Home
Developing
Learn how to develop by using the product.
Findings reports and audit reports
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
AppScan® Source reports
Software Security Profile report
The Software Security Profile presents a comprehensive analysis of the characteristics of your application that have direct relevance to its security. It provides a detailed audit of critical security features in software for a particular project. This report helps you verify the implementation of requirements such as encryption, access control, logging, and error handling before certifying the software for deployment.

Developing
Learn how to develop by using the product.
- Scanning source code and managing assessments
  This section explains how to scan your source code and manage assessments.
- Triage and analysis
  Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
- AppScan® Source trace
  With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
- AppScan® Source for Analysis and defect tracking
  AppScan® Source for Analysis integrates with defect tracking systemsIBM® Rational Team Concert™ to deliver confirmed software vulnerabilities directly to the developer desktop. Defect submission to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.
- Findings reports and audit reports
  Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
  - Creating findings reports
  - AppScan® Source reports
    - Creating an AppScan® Source custom report
    - CWE/SANS Top 25 2011 report
      The CWE/SANS Top 25 2011 report is based on the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
    - DISA Application Security and Development STIG report
      This topic provides links to the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) website and guidance documents.
    - Open Web Application Security Project (OWASP) Top 10 2013 and 2017 reports
      This topic provides links to the Open Web Application Security Project (OWASP) website and guidance documents.
    - Open Web Application Security Project (OWASP) Mobile Top 10 report
      This topic provides links to the Open Web Application Security Project (OWASP) website and guidance documents.
    - Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 report
    - Software Security Profile report
      The Software Security Profile presents a comprehensive analysis of the characteristics of your application that have direct relevance to its security. It provides a detailed audit of critical security features in software for a particular project. This report helps you verify the implementation of requirements such as encryption, access control, logging, and error handling before certifying the software for deployment.
- Creating custom reports
  In the Report Editor, you create report templates used to generate custom reports.

Software Security Profile report

The Software Security Profile presents a comprehensive analysis of the characteristics of your application that have direct relevance to its security. It provides a detailed audit of critical security features in software for a particular project. This report helps you verify the implementation of requirements such as encryption, access control, logging, and error handling before certifying the software for deployment.

The composite identifies areas of potential risk and presents recommendations for minimizing those risks. The report helps facilitate an assessment of the overall application security - which is useful for compliance, policy, and architectural reviews. Findings are based on extensive static analysis of source code using a database of flaws, vulnerabilities, industry-specific standards, and general best practices.

The Software Security Profile displays this information:

Report Card: Contains links to the report details and severity indicators summarizing the section.
Overview: Summarizes the purpose of the report and describes the application configuration.
Metrics: Identifies the total number of packages, classes, methods, and lines of code in all of the packages in the project.
Detailed Findings by Category: Reports each vulnerability category found with a vulnerability category name and an icon that indicates the severity level of the vulnerability.