IBM Rational AppScan

Wednesday, February 9, 2011
Presentation – IBM Rational AppScan (Gil Salazar)
Q: Will allow you to see the damage done to the database?
A: No.
Q: Do the UITS AppScan have fixed IPs?
A: Yes. There are two of them.
Q: Does AppScan have a server component?
A: No. It is entirely a client application.
Q: Can AppScan figure out server details?
A: Sometimes.
Q: Will AppScan try to modify files?
A: It will try WebDAV PUT, etc.
Q: Will a re-test get prioritization in the ISO queue?
A: Don’t know … we’ll forward the question to them.
Q: Do we have to scan third-party applications hosted elsewhere?
A: Probably not, but you might ask the vendor how they do vulnerability scanning,
Q: Can AppScan analyze code?
A: No.
Q: Do we have to scan Drupal or WordPress?
A: That might be wise, especially if you’re using community-supplied modules.
Discussion: Should we do the training at a Web Developers meeting?
The Leadership Team and the Web Security Group will discuss this.