This section describes how AppScan® Source for Analysis fits into the total AppScan Source solution and provides a basis for understanding the software assurance workflow.

HCL® AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.

When installing AppScan® Source, it is important that the correct installation workflow be followed. These topics guide you through the workflow involved in some sample installation scenarios.

This section describes advanced installation options and activation procedures.

You can customize the installation for the purpose of creating a custom installation wizard - or you can create a custom installer that installs the product silently.

The AppScan® Source custom installation wizard is used for creating silent installers.

You can remove AppScan® Source from the Windows™ Control Panel or with a Linux™ uninstall script. The AppScan Source uninstall does not remove or back up an installed Oracle database. Deleting the AppScan Source user from an Oracle instance is a manual database administrative task.

Before you scan, you must configure applications and projects. This section explains the Application Discovery Assistant, New Application Wizard, and the New Project Wizard. You will learn how to configure attributes for AppScan® Source for Analysis. In addition, this section teaches you how to add existing applications and projects for scanning - and how to add files to projects.

Preferences are personal choices about the appearance and operation of AppScan® Source for Analysis.

This section explains user management, permissions, application and project registration, and port configuration.

AppScan® Source offers a convenient location for auditing user activity. The Audit view logs events such as authentication to the AppScan Enterprise Server, the creation of new users, and the creation of new rules in the database.

Most AppScan® Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database.

To add an AppScan® Source user that will be authenticated via LDAP, you must have configured the AppScan Enterprise Server user repository to use an LDAP repository.

AppScan® Source applications and projects have corresponding files that maintain configuration information required for scanning, as well as triage customization. It is recommended that these files reside in the same directory as the source code, since configuration information (dependencies, compiler options, and so forth) required to build the projects is very similar to that required for AppScan Source to scan them successfully. Best practice includes managing these files with your source control system.

If you install the solidDB® database during the product installation, you must configure solidDB user and administrative user credentials. By default, the settings for the solidDB user are user name ounce and password ounce. The default database administrator user name and password are both dba.

This section explains how to scan your source code and manage assessments.

Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.

With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.

AppScan® Source for Analysis integrates with defect tracking systemsIBM® Rational Team Concert™ to deliver confirmed software vulnerabilities directly to the developer desktop. Defect submission to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.

Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.

In the Report Editor, you create report templates used to generate custom reports.

This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.

AppScan® Source allows you to import Java™ applications from Apache Tomcat and WebSphere® Application Server Liberty profile. You can import Java applications from other application servers by extending the application server import framework, as explained in this topic.

Ounce/Make is a tool that automates the importing of configuration information into AppScan® Source from build environments that use makefile. Ounce/Make eliminates the need to import configuration information from makefiles manually.

The CLI is an interface to core AppScan® Source functionality.

This section describes how to use Ounce/Ant, an AppScan® Source build utility that integrates AppScan Source and Apache Ant. Integrating Ounce/Ant with your Ant environment helps you automate builds and code assessments.

The Data Access API provides access to AppScan® Source-generated assessment results, including findings and finding details. It also provides access to assessment metrics such as analysis date and time, lines of code, V-density, and number of findings.

This section describes the Ounce/Maven plug-in, which uses Maven, an Apache build tool, to integrate AppScan® Source into the Maven workflow.

The Automation Server (ounceautod) allows you to automate key aspects of the AppScan® Source workflow and integrate security with build environments during the software development life cycle (SDLC). The Automation Server allows you to queue requests to scan and publish assessments, and generate reports on the security of application code.

AppScan® Source provides a set of Java™ APIs that allow you to add support for frameworks that are used in your applications. The classes and methods offered in these APIs allow you to account for frameworks for which built-in support is not provided.

AppScan® Source for Analysis includes a sample applicationsample applications that you can use to familiarize yourself with the product.

To get the most out of AppScan® Source, you should understand the basic concepts behind the AppScan Source for Analysis working environment and how to use the options that best fit your workflow.

AppScan® Source for Development views and windows provide alternative presentations of findings, support code editing, and allow you to navigate the information in your workbench. A view might appear by itself, or stacked with other views in a tabbed notebook. You can change the layout of a perspective or window layout by opening and closing views and by docking them in different positions in the Workbench window.

The Common Weakness Enumeration (CWE) is an industry standard list that provides common names for publicly known software weaknesses. This topic lists the CWE IDs that are supported in the current version of AppScan® Source.

AppScan® Source for Development is also delivered as MobileFirst Platform Application Scanning. With MobileFirst Platform Application Scanning, you can work in your existing development environment and perform security vulnerability analysis on IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.

HCL® AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.

The AppScan® Source for Development plug-ins can be used with or without an AppScan Enterprise Server. In server mode, you connect to the server to run scans and access shared data, just as in previous product versions. In the new local mode, AppScan Source for Development runs without ever connecting to an AppScan Enterprise Server - and you cannot access shared items such as filters, scan configurations, and custom rules.

To open an assessment or bundle previously created in AppScan® Source for Analysis that relies on a path variable, you should create a matching variable in your development environment. Creating a variable ensures that the data is available across multiple computers. To share assessment data you must define the appropriate variables.

Depending on the type of project that you are scanning and the type of scanning that you want to conduct, you may need to configure your scan before running it. Projects can be configured to, for example, use an different JDK or JSP compiler than those set by default.

General preferences allow you to tailor some of the AppScan® Source for Development default settings to fit your personal preferences.

General preferences allow you to tailor some of the AppScan® Source for Development default settings to fit your personal preferences.

You can scan an Eclipse or Rational® Application Developer for WebSphere® Software (RAD) workspace, project, or file. This includes scanning Java™ (including Android), JavaServer Pages (JSP), and IBM® MobileFirst Platform projects.

AppScan® Source scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. You can open a saved assessment from AppScan Source for Development or AppScan Source for Analysis. After you scan, you can save the assessment to a file. Then you can open the assessment again at any time. Assessments are saved as filename.ozasmt.

In all views with findings, except the Assessment Diff view in AppScan® Source for Analysis, you can customize the findings table by identifying only the columns and the column order that you wish to see. Each view may have different settings or you can apply the options to all views. To customize the column order, follow the steps in this task topic.

In multiple views that contain findings, you can search specific findings. The search criterion includes bundles, code, files, projects, or vulnerability types. The search results appear in the Search Results view.

Modified findings are findings that have changed vulnerability types, classifications, or severities - or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.

AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebase - and internal or external code editors - help with this process.

After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.

AppScan® Source offers multiple methods for creating and using filters. The main view for filter creation, the Filter Editor view, provides a robust set of rules which can be manually set and then saved to a filter. The Filter Editor view also provides a mechanism for managing filters that you have created - allowing you to easily modify or remove them. Alternately, you can filter the findings table using views that offer graphical representations of the findings - and then save those filters in the Filter Editor view. When you create a filter, the other views update to reflect the filter properties.

Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.

Bundles (a grouping mechanism for findings) allow you to import a snapshot of findings from AppScan® Source for Analysis to AppScan Source for Development. Once findings are in bundles, you can use AppScan Source for Development to open the project that contains the bundle, import the bundle, or open a saved bundle file (file_name.ozbdl).

With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.

AppScan® Source for Development views and windows provide alternative presentations of findings, support code editing, and allow you to navigate the information in your workbench. A view might appear by itself, or stacked with other views in a tabbed notebook. You can change the layout of a perspective or window layout by opening and closing views and by docking them in different positions in the Workbench window.

When you install AppScan® Source, user data and configuration files are stored outside of the installation directory.

The Common Weakness Enumeration (CWE) is an industry standard list that provides common names for publicly known software weaknesses. This topic lists the CWE IDs that are supported in the current version of AppScan® Source.

Learn about auto-triage and analysis of findings from AppScan® Source.

Troubleshooting is the process of finding and eliminating the cause of a problem. Whenever you have a problem with your IBM® software, the troubleshooting process begins as soon as you ask yourself what happened?

If the self-help resources have not provided a resolution to your problem, you can contact HCL® Software Support. HCL Software Support provides assistance in resolving product issues.