Workflow description

AppScan® provides a comprehensive assessment of your web application. It runs thousands of tests that simulate typical user techniques at every level, as well as unauthorized access attempts and code injections.

When you run a scan on your application, AppScan sends the tests to your web application. AppScan's site-smart engine analyzes the responses and produces detailed reports and fix recommendations, which you can review and work with in depth.

AppScan is an interactive tool: you decide on the configuration of the scan and determine what is to be done with the results.

The AppScan workflow includes the following stages:

  1. Select a Template: A predefined scan configuration is a scan template. You can load the Regular Scan template, another predefined template, or a template that you previously saved. (You can later adjust the configuration as required for the current scan.)
  2. Application or Web Service Scan: Scanning web services requires some manual input by the user, to show AppScan how to use the service.
    • AppScan: If you are not scanning a web service, or if you want to scan parts of the application other than its web services, leave this default option selected.
    • External device/client: Select this option if you want to scan a service. You will configure AppScan as a recording proxy, and send requests from your external client through AppScan.
  3. Scan Configuration: Configure the scan, taking into account details of your site, your environment, and other requirements.
  4. (Optional) Manual Explore: Log in to the site, and click links and fill in forms as a user would. This is a good way of "showing" AppScan how a typical user might browse the site, ensuring that important parts of the site are scanned, and providing data for filling forms.
  5. (Optional) Run Scan Expert: This is a short pre-scan of your site to evaluate the configuration. Scan Expert may suggest changes to increase the efficiency of the main scan.
  6. Scan the Application or Service: This is the main scan, and consists of Explore and Test stages.

    Explore Stage: AppScan crawls your site, visiting links as a regular user would, and records the responses. It creates a hierarchy of the URLs, directories, files, and so on, that it finds on your application. This list is displayed in the Application Tree (see Application Tree).

    The Explore stage can be done automatically, manually, or as a combination of both. You can also import an Explore Data File (see Exporting Manual Explore data), which consists of a previously recorded manual explore sequence. AppScan then analyzes the data it has collected from the site and, based on it, creates tests for the site. These tests are designed to reveal weaknesses both in the infrastructure (such as security weaknesses in commercial, third-party products or Internet systems) and in the application itself.

    Test Stage: During the Test stage, AppScan tests your application, based on the responses it received during the Explore stage, to reveal vulnerabilities and assess their severity.

    An up-to-date list of all tests included in your current version of AppScan can be seen in the Scan Configuration dialog box (see Test Policy view).

    You can also create user-defined tests in addition to the tests that AppScan automatically creates and runs (see User-Defined Tests). Your tests can supplement those generated by AppScan and can verify the results that it found.

    Test results are displayed in the Result List, from where you can view and modify them. Full details of the results are displayed in the Detail Pane.

  7. (Optional) Run Malware Test: This analyzes pages and links found on your site for malicious and otherwise unwanted content.
    Note: Although a Malware Test can in principle be performed at this stage (in which case it will use the Explore stage results of the main scan), in practice a Malware Test is usually run on a live site, whereas a regular scan is usually run on a test site (because of the risk of disrupting a live site by scanning it).
  8. Review Results to evaluate the security status of the site. You may also want to:
    • Explore additional links manually
    • Review Remediation Tasks
    • Print Reports
    • Adjust the scan configuration if necessary, based on your review of the results, and scan again
Note: For a simplified illustration of this workflow, see Basic workflow.
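To illustrate what the Explore stage of step 6 produces, the following added example (not AppScan's own code or data format) folds a constructed list of recorded requests into a host/directory/file hierarchy like the Application Tree, noting per file which HTTP methods and parameter names were seen. The hostname, paths and parameters are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what a Manual or automatic Explore might record:
# (method, URL) pairs. Illustrative only, not real AppScan Explore data.
EXPLORE_DATA = [
    ("GET", "http://demo.example/"),
    ("GET", "http://demo.example/login.jsp"),
    ("POST", "http://demo.example/login.jsp"),
    ("GET", "http://demo.example/bank/main.jsp"),
    ("GET", "http://demo.example/bank/transfer.jsp?fromAccount=1&toAccount=2"),
    ("POST", "http://demo.example/bank/transfer.jsp"),
    ("GET", "http://demo.example/images/logo.gif"),
]


def build_application_tree(records):
    """Fold recorded requests into a host -> directories -> files hierarchy."""
    tree = {}
    for method, url in records:
        parts = urlsplit(url)
        node = tree.setdefault(parts.netloc, {"dirs": {}, "files": {}})
        segments = [s for s in parts.path.split("/") if s]
        is_dir = parts.path.endswith("/")
        # Every segment but the last is a directory; a path ending in '/'
        # is recorded as the directory's index entry "/".
        dir_segments = segments if is_dir else segments[:-1]
        for seg in dir_segments:
            node = node["dirs"].setdefault(seg, {"dirs": {}, "files": {}})
        fname = "/" if is_dir else segments[-1]
        entry = node["files"].setdefault(fname, {"methods": set(), "params": set()})
        entry["methods"].add(method)
        entry["params"].update(name for name, _ in parse_qsl(parts.query))
    return tree


def render_tree(tree, indent=0):
    """Return the hierarchy as indented text lines, one per node."""
    lines = []
    for name, node in sorted(tree.items()):
        lines.append(" " * indent + name + "/")
        lines.extend(render_tree(node["dirs"], indent + 2))
        for fname, info in sorted(node["files"].items()):
            desc = ",".join(sorted(info["methods"]))
            if info["params"]:
                desc += " params=" + ",".join(sorted(info["params"]))
            lines.append(" " * (indent + 2) + f"{fname} [{desc}]")
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(build_application_tree(EXPLORE_DATA))))
```

Each file entry's methods and parameter names are what the Test stage later needs as inputs, which is why a thorough Manual Explore (step 4) matters: forms and parameters that were never exercised never appear in the tree.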