You must download and deploy an IAST agent on the tested application's web server to
monitor traffic sent during runtime and report vulnerabilities it finds.
Before you begin
- You must have installed the tested application on the web server.
- You must be an Administrator to configure an IAST agent on the application server.
- You must have created an application in the Portfolio tab of the Monitor view in AppScan
Enterprise. For more information on creating an application in AppScan Enterprise,
see Creating an application.
About this task
This section helps you to download and deploy an IAST agent on the tested application's web
server.
Procedure
- Log in to the AppScan Enterprise Server application.
- Go to the Monitor page > Portfolio tab to view the list of applications available.
- Click the application for which you want to download an IAST agent.
- On the left pane, click IAST Agents.
  The IAST agents page is displayed on the right pane.
- Click Create a new Agent.
  The Getting started with IAST page is displayed.
- Click Create a new Agent.
  The IAST agent creation page is displayed.
- From the Agent Type drop-down list, select Java if the application you are testing is a
  Java-based application. Otherwise, select the language in which the tested application is
  developed.
  Note: The IAST feature supports only Java-based applications.
- In the Agent Name box, enter a unique name for the agent you are creating for the
  application. The agent name can contain alphanumeric and special characters, with a maximum
  length of 30 characters.
- Click Download Agent. The Check your downloads folder message is displayed and the
  AppScanIASTAgent file is downloaded to the system’s default download folder.
- Extract the AppScanIASTAgent file to a folder.
- Copy the Secagent.war file from the AppScanIASTAgent file's extracted folder to the tested
  application's web server.
- Interact with the tested application so that IAST can detect vulnerabilities.
  Note: An IAST scan does not send its own requests. It can discover issues only if requests
  are sent to the application you are testing, for example through system tests, manual
  explores, or a DAST scan.
- Go to the application's tab view and click All Issues on the left pane to view the list
  of issues related to security vulnerabilities discovered.
  Note: You can use the filter Discovery Method=IAST to view only IAST issues in the
  application.
Results
The IAST agent is deployed on the web server of the tested application. You can now view all
the issues detected by IAST agents in the application's monitor page.
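
The extract and copy steps of the procedure can be scripted so that the deployed file is checked and recorded. The following is an added example, not code from this page or from the product; it assumes the AppScanIASTAgent download is a ZIP archive and that you supply the server's deployment folder (the page states neither), and `deploy_agent` is a hypothetical helper name.

```python
import hashlib
import zipfile
from pathlib import Path

WAR_NAME = "Secagent.war"  # file name given in the procedure


def deploy_agent(archive: Path, deploy_dir: Path) -> str:
    """Copy Secagent.war from the downloaded archive into deploy_dir.

    Returns the SHA-256 of the deployed WAR for the change record.
    Assumptions: the download is a ZIP archive, and deploy_dir is the
    web server's deployment folder chosen by the administrator.
    """
    with zipfile.ZipFile(archive) as zf:
        # Reject a corrupt or truncated download before touching the server.
        bad = zf.testzip()
        if bad is not None:
            raise ValueError(f"corrupt archive member: {bad}")
        # Locate the WAR by base name; it may sit inside a subfolder.
        matches = [i for i in zf.infolist()
                   if not i.is_dir() and Path(i.filename).name == WAR_NAME]
        if len(matches) != 1:
            raise ValueError(f"expected one {WAR_NAME}, found {len(matches)}")
        deploy_dir.mkdir(parents=True, exist_ok=True)
        target = deploy_dir / WAR_NAME
        tmp = target.with_name(target.name + ".part")
        digest = hashlib.sha256()
        # Stream the single member to a fixed path, so entry names inside
        # the archive never decide where files are written.
        with zf.open(matches[0]) as src, open(tmp, "wb") as dst:
            for chunk in iter(lambda: src.read(65536), b""):
                digest.update(chunk)
                dst.write(chunk)
    # Rename only after a complete write, so a half-copied WAR never
    # appears under its final name.
    tmp.replace(target)
    return digest.hexdigest()


if __name__ == "__main__":
    import sys
    # Usage: python deploy_agent.py <downloaded archive> <deployment folder>
    print(deploy_agent(Path(sys.argv[1]), Path(sys.argv[2])))
```

Keep the printed hash with the deployment record so the WAR on the server can later be compared against the file that was downloaded.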