IBM Security AppScan Standard 8.6

Downloadable files


IBM Security AppScan Standard (previously known as IBM Rational AppScan Standard Edition) has been made generally available on the IBM Passport Advantage website.

Download Description

On this page
Sections Description
This section provides an overview on what is new in this release with a description of any new functionality or enhancements when applicable.
This section provides important information to review prior to the installation of this release.
This section describes where and how to download the package for installation in your environment.
This section provides the installation instructions necessary to apply this release into your environment.
This section contains a link to the known problems (open defects) identified at the time of this release.

Supporting documentation
Document Description
Click to navigate to the detailed system requirement report page.
Click to open the AppScan Standard 8.6 InfoCenter, an online version of the Help that comes with the product..
Click to review defects (APARs) resolved in recent releases, including this release, by version.
Click to access additional documentation for AppScan Standard, by version.


Installation Instructions

After downloading the installation pack to your computer and unzipping the contents, double-click on AppScan_Setup.exe to launch the setup process and follow the simple on-line instructions.

Note: During the installation you will be asked if you want to install Generic Service Client (GSC). This is a program included in the AppScan Standard package, and used by AppScan Standard when scanning Web Services. If your site includes web services, install GSC; otherwise do not..

Download package

Download locations
Location Description
Passport Advantage Passport Advantage and Passport Advantage Express clients are required to sign in to download the software package.
IBM OEM software IBM Software Group OEM offerings are designed for partners who develop and sell business solutions with embedded or bundled IBM middleware software. Clients with Flexible Contract Type (FCT) license purchases and IBM Business Partners must sign in to download the software package.

  1. Log in to one of the above download locations, as appropriate.

  2. Search for and download the following package (ZIP file):
    IBM Security AppScan Standard V8.6 Multilingual Windows eAssembly
    Part Number CI8PRML

    This package includes:
    • AppScan_Setup.exe - The file for installing AppScan Standard 8.6
    • GSC_Setup.exe - The file for installing Generic Service Client, used for scanning web services, if your application includes web services
    • Quick Start Guide - A multilingual PDF file
    • Traffic Viewer - An optional additional program for viewing web traffic

How critical is this fix?


This is a service release of AppScan Standard containing new features as well as fixes for client reported and internally found defects.

Problems solved

Known side effects

Known issues are documented here:
Known issues in AppScan Standard 8.6

AppScan Standard 8.6 has the following modified behavior:

  1. As a result of AppScan moving from Rational to the new Security group within IBM, the default installation directory path has been changed from
    ...(Program Files)\IBM\Rational AppScan
    ...(Program Files)\IBM\AppScan Standard

  2. Earlier versions of AppScan Standard are not removed when installing AppScan Standard 8.6.

  3. In AppScan Standard 8.6 the scan file format has been redesigned. As a result, scans saved with an earlier version cannot be opened in AppScan Standard 8.6. There are two options:
    • They can be opened in the AppScan version in which they were saved (which can remain installed, and be opened, on the same machine)
    • They can be used as a template to create a new scan in AppScan 8.6.

Change history

Version 8.6 includes the following features and enhancements:

Next generation Dynamic Application Security Testing (DAST) scanning engine

  • Re-architected to use a single technology platform (.NET) that fits all DAST products.
  • AppScan Standard and AppScan Enterprise results are now better aligned.

Security Report
  • Completely redesigned, attractive and easy-to-read format.
  • More actionable results.
  • The new Additional Issue Information checkbox includes screenshots and other additional information in the report.

Application Data view
  • Application Data is now the default view during the Explore stage. It is updated live as AppScan Standard explores the site, and data in all three panes can be clicked on and viewed during the Explore stage.
  • New Result list toolbar with buttons for the various views.
  • New Pages view lists actual viewable pages. For each page, a list of web components (such as cascading style sheets (CSS), JavaScript files and snippets, Frames, and iFrames) is shown, as well as links pointing to and from the page.
    Note: One web page may consist of numerous components, including many Explored URLs.
  • More efficient assignment of parameters, resulting in a more concise Parameters list.
  • Columns now show Tracked and Test Exclude status for Parameters and Cookies in the Result list.

Configuration > Parameters and cookies view
  • New column: Source (Scan template / Login Seq / Multi-step seq variable / Scan Expert (module name) / Explore Optimizer / User-defined.
  • Now hides template items by default. Click Show to see them.
  • Ignore column renamed to Redundancy Tuning (settings are Default / Custom).
  • When a custom parameter is added, new fields allow input of occurrence index and extracted name.
  • Enhanced Custom Parameters configuration screen for easier setup.
Security and accuracy
  • New cross site scripting detection module, with a "learning system” that tailors a unique, custom XSS payload from a knowledge base of millions of potential payloads, rather than relying on a database of predefined tests.
  • Glass box server agent now adjusts the AppScan Standard Environmental Definition configuration automatically (operating system and application server name).

JavaScript Security Analyzer
  • The JavaScript Security Analyzer extension (JSA) has been built into the DAST scanning engine. It is enabled through Configuration > Test Options view > Enable JavaScript Security Analysis, and configured through Test Policy view > Static Analysis (SAST).

Manual Tests
  • Manual tests can now be assigned names by the user.

Scan Log
  • The scan log is now saved as part of the scan. When a saved scan is loaded, the existing scan log loads too, and data is added to it as scanning continues.

  • Dialog box fields that allow or require a regular expression, now have a button on the right hand side that opens the Expression Test PowerTool, so you can verify the input.
  • Two utilities, Traffic Viewer and a Fiddler add-on, are now included in AppScan Standard for support purposes.

Modified behavior
  • As a result of AppScan Standard moving from Rational to the new Security group within IBM, the default installation directory path has been changed to
    ...(Program Files)\IBM\AppScan Standard
  • Earlier versions of AppScan Standard are not removed when installing AppScan Standard 8.6.
  • Scans saved with the earlier version cannot be opened in AppScan Standard 8.6. They can either be opened in the AppScan Standard version in which they were saved (which can remain installed, and be opened, on the same machine) or used as a template to create a new scan in AppScan Standard 8.6.
Modified advanced options
  • Some options in the Advanced view of the Configuration dialog, and in the Advanced tab of the Options dialog have been removed. For a complete list, click here.

Technical support

Document information

More support for:

IBM Security AppScan Standard

Software version:

Operating system(s):


Software edition:


Reference #:


Modified date:


Translate my page

Content navigation