Security reports

The Security report provides information about security issues discovered, and you can choose from a variety of templates depending on the type of content you need.

About this task

Security Report icon

You can create a security report that covers the whole scan, or for a particular URL or folder in the application tree.

Each report template is a set of content topics that are relevant to different audiences within your organization. The topics contain scan results from each of the views (Security Issues, Remediation Tasks, Application Data), formatted for easy printing, readability, and rapid comprehension of what the results mean, why they are relevant, and how to fix them.

Security Report Options

The table following summarizes the options in the Security Reports dialog box.

Option

Description

Template

Select one of several templates for the report, or define your own, by selecting/clearing check boxes in the right hand pane, as described in the table following.
  • Default: A medium-level report containing a high level summary and Issue Information, without details of variants.
  • Summary: A high level summary with highlights of security risks found in your web application, and statistics of scan results, formatted in tables and charts.
  • Detailed: A thorough report that includes the Summary, as well as security issues, suggestions for how to fix, remediation tasks and application data.
  • Remediation Tasks: Remediation tasks: actions designed to address the issues discovered in the scan.
  • Developer: Security Issues, variants, how to fix, without the Summary or Remediation Tasks sections.
  • QA: Security Issues, how to fix, and application data, without detailed variant information, or the Summary or Remediation Tasks sections.
  • Site Inventory: Application data only.
  • Custom Template: This option lets you create a custom Security Report template by using the check boxes to define the report you want, and then clicking Create as Template. Once saved, the template can be used to generate reports both from the user interface and the command line interface.
    • Save as Template: Save the current Security Report configuration as a custom template.
    • Delete Template: Delete the current custom template.

Min. Severity

Select the lowest level of severity for issues to be included in the report.

Test Type

Select which types of test results to include in the report: All, Application, Infrastructure, or Third-Party Web Component tests.

Sort by

Select whether to sort issues by type or URL.

Limit number of variants per issue

You can reduce the length of the report by limiting the number of variants listed per issue, if this level of detail is unlikely to be useful to the recipient of the report.

Add page break after each issue

This setting applies only to PDF output. It can make the report clearer to read.

View when done

If you select this check box, the report will be opened in an appropriate viewer after it is generated.
Note: This will only work if you have a program installed that can open the generated report.

After selecting any template as a basis, you can customize the individual report structure by selecting/deselecting the fields of information to be included. If you do this the template name changes to "Custom".

Security Report Sections

The table following summarizes the standard content of the various Security Reports. In all cases the actual content can be changed as required by selecting/clearing check boxes in the Report Content pane.
Note: A full detailed report could be hundreds of pages long, so be sure to include only the sections that are relevant to your audience.

Report Section

Description

Introduction

A short section that provides some general information about the scan, including such details as overall number of issues found (High, Medium, Low and Informational), and login settings. This section is included in all reports.

Summary

A series of tables summarizing the following information about the scan, or the part of the scan included in the report:
  • Issue types (includes number of issues found for each type, and their severity)
  • Vulnerable URLs (includes number and type of issues per URL)
  • Fix recommendations
  • Security risks
  • Causes
  • WASC threat classification

Security Issues

Issues found in your application:

  • Basic: If you select neither of the following two check boxes, basic information only is included
  • Additional: Includes more detailed information, including screen captures, similar to the Issue Information tab content
  • Variants: Includes specific variant information:
    • Request/Response
    • Difference: The difference between the original request and the test request, as shown in the Detail pane > Request/Response tab

Advisories and Fix Recommendations

Technical explanations of the issues found and recommendations for fixing them.
Note: To include fix recommendations specific to .NET, Java EE and PHP environments, go to Tools > Options > Preferences and select the required options.

Remediation Tasks

Suggested tasks for improving site security based on the issues found. One task may solve more than one issues.

Application Data

List of data that AppScan found in your web application: Application URLs, Script Parameters, Broken Links, Comments, JavaScripts, Cookies, and Filtered URLs.

Procedure

  1. Select the scan content on which to base the report:
    • To create a report for the whole scan, click Tools > Report > Security Report
    • To create a report for a particular URL or folder that was included in the scan, right-click on the node in the application tree, and then select Report for this node > Security
  2. Select the relevant template, or define your own report content by selecting/clearing check boxes in the right pane.
  3. Select the options required.
  4. To save the configuration for future use, click Save as Template and give the template a unique name.
  5. To customize the layout of the report, click the Layout tab. See Configuring report layout for details.
  6. Select the output format required: PDF, HTML, TXT, RTF, or XML.
  7. Click Save Report.