
Application Security Self Scanning

Application security self scanning is a tool for developers who would like to test the security of their new sites. Information Security offers AppScan as an application penetration testing tool for this purpose. The earlier that AppScan is run in the development process, the easier it will be to fix the security flaws that it finds. You can run AppScan as frequently as you would like, and developers should consider running AppScan at least as soon as they have a working site and again before release.

The University only has one AppScan license, so only one scan can be run at a time. For this reason, please notify Information Security before running a scan so that they can confirm it will not conflict with any other scheduled scans.

Scans can take anywhere from a few hours to a few days depending on the size of the application being scanned. It is recommended that you start a scan at the end of a workday; most scans will finish overnight and the results can be reviewed the following day.

Information Security is available to help interpret the results of scans and can also offer consulting on the security of your application. Contact Information Security for more information or to set up a time to review scan results.

What is AppScan? 

AppScan is an application penetration testing tool used by developers to test the security of their applications while under development and before deployment. AppScan can also be used to scan applications that are already deployed. AppScan will spider and crawl any application that it is pointed at and then execute about 5,000 canned security tests against every page that it finds. This tool is a badness-ometer: it will not tell you that your application is good, only whether you have really deep security troubles. Because the tests are canned, you should still review the application yourself for accessible sensitive information and other potential holes.
AppScan is a badness-ometer. After running a scan, you should still test for other potential security issues.
Where

Why

How
