Welcome
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Deploying IAST
Deploy the IAST agent on the application server so it can monitor communication with the application and report to AppScan 360°.
Deploying a Node.js IAST agent
You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a Node.js agent type on your web server.

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
- About interactive monitoring (IAST)
  AppScan 360° can monitor normal application runtime behavior to detect vulnerabilities.
- Starting an IAST session
  Install the IAST agent on your application server, and configure the scan.
- Deploying IAST
  Deploy the IAST agent on the application server so it can monitor communication with the application and report to AppScan 360°.
  - Deploying a Java IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a Java agent type on your web server.
  - Deploying a .NET IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a .NET agent type on your web server.
  - Deploying a Node.js IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a Node.js agent type on your web server.
  - Deploying a PHP IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a PHP agent type on your web server.
- Deploy on Kubernetes
  AppScan supports automatic installation of IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed on any starting pod.
- Deploy on Azure App Service
  Use the IAST agent to monitor applications that run on Azure App Service.
- OWASP Benchmark with IAST agent
- IAST using the REST API
  Configure and start an IAST scan, including agent deployment, through the REST API.
- IAST configuration file
  Configure a JSON file to override the default IAST settings, and report only the vulnerabilities you want to know about.
- User settings
  Some low-level IAST behavior can be controlled with user parameters.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
- IAST troubleshooting
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

Deploying a Node.js IAST agent

You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a Node.js agent type on your web server.

Procedure

Generate a key for the Node.js agent (through the user interface or API).
On your web server:
1. Add an environment variable: IAST_ACCESS_TOKEN: [key]
2. Open the command prompt and run:
```
npm install --save @hclsoftware/secagent
```
3. Edit package.json by locating this line:
```
"start": "node index.js",
```
  and editing it to this:
```
"start": "node -r @hclsoftware/secagent/src/Iast.js index.js",
```
Note: Alternatively, you can add the key to the package.json command as follows:
- Windows: "start": "set IAST_ACCESS_TOKEN=12345 && node -r @hclsoftware/secagent/src/Iast.js index.js"
- Linux: "start": "IAST_ACCESS_TOKEN=12354 node -r @hclsoftware/secagent/src/Iast.js index.js"
Tip: If you use Next to run your applications, the IAST agent can be run with NODE_OPTIONS environment variable before the original command, for example: NODE_OPTIONS='-r @hclsoftware/secagent/src/Iast.js' next app.js
Start your application using npm start.

Results

The IAST agent will monitor requests and report security issues as you use or test your application (run functional tests, run a Dynamic Scan, or explore the app manually).