Workflow description

AppScan provides a comprehensive assessment of your web application. It runs thousands of tests that model typical user behavior at all levels, as well as unauthorized access attempts and code injection.

When you run a scan on your application, AppScan sends the tests to your web application. AppScan's site-smart engine analyzes the responses and produces detailed reports and fix recommendations, which you can then review and adjust.

AppScan is an interactive tool: you decide on the configuration of the scan and determine what is to be done with the results.

The AppScan workflow includes the following stages:

  1. Select a Template: A predefined scan configuration is a scan template. You can load the Regular Scan template, another predefined template, or a template that you previously saved. (You can later adjust the configuration as required for the current scan.)
  2. Application or Web Service Scan: Scanning web services requires some manual input from the user to show AppScan how to use the service.
    • AppScan: If you are not scanning a web service, or if you want to scan parts of the application other than its web services, leave this default option selected.
    • External device/client: Select this option if you want to scan a service. You will configure AppScan as a recording proxy and send requests from your external client through AppScan.
  3. Scan Configuration: Configure the scan, taking into account details of your site, your environment, and other requirements.
  4. (Optional) Manual Explore: Log in to the site, and click links and fill in forms as a user would. This is a good way of "showing" AppScan how a typical user might browse the site, ensuring that important parts of the site are scanned, and providing data for filling forms.
  5. Scan the Application or Service: This is the main scan, and consists of Explore and Test stages.

    Explore Stage: AppScan crawls your site, visiting links as a regular user would, and records the responses. It creates a hierarchy of the URLs, directories, files, and so on, that it finds in your application. This list is displayed in the Application Tree (see Application tree).

    The Explore stage can be done automatically, manually, or as a combination of both. You can also import an Explore Data File (see Exporting Manual Explore data), which consists of a previously recorded manual explore sequence. AppScan then analyzes the data it has collected from the site and, based on it, creates tests for the site. These tests are designed to reveal weaknesses both in the infrastructure (such as security weaknesses in commercial, third-party products or Internet systems) and in the application itself.

    Test Stage: During the Test stage, AppScan tests your application, based on the responses it received during the Explore stage, to reveal vulnerabilities and assess their severity.

    An up-to-date list of all tests included in your current version of AppScan can be seen in the Scan Configuration dialog box (see Test Policy view).

    You can also create user-defined tests in addition to the tests that AppScan automatically creates and runs (see User-Defined Tests). Your tests can supplement those generated by AppScan and can verify the results that it found.

    Test results are displayed in the Result List, from where you can view and modify them. Full details of the results are displayed in the Detail Pane.

  6. Review Results to evaluate the security status of the site. You may also want to:
    • Explore additional links manually
    • Review Remediation Tasks
    • Print Reports
    • Adjust the scan configuration if necessary, based on your review of the results, and scan again

Note: For a simplified illustration of this workflow, see Basic workflow.