AppScan® Source trace
With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
AppScan® Source traces the flow of data through an application, across modules and languages. It displays the paths of potentially dangerous data in a call graph, indicating areas where an application may be susceptible to vulnerabilities.
Tracing helps you defeat SQL Injection, cross-site scripting, and other input validation attacks by identifying the lack of approved input validation and encoding routines in applications. You interactively trace the entire call graph, clicking directly from the Trace view to see the source in the development environment or code editor of your choice. Tracing also enables policy enforcement, allowing you to identify approved routines required for proper input validation and encoding, taint propagation, or sinks and sources, and include them in future scans.
Validation.Required or Validation.Encoding.Required findings for data paths on which the routines are called. In the Trace view, you can also define vulnerabilities as a source, sink, or both, and identify a method as a taint propagator, a tainted callback, or not being susceptible to taint.
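As an added illustration (not AppScan Source code), the following Python models the classification described above: taint is followed from sources and tainted callbacks through propagators to sinks, stopped at methods marked as not susceptible, and a Validation.Required or Validation.Encoding.Required finding is reported for each path that lacks an approved validation or encoding routine. The call graph, method names, and the assumption that validators satisfy Validation.Required while encoders satisfy Validation.Encoding.Required are constructed for the example.

```python
# Added toy model of AppScan Source trace classification, not AppScan code.
# Call graph, method names and roles are constructed; finding names are the page's.
CALL_GRAPH = {                     # caller -> callees
    "getParameter": ["executeQuery", "escapeHtml", "toUpper", "logInput"],
    "escapeHtml": ["writeResponse"],
    "toUpper": ["writeResponse"],
    "logInput": ["writeResponse"],
    "onRequest": ["checkLength", "executeQuery"],
    "checkLength": ["executeQuery"],
}
ROLES = {                          # as a user would mark them in the Trace view
    "getParameter": "source",      # untrusted input enters here
    "onRequest": "callback",       # framework invokes it with tainted arguments
    "toUpper": "propagator",       # passes taint through unchanged
    "checkLength": "validator",    # approved input validation routine
    "escapeHtml": "encoder",       # approved output encoding routine
    "logInput": "clean",           # not susceptible to taint
    "executeQuery": "sink",
    "writeResponse": "sink",
}
# Policy each sink enforces, and the routine role that satisfies it.
SINK_POLICY = {"executeQuery": "Validation.Required",
               "writeResponse": "Validation.Encoding.Required"}
SATISFIED_BY = {"Validation.Required": "validator",
                "Validation.Encoding.Required": "encoder"}

def trace_findings(graph=CALL_GRAPH, roles=ROLES):
    """Return (finding, path) for each source/callback-to-sink path that
    lacks the routine the sink's policy requires."""
    findings = []

    def walk(method, path, seen):
        role = roles.get(method, "propagator")
        if role == "clean":
            return                          # taint stops here
        path, seen = path + [method], seen | {role}
        if role == "sink":
            policy = SINK_POLICY[method]
            if SATISFIED_BY[policy] not in seen:
                findings.append((policy, path))
            return
        for callee in graph.get(method, []):
            if callee not in path:          # guard against call-graph cycles
                walk(callee, path, seen)

    for method, role in roles.items():
        if role in ("source", "callback"):
            walk(method, [], set())
    return findings
```

Re-running `trace_findings` with `toUpper` marked as an encoder drops the Validation.Encoding.Required finding on that path, which is the effect of including an approved routine in a later scan.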