
IBM Security AppScan Source for Analysis

Version 9.0.3.3

User Guide


(C) Copyright IBM Corp. and its licensors 2003, 2016. All Rights Reserved.

IBM, the IBM logo, ibm.com, Rational, AppScan, Rational Team Concert, WebSphere and ClearQuest are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at http://www.ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

This program includes: Jacorb 2.3.0, Copyright 1997-2006 The JacORB project; and XOM1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the Gnu Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program.


Contents

Chapter 1. Introduction to AppScan Source for Analysis . . . 1

Introduction to IBM Security AppScan Source . . . 1

United States government regulation compliance . . . 2

What's New in AppScan Source . . . 4

What's New in AppScan Source Version 9.0.3.3 . . 4

What's New in AppScan Source Version 9.0.3.2 . . 5

What's New in AppScan Source Version 9.0.3.1 . . 6

What's New in AppScan Source Version 9.0.3 . . 6

Migrating to the current version of AppScan Source . . . 9

Migrating from Version 9.0.2 . . . 10

Migrating from Version 9.0 . . . 11

Migrating from Version 8.7 . . . 11

AppScan Source for Analysis overview . . . 13

Workflow . . . 13

Important concepts . . . 14

Classifications . . . 15

Logging in to AppScan Enterprise Server from AppScan Source products . . . 15

Enabling Common Access Card (CAC) authentication . . . 17

Changing AppScan Source user passwords . . . 19

AppScan Enterprise Server SSL certificates . . . 19

AppScan Source and accessibility . . . 20

Notices . . . 20

Copyright . . . 23

Chapter 2. Configuring applications and projects . . . 25

AppScan Source application and project files . . . 25

Configuring applications . . . 28

Creating a new application with the New Application Wizard . . . 29

Using the Application Discovery Assistant to create applications and projects . . . 30

Adding an existing application . . . 33

Adding multiple applications . . . 34

Importing existing Java applications from Apache Tomcat and WebSphere Application Server Liberty profile application servers . . . 35

Adding an Eclipse or Eclipse-based product workspace . . . 37

Configuring your development environment for Eclipse and Rational Application Developer for WebSphere Software (RAD) projects . . . 38

Eclipse or Application Developer updates . . . 38

Eclipse workspace importers: Eclipse or Rational Application Developer for WebSphere Software (RAD) preference configuration. . . 39

Creating a new project for an application . . . . 39

Adding an existing project . . . 40

Adding multiple projects . . . 42

Adding a new Arxan project. . . 43

Adding a new ASP project . . . 44

Adding a new C/C++ project . . . 45

Adding a new COBOL project . . . 47

Adding a new ColdFusion project . . . 47

Adding a new Java or JavaServer Page (JSP) project . . . 48

Adding a new JavaScript project . . . 55

Adding a new .NET Assembly project . . . . 56

Adding a new Pattern Based project . . . 56

Adding a new Perl project . . . 57

PHP project configuration . . . 58

Adding a new PL/SQL project . . . 68

Adding a new T-SQL project . . . 68

Adding a new Visual Basic project. . . 69

Copying projects . . . 70

Modifying application and project properties . . . 70

Global attributes. . . 71

Application attributes . . . 71

Removing applications and projects . . . 72

Explorer view . . . 72

Chapter 3. Preferences . . . 79

General preferences. . . 79

AppScan Enterprise Console preferences. . . 81

Application server preferences for JavaServer Page compilation . . . 83

Tomcat . . . 83

WebLogic 8, 9, 11, and 12 . . . 83

WebSphere Application Server . . . 84

Defining variables . . . 85

Enabling defect tracking with preferences . . . . 85

Rational ClearQuest preferences . . . 86

Quality Center preferences . . . 87

Rational Team Concert preferences . . . 89

Team Foundation Server preferences . . . 90

Eclipse workspace importers: Eclipse or Rational Application Developer for WebSphere Software (RAD) preference configuration. . . 90

Email . . . 91

Java and JavaServer Pages . . . 91

Knowledgebase articles . . . 92

Project file extensions . . . 92

Chapter 4. Scanning source code and managing assessments . . . 95

Scanning source code . . . 95

Scanning all applications . . . 95

Scanning one or more applications . . . 96

Scanning one or more projects . . . 96

Scanning one or more files . . . 96

Re-scanning code . . . 97

Scan considerations. . . 97

Managing scan configurations . . . 99

Excluding a file from a scan . . . 105

AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux . . . 107

Managing My Assessments . . . 107

Publishing assessments . . . 108

Registering applications and projects for publishing to AppScan Source . . . 108

Publishing assessments to AppScan Source . . 109

Publishing assessments to the AppScan Enterprise Console . . . 110

Saving assessments . . . 114

Automatically saving assessments . . . 114

Removing assessments from My Assessments . . 115

Defining variables . . . 115

Defining variables when publishing and saving . . . 116

Example: Defining variables . . . 116

Chapter 5. Triage and analysis . . . . 119

Displaying findings . . . 120

The AppScan Source triage process . . . 122

Sample triage . . . 123

Triage with filters . . . 125

Using AppScan Source predefined filters . . . 129

Creating and managing filters . . . 134

Applying filters . . . 139

Triage with exclusions . . . 141

The scope of exclusions . . . 141

Specifying exclusions . . . 141

Marking findings as exclusions in a findings table . . . 142

Re-including findings that have been marked as exclusions . . . 142

Example: Specifying filter exclusions . . . . 142

Specifying bundle exclusions from the Properties view. . . 143

Triage with bundles . . . 144

Creating bundles . . . 144

Adding findings to existing bundles . . . 145

Viewing findings in bundles . . . 146

Saving bundles to file . . . 146

Submitting bundles to defect tracking and by email . . . 147

Adding notes to bundles . . . 147

Modifying findings . . . 147

Making modifications from a findings table . . 148

Modifying findings in the Finding Detail view . . . 149

Removing finding modifications . . . 151

Comparing findings . . . 152

Comparing two assessments in the Assessment Diff view . . . 152

Comparing two assessments from the main menu bar. . . 152

Finding differences between assessments in the My Assessments and Published Assessments views . . . 153

Custom findings . . . 153

Creating a custom finding in the Properties view . . . 154

Creating custom findings in a findings view . . 155

Creating custom findings in the source code editor . . . 156

Resolving security issues and viewing remediation assistance. . . 156

Analyzing source code in an editor . . . 157

Supported annotations and attributes . . . 158

Chapter 6. AppScan Source trace. . . 161

AppScan Source trace scan results . . . 161

Validation and encoding. . . 162

Searching AppScan Source traces . . . 162

Input/output tracing . . . 163

Using the Trace view . . . 163

Input/output stacks in the Trace view . . . . 164

Analyzing source code in an editor . . . 166

Validation and encoding scope . . . 167

Creating custom rules from an AppScan Source trace . . . 168

Code examples for tracing . . . 170

Example 1: From source to sink . . . 170

Example 2: Modified from source to sink . . . 171

Example 3: Different source and sink files . . . 176

Example 4: Validation in depth . . . 177

Chapter 7. AppScan Source for Analysis and defect tracking . . . 179

Enabling defect tracking with preferences . . . . 179

Rational ClearQuest preferences . . . 179

Quality Center preferences . . . 180

Rational Team Concert preferences . . . 182

Team Foundation Server preferences. . . 183

Integrating HP Quality Center and AppScan Source for Analysis . . . 183

Submitting findings to Quality Center . . . . 183

Tracking findings submitted to Quality Center . . . 184

AppScan Source finding information in Quality Center . . . 184

Integrating Rational ClearQuest and AppScan Source for Analysis . . . 184

Submitting findings to Rational ClearQuest . . 185

Submitting defects to Rational ClearQuest . . . 185

Integrating Rational Team Concert and AppScan Source for Analysis . . . 185

Submitting defects to Rational Team Concert . . . 186

Rational Team Concert SSL certificates . . . 186

Integrating Microsoft Team Foundation Server and AppScan Source for Analysis . . . 187

Submitting defects to Microsoft Team Foundation Server . . . 187

Working with submitted defects . . . 188

Submitting bundles to defect tracking and by email . . . 188

Tracking defects through email (sending findings by email) . . . 188

Chapter 8. Findings reports and audit reports . . . 191

Creating findings reports . . . 191

AppScan Source reports . . . 193

Creating an AppScan Source custom report . . 194

CWE/SANS Top 25 2011 report . . . 195

DISA Application Security and Development STIG V3R10 report . . . 195

Open Web Application Security Project (OWASP) Top 10 2013 report . . . 195

Open Web Application Security Project (OWASP) Mobile Top 10 report . . . 196

Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 report . . . 196

Software Security Profile report . . . 196

Chapter 9. Creating custom reports . . . 197

Report Editor . . . 197

Report Layout tab . . . 198

Categories tab . . . 199

Preview tab . . . 200

Generating custom reports . . . 201

Designing a report from an existing custom report . . . 201

Including categories in the report. . . 201

Previewing the report . . . 202

Saving the report template . . . 202

Chapter 10. Customizing the vulnerability database and pattern rules . . . 203

Extending the AppScan Source Security Knowledgebase. . . 203

Creating custom rules . . . 204

Using the Custom Rules wizard . . . 204

Likelihood rule attributes . . . 209

Customizing input/output tracing through AppScan Source trace . . . 210

Customizing with pattern-based rules . . . 210

Pattern rule sets . . . 210

Pattern rules. . . 212

Applying pattern rules and rule sets. . . 216

Chapter 11. Extending the application server import framework . . . 227

Chapter 12. AppScan Source for Analysis samples . . . 231

Chapter 13. The AppScan Source for Analysis work environment . . . 233

The AppScan Source for Analysis workbench. . . 233

Main menu . . . 235

File menu . . . 235

Edit menu . . . 239

Scan menu . . . 240

Tools menu . . . 241

Admin menu . . . 241

View menu . . . 242

Perspective menu . . . 242

Help menu . . . 243

Toolbars . . . 243

Hover help . . . 243

Status bar . . . 244

Chapter 14. Views . . . 245

Configuration views . . . 245

Custom Rules view . . . 245

Explorer view . . . 245

Pattern Rule Library view . . . 250

Properties view. . . 251

Scan Configuration view . . . 259

Report Editor . . . 261

Views that assist with scan output . . . 265

Console view . . . 265

Metrics view . . . 265

My Assessments view . . . 266

Published Assessments view . . . 267

Views that assist with triage . . . 268

Assessment Diff view . . . 268

Custom Findings view . . . 268

Views with findings . . . 269

Sources and Sinks view . . . 276

Views that allow you to investigate a single finding . . . 277

Finding Detail view . . . 277

Remediation Assistance view . . . 279

Trace view . . . 280

Views that allow you to work with assessments . . . 281

Assessment Summary view . . . 281

Filter Editor view . . . 282

Vulnerability Matrix view . . . 283

Bundles view . . . 285

Bundle view . . . 285

Glossary . . . 291

A . . . 291

B . . . 291

C . . . 291

D . . . 292

E . . . 292

F . . . 292

L . . . 292

P . . . 292

R . . . 292

S . . . 292

T . . . 293

V . . . 293

W . . . 293

X . . . 293

Notices . . . 295

Index . . . 299


Chapter 1. Introduction to AppScan Source for Analysis

This section describes how AppScan® Source for Analysis fits into the total AppScan Source solution and provides a basis for understanding the software assurance workflow.

Introduction to IBM Security AppScan Source

IBM® Security AppScan Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.

The product set includes:

v AppScan Source for Analysis: Workbench to configure applications and projects, scan code, analyze, triage, and take action on priority vulnerabilities.

v AppScan Source for Automation: Allows you to automate key aspects of the AppScan Source workflow and integrate security with build environments during the software development life cycle.

v AppScan Source for Development: Developer plug-ins integrate many AppScan Source for Analysis features into Microsoft Visual Studio, the Eclipse workbench, and Rational® Application Developer for WebSphere® Software (RAD). This allows software developers to find and take action on vulnerabilities during the development process. The Eclipse plug-in allows you to scan source code for security vulnerabilities - and you can scan IBM MobileFirst Platform projects with the Eclipse plug-in.

To enhance the value of AppScan Source within your organization, the products include these components:

v AppScan Source Security Knowledgebase: In-context intelligence on each vulnerability, offering precise descriptions about the root cause, severity of risk, and actionable remediation advice.

v AppScan Enterprise Server: Most AppScan Source products and components must communicate with an AppScan Enterprise Server. Without one, you can use AppScan Source for Development in local mode - but features such as custom rules, shared scan configurations, and shared filters will be unavailable. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database. The server includes an optional Enterprise Console component. If your administrator installs this component, you can publish assessments to it from AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface (CLI). The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.

Note:

– AppScan Enterprise Server is not supported on OS X.

– If you have a basic server license, the server may only be accessed by up to ten (10) concurrent connections from AppScan products. With a premium server license, unlimited connections are allowed.


Important: When scanning, AppScan Enterprise Server and AppScan Source clients (except AppScan Source for Development) both require a direct connection to the AppScan Source Database (either solidDB® or Oracle).

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

Translated national languages

The AppScan Source user interfaces are available in these languages:

v English

v Brazilian Portuguese

v Simplified Chinese

v Traditional Chinese

v German

v Spanish

v French

v Italian

v Japanese

v Korean

v Russian

United States government regulation compliance

Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that IBM is working to make its products the most secure in the industry. This topic lists the standards and guidelines that AppScan Source supports.

v “Internet Protocol Version 6 (IPv6)”

v “Federal Information Processing Standard (FIPS)”

v “National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a” on page 3

v “Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)” on page 4

Internet Protocol Version 6 (IPv6)

AppScan Source is enabled for IPv6, with these exceptions:

v Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.

v IPv6 is not supported when connecting to Rational Team Concert™.

Federal Information Processing Standard (FIPS)

On Windows and Linux platforms that are supported by AppScan Source, AppScan Source supports FIPS Publication 140-2, by using a FIPS 140-2 validated cryptographic module and approved algorithms. On OS X platforms that are supported by AppScan Source, manual steps are needed to operate in FIPS 140-2 mode.


To learn background information about AppScan Source FIPS compliance - and to learn how to enable and disable AppScan Source FIPS 140-2 mode, see these technotes:

v Operating AppScan Source version 8.7 or later in FIPS 140-2 mode on OS X

v How to enable/disable/verify FIPS 140-2 mode in AppScan Source (Linux and Windows)

v Background information about AppScan Source version 8.7 or later FIPS 140-2 support

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

NIST SP 800-131A guidelines provide cryptographic key management guidance. These guidelines include:

v Key management procedures.

v How to use cryptographic algorithms.

v Algorithms to use and their minimum strengths.

v Key lengths for secure communications.

Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that the products conform to specified security requirements. NIST SP 800-131A is supported only when AppScan Source is operating in FIPS 140-2 mode. To learn about enabling and disabling AppScan Source FIPS 140-2 mode, see “Federal Information Processing Standard (FIPS)” on page 2.

Important: If the AppScan Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail.

v If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 286). In this file, locate this setting:

    <Setting name="tls_protocol_version" read_only="false"
        default_value="0" value="0"
        description="Minor Version of the TLS Connection Protocol" type="text"
        display_name="TLS Protocol Version" display_name_id=""
        available_values="0:1:2" hidden="false"
        force_upgrade="false" />

In the setting, change value="0" to value="2" and then save the file.

v If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the IBM Security AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server.
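As an added example (not IBM's code) of auditing the ounce.ozsettings setting described above across client installs, the following Python parses a settings fragment, reports the effective TLS minor version, and rewrites it to 2 when TLS 1.2 must be forced for a NIST SP 800-131a-enabled Enterprise Server. The enclosing <Settings> root element and the sample file content are constructed for the example; only the <Setting .../> element itself follows the guide.

```python
"""Audit and enforce the AppScan Source tls_protocol_version setting.

Added example, not IBM's code. The <Setting name="tls_protocol_version"> element
is the one the guide shows; the <Settings> root element that wraps it is an
assumption made so the fragment parses as a complete XML document.
"""
import xml.etree.ElementTree as ET

SETTING_NAME = "tls_protocol_version"
TLS12_MINOR_VERSION = "2"  # value="2" forces TLS 1.2, as the guide instructs

# Constructed sample of the relevant part of <data_dir>\config\ounce.ozsettings.
SAMPLE_OZSETTINGS = """<Settings>
  <Setting name="tls_protocol_version" read_only="false"
    default_value="0" value="0"
    description="Minor Version of the TLS Connection Protocol" type="text"
    display_name="TLS Protocol Version" display_name_id=""
    available_values="0:1:2" hidden="false"
    force_upgrade="false" />
</Settings>
"""


def find_tls_setting(root):
    """Return the tls_protocol_version <Setting> element, or raise if it is absent."""
    for setting in root.iter("Setting"):
        if setting.get("name") == SETTING_NAME:
            return setting
    raise LookupError(f'no <Setting name="{SETTING_NAME}"> found in settings file')


def tls_minor_version(xml_text):
    """Effective TLS minor version: the explicit value, falling back to default_value.

    Rejects a value outside available_values so a hand-edited file that the
    product would not accept is reported rather than treated as hardened.
    """
    setting = find_tls_setting(ET.fromstring(xml_text))
    value = setting.get("value") or setting.get("default_value", "0")
    allowed = [v for v in setting.get("available_values", "").split(":") if v]
    if allowed and value not in allowed:
        raise ValueError(f"value {value!r} is not one of available_values {allowed}")
    return value


def is_tls12_forced(xml_text):
    """True when clients will negotiate TLS 1.2, as a NIST 800-131a server requires."""
    return tls_minor_version(xml_text) == TLS12_MINOR_VERSION


def force_tls12(xml_text):
    """Return the settings XML with tls_protocol_version set to "2" (TLS 1.2).

    Refuses to edit a setting marked read_only="true" so that a locked-down
    configuration is surfaced to the administrator instead of silently changed.
    """
    root = ET.fromstring(xml_text)
    setting = find_tls_setting(root)
    if setting.get("read_only", "false").lower() == "true":
        raise PermissionError(f"{SETTING_NAME} is read-only; it cannot be changed here")
    setting.set("value", TLS12_MINOR_VERSION)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("TLS 1.2 forced before:", is_tls12_forced(SAMPLE_OZSETTINGS))
    hardened = force_tls12(SAMPLE_OZSETTINGS)
    print("TLS 1.2 forced after: ", is_tls12_forced(hardened))
```

On a real installation, read the file with its original encoding and write the returned XML back only after confirming the server is NIST 800-131a enabled, since forcing TLS 1.2 against a server that does not support it will also fail the connection.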

Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)

AppScan Source supports scanning applications on Windows 7 machines that are configured with the USGCB specification.

Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational ClearQuest®.

What's New in AppScan Source

Explore these new features that have been added to AppScan Source - and note any features and capabilities that have been deprecated in this release.

v “What's New in AppScan Source Version 9.0.3.3”

v “What's New in AppScan Source Version 9.0.3.2” on page 5

v “What's New in AppScan Source Version 9.0.3.1” on page 6

v “What's New in AppScan Source Version 9.0.3” on page 6

What's New in AppScan Source Version 9.0.3.3

v “New platform and integration solution support”

v “Enhanced and new scanning support” on page 5

v “New installation file name for Windows” on page 5

v “Common Access Card (CAC) support on Windows” on page 5

v “DISA Application Security and Development STIG V3R10 report support” on page 5

New platform and integration solution support

As of AppScan Source Version 9.0.3.3:

v Microsoft Windows 10 is now a supported operating system. This includes Windows 10 Education, Enterprise, and Pro editions.

Note:

– On Windows 10, the AppScan Source installer (AppScanSrc_Installer.exe file) must be run in Windows 7 compatibility mode. On Windows 10, you must also set the AppScan_Uninstaller.exe file to run in Windows 7 compatibility mode before uninstalling AppScan Source. This file is located in <install_dir>\Uninstall_AppScan\AppScan_Uninstaller.exe (where <install_dir> is the location of your AppScan Source installation, as described in “Installation and user data file locations” on page 286). See http://www.ibm.com/support/docview.wss?uid=swg21696098 for more information.

– Windows 10 support is affected by the issue described in http://www.ibm.com/support/docview.wss?uid=swg21689814.

v If you are connecting to an AppScan Enterprise Server Version 9.0.3.1 or higher, the IBM Security AppScan Source Database can be installed to an Oracle 12c database.

Important: If you have an existing installation of AppScan Source that utilizes an Oracle 11g database, and you want to upgrade to Oracle 12c, you must upgrade AppScan Source before upgrading the Oracle database.

v Tomcat 8 is now included in the installation of AppScan Source.

v Visual Studio 2015 solution and project files can now be scanned in AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface. If you have .sln or .vcproj files that have been created in Visual Studio 2015, these files can be imported and scanned when using AppScan Source for Analysis, AppScan Source for Automation, or the AppScan Source command line interface on Windows.

Note: Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2015 is not supported.

v Xcode 7.3 for Objective-C (for iOS applications only) is now a supported compiler on OS X (support for Xcode 7.3 is retroactive to AppScan Source Version 9.0.3.2).

Enhanced and new scanning support

v PHP Versions 5.5 and 5.6 can now be scanned on Windows and Linux in IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI).

v When using AppScan Source to scan Java™, @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are now supported.

New installation file name for Windows

On Windows, the installation file name has changed from setup.exe to AppScanSrc_Installer.exe.

Common Access Card (CAC) support on Windows

The Common Access Card (http://www.cac.mil) is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel in the United States. It is used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems. The CAC can be used for access into computers and networks that are equipped with various smart card readers. When it is inserted into the reader, the device asks the user for a PIN.

If you are running AppScan Source on Windows and connecting to an AppScan Enterprise Server Version 9.0.3.1 iFix-001 or higher that is enabled for Common Access Card (CAC) authentication, AppScan Source now supports CAC authentication.

DISA Application Security and Development STIG V3R10 report support

AppScan Source now supports the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) V3R10 report.

What's New in AppScan Source Version 9.0.3.2

AppScan Source and AppScan Enterprise version compatibility

Some versions of AppScan Source no longer require that AppScan Source and AppScan Enterprise version and release levels match when publishing to the AppScan Enterprise Console. See http://www.ibm.com/support/docview.wss?uid=swg21975211 to learn which versions of AppScan Source and AppScan Enterprise are compatible when publishing assessments.

This change is retroactive to some previous versions of AppScan Source, as described in http://www.ibm.com/support/docview.wss?uid=swg21975211.

What's New in AppScan Source Version 9.0.3.1

v “New integration solution support”

v “Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)”

New integration solution support

As of AppScan Source Version 9.0.3.1:

v Tomcat 8 is now supported for compiling Java and JSP.

Note: Operating system support is dependent on the operating system supported by individual compilers.

v Xcode 7.0, 7.1, and 7.2 for Objective-C (for iOS applications only) are now supported compilers on OS X.

Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)

The openapplication (oa) command in the CLI can now be used to open WAR and EAR files. In addition, these files can be scanned in AppScan Source for Automation using the ScanApplication command.

What's New in AppScan Source Version 9.0.3

v “New platform and integration solution support”

v “Scan configuration enhancements” on page 7

v “New rule attributes allow you to identify high severity definitive security findings more accurately” on page 7

v “Automatic lost sink resolution allows for better scan results” on page 8

v “Enhanced and new scanning support” on page 8

v “Capabilities and features that are no longer supported in AppScan Source Version 9.0.3” on page 9

New platform and integration solution support

As of AppScan Source Version 9.0.3, these operating systems are supported:

v Red Hat Enterprise Linux Version 6 Updates 6 and 7

v OS X Version 10.11. Support for OS X Version 10.11 is retroactive to AppScan Source Version 9.0.2, with the limitation described in http://www.ibm.com/support/docview.wss?uid=swg21968948 (this limitation only affects AppScan Source Version 9.0.2).

In addition:

v Xcode 6.3 and 6.4 for Objective-C (for iOS applications only) are now supported compilers on OS X (support for Xcode 6.3 and 6.4 is retroactive to AppScan Source Version 9.0.2). Note that some limitations exist for Xcode 6.3 and 6.4 support. Please see http://www.ibm.com/support/docview.wss?uid=swg21962208 for details. These limitations do not apply to AppScan Source Version 9.0.3.1 and higher.

v The AppScan Source for Development Eclipse plug-in now integrates with IBM MobileFirst Platform Foundation Version 7.1. You can now scan IBM MobileFirst Platform Version 7.1 projects, applications, environments, and HTML files in AppScan Source products.

v Rational Application Developer for WebSphere Software (RAD) Version 9.1.1 project files and workspaces can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Version 9.1.1.

v Eclipse Version 4.5 project files and workspaces (Java and IBM MobileFirst Platform only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to Eclipse Version 4.5.

v IBM WebSphere Application Server Version 8.5.5 is now supported for compiling Java and JSP.

Note: Operating system support is dependent on the operating system supported by individual compilers.

Scan configuration enhancements

The Scan Configuration view has been redesigned and now offers these key features:

v The ability to specify filters.

v Setting the type of analysis to perform during a scan. This includes taint-flow analysis and pattern-based analysis.

AppScan Source now includes these built-in scan configurations: Web preview scan, Web quick scan, Web balanced scan, and Web deep scan.

New rule attributes allow you to identify high severity definitive security findings more accurately

This release of AppScan Source introduces the Attribute.Likelihood.High and Attribute.Likelihood.Low attributes. These attributes have been added to the built-in rules and can also be used when creating custom rules.

In AppScan Source, likelihood represents the probability or chance that a security finding can be exploited. AppScan Source takes the definition of likelihood that is presented at https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood, and refines it by determining likelihood based on trace properties. Given a set of trace properties - for example, Source API name, Source API type, Source Technology, or Source Mechanism - AppScan Source determines the likelihood that a trace can or will be exploited using a specific vulnerability in the future.

Likelihood is tied to the source element of a trace. A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is unchecked, it is considered a source of taint.


v Given a trace with an HTTP source (for example, Request.getQueryString) and a cross-site scripting sink (for example, Response.write), a high likelihood is determined, thereby raising the confidence of the finding.

v Given a trace with a system property source (for example, getProperty) and a cross-site scripting sink (for example, Response.write), a low likelihood is determined, thereby lowering the confidence of the finding.

Likelihood is used to identify high priority actionable findings that must be acted on or fixed immediately. It is tied to highly-exploitable sources of taint and can provide you with a more fine-grained approach for classifying findings. Likelihood is stored as an attribute that is tied to a source of taint, in the AppScan Source vulnerability database. The feature is available out-of-the-box.

We have conducted extensive research in order to determine the likelihood factor for sources. Using the Custom Rules Wizard, you can add likelihood information to new sources of taint that you add to your rule base. This will improve the classification of findings generated from a scan and, in turn, improve the efficiency of your overall triage workflow.

In the Custom Rules Wizard, there are two values (High and Low) that you can set for the Likelihood property. A value of High means that the source is very susceptible to taint. In other words, the barrier to taint entering the system is very low, making it easy for attackers to submit malicious data either manually or in an automated fashion. A value of Low means that the barrier to entering malicious data through this source is very high. This could mean that in order for taint to be introduced to the source, an attacker would have to have insider knowledge of the system and have permissions to operate on the victim's network.

Note: As a result of these rule attributes, if you have generated assessments in previous versions of AppScan Source, you may find that findings classifications for the same source have changed when it is scanned in Version 9.0.3. For more information, and to learn how to disable these rule attributes, see the migration considerations regarding these changes.

Automatic lost sink resolution allows for better scan results

AppScan Source now tries to resolve lost sinks in traces by automatically inferring markup for lost sink methods such as getters, setters, and methods that return boolean values. This allows for a more thorough analysis of your code and improved lost sink resolution.

Note: As a result of this feature, if you have generated assessments in previous versions of AppScan Source, you may notice a change in findings results for lost sinks that were not resolved. For more information, and to learn how to disable automatic markup generation, see the migration considerations regarding these changes.

Enhanced and new scanning support

• PHP Version 5.4 can now be scanned on Windows and Linux in IBM Security AppScan Source for Analysis, IBM Security AppScan Source for Automation, and the IBM Security AppScan Source command line interface (CLI).

• AppScan Source now includes built-in support for the Spring MVC 4 framework.


– When scanning JavaServer Pages, you now have the option of scanning precompiled class files instead of compiling them during a scan. To scan precompiled class files in the AppScan Source for Development Eclipse plug-in, configure your project for security scanning (select Security Analysis > Configure Scan > Configure Projects for Security) and select the Precompiled classes check box. To scan precompiled class files in IBM Security AppScan Source for Analysis, select the Precompiled classes check box in one of these locations:

- The Project Dependencies tab in the project properties.

- The Java Project Dependencies page when creating a new project or application.

– When scanning Java, AppScan Source will now scan Java files and Java byte code with missing dependencies or compilation errors. If there are missing dependencies or compilation errors, information about them will be written to a log file. With this information, you can then add the dependencies to your project properties, re-scan, and achieve full coverage for scan results.

• As of AppScan Source Version 9.0.3, header locations and configuration options are determined more accurately when Xcode projects are imported and scanned. This change introduces the use of xcodebuild -dry-run to obtain every file's build configuration, so there may be a pause at the beginning of scans while AppScan Source determines file configurations before proceeding.

Capabilities and features that are no longer supported in AppScan Source Version 9.0.3

As of AppScan Source Version 9.0.3:

• OS X Version 10.8 is no longer a supported operating system.

• Xcode Version 4.6 is no longer supported. Scanning Objective-C projects with this version of Xcode is no longer supported.

• Eclipse Version 3.6 and 3.7 project files and workspaces are no longer supported - and the AppScan Source for Development (Eclipse plug-in) can no longer be applied to Eclipse Versions 3.6 and 3.7.

• Rational Application Developer for WebSphere Software (RAD) Version 8.0.x project files and workspaces are no longer supported - and the IBM Security AppScan Source for Development plug-in for IBM Rational Application Developer for WebSphere Software (RAD) can no longer be applied to RAD Version 8.0.x.

• IBM Rational Team Concert Versions 3.0 and 3.0.1 are no longer supported defect tracking systems.

• WebSphere Application Server Version 6.1 is no longer a supported application server.

• Support for scanning PHP Versions 4.x up to 5.2 is deprecated.

Migrating to the current version of AppScan Source

This topic contains migration information for changes that have gone into this version of AppScan Source. If you are upgrading from an older version of AppScan Source, be sure to note the changes for the version of AppScan Source that you are upgrading and all versions leading up to this current version.

• “Migrating from Version 9.0.2” on page 10

• “Migrating from Version 9.0” on page 11

• “Migrating from Version 8.7” on page 11


Migrating from Version 9.0.2

• “New rule attributes may result in findings classification changes in existing scans”

• “Automatic lost sink generation”

New rule attributes may result in findings classification changes in existing scans

After Version 9.0.2, Attribute.Likelihood.High and Attribute.Likelihood.Low rule attributes were introduced. When these attributes are used, AppScan Source can more accurately determine if findings are definitive and/or suspect. As a result, if you scan source code in AppScan Source Version 9.0.2 or earlier, you may find that some findings classifications will change when the same source code is scanned in product versions after 9.0.2. This will be most noticeable for findings related to highly exploitable web sources - or for property or environment sources that are less exploitable.

These rule attributes are used by default. You can disable them, as follows:

1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 286). Locate the allow_likelihood setting in the file. This setting will look similar to:

<Setting
    name="allow_likelihood" value="true"
    default_value="true"
    description="Allow the processing of the Likelihood attributes to help determine trace confidence based on the source API"
    display_name="Allow Likelihood" type="bool"
/>

In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan Source will not use these rule attributes during scans.

2. Save the file after you have modified this setting and start or restart AppScan Source.

Automatic lost sink generation

After Version 9.0.2, automatic lost sink resolution was introduced for traces that end in getters/setters and methods that return boolean values. This is done by automatically inferring markup for these application programming interfaces (API). As a result, if you scan source code in AppScan Source Version 9.0.2 or earlier, you may notice changes in findings results that contained unresolved lost sinks when the same source code is scanned in product versions after 9.0.2.

Automatic markup generation is on by default. You can disable it if you want to use other means of lost sink resolution such as custom rules, as follows:

1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 286). Locate the automatic_lost_sink_resolution setting in the file. This setting will look similar to:


<Setting
    name="automatic_lost_sink_resolution" value="true"
    default_value="true"
    description="This setting tries to perform automatic lost sink resolution by assuming taint propagation for getters, setters and APIs which return boolean with no arguments."
    display_name="Auto Lost Sink Resolution" type="bool"
/>

In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan Source will not automatically generate markup for these methods.

2. Save the file after you have modified this setting and start or restart AppScan Source.
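Both procedures above come down to flipping the value attribute of one <Setting> element in ipva.ozsettings (allow_likelihood or automatic_lost_sink_resolution). The following Python script is an added example, not IBM's tooling, that does this for any boolean setting by name so that the other attributes (default_value, description, and so on) are left intact; it assumes the file is XML made up of <Setting .../> elements like those shown, wrapped in a root element whose name is not documented here, and the sample file contents below are constructed from the two settings in this topic.

```python
"""Toggle a boolean <Setting> in an AppScan Source .ozsettings file.

Added example, not IBM's own tooling. Assumes the file is XML whose
<Setting .../> elements carry name, value, default_value and type
attributes, as shown in the migration notes. The root element name is
not documented here, so the code searches the whole tree for <Setting>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the two settings from the migration notes, wrapped in an
# assumed root element (<Settings> is a placeholder, not the documented name).
SAMPLE_IPVA_OZSETTINGS = """<Settings>
  <Setting name="allow_likelihood" value="true" default_value="true"
           description="Allow the processing of the Likelihood attributes to help determine trace confidence based on the source API"
           display_name="Allow Likelihood" type="bool" />
  <Setting name="automatic_lost_sink_resolution" value="true" default_value="true"
           description="This setting tries to perform automatic lost sink resolution by assuming taint propagation for getters, setters and APIs which return boolean with no arguments."
           display_name="Auto Lost Sink Resolution" type="bool" />
</Settings>
"""

# Both spellings of the boolean type appear in the guide's sample settings.
BOOL_TYPES = {"bool", "boolean"}


def find_setting(root, name):
    """Return the <Setting> element called `name`, or raise KeyError."""
    for elem in root.iter("Setting"):
        if elem.get("name") == name:
            return elem
    raise KeyError(f"no <Setting name={name!r}> in file")


def set_bool_setting(xml_text, name, enabled):
    """Return `xml_text` with the `value` attribute of the named boolean
    setting set to "true" or "false". Every other attribute is untouched,
    and a non-boolean setting is refused rather than silently rewritten."""
    root = ET.fromstring(xml_text)
    elem = find_setting(root, name)
    if elem.get("type") not in BOOL_TYPES:
        raise ValueError(f"{name} has type {elem.get('type')!r}, not a boolean")
    elem.set("value", "true" if enabled else "false")
    # ElementTree re-serializes the document: attribute order is kept, but
    # whitespace inside tags is normalized and any XML declaration is dropped.
    return ET.tostring(root, encoding="unicode")


def get_setting_value(xml_text, name):
    """Read back the current `value` attribute of a setting."""
    return find_setting(ET.fromstring(xml_text), name).get("value")


def set_bool_setting_in_file(path, name, enabled):
    """File wrapper: rewrite `path` in place. Keep a backup, and restart
    AppScan Source afterwards so that the changed setting is picked up."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_bool_setting(text, name, enabled))


if __name__ == "__main__":
    disabled = set_bool_setting(SAMPLE_IPVA_OZSETTINGS, "allow_likelihood", False)
    print(get_setting_value(disabled, "allow_likelihood"))                # false
    print(get_setting_value(disabled, "automatic_lost_sink_resolution"))  # true
```

The same function applies to any .ozsettings file that uses this <Setting> element format; to disable automatic lost sink resolution instead, pass "automatic_lost_sink_resolution" as the name.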

Migrating from Version 9.0

AppScan Enterprise Server authentication: Migration considerations for replacement of the IBM Rational Jazz user authentication component with IBM WebSphere Liberty

• Migrating from an Enterprise Server that only has local Jazz users: In this upgrade scenario, the former Jazz users will appear in the AppScan Source Database as AppScan Enterprise Server users; however, they will not be valid. These users can be removed from the Database - or they can be converted to AppScan Source users if you follow the instructions in http://www.ibm.com/support/docview.wss?uid=swg21686347 for enabling that conversion.

• Migrating from an Enterprise Server that was configured with LDAP: During the Enterprise Server upgrade, you have the option of configuring the Enterprise Server with LDAP again. If you do this, existing users will still work in AppScan Source.

• Migrating from an Enterprise Server that was configured with Windows authentication: If your Enterprise Server was configured with Windows authentication, existing users will work in AppScan Source, provided the new Enterprise Server Liberty is configured to use Windows authentication.

Migrating from Version 8.7

• “Changes to findings classifications”

• “Default settings changes that will improve scan coverage” on page 12

• “Restoring AppScan Source predefined filters from previous versions” on page 13

Changes to findings classifications

After Version 8.7, findings classifications changed. This table lists the old classifications mapped to the new classifications:

Table 1. Findings classification changes

Findings classifications prior to AppScan Source Version 8.8    Classifications as of AppScan Source Version 8.8
Vulnerability                                                   Definitive security finding
Type I Exception                                                Suspect security finding


An example of these changes can be seen in the Vulnerability Matrix view.

As of Version 8.8, the view looks like this:

Default settings changes that will improve scan coverage

As of AppScan Source Version 8.8:

• The default value of show_informational_findings in scan.ozsettings has changed from true to false.

• The default value of wafl_globals_tracking in ipva.ozsettings has changed from false to true. This setting enables AppScan Source to find dataflow between different components of a framework-based application (for example, dataflow from a controller to a view).

The change to show_informational_findings will result in assessments not including findings with a severity level of Info by default.


Note: If you have scan configurations that were created prior to Version 8.8 that did not explicitly set values for these settings, the scan configurations will now use their new default values.

Restoring AppScan Source predefined filters from previous versions

In AppScan Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan Source (archived filters are listed in “AppScan Source predefined filters (Version 8.7.x and earlier)” on page 132), follow the instructions in “Restoring archived predefined filters” on page 133.

AppScan Source for Analysis overview

AppScan Source for Analysis is a tool for analyzing code and providing specific information about source code vulnerabilities in critical systems. AppScan Source for Analysis lets you centrally manage your software risk across multiple applications, or even your entire portfolio. You can scan source code, triage, and eliminate vulnerabilities before they become a liability to your organization. AppScan Source for Analysis provides audit and quality assurance teams with tools to scan source code, triage results, and submit flaws to defect tracking systems.

Armed with in-context intelligence from the AppScan Source Security Knowledgebase, analysts, auditors, managers, and developers can:

• Scan selected source code on-demand to locate critical vulnerabilities

• Receive precise remediation advice and invoke their preferred development environment and code editor directly from analysis

• Trace tainted data through a precise, interactive call graph from input to output

• Enforce coding policies, verifying approved input validation and encoding routines through AppScan Source trace

• Learn and implement secure programming best practices during software development

Workflow

After installation, deployment, and user management, the AppScan Source workflow consists of these basic steps.

1. Set security requirements: A manager or security expert defines vulnerabilities and how to judge criticality.

2. Configure applications: Organize applications and projects.

3. Scan: Run the analysis against the target application to identify vulnerabilities.

4. Triage and analyze results: Security-minded staff study results to prioritize remediation workflow and separate real vulnerabilities from potential ones, allowing triage on critical issues to begin immediately. Isolate the issues you need to fix first.

5. Customize the Knowledgebase: Customize the AppScan Source Security Knowledgebase to address internal policies.

6. Publish scan results: Add scan results to the AppScan Source Database or publish them to the AppScan Enterprise Console.


7. Assign remediation tasks: Assign defects to the development team to resolve vulnerabilities.

8. Resolve issues: Eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions.

9. Verify fixes: The code is scanned again to assure that vulnerabilities are eliminated.

[Figure: AppScan Source workflow. Configure: AppScan Source for Analysis. Scan: AppScan Source for Analysis, AppScan Source for Automation, AppScan Source for Development. Triage: AppScan Source for Analysis. Assign: AppScan Source for Analysis. Remediate: AppScan Source for Analysis, AppScan Source for Remediation, AppScan Source for Development. Monitor: Enterprise Console, AppScan Enterprise Server.]

Important concepts

Before you begin to use or administer AppScan Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis.

AppScan Source for Analysis scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application.

Applications, their attributes, and projects are created and organized in AppScan Source for Analysis:

• Applications: An application contains one or more projects and their related attributes.

• Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application.

• Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan Source for Analysis.

The principal activity of AppScan Source for Analysis is to scan source code and analyze vulnerabilities. Assessments provide an analysis of source code for vulnerabilities including:


• Severity: High, medium, or low, indicating the level of risk

• Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow

• File: Code file in which the finding exists

• API/Source: The vulnerable call, showing the API and the arguments passed to it

• Method: Function or method from which the vulnerable call is made

• Location: Line and column number in the code file that contains the vulnerable API

• Classification: Security finding or scan coverage finding. For more information, see “Classifications.”

Classifications

Findings are classified by AppScan Source to indicate whether they are security or scan coverage findings. Security findings represent actual or likely security vulnerabilities - whereas scan coverage findings represent areas where configuration could be improved to provide better scan coverage. Each finding falls into one of these classifications:

• Definitive security finding: A finding that contains a definitive design, implementation, or policy violation that presents an opportunity for an attacker to cause the application to operate in an unintended fashion. This attack could result in unauthorized access, theft, or corruption of data, systems, or resources. Every definitive security finding is fully articulated, and the specific underlying pattern of the vulnerable condition is known and described.

• Suspect security finding: A finding that indicates a suspicious and potentially vulnerable condition that requires additional information or investigation. It may be a code element or structure that creates a vulnerability when used incorrectly. A suspect finding differs from a definitive finding because there is some unknown condition that prevents a conclusive determination of vulnerability. Examples of this uncertainty can be the use of dynamic elements, or of library functions for which the source code is not available. As a result, there is an additional level of research that is required to confirm or reject a suspect finding as definitive.

• Scan coverage finding: Findings that represent areas where configuration could be improved to provide better scan coverage (for example, lost sink findings).

Note: In some cases, a classification of None may be used to denote a classification that is neither a security finding nor a scan coverage finding.

Logging in to AppScan Enterprise Server from AppScan Source products

Most AppScan Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments via the AppScan Source Database.

When you launch AppScan Source for Analysis, you are prompted to authenticate to an AppScan Enterprise Server. If you are running AppScan Source for


Enterprise Server when you first initiate an action that needs access to the server, such as launching a scan, or viewing scan configurations.

• “Logging in from AppScan Source for Analysis and AppScan Source for Development with an AppScan Enterprise Server user ID and password”

• “Using Common Access Card (CAC) authentication to log in from AppScan Source for Analysis and AppScan Source for Development”

• “Logging in from AppScan Source for Automation and the AppScan Source command line interface (CLI)” on page 17

Logging in from AppScan Source for Analysis and AppScan Source for Development with an AppScan Enterprise Server user ID and password

In AppScan Source for Analysis, when logging in, you are prompted for:

• User ID: Specify your user ID (depending on how your account was set up, this is a user ID that exists both on the AppScan Enterprise Server and in the AppScan Source Database - or it is a user ID that exists only in the AppScan Source Database). If your AppScan Enterprise Server uses Windows authentication, you must include the Windows domain name - for example MyWindowsDomain\username.

• Password: Specify the password for your user ID.

• AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance.

In AppScan Source for Development, when logging in, you are prompted for:

• Server URL: Specify the URL for your AppScan Enterprise Server instance.

• User ID: Specify your user ID (depending on how your account was set up, this is a user ID that exists both on the AppScan Enterprise Server and in the AppScan Source Database - or it is a user ID that exists only in the AppScan Source Database). If your AppScan Enterprise Server uses Windows authentication, you must include the Windows domain name - for example MyWindowsDomain\username.

• Password: Specify the password for your user ID.

Using Common Access Card (CAC) authentication to log in from AppScan Source for Analysis and AppScan Source for Development

On Windows, you can connect to AppScan Enterprise Server using CAC authentication (http://www.cac.mil). Before doing this, you must set up AppScan Enterprise Server and AppScan Source for Common Access Card (CAC) authentication. If your Enterprise Server is set up for CAC authentication, you cannot use an Enterprise Server user ID and password for logging in.

In AppScan Source for Analysis, when logging in, you are prompted for:

• User: Select your CAC Common Name from the list.

• AppScan Enterprise Server: Specify the URL for your AppScan Enterprise Server instance.

In AppScan Source for Development, when logging in, you are prompted for:

• Server URL: Specify the URL for your AppScan Enterprise Server instance.

• User: Select your CAC Common Name from the list.


After clicking OK, you will be prompted by a Windows Security dialog box for your CAC card PIN.

Tip:

• If login fails, ensure that your AppScan Enterprise Server is set up correctly and that your certificate is valid. Check to see if you can access the AppScan Enterprise Server via a browser. If so, you should be able to select the certificate and log in.

• If the login dialog box User field does not list available certificates, ensure that you have modified the java.security file in your JRE, as described in “Enabling Common Access Card (CAC) authentication.”

• If you are not prompted by a Windows Security dialog box for your CAC card PIN, ensure that the Microsoft Smart Card Resource Manager service is running. Note that this service may not run for some remote desktop connection types.

Logging in from AppScan Source for Automation and the AppScan Source command line interface (CLI)

Login actions are also required when running AppScan Source for Automation or the AppScan Source command line interface (CLI). See the IBM Security AppScan Source Utilities User Guide for more information.

To learn about AppScan Enterprise Server SSL certificates, see “AppScan Enterprise Server SSL certificates” on page 19.

Enabling Common Access Card (CAC) authentication

This topic helps you set up AppScan Source to allow a connection to an AppScan Enterprise Server that is enabled for Common Access Card (CAC) authentication.

Before you begin

CAC authentication is only supported on Windows and for connections to AppScan Enterprise Server Version 9.0.3.1 iFix-001 and higher.

Procedure

1. Ensure that AppScan Enterprise Server is not yet set up for CAC authentication.

2. Log in to AppScan Source for Analysis or the AppScan Source command line interface (CLI) as an AppScan Source administrator.

3. Follow the instructions in the IBM Security AppScan Source Installation and Administration Guide for setting all AppScan Enterprise Server users to have all permissions. This will set the initial default permissions for AppScan Enterprise Server users to full administrative access; however, after CAC setup is complete, you will be able to change the default permissions to suit the needs of your organization.

4. Exit or shut down all AppScan Source client applications.

5. Set up AppScan Enterprise Server to allow CAC authentication.

6. Follow the instructions in the IBM Security AppScan Source Installation and Administration Guide for registering the AppScan Source Database with an AppScan Enterprise Server that is enabled for Common Access Card (CAC) authentication.


7. Open <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 286). In this file, locate this setting:

<Setting
    name="client_cert_auth" value="false"
    default_value="false"
    description="Uses client certificate authentication" display_name="Uses client certificate authentication" type="boolean"
    read_only="true" hidden="true" />

8. In the setting, change value="false" to value="true" and then save the file.

9. If you will be logging in to AppScan Enterprise Server from AppScan Source for Analysis or the AppScan Source for Development Eclipse plug-in:

a. In your Java installation directory, locate jre/lib/security/java.security. For AppScan Source for Analysis, the jre folder is located in your AppScan Source installation directory. Create a backup copy of this file.

b. Edit java.security.

c. In the list of providers and their preference orders, add com.ibm.security.capi.IBMCAC as the first security provider. For example, if you are editing java.security for AppScan Source for Analysis usage, change this:

security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=sun.security.provider.Sun

to this:

security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=sun.security.provider.Sun

d. Save and close the java.security file.

10. Log in as an AppScan Source administrator to AppScan Source for Analysis or the AppScan Source command line interface (CLI) using CAC authentication.

11. Change the default permissions of AppScan Enterprise Server users to suit the needs of your organization.
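Step 9c is the error-prone part of this procedure, because every existing security.provider.N entry must be renumbered by hand. The following Python function is an added example, not IBM's tooling, that inserts com.ibm.security.capi.IBMCAC as security.provider.1 and renumbers the rest in their existing order; it assumes entries of the form security.provider.N=<class> as shown in step 9c, and the java.security excerpt below is constructed.

```python
"""Prepend com.ibm.security.capi.IBMCAC to the java.security provider list.

Added example, not IBM's tooling. Assumes provider entries of the form
security.provider.N=<class>; all other lines are passed through unchanged.
"""
import re

PROVIDER_RE = re.compile(r"^(\s*security\.provider\.)(\d+)(\s*=\s*)(\S+)\s*$")
CAC_PROVIDER = "com.ibm.security.capi.IBMCAC"

# Constructed sample: the provider list the guide shows before editing, plus a
# comment and an unrelated property to show that other lines are preserved.
SAMPLE_JAVA_SECURITY = """# constructed excerpt of jre/lib/security/java.security
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=sun.security.provider.Sun
securerandom.source=file:/dev/urandom
"""


def prepend_provider(text, provider=CAC_PROVIDER):
    """Return java.security text with `provider` as security.provider.1.

    Existing entries are shifted up by one, keeping their numeric order
    (the order the JRE consults them in). Idempotent: if `provider` is
    already first, the text is returned unchanged; if it is listed but not
    first, the function refuses rather than producing a duplicate entry.
    """
    lines = text.splitlines()
    entries = []  # (current_number, line_index, class_name)
    for idx, line in enumerate(lines):
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(2)), idx, m.group(4)))
    if not entries:
        raise ValueError("no security.provider.N entries found")
    entries.sort()
    if entries[0][2] == provider:
        return text
    if any(cls == provider for _, _, cls in entries):
        raise ValueError(f"{provider} is already listed, but not as provider 1")
    # Renumber in place first, then insert the new first entry where the old
    # first entry was so that the list stays contiguous in the file.
    for new_n, (_, idx, cls) in enumerate(entries, start=2):
        lines[idx] = f"security.provider.{new_n}={cls}"
    lines.insert(entries[0][1], f"security.provider.1={provider}")
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def provider_order(text):
    """Provider class names in numeric order, for checking the result."""
    found = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found[int(m.group(2))] = m.group(4)
    return [found[n] for n in sorted(found)]


if __name__ == "__main__":
    print(prepend_provider(SAMPLE_JAVA_SECURITY))
```

Run it against a copy of java.security (step 9a asks for a backup first) and diff the result against the list in step 9c before replacing the original.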

What to do next

Your certificate cannot be SHA-1 if you want to enforce Federal Information Processing Standard (FIPS) mode. You can enforce FIPS mode by using a SHA-2 certificate and by running the appscanserverdbmgr_cac_fips.bat tool that is described in the IBM Security AppScan Source Installation and Administration Guide. In the guide, locate the help for registering the AppScan Source Database with an AppScan Enterprise Server that is enabled for Common Access Card (CAC) authentication.


1. Open the Windows Certificate Manager: In the Windows Start menu, type certmgr.msc in the Search box and then press Enter. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

2. Open the certificate by double-clicking it or by using the user interface Open action.

3. Select the Details tab in the certificate.

4. Locate the Signature hash algorithm field. The value for this field indicates the type of certificate.

Changing AppScan Source user passwords

To be able to change an AppScan Source user password, you must have Manage Users permissions and the change must be made in AppScan Source for Analysis. If you do not have this permission, have your administrator change your password for you, following the instructions in this topic. If your AppScan Enterprise Server is configured to use LDAP authentication or Windows authentication, this topic does not apply.

Procedure

1. In AppScan Source for Analysis, select Admin > Manage Users from the main workbench menu.

2. The Manage Users dialog box lists existing AppScan Source users. To change the password for one of these users, edit the user information by completing one of these tasks:

• Double-click the user.

• Right-click the user and choose Edit User.

• Select the user and click the Edit User button.

Note: You cannot change the password of an AppScan Enterprise Server user from AppScan Source.

3. In the Edit User dialog box, enter a new password and then type the password again in the Confirm Password field.

4. Click OK to change the password.

AppScan Enterprise Server SSL certificates

When the AppScan Enterprise Server is installed, it should be configured to use a valid SSL certificate. If this is not done, you will receive an untrusted connection message when logging in to the server from AppScan Source for Analysis or the AppScan Source command line interface (CLI) - or AppScan Source for Development on Windows and Linux.

SSL certificate storage location

Certificates that have been permanently accepted are stored in <data_dir>\config\cacertspersonal and <data_dir>\config\cacertspersonal.pem (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 286). Remove these two files if you no longer want the certificates permanently stored.

AppScan Source for Automation and SSL certificate validation

By default, certificates are automatically accepted when using AppScan Source for Automation. This behavior is determined by the ounceautod_accept_ssl setting in the Automation Server configuration file, <data_dir>\config\ounceautod.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 286). If this setting is edited so that value="true" is changed to value="false", SSL validation will be attempted, and logging in or publishing to AppScan Enterprise Console will fail with an error if an invalid certificate is encountered.

AppScan Source command line interface (CLI) and SSL certificate validation

By default, when using the CLI login command, SSL validation will be attempted, and logging in or publishing to AppScan Enterprise Console will fail with an error if an invalid certificate is encountered (unless you have already permanently accepted the certificate while logging in via another AppScan Source client product). This behavior can be modified by using the -acceptssl option when issuing the login command. When this option is used, SSL certificates are automatically accepted.

AppScan Source and accessibility

Accessibility affects users with physical disabilities, such as restricted mobility or limited vision. Accessibility issues can impede the ability to use software products successfully. This topic outlines known AppScan Source accessibility issues and their workarounds.

Using JAWS Screen Reading Software with the AppScan Source installer

To use Freedom Scientific JAWS (http://www.freedomscientific.com/products/fs/jaws-product-page.asp) when running the AppScan Source installer, you must install Java Access Bridge in the AppScan Source JVM. This will allow JAWS to properly speak labels and controls in the installer panels.

• Information about the Java Access Bridge (including the download link and installation instructions) can be found at http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136191.html.

• Information about the InstallAnywhere requirement for installing the Java Access Bridge can be found at http://kb.flexerasoftware.com/selfservice/documentLink.do?externalID=Q200311.

Using JAWS Screen Reading Software in user interface panels with descriptive text

Many parts of the AppScan Source user interface contain descriptive text. In most cases, you must use the JAWS Insert+B keystroke to be able to read this descriptive text.

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation 2Z4A/101

11400 Burnet Road

Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
