Overview

Outlines the principles of glass box scanning and its setup.

While regular scanning treats the application as a "black box", analyzing its output without "looking inside" it, glass box scanning uses an agent installed on the application server to inspect the code itself during the scan; hence the term "glass" box. To do this, the AppScan glass box agent must be installed on the same server as the application you want to test, not on the local machine where AppScan itself is installed.

Glass box scanning has the following advantages:

  • During the Explore stage, glass box scanning can reveal HTTP parameters that affect the server-side but which are not found in responses, and which would therefore not be discovered by black box scanning alone.

  • During the Test stage, glass box scanning can verify the success or failure of certain tests, such as Blind SQL Injection, with greater accuracy, resulting in fewer "false positive" results. It can also reveal the existence of certain security issues that cannot be detected by black box techniques.

  • Glass box scanning enables AppScan® to show you the vulnerability in the actual source code, simplifying both reporting and remediation.

Including glass box scanning adds an extra dimension to the scan in terms of the kind and number of issues that can be found, and the issue information offered.
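As an added illustration of the Explore-stage point above (example code, not AppScan's own agent or any code from this product): a constructed handler reads a `debug` parameter that never appears in any response or link, so a crawler that learns parameter names only from responses cannot discover it, while a server-side hook on parameter access records it. `ObservedParams`, `product_handler`, `black_box_params` and `glass_box_params` are hypothetical names chosen for this example.

```python
import re
from urllib.parse import parse_qs


class ObservedParams(dict):
    """Query-string wrapper that records every key the handler reads,
    the way an in-process agent instruments parameter access."""

    def __init__(self, query):
        super().__init__({k: v[0] for k, v in parse_qs(query).items()})
        self.accessed = set()

    def get(self, key, default=None):
        self.accessed.add(key)          # record the lookup, hit or miss
        return super().get(key, default)


def product_handler(params):
    """Constructed sample handler. 'id' is echoed back in the page;
    'debug' changes server behaviour but is never reflected anywhere."""
    item = params.get("id", "0")
    verbose = params.get("debug") == "1"
    if verbose:
        pass  # server-only side effect (e.g. extra logging); not in output
    return f"<a href='/product?id={item}'>item {item}</a>"


def black_box_params(response_body):
    """What a black-box crawler can learn: parameter names visible in
    links/forms of the responses it has seen."""
    return set(re.findall(r"[?&]([A-Za-z_]+)=", response_body))


def glass_box_params(query):
    """What a server-side agent reports: every parameter the code
    consulted while handling the request, present in the request or not."""
    params = ObservedParams(query)
    product_handler(params)
    return params.accessed


if __name__ == "__main__":
    body = product_handler(ObservedParams("id=5"))
    print("black box sees:", sorted(black_box_params(body)))   # ['id']
    print("glass box sees:", sorted(glass_box_params("id=5")))  # ['debug', 'id']
```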

To set up and work with glass box scanning:

1. Install agent
   Install the AppScan glass box agent on your application server.
   Do this once only for a single server.
   Note: Agents can be installed on more than one server, but only one server can be included in a glass box scan.

2. Define agent
   Define the installed agents in AppScan, so it can communicate with them.
   Do this once only for each AppScan machine.
   Note: Multiple instances of AppScan (on different machines) can use the same glass box web server agent, but they cannot do so simultaneously.

3. Configure scan
   Configure the scan to use the glass box agent you require. By default this is configured automatically, but it can be adjusted in Scan Configuration > Glass Box.
   Do this for each scan.

4. Run scan
   Scan your application with glass box scanning enabled.

5. Update agent rules
   Update the server agent rules when prompted to do so by the automatic update process, so that the version of the rules on the web server remains synchronized with the rules on your local AppScan version.
   Note: After running the update process you must restart the web application server.