Thursday, 10 January 2013

IBM AppScan eval downloads - and what is the difference between Standard, Source, Enterprise and Dynamic?

If you go to the IBM AppScan download page you can see four downloads:
  • IBM Security AppScan Standard V8.6 Evaluation Windows 
  • IBM Security AppScan Source for Analysis V8.6 Evaluation Multiplatform
  • IBM Security AppScan Enterprise Server V8.6 Evaluation Multiplatform
  • IBM Security AppScan Enterprise Dynamic Analysis Scanner V8.6 Evaluation

It would be nice if the names were a bit more explicit about what they do:
  • AppScan Standard - BlackBox scanner (pentesting tool), .NET-based, runs on the desktop
  • AppScan Source - WhiteBox scanner (source analysis), Java-based, runs on the desktop
  • AppScan Enterprise - BlackBox scanner (pentesting tool), .NET/C++ (not 100% sure), runs as a web app
  • AppScan Enterprise Dynamic Analysis - I have no idea what this is, but from this blog entry Out with the old, in with the new - IBM Security AppScan Standard 8.6 released! I would say that it is the AppScan Standard engine running as a web app
What we still don't have is 'The AppScan', which would be the product made of the combination of them all (or at least with the ability to consume and instrument them all from one place).

At least there is a single download page for the 8.6 versions, which is a good thing.

1 comment:

Dinesh Shetty said...

Well, I've had a chance to work on AppScan quite a number of times in the past, so here's some little info I thought I'd spam :D

AppScan Standard:
Desktop installation based tool which works as a Grey + Black Box scanner + malware scan with a pretty decent session detection mechanism + etc etc

AppScan Source:
Desktop installation based tool which is mainly a source code scanning engine. Also called Source for Security.. if I remember correctly :D. It also has a couple of developer plugins for Eclipse and Visual Studio which are pretty neat. There is also one called AppScan Plugin for remediation which was a total waste of time :D


AppScan Enterprise:
AppScan Enterprise is basically a dashboard which can be used from a management perspective. Not desktop based. It has web based access so it can be accessed remotely via any browser. It can be used to centrally manage projects, assign scans to users, user and policy management, integrate reports, view reports by assets etc etc. So basically it is something that would be useful from a management angle to have a centralized view of security posture at an organizational level. Thing to note here is that until 8.5 I had to buy a Basic license of AppScan Enterprise to make use of AppScan Source to work well and to combine reports of Standard edition + Source edition


AppScan Enterprise Dynamic Analysis:
Though the name sounds really 31337, it is basically AppScan Enterprise with a built in scanning engine. So it's plain AppScan Standard in a web based console with click click functionalities.


And yea, the thing you mentioned regarding "The AppScan" is something which I completely agree with :D .. I mean it can be a real pain if you want to integrate it in a proper SDLC. 4 tools independently.. setting up architecture blah blah blah. However, saying that.. Enterprise Edition with scanning capability is something close to a 50% AppScan :D .. It has the same power as Standard + I've always loved its reporting capabilities. But yet again .. you can't do a whitebox scan with it, you can just view the trace of the code.