I am using both AppScan Standard Edition and AppScan Enterprise Edition.
But I am not able to understand the relationship between Standard Edition and Source Edition.
I want to know which tool should be run first.
If we run the Source Edition first, then is there a need to run Standard Edition on an application?
Please help me.
Thanks in advance.
Topic: Relationship between AppScan Standard Edition and AppScan Source Edition???
Accepted answer, posted by SystemAdmin on 2011-04-09T20:56:01Z:

Hi Deepti,
Standard (and Enterprise) Edition are our dynamic analysis products; they work by sending requests to a QA or test instance of the web application being reviewed to pinpoint vulnerabilities, similar to the way a penetration tester would. Source Edition is a static analysis tool, which means it runs on the source code without the application having to be run or deployed to the web server. There are advantages to each technology, and we frequently recommend companies make use of both.
Since Source works from the source code and can be run far before the application is ever deployed, we always recommend that Source be run first, in the code and build phases of the SDLC. Dynamic is typically best used during the test/QA phase and just prior to the push to production. In terms of what should be implemented first, it really depends on the maturity of the organization's security and development organizations, but we usually recommend Standard first because the implementation process is easier for a dynamic product than for a static analysis product.
Advantages of Source Edition (static analysis):
- Findings directly tied to their locations in the source
- Test earlier in the life-cycle
- Test sub-components of an application
- Non-web applications, infrastructure, middleware
- All control flows
- Illuminate architecture and logic
- No cross-domain requirement

Advantages of Standard Edition (dynamic analysis):
- Lower learning curve
- Findings include attack vectors
- Scan unsupported source languages
- 3rd-party applications (no source)
- Find configuration vulnerabilities
- Smaller finding sets