Home
Developing
Learn how to develop by using the product.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Resolving security issues and viewing remediation assistance
AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebase - and internal or external code editors - help with this process.

Developing
Learn how to develop by using the product.
- Scanning source code and managing assessments
  This section explains how to scan your source code and manage assessments.
- Triage and analysis
  Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
  - Displaying findings
    The Findings view, or any view with findings, displays a findings tree (a hierarchical grouping of assessment criteria) and a findings table for each scan. The item that is selected in the findings tree determines the findings that are presented in the table.
  - The AppScan® Source triage process
    The triage process includes manipulating findings through bundles, filters, and exclusions - and comparing assessment results.
  - Sample triage
    This example describes an AppScan® Source triage workflow used by a security analyst. Triage workflow may vary according to your business needs.
  - Triage with filters
    AppScan® Source for Analysis reports on all potential security vulnerabilities and may produce many thousands of findings for a medium to large code base. When you scan, you may find that the findings list contains items that are not important to you. To remove certain findings from the Findings view, you can choose a predefined filter or you can create your own filter. A filter specifies the criteria that determine which findings to remove from view.
  - Triage with exclusions
    After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.
  - Working with bundles
    Bundles (a grouping mechanism for findings) allow you to import a snapshot of findings from AppScan® Source for Analysis to AppScan Source for Development. Once findings are in bundles, you can use AppScan Source for Development to open the project that contains the bundle, import the bundle, or open a saved bundle file (file_name.ozbdl).
  - Working with static analysis fix groups
    Fix groups are a new approach to managing, triaging, and resolving issues found in static analysis scans. After running a static scan, AppScan® Source organizes issues into fix groups based on vulnerability type and the required remediation task.
  - Modifying findings
    Modified findings are findings that have changed vulnerability types, classifications, or severities - or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.
  - Comparing findings
    Use the Diff Assessments action or the AppScanDelta utility to compare assessments. When two assessments are compared, the differences between the two are displayed in the Assessment Diff view or in an .ozasmt file. The results summarize new, fixed/missing, and common findings.
  - Custom findings
    To augment your analysis results, you can create custom findings. These are user-created findings that AppScan® Source for Analysis adds to the currently-open assessment or selected application. Custom findings impact assessment metrics and can be included in reports. Once created, a custom finding is automatically included in future scans of the application.
  - Resolving security issues and viewing remediation assistance
    AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebase - and internal or external code editors - help with this process.
    - Analyzing source code in an editor
      With AppScan® Source, you can analyze or modify source code in an internal editor - or you can choose from a variety of external editors.
  - Supported annotations and attributes
    Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.
- AppScan® Source trace
  With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
- AppScan® Source for Analysis and defect tracking
  AppScan® Source for Analysis integrates with defect tracking systemsIBM® Rational Team Concert™ to deliver confirmed software vulnerabilities directly to the developer desktop. Defect submission to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.
- Findings reports and audit reports
  Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
- Creating custom reports
  In the Report Editor, you create report templates used to generate custom reports.

Resolving security issues and viewing remediation assistance

AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan® Source Security Knowledgebase - and internal or external code editors - help with this process.

About this task

The AppScan® Source Security Knowledgebase offers suggestions for correcting findings. This in-context intelligence for each vulnerability offers precise descriptions about the root cause, severity of risk, and actionable remediation advice. For example, it describes strcpy(), a Buffer Overflow type, as having a high severity level and provides this remediation assistance:

strcpy is susceptible to destination buffer overflow because it does not know the length of the destination buffer and therefore cannot check to make sure it does not overwrite it. You should consider using strncpy that takes a length parameter. strncpy is a security risk as well, although to a lesser degree.

To view the AppScan® Source Security Knowledgebase:

Procedure

In AppScan® Source for Analysis, open the How to Fix view and then select a finding in the findings table. Remediation assistance for that particular finding displays. Alternately, select Help > Security Knowledgebase from the main menu bar to open the entire AppScan® Source Security Knowledgebase in a browser.
In AppScan® Source for Development (Eclipse plug-in), open the How to Fix view and then select a finding in the findings table. Remediation assistance for that particular finding displays.
In AppScan® Source for Development (Visual Studio plug-in), select a finding in a findings table. Select AppScan Source > Knowledgebase Help from the main menu bar - or right-click the finding and select Knowledgebase Help from the menu. This opens the remediation assistance for the selected finding.