Creating a QuickScan template using scan properties from AppScan Enterprise

A QuickScan template comprises either a content scan job or an import job, plus a report pack. After you create scan templates in the Templates folder in the Folder list, they will automatically be available as scan templates to QuickScan users and to more advanced users who have their QuickScan View turned on in the Show Folder Explorer list. When a QuickScan user creates a scan, a job and report pack will be created based on the template, but will only appear to the QuickScan user as a scan.

About this task

In v9.0.1.1 and earlier, the security team created QuickScan templates for developers based on AppScan Enterprise job options. Although this method allowed analysts to customize the QuickScan template per developer, it often resulted in inconsistent scan configuration and results across the organization. This is because some developers could access more scan configuration options than others.

Beginning in v9.0.2, you can create scan templates for developers that create consistent scan configuration and results. This new method improves the configuration experience for developers (who often don't have a lot of security knowledge) and enables action-based login and manual explore. See Creating a QuickScan template using scan properties from AppScan Standard.

Procedure

  1. Go to the Templates folder in the Folder list and click the Create icon in the main content pane.
    Note: You can restrict the templates certain user groups can use by creating sub-folders within the Templates folder and assigning specific user roles to each sub-folder:
    • Product Administrator - can create/edit/delete templates
    • Report Consumer/Issue Manager - can use templates
    • Report Administrator - can edit Report Packs in Templates
    • Job Administrator - can create/edit/delete templates
    • QuickScan User - can only use templates that they have been given access to
    • No Access - no access at all
  2. On the Create Folder Item page, select the job type you want to create for the template: content scan job or import job.
  3. Enter a Name and Description (optional) for the template. Make the name as meaningful as possible. For example, if you are creating a manual explore scan, you might name the template Manual explore scan.
  4. Choose how report packs will be generated. By default, the Automatic Report Pack Creation check box is selected. A report pack will be created with the same name as the job, and a set of default reports based on the properties of the job will also be created automatically.
  5. Choose a Method of Creation.
    • Use default properties to create the job with the built-in settings.
    • Use the settings file if you have exported a similar job and want to use it as the basis for the new job. The settings file is created by exporting the properties of a job.
  6. Click Create to create the job. The first property page of the scan template opens so you can continue configuring its properties.
  7. On the Login Management page, choose the method you want QuickScan users to use with this template.
    Note:
    • Recorded: Record a login sequence for the scan to use. The scan will automatically perform the login, and then QuickScan users can do a manual explore afterwards.
    • Automatic: Configure the regular expressions that identify the user name and password fields. The QuickScan heuristics use these expressions to identify the login page; QuickScan users will not be able to use their own user name or password in this template. To include the Automatic login control, the login method chosen on the Login Management page must be Automatic Login or None.
    • None: QuickScan users will configure login management during scan setup.
  8. Continue configuring the scan's properties. When you are finished, click Template Configuration.
  9. On the Template Configuration page, select the QuickScan Controls you want to add to the template.
    Note: If in-session detection is on, then the In-session detection control must be included in the template so that QuickScan users can edit the in-session pattern if necessary.
  10. Choose the type of explore methods you want the scan to use: Starting URL, Manual explore, or Web Services Explore.
    Note: Users cannot manually explore the application using the Starting URL option. The Manual explore option provides the broadest scope for exploring URLs.
  11. To give advanced users more flexibility while limiting what novice users can change, choose whether QuickScan users can access the advanced scan configuration pages.
    Note: There are restrictions on some of the scan options that they can modify. See QuickScan User for more details.
  12. Click Save.
    Note: If you rename the template, the corresponding report pack will automatically be renamed.
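Added illustration of the Automatic login method in step 7: the regular expressions configured in the template, not credentials typed by the QuickScan user, decide which form fields the scan treats as the login. This is example code written for this page, not AppScan code, and the login page, the field names and the rule that each expression must match exactly one input are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample login page (not taken from the product or this page).
SAMPLE_LOGIN_HTML = """
<form action="/login" method="post">
  <input type="text" name="j_username" id="user">
  <input type="password" name="j_password">
  <input type="submit" value="Sign in">
</form>
"""


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> element on the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            self.inputs.append(dict(attrs))


def find_login_fields(html, user_pattern, password_pattern):
    """Return (user_field, password_field) when each configured expression
    matches exactly one input name on the page, otherwise None.

    Hypothetical analogue of the template's Automatic login heuristics:
    the template author fixes the patterns, so an over-broad or mismatched
    pattern makes the login page unidentifiable for every QuickScan user.
    """
    collector = _InputCollector()
    collector.feed(html)
    user_re = re.compile(user_pattern, re.IGNORECASE)
    pass_re = re.compile(password_pattern, re.IGNORECASE)
    names = [i["name"] for i in collector.inputs if i.get("name")]
    users = [n for n in names if user_re.search(n)]
    passwords = [n for n in names if pass_re.search(n)]
    # Ambiguous (several matches) or missing matches: page not identified
    if len(users) != 1 or len(passwords) != 1:
        return None
    return users[0], passwords[0]


if __name__ == "__main__":
    print(find_login_fields(SAMPLE_LOGIN_HTML, r"user", r"pass"))
```

Checking the template's expressions against a saved copy of the real login page this way, before handing the template to QuickScan users, catches a pattern that matches nothing or matches more than one field.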