Security reports

The Security report provides information about security issues discovered, and you can choose from a variety of templates depending on the type of content you need.

About this task

You can create a security report that covers the whole scan, or for a particular URL or folder in the application tree.

Each report template is a set of content topics that are relevant to different audiences within your organization. The topics contain scan results from each of the views (Security Issues, Remediation Tasks, Application Data), formatted for easy printing, readability, and rapid comprehension of what the results mean, why they are relevant, and how to fix them.

Security Report Options

The table following summarizes the options in the Security Reports dialog box.

Option

Description

Template

Select one of several templates for the report, or define your own by selecting/clearing check boxes in the right-hand pane. The sections each template includes are described in the Security Report Sections table below.
  • Default: A medium-level report containing a high-level summary and Issue Information, without details of variants.
  • Summary: A high-level summary with highlights of security risks found in your web application, and statistics of scan results, formatted in tables and charts.
  • Detailed: A thorough report that includes the Summary, as well as security issues, suggestions for how to fix, remediation tasks, and application data.
  • Remediation Tasks: Remediation tasks only: actions designed to address the issues discovered in the scan.
  • Developer: Security Issues, variants, how to fix, without the Summary or Remediation Tasks sections.
  • QA: Security Issues, how to fix, and application data, without detailed variant information, or the Summary or Remediation Tasks sections.
  • Site Inventory: Application data only.
  • Custom Template: To create a custom template, select any default template and then change the report settings as required. The template name changes to Custom template and the Save template option is enabled. Once saved, the template can be used to generate reports from both the user interface and the command line interface.
    • Save template: Save the current Security Report configuration as a custom template.
    • Delete icon: Delete the current custom template.

Min. Severity

Select the lowest level of severity for issues to be included in the report.

Test Type

Select which types of test results to include in the report: All, Application, Infrastructure, or Third-Party Web Component tests.

Group by

Select whether to group issues by type or URL.

Limit number of variants per issue

You can reduce the length of the report by limiting the number of variants listed per issue if this level of detail is unlikely to be useful to the recipient of the report.

After selecting any template as a basis, you can customize the individual report structure by selecting/deselecting the fields of information to be included. If you do this the template name changes to "Custom template".
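To make the effect of the Min. Severity, Test Type, Group by and variant-limit options concrete, the following is an added example (not AppScan's own code, and not its report schema): it applies those four filters to a constructed list of findings. The Issue structure, the sample findings and the request/response strings are assumptions for illustration only; the severity order (High, Medium, Low, Informational) and the three test types are the ones this page names.

```python
"""Added example (not AppScan's code): apply the Security Report options
(Min. Severity, Test Type, Group by, variant limit) to a constructed list
of findings. The Issue structure below is an assumption for illustration;
it is not the AppScan report format."""
from collections import defaultdict
from dataclasses import dataclass, field

# Severity order used by the report Introduction (High > Medium > Low > Informational).
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# The three test types offered by the Test Type option (plus "All").
TEST_TYPES = {"Application", "Infrastructure", "Third-Party Web Component"}


@dataclass
class Issue:
    issue_type: str
    url: str
    severity: str
    test_type: str
    variants: list = field(default_factory=list)  # each variant: (request, response) text


def severity_counts(issues):
    """Per-severity totals, as listed in the report Introduction."""
    counts = {name: 0 for name in SEVERITY_RANK}
    for issue in issues:
        counts[issue.severity] += 1
    return counts


def build_report(issues, min_severity="Low", test_type="All", group_by="type", max_variants=None):
    """Return {group_key: [issue_record, ...]} after applying the report options."""
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {min_severity!r}")
    if test_type != "All" and test_type not in TEST_TYPES:
        raise ValueError(f"unknown test type {test_type!r}")
    if group_by not in ("type", "url"):
        raise ValueError("group_by must be 'type' or 'url'")

    threshold = SEVERITY_RANK[min_severity]
    grouped = defaultdict(list)
    for issue in issues:
        if SEVERITY_RANK[issue.severity] < threshold:
            continue  # below Min. Severity: excluded from the report
        if test_type != "All" and issue.test_type != test_type:
            continue  # not the selected Test Type
        shown = issue.variants if max_variants is None else issue.variants[:max_variants]
        record = {
            "type": issue.issue_type,
            "url": issue.url,
            "severity": issue.severity,
            "variants": shown,
            "variants_omitted": len(issue.variants) - len(shown),  # cut by the variant limit
        }
        key = issue.issue_type if group_by == "type" else issue.url
        grouped[key].append(record)
    # Highest severity first within each group, so a reader triages top-down.
    for records in grouped.values():
        records.sort(key=lambda r: SEVERITY_RANK[r["severity"]], reverse=True)
    return dict(grouped)


# Constructed sample findings (illustrative only; not real scan output).
SAMPLE_ISSUES = [
    Issue("SQL Injection", "/login", "High", "Application",
          [("POST /login id=1'", "500 SQL syntax error"),
           ("POST /login id=1 OR 1=1", "200 logged in"),
           ("POST /login id=1;--", "500 SQL syntax error")]),
    Issue("Cross-Site Scripting", "/search", "Medium", "Application",
          [("GET /search?q=<script>", "200 reflected unescaped"),
           ("GET /search?q=\"onerror=", "200 reflected unescaped")]),
    Issue("Outdated JavaScript library", "/static/app.js", "Medium", "Third-Party Web Component",
          [("GET /static/app.js", "200 library version banner")]),
    Issue("Missing security header", "/", "Low", "Infrastructure",
          [("GET /", "200 no Content-Security-Policy")]),
    Issue("Directory listing", "/images/", "Informational", "Infrastructure",
          [("GET /images/", "200 index of /images/")]),
]


if __name__ == "__main__":
    print(severity_counts(SAMPLE_ISSUES))
    for key, records in build_report(SAMPLE_ISSUES, min_severity="Medium", max_variants=1).items():
        print(key, [(r["url"], r["severity"], r["variants_omitted"]) for r in records])
```

With the defaults (Min. Severity Low, all test types, grouped by type) the Informational finding drops out; raising Min. Severity to Medium also removes the Low one, and a variant limit of 1 keeps the report short while the `variants_omitted` count tells the reader how much evidence was cut.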

Security Report Sections

The table following summarizes the standard content of the various Security Reports. In all cases, the actual content can be changed as required by selecting/clearing check boxes in the Report content pane.
Note: A full detailed report could be hundreds of pages long, so be sure to include only the sections that are relevant to your audience.

Report Section

Description

Introduction

A short section that provides some general information about the scan, including such details as overall number of issues found (High, Medium, Low and Informational), and login settings. This section is included in all reports.

Summary

A series of tables summarizing the following information about the scan, or the part of the scan included in the report:
  • Issue types (includes number of issues found for each type, and their severity)
  • Vulnerable URLs (includes number and type of issues per URL)
  • Fix recommendations
  • Security risks
  • Causes
  • WASC threat classification

Security Issues

Issues found in your application:

  • Basic: If you select neither of the two check boxes below, only basic information is included
  • Additional: Includes more detailed information, including screen captures, similar to the Issue Information tab content
  • Variants: Includes specific variant information:
    • Request/Response
    • Difference: The difference between the original request and the test request, as shown in the Detail pane > Request/Response tab

Advisories and Fix Recommendations

Technical explanations of the issues found and recommendations for fixing them.
Note: To include fix recommendations specific to .NET, Java EE and PHP environments, go to Tools > Options > Preferences and select the required options.

Remediation Tasks

Suggested tasks for improving site security based on the issues found. One task may resolve more than one issue.

Application Data

List of data that AppScan found in your web application: Application URLs, Script Parameters, Broken Links, Comments, JavaScripts, Cookies, and Filtered URLs.

Procedure

  1. Select the scan content on which to base the report:
    • To create a report for the whole scan, click Tools > Report > Security Report.
    • To create a report for a particular URL or folder that was included in the scan, right-click on the node in the application tree, and then select Report for this node > Security.
  2. Select the relevant template, or define your own report content by selecting/clearing check boxes in the right pane.
  3. Select the options required.
  4. To save the configuration for future use, click Save template and give the template a unique name.
  5. To customize the layout of the report, click the Customize report layout link. See Customizing the report layout for details.
  6. Click Create and then select the output format required: PDF, HTML, TXT, RTF, or XML.
  7. Click Save.
    AppScan displays a status bar to show the progress of report creation.
  8. Click Open report to view the report.
    The report opens in a new tab for viewing.