Application Security Self Scanning

Using application security self-scanning to find and fix vulnerabilities will help to ensure that applications are less susceptible to many common attacks. Please note that AppScan can be dangerous if used on production sites and should only be targeted at test or development environments. For extra security, if your application is on a virtual machine, take a snapshot of it before running the scan. Also notify any others who might be working on the application that it may be disrupted during the time of the scan. What follows is a guide to using IBM's Rational AppScan. If you need assistance or would like the scan to be run for you, please contact Information Security.

What is AppScan?

IBM's Rational AppScan is an application penetration testing tool used by developers to test the security of their web applications while under development and before deployment. AppScan can also be used to scan applications which are already deployed but may not target live production environments. AppScan will spider and crawl any application that it is pointed at. It will then execute about 5,000 canned security tests against every page that it finds.

This tool is a "badness-ometer". It will not tell you if your application is good. It will simply tell you if you have really deep security troubles. Developers should still review for accessible sensitive information and other potential holes in an application after running a scan.

AppScan is a "badness-ometer". After running a scan, you should still test for other potential security issues, such as potential exposure of sensitive information and authentication and access control restrictions.

Who should use AppScan?

Application security self scanning is a tool for developers who would like to test the security of their new sites. Information Security offers AppScan as an application penetration testing tool for this purpose. Developers may not yet have access to AppScan. Information Security can add your name or your group's name to the list of AppScan registered users.

When should scans be run?

The earlier that AppScan is run in the development process, the easier it will be to fix the security flaws that it finds. You can run AppScan as frequently as you would like, and developers should consider running AppScan at least as soon as they have a working site and again before release. The University only has one AppScan license so only one scan can be run at a time. Scans run on a virtual machine which is accessed via remote desktop on any Tufts computer once access is granted. Scans can take anywhere from a few hours to a few days depending on the size of the application they are scanning. It is recommended that you start a scan at the end of a workday. Most scans will finish overnight and the results can be reviewed the following day. Information Security is available to help interpret the results of scans and can also offer consulting on the security of your application. Contact Information Security for more information or to set up a time to review scan results.

How to Run a Scan

At the start menu of your computer, open "Programs" and then "Remote Desktop Connection." Enter "weber.uit.tufts.edu" as the computer and then click OK. Next authenticate your credentials by clicking "Use Another Account." Enter TUFTS\ and then your UTLN. If you receive a message that says "The identity of the remote computer cannot be verified. Do you want to connect anyway?" select "Yes."

On the desktop of the virtual machine, open IBM Rational AppScan and select "Create New Scan" and then "Regular Scan". This will launch the Configuration Wizard. Select "Web Application Scan."

You will be prompted to enter a starting URL. Enter the URL of your application and then check the box that says "Scan only links in and below this directory." NOTE: This step is very important. If you leave this box unchecked, AppScan will attempt to scan the entire internet instead of only your application and things it links to. This will exponentially increase the amount of time your scan will take to complete. Leaving the box unchecked also violates the Tufts responsible use policy. Please check this box.

Click next. If your application requires a log-in, press "Record." This will open your application's URL and you should then navigate to the log-in screen. AppScan will record how you get there and the credentials that you enter.

NOTE: NEVER give AppScan administrator credentials. AppScan will open EVERY link in your application. For Administrators, this almost always includes a link which will shut down the application. AppScan will not know to differentiate the disable links from other links and it will shut down your application. Please give AppScan a user credential and preferably a demo credential. AppScan will record the credentials that are used for login purposes in plain text which will be readable to anyone who opens the saved scan file. For extra security, if your application is on a virtual machine, take a snapshot of it before running the scan. Also notify any others who might be working on the application that it may be disrupted during the time of the scan.

Click next. Test policy should either be "Default" or "Complete." Default will run most of the security tests that AppScan contains against your application. Complete will run all of AppScan's tests against your application. Try running a default Test Policy first. If you don't get many results, run a complete scan.

Click "Next." Select "Start a Full Automatic Scan" and then select "Finish." You will be prompted to save your scan. Once the scan is saved, it will start automatically. If the scan does not start automatically, find the green button with a triangle in it that says "Scan." Click it and then select "Start Full Scan."

Additional Features

For additional control of your scan, click "Scan Configuration." From there, navigate to the "Explore Options" tab. Not all of these options are necessary for all scans.

Under the Explore Options tab, you can change the depth limit on the scan and change the JavaScript and Flash settings.

Reducing the depth limit will decrease the number of steps away from the original URL that AppScan will take. Increasing the depth limit will do the opposite.

JavaScript includes options for discovering URLs in JavaScript, which AppScan will not do automatically.

Flash also includes options to discover URLs and execute Flash files which AppScan will not do automatically.

Under the Communication and Proxy tab, you can change the Communication settings.

Timeout: If your application is responding slowly, you can increase the seconds until AppScan stops trying to open a page.

Number of Threads: If the application is crashing, you can reduce the number of pages that AppScan will attempt to hit at a time. This will also slow down the scan, making it longer.

Under the Error Pages tab, you can add custom error pages. If there are any custom error messages in your application, it is highly recommended that you add them. If AppScan attempts to open a page and encounters a custom error message that has not been added, it will not recognize it and the results will show that it hacked into a private area of the application.

Under the Multi-step Operations tab, you can record any complicated access patterns which AppScan may encounter. This is useful if there is a part of your application which can only be accessed using a certain sequence of actions.

Results and Verification

Once the scan is complete, the results can offer plenty of insight into vulnerabilities in the application. Information Security is available to help you interpret the results of your scan and plan how to fix them. Contact them for more information.

The results will give you an overview of the problem in Issue Information with a more in-depth analysis in Advisory. There will be recommendations on how to fix the problem in Fix Recommendation.
If the issue is a false positive, right click on the title in the main screen and set as non-vulnerable.
Do not report issues as false positives; this will send emails to IBM telling them that there was an issue with the scan.
To re-test an individual result, right click the issue and select re-test.

After the test, you may be wondering what issues to fix first or what are the most important issues to address. Information Security suggests first addressing the red, high threat issues first. Next, address any issues that are listed in the OWASP Top 10 threats list. Additional issues can be addressed before release or in later updates to the application.

Once you have fixed these major issues, you may want to verify your fixes. Simply run the saved scan again by executing the same file on the remote desktop.

Browser not supported