Glass box scanning: testing application code during a scan

While regular scanning treats the application as a "black box", analyzing its output without looking inside it, glass box scanning uses an agent installed on the application server to inspect the application code itself while the scan runs.

Glass box scanning has the following advantages:

  • During the Explore stage, glass box scanning can reveal HTTP parameters that affect server-side behavior but are never reflected in responses, and which would therefore not be discovered by black box scanning alone.

  • During the Test stage, glass box scanning can verify the success or failure of certain tests, such as Blind SQL Injection, with greater accuracy, resulting in fewer "false positive" results. It can also reveal the existence of certain security issues that cannot be detected by black box techniques.

  • For many issues, glass box scanning enables AppScan® to show you the vulnerability in the actual source code, simplifying both reporting and remediation.
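The two stages described above (finding parameters the server reads but never reflects, and confirming that a test value actually reached a database query rather than inferring it from page behavior) can be illustrated with a toy instrumentation agent. This is an added example, not AppScan's agent or any IBM code; the `Request`, `Database`, `handler` and the `debug` parameter are constructed for illustration, and the "agent" is simply two hooks that record what the application does with each request.

```python
"""Toy glass box agent: server-side hooks that record which request
parameters the application reads and which SQL strings reach the database
driver. Constructed example, not AppScan's agent or any real product code."""

from dataclasses import dataclass, field


@dataclass
class AgentTrace:
    """Everything the agent observed while one request was handled."""
    params_read: set = field(default_factory=set)
    sql_sent: list = field(default_factory=list)


class Request:
    """Minimal request object; the agent hooks parameter access here."""

    def __init__(self, params, trace):
        self._params = params
        self._trace = trace

    def get(self, name, default=None):
        self._trace.params_read.add(name)  # hook: the app read this parameter
        return self._params.get(name, default)


class Database:
    """Stand-in for a DB driver; the agent hooks the query sink here."""

    def __init__(self, trace):
        self._trace = trace

    def execute(self, sql):
        self._trace.sql_sent.append(sql)  # hook: record the exact SQL string
        return []  # constructed: no real database behind this


def handler(request, db):
    """Constructed application code under test. 'debug' changes server-side
    behaviour but is never echoed, so a black box scan cannot see it."""
    user = request.get("user", "")
    if request.get("debug") == "1":
        db.execute("SELECT * FROM audit_log")  # side effect only, no output
    # string concatenation into SQL: the unsafe sink the agent watches
    db.execute("SELECT id FROM users WHERE name = '" + user + "'")
    return "<html>Welcome, " + user + "</html>"


def scan_request(params):
    """Handle one request with the agent attached; return response and trace."""
    trace = AgentTrace()
    body = handler(Request(params, trace), Database(trace))
    return body, trace


def discover_hidden_params(candidates, base_params):
    """Explore stage: a candidate is 'hidden but live' when server-side code
    reads it and its value never appears in the response."""
    hidden = []
    for name in candidates:
        value = "gb_" + name  # unique per candidate so reflection is detectable
        body, trace = scan_request({**base_params, name: value})
        if name in trace.params_read and value not in body:
            hidden.append(name)
    return hidden


def probe_reaches_sql_sink(param, marker, base_params):
    """Test stage: instead of inferring a blind SQL injection result from
    timing or page differences, ask the agent whether the marker arrived
    verbatim inside a query string at the database sink."""
    _, trace = scan_request({**base_params, param: marker})
    return any(marker in sql for sql in trace.sql_sent)


if __name__ == "__main__":
    base = {"user": "alice"}
    print(discover_hidden_params(["debug", "format", "user"], base))  # ['debug']
    print(probe_reaches_sql_sink("user", "GB_MARKER_7", base))  # True
    print(probe_reaches_sql_sink("debug", "GB_MARKER_7", base))  # False
```

`discover_hidden_params` reports `debug` because the handler reads it while the response never reflects its value; `user` is read too, but since it is echoed a black box scan would already find it, and `format` is never read at all. `probe_reaches_sql_sink` answers the Test-stage question directly: the marker sent in `user` appears inside the concatenated query at the sink, whereas the same marker sent in `debug` never reaches any query, which is the kind of server-side confirmation that reduces false positives for blind tests.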

Note: When glass box scanning is configured to run, certain black box tests that check for the same issues are not sent. In exceptional cases you can choose to send both sets of tests.

Including glass box scanning adds an extra dimension to the scan in terms of the kind and number of issues that can be found, and also the remediation information that can be offered.