IBM Security AppScan Source: Explore functions

Discover reporting, scanning, triage, and analysis functions for AppScan Source Edition

This is a summary guide to learn the basics of using IBM® Security AppScan® Source Edition. Derek Chowaniec will show you how to configure applications for scanning, alter the scanning configuration for your security needs, use the integrated tools to build a report, triage the information based on your findings, and configure the system to scan and analyze precompiled code. Tom Mulvehill shows you how to hunt down vulnerabilities in Android applications.

developerWorks security editors, IBM staff, IBM

This article is brought to you by the editors of the developerWorks Security site.



11 July 2013

IBM® Security AppScan® Source Edition helps reduce risk exposure by integrating application security testing into the software development life cycle. This lets organizations identify software vulnerabilities early in the life cycle so they can be eliminated before deployment. Security AppScan Source supports testing for mobile applications, including those written in Java™ code, C#, and Objective-C.

In this article, IBM Security's Derek Chowaniec explains how to configure applications for scanning, how to alter the scanning configuration of AppScan for your security needs, how to use the integrated tools to build a report, how to triage the information based on your findings, and how to configure the system to scan and analyze precompiled code. IBM Product Manager Tom Mulvehill finishes this article by showing you how to use AppScan Source to hunt down vulnerabilities in Android applications.

Configuration

IBM Security's Derek Chowaniec demonstrates how to manually configure a Java application for IBM AppScan Source Edition for application scanning.


Scanning

Derek demonstrates how to alter and customize existing scanning configurations for your security needs.


Reporting

Derek demonstrates the tools you use to build a simple report with IBM AppScan Source. He explains how you can:

  • Generate a simple set of general findings by property or criteria. You can set surrounding parameters (lines above and below the offense code) to include in your trace data and the vulnerability types to include.
  • Map all findings to a predetermined set of security profiles to place your findings in a broader context.

There is a full set of easily portable formats in which you can save your reports.


Triage

Derek demonstrates the tools you use to perform security triage on applications with IBM AppScan Source. The tools are organized as four views:

  • Assessment summary. You can visualize your assessment by vulnerability type, by API, by project, or by file.
  • Vulnerability matrix. Allows you to view results by severity as well as by vulnerability type. This view also separates results into vulnerabilities (findings that are definitely a problem) and exceptions (findings that need further examination).
  • Findings. Offers a list of different contexts in which you can view your findings.
  • Bundles. Allows you to group the vulnerabilities you have found into categories.

A segment selected in one view automatically changes the organization of information in the other views, allowing you to focus on the same segment in various ways.

In this second segment, Derek continues discussing bundling as a tool to prioritize vulnerabilities and as a way of sharing information with other team members. He discusses the concept of the excluded bundle, a way of removing a group of exceptions from the workflow so they are not considered.

Derek concludes with filtering options for severity, types, classifications, and so on.

Derek mentions exclusions when discussing the vulnerability matrix. Most of the work in the reporting and triage sections of this article so far has been done after the scan is complete, but you can set up exclusions before you scan. Exclusions set before scanning can speed up scan completion.

Exclusions can be set at different levels: you can exclude sets of issue bundles, and you can exclude by filter. The exclude filter tool is quite powerful. After you've tightly focused your vulnerability search by creating custom filters, you can choose to exclude all findings that match the filters or all findings that do not match the filters.


Analyzing bytecode

When AppScan configures an application for a scan, it compiles the application source code into an intermediate representation. But what if the source code doesn't compile? AppScan Source contains functions that allow it to scan code such as .NET assemblies, chunks of precompiled code that can be executed by the .NET runtime environment. Derek takes you on a two-part tour of how AppScan Source tools handle this type of advanced security screening.


AppScan in action: securing mobile

IBM Product Manager Tom Mulvehill demonstrates how to use IBM Security AppScan Source to identify security vulnerabilities in Android applications. He explains how to isolate mobile application risks down to individual lines of code and outlines AppScan's vulnerability matrix tool. The Android application in question is a restaurant phone app.
