IBM Security AppScan Source

Identify and fix vulnerabilities in web and mobile applications

Forrester Consulting: Total Economic Impact™ (TEI) of IBM Security AppScan Source

Learn how our client achieved triple-digit ROI by implementing IBM AppScan Source.

IBM® Security AppScan® Source helps organizations lower costs and reduce risk exposure by identifying web-based and mobile application source code vulnerabilities early in the software development lifecycle, so they can be fixed before deployment.

IBM Security AppScan Source integrates application security testing into your software development lifecycle. It offers enhanced mobile application scanning capabilities and supports testing for mobile web, native and hybrid applications, which includes support for JavaScript, HTML5, Cordova, Java and Objective-C. IBM Security AppScan Source also provides integration with IBM MobileFirst Studio and the ability to scan Worklight applications.

IBM Security AppScan Source can enable:

Stronger and more cost-effective software security through source code analysis.
Improved intelligence through integration with existing tools and processes such as application development, build integration and security monitoring.
Security best practices through centralized management and enforcement of security policies.
Reporting, governance and compliance capabilities that facilitate communication of security status and issues.

Stronger and more cost-effective software security

Identifies security vulnerabilities and defects in source code during the early stages of the application lifecycle when they are inexpensive to remediate.
Builds automated security into development by integrating security source code analysis with automated scanning during the build process.
Scans, triages and manages security policies; prioritizes assignment of results to security teams for vulnerability remediation.
Delivers fast scans of more than one million lines of code per hour; scans even the most complex enterprise applications.
Extends security analysis to Android and Apple iOS mobile applications.

Improved intelligence through integration

Integrates with defect tracking systems (DTS), software configuration management and build management tools.
Provides increased security intelligence through correlation of static analysis results with dynamic analysis results.
Accommodates a broad portfolio of large and complex applications across a wide range of languages.
Is built on open architecture to protect your existing investments.

Security best practices

Define and enforce consistent policies that can be used throughout the enterprise.
Enable enterprise-wide metrics and reporting with a centralized policy and assessment database.
Provide audit and compliance reports that make it easier to understand application-related threat exposures at the executive level.

Reporting, governance and compliance capabilities

Provide visibility into security and compliance risks presented by the identified security issues.
Deliver more than 40 security compliance reports, including PCI Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), ISO 27001 and ISO 27002, HIPAA, Gramm–Leach–Bliley Act (GLBA) and Basel II.
Focus on mobile application security, including an Open Web Application Security Project (OWASP) Top 10 Mobile Risks report.
Support creation of customized reports to align with your organization's security best practices.

IBM Security AppScan Source

White Paper: Ensuring application security in mobile device environments
Learn how to choose the most effective mobile application security solution to identify and help prevent vulnerabilities.

Analyst report: Gartner Magic Quadrant for Application Security
IBM positioned in leaders quadrant.

Solution brief: Manage data security and application threats with a multi-tiered approach (832KB)
Learn practical approaches for using IBM Security AppScan and the IBM Security portfolio to bolster overall security preparedness.

White paper: Breaking down silos of protection: An integrated approach to managing application security
Examines solutions for enabling risk-based application security management, from identifying and prioritizing applications based on business impact to assessing applications for vulnerabilities and mitigating risk by fixing vulnerabilities.

The following are basic hardware and software requirements for the current release of IBM Security AppScan Source. View the detailed system requirements for more information (including system requirements for previous releases).

Operating System	Software	Hardware
Microsoft Windows 10 Education, Enterprise, and Pro 32 and 64-bit (in 32-bit mode) Microsoft Windows 8 Professional and Enterprise 32 and 64-bit (in 32-bit mode) Microsoft Windows 8.1 Professional and Enterprise 32 and 64-bit (in 32-bit mode) Microsoft Windows 7 Professional, Enterprise & Ultimate 32 and 64-bit (in 32-bit mode) Microsoft Windows Server 2008 Enterprise and Standard (SP1 and SP2)(32-bit x86) Microsoft Windows Server 2008 R2 Enterprise and Standard 64-bit (in 32-bit mode) Microsoft Windows Server 2012 Datacenter, Standard, Essentials, and Foundation (in 32-bit mode) Microsoft Windows Server 2012 R2 Datacenter, Standard, and Essentials (in 32-bit mode) RedHat Enterprise Linux 5.0 (through Update 8), 6.0 (through Update 7) Workstation & Server 32 and 64-bit (in 32-bit mode) macOS Versions 10.10, 10.11 and 10.12 (IBM Security AppScan Source for Security, IBM Security AppScan Source for Development (Eclipse plug-in), and IBM Security AppScan Source for Automation only)	Compilers: GNU Compiler Collection (gcc) for Linux, Visual Studio 2010 (V10) for Windows, Visual Studio 2012 (V11) for Windows, Visual Studio 2013 (V12) for Windows, Xcode Versions 6.3, 6.4, 7.0, 7.1, 7.2, 7.3 and 8 for Objective-C (for Apple iOS applications only), Java V1.5, and higher, Java EE Application Servers: Tomcat V5, V6, V7, and V8, Oracle Weblogic Server V8, V9, V11, and V12, IBM WebSphere Application Server (V7, V8, V8.5, and V8.5.5) Language Support for Security Testing (Windows): Java™, Android, JavaScript, JSP, ColdFusion, C, C++, .NET (C#, ASP.NET, and VB.NET), Classic ASP (JavaScript/VBScript), PHP (5.5, 5.6, and 5.7), Perl, Visual Basic 6, PL/SQL, T-SQL, and COBOL Language Support for Security Testing (Linux): Java™, Android, JavaScript, JSP, ColdFusion, C, C++, PHP (5.5, 5.6, and 5.7), Perl, PL/SQL, T-SQL, and COBOL Language Support for Security Testing (macOS): Objective-C in Xcode projects, Java, Android, JavaScript, JSP IDE Plug-in and Project File scanning support (Windows): IBM Worklight V6.0 and 6.1.0, IBM Worklight Foundation V6.2, and IBM MobileFirst Platform V6.3, V7.0, and V7.1; Eclipse versions 3.8, 4.2, 4.2.x, 4.3, 4.3.1, 4.3.2, 4.4, and 4.5; IBM Rational Application Developer (RAD) V8.5, V8.5.1, V8.5.5, V9.0, V9.0.1, V9.1, and V9.1.1; Visual Studio 2010 (Professional, Premium, and Ultimate), Visual Studio 2012 (Professional, Premium, and Ultimate), and Visual Studio 2013 (Professional, Premium, and Ultimate); Visual Studio supports C++, C#, ASP.NET, and VB.NET; Visual Studio 2015 project files can be scanned; Eclipse and RAD support scanning Java (including Android), JavaServer Pages (JSP), and IBM MobileFirst Platform projects IDE Plug-in and Project File scanning support (Linux): IBM Worklight V6.0 and 6.1.0, IBM Worklight Foundation V6.2, and IBM MobileFirst Platform V6.3, V7.0, and V7.1; Eclipse versions 3.8, 4.2, 4.2.x, 4.3, 4.3.1, 4.3.2, 4.4, and 4.5; IBM Rational Application Developer (RAD) V8.5, V8.5.1, V8.5.5, V9.0, V9.0.1, V9.1, and V9.1.1; Eclipse and RAD support scanning Java (including Android), JavaServer Pages (JSP), and IBM MobileFirst Platform projects IDE Plug-in and Project File scanning support (macOS): IBM Worklight V6.0 and 6.1.0, IBM Worklight Foundation V6.2, and IBM MobileFirst Platform V6.3, V7.0, and V7.1; Eclipse versions 3.8, 4.2, 4.2.x, 4.3, 4.3.1, 4.3.2, 4.4, and 4.5; IBM Rational Application Developer (RAD) V9.0, V9.0.1, V9.1, and V9.1.1; Eclipse and RAD support scanning Java (including Android), JavaServer Pages (JSP), and IBM MobileFirst Platform projects Defect Tracking System (Windows and Linux): IBM Rational ClearQuest® V7.1.1, V7.1.2, V8.0, and V8.0.1; HP Quality Center V9.2, V10.0, and V11.5; IBM Rational Team Concert V4.0, V4.0.1, V4.0.2, V4.0.3, V4.0.4, V4.0.5, V4.0.6, and V4.0.7; Microsoft Team Foundation Server 2008 and 2010 Defect Tracking System (macOS): Rational Team Concert V4.0, V4.0.1, V4.0.2, V4.0.3, V4.0.4, V4.0.5, V4.0.6, and V4.0.7 External Database Support: Oracle 11g (32-bit), Oracle 12c License Server: IBM Rational License Server Versions 8.1.1, 8.1.2, 8.1.3 and 8.1.4 (if activating by floating license) Translated national languages: English, Brazilian Portuguese, Simplified Chinese, Traditional Chinese, German, Spanish, French, Italian, Japanese, Russian and Korean	Processor: 2 CPU Memory: 2 GB RAM minimum (with 8 GB or more recommended) Disk Space: 3 GB (4 GB required for installation) Network: 1 NIC 10 Mbps for network communication with configured TCP/IP (100 Mbps recommended)

Operating System	Software	Hardware
Microsoft Windows 10 Education, Enterprise, and Pro 32 and 64-bit (in 32-bit mode) Microsoft Windows 8 Professional and Enterprise 32 and 64-bit (in 32-bit mode) Microsoft Windows 8.1 Professional and Enterprise 32 and 64-bit (in 32-bit mode) Microsoft Windows 7 Professional, Enterprise & Ultimate 32 and 64-bit (in 32-bit mode) Microsoft Windows Server 2008 Enterprise and Standard (SP1 and SP2)(32-bit x86) Microsoft Windows Server 2008 R2 Enterprise and Standard 64-bit (in 32-bit mode) Microsoft Windows Server 2012 Datacenter, Standard, Essentials, and Foundation (in 32-bit mode) Microsoft Windows Server 2012 R2 Datacenter, Standard, and Essentials (in 32-bit mode) RedHat Enterprise Linux 5.0 (through Update 8), 6.0 (through Update 7) Workstation & Server 32 and 64-bit (in 32-bit mode) macOS Versions 10.10, 10.11 and 10.12 (IBM Security AppScan Source for Security, IBM Security AppScan Source for Development (Eclipse plug-in), and IBM Security AppScan Source for Automation only)	Compilers: GNU Compiler Collection (gcc) for Linux, Visual Studio 2010 (V10) for Windows, Visual Studio 2012 (V11) for Windows, Visual Studio 2013 (V12) for Windows, Xcode Versions 6.3, 6.4, 7.0, 7.1, 7.2, 7.3 and 8 for Objective-C (for Apple iOS applications only), Java V1.5, and higher, Java EE Application Servers: Tomcat V5, V6, V7, and V8, Oracle Weblogic Server V8, V9, V11, and V12, IBM WebSphere Application Server (V7, V8, V8.5, and V8.5.5) Language Support for Security Testing (Windows): Java™, Android, JavaScript, JSP, ColdFusion, C, C++, .NET (C#, ASP.NET, and VB.NET), Classic ASP (JavaScript/VBScript), PHP (5.5, 5.6, and 5.7), Perl, Visual Basic 6, PL/SQL, T-SQL, and COBOL Language Support for Security Testing (Linux): Java™, Android, JavaScript, JSP, ColdFusion, C, C++, PHP (5.5, 5.6, and 5.7), Perl, PL/SQL, T-SQL, and COBOL Language Support for Security Testing (macOS): Objective-C in Xcode projects, Java, Android, JavaScript, JSP IDE Plug-in and Project File scanning support (Windows): IBM Worklight V6.0 and 6.1.0, IBM Worklight Foundation V6.2, and IBM MobileFirst Platform V6.3, V7.0, and V7.1; Eclipse versions 3.8, 4.2, 4.2.x, 4.3, 4.3.1, 4.3.2, 4.4, and 4.5; IBM Rational Application Developer (RAD) V8.5, V8.5.1, V8.5.5, V9.0, V9.0.1, V9.1, and V9.1.1; Visual Studio 2010 (Professional, Premium, and Ultimate), Visual Studio 2012 (Professional, Premium, and Ultimate), and Visual Studio 2013 (Professional, Premium, and Ultimate); Visual Studio supports C++, C#, ASP.NET, and VB.NET; Visual Studio 2015 project files can be scanned; Eclipse and RAD support scanning Java (including Android), JavaServer Pages (JSP), and IBM MobileFirst Platform projects IDE Plug-in and Project File scanning support (Linux): IBM Worklight V6.0 and 6.1.0, IBM Worklight Foundation V6.2, and IBM MobileFirst Platform V6.3, V7.0, and V7.1; Eclipse versions 3.8, 4.2, 4.2.x, 4.3, 4.3.1, 4.3.2, 4.4, and 4.5; IBM Rational Application Developer (RAD) V8.5, V8.5.1, V8.5.5, V9.0, V9.0.1, V9.1, and V9.1.1; Eclipse and RAD support scanning Java (including Android), JavaServer Pages (JSP), and IBM MobileFirst Platform projects IDE Plug-in and Project File scanning support (macOS): IBM Worklight V6.0 and 6.1.0, IBM Worklight Foundation V6.2, and IBM MobileFirst Platform V6.3, V7.0, and V7.1; Eclipse versions 3.8, 4.2, 4.2.x, 4.3, 4.3.1, 4.3.2, 4.4, and 4.5; IBM Rational Application Developer (RAD) V9.0, V9.0.1, V9.1, and V9.1.1; Eclipse and RAD support scanning Java (including Android), JavaServer Pages (JSP), and IBM MobileFirst Platform projects Defect Tracking System (Windows and Linux): IBM Rational ClearQuest® V7.1.1, V7.1.2, V8.0, and V8.0.1; HP Quality Center V9.2, V10.0, and V11.5; IBM Rational Team Concert V4.0, V4.0.1, V4.0.2, V4.0.3, V4.0.4, V4.0.5, V4.0.6, and V4.0.7; Microsoft Team Foundation Server 2008 and 2010 Defect Tracking System (macOS): Rational Team Concert V4.0, V4.0.1, V4.0.2, V4.0.3, V4.0.4, V4.0.5, V4.0.6, and V4.0.7 External Database Support: Oracle 11g (32-bit), Oracle 12c License Server: IBM Rational License Server Versions 8.1.1, 8.1.2, 8.1.3 and 8.1.4 (if activating by floating license) Translated national languages: English, Brazilian Portuguese, Simplified Chinese, Traditional Chinese, German, Spanish, French, Italian, Japanese, Russian and Korean	Processor: 2 CPU Memory: 2 GB RAM minimum (with 8 GB or more recommended) Disk Space: 3 GB (4 GB required for installation) Network: 1 NIC 10 Mbps for network communication with configured TCP/IP (100 Mbps recommended)