Getting started with AppScan


7/30/2019 Getting started with AppScan


Rational AppScan Standard Edition, Version 8.0

    Getting Started Guide


IBM Rational AppScan Standard Edition Getting Started


Contents

Chapter 1. Installing AppScan
  System requirements
  Installation procedure
  Silent install
  License
  Test-run

Chapter 2. Basic principles
  Scan stages and scan phases
  Web applications vs. Web services
  Main window
  Workflow

Chapter 3. Scan configuration
  Scan Expert
  Manual exploring

Chapter 4. Scanning
  Scheduling scans

Chapter 5. Working with results
  Result views
  Result Expert
  Testing for malware
  Exporting results

Chapter 6. Reports

Chapter 7. Toolbar summary

Copyright IBM Corp. 2000, 2010


Chapter 1. Installing AppScan

• System requirements
• Installation procedure
• Silent install
• License
• Test-run

System requirements

A summary of the minimum hardware and software required to run Rational AppScan, Version 8.0.

Hardware requirements

Hardware: Minimum requirement
Processor: Pentium P4, 2.4 GHz
Memory: 2 GB RAM
Disk space: 30 GB
Network: 1 NIC, 100 Mbps, with TCP/IP configured, for network communication

Operating system and software requirements

Operating system: Supported operating systems (both 32-bit and 64-bit editions):
• Windows XP: Professional, SP2 and SP3
• Windows 2003: Standard and Enterprise, SP1 and SP2
• Windows Vista: Business, Ultimate and Enterprise, SP1 and SP2
• Windows Server 2008: Standard and Enterprise, SP1 and SP2
Note: Rational AppScan smart tags, used when creating custom reports, are not supported for Vista or Windows Server 2008.

Browser: Microsoft Internet Explorer Version 6 or later

Other: Microsoft .NET Framework Version 2.0 or later (Version 3.0 or later is required for some optional, additional functionality)

(Optional) Adobe Flash Player for Internet Explorer, Version 9.0.124.0 through 10.0.45.2 inclusive, is required for Flash execution (and for viewing instructional videos in some of the advisories). Earlier and later versions are not supported for Flash execution. For instructions for downloading a supported version see the main User Guide or Online Help.

(Optional) Word 2003 or 2007 for using AppScan smart tags to insert fields for custom report templates. In the case of Word 2003 the following update must also be installed: Update for Office 2003: KB907417

Important: Customers without a local license on their machine require a network connection to their Rational licensing server when using AppScan.

Important: A personal firewall running on the same computer as Rational AppScan can block communication and result in inaccurate findings and reduced performance. For best results do not run a personal firewall on the computer that runs Rational AppScan.

Update for Office 2003 (KB907417): http://www.microsoft.com/downloads/details.aspx?FamilyId=1B0BFB35-C252-43CC-8A2A-6A64D6AC4670&displaylang=en

Installation procedure

Procedure

1. Close any Microsoft Office applications that are open.

Note: If you have Microsoft Word 2003 or higher installed, Rational AppScan smart tags will be added to its smart tag options during installation. These can be used to insert field codes for creating custom report templates. In order for this to be done, Microsoft Word and any other Microsoft Office programs that use it (such as Microsoft Outlook) must be closed during installation.

2. Start Rational AppScan Setup and follow the online instructions. The Installation wizard guides you through the fast and simple installation.

Note: Depending on your operating system, .NET Framework Version 2.0 or 3.0 may be required to operate Rational AppScan. If you have an earlier version, or do not yet have it at all, you are asked if you want to install the required version. (If you select No, installation stops, as Rational AppScan cannot function correctly without the correct version of .NET Framework.)

3. You will be asked if you want to install/download GSC (Generic Service Client). This is necessary for exploring Web services in order to configure a Web services scan, but is not needed if you will be scanning only Web applications.

• If the GSC installation file is available locally, you are asked if you want to install GSC. If you click Yes it is installed and the Rational AppScan installation completes.

• If the GSC installation file is not available locally you are asked if you want to download it, and the Rational AppScan installation completes. To download the GSC installation file click Yes and save the file to your computer. After the download is complete, double-click on the file to install GSC for use with Rational AppScan in scanning Web services.

Silent install

You can install Rational AppScan "silently", using the command line and the following parameters:

AppScan_Setup.exe /z"InstallMode" /l"LanguageCode" /s /v"INSTALLDIR=\"InstallPath""

Note: Silent installation automatically installs or updates .NET Framework Version 2.0 or 3.0, if required for your operating system.

Important: If you wish to install Generic Service Client (required for scanning Web services, but not for scanning only Web applications) at the same time as you install Rational AppScan, you must run the command line from the folder that contains both the setup (.exe) files.

Parameter: Function

/z: Install, repair or uninstall Rational AppScan and (optionally) GSC (Generic Service Client, required for scanning Web services, but not for scanning only Web applications). Options are: GSC to install GSC in addition to Rational AppScan, REPAIR to repair an existing installation, REMOVE to uninstall. If no /z parameter is included, installs Rational AppScan only (without GSC).

/l: Language code. Options are: 1033 to install an English version of Rational AppScan (and GSC), 1041 for Japanese, 1042 for Korean.

/s: Activates "Silent Mode" (otherwise the regular installation will be launched). No content is required.


/v: Sets the path where Rational AppScan will be installed. (Not required for repair or uninstall.) The path must be preceded by INSTALLDIR=\ and be enclosed in quotes. The path may include spaces.

Example: /v"INSTALLDIR=\"D:\Program Files\AppScan\""

If you do not define this parameter, installation uses the default path: C:\Program Files\IBM\Rational AppScan\

Examples

• To install an English version of Rational AppScan in the default directory enter:

AppScan_Setup.exe /l"1033" /s

• To install Japanese versions of Rational AppScan and GSC in the default directories enter:

AppScan_Setup.exe /z"GSC" /l"1041" /s

Note: To include GSC in the installation, this command must be run from the folder that contains both the Rational AppScan and the GSC setup (.exe) files.

• To install a Korean version of Rational AppScan in D:\Program Files\AppScan\ enter:

AppScan_Setup.exe /l"1042" /s /v"INSTALLDIR=\"D:\Program Files\AppScan\""

• To uninstall:

AppScan_Setup.exe /z"REMOVE" /s
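A wrapper for the command lines above, added here as an example (it is not part of the AppScan installer and uses only the parameters the guide documents): it assembles the exact string with the nested INSTALLDIR quoting, rejects /z modes and /l codes the installer does not accept, refuses /v for repair and uninstall, and checks that the GSC setup file is present in the same folder before an install that includes GSC. The GSC installer's file name, GSC_Setup.exe, is an assumption; the guide does not state it.

```python
"""Build and (optionally) run an AppScan 8.0 silent-install command line.

Added example, not IBM tooling. Only the documented parameters are used:
/z (GSC | REPAIR | REMOVE), /l (1033 | 1041 | 1042), /s and
/v"INSTALLDIR=\"path\"".
"""
import os
import subprocess

SETUP_EXE = "AppScan_Setup.exe"     # documented installer name
GSC_SETUP_EXE = "GSC_Setup.exe"     # ASSUMED name of the GSC installer
MODES = {None, "GSC", "REPAIR", "REMOVE"}
LANGS = {"1033": "English", "1041": "Japanese", "1042": "Korean"}


def build_silent_install_cmd(mode=None, lang="1033", install_dir=None):
    """Return the exact command string the installer expects."""
    if mode not in MODES:
        raise ValueError(f"unsupported /z mode: {mode!r}")
    if lang not in LANGS:
        raise ValueError(f"unsupported /l language code: {lang!r}")
    parts = [SETUP_EXE]
    if mode is not None:
        parts.append(f'/z"{mode}"')
    parts.append(f'/l"{lang}"')
    parts.append("/s")
    if install_dir is not None:
        if mode in ("REPAIR", "REMOVE"):
            raise ValueError("/v is not used for repair or uninstall")
        # Nested quoting exactly as documented:
        #   /v"INSTALLDIR=\"D:\Program Files\AppScan\""
        path = install_dir.rstrip("\\")
        parts.append(f'/v"INSTALLDIR=\\"{path}\\""')
    return " ".join(parts)


def check_setup_files(present, mode):
    """Return the setup files the chosen mode needs that are not in `present`.

    `present` is the list of file names in the folder the command is run from;
    an install that includes GSC needs both .exe files in that folder.
    """
    present = set(present)
    missing = []
    if SETUP_EXE not in present:
        missing.append(SETUP_EXE)
    if mode == "GSC" and GSC_SETUP_EXE not in present:
        missing.append(GSC_SETUP_EXE)
    return missing


def run_silent_install(setup_dir, mode=None, lang="1033", install_dir=None):
    """Run the installer from setup_dir (Windows only) and return its exit code."""
    missing = check_setup_files(os.listdir(setup_dir), mode)
    if missing:
        raise FileNotFoundError(f"missing in {setup_dir}: {', '.join(missing)}")
    cmd = build_silent_install_cmd(mode, lang, install_dir)
    # The command is passed as one string so the installer receives the
    # nested quotes unchanged (Windows accepts a string with shell=False);
    # cwd=setup_dir satisfies the "run from the folder that contains both
    # setup files" requirement.
    completed = subprocess.run(cmd, cwd=setup_dir)
    return completed.returncode


if __name__ == "__main__":
    print(build_silent_install_cmd("GSC", "1041"))
    print(build_silent_install_cmd(None, "1042", "D:\\Program Files\\AppScan\\"))
    print(check_setup_files(["AppScan_Setup.exe"], "GSC"))
```

Run the script from the folder holding the installers; `check_setup_files` is kept separate from the filesystem so the quoting and the GSC pre-check can be unit-tested without an installer present.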

License

The Rational AppScan, Version 8.0 installation includes a default license that allows you to scan IBM's custom designed AppScan testing website, but no other sites. In order to scan your own site you must install a valid license supplied by IBM. Until this is done Rational AppScan will load and save scans and scan templates, but it will not run new scans on your site.

IBM Rational licenses

From Version 7.8 onwards, Rational AppScan licenses are in the FlexLM format (*.upd), and are downloaded from the Rational License Key Center. There are two types of IBM Rational license, depending on whether you have the Standard or Express edition of AppScan:

Standard Edition uses "floating" licenses
These are installed onto the IBM Rational License Server (which can be the same as the machine on which AppScan runs). Any computer on which Rational AppScan is used must have a network connection with the license server. Each time a user opens AppScan a license is checked out, and when AppScan is closed the license is checked back in.

Express Edition uses "node-locked" licenses
These are installed onto the machine on which Rational AppScan runs. Each license is assigned to a single machine.

Legacy licenses

If you have upgraded from a version of the product earlier than 7.8 your existing license will not be in FlexLM format, but in *.lic format. As long as it is valid, this license will continue to work with the new version of AppScan.

If you want to upgrade your legacy license to an IBM Rational license, you can do this by clicking Help > License > Load IBM Rational License (License Key Administrator opens) > License Keys > Get,


Return or Move Keys (Licensing Support opens) > License Key Center. Upgrading will enable you to manage your licenses using the Rational License Key Center.

To view license status:

1. Click Help > License. The License dialog box opens, showing license status and the following options:

Load IBM Rational License: If you have an IBM Rational FlexLM license (either on your computer or on a different network server), click here to open the Rational AppScan License Key Administrator, from where you can load and manage your licenses.

Load Old Format (.lic) License: If you have a valid old format Watchfire legacy license (from a version of the product earlier than 7.8), click here to load it.

View License Agreement: Click here to see the license agreement.

2. If you load a new license, refresh the license information displayed in the dialog box by clicking

Test-run

If you have an evaluation copy of Rational AppScan (i.e. you have not purchased a license), you can "test-run" the product by scanning IBM's "AltoroMutual Bank" website, which has been created for demonstration purposes. Use the following URL and login credentials:

URL: http://demo.testfire.net/
Username: jsmith
Password: demo1234

Note: If you are using an evaluation copy of AppScan, the AltoroMutual Bank website is the only site you can scan.


Chapter 2. Basic principles

• Scan stages and scan phases
• Web applications vs. Web services
• Main window
• Workflow

Scan stages and scan phases

A Rational AppScan Full Scan consists of two stages: Explore and Test. It is useful to understand the principle behind this, even though most of the scan process is in fact transparent to the user, and little user input is required until the scan is complete.

• Explore stage: During the first stage, the site is explored and an application tree is constructed. This is the Explore stage. AppScan analyzes the responses to each request it sends, looking for any indication of a potential vulnerability. When AppScan receives responses that may indicate a security vulnerability, it automatically creates tests, as well as noting the validation rules needed to determine which results constitute a vulnerability, and the level of security risk involved.

• Test stage: During the Test stage, AppScan sends thousands of custom test requests that it created during the Explore stage. It records and analyzes the application's responses to identify security problems and rank their level of security risk.

• Scan phases: In practice, the Test stage frequently reveals new links within a site, and more potential security risks. Therefore, after completing the first "phase" of Explore and Test, AppScan automatically begins a new "phase" to deal with the new information. (The default number of phases is four.)

Web applications vs. Web services

AppScan can scan both Web applications and Web services.

• Web applications: In the case of regular applications (without Web services) it may be sufficient to supply AppScan with the start URL and login authentication credentials for it to be able to test the site. If necessary you can also manually crawl the site, to give AppScan access to areas that can only be reached through specific user input.

• Web services: In the case of Web services the integrated Generic Service Client (GSC) uses the service's WSDL file to display the individual methods available in a tree format, and creates a user-friendly GUI for sending requests to the service. You can use this interface to input parameters and view the results. The process is "recorded" by AppScan and used to create tests for the service.


Main window

The main screen contains a menu bar, toolbar, view selector, and three data panes: Application tree, Result list and Detail pane. The following describes the main screen populated with data following a scan.

View selector: Click one of the three buttons to select the type of data displayed in the three main panes.

Application tree: As the scan progresses the application tree is populated. By the end of the scan the tree shows all the folders, URLs and files that were found in your application.

Result list: Shows relevant results for the selected node in the application tree.

Detail pane: Shows relevant details for the selected node in the result list, in three tabs: Advisory, Fix Recommendation, and full Request/Response.

Dashboard: Shows information about the current results in the form of panels that can be "played" in succession.

Workflow

This section describes a simple workflow using the Scan Configuration Wizard, most suited to new users, or users with a pre-configured scan template. More advanced users may prefer to configure their scan using the Scan Configuration dialog box, Explore some of the site manually (to show Rational AppScan some typical user behavior), and then start the scan.

To scan using the wizard:

1. Select a scan template. (You can later adjust the configuration as required.)

2. Open the Scan Configuration wizard and choose Web Application Scan or Web Service Scan.

3. Use the wizard to set up the scan:

To scan an application:

a. Type in the starting URL.

b. (Recommended) Perform the login procedure manually.

c. (Optional) Review the Test Policy.

To scan a Web service:

a. Type in the WSDL file location.

b. (Optional) Review the Test Policy.


c. Use Generic Service Client (which opens automatically) to send requests to the service while Rational AppScan records your input and the responses received.

Note: You must send at least one request to the service for AppScan to be able to test it.

4. (Optional, applications only) Run Scan Expert:

a. Run Scan Expert to review the effectiveness of your configuration for the application being scanned.

b. Review suggested configuration changes and apply selectively.

Note: You can configure Scan Expert to perform its analysis and apply some of its recommendations automatically, when you start the scan.

5. Start Automatic Scan.

6. (Optional) Run Result Expert to process scan results and add information to the Issue Information tab (Detail pane).

7. (Optional) Run Malware Tests to analyze pages and links on your site for malicious or otherwise unwanted content.

Note: Malware Test uses data gathered during the Explore stage of a regular scan, so you must have some Explore results for it to function.

8. Review Results to evaluate the security status of the site (Result Expert can help you with this), and:

• Explore additional links manually

• Print Reports

• Review remediation tasks

• Log defects to your defect tracking system


Chapter 3. Scan configuration

About this task

This section describes standard application scan configuration using the wizard. For advanced configuration methods, and details of Web service scan configuration, refer to the main user guide and online help.

Procedure

1. Launch AppScan.

2. In the Welcome Screen, click Create new Scan.

3. In the New Scan dialog box, verify that the Launch wizard checkbox is selected.

4. In the Predefined Templates area, click Default to use the default template. (If you are using AppScan to scan one of the test sites for which there is a specialized pre-defined template, select that template: Demo.Testfire, Foundstone, or WebGoat.)

5. Select Web Application Scan, and click Next for Step 1 of the three-stage setup.

6. Type in the URL where the scan will start.

Note: Click Advanced if you need to add additional servers or domains.

7. Click Next to advance to Step 2.

8. Select Recorded Login, then click New. A message appears describing the procedure for recording a login.

9. Click OK. The embedded browser opens with the Record button pressed (grayed out).

10. Browse to the login page, record a valid login sequence, and then close the browser.

11. In the Session Information dialog box, review the login sequence and click OK.

12. Click Next to advance to Step 3. At this stage you can review the Test Policy that will be used for the scan (i.e. which test categories are used for the scan).

Note: By default all except invasive tests are used.

Note: The Advanced button lets you control additional test options including privilege escalation (testing the extent to which privileged resources are accessible to users with insufficient access privileges) and multiphase scanning.

13. The In-Session Detection checkbox is selected by default, and text indicating that the response is "in-session" is highlighted. During the scan AppScan sends heartbeat requests, checking the responses for this text to verify that it is still logged in (and logs in again as necessary). Verify that the highlighted text is indeed proof of a valid session: it must appear only in responses to a logged-in user, not on the login page or on pages an anonymous user also sees, otherwise AppScan cannot notice that the session has expired and will keep testing the site unauthenticated.

14. Click Next.

15. Select the appropriate radio button to start Automatic Scan, start with Manual Explore, or Later (to start the scan later by clicking the Start icon on the toolbar).

16. (Optional) By default the Scan Expert checkbox is selected so that Scan Expert will run when you complete the wizard. You can clear this to proceed directly to the scan stage.

17. Click Finish to exit the wizard.
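The in-session check in step 13, written out as a small model, added here as an example and not AppScan code: the two HTML responses and the FakeApp whose session expires after a fixed number of requests are constructed stand-ins for the real site (a practitioner would fetch a page once logged in and once logged out). `marker_is_proof` applies the test from step 13 (the marker must be present when logged in and absent when logged out), and `heartbeat` shows the consequence of choosing a weak marker: with banner text that also appears on the login page, the heartbeat never notices the expired session and never re-logs in.

```python
"""In-session marker validation and heartbeat, modelled on AppScan's
In-Session Detection (added example, not IBM code)."""

# Constructed responses standing in for the target site's pages.
LOGGED_IN_PAGE = """<html><body>
<div id="banner">Welcome to the Online Bank</div>
<p>Signed in as jsmith</p>
<a href="/logout">Log out</a>
</body></html>"""

LOGGED_OUT_PAGE = """<html><body>
<div id="banner">Welcome to the Online Bank</div>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
</body></html>"""


def in_session(body, marker):
    """AppScan-style check: the session is taken to be valid if marker is present."""
    return marker in body


def marker_is_proof(marker, logged_in_body, logged_out_body):
    """A marker proves a valid session only if it is present when logged in
    AND absent when logged out. Banner text fails the second half."""
    return in_session(logged_in_body, marker) and not in_session(logged_out_body, marker)


class FakeApp:
    """Constructed stand-in for the scanned site: the session lasts
    `lifetime` requests, after which every page is the login page."""

    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.remaining = 0

    def login(self):
        self.remaining = self.lifetime

    def get_page(self):
        if self.remaining > 0:
            self.remaining -= 1
            return LOGGED_IN_PAGE
        return LOGGED_OUT_PAGE


def heartbeat(app, marker):
    """One heartbeat: fetch a page, test the marker, log in again if it is
    missing. Returns (in_session_afterwards, relogin_happened)."""
    if in_session(app.get_page(), marker):
        return True, False
    app.login()
    return in_session(app.get_page(), marker), True


if __name__ == "__main__":
    for marker in ("Welcome to the Online Bank", "Log out"):
        print(f"{marker!r}: proof of session = "
              f"{marker_is_proof(marker, LOGGED_IN_PAGE, LOGGED_OUT_PAGE)}")
    app = FakeApp(lifetime=2)
    app.login()
    for _ in range(3):
        print(heartbeat(app, "Log out"))
```

A logout link, the user's name, or an account-only element are the kind of markers that pass `marker_is_proof`; anything rendered by the site template for every visitor is not.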

Scan Expert

One of the options in the Scan configuration wizard is for Scan Expert to run a short scan to evaluate the efficiency of the new configuration for your particular site.


When Scan Expert runs, the Scan Expert panel opens in the upper part of the screen and the application tree starts to appear in the left-hand pane, as Scan Expert explores the site.

At the end of the short evaluation Scan Expert suggests configuration changes that you can accept or reject. (You can review the suggestions individually or elect to apply suggestions automatically.)

Note: There are some changes that Scan Expert can only apply with human intervention, so when you select the automatic option some changes may not be applied.

Manual exploring

About this task

Manual Explore lets you browse the application yourself, clicking on links and inputting data. AppScan records your actions, and uses the data to create tests. There are three reasons you might want to explore manually:

• To pass anti-automation mechanisms (such as the requirement to type in a random word, displayed as an image)


• To explore a specific user process (the URLs, files and parameters that a user would access given a certain scenario)

• Because interactive links were discovered during a scan, and you want to fill in the required data to enable a more thorough scan

Note: After creating a Manual Explore, you may want to continue with an automatic Explore stage, so that the scan covers your entire application.

Procedure

1. Click Scan > Manual Explore. The embedded browser opens.

2. Browse the site, clicking on links and filling in fields as required.

3. When finished, close the browser.

Note: You can create a manual explore that contains multiple processes by clicking Pause, browsing to a different location, and then clicking Record to resume recording.

The Explored URLs dialog box appears, displaying the URLs that you visited.

4. Click OK.

5. AppScan checks if any of your input is suitable for adding to the Automatic Form Filler, presents a list, and if so asks whether you want to add All, None or Selected Parameters.

• If you want some of your input to be added to the Automatic Form Filler, click Add Selected. Then select items in the Temporary Form Parameters list, and click Move (to move them to the Existing Form Parameters list). Then click OK.

6. Click OK. AppScan analyzes the URLs that you crawled and creates tests based on this analysis.

7. To run the new tests, click Scan > Continue Scan.


Chapter 4. Scanning

When the scan begins, the Progress Panel appears in the upper part of the screen, and together with the status bar (along the bottom of the screen), shows details of scan progress. The panes are populated with real-time results as they are processed.

Progress panel

The progress panel shows the current phase of the scan, as well as the URL and parameter being tested.

If new links are discovered during the scan (and multiphase scanning is enabled), an additional scan phase starts automatically upon completion of the previous phase. The new phase may be significantly shorter than the previous phase, since only new links are scanned. Alerts such as "Server down" may also be displayed on the progress panel.

Status bar

The status bar at the bottom of the screen shows the scan counters, such as the number of URLs to be visited and tests to be sent.


Note: The total number of tests to be sent, or URLs to be visited, may increase during a scan, as new links are discovered.

Scheduling scans

You can schedule scans to start automatically once or at regular intervals.

Procedure

1. Click Tools > Scan Scheduler, then click New.

2. Type in a name for the schedule, and fill in the options you require:

• Select Current Scan or a Saved scan (if Saved, browse to the required .scan file)

• Select Daily, Weekly, Monthly, or Once Only.

• Select Date and Time for the scan

• Type in Domain Name and Password

3. Click OK.

The schedule name appears in the Scan Scheduler dialog box.


Chapter 5. Working with results

• Result views
• Result Expert
• Testing for malware
• Exporting results

Result views

Results can be displayed in three views: Security Issues, Remediation Tasks, and Application Data. The view is selected by clicking a button in the view selector. The data displayed in all three panes varies with the view selected.

Security Issues view
Shows the actual issues discovered, from overview level down to individual requests/responses. This is the default view.
Application Tree: Complete application tree. Counters next to each item show the number of issues found for the item.
Result List: Lists issues for the selected node in the application tree, and the severity of each issue.
Detail Pane: Shows advisory, fix recommendations and request/response (including all variants used) for the issue selected in the Result List.

Remediation Tasks view
Provides a To Do list of specific remediation tasks to fix the issues found by the scan.
Application Tree: Complete application tree. Counters next to each item show the number of fix recommendations for that item.
Result List: Lists remediation tasks for the selected node in the application tree, and the priority of each task.
Detail Pane: Shows details of the remediation task selected in the Result List, and all the issues that this remediation will solve.

Application Data view
Shows script parameters, interactive URLs, visited URLs, broken links, filtered URLs, comments, JavaScripts and cookies from the Explore stage.
Application Tree: Complete application tree.
Result List: Select a filter from the pop-up list at the top of the Result List, to determine which information is displayed.
Detail Pane: Details of the item selected in the Result List.
Unlike the other two views, Application Data view is available even if AppScan has only completed the Explore stage. Use the pop-up list at the top of the Result list to filter the data.

Severity levels

The Result List displays the issues for whatever item is selected in the application tree. These can be for:

• Root level: All site issues are displayed

• Page level: All issues for the page

• Parameter level: All issues for a particular request to a particular page


Each issue is assigned one of four security levels:

• High security issue

• Medium security issue

• Low security issue

• Informational security issue

Note: The Informational category applies to Security Issues view only. In Remediation Tasks view all issues less than Medium are classified as Low.

Note: The severity level assigned to any issue can be changed manually by right-clicking on the node.

Security issues tabs

In Security Issues view the vulnerability details for the selected issue appear in the Detail pane in four tabs:

Issue Information: A summary of the information available on the other Detail pane tabs. Its main purpose lies in the display of additional information added by Result Expert. This information includes CVSS Metric scorings for the issue, and relevant screen shots, that can be saved with the results and included in reports.

Advisory: Technical details on the selected issue and links for more information. What has to be fixed and why.

Fix Recommendations: The exact tasks that should be done to make your web application secure against the specific selected issue.

Request/Response: Shows the specific tests that were sent to the application, and its response (can be viewed as HTML or in a Web browser).
Variants: If there are variants (different parameters that were sent to the same URL), they can be viewed by clicking the < and > buttons at the top of the tab.
Two tabs at the right of this tab let you view Variant Details and add a Screenshot that will be saved with the results.

Result Expert

Result Expert consists of various modules that are used to process scan results. The processed results are added to the Issue Information tab of the Detail pane, making the information displayed there more comprehensive and detailed, including screen shots where relevant.


Result Expert is usually run automatically following a full scan; however, it can also be run manually at any time, on full or partial scan results.

When time is limited and the volume of results is large, you may decide not to run Result Expert, or to disable one or more of its modules.

To update the Issue Information tabs of all issues found, click Tools > Run Result Expert.

Testing for malware

The Test for malware feature tests your application for malware and links to malicious external domains. It does this by analyzing results obtained from the Explore stage of a regular scan. It is run as a separate set of tests after a regular scan, or at least the Explore stage of a regular scan. The Malware Test icon is only active when there are existing Explore results.

The feature consists of two modules:

Check application content for malicious patterns
Analyzes your application content, as well as content available from links that lead to other domains, for malware patterns, such as malicious executable code. This module can check for malicious patterns in:

• Content of visited URLs

• Content retrieved from external links

• File types that are excluded from regular scans

Check for links to malicious external Web sites
Examines all links that lead from your site to a different domain, and for each link returns its ISS category. An Internet connection is required for this, in order to connect to the ISS database.

By default, both modules are selected, but you can adjust this from the Scan Configuration dialog box.

To test for malware:

1. Verify that you have Explore stage results for the site, or part of the site, that you want to test. These can be from a full regular scan, from an Explore Only, or from a Manual Explore.

2. To make any configuration changes click Scan > Scan Configuration > Malware tab.

3. Click the icon on the toolbar, or click Scan > Test for malware.


    The malware progress dialog box appears, and closes when malware testing is over. A status messageindicates the success of the testing process.

    The results are added to the regular scan results in the form of additional Issue Types in the ResultList, and full details in the Detail Pane.

    Exporting results

    About this task

    You can export the complete scan results as an XML file, or as a relational database. (The database option exports the results into a Firebird database structure. This is open source, and follows ODBC and JDBC standards.)

    Procedure

    1. Click File > Export and select XML or DB.

    2. Browse to the location you want, and type in a name for the file.

    3. Click Save.


    Chapter 6. Reports

    After Rational AppScan has assessed your site's vulnerability, you can generate customized reports configured for the various personnel in your organization.

    You can open and view the reports from within Rational AppScan, and you can save a report as a file to be opened with a third-party application, such as Acrobat Reader.

    Icon  Name  Short Description

    Security Report: Report of security issues found during the scan. Security information may be very extensive, and can be filtered depending on your requirements. Six standard templates are included, but each can easily be tailored to include or exclude categories of information, as necessary.

    Industry Standard Report: Report of the compliance (or non-compliance) of your application with a selected industry committee, or your own custom standards checklist.

    Regulatory Compliance Report: Report of the compliance (or non-compliance) of your application with a large choice of regulations or legal standards, or with your own custom Regulatory Compliance template.

    Delta Analysis Report: Compares two sets of scan results and shows the difference in URLs and/or security issues discovered.

    Template Based Report: Custom report containing user-defined data and user-defined document formatting, in Microsoft Word .doc format.

    Note: Industry Standard and Regulatory Compliance reports are not available in AppScan Developer Edition.


    Chapter 7. Toolbar summary

    The buttons on the toolbar offer quick access to frequently used features (that are also available from the menus).

    Button  Name  Click to:

    New: Select a template and create a new scan. (Can optionally launch the Scan Configuration Wizard.)

    Open: Load a saved scan or scan template.

    Save: Save the current scan.

    Print: Print the Application Tree and Detail Pane of the current View (Security Issues, Remediation Tasks or Application Data). Nodes will appear expanded or contracted as they are currently displayed on the screen.

    Scan >: (Available only if a scan is loaded and configured.) Opens a short Scan menu, with the following options:
        Full Scan: Start a full scan (Explore and Test stages) or continue a paused scan.
        Explore Only: Run an Explore stage only (or continue an Explore that was paused), without following it with the Test stage.
        Test Only: Run a Test stage only (or continue a Test that was paused), without first running an Explore stage. Active only if there are already some Explore results.

    Pause Scan: (Active only when a scan is running.) Pause the current scan (whether Full Scan, Explore Only or Test Only). You can resume the scan later. You can also save a paused scan to continue at another time.

    Manual Explore: Open the browser to the application's URL and manually browse the site, filling in required parameters as you go. AppScan will then add this Explore data to its own, automatically collected Explore data, when creating tests for the site.

    Malware Test: Tests for malware and malicious external links, using the settings configured in the Malware tab of the Scan Configuration dialog box. This option is available only when there are some Explore results that can be tested.

    Scan Configuration: Open the Scan Configuration dialog box to configure the scan.

    Scan Expert >: Run Scan Expert to evaluate your current configuration and suggest changes. Select:
        Scan Expert Evaluation
        Scan Expert Analysis Only (This option is available if you already have some Explore results that can be analyzed.)


    Scan Log: Display the Scan Log during or after a scan. (Lists all actions performed by Rational AppScan during the scan, as they occur.)

    Find: Find an issue. (Enabled only when the Issues view is selected.)

    Create Report: Create a report with the current scan data.

    Update: Check for, and download, any available Rational AppScan security updates.

    JavaScript Security Analyzer: Open JavaScript Security Analyzer (JSA) for static JavaScript analysis. Available only if the JSA extension is installed and activated (which it is, by default, when you install Rational AppScan).


    Printed in USA

    GI11-9150-00