Home
Reference
Review reference information for the product.
Folder Explorer topics
Learn about folder explorer topics.
Creating scans in the Folder Explorer
Learn how to create scan in the folder explorer.
Optimizing your scan with advanced configuration options
Use this task to configure an advanced scan with complex configuration. Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
Correlating static analysis data with dynamic analysis data
Import data from AppScan® Source to correlate its findings with an existing dynamic analysis security scan (AppScan Enterprise Server content scan job or an AppScan Standard import job).
How correlation (hybrid analysis) works
No single automated analysis technique can find all possible vulnerabilities; each technique has its own strengths and weaknesses. Dynamic Analysis Security Testing (DAST) tests a running web application by probing it in ways similar to what a hacker would use. Static Analysis Security Testing (SAST) examines the source code of an application for potential vulnerabilities.
Best practices for hybrid analysis
Because the testing approaches are so different, however, the correlation percentage can be relatively low. The challenges and strengths for each type of analysis differ, as depicted in this table.

Best practices for hybrid analysis

Because the testing approaches are so different, however, the correlation percentage can be relatively low. The challenges and strengths for each type of analysis differ, as depicted in this table.

Bold text indicates strengths.
Dynamic analysis	Static analysis
Awareness	Over approximation
Code coverage	Code/path coverage
Source-free	Limited to given code
HTTP awareness only	More than HTTP validations
Multi-component support	Support per language/framework
Requires deployed application	No need to deploy application
Few prerequisites	Support partial applications
Works as a remote attacker	Integration/deployment issues

For best correlation results:

Pre-filter the SAST issues to the highest severity setting on the Definitive, Suspect issues.
Save a partial assessment or configure the filter to be applied automatically before you publish to AppScan® Enterprise.
With DAST, make sure you explore as much of the application as possible, and use the most comprehensive security test policy that makes sense for the application.
Make sure you analyze the same version of the web application with both approaches.