Overview
Outlines the principles of glass box scanning and its setup.
Regular scanning treats the application as a "black box": it analyzes the application's output without looking inside it. Glass box scanning instead uses an agent installed on the application server to inspect the running code itself during the scan, hence the term "glass" box. To do this, the AppScan glass box agent must be installed on the same server as the application you want to test, not on the local machine where AppScan itself is installed.
Glass box scanning has the following advantages:
During the Explore stage, glass box scanning can reveal HTTP parameters that affect the server side but never appear in responses, and which would therefore not be discovered by black box scanning alone.
During the Test stage, glass box scanning can verify the success or failure of certain tests, such as Blind SQL Injection, with greater accuracy, resulting in fewer false positives. It can also reveal the existence of certain security issues that cannot be detected by black box techniques at all.
Glass box scanning enables AppScan® to show you the vulnerability in the actual source code, simplifying both reporting and remediation.
Including glass box scanning adds an extra dimension to the scan in terms of the kind and number of issues that can be found, and the issue information offered.
To set up and work with glass box scanning:
Task | Description
---|---
1. Install agent | Install the AppScan glass box agent on your application server. Do this once per server. Note: Agents can be installed on more than one server, but only one server can be included in a given glass box scan.
2. Define agent | Define the installed agents in AppScan so that it can communicate with them. Do this once per AppScan machine. Note: Multiple instances of AppScan (on different machines) can use the same glass box web server agent, but not simultaneously.
3. Configure scan | Configure the scan to use the glass box agent you require. By default this is configured automatically, but it can be adjusted in Scan Configuration > Glass Box. Do this for each scan.
4. Run scan | Scan your application with glass box scanning enabled.
5. Update agent rules | Update the server agent rules when prompted to do so by the automatic update process, so that the version of the rules on the web server stays synchronized with the rules in your local AppScan version. Note: After running the update process you must restart the web application server.