphQL queries and not the web applications.
        How to get the GraphQL template
        GraphQL template is used to scan the APIs with GraphQL queries. In this topic you can learn the ways in which you can get the GraphQL template.
        Adding the APIs using AppScan Enterprise Postman REST API
        Create a GraphQL scan by adding the APIs using AppScan Enterprise Postman REST API
        Recording the APIs using the ADAC client using external tools and proxy ports
        Create a GraphQL scan by recording the APIs using the ADAC client using external tools and proxy ports.
        Recording the APIs using the ADAC client using Postman or SoapUI
        Create a GraphQL scan by Recording the APIs using the ADAC client using Postman or SoapUI.
        Creating a scan from AppScan Standard using AppScan Connect
        You can import the Postman collection in a scan job using AppScan Standard and then replicate this job in AppScan Enterprise.
      - Editing a scan
        You can edit a basic scan to modify configuration options. If you need help editing your scan or you need more settings added to it, ask your security team to help you. They can edit your scan from an advanced view in the AppScan Dynamic Analysis Client.
      - Creating an import scan
        An import QuickScan uploads AppScan® files using parameters set in a scan template created by a Product Administrator. After the file is uploaded, its data is stored in a database for analysis by the reporting engine and made available to you through report packs, which are collections of reports.
    - Security Team
      Using scan configuration authored in AppScan standard, the security team creates templates.
    - Converting scan configurations from AppScan® Standard in the AppScan® Dynamic Analysis Client
      If you have an existing content scan that is based on a scan template (*.scant) from AppScan® Standard, you can convert the scan configuration so that you can edit it directly in the AppScan Dynamic Analysis Client. However, after you convert the scan configuration, you cannot open it again in AppScan Standard.
  - Running and scheduling jobs
    Learn how to run and schedule a job in AppScan Enterprise.
  - Copying a scan between two Enterprise Consoles
    Export scan properties and creating a new scan based on those properties. This is the method you use to copy a scan between two Enterprise Console instances.
  - Stopping a job and then resuming it
    There are three methods you can use to stop a job while it is running. Each method is used for a different reason, which largely depends on whether you want to keep the data or you want to continue running the job from the point where it left off. You can resume a suspended job to continue the scan from where it stopped. A resumed job is handled by the next free agent on any available agent server.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.

Recording the APIs using the ADAC client using external tools and proxy ports

Create a GraphQL scan by recording the APIs using the ADAC client using external tools and proxy ports.

Procedure

On the AppScan Enterprise Scan page, click Create Folder Item.
Select the Job using template radio-button and in the drop-down list, select the option GraphQL template.
Click the Create button. The browser launches the AppScan Dynamic Analysis Client (ADAC).
Navigate to the Manual Explore section, click Add, select External client, and then select Others.
Configure the external tool to use the proxy port and IP for the local client displayed on the Record Traffic window.
Once configured, run the collection in the external tool.
After you run the collection, in the Record Traffic window, click the Stop Recording button and then click Save.
In ADAC window, select the checkbox under domains detected for the domains to be included in the scanning.
Navigate to Job Properties, select a desired Test Policy, and click Create Job.
Run the scan.