Latest Post - 2013-12-06T15:36:19Z by ScottH

Pinned topic AppScan Standard vs Source scanning capabilities comparison with example

2013-01-07T17:30:30Z
Can someone provide examples to illustrate the different capabilities between AppScan Source edition and AppScan Standard edition? Are there vulnerabilities that Standard can find and Source cannot and vice versa?

  • ScottH

    Re: AppScan Standard vs Source scanning capabilities comparison with example


    Hi David,

    There is no direct comparison between the two tools, as they both approach application security in different ways.  More accurately, they complement one another.

    As a white box scanner, AppScan Source is used during the development cycle to scan your application.  With this you are able to confirm whether your application performs the validations of input required by your business security policy.  It does this through a static analysis of your source code.  This fits in more with the development phase of the lifecycle.

    As a black box scanner, AppScan Standard (and AppScan Enterprise) performs a live scan against a running and deployed web application.  This scan approach is similar to what a hacker may attempt against your application.  Because this is done against a deployed and running web application, it is typically done later in the lifecycle during testing.


    So as you can see, Source attempts to identify and allow you to mitigate issues in your code early in the lifecycle while Standard and Enterprise target your running application and attempt to identify issues with the deployed application and application server environment.
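As an added illustration of the white-box side of the answer above (this is example code written for this thread, not AppScan Source's engine or output), the block below runs a deliberately small taint analysis over a constructed snippet of web-handler code. It marks anything read from `request` as untrusted, treats the hypothetical `validate_username()` helper as the validation the business policy requires, and reports any `db.execute(...)` call that receives unvalidated input. The handler names, the `request.args.get` access pattern and the sanitizer name are all assumptions made for the example. Real static analyzers are far more thorough (flow- and path-sensitive, interprocedural), but the shape is the same: reason about source text without running it, which is also why it can say nothing about the deployed server environment that a black-box scan observes.

```python
import ast

# Constructed sample in the style of a web framework handler module (hypothetical
# names, not taken from any real project or from AppScan). lookup_user and search
# pass request data to the database unvalidated; lookup_user_safe validates first
# and uses a parameterised query.
SAMPLE_SOURCE = '''
def lookup_user(request, db):
    name = request.args.get("name")
    return db.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_user_safe(request, db):
    name = validate_username(request.args.get("name"))
    return db.execute("SELECT * FROM users WHERE name = ?", (name,))

def search(request, db):
    return db.execute("SELECT * FROM items WHERE title LIKE '%" + request.args.get("q") + "%'")
'''

SANITIZERS = {"validate_username"}   # hypothetical validation helpers (assumption)
SINK_METHODS = {"execute"}           # method calls treated as sinks, e.g. db.execute(...)


def _is_source_call(call):
    """True for calls such as request.args.get(...): callee chain rooted at 'request'."""
    node = call.func
    while isinstance(node, ast.Attribute):
        node = node.value
    return isinstance(node, ast.Name) and node.id == "request"


def _is_tainted(expr, tainted_names):
    """An expression is tainted if it reads a tainted variable or a request source."""
    for node in ast.walk(expr):
        if isinstance(node, ast.Name) and node.id in tainted_names:
            return True
        if isinstance(node, ast.Call) and _is_source_call(node):
            return True
    return False


def _is_sanitized(expr):
    """True when the whole value is wrapped in a known validation helper."""
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Name)
            and expr.func.id in SANITIZERS)


def scan(source):
    """Return findings for sink calls that receive unvalidated request input.

    Each finding is {"function": name, "line": lineno, "sink": method}.
    Taint is tracked per function over straight-line statements in source
    order; this toy is flow-insensitive within a statement and does not follow
    calls into other functions.
    """
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            # Propagate taint through simple single-target assignments.
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                if _is_sanitized(stmt.value):
                    tainted.discard(target)
                elif _is_tainted(stmt.value, tainted):
                    tainted.add(target)
            # Report any sink call whose arguments carry taint.
            for node in ast.walk(stmt):
                if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                        and node.func.attr in SINK_METHODS
                        and any(_is_tainted(arg, tainted) for arg in node.args)):
                    findings.append({"function": func.name,
                                     "line": node.lineno,
                                     "sink": node.func.attr})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f['function']} line {f['line']}: unvalidated request input reaches {f['sink']}()")
```

Running the module reports two findings, `lookup_user` at line 4 and `search` at line 11 of the sample, and nothing for `lookup_user_safe`, because the assignment through `validate_username()` clears the taint before the value reaches the sink. That is the essence of what a white-box tool checks in the development phase; whether the database user on the deployed server is over-privileged, or the application server leaks version banners, is invisible here and is what the black-box scan covers later in the lifecycle.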