FAQ
Some frequently asked questions.
General
Why did my scan fail?
Possible reasons your scan might fail or come under review include:
- Invalid app file
- The Test Set you selected is not suited to your site/app
- AppScan 360° Static Analysis service is not functioning correctly or at all
- There is a connectivity problem between the core platform and the SAST service (see Troubleshooting AppScan 360° Static Analysis deployment)
Obviously if you are able to avoid these issues your scan is more likely to complete automatically and fast. This is especially important if you are incorporating AppScan 360° scanning into an automated process, so scan time will be as short as possible.
How long does a scan take to complete?
Depending on application size and complexity, from a few minutes to much longer. You can elect to receive an email when the scan is complete.What security issues does AppScan 360° test for?
- AppDOS
- Browser Caching Sensitive Information
- Comments Reveal Sensitive Information
- Configuration Issue
- CrossSite Scripting (XSS)
- DB Connection String Manipulation
- Email Phishing
- EMail Tampering
- Encoding Required
- Exposed Web Service
- File Tampering
- File Upload
- HTTP Request Splitting
- HTTPResponse Splitting
- LDAP Injection
- Open Redirect
- OS Command Injection
- Path Traversal Potential Business Logic Issue (also covers Insecure Direct Object Reference)
- Privilege Escalation
- RegEx Injection
- Remove Test Code
- SecondOrder Injection
- Sensitive Data Exposure
- Sensitive Data Stored in Logs
- Sensitive Information Revealed in Error Message
- Session Management Timeout Value Too Large
- SQL Injection
- Unencrypted Communications
- URL Tampering
- Use of Cryptographically Unsafe Random Number Generator
- Use of Hidden Fields
- Use of Insecure Cryptography Algorithm
- Use of Unsafe Native Code
- Weak Access Control
- Weak Authentication
- XML Injection
- XPath Injection
- XSLT Injection
Why is the Risk Rating for my application "Unknown"?
Risk Rating is calculated for an application based on two factors:
- Issues found (by AppScan 360°)
- Business Impact (assigned by the user)
SAST
What is a static analysis IRX file and what does it contain?
IRX is a secure and encrypted zip archive that contains the information that is necessary to run a full static analysis of your program. It is encrypted at-rest upon creation, as well as during transport to the cloud (over SSL).
Internally, an IRX archive contains these files and artifacts:
- A proprietary and obfuscated representation of your deployable program artifacts, built from your deployed source code (for example, Java bytecode or .Net MSIL). To learn which languages are supported for static analysis scans, see System requirements for static analysis).
- Any runtime script files that are deployed with your program that can be analyzed for security vulnerabilities (for example .js (Javascript) or .rb (Ruby) files).
- Static Analyzer configuration files that describe the application or project hierarchy and relationships or dependencies of your program. This allows for accurate and complete security analysis across project boundaries within your application.
- Static Analyzer log files generated during the creation of the archive (for diagnostics and support).