Web application automatic scan workflow

Provides a simple workflow of an automatic scan of a web application.

AppScan provides a comprehensive assessment of your web application. It runs thousands of tests based on all levels of typical user techniques as well as unauthorized access and code injections.

When you run a scan on your application, the tests are sent by AppScan to your web application. The results of the tests are provided by AppScan's site-smart engine and result in expansive reports and fix recommendations, available for enhanced review and manipulation.

AppScan is an interactive tool: you decide on the configuration of the scan and determine what is to be done with the results.

A diagram showing a simple web application automatic scan workflow.

Users with experience in the field of web security should see Workflow for advanced users.

Workflow description

  1. Scan Configuration: Configure the scan, taking into account details of your site, your environment, and other requirements through Configuration > Web Essentials:
    1. Enter the Starting URL: Specify the URL where the scan will begin.
    2. Record Login: Capture the login process to ensure authenticated pages are scanned.
    3. (Optional) Review Test Policy: Select the test policy based on your web application.
  2. Start Full Scan: Initiate a full scan.
  3. Automatic scanning consists of the Explore and Test stages.
    1. Explore Stage: AppScan crawls your site, visiting links as a regular user would, and records the responses. It creates a hierarchy of the URLs, directories, files, and so on, that it finds on your application. This list is displayed in the Application Tree (see Application tree).
      Note: The Explore stage can be done automatically, manually, or as a combination of both. You can also import an Explore Data File (see Exporting Manual Explore data), which consists of a previously recorded manual explore sequence. AppScan then analyzes the data it has collected from the site and, based on it, creates tests for the site. These tests are designed to reveal weaknesses both in the infrastructure (such as security weaknesses in commercial, third-party products or Internet systems) and in the application itself.
    2. Test Stage: During the Test stage, AppScan tests your application, based on the responses it received during the Explore stage, to reveal vulnerabilities and assess their severity.

      An up-to-date list of all tests included in your current version of AppScan can be seen in the Scan Configuration dialog box (see Test policy and optimization).

      You can also create user-defined tests in addition to the tests that AppScan automatically creates and runs (see User-Defined Tests). Your tests can supplement those generated by AppScan and can verify the results that it found.

      Test results are displayed in the Result List, from where you can view and modify them. Full details of the results are displayed in the Detail Pane.

  4. Post-Scan Activities:

    1. Review Results: Analyze the scan findings, adjust the scan configuration if your review of the results makes that necessary, and scan again.

    2. Review Fix Recommendations: Assess and apply suggested fixes to address identified vulnerabilities.
    3. Explore Links Manually: Manually check any links that require further investigation.
    4. Generate Reports: Create detailed reports based on the scan results.
Note: AppScan supports both manual exploration and importing recorded traffic together with its automatic scanning capabilities, providing a comprehensive approach to security assessment.
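To make the Explore stage described above concrete, here is an added toy model of a same-origin crawl that builds a URL/directory hierarchy like the Application Tree. This is illustrative code written for this page, not AppScan's engine or any of its APIs; the site content in `SAMPLE_SITE` is constructed, `fetch` is a stand-in for an HTTP request, and the scope rule (same scheme and host, queries and fragments ignored) and `max_pages` limit are assumptions chosen to show why a crawl needs both a scope boundary and a stop condition.

```python
"""Toy Explore stage: crawl in-scope links, record responses, build a tree."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample site (hypothetical URLs and HTML; not captured traffic).
SAMPLE_SITE = {
    "https://example.test/": '<a href="/login">Login</a> '
                             '<a href="/docs/index.html">Docs</a> '
                             '<a href="https://other.test/x">External</a>',
    "https://example.test/login": '<form action="/login"></form> <a href="/">Home</a>',
    "https://example.test/docs/index.html": '<a href="/docs/guide.html">Guide</a> '
                                            '<a href="index.html">Self</a>',
    "https://example.test/docs/guide.html": '<a href="/docs/index.html">Back</a> '
                                            '<a href="/admin/">Admin</a>',
    "https://example.test/admin/": "",
}


class LinkExtractor(HTMLParser):
    """Collect anchor hrefs and form actions, the links a crawler would follow."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site: (status, body)."""
    body = SAMPLE_SITE.get(url)
    return (200, body) if body is not None else (404, "")


def explore(start_url, fetch=fetch, max_pages=100):
    """Breadth-first crawl from start_url, staying on the same scheme and host.

    Returns {url: status} for every in-scope URL visited. max_pages bounds the
    crawl so a site that generates links endlessly cannot run it forever.
    """
    origin = urlsplit(start_url)
    seen, responses = set(), {}
    queue = deque([start_url])
    while queue and len(seen) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        responses[url] = status
        if status != 200:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            parts = urlsplit(urljoin(url, href))
            # Scope check: off-host links are recorded nowhere and never followed.
            if (parts.scheme, parts.netloc) != (origin.scheme, origin.netloc):
                continue
            # Drop query and fragment so one resource is not crawled many times.
            normalized = parts._replace(query="", fragment="").geturl()
            if normalized not in seen:
                queue.append(normalized)
    return responses


def build_tree(urls):
    """Nest discovered paths into a directory/file hierarchy.

    Directories are keys ending in "/" whose value is a dict; files map to None.
    """
    tree = {}
    for url in urls:
        path = urlsplit(url).path
        segments = [s for s in path.split("/") if s]
        is_dir = path.endswith("/")
        dir_segments = segments if is_dir else segments[:-1]
        node = tree
        for seg in dir_segments:
            node = node.setdefault(seg + "/", {})
        if segments and not is_dir:
            node[segments[-1]] = None
    return tree


def render(tree, indent=0):
    """Flatten the tree into indented lines, sorted for stable display."""
    lines = []
    for name in sorted(tree):
        lines.append("  " * indent + name)
        if tree[name]:
            lines.extend(render(tree[name], indent + 1))
    return lines


if __name__ == "__main__":
    found = explore("https://example.test/")
    print("\n".join(render(build_tree(found))))
```

The crawl reaches all five in-scope pages and never touches `other.test`, which is the point of the scope check; the resulting tree (`admin/`, `docs/` with its two files, `login`) is the shape the Explore stage hands to the Test stage. A real Explore also keeps each response body and the parameters of every form and link, since those are what the Test stage mutates.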