IBM Security AppScan Enterprise Version 9.0.3.9 Readme
Overview
This document contains release notes for IBM Security AppScan Enterprise.
This product comprises several core components that can be set up together or separately across multiple machines: the Enterprise Console is the web-based user interface; the Agents run jobs, dashboards and report packs; the analysis scanner runs the tests; and the database is where all configuration and scan results are stored. See the Planning and Installation Guide, located in the same folder as this file, for more detailed information.
These release notes provide basic installation information and document known issues that were discovered prior to release.
System Requirements
Installation Notes
See Installing AppScan Enterprise.
The AppScan Enterprise installation includes the following download packages:
- ASE.zip: This package contains files for the AppScan Enterprise Server. Download the file to the machine where AppScan Enterprise Server is to be installed, unzip the file, and then run AppScanEnterpriseServerSetup_9.0.3.9.exe.
  Note: The executables for the GSC Explorer (ASE_GSCSetup.exe) and the Manual Explorer tool (ManualExplorerSetup.exe) are included in AppScanEnterpriseServerSetup_9.0.3.9.exe and available for download through the UI, but are also provided as optional separate downloads. If you install AppScanEnterpriseServerSetup_9.0.3.9.exe, you do not need to run the executables separately.
- ASE_DASSetup_9.0.3.9.exe: This package contains files for the Dynamic Analysis Scanner. Download the package to the machines where you plan to install AppScan scanners and run it there.
What's new in V9.0.3.9
- Improved Action-Based Scanning: Updated Dynamic Analysis engine for greater compatibility with newer web apps, and improved coverage to reveal additional vulnerabilities
- Windows Server 2016 support
- Import HTTP Archive (HAR) traffic files for content scan jobs:
  - To be used as login sequence data in the "Login Management" screen
  - To be used as explore data in the "What to Scan" page
- Users search capability in the Administration tab
- OWASP Top 10 2017 Report in scan view
- New ADAC (AppScan Dynamic Analysis Client) capabilities:
  - Greatly improved Login Management configuration: Login Management includes many improvements to help you configure and manage how AppScan logs in to your application and maintains sessions
  - New Action-Based Explore options give you greater control, and the Action-Based tab includes new settings to help achieve more efficient Action-Based exploring
  - Communication and Proxy settings now let you:
    - Configure local proxy settings
    - Configure the local proxy with the same settings as the ASE Agent
  - Improved Chrome-based embedded browser provides greater compatibility with newer web apps
- APIs for DevOps:
  - Enhanced WebHook capability to post job status to an endpoint URL
  - Enhanced REST API to support exclusions with exceptions for content scan jobs
  - New REST API for uploading a template file
  - New REST API for creating a job using a template file
  - Updated REST API to generate a report for a scan with no issues
- Script to delete old and unused issue records, included in the downloads folder
- Enhanced scanners in Monitor view to compute CVSS for issues imported from AppScan Standard
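The HAR import listed above takes a file that a browser's developer tools recorded, and that file is then stored with the job as login sequence or explore data. The script below is an added example and is not part of AppScan Enterprise or of these release notes: it reads a HAR 1.2 file (the JSON format browsers export), lists the hosts the recording touches so out-of-scope hosts can be caught before upload, locates the request that submits the credentials, and reports every header, cookie or form field in the file that carries a secret. The sample HAR, its hosts, paths and field names are constructed for the example.

```python
"""Pre-flight check for a HAR file before it is imported into a content scan job.

Added example, not AppScan code. The sample recording below is constructed:
a login POST, one in-scope GET carrying a bearer token, and one request to
a third-party host that should not be part of the scan.
"""
import json
from urllib.parse import urlsplit

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret"}

SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "POST", "url": "https://app.example.test/login",
                     "headers": [{"name": "Cookie", "value": "JSESSIONID=abc123"}],
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "params": [{"name": "user", "value": "bob"},
                                             {"name": "password", "value": "hunter2"}]}},
         "response": {"status": 302,
                      "headers": [{"name": "Set-Cookie", "value": "JSESSIONID=def456; HttpOnly"}]}},
        {"request": {"method": "GET", "url": "https://app.example.test/account?id=7",
                     "headers": [{"name": "Authorization", "value": "Bearer eyJ..."}]},
         "response": {"status": 200, "headers": []}},
        {"request": {"method": "GET", "url": "https://cdn.thirdparty.test/lib.js",
                     "headers": []},
         "response": {"status": 200, "headers": []}},
    ]}
})


def har_requests(har_text):
    """Flatten a HAR into one dict per request: index, method, url, host,
    lower-cased header names/values and lower-cased form parameter names/values."""
    log = json.loads(har_text)["log"]
    out = []
    for i, entry in enumerate(log["entries"]):
        req = entry["request"]
        params = req.get("postData", {}).get("params", [])
        out.append({
            "index": i,
            "method": req["method"],
            "url": req["url"],
            "host": urlsplit(req["url"]).hostname or "",
            "headers": {h["name"].lower(): h["value"] for h in req.get("headers", [])},
            "params": {p["name"].lower(): p.get("value", "") for p in params},
        })
    return out


def out_of_scope(requests, allowed_hosts):
    """URLs whose host is not in the intended scan scope."""
    allowed = {h.lower() for h in allowed_hosts}
    return [r["url"] for r in requests if r["host"].lower() not in allowed]


def find_login_request(requests):
    """Index of the first POST that submits a password-like field, or None."""
    for r in requests:
        if r["method"] == "POST" and SENSITIVE_PARAMS & set(r["params"]):
            return r["index"]
    return None


def secrets_in_har(har_text):
    """(entry index, location, field name) for every secret-bearing field,
    in document order: request headers, form fields, then response headers."""
    log = json.loads(har_text)["log"]
    found = []
    for i, entry in enumerate(log["entries"]):
        req = entry["request"]
        for h in req.get("headers", []):
            if h["name"].lower() in SENSITIVE_HEADERS:
                found.append((i, "request header", h["name"]))
        for p in req.get("postData", {}).get("params", []):
            if p["name"].lower() in SENSITIVE_PARAMS:
                found.append((i, "form field", p["name"]))
        for h in entry.get("response", {}).get("headers", []):
            if h["name"].lower() in SENSITIVE_HEADERS:
                found.append((i, "response header", h["name"]))
    return found


def scrub_har(har_text):
    """Copy of the HAR with secret-bearing values replaced by a placeholder.
    Good enough for explore data, where only URLs and request structure matter;
    a login-sequence HAR has to keep the real credentials."""
    log = json.loads(har_text)
    for entry in log["log"]["entries"]:
        for side in ("request", "response"):
            for h in entry.get(side, {}).get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = "REDACTED"
        for p in entry["request"].get("postData", {}).get("params", []):
            if p["name"].lower() in SENSITIVE_PARAMS:
                p["value"] = "REDACTED"
    return json.dumps(log)


if __name__ == "__main__":
    reqs = har_requests(SAMPLE_HAR)
    print("hosts:", sorted({r["host"] for r in reqs}))
    print("out of scope:", out_of_scope(reqs, ["app.example.test"]))
    print("login request index:", find_login_request(reqs))
    for hit in secrets_in_har(SAMPLE_HAR):
        print("secret at entry %d (%s %s)" % hit)
```

A login-sequence HAR must keep the real credentials and session cookies, so treat the uploaded file, and the job that stores it, as secret material and restrict who can read the job. An explore-data HAR only needs the URLs and request structure, which is what scrub_har() leaves behind.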
The full list is available in the AppScan Enterprise 9.0.3 Fix List.
For additional details on security updates and engine fixes, visit http://www-01.ibm.com/support/docview.wss?uid=swg27047066
Upgrade notes
Upgrading from 9.0.3
- Custom error pages are no longer set globally; they are only set on the content scan job. On upgrade, each content job, scan job and dynamic analysis scan job will move the global custom error pages to the individual job.
- Existing content scan jobs in the Folder Explorer view, including QuickScan jobs that are not created in the AppScan Dynamic Analysis Client, will have a new check box enabled on the Explore Options page that enables filtering of similar pages based on structure (DOM). If an existing scan:
  - had a redundant path limit set to 5, that option is disabled and DOM-based filtering is turned on
  - had a redundant path limit set to a different value, that option is kept enabled and DOM-based filtering is not turned on
  - had a similar content limit set to 5, with HTML structure enabled, that option is turned off and DOM-based filtering is turned on
  - had a similar content limit set to a different value, or it compares Text and HTML structure, that option is kept enabled and DOM-based filtering is not turned on
Upgrading from 9.0.2
- In previous releases, imported issues were cumulative. Starting in v9.0.2.1, you can remove issues that were previously found in an application but are not included in subsequent imports. In scanner profiles from v9.0.1, the Remove Orphaned Issues check box is disabled in v9.0.2.1 to respect previous behavior (this can be overridden by changing the check box). However, this option is enabled by default in the AppScan Standard scanner because it is new in v9.0.2.1.
- When you add a new issue attribute name to a scanner profile, the Use Imported Values check box is enabled by default. Keep the Use Imported Values check box enabled if you want to update an existing issue attribute with values contained in the imported file. If you clear the check box, AppScan Enterprise will retain the value previously used. If you select the Unique check box, you cannot clear the Use Imported Values check box.
- There were changes to the REST APIs.
Upgrading from 9.0.1
- There is a new issue status, New. Upon upgrade, the New issue column is available for display in the Portfolio tab in the Monitor view. Formulas are updated to include issues with a New status. Upgrade does not affect the status of issues that were discovered in previous versions.
- A new Dashboard tab displays the charts that were displayed in the Portfolio tab in v9.0.1. The new dashboard includes trend charts for Security Risk Rating, Testing Status, Applications with Open Issues, and Open Issues.
  Note: Possible naming conflicts between v9.0.1 application attribute customizations and new v9.0.2 dashboard trend charts
  The Open Issues and Applications with Open Issues charts rely on a new application attribute called "Open Issues" that is defined as a formula. However, if you previously created an application attribute called "Open Issues" of any type other than formula, the upgrade does not attempt to resolve the conflict between your attribute and the one that version 9.0.2 needs for the new charts.
  The new charts will not display as intended after upgrade, and you must resolve this problem manually. Rename your "Open Issues" attribute to something else if you want to preserve its values. Update all formulas where you referenced your "Open Issues" attribute to reflect the new name. Then, rerun the configuration wizard to create the "Open Issues" formula attribute that the new charts require.
- A new approach to creating scans, consistent with AppScan Standard, for both the security team who creates the templates and the developers who create the scans. See Overview of scan configuration differences in v9.0.2 and previous versions.
  - The new method is accessed from both the Monitor and Scans views.
  - Existing scan templates from v9.0.1.1 are kept after upgrade, and the old method of QuickScan template creation still exists.
  - To take advantage of this new method, during upgrade you must run the Default Settings Wizard after the Configuration Wizard to install the templates for v9.0.2.
  - To avoid any template name conflicts in the Templates directory in the Folder Explorer, (v9.0.2) is appended to the template name.
  - If you install a new instance of AppScan Enterprise, you can still access the templates from v9.0.1.1. When you create a new content scan or template from the Scans view, select Create using previously saved settings file and go to <install-dir>\AppScan Enterprise\Initializations\ASE\DefaultTemplates\Job\Version 9.0.1.1 to select the *.xml file.
- The embedded version of Liberty is now v8.5.5.4. During configuration, you can choose to restore previous AppScan Server customized settings on the Liberty Server. See Restore AppScan Server settings.
Upgrading from 9.0
- AppScan Enterprise v9.0.1 includes an architecture redesign to reduce the installation footprint and to remove IBM Rational Jazz Team Server (Jazz Team Server) as the user authentication component. With the removal of Jazz Team Server, the Apache Tomcat and WebSphere Application Server deployment servers are no longer supported in v9.0.1. They are replaced with IBM WebSphere Application Server Liberty Core v8.5.5.2. See Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions.
- Issue management through the Monitor (application) view:
  - If a scan is not associated with an application, triage its issues through the reports in the Scans view (same as 9.0.0.1 and earlier). If a scan is associated with an application, then issue management is disabled in the reports containing security issues only (it doesn't affect Broken Links, for example). You must triage the security issues in the associated application in the Monitor view instead. Any issue triaging that is done in the Monitor view is not reflected in the reports in the Scans view. For example, although the issue severity and status are still displayed in the reports in the Scans view, those attribute values are not the same as the ones from the Monitor view; the issue management changes are not reflected in the reports in the Scans view.
  - In v9.0, issue management privileges were set on the folder that contained a scan. In v9.0.1, issue management is set on the application. Upon upgrade from 9.0, if a scan is already associated with an application, users who used to have issue management privileges on the folder will now have basic permissions on the application so they can continue managing these issues. This can give them access to scans they previously were not allowed to access. For example:

    v9.0                                     | v9.0.1                                            | Result
    Folder A: Bob has an Issue Manager role  | Application 1 is associated with these scan jobs: | Mary now has basic access permissions to Scan B so that she can continue to do her job, but she also has access to Scan X, which she didn't have in v9.0.
    Folder B: Mary has an Issue Manager role |                                                   |

  - To restrict a user's permissions to managing issues on specific applications, remove their Basic Access from the applications they are not allowed to access. In the example above, remove Mary's Basic Access permissions on Scan X. To find the application that contains Scan X, go to the Scans view and flatten the hierarchy to show only jobs. Find Scan X and click the link for the application name it is associated with. On the Application tab, click View details and, in the Users section of the dialog, remove Mary's Basic Access permissions. Review application membership after upgrade for every user who held an Issue Manager role on a folder.
Upgrading from 8.8
- Server Groups are no longer defined by URLs. Any existing URL definitions will be removed from existing Server Groups.
- HTTPS has replaced HTTP as the scheme required for login and REST Services.
- Some reports have been removed because they no longer fit the product direction. Read the Deprecated Features.
Upgrading from 8.7
- Common scan engine between AppScan Standard and AppScan Enterprise: A new common scan engine provides a more standardized scan job option configuration. As such, some reports are no longer available in AppScan Enterprise:
  - Correlated Security Issues (AppScan DE) report
  - Image Catalog report
  - Metadata Catalog report
  - Missing Alt Text report
  - Missing Titles report
  - Multimedia Content report
  - Server Side Image Maps report
  - Third Party Links report
  - Web Applications report
  - Web Beacons report
  - Website Technologies report
- Load balancing option removed: Load balancing on starting URLs and domains is no longer available with the new standardized scan job option configuration. Upon upgrade, jobs that had load balancing set will use the new common engine to run without the load balancing option.
- User licensing: The service account license type has been removed. Upon database upgrade, the Configuration Wizard will set the service account license type to the same license type as the Default User (one of floating user scanning, floating user reporting, authorized user scanning, or authorized user reporting).
- Enabling FIPS 140-2 compliance on the Enterprise Console: Name and behavioral changes to incorporate NIST compliance have been made to the General Settings page where this is enabled on the Administration tab. The "Enable enhanced security" check box has been renamed "Disable Manual Explorer Plugin", and upon upgrade the check box keeps the value it had before upgrade. If you were FIPS compliant, this check box remains selected; otherwise, it remains unchecked. If your organization is a US federal agency and must comply with FIPS 140-2 or NIST SP 800-131a, enable the check box to make the Enterprise Console compliant with those security standards.
- Case-sensitivity has moved from the domain to the job level. Set it on the job's What to Scan page.
- Deprecated reports: The OWASP Top 10 2010 report was replaced with the 2013 version in v8.8. However, if you have report packs and dashboards that used the 2010 report, the data will not be lost. New instances of AppScan Enterprise 8.8 will only use the 2013 report.
- Login attempts algorithm changes: Prior to version 8.8, the scan would attempt to log in three times before suspending. Now the scan attempts for 90 seconds before suspending.
Upgrading from 8.6 to 8.7
The upgrade process to 8.7 includes a one-time database optimization step that requires additional time and could extend the overall upgrade process.
- The previously used method for protecting data "at rest" (physical media) has been deprecated and will be removed as part of the upgrade process.
  - A new method is available, Transparent Data Encryption (TDE), which is built into Microsoft SQL Server 2008 Enterprise Edition and higher. To improve database upgrade performance, enable TDE after the database upgrade has completed. Between the removal of the old protection and the enabling of TDE the database is stored unencrypted, so keep that window short and restrict access to the database server during it.
  - For Microsoft SQL Server 2008 Standard Edition and higher, other third-party encryption methods are also available, including Microsoft Windows Encrypting File System.
- Additional disk space is required during the upgrade process on the database server, roughly equal to the size of the existing AppScan Enterprise database. This space will be used temporarily during upgrade and returned after upgrade is completed.
- Scans will now use a local (embedded) database file. It is important to have sufficient disk space allocated to Agent Server machines.
- Enabling FIPS 140-2 compliance: Products that support FIPS 140-2 standards can be set into a mode where the product uses only FIPS 140-2 approved algorithms and methods.
- XRule filters on report packs: XRule filters were removed from report packs. Any reports that contain XRules will contain more data after the report pack is rerun.
Deprecated Features
Deprecated Features are listed here.
Known Issues and Workarounds
- When you record a login sequence in the AppScan Dynamic Analysis Client using Login Management, and then move to the Review & Validate tab, if Request-Based is the selected Login Playback Method, you may be unable to change it to Action-Based. Workaround: Close the Scan Configuration dialog box and reopen it.
- The documentation update for this release is in English only. Translation into additional languages is deferred to a subsequent release.
- If the Configuration Wizard fails to connect to the SQL Server database after installing MDAC 2.7 or higher, install SQL Server Native Client 11.0 (SQLNCLI11).
- The Knowledge Center (KC) is updated with all the changes, but the product inline help is not updated in this release.
- If the extended log file is large (beyond 2 GB), downloading the log file from the Scan tab summary report might sometimes produce a 0 KB zip file. In such cases, copy the file from the Logs directory on the AppScan Enterprise Agent server instead.
- Removal of the OWASP Top 10 2013 report and support for the OWASP Top 10 2017 report: report packs and report pack templates created prior to 9.0.3.9 still contain the OWASP 2013 report. If required, remove it manually and add the OWASP 2017 report.
- When a template is uploaded into ASE via the REST API, the edit page of that template shows the error "An unknown error has occurred. Contact your Product Administrator." This does not affect editing the template or creating and running a job from it.
- As an administrator, if you edit an existing scan in the Dynamic Analysis Configuration Client and click "Update Job" from any page in the 'Additional' scan property pages, you will get an "Update all required fields" error message. Click "Update Job" again to resolve the message and exit the Client.
- When you edit a scan in the Dynamic Analysis Configuration Client, make sure that the scan you want to edit is not running in AppScan Enterprise; otherwise it might suspend when you update the scan. Alternatively, on the Job Properties page of the Client, clear the 'Run job as soon as possible' check box and then click 'Update Job'.
- The summary charts in the Dashboard tab do not render properly in Internet Explorer 8.0. Use Microsoft Silverlight with Internet Explorer 8.0. The charts will load, but interaction will not work. Consider upgrading your browser to IE 11 or Firefox 31.
- To access the interactive REST API framework introduced in 9.0.1, the AppScan Enterprise instance name must be 'ase' (for example, https://<localhost>:9443/ase/api/pages/apidocs.html).
- Use Microsoft Silverlight with Internet Explorer 8.0 to properly render Dojo functionality.
- When a scan job only has a recorded login (no Manual Explore or Starting URLs), the scan will not crawl below that page. Add at least one URL to the Manual Explore or Starting URL of the What to Scan page.
- If you upgrade a database from pre-8.8 and then click any existing job, the scan log will be empty. Rerun your jobs to generate a new scan log.
- When editing the Edit Application Profile Template page in IE 8/9, changes are not saved. Navigate away from the field you are editing and then back to it, then save your changes. Alternatively, upgrade your browser to IE 10 or Firefox 24.
- JavaScript Analyzer (JSA) is turned off by default on scans, including upgraded scans. You can enable JSA on the Security page of your content scan job.
- For performance improvements, upon upgrade to 8.6.0.2, security tests are no longer sent against non-applicable content such as image files, documents, media files, etc. Further details are available at http://www.ibm.com/support/docview.wss?uid=swg21618288.
- Because AppScan Enterprise Server sends security tests that some firewall products could flag as suspicious network activity, there is a risk of performance degradation and of false negative results when a firewall is deployed between the Agents and the website being scanned.
- When normalization rules are defined within the Job Properties, ensure that they result in a valid URL. If user-defined normalization rules result in an empty URL string, the scan may not end.
- If Issue Management has been done on the reports, the Report Pack Summary report will be out of synchronization with the report data. The report pack will need to be rerun to synchronize the numbers when Issue Management tasks are completed.
- Deleted reports are not immediately removed from the dashboard. The dashboard must be rerun for the change to take effect.
- When using Manual Explore functionality in IE, enable the Internet Options > Advanced option 'Use HTTP 1.1 through proxy connections'; otherwise connectivity issues and/or performance degradation may occur.
- When sorting lists, the collation order may not work as expected for the following languages: Danish, Japanese, and Chinese. .NET and SQL collations are used, as are locale-specific collations, but the product does not comply with ICU.
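The normalization-rule item in the list above describes a failure mode that is cheap to catch before the job is saved. The following is an added example, not AppScan code. It assumes that a normalization rule can be represented as a regular-expression substitution (pattern, replacement) applied to each discovered URL; that is an assumption about the rule format, not something these notes state. It dry-runs a rule set against a few constructed sample URLs and reports any rule set that yields an empty string or something that is no longer an absolute http(s) URL.

```python
"""Dry-run check for job URL normalization rules.

Added example, not AppScan code. Rules are modelled as (pattern, replacement)
regular-expression substitutions, which is an assumption about the rule format.
The sample URLs are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample URLs a crawl might discover.
SAMPLE_URLS = [
    "https://app.example.test/account?id=7&sessionid=abc",
    "https://app.example.test/catalog/item/42",
    "https://app.example.test/",
]


def normalize(url, rules):
    """Apply (pattern, replacement) rules in order and return the result."""
    for pattern, repl in rules:
        url = re.sub(pattern, repl, url)
    return url


def check_rules(rules, sample_urls=SAMPLE_URLS):
    """Return (url, result, reason) for every sample URL the rules break.
    An empty list means the rule set is safe for these samples."""
    problems = []
    for url in sample_urls:
        result = normalize(url, rules)
        if result == "":
            problems.append((url, result, "rule produced an empty URL"))
            continue
        parts = urlsplit(result)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append((url, result, "result is not an absolute http(s) URL"))
    return problems


# Strip a session id from the query string, then tidy a dangling separator.
GOOD_RULES = [(r"([?&])sessionid=[^&]*&?", r"\1"), (r"[?&]$", "")]
# Intended to drop the account page from the crawl, but swallows the whole URL.
BAD_RULES = [(r".*/account.*", "")]

if __name__ == "__main__":
    print("good rules:", check_rules(GOOD_RULES))
    print("bad rules:", check_rules(BAD_RULES))
```

Run the check against URLs taken from an earlier scan log rather than hand-picked ones; a rule that is harmless on three samples can still empty a URL shape the crawler only meets in production.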
Product Fix History
Product fixes by version are listed here.
Notices
© Copyright IBM Corporation 2000, 2017. © Copyright HCL Limited 2018. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this documentation in other countries and regions. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or region, or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country or region where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
Intellectual Property Dept. for Security Software
IBM Corporation
20 Maguire Road
Lexington, Massachusetts 02421-3112
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Trademarks and service marks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries and regions, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries and regions. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.html.