Welcome
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
User settings
Some low-level IAST behavior can be controlled with user parameters.

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
- About interactive monitoring (IAST)
  AppScan 360° can monitor normal application runtime behavior to detect vulnerabilities.
- Starting an IAST session
  Install the IAST agent on your application server, and configure the scan.
- Deploying IAST
  Deploy the IAST agent on the application server so it can monitor communication with the application and report to AppScan 360°.
- Deploy on Kubernetes
  AppScan supports automatic installation of IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed on any starting pod.
- Deploy on Azure App Service
  Use the IAST agent to monitor applications that run on Azure App Service.
- OWASP Benchmark with IAST agent
- IAST using the REST API
  Configure and start an IAST scan, including agent deployment, through the REST API.
- IAST configuration file
  Configure a JSON file to override the default IAST settings, and report only the vulnerabilities you want to know about.
- User settings
  Some low-level IAST behavior can be controlled with user parameters.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
- IAST troubleshooting
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

IAST environment variables and Java properties

Some low-level IAST behavior can be controlled with user parameters.

Here are a few options, ordered by their priority:

Set an environment variable
Add a Java property, using -Dproperty_name=property_value in the Java command
Add a property to MANIFEST.MF file, inside Secagent.war under META-INF directory


Environment variable name	Java property name / Manifest name	Description	Value
`IAST_LOG`	`secagent.log`	Specify a file to be used as the IAST log. Note: File must exist.	File name
`FLUSH_ON_EVERY_WRITE`	`secagentFlushOnEveryWrite`	When set, log prints are not buffered. This is useful for debug sessions to get the log filled immediately.	True/False
`IAST_MEMORY_DEBUG`	`secagentMemoryDebug`	Turns on memory usage debug prints approximately every 10 seconds.	True/False
`IAST_GC_DEBUG`	`secagentGcDebug`	Turns on GC activity debug prints.	True/False
`IAST_ACCESS_TOKEN`	n/a	Access token for communication with IAST session in AppScan 360° and AppScan Enterprise. Important: Setting this variable overrides the default value embedded in the agent when downloaded from AppScan 360° or AppScan Enterprise.	For an existing agent, it can be obtained by choosing Generate new key in the drop-down menu.
`IAST_ACCESS_TOKEN`	n/a	Relevant for AppScan Enterprise users: ASE HOST URL Important: Setting this variable overrides the default value embedded in the agent when downloaded from AppScan 360° or AppScan Enterprise.	URL or IP for accessing AppScan Enterprise instance.
`IAST_RUNTIME_SCA`	n/a	Enables runtime detection of libraries in addition to standard IAST functionality.	True/False
`IAST_SCA_PROD`	n/a	Enables runtime detection of libraries and disables standard IAST functionality.	True/False

Examples

Setting log file through Java property:

Java -Dsecagent.log=/tmp/myLogDir/MySecagentLog.txt <myApp.jar>

Setting AppScan 360° token through environment variable:

Set IAST_ACCESS_TOKEN RUO5+3JYKRKRSNH7HEIyY3HQWZrWYnNMDCRL0HAw=