AppScan Presentation
Transcript of AppScan Presentation
AppScan: 9 Aug 2012, Ushma Dubal
Objective
AppScan overview
How to install
New scan process
Demo
AppScan help
Q & A
Important Notice
This presentation is meant to show basic operation of AppScan. It is NOT meant to show the procedures needed to comply with the recommendations and requirements for scanning InfoSphere Information Server products and components. You should review the materials at the following sites if you intend to scan Information Server products and components:
Specific Recommendations and Requirements: https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/Wa0ffccd1ded4_4723_8b25_baa3636592d3/page/Requirements%20and%20Recommendations
InfoSphere AppScan Community Welcome page: https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/Wa0ffccd1ded4_4723_8b25_baa3636592d3
AppScan Overview
AppScan is an IBM Rational tool.
AppScan is an automated tool used to perform vulnerability assessments on Web Applications and web services
Scans web applications, finds security issues and reports on them in an actionable fashion
How to install
AppScan can be downloaded from:
(Xtreme Leverage Portal): http://w3-103.ibm.com/software/xl/portal/home
Click on the Technical tab, then the Software Downloads (internal use) button on the right. Search for IBM Rational AppScan Standard Edition (AS Std) V8.5 Windows Multilingual, part number CI458ML, and download it.
The installation is fairly painless (standalone desktop application), but you will need a license key to complete the activation of your installation. Without the key, you can only test one specific web site used for AppScan demos.
To get an AppScan license key, follow the link below:
http://w3.ibm.com/connections/wikis/home/wiki/Rational%20Sales%20Operational%20Support/page/AppScan%20License%20Keys?lang=en
Install (cont.)
Licenses are of two types:
Node-locked or Authorized User license key.
Floating license key. Benefit: can be used with VM and RD.
Server: svllicense.svl.ibm.com
Port: 27000
Points to consider: The AppScan machine should not have a firewall or antivirus running. These need to be disabled while AppScan is in use.
Starting a New Scan
Easiest way is to use the scan wizard
Starting point URL
Login
Test policy
Login
Accurate login is essential for a good scan
Login Methods
Recorded (recommended)
Automatic
Prompt
None
AppScan needs to maintain a session in order to fully explore and test the application
How does it work:
AppScan monitors the in-session pattern
Stops the scan, logs in again, refreshes session tokens
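The in-session check described above, sketched as an added example (not AppScan's own code and not part of the original presentation). DemoApp, its credentials, the three-request session lifetime and the logout-link pattern are all constructed for illustration.

```python
import re

# Constructed in-session pattern: markup that only a logged-in page contains.
IN_SESSION = re.compile(r'href="/logout"')

class DemoApp:
    """Constructed stand-in for a web app whose session expires after 3 requests."""
    def __init__(self):
        self.sessions = {}   # session token -> requests remaining
        self.issued = 0      # number of tokens handed out so far

    def login(self, user, password):
        # Stands in for replaying the recorded login sequence.
        if (user, password) != ("scanuser", "example-password"):
            return None
        self.issued += 1
        token = f"tok{self.issued}"
        self.sessions[token] = 3
        return token

    def get(self, path, token):
        left = self.sessions.get(token, 0)
        if left <= 0:        # expired or unknown token: serve the login page
            return '<form action="/login">Please sign in</form>'
        self.sessions[token] = left - 1
        return f'<a href="/logout">Logout</a><h1>{path}</h1>'

def scan(app, paths, creds):
    """Request each path and check every response for the in-session pattern."""
    token = app.login(*creds)
    relogins, covered = 0, []
    for path in paths:
        body = app.get(path, token)
        if not IN_SESSION.search(body):   # session lost: stop and log in again
            token = app.login(*creds)     # refreshed session token
            relogins += 1
            body = app.get(path, token)   # retry the request that was rejected
            if not IN_SESSION.search(body):
                raise RuntimeError(f"login replay failed at {path}")
        covered.append(path)
    return covered, relogins

if __name__ == "__main__":
    pages = [f"/account/{i}" for i in range(7)]
    print(scan(DemoApp(), pages, ("scanuser", "example-password")))
```

Without the pattern check, every request after the third would silently test the login page instead of the authenticated application, which is why an accurate login and in-session pattern matter for scan coverage.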
Scan Configuration
Scans can be configured as per user needs.
Start Scan (last step)
Start a full automatic scan: scans all the URLs of the application.
Start with automatic Explore only: only explores the URLs.
Start with Manual Explore: the user needs to manually record the URLs to be scanned.
I will start the scan later:
Scan Progress
Visual progress indicators
Real-time scan log
Creating the Report
Snapshot of Report
Demo
Site for help:
https://w3.tap.ibm.com/w3ki08/display/ratlseccop/Intellectual%20Capital%20(Resources)
http://ibmforums.ibm.com/forums/forum.jspa?forumID=2968
https://w3-connections.ibm.com/wikis/home?lang=en_US#/wiki/Wa0ffccd1ded4_4723_8b25_baa3636592d3
AppScan help
Q & A
Information Management Software
2010 IBM Corporation
2011 IBM Corporation