If you’re the kind of person who likes taking a look under the hood, then get ready to dive into the new IBM Security AppScan Standard 8.6 and take a peek at what we did for this release.
By the end of this blog you’ll be convinced AppScan Standard 8.6 has some cool new features to help you do your job - download a trial and take it for a test drive.
First, let’s briefly summarize the main enhancements and improvements, and then delve into each one further:
- Next-Generation Dynamic Analysis Security Testing (DAST) Engine
- XSS Analyzer - the last word in XSS security testing
- Usability improvements
- Powerful utilities and integrations
- Additional advanced security testing capabilities:
  - Glass box automatically adjusts environmental definitions
  - JSA – integrated into the new engine, enabled in ASE.
For years now we’ve been remodeling and re-architecting the AppScan DAST core engine. The engine is basically AppScan's brain. Be it handling traffic, analyzing data, session tracking, site-modeling, the engine is responsible for it all.
AppScan Standard 8.6 and AppScan Enterprise 8.6 now run the same engine, which means that scan results are better aligned, scalability has been greatly improved, and feature delivery will be much easier for both products at the same time.
The new next-gen engine brings with it substantial performance improvements that you will immediately feel. Pointing out why speed is important and how it saves money is as obvious as pointing out that the sky is blue, so allow me to skip that.
XSS Analyzer – the next word in detecting Cross-Site Scripting
We’ve already written in depth about how XSS Analyzer works behind the scenes – here.
In a nutshell, XSS Analyzer tailors a unique XSS payload taken from a huge knowledge base of 700 million potential payloads, through an iterative process of gathering information about the server defenses. The classic technique was to shoot many predefined payloads at the server, which A) would take more time and B) could miss. The new technique is more accurate, more efficient, and extremely intelligent.
To the best of our knowledge – no other scanner or tool supplies such an extensive weapon against XSS.
See the video explaining XSS Analyzer - here.
CISOs pay attention! We’ve been hearing that AppScan’s security reports are good but not as good as you'd like them to be – we listened and went ahead and completely redesigned them!
Old report screenshot: New report screenshot:
Much sleeker and more attractive, with actionable results that are easier to work with. The differences will be noticed throughout the organization – from executives to pen testers.
Application Data View - the new main view
Why the change? Why not show the vulnerable issues?
It’s all about importance.
As you know, it’s crucial to make sure during a scan that the right parameters and cookies are being invoked, that the right values are being used, that the right pages are being explored, that there are no communication errors, and so on.
AppScan now exposes this information in the main view in a redesigned manner, populated in real time, for your pen-testing pleasure.
Some of this information existed in previous versions, but the changes and additions we are introducing will make your security testing experience super easy.
We noticed that users often forget to check important prerequisites before going ahead with a scan. This may lead to unsuccessful login attempts, a long scan time, poor coverage of a site and consequently incorrect results. Today’s web applications require precise configuration in order to make sure every area of the site is covered so as not to miss any critical vulnerabilities. The new Application Data View will help you easily configure what you need, and most importantly find errors in the current configuration.
Furthermore, we've added a bunch of tweaks that should make it simpler to keep your finger on the pulse:
- New toolbar with buttons for each view.
- New Pages view: Each page lists its components (JS files, CSS, etc.) and links pointing to and from that page.
- Parameters and Cookies views show a consolidated list (instead of listing multiple records per entity due to multiple values).
- New columns in the Parameters and Cookies views: Tracked and Test Exclude.
Regular expressions - simplified
Complex web applications often require the use of regular expressions in scan configuration. Regular expressions aren’t man’s best friend, so we thought we might be able to help in the process. A click of a button will take you seamlessly to our Expression Test tool, where you can test your regex and make sure you don’t bang your head after hours of scanning using the wrong regex.
We've added this button anywhere in the scan configuration where it's possible to use a regex.
For example, clicking the Expression Test button when configuring a parameter:
will take you to the tool:
The tool is so easy to use, you can even use it outside of AppScan, as I do.
A small but important change is the fact that the scan log is now saved along with the scan. When you load a previously saved scan, the scan log is loaded as well.
Manual test naming
As tiny as this improvement is, we still want you to know about it – you can now name the manual tests you create.
IBM Security AppScan Standard 8.6 now includes two very cool utilities that will make your life easier, and will help you research vulnerabilities with better flexibility.
- Fiddler proxy integration – When configuring Fiddler as a proxy, the recorded traffic is color coded to help you identify which requests belong to which part of the scan (login, test, explore, etc.). It is also possible to load AppScan traffic logs for post-scan analysis.
We'll be publishing another post especially about the Fiddler proxy integration and how to make the best use of it.
- Traffic Viewer – the "Swiss army knife" for debugging AppScan traffic. It can be used to load or stream traffic logs, compare requests and responses, simulate post-scan traffic replay, and more.
These features should make it easier for the power user to stay on top of what’s going on behind the scenes and to make sure everything is going according to plan. Want to delve deeper? In the following weeks we’ll be posting a dedicated post about Traffic Viewer.
Additional advanced security testing capabilities
Glass box automatic environment configuration
Another way we thought to put the Glass box server to work was to aid in automatic environment configuration, thus shortening scan time. Now, the Glass box server communicates the environment definitions back to AppScan, which prevents irrelevant tests from being sent.
This is a small but necessary step towards fewer configuration prerequisites.
AppScan Standard 8.5 - JSA was accessible via an extension toolbar button:
AppScan Standard 8.6 - JSA is available via the test policy: