...

Using application security self-scanning to find and fix vulnerabilities helps ensure that applications are less susceptible to many common attacks. Note that AppScan can be dangerous if used on production sites; it should only be targeted at test or development environments. For extra safety, if your application runs on a virtual machine, take a snapshot of it before running the scan, and notify anyone else working on the application that it may be disrupted while the scan runs. What follows is a guide to using IBM's Rational AppScan.

...

Click Next. If your application requires a log-in, press "Record." This opens your application's URL; navigate to the log-in screen and log in. AppScan records how you got there and the credentials you entered. NOTE: NEVER give AppScan administrator credentials. AppScan will open EVERY link in your application, and for administrators this almost always includes a link that shuts the application down. AppScan cannot tell a disable or shutdown link from any other link, so it will follow it and shut down your application. Give AppScan an ordinary user's credentials instead.
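
To make that warning concrete, here is an added example (not part of the original guide and not IBM AppScan code) that simulates a scanner's explore stage against a small constructed application: a breadth-first crawler follows every link it finds, and the application exposes a hypothetical /admin/shutdown GET link that only an administrator can see. Crawling as an ordinary user never reaches it; crawling as an administrator trips it. All paths, roles and handlers are invented for the illustration.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed toy application (assumption: hypothetical paths and roles).
# Each handler takes the session role and the app state and returns an HTML
# page, or None to stand in for a 403/404.
def _page(links, title="page"):
    return "<html><body><h1>%s</h1>%s</body></html>" % (
        title, "".join('<a href="%s">%s</a>' % (h, h) for h in links))

def home(role, state):
    links = ["/profile", "/reports", "/logout"]
    if role == "admin":
        links.append("/admin")          # admin-only menu entry
    return _page(links, "Home")

def admin_menu(role, state):
    if role != "admin":
        return None                     # 403 for ordinary users
    # A destructive action exposed as a plain GET link: any crawler that
    # follows every link it sees will "click" it.
    return _page(["/admin/users", "/admin/shutdown"], "Admin")

def admin_shutdown(role, state):
    if role != "admin":
        return None
    state["running"] = False            # the side effect we want to avoid
    return _page(["/"], "Shutting down")

ROUTES = {
    "/": home,
    "/profile": lambda r, s: _page(["/"], "Profile"),
    "/reports": lambda r, s: _page(["/", "/reports/1"], "Reports"),
    "/reports/1": lambda r, s: _page(["/reports"], "Report 1"),
    "/logout": lambda r, s: _page(["/"], "Logged out"),
    "/admin": admin_menu,
    "/admin/users": lambda r, s: _page(["/admin"], "Users") if r == "admin" else None,
    "/admin/shutdown": admin_shutdown,
}

class LinkExtractor(HTMLParser):
    """Collects every href on a page, the way a scanner's explore stage does."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def crawl(role, start="/"):
    """Breadth-first explore of the toy app with the given session role.

    Returns (visited_paths, state); state["running"] is False if the crawl
    followed the shutdown link.
    """
    state = {"running": True}
    seen, queue, visited = {start}, deque([start]), []
    while queue:
        path = queue.popleft()
        handler = ROUTES.get(path)
        body = handler(role, state) if handler else None   # None = 403/404
        visited.append(path)
        if body is None:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urlsplit(urljoin(path, href)).path
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return visited, state

if __name__ == "__main__":
    for role in ("user", "admin"):
        visited, state = crawl(role)
        print("%-5s visited %s; app still running: %s"
              % (role, visited, state["running"]))
```

Run it and the "user" crawl stops at the pages a normal account can reach, while the "admin" crawl walks into /admin and then /admin/shutdown. A scanner also submits forms during its test stage, which is why the virtual machine snapshot is still worthwhile even when you scan with an ordinary user's credentials.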

Click Next. Test Policy should be either "Default" or "Complete." Default runs most of AppScan's security tests against your application; Complete runs all of them. Try a Default test policy first, and if it returns few results, run a Complete scan.

...