We are in the process of upgrading from AppScan SE 8.5 to AppScan SE 8.8. We tend to base our scans on small manual explores with non-vulnerable variants turned on. We have gotten burned several times, so we are meticulous about reviewing the non-vulnerable variants to ensure that AppScan is testing effectively. We usually use the Application Only policy.
Our testers have been noticing that they are not seeing Blind SQL tests in the non-vulnerable variants, and that the number of SQL tests is down dramatically when compared to AppScan 8.5 scans.
We have a PMR open with AppScan Support, but are wondering if others are seeing the same behavior. We would appreciate it if you could post any feedback here.