SSi_Tr3.1 – APPSCAN STANDARD v10.0.2 – The basics

Dynamic Security Testing (DAST)

Identification and remediation of vulnerabilities

Ref: SSI_Tr3.1

Summary

This training will let you discover, explore and configure the capabilities and latest developments of the dynamic application security scanner APPSCAN STANDARD v10.0.2 to identify vulnerabilities in web applications and web services. The hands-on exercises will get you starting scans quickly and then go deeper into the scanning modes and capabilities so that vulnerability searches can be targeted; the exercises will then show how to automate scan executions, generate standards-based reports, …

Target audience

  • Developers
  • Webmasters
  • Web project managers
  • Architects
  • Consultants

Prerequisites

  • Mastery of the basics of web development
  • Basic knowledge of TCP/IP networks and the Internet

Objectives

  • Understand the different functionalities of APPSCAN STANDARD
  • Apply its scanning capabilities according to your needs: type of vulnerabilities targeted, level of security, development maturity (unit tests, integration, pre-production)
  • Navigate and use scan results and remediation guidance
  • Generate reports for your organisation’s and your customers’ needs

Content

Unit 1: Discovering AppScan Standard

  • What is APPSCAN?
  • User interface
  • APPSCAN in the SDLC development environment [1]

[1] SDLC: Software Development Life Cycle

Unit 2: Installation and configuration

  • Diagram of interactions between APPSCAN applications
    • AppScan Standard
    • AppScan Enterprise
    • AppScan Source
  • Description of AppScan Standard and its use
  • Overview of AppScan integration in the development cycle
  • Practical exercises

Unit 3: Preparing your scan

  • Presentation of the application scan and its limitations
  • Mitigating the risks of scanning an application
  • Profiling a web application
  • Overview of the testing process in AppScan Standard
  • Specifying constraints/defining a scope of exploration
  • Ensuring good test coverage and thorough exploration of the application
  • Tips and best practices

Unit 4: Setting up the first scan

  • Creating a scan using the configuration tool
  • Defining a host name and associated domains
  • Connection modes
  • Using appropriate test policies
  • Practical work

Unit 5: Analysing the scan results

  • Browsing the results tree
  • Searching for information, checking and fixing the vulnerabilities found
  • Filtering out "false positives"
  • Describing the state of the issue, including side effects
  • Determining the severity of the issue
  • Retesting an issue
  • Tips and best practices
  • Practical work

Unit 6: Reporting and dissemination of results

  • Overview of the different types of reports
  • Exporting scan results to other security solutions

Unit 7: Login and session management

  • Description of session management and how to use it in AppScan Standard
  • Setting up active/open sessions
  • Performing tests with different privilege levels

Unit 8: Scanning modes

  • Defining the different scanning modes and phases
  • Learning how to use each mode
  • Learning how to combine them to get the best coverage/exploration of a web application

Unit 9: Setting up exploration options

  • Understanding scan limitation settings
  • Determining when to enable JavaScript
  • Configuring AppScan to run JavaScript
  • Configuring AppScan to scan Adobe Flash-based applications
  • Configuring AppScan to use different user-agents and browser types
  • Practical work

Unit 10: Optimising your scan

  • Defining the context of the application to be scanned: OS, web server, …
  • Excluding certain regions of the application from being scanned
  • Recording an operational sequence
  • Scheduling scans
  • Communication and proxy settings

Unit 11: Content-based scanning

  • Configuring APPSCAN STANDARD to use mega-scripts
  • Extracting names from page content

Training environment

  • A printed training aid will be provided to each trainee.
  • A training room with a video projector, a whiteboard and one PC per trainee.
  • A VirtualBox virtual machine will be installed on the training machines to carry out the practical exercises.

Duration

1 day (the content can also be adapted to the technological context and the trainees' level of knowledge).

  • The training can be delivered either face-to-face or remotely
  • The training can take place on an inter-company or intra-company basis

More information?

Please contact us on +33 2 85 29 43 43 or by email at formation@ablogix.fr for a quote.


The training activity of ABlogiX is "registered under number 52 72 01527 72. This registration is not equivalent to State approval", in accordance with Article L6322-48.