Jump to main content
Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
About HCL AppScan 360°
HCL AppScan 360° is unified application security, visibility, and risk management. Versatile, scalable, and deployable anywhere.
What's new in HCL AppScan 360°
Explore new features that have been added to HCL AppScan 360°, and note any features and capabilities that have been deprecated in this release.
Roles and workflows
Learn about different AppScan 360° tasks and workflows for different AppScan 360° users.
Sample apps and scripts
Use these sample applications to practice scanning with AppScan 360°.
Contact and support
Useful links to human and online resources.
Compliance
Licensing
Installation
Learn about AppScan 360° architecture and how to install the product.
Administration
Define users, applications, policies, and configure DevOps integrations.
Users
User management allows you to control access to sensitive applications by assigning them to asset groups and then adding specific users to those groups.
Applications
An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to asses risk, identify trends, and make sure that your project is compliant with industry and organization policies.
Policies
You can apply the predefined policies, as well as your own custom policies, to show only data for the issues that are relevant for you.
DevOps
Tools for incorporating AppScan 360° in your software development lifecycle.
Personal scans
A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
Scan status
Audit trail
The audit trail (Organization > Audit trail) logs user activity.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
All applications
The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. From the Applications page, you can create new applications and open individual application pages.
Scans and sessions
This view lists all scans and sessions in all your applications.
Dashboard
The main dashboard is the third item on the main menu bar. It gives you a detailed overview of the current state and history of all your applications.
Organization
Organization is your go-to hub for managing policies, domains, settings, and audit trails – it's where you control and organize it all.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments.
About dynamic analysis (DAST)
An AppScan 360° dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
Dynamic scanning (DAST)
AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.
Recording traffic
You can record traffic as Explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
HCL AppScan Traffic Recorder
The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
AppScan Standard
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
System requirements for static analysis
Supported operating systems and the types of files, locations, and projects that can be scanned by AppScan 360° when you perform static analysis.
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.
Static analysis troubleshooting
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Sample Security Reports
Application reports
Scan data
Issues
The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
Fix groups
Fix groups currently apply only to issues found in static analysis scans.
Reports
Generate reports for issues discovered in an application. Send reports to send to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
Remediation
After risks are determined and vulnerabilities are prioritized, your security team can start the remediation process.
Rescanning
Following your first scan, as you fix issues you can scan the same application again multiple times and overwrite the previous results; the dashboard always displays the current results. When you scan again (rather than starting a new scan), the rescan overwrites the previous one.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).
FAQ
Some frequently asked questions.
Threat Class and CWE
Tables showing threat classes of issues tested for by AppScan 360°, and their related CWE numbers.
CSV format
This section describes how to save response data as in CSV format.
Notices