...
IBM's Rational AppScan is an application penetration testing tool that developers use to test the security of their web applications during development and before deployment. AppScan can also scan applications that are already deployed, but it may not be pointed at live production environments. AppScan spiders and crawls whatever application it is pointed at, then runs roughly 5,000 canned security tests against every page it finds. This tool is a "badness-ometer": it will not tell you that your application is good, only whether you have serious security problems. Developers should still review for accessible sensitive information and other potential holes in an application after running a scan.
Because AppScan is a "badness-ometer", a clean scan is not a clean bill of health. After running a scan, you should still test for other potential security issues, such as exposure of sensitive information and weaknesses in authentication and access control restrictions.
...