IBM Security AppScan Standard eXtensions Framework

Software add-ons that extend new functionality to AppScan Standard

IBM®Security® AppScan Standard is a leading suite of automated Web application security solutions that scan and test for common Web application vulnerabilities. Unlike other solutions that inundate users with vulnerability data, AppScan Standard provides intelligent fix recommendations and advanced remediation capabilities, such as comprehensive task lists necessary to fix vulnerabilities uncovered during the scan and improve an organization's overall security posture. The AppScan Standard eXtensions Framework helps you extend new functionality to AppScan Standard and advance your automated Web application security solution.

What are AppScan Standard eXtensions?

AppScan Standard eXtensions are software add-ons that extend new functionality to AppScan Standard. They can add anything from a minor utility that performs a simple task, to a full blown application that performs many complex actions. By using eXtensions, users can customize AppScan Standard to their own needs, just the way they like it. Here are some examples of things you can perform using the AppScan Standard eXtensions Framework:

Build your own eXtensions

You can find the SDK Documentation under the /Docs directory in your AppScan Installation directory.

To begin writing your own eXtension, you first have to add the following namespaces to your project's source code:

This is done by adding the following lines of code to the beginning of your source file:

In addition, you should add AppScan Standard's Public SDK DLL (C:\Program Files (x86)\IBM\AppScan Standard\AppScanSDK.dll) to your project's References--Figure 1

Figure 1. Adding AppScan Standard's Public SDK to your project's References
screen capture to show how to add AppScan Standard's Public SDK to your project
Figure 2. Cont'd--Adding AppScan Standard's Public SDK to your project's References
screen capture to show how to add AppScan Standard's Public SDK to your project

In order to supply extension information, your project may include an XML file (should be named "info.xml"), containing information that will be presented in the Extension Manager (more information in the next section and in the sample code below).

Your new AppScan Standard eXtension should implement the IExtensionLogic interface (Figure 3).

There are three different ways for the extension to integrate into AppScan Standard, as defined by the interface:

Figure 3. IExtensionLogic interface UML model
screen capture to show IExtensionLogic interface UML

Publishing your eXtensions

If you would like your eXtension (or download location) to be published and linked from our AppScan Standard eXtensions Framework pages, please email us at: wfwebmaster@ca.ibm.com.

When you have completed your eXtension, you should package it for reuse with AppScan Standard. Packaging of the eXtension is done in the following way:

Optionally, you can manually create a directory for your extension under "Application Data: TODO", and put your DLL and info.xml file into this directory. This replaces the installation process.

Figure 4. AppScan Standard's Extension Manager window
screen capture to show AppScan Standard's Extension Manager window

Code samples

The following code demonstrates how to implement an extension that registers to an AppScan Standard event, using the AppScan Standard eXtensions Framework.
using System;
using System.Collections.Generic;
using System.Windows.Forms;

using AppScan;
using AppScan.Scan;
using AppScan.Events;
using AppScan.Extensions;
using AppScan.Scan.Events;

namespace MyExtension1
{
/// <summary>
/// SayIt main implementation class.
/// implementing the IExtensionLogic interface
/// </summary>
public class MyExtension : IExtensionLogic
{
/// <summary>
/// extension initialization. typically called on AppScan's startup
/// </summary>
/// <param name="appScan">
main application object the extension is loaded into
</param>
/// <param name="extensionDir">
extension's working directory
</param>
public void Load
(IAppScan appscan, IAppScanGui appScanGui, string extensionDir)
{
appScan = appscan;
RegisterToAppScanEvents();
}

/// <summary>
/// Register to AppScan events
/// </summary>
private void RegisterToAppScanEvents()
{
appScan.Scan.StateChanged += Scan_StateChanged;
}

#region event handlers

private void Scan_StateChanged(object sender, StateChangedEventArgs e)
{
if (e.CurrentState == ScanOperationState.Exploring)
{
MessageBox.Show("Now Exploring");
}
}

#endregion event handlers

The following code demonstrates how to add new menu items to AppScan Standard. The first menu item is added to the Tools > Extensions menu, and the second is added as an Issue context menu item (right-click on an Issue). using System;
using System.Collections.Generic;
using System.Windows.Forms;

using AppScan;
using AppScan.Events;
using AppScan.Extensions;
using AppScan.Scan.Data;

namespace MyExtension1
{
/// <summary>
/// GuiDemo main implementation class.
/// implementing the IExtensionLogic interface
/// </summary>
public class GuiDemo : IExtensionLogic
{
#region Initialization

/// <summary>
/// extension initialization. typically called on AppScan's startup
/// </summary>
/// <param name="appScan">main application object the extension is loaded into</param>
/// <param name="extensionDir">extension's working directory</param>
public void Load
(IAppScan appscan, IAppScanGui appScanGui, string extensionDir)
{
InitGuiHooks();
RegisterGuiHooks(appScanGui);
}

/// <summary>
/// Creates the menu entries objects
/// </summary>
private void InitGuiHooks()
{
extMenuItems = CreateMenuItems();
// Create a (Tools->Extension) menu entry collection
IssueMenuItems = CreateIssueContextMenuItems();
// Create a context-menu entry collection
}
/// <summary>
/// Add menu entries to AppScan
/// </summary>
/// <param name="appScanGui"></param>
private void RegisterGuiHooks(IAppScanGui appScanGui)
{
foreach
(IMenuItem<EventArgs> item in extMenuItems)
appScanGui.ExtensionsMenu.Add(item);

foreach
(IMenuItem<IssuesEventArgs> item in IssueMenuItems)
appScanGui.IssueContextMenu.Add(item);
}

#endregion Initialization

#region GUI itmes construction

private ICollection<IMenuItem<EventArgs>> CreateMenuItems()
{
mainExtMenuItem = new MenuItem
<EventArgs>(messagePrefix + "Hello!", DelegateEmpty);
List<IMenuItem<EventArgs>> items =
new List<IMenuItem<EventArgs>>();
items.Add(mainExtMenuItem);
return items;

}
private ICollection<IMenuItem<IssuesEventArgs>> CreateIssueContextMenuItems()

{
mainIssuesExtMenuItem =
new MenuItem<IssuesEventArgs>(messagePrefix + "Operation 1", DelegateIssue1);
List<IMenuItem<IssuesEventArgs>> items =
new List<IMenuItem<IssuesEventArgs>>();
items.Add(mainIssuesExtMenuItem);
return items;
}
#endregion GUI itmes construction
#region delegates
/// <summary>
/// Tools-Extensions menu entry action
/// </summary>
/// <param name="args"></param>
private static void DelegateEmpty(EventArgs args)
{
MessageBox.Show("Hello!", messageTitle);
}
/// <summary>
/// Issue-context menu entry action
/// </summary>
/// <param name="args"></param>
private void DelegateIssue1(IssuesEventArgs args)
{
DoDelegateIssue(1, args.issues);
}

private static void DoDelegateIssue(int num, ICollection<IIssue> issues)
{
if (issues != null)
{
MessageBox.Show
("Issue operation " + num.ToString()
+ " issues count: " + issues.Count, messageTitle);
}
else
MessageBox.Show
("Issue operation " + num.ToString()
+ " issues list is empty", messageTitle);
}
#endregion delegates
#region data members
IMenuItem<EventArgs> mainExtMenuItem;
IMenuItem<IssuesEventArgs> mainIssuesExtMenuItem;
ICollection<IMenuItem<EventArgs>> extMenuItems;
ICollection<IMenuItem<IssuesEventArgs>> IssueMenuItems;

const string messageTitle = "GuiDemo ";
const string messagePrefix = "GuiDemo: ";

#endregion data members

#region other

/// <summary>
/// retrieves data about current available ext-version
/// </summary>
/// <param name="targetApp">app this extension is designated for</param>
/// <param name="targetAppVersion">current version of targetApp</param>
/// <returns>
update data of most recent extension version,
or null if no data was found, or feature isn't supported.
It is valid to return update data of current version.
extension-update will take place only if returned value indicates
a newer version
</returns>
public ExtensionVersionInfo GetUpdateData
(Edition targetApp, System.Version targetAppVersion)
{
return null;
}

#endregion other

}
}

The following code shows an example of an info.xml file. <?xml version="1.0"?>

<AppScanExtension>

<!-- Front End MetaData -->
<FullName>MyExt</FullName>
<Description>Sample Extensions that does nothing</Description>
<Version>1.0</Version>
<Author>Author Name</Author>
<Copyright>My Copyright info</Copyright>
<HomepageURL>http://www.ibm.com/developerworks/rational/products/appscan/</HomepageURL>
<IconFile>MyExt.gif</IconFile>
<MainDllFile>MyExt.dll</MainDllFile>

<!-- Target Application this extension can install into,
with minimum and maximum supported versions. -->
<TargetEdition>

<!-- supported values: AppScanAuditors, AppScanDev, AppScanQA, AppScanXM, All -->
<ID>All</ID>

<MinCompatibleVersion>7.5</MinCompatibleVersion>
<MaxCompatibleVersion>7.9</MaxCompatibleVersion>

</TargetEdition>

</AppScanExtension>

Frequently asked questions

How/Where do I download and install AppScan Standard eXtensions?
You can download free AppScan Standard eXtensions by linking to the AppScan Standard eXtensions Framework from the IBM developerWorks site at: http://www.ibm.com/developerworks/rational/products/appscan/

What's the advantage for me, as a developer, to use AppScan Standard eXtensions in my projects?
AppScan Standard eXtensions allow you to integrate your own knowledge and code into the automated scanning process while leveraging AppScan Standard as a platform for Web application security scanning and reporting. Your own utilities can now make use of AppScan Standard's crawling engine, advanced reporting, powerful communication layer (e.g. SSL support, Client Side Certificates, Advanced Session State Management, etc.) and automated testing capabilities.

Who can write AppScan Standard eXtensions?
Users who own a copy of AppScan Standard 7.5 (or above) can immediately start developing their own extensions by using AppScan Standard's public SDK and the AppScan Standard eXtensions Framework, which comes bundled with documentation and code samples.

What is the AppScan Standard Public Software Development Kit (SDK)?
The AppScan Standard Public SDK is a programming package which enables you to develop applications that integrate with AppScan Standard closely. The SDK provides interface specifications and API libraries to AppScan Standard as well as thorough documentation and code samples of how to use them.

AppScan Standard's Public SDK is ideal for those who wish to integrate their own applications with the industry's leading Web application security scanner. It is available to end users of AppScan Standard, as well as value-added resellers (VARs) and independent software vendors.

You can write your own applications (or AppScan Standard eXtensions) using the AppScan Standard Public SDK in any language that is .NET-CLR compliant (e.g. C#, VB.NET, VB or J#). In addition, you can use the SDK with the Python scripting language, using PyScan, an integration between Python and AppScan Standard that comes built-in with AppScan Standard v7.5.

Where can I find the AppScan Standard SDK documentation?
You can find the SDK Documentation under the /Docs directory in your AppScan Standard Installation directory.

Is there a discussion forum that I can visit to ask questions about eXtensions to the broader community?
You can post your questions in the AppScan Standard forum on developerWorks.

Connect with IBM developerWorks