
Scanning COBOL code in AppScan Source

Technote (FAQ)

This document applies only to the following language version(s):



How do you learn about COBOL scan rules in IBM Security AppScan Source for Security - and what are some of the potential vulnerabilities in COBOL source code?


COBOL files (.cbl) can be directly imported into AppScan Source for security scanning.

From a security perspective, COBOL applications have the same considerations as any other kind of application. AppScan Source can help you identify high-risk locations within your COBOL application and assist you in remediating them.

The AppScan Source scanner will look for common attack vectors within a COBOL application. Some examples of these are:

  • Cross Site Scripting (XSS):
    Dangerous code that reads from, and writes to, web sources with no sanitization or encoding of the output.
  • HTTP Response Splitting:
    Writing unvalidated input into HTTP response headers, which allows an attacker to manipulate those headers.
  • Cryptography:
    Using insecure or outdated algorithms such as Blowfish, which can be susceptible to brute-force attacks.
  • Ignored error conditions:
    Ignoring errors can hide a genuine exception or make application behaviour difficult to debug.
  • Hardcoded passwords:
    Hardcoding even default passwords is considered a bad practice and opens up the application to insider threats.
  • Privacy leakage:
    Code that potentially allows the leakage of private data (for example, social security numbers).

How to get more information while scanning COBOL source code:

All scans can benefit from a quick analysis using regular-expression-based rules. For example, to identify locations where potential SQL injection issues might arise, you can add a rule similar to this:

This will present the locations in your code where SQL queries are executed. This information is useful for understanding where user-controlled input reaches SQL queries without any sanitization.
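The following is an added example, not the technote's own rule or AppScan Source's rule syntax (the product's rule editor is not shown on this page). It illustrates in Python what a small set of regular-expression rules of the kind described above would flag in a COBOL program: every embedded `EXEC SQL ... END-EXEC` statement (the page's SQL-execution rule), dynamic SQL built with `STRING` and run through `EXECUTE IMMEDIATE`, a hardcoded password literal, and a call to a weak cipher routine, all from the attack-vector list earlier in this document. The COBOL fragment, the data-item names, the `ENCRYPT-BLOWFISH` routine name and the regular expressions are all constructed for this example and are assumptions, not anything taken from AppScan.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed COBOL sample for this example (hypothetical program, not real customer code).
# It deliberately contains the patterns the technote lists so that every rule fires once.
SAMPLE_COBOL = """\
       IDENTIFICATION DIVISION.
       PROGRAM-ID. CUSTQRY.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-DB-PASSWORD      PIC X(16) VALUE "s3cret-pass".
       01  WS-CUST-ID          PIC X(10).
       01  WS-NAME             PIC X(40).
       01  WS-SQL-STMT         PIC X(200).
       PROCEDURE DIVISION.
           ACCEPT WS-CUST-ID.
           CALL "ENCRYPT-BLOWFISH" USING WS-DB-PASSWORD.
           STRING "SELECT NAME FROM CUST WHERE ID = '" DELIMITED BY SIZE
                  WS-CUST-ID DELIMITED BY SPACE
                  "'" DELIMITED BY SIZE
                  INTO WS-SQL-STMT.
           EXEC SQL
               EXECUTE IMMEDIATE :WS-SQL-STMT
           END-EXEC.
           EXEC SQL
               SELECT NAME INTO :WS-NAME FROM CUST WHERE ID = :WS-CUST-ID
           END-EXEC.
           STOP RUN.
"""


@dataclass
class Finding:
    rule: str   # name of the rule that fired
    line: int   # 1-based line number in the source
    text: str   # the matching source text, whitespace-normalised


# Line-oriented rules (assumed patterns, one per issue class from the technote's list).
LINE_RULES = [
    # Hardcoded credentials: a data item whose name suggests a secret carries a literal VALUE clause.
    ("HardcodedPassword",
     re.compile(r"^\s*\d+\s+\S*(PASSW|PWD|SECRET)\S*\s+.*\bVALUE\s+['\"][^'\"]+['\"]",
                re.IGNORECASE)),
    # Weak cryptography: a CALL to a routine whose name contains a weak or outdated algorithm.
    ("WeakCrypto",
     re.compile(r"\bCALL\s+['\"][^'\"]*\b(BLOWFISH|DES|RC4)\b[^'\"]*['\"]", re.IGNORECASE)),
    # SQL text assembled at run time: a STRING statement whose first literal is a SQL verb.
    ("SQLStringBuild",
     re.compile(r"\bSTRING\b.*['\"]\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)),
]

# Block-oriented rule: every embedded SQL statement, so the reviewer sees where SQL executes.
EXEC_SQL = re.compile(r"EXEC\s+SQL\b(.*?)END-EXEC", re.IGNORECASE | re.DOTALL)
# Inside a block, dynamic statements run text built elsewhere and deserve a closer look.
DYNAMIC_SQL = re.compile(r"\b(EXECUTE\s+IMMEDIATE|PREPARE)\b", re.IGNORECASE)


def scan_cobol(source: str) -> List[Finding]:
    """Apply the line rules and the EXEC SQL block rule; return findings ordered by line."""
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), start=1):
        for name, rx in LINE_RULES:
            if rx.search(line):
                findings.append(Finding(name, no, " ".join(line.split())))
    for m in EXEC_SQL.finditer(source):
        # Line number of the EXEC SQL keyword: count the newlines that precede the match.
        line_no = source.count("\n", 0, m.start()) + 1
        body = " ".join(m.group(1).split())
        rule = "DynamicSQL" if DYNAMIC_SQL.search(body) else "SQLExecution"
        findings.append(Finding(rule, line_no, body))
    return sorted(findings, key=lambda f: f.line)


def report(findings: List[Finding]) -> str:
    """Render findings as one 'rule line: text' entry per line for a reviewer."""
    return "\n".join(f"{f.rule:<18} line {f.line:>3}: {f.text}" for f in findings)


if __name__ == "__main__":
    print(report(scan_cobol(SAMPLE_COBOL)))
```

Each finding still has to be read in context: the `SQLExecution` hit on the static `SELECT ... WHERE ID = :WS-CUST-ID` uses a host variable and is not an injection point, whereas the `SQLStringBuild` and `DynamicSQL` pair shows user input from `ACCEPT` being concatenated into a statement and executed, which is the pattern the regular-expression rule is meant to surface.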

Any attack surface identified for your application can be analyzed using these mechanisms to provide further coverage beyond the rules shipped with the product. These findings need to be understood in terms of other mitigating factors, acceptable risk levels, and the impact of the application itself. AppScan Source can help guide you through the process by unveiling threats within the code itself, which is the first step in understanding your threat posture.

Document information

More support for: IBM Security AppScan Source

Software version: Version Independent

Operating system(s): Windows

Software edition: Security

Reference #: 1502622

Modified date: 27 May 2016