Latest post: 2011-04-09T20:56:01Z by SystemAdmin

Relationship between AppScan Standard Edition and AppScan Source Edition???

2011-03-18T16:15:06Z

I am using both AppScan Standard Edition and AppScan Enterprise Edition.

But I am not able to understand the relationship between Standard edition with Source Edition.

I want to know which tool should be run first?
If we run the Source Edition first, then is there a need to run Standard Edition on an application?

Please help me....

Thanks in advance..
  • SystemAdmin

    Re: Relationship between AppScan Standard Edition and AppScan Source Edition???

    Hi Deepti,

    Standard (and Enterprise) Editions are our dynamic analysis products; they work by sending requests to a QA or Test instance of the web application being reviewed to pinpoint vulnerabilities, similar to the way a penetration tester would. Source Edition is a static analysis tool, which means it runs on the source code without it having to be run/deployed to the web server. There are advantages to each technology and we frequently recommend companies make use of both.

    Since Source works from the source code and can be run far before the application is ever deployed, we always recommend that Source be run first, in the code and build phases of the SDLC. Dynamic is typically best used during the test/QA phase and just prior to the push to production. In terms of what should be implemented first, it really depends on the maturity of the organization's security and development organizations, but we usually recommend Standard first because the implementation process is easier for a dynamic product versus a static analysis product.

    Findings directly tied to their locations in the source
    Test earlier in life-cycle
    Test sub-components of an application
    Easier automation
    Fast scanning
    Non-web-applications, infrastructure, middleware
    All control flows
    Illuminate architecture and logic
    Consistent Automation
    Simpler configuration
    No cross-domain requirement
    Lower learning curve
    Findings include attack vectors
    Scan unsupported source languages
    3rd party applications (no source)
    Find configuration vulnerabilities
    Smaller finding sets