Home
Extending product function
Learn how to extend the product.
Customizing the vulnerability database and pattern rules
This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
Customizing input/output tracing through AppScan® Source trace
Some applications (particularly web applications) require input/output tracing to identify security vulnerabilities related to SQL injection, command injection, and cross-site scripting. Through AppScan® Source trace, you can specify a validation routine that, if used, eliminates the reporting of any vulnerability. All other outputs are marked as vulnerabilities if input has not been validated.

Extending product function
Learn how to extend the product.
- Customizing the vulnerability database and pattern rules
  This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
  - Extending the AppScan® Source Security Knowledgebase
    This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans. Custom rules tailor the AppScan® Source Security Knowledgebase (or vulnerability database) to your specific security standards and apply those standards consistently across your enterprise.
  - Customizing input/output tracing through AppScan® Source trace
    Some applications (particularly web applications) require input/output tracing to identify security vulnerabilities related to SQL injection, command injection, and cross-site scripting. Through AppScan® Source trace, you can specify a validation routine that, if used, eliminates the reporting of any vulnerability. All other outputs are marked as vulnerabilities if input has not been validated.
  - Customizing with pattern-based rules
    AppScan® Source pattern-based scanning is an analysis of your source code based on customized search criteria. Pattern-based scanning is similar to grep (grep searches one or more files for a given character string or pattern). Auditors or security analysts performing triage might use pattern-based scanning to search for specific patterns in specific applications or in a project. Once you define a pattern as a vulnerability type, a scan of your source code identifies the pattern as a vulnerability. When AppScan Source finds a match, the item appears in the findings table. The out-of-the-box AppScan Source rule library includes predefined rules and rule sets (collections of rules).
- Extending the application server import framework
  AppScan® Source allows you to import Java™ applications from Apache Tomcat and WebSphere® Application Server Liberty profile. You can import Java applications from other application servers by extending the application server import framework, as explained in this topic.
- HCL® AppScan® Source for Development (Eclipse Plug-in)
  With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.

Customizing input/output tracing through AppScan® Source trace

Some applications (particularly web applications) require input/output tracing to identify security vulnerabilities related to SQL injection, command injection, and cross-site scripting. Through AppScan® Source trace, you can specify a validation routine that, if used, eliminates the reporting of any vulnerability. All other outputs are marked as vulnerabilities if input has not been validated.

User-defined validation routines are routines that process input data and make it safe to pass to output routines. If a validation routine processes input data before passing it to an output routine, no input validation vulnerability exists. Developers may specify their own input validation and encoding routines to work with tracing.