Built-in scan configurations

AppScan® Source provides built-in scan configurations. These cannot be modified or removed. Selecting them in the list allows you to duplicate them or view their settings. Built-in configurations can be accessed in server mode or local mode.

Scan configurations

Scan configurations allow you to adapt the analysis and output of scans to meet specific needs for different kinds of applications, scan environments, and security processes. These might be to focus on particular resources the application interacts with, particular timing requirements of a DevSecOps process, or particular vulnerabilities the security team has identified.

Scan adaptations are done by setting various parameters that control the analysis process. Parameters are grouped into scan rules and advanced settings. AppScan® Source built-in scan configurations are based on specific cases that our customers have identified.

AppScan® Source includes the following built-in scan configurations:
  • Android
  • Follow all virtual call targets
  • Large application
  • Maximize findings
  • Maximize traces
  • Medium-to-large application
  • Normal
  • Quick
  • Service code
  • User input vulnerabilities
  • Web balanced
  • Web deep
  • Web preview
  • Web quick
  • Web

Scan configuration groupings

The built-in scan configurations provide a range of common scan details, speed, and size. In general, the scans can be categorized as:
  • Normal
  • Generic
  • Web
  • Others

It may seem that larger scans are better scans because they provide more data. This is not always the case.

Depending on the type of data being scanned, and other scan configuration details, larger scans may actually perform shallower analyses to decrease time and/or space resource requirements. Thus it is important to understand what you are scanning for, and the type of findings expected by any scan, whether it is a built-in scan configuration or a custom configuration.

Normal scan

This is the default scan configuration and uses the default values for the parameters. This configuration is useful for all types of applications and provides a balance of time used, depth of analysis and number of findings. Note that default values can be changed in the ozsettings files (ipva.ozsettings, ounce.ozsettings, scan.ozsettings, or others).

Generic scans

This group of configurations is suitable for any type of application. The configurations range from quickest to longest duration, with increasing numbers of findings, in this order:
  • Large application scan
  • Quick scan
  • Medium-to-large application scan
  • Follow all virtual call targets scan
  • Maximize traces
  • Maximize findings

Web scans

This group of configurations is most suitable for web applications. These range from quickest to longest duration with increasing numbers of findings in this order:
  • Web quick scan
  • Web preview scan
  • Web scan
  • Web balanced scan
  • Web deep scan

Others

  • Service code scan is suitable for web services, libraries, and REST applications.
  • Android scan is suitable for mobile apps in the Android environment.
  • User input vulnerabilities scan focuses on inputs provided by external users of web applications or internal users of desktop applications.

Scan rules

Scan rules are parameters that control the selection of potentially threatening inputs to your application. These may be configured to focus on inputs of particular interest to the developers or security team. Reducing the number of inputs examined can reduce the scan time.
Note: For additional information about each of the scan rules, see Scan Configuration view.
Scan rules
Everything User input Web applications Error handling and logging Environment External systems Data store Unusual things File system Sensitive data
Scan configuration Normal (Default) X
Android X
Follow all virtual call targets X
Large application X X X
Maximize findings X
Maximize traces X
Medium-to-large X
Quick X X X X X X X
Service code X
User input vulnerabilities X
Web balanced X X X X X X
Web deep X X X X X X
Web preview X X X X X X
Web quick X X X X X X
Web X X X X X

Advanced settings

Advanced settings are parameters that generally control how much time is spent by the analysis and how deeply the application is analyzed. Generally, setting parameters to lower time limits or to limit the depth of analysis can reduce the duration of the scan and also reduce the number of findings.
Note: If a value is not specified, or is listed in the user interface as "<Inherited>", it is the same as the default value associated with a "Normal" scan as set in the ozsettings files (ipva.ozsettings, scan.ozsettings, or others). The values listed here for the "Normal" scan are the system's original values.
Advanced settings
Automatic callback markup Automatic propagator markup Display skipping message Filter custom rules Initial pruning heuristic IPVA per root time limit No inline validation Prototypical traces Replace Set/Get attribute calls Show informational findings Single virtual call Suppress processing restricted messages Virtual call autocallback threshold Virtual call count WAFL Global tracking
Scan configuration Normal (Default) False False False True 7 50 False 0 (all) False False True True 0 0 (all) True
Android 7 50 True True 0 True
Follow all virtual call targets False 0
Large application 100 2 1 True False
Maximize findings True True 0 50 True False 0 True
Maximize traces True True 0 50 False 0 True
Medium-to-large False 100 4 True 1 True False 5 True
Quick 100 2 1 False True
Service code True False 100 4 True 1 True False 5 True
User input vulnerabilities False 100 4 True 1 False 5
Web balanced
Web deep True True 9 50 True False 0 True
Web preview 100 2 1 True False
Web quick 100 2 1 True False
Web 7 50 0 True True 0 True