IBM Support

AppScan Source 8.8 now available

Downloadable files


This document describes how to download and install IBM Security AppScan Source version 8.8.

Download Description

This release is a full product download.

Passport Advantage clients:

Passport Advantage and Passport Advantage Express clients are required to sign in to Passport Advantage Online to download the image.

Non-Passport Advantage clients:

If your organization did not purchase your software and support through Passport Advantage or Passport Advantage Express, you are required to sign in to the new IBM Software Group OEM Portal to download the image.

Note: This includes clients with Flexible Contract Type (FCT) license purchases and IBM Business Partners.

For assistance with the IBM Software Group OEM Portal, visit the eCustomer care page.

IMPORTANT: AppScan Source is affected by a vulnerability in OpenSSL (CVE-2014-0160). We strongly encourage you to apply the latest iFix, which addresses that vulnerability. See for more details - and follow the instructions in for applying the fix.

What's New in IBM Security AppScan Source version 8.8:

One of the primary themes in the AppScan Source 8.8 release focuses on providing a handful of improvements to make the initial user experience better. An investment was made in sets of features to improve the Proof of Concept (POC) experience. A major investment in currency, including the addition of out-of-the-box support for many popular application frameworks, helps to shorten the time to value.

  • Improved Vulnerability Matrix
    The Vulnerability Matrix has been updated with new labels, new colors, and supporting tool tips. The often-confusing Type I and Type II Exception nomenclature has been replaced by more easily understood labels. The new Vulnerability Matrix makes it easier to explain scan results to security, development, and management audiences.
  • New Trace View Options
    Security analysts typically go right to the AppScan Source Trace View to triage and isolate security risk. New in this release is the ability to quickly maximize the screen real estate to display more trace details.
  • New and Enhanced Scan Configurations
    The AppScan Source out-of-the-box scan configurations provide multiple benefits. A specific and focused scan rule is applied for each configuration without requiring security experts. This means the scan performance is improved because fewer rules are being applied. The results are also focused and streamlined because only findings associated with the scan rules are generated.

    In the Version 8.8 release, the Android, Large application, Normal, Quick, and Web scan configurations have been updated. The updates produce more accurate results and eliminate potential false positive results.

    New Scan Configurations for Version 8.8 include: Follow all virtual call targets, iOS, Maximize findings, Maximize traces, Medium-to-large application, User input vulnerabilities, and Service code.
  • New and Enhanced Out-of-the-box Filters
    The AppScan Source out-of-the-box filters make it easy to isolate security risk. They allow organizations to apply security policy to the results of a scan. Filters are customizable and can be globally shared. This means security leads can define filters for developers.

    The out-of-the-box filters save time and help to improve the time to value. A standard workflow is to scan an application, then apply a filter to streamline the results. New out-of-the-box filters in this release include OWASP Top 10 2013 and OWASP Top 10 Mobile Risks (RC1).

    Also new in the Version 8.8 release is the addition of filter information to assessment results and reports. Based on customer requests, this new feature makes it clear to readers and reviewers of scan results if some findings have been filtered out. It improves the communication between development and security teams and ensures potential security risks are not overlooked.
  • New Out-of-the-box Compliance Reports
    AppScan Source provides a built-in custom report editor. This allows organizations to create their own custom reports to match their security best practices. There are also a number of out-of-the-box reports that align with some common security compliance standards. New in the Version 8.8 release are out-of-the-box reports for:
    • DISA STIG V3.5
    • OWASP Top 10 2013
    • OWASP Top 10 Mobile Risks, RC1
  • U.S Federal Compliance Update – NIST Support
    AppScan Source Version 8.8 and the entire family of AppScan products are now NIST compliant. This includes enhanced encryption (support for TLS 1.2). Specifically, the AppScan products now comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a. Additionally, AppScan Source provides an updated DISA STIG V3.5 out-of-the-box report.
  • Platform Updates – Currency
    There were a number of updates to operating system support, IDEs (that AppScan Source for Development can be applied to - and whose project files and workspaces can be scanned), Defect Tracking Systems (DTS), application frameworks and other supporting components.
    • Operating Systems: Windows Server 2012 (Datacenter, Standard, Essentials, and Foundation Editions), Red Hat Enterprise Linux 6.4
    • IDEs: Visual Studio 2012, Eclipse 4.2, 4.2.2, 4.3, Rational Application Developer 8.5.1, 9.0
    • DTS: Rational ClearQuest 8.0.1, Rational Team Concert 4.0.2, 4.0.3, 4.0.4
    • New out-of-the-box Framework Support:
      • Spring MVC 3
      • Additional feature support for Spring MVC 2.5
      • ASP.NET MVC
      • .NET 4.5
      • Java JAX-RS (V1.0 & 1.1)
      • Java JAX-WS (V2.2)
      • Enhanced Web Services support including WSDL
    • Other Updates: Rational License Key Server 8.1.4, WebLogic 11, 12, WebSphere 8, 8.5, Tomcat 6, 7 (Jasper 2), Microsoft .NET Framework Version 4.5 scan support
  • Microsoft Window Authentication – via AppScan Enterprise
    Additional authentication support to help simplify user management and make large deployments easier. New in this release is support for Microsoft Windows authentication providing additional user management options to the existing support for LDAP and internal product authentication.
  • Capabilities deprecated in AppScan Source Version 8.8
    • Operating System: Windows XP, Windows Server 2003
    • IDE and project/workspace scan support: Visual Studio 2005; Eclipse 3.3, 3.4, 3.5; Rational Application Developer 7.0 (EOS), 7.5 (EOS 9/30/2013); Rational Application Developer 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5 (EOS 9/30/2013)
    • DTS: Rational ClearQuest 7.0 (EOS); Rational Team Concert
    • Tomcat Version 3 (Jasper 1) is no longer supported for Java and JSP compilation. If you are upgrading AppScan Source and using this version of Tomcat, you will need to upgrade Tomcat to a version that is supported by AppScan Source Version 8.8 (see the AppScan Source system requirements to learn which versions of Tomcat are supported).

Important Note:

OS X Versions 10.7 and 10.8 are only supported for AppScan Source for Analysis and AppScan Source for Automation. No other AppScan Source products are supported on OS X.

Security AppScan Source licensing:

Security AppScan Source provides a License Manager utility that is used for loading and updating license information on your client machine. This utility allows you to view your current license status - or you can use the utility to activate the product by importing a nodelocked license file or by using a floating license on a license server. Nodelocked licenses are tied to individual machines - while floating licenses can be checked out for use on different client machines.

The License Manager utility can be opened from the product installation wizard after installation is complete - or you can launch it from the Windows Start menu.

Security AppScan Source licenses are obtained from the IBM Rational License Key Center. For detailed information about obtaining licenses and license activation, see How to obtain and apply licenses for Security AppScan Source products and the Activating the software section of the Security AppScan Source Installation and Administration Guide.

Product Web site:

User assistance:

The Security AppScan Source Knowledge Center is available online at The Knowledge Center includes the product user guide PDFs and release notes.


Supporting Documentation
Document Description
System Requirements A detailed list of the supported hardware, operating systems and information related to IBM and third party software requirements.
Knowledge Center Browse or search on-line information related to the deployment, configuration and usage of the product.

Download package

  1. You must have active product entitlements for this download, and know your Site Number. (If you do not know your Site Number, contact eCustomer Care.)

  2. Sign in to the site using your IBM ID. If you do not have an IBM ID you will be able to create one. If you did not purchase under Passport Advantage terms, you will later be automatically redirected to the Software and Services site.

  3. On the Self-nomination page, type in your Site Number, and indicate whether or not you are your company's Primary Contact for this site. (If you are not sure whether you are the primary contact, select "No".) Then click Submit.

    At this point your company's primary contact is notified. When your request is approved you will receive email notification, and be able to continue.

  4. After signing in again (if necessary), click Software Download and Media Access, then click Download Finder.

    The downloads that are available to you are listed.

  5. If you purchased under Passport Advantage terms, search - by name or part number - for these packages:

    • IBM Security AppScan Source for Automation V8.8 Multiplatform Multilingual eAssembly (Part Number CRP3VML), which includes:
      • IBM Security AppScan Source for Automation V8.8 Windows Multilingual (Part Number CIQU3ML)
      • IBM Security AppScan Source for Automation V8.8 Linux Multilingual (Part Number CIQU4ML)
      • IBM Security AppScan Source for Automation V8.8 OS X Multilingual (Part Number CIQU5ML)
      • IBM Security AppScan Source for Automation V8.8 Quick Start Guide (Part Number CIQU2ML)
      • IBM Security AppScan Enterprise Server V8.8 Windows Multilingual (Part Number CIQT3ML)
      • IBM Security AppScan Enterprise Server V8.8 Linux Multilingual (Part Number CIQT4ML)

    • IBM Security AppScan Source for Analysis V8.8 Multiplatform Multilingual eAssembly (Part Number CRP3WML), which includes:
      • IBM Security AppScan Source for Analysis V8.8 Windows Multilingual (Part Number CIQU7ML)
      • IBM Security AppScan Source for Analysis V8.8 Linux Multilingual (Part Number CIQU8ML)
      • IBM Security AppScan Source for Analysis V8.8 OS X Multilingual (Part Number CIQU9ML)
      • IBM Security AppScan Source for Analysis and Consulting V8.8 Quick Start Guide (Part Number CIQU6ML)
      • IBM Security AppScan Enterprise Server V8.8 Windows Multilingual (Part Number CIQT3ML)
      • IBM Security AppScan Enterprise Server V8.8 Linux Multilingual (Part Number CIQT4ML)

    • IBM Security AppScan Source for Development and Remediation V8.8 Multiplatform Multilingual eAssembly (Part Number CRP3XML), which includes:
      • IBM Security AppScan Source for Development and Remediation V8.8 Windows Multilingual (Part Number CIQV1ML)
      • IBM Security AppScan Source for Development and Remediation V8.8 Linux Multilingual (Part Number CIQV2ML)
      • IBM Security AppScan Source for Development and Remediation V8.8 Quick Start Guide (Part Number CIQV0ML)
      • IBM Security AppScan Enterprise Server V8.8 Windows Multilingual (Part Number CIQT3ML)
      • IBM Security AppScan Enterprise Server V8.8 Linux Multilingual (Part Number CIQT4ML)

  6. Download the required components of the package. (It may be convenient to download all components together, for quick access later on.)

Problems solved




Restarting AppScan Source For Analysis does not apply project level validation routines properly


Large classpath for WAS jsp compiler causes OOM exception


Error id CRWSA1080E may be thrown incorrectly


Inability to override markup for APIs that already have factory markup in AppScan Source


How to represent inner class in VDB format is not described in Appscan Source documentation


AppScan Source for Security encounters Segmentation Fault during Scanning Phase with Java/JSP


Number of Assessments shown in Published Assessments and My Assessments on startup does not work as expected


No error message generated when WAFL Globals Tracking setting set to False


SRC: JavaScript scan in AppScan Source fails to parse script paths with global attributes


The example for validation routine in the documentation in AppScan Source may mislead the user


The getSourceRoots() API call does not return any Source locations


XML parse fatal error in scanner_exception.log with AppScan Source For Analysis on Linux


Additional options needed in order to deal with size_t and long in 64 bit environments


AppScan Source: .scope file name is too long


AppScan Source compilation errors due to corrupt classpath with WAS 7 on Linux


MS macro $(SolutionDir) from imported solution resolves to location of project file, not solution file


Memory Access Failure for Windows (Application failed to initialize properly (0xc0000018))


Custom Rules cannot be refreshed after ""Unable to modify factory record"" is encountered


Uncaught exception" during Framework Analysis due to "java.lang.AssertionError" in WALA code


Ouncemake is constructing the wrong path to the source file in the ppf file


C++ scan gets ""Scan aborted. Internal error"" when encountering variants bstrVal and pdispVal


Modifying published assessment in AppScan Source does not behave as expected


failed to load root <Primordial,Ljava/lang/Object> of class hierarchy


Developer Plugin for Eclipse does not save Security Assessment after Quality Assessment


Skipping project due to error: Configuration Debug does not exist in Project "Debug|Any CPU


AppScan Source for Analysis shows corrupted error message when failing to import Eclipse workspace


ouncemake fails to compile if a macro is defined with a string value


Findings are jumping from one bundle to another upon rescan


SRC: Scan rules with names greater than 64 characters cause errors when added to rule sets


Import into security analysis is not complete when files are under source control


"Internal error" during C++ scan

Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
Windows download at Passport Advantage 22 Oct 2013 English 765172812 HTTP
Linux download at Passport Advantage 22 Oct 2013 English 834978117 HTTP
OS X download at Passport Advantage 22 Oct 2013 English 657143202 HTTP

Technical support

Licensing Information

Consult How to obtain and apply licenses for AppScan Source products.

User assistance

Known issues can also be found in the AppScan Source product documentation. See Where to find documentation for AppScan Source.

Helpful Hints For Obtaining Technical Assistance

Before you contact IBM Security Software Support, gather the background information that you need to describe the problem. When creating the ticket, provide this information:

  • What operation did you performed - and what error messages have you received?
  • The background information needed to understand the issue.
  • Version of AppScan Source. Make sure that you are opening the ticket for AppScan Source (there are several AppScan products supported by different teams).
  • Impact of the issue on your organization, schedule, and deadlines.
  • Upload logs, screen captures, and background information for the ticket.

Problems (APARS) fixed
PM97665, PM97448, PM97166, PM95763, PM94356, PM94251, PM94054, PM93986, PM93849, PM93587, PM93275, PM92942, PM92910, PM92629, PM92501, PM91984, PM91738, PM91446, PM90977, PM90884, PM89380, PM89154, PM88678, PM88357, PM86998, PM85049, PM84935, PM82827, PM63260, PM89408, PM98304

Document information

More support for: IBM Security AppScan Source

Software version: 8.8

Operating system(s): Linux, OS X, Windows

Reference #: 4035797

Modified date: 11 July 2014

Translate this page: