Security testing overview
You can run tests in HCL AppScan Enterprise Edition and view any resulting defects in Engineering Test Management. You can also run security tests using HCL AppScan Tester Edition directly from the Engineering Test Management application.
Testing with HCL AppScan Enterprise Edition software
When integrating with HCL AppScan, you create and run tests in it. You then view any resulting defects in Engineering Test Management. For more information, see the HCL AppScan documentation for your product version.
Testing with HCL AppScan Tester Edition software
HCL AppScan Tester Edition software is designed to help organizations distribute responsibility for security testing among multiple stakeholders and to help users test for vulnerabilities such as Cross-site scripting, buffer overflows, and SQL injection early in the Web application delivery life cycle.
Security tests should be performed in a preproduction environment, such as on a staging server or a Quality Assurance server. This helps you better contain the risks associated with performing security scans. The preproduction environment should mirror the production environment as much as possible — the application should have the same executable files in both environments — so that you know you are thoroughly testing your exposed application.
Performing a security scan in a production environment is not recommended because of the risks associated with these scans. Sometimes it might be necessary to scan a production environment, perhaps to comply with audit requirements, to detect whether your site has been hacked, or to validate that the SDLC process for integrating security scans is being employed. Regardless of your reasons, it's best to begin scanning a preproduction environment and then move the scan to your production environment. This will help to ensure that the security tests pose less risk to your servers.
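The guidance above hinges on the staging deployment carrying the same executable files as production; otherwise the scan tests something other than the exposed application. The following is an added example, not part of this documentation or of any HCL AppScan product, of a pre-scan check that hashes every file under two deployment roots and reports files that differ, are missing from staging, or exist only on staging. The directory layout and file names are constructed for the demonstration.

```python
"""Verify that a staging (preproduction) deployment matches production
before running a security scan against it.
Added example; the tree layout and file names below are constructed and
are not from any HCL AppScan product."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(staging, production):
    """Return the differences that would make a staging scan unrepresentative."""
    staging_files = set(staging)
    production_files = set(production)
    return {
        # same path, different content: the scan would test a different binary
        "changed": sorted(p for p in staging_files & production_files
                          if staging[p] != production[p]),
        # present in production only: never covered by the staging scan
        "missing_in_staging": sorted(production_files - staging_files),
        # present in staging only: findings against it may not apply to production
        "extra_in_staging": sorted(staging_files - production_files),
    }


def environments_match(staging_root, production_root):
    """True when every file in both trees is byte-for-byte identical."""
    diff = compare_manifests(build_manifest(staging_root),
                             build_manifest(production_root))
    return not any(diff.values())


def write_tree(root, files):
    """Helper: create a constructed deployment tree from {relative path: bytes}."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build two constructed deployments and return how they differ."""
    with tempfile.TemporaryDirectory() as staging, \
            tempfile.TemporaryDirectory() as prod:
        write_tree(staging, {
            "bin/app.war": b"release-2.1 build A",
            "lib/auth.jar": b"auth v3",
            "lib/debug-tools.jar": b"only on staging",
        })
        write_tree(prod, {
            "bin/app.war": b"release-2.1 build B",   # a different build
            "lib/auth.jar": b"auth v3",
            "lib/payment.jar": b"never deployed to staging",
        })
        return compare_manifests(build_manifest(staging), build_manifest(prod))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the check as a gate before the scan starts: an empty result means the scan exercises the same binaries that are exposed in production, while any entry under `changed` or `missing_in_staging` means the staging results cannot be read as results for the production application.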
Browser-based attacks exploit flaws in the Web application code. The software most vulnerable to these types of attacks includes:
- User interface code: provides the design of the site
- Web server: supports the physical communication between the user's browser and the Web applications
- Front-end applications: interface directly with the user interface code and with back-end systems
Security scans should be integrated into your Software Development Life Cycle (SDLC) process so that you can catch security issues before they make their way into your production environment.
For further information, see the HCL AppScan Enterprise documentation.