Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
AppScan Source for Analysis generates two report types - Findings Reports and AppScan Source Reports. A Findings Report is a report of selected findings. An AppScan Source Report is a report based on categorized groupings of all findings tailored to a specific security policy. AppScan Source reports are listed in “AppScan Source reports” on page 137.
Reports provide the details about findings gathered during a particular scan, and all AppScan Source reports can contain any notes and trace data added to the findings. The length of the report depends on the number of findings included in the report. You can generate reports as PDF files or in Hypertext Markup Language (HTML). HTML reports function like web pages: you can jump to a section by clicking a button or link, and then navigate through the information using the browse functions of a web browser.
Reports also list any scan-time filters that have been applied to the findings.
Scan-time filters are described in “Determining applied filters” on page 95.
Creating findings reports
About this task
After you scan, you may want to generate reports about the identified vulnerabilities. You can generate multiple findings reports:
v Findings
v Findings by Type
v Findings by Classification
v Findings by File
v Findings by API
v Findings by Bundle
v Findings by CWE (Common Weakness Enumeration)
v DTS Activity
Note: Findings reports show detailed findings by category, similar to the results in the findings table. The generation of findings reports can be memory-intensive (for background, see https://xmlgraphics.apache.org/fop/1.1/running.html#memory) and may require up to 1024 MB of additional system memory. If you are generating a report for a scan of a large application and notice memory issues, you can scan parts of your application separately or alter your scan configuration, and then try to generate the report or reports again.
CWE ID hyperlinks in the findings report connect to the CWE website at http://cwe.mitre.org/.
To generate a findings report:
Procedure
1. In a view that contains findings, select the findings to include in the report. If you do not select any findings, the report consists of all findings in the active view.
On the Tools menu, click Generate Findings Report. Alternatively, in views that contain findings, select and right-click a set of findings, and then select Generate Findings Report in the menu.
2. In the Select Findings Report dialog box, select a report type.
Click Finish to generate the report - or click Next to specify these optional settings in the Specify Destination and Style Sheet page:
v You can specify the report destination and format. You can generate the report in HTML format, as a ZIP file that contains all HTML report components, or as a PDF (you must have Adobe Acrobat Reader to view PDF reports). If you do not specify a report destination and format (or click Finish in the Select Findings Report page), HTML is chosen by default, and the report is saved to <data_dir>\reports (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 223).
Note: If you are creating a custom report (rather than a findings report) in PDF format, you can specify the level of detail to include in the report:
– Summary: Contains counts for each report group
– Detailed: Contains counts for each API for each vulnerability property
– Comprehensive: Contains tables consisting of every finding for every API
– Annotated: Contains all findings and any notes, trace data, or code snippets included with the findings
v To include a code snippet in the report, select Include the source code surrounding each finding and indicate the number of lines before and after the vulnerable line of code to include in the report.
Tip: In the Reporting section of the Finding Detail view, you can also set the number of lines of code to include before and after the finding in reports.
After the report is generated, when you expand a finding that contains notes or code snippets, the source code appears below the finding in a blue box or below the yellow note. Bold red text highlights the vulnerable line of code.
v To include AppScan Source trace data in the report, select one or more of the classifications (Definitive, Suspect, or Scan Coverage) under Include trace data for the following classifications.
Click Finish to generate the report.
AppScan Source reports
AppScan Source reports help software security analysts, development managers, and risk management auditors measure compliance with software security best practices and regulatory requirements. AppScan Source reports help ensure that your critical applications meet the security standards you set.
AppScan Source uses source code vulnerability analysis results to power a series of reports that provide a detailed picture of compliance to a security, development, or audit professional.
AppScan Source reports feature:
v Report Card: A brief view of the security state of each major category
v Detailed Audit Review: A detailed audit of non-compliant findings
v Drill Down: Direct access to the non-compliant code for further analysis and prioritization of remediation and assignment
AppScan Source for Analysis generates a variety of AppScan Source reports:
v “CWE/SANS Top 25 2011 report” on page 139
v “DISA Application Security and Development STIG V3R9 report” on page 139
v “Open Web Application Security Project (OWASP) Mobile Top 10 report” on page 140
v “Open Web Application Security Project (OWASP) Top 10 2013 report” on page 139
v “Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 report” on page 140
v “Software Security Profile report” on page 140: Provides an overall view of the security state of an application, across every major vulnerability category.
Creating an AppScan Source custom report
Procedure
1. On the Tools menu, click Generate Report.
2. In the Generate Report dialog box, select an AppScan Source report:
v CWE SANS Top 25 2011
v DISA Application Security and Development STIG V3R9
v OWASP Mobile Top 10
v OWASP Top 10 2013
v PCI Data Security Standard V3.0
v Software Security Profile
Click Finish to generate the report - or click Next to specify these optional settings in the Specify Destination and Style Sheet page:
v You can specify the report destination and format. You can generate the report in HTML format, as a ZIP file that contains all HTML report components, or as a PDF (you must have Adobe Acrobat Reader to view PDF reports). If you do not specify a report destination and format (or click Finish in the Select Findings Report page), HTML is chosen by default, and the report is saved to <data_dir>\reports (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 223).
Note: If you are creating a custom report (rather than a findings report) in PDF format, you can specify the level of detail to include in the report:
– Summary: Contains counts for each report group
– Detailed: Contains counts for each API for each vulnerability property
– Comprehensive: Contains tables consisting of every finding for every API
– Annotated: Contains all findings and any notes, trace data, or code snippets included with the findings
v To include a code snippet in the report, select Include the source code surrounding each finding and indicate the number of lines before and after the vulnerable line of code to include in the report.
Tip: In the Reporting section of the Finding Detail view, you can also set the number of lines of code to include before and after the finding in reports.
After the report is generated, when you expand a finding that contains notes or code snippets, the source code appears below the finding in a blue box or below the yellow note. Bold red text highlights the vulnerable line of code.
v To include AppScan Source trace data in the report, select one or more of the classifications (Definitive, Suspect, or Scan Coverage) under Include trace data for the following classifications.
Click Finish to generate the report.
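The following script is an added example and is not part of this manual, of AppScan Source, or of its report engine. It shows, outside the product, what the groupings and options described in “Creating findings reports” and in the custom-report procedure above amount to: the “Findings by Type / Classification / File / API / CWE” counts, the Summary, Detailed, Comprehensive and Annotated detail levels, the source-snippet option (a chosen number of lines before and after the vulnerable line, clipped at the start and end of a file), and the choice of which trace classifications to include. The Finding fields, the sample findings and the sample source files are all constructed for the example; the vulnerability type names and file paths are hypothetical.

```python
"""Aggregate scan findings into report groupings and detail levels.

Added example, not AppScan Source code: the Finding fields, the sample
findings and the sample source files below are constructed here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    file: str
    line: int                   # 1-based line of the vulnerable statement
    vuln_type: str              # vulnerability type (hypothetical names)
    classification: str         # "Definitive", "Suspect" or "Scan Coverage"
    api: str                    # API the finding is reported against
    cwe: Optional[int] = None   # None when the type has no CWE mapping
    note: str = ""              # analyst note attached to the finding


# Constructed sample findings and source files (hypothetical paths and code).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("src/Login.java", 4, "Injection.SQL", "Definitive",
            "java.sql.Statement.executeQuery", 89, "query built from a request parameter"),
    Finding("src/Login.java", 7, "Injection.SQL", "Suspect",
            "java.sql.Statement.executeQuery", 89),
    Finding("src/Upload.java", 2, "PathTraversal", "Definitive",
            "java.io.FileInputStream.<init>", 22),
    Finding("src/Util.java", 1, "Validation.Required", "Scan Coverage",
            "javax.servlet.ServletRequest.getParameter"),
]
SAMPLE_SOURCES: Dict[str, List[str]] = {
    "src/Login.java": [
        'String user = req.getParameter("u");',
        'String q = "SELECT * FROM users WHERE name=\'" + user + "\'";',
        "Statement st = conn.createStatement();",
        "ResultSet rs = st.executeQuery(q);",
        "if (rs.next()) {",
        '    String q2 = "SELECT role FROM users WHERE name=\'" + user + "\'";',
        "    st.executeQuery(q2);",
        "}",
    ],
    "src/Upload.java": [
        'String name = req.getParameter("f");',
        'InputStream in = new FileInputStream("/data/" + name);',
        "return in;",
    ],
    "src/Util.java": ['String p = req.getParameter("p");', "return p;"],
}

LEVELS = ("Summary", "Detailed", "Comprehensive", "Annotated")


def group_by(findings: List[Finding], key: Callable[[Finding], str]) -> Dict[str, int]:
    """Count findings per group; `key` selects the grouping (type, file, API, ...)."""
    return dict(Counter(key(f) for f in findings))


def snippet(source: List[str], line: int, before: int, after: int) -> List[Tuple[int, str, bool]]:
    """Lines around `line` as (lineno, text, is_vulnerable), clipped to the file.

    A finding on line 1 with before=2 starts at line 1 rather than a negative
    line number; a finding near the end of the file stops at the last line.
    """
    start = max(1, line - before)
    end = min(len(source), line + after)
    return [(n, source[n - 1], n == line) for n in range(start, end + 1)]


def build_report(findings: List[Finding], sources: Dict[str, List[str]],
                 level: str = "Summary", before: int = 2, after: int = 2,
                 trace: Tuple[str, ...] = ("Definitive",)) -> dict:
    """Build a report dict whose content grows with the requested detail level."""
    if level not in LEVELS:
        raise ValueError(f"unknown detail level: {level}")
    report = {
        "level": level,
        "by_type": group_by(findings, lambda f: f.vuln_type),
        "by_classification": group_by(findings, lambda f: f.classification),
        "by_file": group_by(findings, lambda f: f.file),
        "by_cwe": group_by(findings, lambda f: f"CWE-{f.cwe}" if f.cwe else "unmapped"),
    }
    if level == "Summary":          # counts for each report group only
        return report
    per_api: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:               # counts for each API per vulnerability type
        per_api[f.api][f.vuln_type] += 1
    report["by_api"] = {api: dict(c) for api, c in per_api.items()}
    if level == "Detailed":
        return report
    rows = []                        # Comprehensive: every finding for every API
    for f in findings:
        row = {"api": f.api, "file": f.file, "line": f.line,
               "type": f.vuln_type, "classification": f.classification}
        if level == "Annotated":     # add notes, snippet and trace eligibility
            row["note"] = f.note
            row["snippet"] = snippet(sources[f.file], f.line, before, after)
            row["trace_included"] = f.classification in trace
        rows.append(row)
    report["findings"] = rows
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_FINDINGS, SAMPLE_SOURCES, "Annotated"), indent=2))
```

Running the script prints the Annotated report as JSON. The `snippet` clipping is the detail worth noting: a finding on the first or last lines of a file receives fewer context lines than requested rather than an out-of-range index, which is the same behaviour a report generator needs when the "lines before and after" setting exceeds what the file has.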
CWE/SANS Top 25 2011 report
The CWE/SANS Top 25 2011 report is based on the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
To learn about the 2011 CWE/SANS Top 25 Most Dangerous Software Errors, see http://cwe.mitre.org/top25/.
DISA Application Security and Development STIG V3R9 report
This topic provides links to the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) website and guidance documents.
To learn about the DISA Application Security and Development STIG, see http://iase.disa.mil/.
Open Web Application Security Project (OWASP) Top 10 2013 report
This topic provides links to the Open Web Application Security Project (OWASP) website and guidance documents.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
Open Web Application Security Project (OWASP) Mobile Top 10 report
This topic provides links to the Open Web Application Security Project (OWASP) website and guidance documents.
To learn about the OWASP Mobile Security Project, see https://www.owasp.org/index.php/OWASP_Mobile_Security_Project.
Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 report
This report provides relevant data needed to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS).
See https://www.pcisecuritystandards.org/security_standards/index.php for information.
Software Security Profile report
The Software Security Profile presents a comprehensive analysis of the characteristics of your application that have direct relevance to its security. It provides a detailed audit of critical security features in software for a particular project. This report helps you verify the implementation of requirements such as encryption, access control, logging, and error handling before certifying the software for deployment.
The report identifies areas of potential risk and presents recommendations for minimizing those risks. It helps facilitate an assessment of the overall application security, which is useful for compliance, policy, and architectural reviews. Findings are based on extensive static analysis of source code using a database of flaws, vulnerabilities, industry-specific standards, and general best practices.
The Software Security Profile displays this information:
v Report Card: Contains links to the report details and severity indicators summarizing the section.
v Overview: Summarizes the purpose of the report and describes the application configuration.
v Metrics: Identifies the total number of packages, classes, methods, and lines of code in all of the packages in the project.
v Detailed Findings by Category: Reports each vulnerability category found with a vulnerability category name and an icon that indicates the severity level of the vulnerability.