...
Application security self-scanning helps ensure that your applications are less vulnerable to many common attacks. Please note that AppScan can be dangerous if used on production sites and should only be
For extra safety, if your application runs on a virtual machine, take a snapshot of it before running the scan so that you can roll back any changes the scan causes. Also notify anyone else who might be working on the application that it may be disrupted while the scan is running. What follows is a guide to using IBM's Rational AppScan.
...
AppScan is a badness-ometer: it can show that an application has problems, but a clean scan does not show that the application is secure. After running a scan, you should still test for security issues an automated scanner does not reliably cover, such as exposure of sensitive information, and whether authentication and access control restrictions are actually enforced.
Who should use AppScan? When should scans be run?
Application security self-scanning is a tool for developers who would like to test the security of their new sites. Information Security offers AppScan as an automated application penetration testing tool for this purpose. The earlier AppScan is run in the development process, the easier it will be to fix the security flaws it finds. You can run AppScan as frequently as you like; at a minimum, developers should run it as soon as they have a working site and again before release.

The University has only one AppScan license, so only one scan can be run at a time. For this reason, please notify Information Security before running a scan so that they can confirm it will not conflict with any other scheduled scans. Developers may not yet have access to AppScan; Information Security can add your name or your group's name to the list of registered AppScan users. All scans run from a single virtual machine, which can be accessed via remote desktop from any Tufts computer once access is granted.

Scans can take anywhere from a few hours to a few days, depending on the size of the application being scanned. It is recommended that you start a scan at the end of a workday: most scans will finish overnight, and the results can be reviewed the following day. Information Security is available to help interpret scan results and can also offer consulting on the security of your application. Contact Information Security for more information or to set up a time to review scan results.
...