Features and benefits
Embed Security Testing seamlessly into your Development Environment
The most efficient way to stay ahead of application security vulnerabilities is to build software securely, from the ground up. The challenge is developers are not security experts, and secure coding is not their top priority. So the best way to engage the development organization in the process of application security is to provide them with tools that work in their existing environments.
IBM Rational AppScan Build Edition embeds Web application security testing into the existing build management workflow. AppScan Build Edition empowers the development organization by automating Web application security testing from their current build management systems and providing vulnerability data to the existing defect tracking systems and remediation process.
Benefits
Comprehensive Security Analysis combining Dynamic, Static & Runtime Analysis, providing unmatched coverage of potential security issues for web applications
Next-Generation Accuracy via new patent-pending String Analysis, Developer Essentials test policy and the correlation of Static & Dynamic Analysis, greatly reducing the likelihood of false positives
Unparalleled Ease of Use with zero-configuration Static Analysis making efficient and accurate security testing possible for Developers
Identification of line-of-code location for Black-Box Issues - the Runtime-Analysis based Execution Flow provides textual and graphical insight, greatly simplifying the understanding and remediation of those issues.
Self-Serve Security Testing for Developers from built-in Flash-based training, accurate and prioritized results pointing straight to the line of code, and detailed remediation advice complete with code samples
Seamless Integration into the Development Process:
- Deep integration with Rational Application Developer and Eclipse
- Team collaboration through Rational ClearQuest and source-control systems
Completes the Rational AppScan End-to-End security solution by enabling the security team to establish and control scanning permissions and policies and provide Security & QA teams with a way to pass reproducible vulnerability issues back to development for remediation and verification
Unique to AppScan Developer Edition and AppScan Build Edition is the combination of security analysis techniques employed to achieve unparalleled ease of use and accuracy in a security code analysis solution. These analysis techniques include:
Static Code Analysis (white box testing) to check source code for potential security vulnerabilities
String Analysis, which is an IBM patent-pending technique, to bring automation to the code analysis configuration process. The configuration is a challenging step for non-security experts and String Analysis provides the necessary intelligence to properly configure the analysis for efficient and accurate scan results
Dynamic Analysis (black box testing) to identify potential vulnerabilities in the compiled code (unit testing)
Runtime Analysis, which is paired with Dynamic Analysis, to track the flow of execution in order to identify where the vulnerability might exist in the execution code.
Composite Analysis combines all the analysis techniques to correlate the results, leveraging the strengths of each technique and thereby compensating for the weaknesses of each individual analysis technique
Code Coverage, a capability of AppScan Build Edition, provides the insight required to identify what code has received testing coverage
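As an added illustration, not IBM's code or AppScan's actual implementation, of what correlating the three result types looks like: static findings carry a file and line, dynamic findings carry a URL and parameter, and a runtime execution trace of the tested request links the two, so a black-box issue gains its line-of-code location while a static finding on an executed path is confirmed. File names, URLs and parameters below are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticFinding:   # white-box result: a sink located in source code
    issue: str
    file: str
    line: int

@dataclass(frozen=True)
class DynamicFinding:  # black-box result: observed through an HTTP request
    issue: str
    url: str
    param: str

@dataclass(frozen=True)
class RuntimeTrace:    # execution flow recorded while a request was tested
    url: str
    param: str
    frames: tuple      # (file, line) pairs that executed for that request

def correlate(static, dynamic, traces):
    """Match dynamic findings to static findings through the runtime trace
    of the same request. Returns (confirmed, static_only, dynamic_only):
    confirmed pairs carry both the reproducing request and the line of code."""
    frames_for = {(t.url, t.param): set(t.frames) for t in traces}
    confirmed, seen_static, seen_dynamic = [], set(), set()
    for d in dynamic:
        executed = frames_for.get((d.url, d.param), set())
        for s in static:
            if s.issue == d.issue and (s.file, s.line) in executed:
                confirmed.append((d, s))
                seen_static.add(s)
                seen_dynamic.add(d)
    static_only = [s for s in static if s not in seen_static]     # needs review
    dynamic_only = [d for d in dynamic if d not in seen_dynamic]  # no trace yet
    return confirmed, static_only, dynamic_only

# Constructed sample results (hypothetical files, URLs and parameters).
STATIC = [StaticFinding("SQL Injection", "dao.py", 42),
          StaticFinding("Cross-Site Scripting", "views.py", 17)]
DYNAMIC = [DynamicFinding("SQL Injection", "/search", "q"),
           DynamicFinding("Cross-Site Scripting", "/profile", "name")]
TRACES = [RuntimeTrace("/search", "q", (("handlers.py", 10), ("dao.py", 42)))]

def run_sample():
    """Correlate the constructed sample: one confirmed SQL injection,
    one static-only XSS sink and one dynamic-only XSS without a trace."""
    return correlate(STATIC, DYNAMIC, TRACES)
```

Only the confirmed pair is reported with both a reproducing request and a source line; the other two buckets show where each technique alone leaves a gap.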
