AppScan Source 8.7 now available

Downloadable files


Abstract

This document describes how to download and install IBM Security AppScan Source version 8.7.

Download Description

This release is a full product download.


Passport Advantage clients:

Passport Advantage and Passport Advantage Express clients are required to sign in to Passport Advantage Online to download the image.


Non-Passport Advantage clients:

If your organization did not purchase your software and support through Passport Advantage or Passport Advantage Express, you are required to sign in to the new IBM Software Group OEM Portal to download the image.

Note: This includes clients with Flexible Contract Type (FCT) license purchases and IBM Business Partners.

For assistance with the IBM Software Group OEM Portal, visit the eCustomer care page.


IMPORTANT: AppScan Source is affected by a vulnerability in OpenSSL (CVE-2014-0160, known as Heartbleed). We strongly encourage you to apply the latest iFix, which addresses that vulnerability. See http://www.ibm.com/support/docview.wss?uid=swg21670303 for more details. The iFix requires AppScan Source version 8.7.0.1: apply that version first, then follow the instructions in http://ibm.com/support/docview.wss?uid=swg24037355 to apply the iFix.


What's New in IBM Security AppScan Source version 8.7:

  • New platform and integration solution support:

    As of AppScan Source Version 8.7, these operating systems are supported:
    • OS X Versions 10.7 and 10.8 (AppScan Source for Analysis and AppScan Source for Automation only). For detailed OS X support information, see the AppScan Source system requirements.
    • Update 3 of Red Hat Enterprise Linux Version 6.0

    In addition:
    • Eclipse 3.8 project files can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to Eclipse 3.8.
    • Rational Application Developer for WebSphere Software (RAD) Version 8.5.1 project files and workspaces can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Version 8.5.1.
    • Rational Team Concert Version 4.0.1 is now a supported defect tracking system.
    • If you are using floating licenses to activate AppScan Source software, Rational License Server Version 8.1.3 is now supported.

  • Security analysis of Apple mobile (iOS-based) applications:

    Apple mobile applications are typically developed on the OS X platform for deployment on Apple mobile devices (for example, iPhone and iPad) which run iOS. For example, an Apple iPhone application could be developed on a MacBook Pro running OS X Version 10.8 - but it would be deployed on an iPhone running iOS Version 6.0.

    AppScan Source security analysis of these applications runs on OS X (not on the Apple mobile devices themselves); the analysis targets iOS security risk in the application being scanned.

  • Extensive iOS security research to identify Apple mobile application risks:

    Working in concert with IBM Security Research, a comprehensive analysis was conducted on the iOS Software Development Kit (SDK) to identify application programming interfaces (API) that might introduce application security risk. An exhaustive list of API was investigated to determine if some are sources (inputs) of risky information, sinks (outputs), or if they propagate security risk. The API profiles have been added to the AppScan Source Security Knowledgebase and tied to the analysis engine. This provides the ability to identify iOS-specific security risks.

    Combined with the research conducted on the Android SDK, AppScan Source has researched and characterized the security risk of approximately 30,000 mobile API.

  • Xcode IDE interoperability:

    Xcode is the Apple Integrated Development Environment (IDE). Developers write their mobile applications using the Xcode IDE. Xcode on OS X is analogous to Visual Studio on Windows. However, unlike Visual Studio or Eclipse, Xcode does not support a plug-in architecture. For this reason, AppScan Source provides features to allow interoperability with Xcode and to support developer-focused application security analysis. AppScan Source can read and import Xcode projects.

    Because Xcode does not support third party plug-in modules, we are not offering support for AppScan Source for Development or AppScan Source for Remediation on OS X. In the AppScan Source Version 8.7 release, only AppScan Source for Analysis and AppScan Source for Automation are available on OS X. Additionally, it should be noted that there is still a requirement to connect the OS X-based AppScan Source products to a Windows or Linux version of the AppScan Enterprise server.

    For detailed Xcode support information, see the AppScan Source system requirements.

  • Objective-C support:

    The Objective-C programming language is a superset of the C programming language, but its object model and message-passing syntax differ substantially from C and require dedicated language support. Objective-C is the primary language used to develop Apple mobile applications. AppScan Source Version 8.7 provides full language support for Objective-C. The support includes full data and call flow analysis (also referred to as trace support): AppScan Source can build a graphical representation (the trace) of how data moves from a source (input) to a sink (output).

    One of the greatest mobile application security risks is unauthorized access to data. AppScan Source highlights all the places where data leaves an application, effectively providing a map of the exit points at which encryption should be applied.

    The analysis of applications written in Objective-C is based on the iOS SDK and is focused on Apple mobile applications. Applications written in Objective-C targeted to run on Mac OS X are not supported.

    For detailed Objective-C support information, see the AppScan Source system requirements.

  • Enhanced JavaScript support:

    Prior to AppScan Source Version 8.7, AppScan Source support for JavaScript was based on regular expression analysis. Powerful regular expression patterns were used to identify security risk. However, one of the limitations to the regular expression analysis was the inability to conduct call and data flow analysis.

    AppScan Source Version 8.7 provides enhanced JavaScript support that includes the ability to conduct call and data flow analysis. JavaScript analysis will now generate trace information.

  • Multiple languages supported on OS X:

    AppScan Source supports the analysis of Objective-C, Java, and JavaScript on OS X. This will address the use case where some development teams develop both Apple and Android mobile applications on the Mac platform.

    Note: These are the only languages supported by AppScan Source on OS X.

  • United States government regulation compliance:

    Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that IBM is working to make its products the most secure in the industry. The AppScan Source Version 8.7 release provides compliance with two important requirements: FIPS 140-2 and IPv6.

    Federal Information Processing Standard (FIPS) Publication 140-2 is a United States government computer security standard that specifies security requirements for cryptographic modules, so that only approved and validated cryptography is used in software products. To meet it, all cryptography used in each AppScan Source product was reviewed and updated where necessary.

    Internet Protocol Version 6 (IPv6) support is an emerging requirement. In AppScan Source Version 8.7, the connection between AppScan Source and AppScan Enterprise now supports IPv6.

  • Enhanced filter support:

    In previous AppScan Source releases, only one filter could be applied. In AppScan Source Version 8.7, new filter options provide better support for different security best practices. Filters can now be combined, which provides finer and more granular control of the analysis results. Security analysts now have an easier way to reduce the number of findings that developers need to act on.

    Multiple filters can be associated with a single application. These filters get applied automatically after a scan. This makes it easier for security analysts to define security policy and best practices. For example, a security analyst could define a set of filters to isolate SQL Injection and XSS high risk. A developer would have the filters applied automatically when scanning from their IDE and only be presented with a finite set of actionable results.

  • Installation Improvements:

    The installation procedure on all supported platforms has been streamlined and updated to ensure that application binaries and data are installed in separate locations. This better follows the file-location conventions of operating systems such as Microsoft Windows 7, and is better aligned with mature information technology organization best practices and requirements.

  • Capabilities deprecated in AppScan Source Version 8.7:

    As of AppScan Source Version 8.7, support for these operating systems is discontinued:
    • Microsoft Windows Vista, all editions
    • Any level of Microsoft Windows XP prior to Service Pack 3
    • Solaris, all versions and editions.

    In addition, support for Oracle 10g is discontinued in AppScan Source Version 8.7.

  • Various bug fixes.
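The trace support described above for Objective-C and the call and data flow analysis added for JavaScript both rest on the same idea: following a value from a source through intermediate assignments to a sink, which a per-line regular expression cannot do. The following is an added illustration written for this page, not AppScan Source code and not its analysis engine. It runs two checks over a constructed JavaScript snippet: a pattern-only check that flags a line only when source and sink appear together, and a deliberately minimal assignment-tracking taint analysis that follows the value through intermediate variables and records the chain of lines as a trace. The source and sink choices (`location.hash` and `innerHTML`), the sample snippets and the function names are assumptions made for the example.

```javascript
// Added example, not AppScan Source code: a toy comparison of pattern-only
// scanning and a minimal data-flow (taint) analysis over constructed snippets.
// The analysed program is handled line by line and only two statement shapes
// are understood: `var x = expr;` and `<anything>.innerHTML = expr;`.

// Assumed taint source (URL fragment/query/href) and assumed DOM XSS sink.
const SOURCE_PATTERN = /\blocation\.(hash|search|href)\b/;
const SINK_PATTERN = /\.innerHTML\s*=\s*([^;]+);/;

// Constructed sample: the tainted value reaches the sink through two
// intermediate variables, so no single line contains both source and sink.
const INDIRECT_SAMPLE = [
  'var raw = location.hash;',
  'var name = raw.substring(1);',
  'var greeting = "Hello " + name;',
  'document.getElementById("out").innerHTML = greeting;',
].join('\n');

// Constructed sample where source and sink sit on the same line.
const DIRECT_SAMPLE = 'document.body.innerHTML = location.hash;';

// Pattern-only check: a line is flagged only if it matches both patterns.
function regexFindings(program) {
  return program.split('\n')
    .map((text, idx) => ({ line: idx + 1, text }))
    .filter(({ text }) => SOURCE_PATTERN.test(text) && SINK_PATTERN.test(text))
    .map(({ line }) => ({ line, trace: [line] }));
}

// Union of the traces of every tainted identifier referenced in `expr`.
function taintOf(expr, tainted) {
  const trace = [];
  for (const id of expr.match(/\b[A-Za-z_]\w*\b/g) || []) {
    for (const l of tainted.get(id) || []) {
      if (!trace.includes(l)) trace.push(l);
    }
  }
  return trace;
}

// Minimal data-flow check: propagate taint through assignments and report
// each sink reached, together with the chain of lines (the trace).
function dataflowFindings(program) {
  const tainted = new Map(); // variable name -> lines that carried the taint
  const findings = [];
  program.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    const assign = /^\s*var\s+(\w+)\s*=\s*(.+);\s*$/.exec(text);
    if (assign) {
      const [, name, expr] = assign;
      const trace = taintOf(expr, tainted);
      if (trace.length || SOURCE_PATTERN.test(expr)) {
        tainted.set(name, [...trace, line]);
      } else {
        tainted.delete(name); // reassignment with clean data clears the taint
      }
      return;
    }
    const sink = SINK_PATTERN.exec(text);
    if (sink) {
      const trace = taintOf(sink[1], tainted);
      if (trace.length || SOURCE_PATTERN.test(sink[1])) {
        findings.push({ line, trace: [...trace, line] });
      }
    }
  });
  return findings;
}

for (const [label, program] of [['indirect', INDIRECT_SAMPLE], ['direct', DIRECT_SAMPLE]]) {
  console.log(label, 'regex:', JSON.stringify(regexFindings(program)),
              'dataflow:', JSON.stringify(dataflowFindings(program)));
}
```

On the indirect sample the pattern-only check reports nothing, while the data-flow check reports the sink on line 4 with the trace [1, 2, 3, 4]; on the direct sample both report the single line. A real engine handles calls, fields, control flow and sanitizers, none of which this toy attempts.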


Important Note:

OS X Versions 10.7 and 10.8 are only supported for AppScan Source for Analysis and AppScan Source for Automation. No other AppScan Source products are supported on OS X.

Security AppScan Source licensing:

Security AppScan Source provides a License Manager utility that is used for loading and updating license information on your client machine. This utility allows you to view your current license status - or you can use the utility to activate the product by importing a nodelocked license file or by using a floating license on a license server. Nodelocked licenses are tied to individual machines - while floating licenses can be checked out for use on different client machines.

The License Manager utility can be opened from the product installation wizard after installation is complete - or you can launch it from the Windows Start menu.


Security AppScan Source licenses are obtained from the IBM Rational License Key Center. For detailed information about obtaining licenses and license activation, see How to obtain and apply licenses for Security AppScan Source products and the Activating the software section of the Security AppScan Source Installation and Administration Guide.

Product Web site:

http://www.ibm.com/software/products/appscan-source

User assistance:

The Security AppScan Source Knowledge Center is available online at http://www.ibm.com/support/knowledgecenter/SSS9LM_8.7.0.1/com.ibm.security.appscansrc.infocenter.nav.doc/helpindex.html. The Knowledge Center includes the product user guide PDFs and release notes.

Prerequisites

Supporting Documentation

Document              Description
System Requirements   A detailed list of the supported hardware, operating systems and information related to IBM and third party software requirements.
Knowledge Center      Browse or search on-line information related to the deployment, configuration and usage of the product.

Download package


  1. You must have active product entitlements for this download, and know your Site Number. (If you do not know your Site Number, contact eCustomer Care.)

  2. Sign in to the http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm site using your IBM ID. If you do not have an IBM ID you will be able to create one. If you did not purchase under Passport Advantage terms, you will later be automatically redirected to the Software and Services site.

  3. On the Self-nomination page, type in your Site Number, and indicate whether or not you are your company's Primary Contact for this site. (If you are not sure whether you are the primary contact, select "No".) Then click Submit.

    At this point your company's primary contact is notified. When your request is approved you will receive email notification, and be able to continue.

  4. After signing in again (if necessary), click Software Download and Media Access, then click Download Finder.

    The downloads that are available to you are listed.

  5. If you purchased under Passport Advantage terms, search - by name or part number - for these packages:

    • IBM Security AppScan Source for Automation V8.7 Multiplatform Multilingual eAssembly (Part Number CRLB5ML), which includes:
      • IBM Security AppScan Source for Automation V8.7 Windows Multilingual (Part Number CIGA9ML)
      • IBM Security AppScan Source for Automation V8.7 Linux Multilingual (Part Number CIGB0ML)
      • IBM Security AppScan Source for Automation V8.7 OS X Multilingual (Part Number CIGB1ML)
      • IBM Security AppScan Source for Automation V8.7 Quick Start Guide (Part Number CIGA8ML)
      • IBM Security AppScan Enterprise Server V8.7 Windows Multilingual (Part Number CIGA3ML)
      • IBM Security AppScan Enterprise Server V8.7 Linux Multilingual (Part Number CIGA4ML)

    • IBM Security AppScan Source for Analysis V8.7 Multiplatform Multilingual eAssembly (Part Number CRLB6ML), which includes:
      • IBM Security AppScan Source for Analysis V8.7 Windows Multilingual (Part Number CIGB3ML)
      • IBM Security AppScan Source for Analysis V8.7 Linux Multilingual (Part Number CIGB4ML)
      • IBM Security AppScan Source for Analysis V8.7 OS X Multilingual (Part Number CIGB5ML)
      • IBM Security AppScan Source for Analysis and Consulting V8.7 Quick Start Guide (Part Number CIGB2ML)
      • IBM Security AppScan Enterprise Server V8.7 Windows Multilingual (Part Number CIGA3ML)
      • IBM Security AppScan Enterprise Server V8.7 Linux Multilingual (Part Number CIGA4ML)

    • IBM Security AppScan Source for Development and Remediation V8.7 Multiplatform Multilingual eAssembly (Part Number CRLB7ML), which includes:
      • IBM Security AppScan Source for Development and Remediation V8.7 Windows Multilingual (Part Number CIGB7ML)
      • IBM Security AppScan Source for Development and Remediation V8.7 Linux Multilingual (Part Number CIGB8ML)
      • IBM Security AppScan Source for Development and Remediation V8.7 Quick Start Guide (Part Number CIGB6ML)
      • IBM Security AppScan Enterprise Server V8.7 Windows Multilingual (Part Number CIGA3ML)
      • IBM Security AppScan Enterprise Server V8.7 Linux Multilingual (Part Number CIGA4ML)

  6. Download the required components of the package. (It may be convenient to download all components together, for quick access later on.)


Problems solved

APAR      Title
PM81661   Quality-only scan on a single file without a Dev license gives a licensing error, but not when scanning the entire project
PM72185   .vcxproj file extension not on list of default file extensions when adding it within a "manual" application
PM72182   DotNetNuke scan: Error in "Preparing for IPVA" phase, SOLID error "Too long constraint value"
PM74081   Tooltips for the left and right arrow buttons in Report Editor's Categories tab are incorrectly reversed
PM76933   Modifying a shared custom scan configuration causes a duplicate scan configuration of the same name to appear
PM73416   "Generate Findings Report" should be available in the Tools menu when selecting findings in the Assessment Diff view
PM74578   Unexpected results searching Japanese version of AppScan Source Knowledgebase
PM74846   Title of a report generated from Assessment Diff is inconsistent
PM79978   "Regular Expression Untainting Input" scan rule flags false positives
PM74579   Cannot add a Text Block in Report Editor from the Japanese version of AppScan Source
PM79834   AppScan Source scanning fails if the JAR file is located in a folder with a Japanese name
PM73157   "Save Assessment As ..." results in the error "Server-side Exception: null"
PM83142   JVM runs out of memory while generating findings report in PDF
PM79065   Developer Scan license not returned after logout in Eclipse
PM80734   "Bad file" error scanning a .NET solution in a directory with multi-byte characters
PM76326   AppScan Source does not handle multibyte characters correctly in C/C++ comments
PM80963   WAFL parse error when & is in the parameter name
PM77995   Process "Stopped" when trying to background appscansrccli with "&"
PM79747   Some strings in .html and .pdf reports are not translated properly
PM72178   HP QC integration won't work without installing via MSI installer

Download                                  Release date   Language   Size (bytes)   Download options
Windows download at Passport Advantage    25 Mar 2013    English    789287687      HTTP
Linux download at Passport Advantage      25 Mar 2013    English    851667433      HTTP
OS X download at Passport Advantage       25 Mar 2013    English    668144572      HTTP

Technical support


Licensing Information

Consult How to obtain and apply licenses for AppScan Source products.


User assistance

Known issues can also be found in the AppScan Source product documentation. See Where to find documentation for AppScan Source.




Helpful Hints For Obtaining Technical Assistance

Before you contact IBM Security Software Support, gather the background information that you need to describe the problem. When creating the ticket, provide this information:

  • What operation did you perform, and what error messages did you receive?
  • The background information needed to understand the issue.
  • Version of AppScan Source. Make sure that you are opening the ticket for AppScan Source (there are several AppScan products supported by different teams).
  • Impact of the issue on your organization, schedule, and deadlines.
  • Upload logs, screen captures, and background information for the ticket.


Problems (APARs) fixed
PM81661, PM72185, PM72182, PM74081, PM76933, PM73416, PM74578, PM74846, PM79978, PM74579, PM79834, PM73157, PM83142, PM79065, PM80734, PM76326, PM80963, PM77995, PM79747, PM72178

Document information


More support for:

IBM Security AppScan Source
Installation

Software version:

8.7

Operating system(s):

Linux, Mac OS X, Windows

Reference #:

4034606

Modified date:

2014-05-02
