AppScan® Source trace

With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.

AppScan® Source traces the flow of data through an application, across modules and languages. It displays the paths of potentially dangerous data in a call graph, indicating areas where an application may be susceptible to vulnerabilities.

Tracing helps you defeat SQL Injection, cross-site scripting, and other input validation attacks by identifying the lack of approved input validation and encoding routines in applications. You interactively trace the entire call graph, clicking directly from the Trace view to see the source in the development environment or code editor of your choice. Tracing also enables policy enforcement, allowing you to identify approved routines required for proper input validation and encoding, taint propagation, or sinks and sources, and include them in future scans.

When a scan results in a trace, you can create input validation or encoding routines, vulnerabilities, sinks, sources, or taint propagators for specific findings from the Trace view. For example, if you mark a routine as a validation routine in AppScan® Source for Analysis and add it to the AppScan® Source Security Knowledgebase, subsequent scans no longer report Validation.Required or Validation.Encoding.Required findings for data paths on which the routines are called. In the Trace view, you can also define vulnerabilities as a source, sink, or both - and identify a method as a taint propagator, a tainted callback, or not being susceptible to taint.