What is new or different in AppScan v9.0.1.1
What is new or different in AppScan Enterprise v9.0.2 if you're upgrading from v9.0.1.1

Larissa Berger
Miriam Fitzgerald
April 24, 2015

Abstract: This white paper guides customers through the new features introduced in AppScan Enterprise v9.0.2, and the product changes they'll encounter when upgrading from v9.0.1.1.

Contents

Monitor View updates
Portfolio tab
Dashboard tab
Dashboard – Black banner
Easy access to help
Dashboard – Lower White area - Charts Overview
Security Risk Rating Chart
Security Risk Rating by Business Unit Chart
Testing Status Chart
Open Issues Chart
Applications with Open Issues
Top Issue Types Chart
Issue Severity (Max) Chart
Issue Severity (Max) by Business Unit Chart
Issue Management improvements
New Issue Status
Group by Severity, Issue Type, Status – Application View
Issue Export
Locate Issue by Issue ID
Scan template
Create Scan Template in AppScan Enterprise
TEST: Security configuration
EXPLORE: What to Scan
GENERAL: Job Properties
GENERAL: Template Configuration
Create Scan Template in AppScan Standard
SCAN template in the Template Folder view
Scans based on Scan Template
QuickScan based on Scan Template
Create QuickScan based on Scan template
Edit QuickScan based on Scan Template
Content Scan Job - Scans view
Create content scan job based on scan template
Edit content scan job based on scan template
Create a Scan from an application in the Monitor View
Create content scan job based on scan template
Edit content scan job based on scan template
Global Update and Scan jobs based on Scan template
More on the AppScan Dynamic Analysis Client
Administration changes in v9.0.2
Proxy settings for AppScan Dynamic Analysis Client
Liberty Upgrade
Maximum memory allocation for a security scan process
Resources
About the authors

Monitor View updates

When you upgrade to v9.0.2 from v9.0.1.1 and open the Web UI of AppScan Enterprise, you will start on the Portfolio tab in the Monitor View, just as you did in v9.0.1.1. New in v9.0.2, you will see a Dashboard tab beside the Portfolio tab. Both of these tabs are always present in the Monitor View.

Portfolio tab

In v9.0.2, the left side black panel offers only Filters and Search capabilities, and no longer contains the charts that used to be available when you fully expanded this panel in v9.0.1.1. The charts have been moved to the new Dashboard tab.

Dashboard tab

The new Dashboard tab displays a view similar to the example below. It has two distinct areas: a black banner on the top and a white area with a chart display at the bottom.

Dashboard – Black banner

In the left top corner of the black banner you see a dropdown that displays "All Business Units". This is the default value for the Dashboard display, and it means that the banner and the white chart area display metrics aggregated across your entire portfolio (that is, metrics are based on information aggregated for all applications in your portfolio, across all business units). Click the arrow to the right of the "All Business Units" text to select a particular business unit. The data in the black banner (and in the white chart area below) will then reflect the security testing state of the applications only for the selected business unit.

Underneath the business unit selection dropdown there is an area that focuses on the Security Risk Rating of applications. Why do you need to see this in the Dashboard?
Because you can focus very quickly on the applications in your portfolio or business unit that represent the highest potential risk to your business, and therefore require immediate attention in terms of remediation efforts. Simply clicking the number beside the Critical Security Risk rating brings you to a filtered view of the Portfolio tab that displays exactly those 8 applications. You can start working with these right away, and you can navigate back to the Dashboard with one click if you need to continue with the High Security Risk Rating applications, for example, or if you want to view other metrics provided in the Dashboard.

For your convenience, the help explaining the Security Risk Rating and how it is determined is at your fingertips: click the link and review the details without leaving the Web UI. However, note that the explanation of the Security Risk Rating in this case is based on the default formula provided in AppScan Enterprise. The Security Policy of your company may differ from the default we have provided. If this is the case, contact your Security Program Lead to find out how the application Security Risk Rating is determined for your applications.

In the top right corner of the black banner, you can see the testing progress of the applications (based on your selection in the Business Unit dropdown list). Clicking the actual percentage number brings you to the Portfolio tab, which shows all tested applications.

The small control above the "Tested" indicator is used to export the data for the selected business unit or the entire portfolio to an Excel spreadsheet for offline analysis. The Excel spreadsheet is available to you in case you would like to further customize certain data displays based on the data available from Application Security Management in AppScan Enterprise.
If you have never used the Application Security Management functionality before this upgrade, it is normal for all the data in the black banner area to be "0".

Easy access to help

The icon to the right of the "Export to Excel" control launches help for the Dashboard tab. If you scroll down to the bottom of the Help window, you will see a link; clicking it brings you to a summary page where you can find quite a few useful "How to" videos on taking full advantage of the capabilities provided by Application Security Management and staying ahead of the game in securing your applications.

Dashboard – Lower White area - Charts Overview

There are currently 8 chart types available in v9.0.2, and these can be classified in two groups:

New trend charts: Security Risk Rating, Testing Status, Open Issues, Applications With Open Issues

Charts that were available in v9.0.1.1 and moved to the Dashboard tab: Security Risk Rating by Business Unit, Top Issue Types, Issue Severity (Max), Issue Severity (Max) by Business Unit

Trend charts are only available to users who have permission to see them. The Administrator grants this permission, "View trends", when setting up user types and access rights. Therefore, if trends are accessible to the current user, the default view displays the Security Risk Rating chart; otherwise, it displays the Security Risk Rating by Business Unit chart.

All charts except the Top Issue Types chart are adjusted when you switch between business units (via the black banner selection) or All Business Units. The Top Issue Types chart can only be displayed for All Business Units, since it shows metrics that are applicable only to the entire application portfolio.

Trend charts accumulate data to display on a monthly basis. Each trend chart shows 24 months up to and including the current month. Therefore when v9.0.2 is installed, trend charts will not be fully populated, but will fill up with time.
This is normal and expected, just as all the charts will be empty if you have never used Application Security Management before.

The chart display can be changed via the chart selection dropdown, displayed in the top left corner of the charting area. The dropdown selection shows only the charts available to the current user.

Security Risk Rating Chart

Here is how this chart looks by default*.

*This is a trend chart, and the data in this chart accumulates over time, at the end of each calendar month, focusing on the last 24 months. Obviously, if you have just upgraded to v9.0.2, you have not yet accumulated all this data. Therefore "default" here means what the chart will look like over time. You will likely see only one bar, corresponding to the month when you first started using AppScan Enterprise v9.0.2.

The Security Risk Rating chart tracks how the security risk rating for your application portfolio changes over time. Ideally, you want the majority of your applications to have the lowest possible Security Risk Rating. If your applications are trending otherwise, you may have to adjust your processes, or deploy other measures to keep your security management efforts on track.

This chart is customizable: you can focus the chart display by selecting only the category check boxes you would like to see. The most recent data bar shows the most recent month's data, and it is accompanied by a detailed breakdown by Security Risk Rating.
Just like in the black banner, clicking any of these links brings you to a filtered view of the Portfolio tab. Click the calendar bars of any previous month to see aggregated totals, as in the next example, which shows the breakdown for Dec 2014. The only caveat here is that these totals are not live links.

Security Risk Rating by Business Unit Chart

This chart shows applications by Security Risk Rating in each Business Unit so that you can compare at a glance and easily identify where your remediation efforts are needed most. In the example above, the Commercial Transportation business unit definitely requires attention in terms of remediation efforts: it owns the most Critical and High risk applications within the portfolio.

Clicking each color block within a Business Unit bar brings you to a filtered view of the Portfolio tab that only displays the applications with that risk rating, so you can start working with these applications without delay. If you select a particular business unit from the Business Unit dropdown in the black banner, the chart displays only a single bar for that business unit. Hover over each chart section to see the number of applications in that category.

Testing Status Chart

This chart shows how the testing status of your applications changes over time. You certainly want to see progress, so that with time the majority of your applications move from "Not Started" to "Completed". You can focus this display by deselecting unwanted Testing Status states from the legend of the chart (use the corresponding checkboxes). If you would like to start working with applications in a particular Testing Status, you can click the corresponding link in the trend summary menu, and these applications will be shown to you in the Portfolio tab.
For example, to view applications that have not gone into testing yet, click the "36 Not Started" link.

Open Issues Chart

This chart shows how the number of open issues in the portfolio or the selected business unit changes over time. Click the bar or a month name to view the totals for a particular month. You should aim to have a low number of open issues as time passes. This number might become lower as the applications become safer, and as the triage and remediation activities become more efficient in your business.

In the example above, the last month has a spike of Open issues. While there is no quick link to view these (as we have no means of showing an aggregated view of issues across different applications), you can still zoom in on where the problem possibly is: change the view to display Applications with Open Issues (see details below).

Applications with Open Issues

This chart shows how the number of Applications with Open Issues changes over time. The current month has a link which allows you to switch to the view of these applications with one click. Now you can start analyzing why there is a spike in Applications with Open Issues, and in the number of Open Issues in general, by looking at different aspects of these applications.

Top Issue Types Chart

This chart gives you a sense of the top issue types across all of your applications in the portfolio. For example, if there are many Cross-Site Scripting issues, you can plan appropriate measures to deal with this coding shortcoming, possibly by providing appropriate training for your developers. This is the only chart that cannot be displayed for a particular business unit, as it aggregates information across all issues found in the entire portfolio.

Issue Severity (Max) Chart

This chart identifies applications by their highest level of issue severity. Click a chart section to go to a filtered view in the Portfolio tab to continue your triage process.
Issue Severity (Max) by Business Unit Chart

This chart identifies applications by business unit, by their highest level of issue severity. Click a chart section to go to a filtered view in the Portfolio tab to continue your triage process.

Issue Management improvements

New Issue Status

Enhancements to issue management have been added to answer the question: "How do I quickly find out if I have any issues to triage?" A New classification has been added for newly discovered or imported issues. Note that pre-existing issues (those that existed before the upgrade to v9.0.2) that have not been triaged will remain classified as Open upon upgrade.

It's easy to spot whether an application in your care has issues to triage: an alert is displayed in the black pane of the Application view. This alert is a link, and when clicked, it filters the Issue grid so that only New issues are displayed.

Group by Severity, Issue Type, Status – Application View

To help you focus on issues of a specific Type or Status, we have expanded the "Group By" option in the Application view. By default, the issues are grouped by Severity; clicking the Group by icon in v9.0.2 gives you the following selection (Severity, Issue Type, or Status). As an example, another way of quickly finding issues that need triaging is to group issues by Status.

Issue Export

A quick way to send issue details to developers to fix is via the Export button in the Application view. The button only becomes enabled when you have selected one or more issues within an Application view, and you need to click the List Menu to see it. When you click the Export button, a zip file named to identify the application is created, and it contains an .htm file for each selected issue, named "issue_####.htm", where #### is an Issue ID. Each .htm file contains the same information as "About this Issue" shows.

Locate Issue by Issue ID

When developers fix an issue, they may inform you about it, and supply the issue ID.
You need to mark the issue as Fixed; how can you find it quickly? In the Application view, simply enter that Issue ID into the Search field, and the issue will be displayed to you, as in the example below for Id 22330 in the Lamcane Holdsaofax application.

Scan template

In earlier AppScan Enterprise releases, you were able to use an AppScan Standard authored .scant file to configure a scan in AppScan Enterprise. However, this needed to be done on a case-by-case basis, as each scan required a separate import of a .scant file. In v9.0.2, we have provided a way of creating templates for Content Scan jobs based on .scant files. This template type is called Scan template. Scan templates can be made available to a larger end user base in a few simple steps.

Create Scan Template in AppScan Enterprise

Open the Scans tab and click the Templates folder in the left hand side tree view panel; this opens the templates view, showing the template folder contents in the grid view. Click the familiar button to add a new template. This opens the "Create Template" page. You are somewhat familiar with this view; in v9.0.1.1 this view was called "Create Folder Item" and it contained some options which were not applicable to template creation. For clarity, we have renamed this view and left only the appropriate content options there.

When the "Create Template for Content Scan" radio button is selected (usually by default), the "Create using properties from AppScan Standard scan template file (.scant file)" option is available and selected by default. Enter the Name (and optionally the Description), browse to the .scant file, and click Create. Review the 'Folder Item Created' screen, which advises you about the additional settings that you can configure for this template, as well as information on setting (or not) any Security Policies via a template, and click Done.
TEST: Security configuration

You are now in the configuration screen that is focused on Security, and that is where you see something different: AppScan Dynamic Analysis Client is mentioned in the dropdown list as a means of selecting the Security Test Policy. You can leave your template with this setting. This means that the Security Policy can be picked in AppScan Dynamic Analysis Client, and this tool is available to AppScan Enterprise users (we will cover this in more detail later), since only this tool "understands" a scan configuration created from a .scant file. Or, you can expand the "Use the following security test policy during the scan:" listing and pick a policy for this Template. However, if you pick a policy in a template, the end user won't be able to change which policy is used in scans created from this template, and this is not a very flexible scenario for security testing.

EXPLORE: What to Scan

This is another configuration area that may look a bit different. For example, the "Export saved file" button lets you extract the .scant file which was originally used to create this template, and there is a "Replace scan template with another .scant file" button.

GENERAL: Job Properties

You can Export Properties of the Template, just like in any other template in prior releases.

GENERAL: Template Configuration

Since most of the information needed for the Template Configuration comes from the .scant file, as well as from other areas of the Template Configuration view, there is only one option remaining here: "QuickScan user access to additional settings". You can save your Template now.

Create Scan Template in AppScan Standard

In prior releases you were able to use AppScan Standard to create Configuration Files which you could publish to AppScan Enterprise, and a scan would be created for you based on that configuration. In v9.0.2 you can create Scan templates from AppScan Standard.
Create your configuration and, when publishing to AppScan Enterprise, ensure you choose the Templates folder as the "save" location. You will get a Scan template in AppScan Enterprise as a result, and of course it will be located in the Templates folder. Please view the following video for details: https://www.youtube.com/watch?v=fTfIyJEt7JA

SCAN template in the Template Folder view

You will see a different icon and a relevant (default) description displayed in the Templates folder beside the Scan template.

Scans based on Scan Template

Scan Templates can be used just like other templates to create QuickScans, Content Scan Jobs in the Scans view, and Scans from the Application Detail screen in the Monitor View.

QuickScan based on Scan Template

Create QuickScan based on Scan template

As an example, a scan template called Quick and Light Scan is available for QuickScan jobs in AppScan Enterprise. Go to a folder where you can create a QuickScan (typically the User folder for QuickScan users), and select that template for your QuickScan. Click the arrow button to proceed with the QuickScan creation; the screen you see at this point is new and different from what you would see if you don't use a scan template, or another QuickScan type. Just as you are urged on the screen, click Create.

You will see an additional message on the screen, which you have not seen before. It tells you that you should expect the AppScan Dynamic Analysis Client to launch (and if that Client was already set up on your machine, it takes a few seconds to start). However, if this Client does not launch, this means that this is the first time you are going to use it, and you need to download and install it now (this only needs to be done once; the Client will remain on your machine for future use). Click the Download link, and follow the instructions.
When the download and installation are complete, you will be prompted to restart. Please note that AppScan Enterprise will open automatically and you will be brought to this very screen again, so no work will be lost due to this one-time step.

You might see a couple of screens pop up from your browser telling you about an application about to open. Let it proceed (the actual executable name "under the hood" is ASEConfigClient, and that is what you will see in the browser warning, for example in IE).

Now the AppScan Dynamic Analysis Client application will launch, and you will be automatically logged in (as the same user type as you were in AppScan Enterprise). This is your default view as a QuickScan user. We will skip the configuration details here, and instead dedicate a separate chapter to the AppScan Dynamic Analysis Client UI.

At the very least, you need to go to the Job Properties for your QuickScan and give it a name.

Folder: Note that the folder where this scan will reside is known to this Client and you cannot change it; "Default/altoromutual.com" is the folder where we started creating this QuickScan.

Application: You can associate your new scan with an existing application right away; the Client will give you a complete listing of applications that you are allowed to see in AppScan Enterprise.

Test Policy: If a security analyst has not assigned a specific test policy to the scan template this job is based on, the QuickScan user can select the policy for testing now.

Description: This is optional text to show in the description field of this scan in AppScan Enterprise.

Contact: Who is the person responsible for this scan?

Important option: This option lets you control whether the job runs as soon as it is created in AppScan Enterprise. Running right away is the default, as can be seen in the screenshot above (that is, when you click the "Create Job" button in the bottom right corner of the Client screen, the job is created in AppScan Enterprise, and it is set to run right away). If you choose not to run this job right away upon creation, the job will be created, and will be idle until you manually start it in AppScan Enterprise.

Click Create Job; you will see a message. Next, the AppScan Dynamic Analysis Client will close, since it has done its job. AppScan Enterprise will be active and available to you. You will be brought to different views depending on the selection you made for the 'Run this job now' checkbox:

Checked (ON): You see the job properties page where the newly created job is obviously running.

Unchecked (OFF): You see the folder where you started creating this job (you would need to locate that new job in that folder).

Your new job will have the same icon as the Scan Template.

Edit QuickScan based on Scan Template

Locate the QuickScan you would like to edit, and click Edit. The properties page of that QuickScan will open. If you need to change GENERAL settings of the scan (Schedule, Log Settings, Agent Server, and Job properties), click Additional Settings. If you need to change any settings that govern the scanning process, click Edit in the Dynamic Analysis Configuration section.

You may be presented with a browser message like the one in the screenshot below. You can select the checkbox "Remember my choice for appscandast links" and then you won't see this message again. Then click AppScan Dynamic Analysis Client. You will see the same Client UI, where you should be able to make the changes you need, navigating through the pages using the Next and Back buttons, or the page names in the left side panel.

Once you reach the Job Properties page, you will be able to Update Job. Note that the "Run job as soon as possible" checkbox is enabled by default.
Sometimes when you click Update Job with this option turned on, the job configuration will update, but the job will not start running, because it may have been running already at that moment (for example, if another user or a schedule kicked off this job run just as you were starting to edit).

9.0.2 GA NOTE: In the April 14th release there was a known defect: when you edit a scan in the Dynamic Analysis Configuration Client, make sure that the scan you want to edit is not running in AppScan Enterprise; otherwise it might suspend when you update the scan. The workaround is to clear the "Run job as soon as possible" checkbox and then click Update Job. The fix is planned for the 9.0.2 iFix-1 release. The next time the scan is run, it will use the updated configuration.

You will see an indication that the job has been successfully updated. Click OK, and the AppScan Dynamic Analysis Client will close. You'll return to AppScan Enterprise where you started the edit. Click Close to return to the Folder view where you had started this QuickScan edit.

Content Scan Job - Scans view

Create content scan job based on scan template

If you are an Administrator or a Standard user, you can create a Content Scan Job based on a scan template in the Scans view, from the Create Folder Item page. Select the folder where the new Content Scan Job will reside, and click the button. This opens the Create Folder Item page, which by default looks like the next screenshot. As you can see, this page contains all the previously available options for Content Scan Job creation, as well as the new option which allows you to select a template for the job creation. Select Job using template, and pick a scan template for your new job; let's use "Quick and Light Scan" as our example. As soon as you have selected a scan template, the screen displays a message that is new in v9.0.2. Click Create.
Another new message shows up on the screen:

It tells you to expect the AppScan Dynamic Analysis Client to launch (if the Client was already set up on your machine, it takes a few seconds to start). If the Client does not launch, this is the first time you are going to use it, and you need to download and install it now (this only needs to be done once; the Client will remain on your machine for future use). Click the Download link, and follow the instructions. When the download and installation are complete, you will be prompted to restart – AppScan Enterprise will open automatically and you will be brought to this very screen again, so no work will be lost due to this one-time step.

You might see a couple of screens pop up from your browser telling you about an application that is trying to open – allow it to proceed (the actual executable name “under the hood” is ASEConfigClient, and that is what you will see in the browser warning). Example – in IE:

Now the AppScan Dynamic Analysis Client will launch, and you will be automatically logged in (as the user that you were in AppScan Enterprise) – this is your default view:

We will skip the configuration details here, and instead dedicate a separate chapter to the AppScan Dynamic Analysis Client UI. At the very least, you need to go to the Job Properties for your Content Scan Job and give it a Name:

Folder: Note that the Folder where this Scan will reside is known to this Client and you cannot change it – “Default/altoromutual.com” is the folder where we started creating this Content Scan Job.

Application: You can associate your new scan with an existing application right away – the Client will give you a complete listing of applications available to you in AppScan Enterprise.

Test Policy: If you have not assigned a specific test policy to the Scan template this job is based on, you can select the policy for testing now.
Description: Optionally, text to show in the description field of this Scan in AppScan Enterprise.

Contact: Who is the person responsible for this scan?

Important option: This option allows you to control whether the job runs as soon as it is created – this is the default, as can be seen in the screenshot above (i.e. when you click the “Create Job” button in the bottom right corner of the Client screen, the job is created in AppScan Enterprise and is set to run right away). If you choose not to run this job right away upon creation, the job will be created and will be idle.

Click the “Create Job” button, and you will see a message:

Once you click OK on the message box above, the AppScan Dynamic Analysis Client will close, since it has done its job. AppScan Enterprise will be active and available to you. You will be brought to the page you launched the AppScan Dynamic Analysis Client from. Click Done.

The page above will close and you will see the Folder where you started Content Job Creation from. Your new job will have the same icon as the Scan Template.

Edit content scan job based on scan template

As with any other scan, you can edit the configuration of the “scan template” based scan. From the Folder Explorer, click the Edit link beside the scan name. You will see the following page, which is new and different from the page you would see for any other scan type, because only the AppScan Dynamic Analysis Client can be used to edit scan options here:

Click Edit. The AppScan Dynamic Analysis Client launches and you can change the options for this scan. Once you are done, click Update Job to save the changes you made to the scan configuration in AppScan Enterprise. Just as with the scan create process, you can use the Run job as soon as possible checkbox to make the job run once it is updated in AppScan Enterprise.
Note that if the job was already running when you finished editing the configuration, you will be notified that your request to run the job right away cannot be satisfied. The configuration will be updated, and the next run request will pick up that updated configuration.

9.0.2 GA NOTE: In the April 14th release there was a known defect – when you edit a scan in the Dynamic Analysis Configuration Client, make sure that the scan you want to edit is not running in AppScan Enterprise; otherwise it might suspend when you update the scan. The workaround is to clear the “Run job as soon as possible” checkbox and then click Update Job. The fix is planned for the 9.0.2 iFix-1 release.

The AppScan Dynamic Analysis Client will inform you when the update is completed:

After that the Client will close, and you will return to AppScan Enterprise on the page where you launched the AppScan Dynamic Analysis Client:

You can run the job now, or change Additional Settings (seen only if you have permissions to do so) to modify the Logging, Schedule, and Agent Server settings. Click Close to return to the Folder Explorer.

Create a Scan from an application in the Monitor View

Create content scan job based on scan template

To create a new scan based on a scan template, go to the Monitor view > Portfolio tab, and select the application you want to work with. Click Create Scan in the top right corner of the Issue view:

On the Create Scan page, pick a Folder for your scan and then pick a template – we will use “Quick and Light Scan” as our scan template:

A new message appears on this page:

Click Create. Another new message will appear on the page:

It tells you to expect the AppScan Dynamic Analysis Client to launch (if the Client was already set up on your machine, it takes a few seconds to start).
If the Client does not launch, this is the first time you are going to use it, and you need to download and install it now (this only needs to be done once; the Client will remain on your machine for future use). Click the Download link and follow the instructions. When the download and installation are complete, you may be prompted to restart – AppScan Enterprise will come back automatically and you will be brought to this screen again, so no work will be lost due to this one-time step.

You may see a couple of screens pop up from your browser telling you about an application coming up – allow it to proceed (the actual executable name “under the hood” is ASEConfigClient, and that is what you will see in the browser warning). Example – in IE:

Now the AppScan Dynamic Analysis Client application will launch, and you will be automatically logged in (as the same user you were in AppScan Enterprise) – this is your default view if you are not an Administrative user:

We will skip the configuration details here, and instead dedicate a separate chapter to the AppScan Dynamic Analysis Client UI. At the very least, you need to go to the Job Properties for your Content Scan Job and give it a Name:

Folder: Note that the Folder where this Scan will reside is known to this Client and you cannot change it – “Default/altoromutual.com” is the folder where we started creating this Content Scan Job.

Application: You can associate your new scan with an existing application right away – the Client will give you a complete listing of applications available to you in AppScan Enterprise.

Test Policy: If you have not assigned a specific test policy to the Scan template this job is based on, you can select the policy for testing now.

Description: Optionally, text to show in the description field of this Scan in AppScan Enterprise.

Contact: Who is the person responsible for this scan?
Important option: This option allows you to control whether the job runs as soon as it is created – this is the default, as can be seen in the screenshot above (i.e. when you click Create Job in the bottom right corner of the Client screen, the job is created in AppScan Enterprise and is set to run right away). If you choose not to run this job right away upon creation, the job will be created and will be idle.

Click Create Job, and you will see a message:

As soon as you click OK in the message box above, the AppScan Dynamic Analysis Client will close, since it has done its job. AppScan Enterprise will be active and available to you. You will be brought to the page where you launched the AppScan Dynamic Analysis Client. Click Done to close this dialog:

You see the Application tab where you started the Scan create process:

If you navigate to the folder you chose as the place for this new scan to reside in (Default\altoromutual.com), you should be able to locate the Scan you have just created. It will have the new icon.

Edit content scan job based on scan template

You can edit scan properties right from the Application Attributes view. To do this, click the Job Properties button in the Scans section:

The Edit screen will display – and if this is a Scan template based job, it will look like this:

Click Edit, and the AppScan Dynamic Analysis Client will launch. You can change the scan configuration in the Client, and click Update Job to save the changed configuration. Be aware that the Run job as soon as possible option is always checked by default on this page. If you leave it on and click Update Job, the configuration will be updated. However, if the job was already running at that time, you will be notified that your request to run the job right away cannot be satisfied. The next run request will pick up the updated configuration.
9.0.2 GA NOTE: In the April 14th release there was a known defect – selecting “Run job as soon as possible” updated the Configuration for this job and suspended the already running job. The workaround is to deselect “Run job as soon as possible” when you click Update Job. The fix is planned for the 9.0.2 iFix-1 release.

Once you click Update Job, you will see a confirmation message from the Client:

The AppScan Dynamic Analysis Client will close as soon as you click OK. You will return to AppScan Enterprise, and you’ll see the page where you launched the AppScan Dynamic Analysis Client:

You can run the job now, or amend Additional Settings (Logging, Schedule, Agent Server settings). When you are done, click Close, and you will see the Application view where you started from.

Global Update and Scan jobs based on Scan template

The Global Update option does not apply to QuickScan jobs based on Scan Templates. You will also notice this because you cannot select these scan jobs for Global Update in the Scans View.

More on the AppScan Dynamic Analysis Client

The AppScan Dynamic Analysis Client is a Windows-only application used to create and modify (edit) the AppScan Enterprise scans that are based on scan templates. Scan templates are based on the .scant file (scan configuration file) authored in AppScan Standard. You must download and install the AppScan Dynamic Analysis Client on your end-user machine (i.e. where you run the browser that connects to the AppScan Enterprise console) only once. AppScan Enterprise will inform and prompt you to do so when you are creating or modifying the configuration of scans created from a Scan template. You don’t need to use this tool to create or modify other scan types.
If you have used AppScan Standard before, the UI provided by the AppScan Dynamic Analysis Client will be quite familiar to you, as it provides the same rich scan configuration experience as AppScan Standard. The AppScan Dynamic Analysis Client is aware of AppScan Enterprise user access rights when it comes to scan configuration, and will display different sets of options to Administrative and non-Administrative users.

Administrative users will see the BASIC and ADDITIONAL configuration screens:

Non-Administrative users will see only the BASIC configuration screens:

You can navigate between the pages using the Back and Next buttons, or by simply clicking the name of the page you want to reach in the left-hand panel: e.g. Login Management, Manual Explorer, or any other page you can see in that panel. Every page has a Help button (bottom left corner) so you can see help about how to use each option on that page.

NOTE - for Administrators only: For pages in the ADDITIONAL section, please view the help for these options as provided in the IBM Knowledge Center for AppScan Standard v9.0.2. The Client documentation will contain that set of Help information in the next release.

Administration changes in v9.0.2

Proxy settings for AppScan Dynamic Analysis Client

There is one new Administrative option in AppScan Enterprise: Dynamic Analysis Client Proxy. From the Administration view, go to the Dynamic Analysis Client Proxy page:

If a proxy is specified in this AppScan Enterprise administrative setting, all Dynamic Analysis Clients will use this proxy to perform Login Recording and Manual Exploration. Note that in the Client application, under ADDITIONAL settings, there is also a place for proxy settings; that one is different from the setting above. The proxy specified within the Client is used during the scanning activity.

Liberty Upgrade

We have updated Liberty (embedded in AppScan Enterprise v9.0.2) to v8.5.5.4.
If you manually customized settings in Liberty’s server.xml file in previous versions, and you are upgrading to v9.0.2, the Configuration Wizard can take care of merging all your customized settings listed on this screen into the newer setup, provided you leave the Restore previous AppScan Server customized settings option selected (the default), as per the screenshot below.

If you deselect this option during the very first Configuration Wizard run upon upgrade, the upgrade process will create a backup of your prior settings, and any customization will need to be moved manually into the new setup. Rerunning the Configuration Wizard after the upgrade will not offer this automatic merge option again.

Maximum memory allocation for a security scan process

In v9.0.2 the scan engine changed how it handles memory utilization while running a scan. There is a default maximum memory limit of 1100 MB for a scan. The scan process polls its memory usage frequently. If the scan process reaches the specified maximum and stays at or above this limit for longer than ~10-30 seconds, the scan process is shut down and a new scan process resumes the scan from the point where the previous one left off. If this sequence (memory limit exceeded, shutdown, resume) occurs more than 15 times for the same scan, the scan will suspend.

The message indicating that the process was shut down can be found in SDKDebug.log, for example "EngineAgent reached the predefined memory limit. Current: x, Max: y". These messages tell the Administrator the memory utilization that was reached and the limit that was in effect.

This new way of dealing with memory management was implemented to avoid the Out Of Memory issues experienced with large scans in prior product versions. When a scan is too big and suspends even with the new way of handling memory, the end user can try a few things to give the scan a chance to succeed.
For example, they could reduce the number of URLs in the Manual Explorer recording (e.g. split coverage into two or more scans with Manual Explorer recordings that each cover fewer URLs), or use other scan configuration tweaks, for example focusing the scan only on URLs directly referenced by the page being scanned (the no spidering option). If these options are not viable for any reason, an Administrator can try the new approach: increase the maximum memory limit for a scan a bit, to give the scan that suspended after 15 tries a chance to succeed. In general, the maximum memory limit setting can vary between 512 and 2048 MB, and the more reasonable upper limit is no more than 1500, or the system may become unstable due to very high memory usage by a single process. If the maximum memory limit adjustment allows your large scan to succeed, please revert this setting to the default value afterwards. Leaving it at the higher value may not be safe, as it affects every scan run from a given AppScan Enterprise Server, and potentially increases memory utilization for each scan.

Steps to amend the Maximum Memory Limit:

1. Enable the advanced admin setting in AppScan Enterprise following these steps:
   · Navigate to the Administration View.
   · In the URL, append the following parameter at the end: advancedadmin=1
   Example: https://<servername>/<instance>/Admin/ServersAdmin.aspx?advancedadmin=1
   or https://<servername>/<instance>/Admin/ServersAdmin.aspx?fid=<#>&advancedadmin=1
2. On the left-hand pane, click Generic Global Options.
3. Select a folder item type: Content Scan Job.
4. Select Option Name: MAX_MEM_USAGE.
5. Enter the desired value in MB to use as the maximum memory allocation for a scan job. The valid range is between '512' and '2048', and it is preferable not to go over ~1500.
6. Click Apply.
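As an added example (not code from the white paper or the product), the Python below reads the SDKDebug.log message quoted above, counts the shutdown/resume cycles per scan against the 15-cycle suspend threshold, and checks a proposed MAX_MEM_USAGE value against the documented 512-2048 range and the ~1500 recommendation. The timestamp and the "scan=<id>" prefix on the sample lines are assumptions, since the paper does not show the full log line format.

```python
import re
from dataclasses import dataclass

# Thresholds stated in the white paper for AppScan Enterprise v9.0.2.
MAX_RESTARTS = 15             # more than 15 shutdown/resume cycles suspends the scan
VALID_RANGE_MB = (512, 2048)  # valid MAX_MEM_USAGE range
RECOMMENDED_MAX_MB = 1500     # above this a single process may destabilize the server

# The quoted message text is from the paper; the timestamp and "scan=<id>" prefix
# are assumptions made for this example, not the real SDKDebug.log layout.
LIMIT_RE = re.compile(r"EngineAgent reached the predefined memory limit\. "
                      r"Current: (?P<cur>\d+), Max: (?P<max>\d+)")
SCAN_RE = re.compile(r"scan=(?P<scan>[\w-]+)")


@dataclass
class ScanMemoryStats:
    restarts: int = 0  # shutdown/resume cycles observed for this scan
    peak_mb: int = 0   # highest "Current" value seen
    limit_mb: int = 0  # "Max" value in effect for the scan

    @property
    def suspended(self) -> bool:
        # The engine suspends the scan once the cycle has occurred more than 15 times.
        return self.restarts > MAX_RESTARTS


def parse_sdkdebug(lines):
    """Count memory-limit restarts per scan from SDKDebug.log lines."""
    stats = {}
    for line in lines:
        m = LIMIT_RE.search(line)
        if not m:
            continue  # unrelated log line
        s = SCAN_RE.search(line)
        st = stats.setdefault(s.group("scan") if s else "unknown", ScanMemoryStats())
        st.restarts += 1
        st.peak_mb = max(st.peak_mb, int(m.group("cur")))
        st.limit_mb = int(m.group("max"))
    return stats


def check_max_mem_usage(value_mb):
    """Classify a proposed MAX_MEM_USAGE value as 'invalid', 'risky' or 'ok'."""
    lo, hi = VALID_RANGE_MB
    if not lo <= value_mb <= hi:
        return "invalid"
    return "risky" if value_mb > RECOMMENDED_MAX_MB else "ok"


# Constructed sample log: scan A cycled 16 times (so it suspended), scan B only once.
SAMPLE_LOG = [
    f"2015-04-20 10:{i:02d}:00 scan=A EngineAgent reached the predefined memory limit. "
    f"Current: {1100 + i * 5}, Max: 1100"
    for i in range(16)
] + [
    "2015-04-20 11:00:00 scan=B EngineAgent reached the predefined memory limit. "
    "Current: 1104, Max: 1100",
    "2015-04-20 11:00:05 scan=B Crawl finished",
]

if __name__ == "__main__":
    for scan_id, st in parse_sdkdebug(SAMPLE_LOG).items():
        print(scan_id, st.restarts, st.peak_mb, "suspended" if st.suspended else "ok")
    print(check_max_mem_usage(1500), check_max_mem_usage(1800), check_max_mem_usage(400))
```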
Resources

Visit the security on developerWorks blog for announcements of new security articles, how-to guides, and demonstration videos.

Visit the IBM developerWorks security zone for more articles about AppScan Enterprise and other security topics.

Sign up for the developerWorks security newsletter and other topical newsletters from developerWorks.

Visit this link for videos about using AppScan Enterprise: http://www01.ibm.com/support/docview.wss?uid=swg27041996

About the authors

Larissa Berger is the development manager for IBM Security AppScan Enterprise.

Miriam Fitzgerald is the information developer for IBM Security AppScan Enterprise.