AppScan Presentation


description

Testing Tool

Transcript of AppScan Presentation

AppScan: 9 Aug 2012, Ushma Dubal

Objective

AppScan overview

How to install

New scan process

Demo

AppScan help

Q & A

Important Notice

This presentation is meant to show basic operation of AppScan. It is NOT meant to show the procedures needed to comply with the recommendations and requirements for scanning InfoSphere Information Server products and components. You should review the materials at the following sites if you intend to scan Information Server products and components:

Specific Recommendations and Requirements: https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/Wa0ffccd1ded4_4723_8b25_baa3636592d3/page/Requirements%20and%20Recommendations

InfoSphere AppScan Community Welcome page: https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/Wa0ffccd1ded4_4723_8b25_baa3636592d3

AppScan Overview

AppScan is an IBM Rational tool.

AppScan is an automated tool used to perform vulnerability assessments on web applications and web services.

It scans web applications, finds security issues and reports on them in an actionable fashion.

How to install

AppScan can be downloaded from:

(Xtreme Leverage Portal): http://w3-103.ibm.com/software/xl/portal/home

Click on the Technical tab, then the Software Downloads (internal use) button on the right. Search for IBM Rational AppScan Standard Edition (AS Std) V8.5 Windows Multilingual, part number CI458ML, and download it.

The installation is fairly painless (standalone desktop application), but you will need a license key to activate your installation. Without the key, you can only test one specific web site used for AppScan demos.

To get an AppScan license key, follow the link below:

http://w3.ibm.com/connections/wikis/home/wiki/Rational%20Sales%20Operational%20Support/page/AppScan%20License%20Keys?lang=en

Install cont..

Licenses are of two types:

Node-locked or Authorized User license key.

Floating license key. Benefit: can be used with VM and RD.

Server: svllicense.svl.ibm.com

Port: 27000

Points to consider: The AppScan machine should not have a firewall or antivirus running. These need to be disabled while AppScan is in use.

Starting a New Scan

The easiest way is to use the scan wizard:

Starting point URL

Login

Test policy

Login

Accurate login is essential for a good scan

Login Methods

Recorded (Recommended)

Automatic

Prompt

None

AppScan needs to maintain a session in order to fully explore and test the application

How does it work:

AppScan monitors the In-Session pattern

When the session is lost, it stops the scan, logs in again and refreshes the session tokens
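
The in-session check described above, as an added illustration (not code from the presentation or from AppScan): a scan loop tests each response against an in-session pattern and, when the pattern is missing, logs in again and retries the request. `FakeApp`, the `/logout` marker, the credentials and the token format are all constructed for this example.

```python
import re

# Assumed in-session marker: a logout link that only logged-in pages contain.
IN_SESSION_PATTERN = re.compile(r'href="/logout"', re.I)

class FakeApp:
    """Constructed stand-in for the target: a session expires after `ttl` requests."""
    def __init__(self, ttl=3):
        self.ttl = ttl
        self.sessions = {}          # token -> requests remaining
        self.issued = 0

    def login(self, user, password):
        self.issued += 1
        token = f"tok{self.issued}"
        self.sessions[token] = self.ttl
        return token

    def get(self, path, token):
        left = self.sessions.get(token, 0)
        if left <= 0:               # expired or unknown token: login page is served
            return '<form action="/login">Please sign in</form>'
        self.sessions[token] = left - 1
        return f'<a href="/logout">Sign out</a><h1>{path}</h1>'

def in_session(body):
    return bool(IN_SESSION_PATTERN.search(body))

def scan(app, paths, creds):
    token = app.login(*creds)
    logins, tested, skipped = 1, [], []
    for path in paths:
        body = app.get(path, token)
        if not in_session(body):
            # Session lost: pause, replay the login, refresh the token, retry once.
            token = app.login(*creds)
            logins += 1
            body = app.get(path, token)
        # A page still out of session after re-login was never really tested.
        (tested if in_session(body) else skipped).append(path)
    return {"tested": tested, "skipped": skipped, "logins": logins}

if __name__ == "__main__":
    print(scan(FakeApp(ttl=3), [f"/p{i}" for i in range(1, 8)], ("user", "pw")))
    print(scan(FakeApp(ttl=0), ["/a", "/b"], ("user", "pw")))  # login never works
```

The second call shows why an accurate login matters: when the login never yields a working session, every page ends up in `skipped` and the scan has only exercised the login form.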

Scan Configuration

Scans can be configured as per user needs.

Start Scan (last step)

Start a full automatic scan: scans all the URLs of the application.

Start with automatic Explore only: only explores the URLs.

Start with Manual Explore: the user needs to manually record the URLs to be scanned.

I will start the scan later:

Scan Progress

Visual progress indicators

Real-time scan log

Creating the Report

Snapshot of Report

Demo

Sites for help:

https://w3.tap.ibm.com/w3ki08/display/ratlseccop/Intellectual%20Capital%20(Resources)

http://ibmforums.ibm.com/forums/forum.jspa?forumID=2968

https://w3-connections.ibm.com/wikis/home?lang=en_US#/wiki/Wa0ffccd1ded4_4723_8b25_baa3636592d3

AppScan help

Q & A

Information Management Software

2010 IBM Corporation


2011 IBM Corporation