For additional control of your scan, click "Scan Configuration." From there, navigate to the "Explore Options" tab. Not all of these options are necessary for all scans.

Under the Explore Options tab, you can change the depth limit on the scan and change the JavaScript and Flash settings.

Reducing the depth limit will decrease the number of steps away from the original URL that AppScan will take. Increasing the depth limit will do the opposite.

JavaScript includes options for discovering URLs in JavaScript, which AppScan will not do automatically.

Flash also includes options to discover URLs in Flash files and to execute them, which AppScan will not do automatically.

Under the Communication and Proxy tab, you can change the Communication settings.

Timeout: If your application is responding slowly, you can increase the number of seconds AppScan waits before it stops trying to open a page.

Number of Threads: If the application is crashing, you can reduce the number of pages that AppScan will attempt to hit at a time. This will also slow down the scan, making it take longer. For very large applications, you can also change the depth limit so that AppScan will stop crawling after the tenth link.

Under the Error Pages tab, you can add custom error pages. If your application returns any custom error messages, it is highly recommended that you add them. If AppScan opens a page and receives a custom error message that has not been added, it will not recognize the page as an error; it will treat it as a successful response, and the results will falsely show that it reached a private area of the application.
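The false positive described above usually comes from a "soft 404": the server answers a request for a non-existent path with HTTP 200 and a custom error page. The following is an added example (not AppScan's own code) that probes a few paths which cannot exist and reports the page title you would then register under the Error Pages tab; the sample responses are constructed, and the `probe_site` helper and its URL layout are assumptions.

```python
"""Find soft-404 custom error pages worth registering in AppScan's Error Pages tab.

A well-behaved server answers 404 for a path that cannot exist.  A server
with a custom error page often answers 200 with the same error HTML every
time, and a scanner that does not know that page treats the 200 as a hit.
"""
import re
import uuid
import urllib.request
from collections import Counter

# Constructed sample responses (status, body) for three impossible paths.
SOFT_404_SITE = [
    (200, "<html><title>Oops - Page Not Found</title><body>Sorry.</body></html>"),
    (200, "<html><title>Oops - Page Not Found</title><body>Sorry.</body></html>"),
    (200, "<html><title>Oops - Page Not Found</title><body>Sorry.</body></html>"),
]
HEALTHY_SITE = [
    (404, "<html><title>404</title></html>"),
    (404, "<html><title>404</title></html>"),
    (404, "<html><title>404</title></html>"),
]


def page_title(body):
    """Return the <title> text of an HTML body, or None if it has none."""
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else None


def detect_custom_error_page(responses):
    """Return the title of a custom error page, or None if the server 404s.

    responses: list of (status_code, body) for paths that cannot exist.
    A single shared title on every 200 answer is the signature to register."""
    statuses = Counter(status for status, _ in responses)
    if statuses.get(404, 0) == len(responses):
        return None  # server already says 404: nothing to register
    titles = Counter(page_title(body) for status, body in responses if status == 200)
    if not titles:
        return None
    title, count = titles.most_common(1)[0]
    return title if title and count == len(responses) else None


def probe_site(base_url, probes=3):
    """Hypothetical helper: fetch a few random impossible paths on your own app."""
    out = []
    for _ in range(probes):
        url = f"{base_url.rstrip('/')}/{uuid.uuid4().hex}"  # path that cannot exist
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                out.append((resp.status, resp.read().decode("utf-8", "replace")))
        except urllib.error.HTTPError as err:  # 404 and other error statuses land here
            out.append((err.code, err.read().decode("utf-8", "replace")))
    return out
```

Run `detect_custom_error_page(probe_site("https://your-app.example"))` against your own application; a returned title is the text to add as a custom error page before scanning.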

Under the Multi-step Operations tab, you can record any complicated access patterns which AppScan may encounter. This is useful if there is a part of your application which can only be accessed using a certain sequence of actions.

Results and Verification

Once the scan is complete, the results can offer plenty of insight into vulnerabilities in the application. Information Security is available to help you interpret the results of your scan and plan how to fix the issues found. Contact them for more information.

  • The results will give you an overview of the problem in Issue Information with a more in-depth analysis in Advisory. There will be recommendations on how to fix the problem in Fix Recommendation.
  • If the issue is a false positive, right-click its title in the main screen and set it as non-vulnerable.
  • Do not report issues as false positives; this will send emails to IBM telling them that there was an issue with the scan.
  • To re-test an individual result, right-click the issue and select Re-test.

After the test, you may be wondering which issues to fix first or which are the most important to address. Information Security suggests addressing the red, high-threat issues first. Next, address any issues that are listed in the OWASP Top 10 threats list. Additional issues can be addressed before release or in later updates to the application.

Once you have fixed these major issues, you may want to verify your fixes. Simply run the saved scan again by executing the same file on the remote desktop.