FAQ

Some frequently asked questions.

General

What are the Kubernetes platforms supported by AppScan 360°?

AppScan 360° does not use any platform-specific features and is expected to work on all Kubernetes platforms, but not all of them have been verified. AppScan 360° is verified to work on the following Kubernetes platforms:

  • K0s
  • K3s
  • K8s
  • OpenShift
  • VMware
  • Tanzu

If you have extra security measures, you might need to do additional checks and modifications in the configuration. For example, OpenShift requires some prerequisites to work with AppScan 360°. For more information, see What are the prerequisites for using OpenShift with AppScan 360°?

What is Harbor and how do I use it?

HCL Harbor is HCL Software's container registry. From Harbor you can download Docker images (read-only templates containing the application code, libraries, tools, and dependencies needed to run AppScan 360°) and Helm charts (packages of pre-configured Kubernetes resources that simplify the deployment and management of AppScan 360° in a Kubernetes cluster).

To login to HCL Harbor:
  1. Go to https://hclcr.io.
  2. Click LOGIN VIA OIDC PROVIDER.
  3. Log in with your HCL credentials.
  4. Select Projects > AppScan 360°.

    The Repositories tab contains the latest AppScan 360° Docker images and Helm charts for download.

If you are using Kubernetes, you may need to add a CLI secret to your Kubernetes configuration. Do one of the following:
  • Use docker login hclcr.io with your username and password.
  • Set environment variables for the docker/config.json file:
    export HCLCR_USERNAME=
    export HCLCR_PASSWORD=
  • Set an environment variable containing the base64-encoded docker/config.json:
    export AS360_KNI_JSON_CONFIG_AS_BASE64=""

Contact HCL Support if you encounter issues with logging in.
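The following shell script is an added example, not part of HCL's documentation or the AppScan 360° charts. It shows what the base64 value for AS360_KNI_JSON_CONFIG_AS_BASE64 is built from (the docker config.json that docker login hclcr.io would write) and emits the equivalent kubernetes.io/dockerconfigjson Secret that can serve as an imagePullSecret. The secret name hclcr-pull-secret and the namespace appscan360 are assumptions; the credentials alice / s3cret in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example (not HCL's code): build the registry credential JSON for
# hclcr.io, base64-encode it for AS360_KNI_JSON_CONFIG_AS_BASE64, and print
# a matching Kubernetes pull secret. Secret name and namespace are assumptions.

REGISTRY="hclcr.io"

# b64 STRING -> base64 without line wrapping (GNU base64 wraps at 76 columns,
# which Kubernetes and the AppScan variable do not accept).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# docker_config_json USER PASSWORD -> the config.json content Docker writes
# after `docker login hclcr.io`. The "auth" field is base64("user:password");
# username/password are included as well, as `kubectl create secret
# docker-registry` does. Assumes the values contain no quotes or backslashes.
docker_config_json() {
  auth=$(b64 "$1:$2")
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$REGISTRY" "$1" "$2" "$auth"
}

# config_as_base64 USER PASSWORD -> value for AS360_KNI_JSON_CONFIG_AS_BASE64
config_as_base64() {
  b64 "$(docker_config_json "$1" "$2")"
}

# pull_secret_manifest USER PASSWORD [NAME] [NAMESPACE] -> Secret manifest
# that `kubectl apply -f -` can create and a Pod can reference in
# imagePullSecrets. Defaults are assumed names, not AppScan defaults.
pull_secret_manifest() {
  name="${3:-hclcr-pull-secret}"
  ns="${4:-appscan360}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(config_as_base64 "$1" "$2")
EOF
}

# Take the credentials from the environment (HCLCR_USERNAME / HCLCR_PASSWORD,
# as in the FAQ) rather than from command-line arguments, so the password
# does not end up in shell history or in `ps` output. Nothing runs when they
# are unset, so the file can be sourced safely.
if [ -n "$HCLCR_USERNAME" ] && [ -n "$HCLCR_PASSWORD" ]; then
  AS360_KNI_JSON_CONFIG_AS_BASE64=$(config_as_base64 "$HCLCR_USERNAME" "$HCLCR_PASSWORD")
  export AS360_KNI_JSON_CONFIG_AS_BASE64
  pull_secret_manifest "$HCLCR_USERNAME" "$HCLCR_PASSWORD"
fi
```

Usage: export HCLCR_USERNAME and HCLCR_PASSWORD, then run the script and pipe its output to kubectl apply -f -; the exported AS360_KNI_JSON_CONFIG_AS_BASE64 value is the same bytes the Secret carries in .dockerconfigjson. Treat the resulting manifest as a credential: do not commit it to a repository, and prefer a cluster secret store where one is available.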

Where is the AppScan 360° Helm repository?

The AppScan 360° Helm repository is hosted on a public GitHub server at https://github.com/HCL-TECH-SOFTWARE. You can clone the appropriate repository from this location.

Why did my scan fail?

Possible reasons your scan might fail or come under review include:
  • An invalid app file
  • The Test Set you selected is not suited to your site or app
  • AppScan Central Platform is not functioning correctly, or at all

If you avoid these issues, your scan is more likely to complete automatically and quickly. This is especially important when you incorporate AppScan 360° scanning into an automated process, where scan time should be as short as possible.

How long does a scan take to complete?

Depending on application size and complexity, from a few minutes to much longer. You can elect to receive an email when the scan is complete.

What security issues does AppScan 360° test for?

  • AppDOS
  • Browser Caching Sensitive Information
  • Comments Reveal Sensitive Information
  • Configuration Issue
  • Cross-Site Scripting (XSS)
  • DB Connection String Manipulation
  • Email Phishing
  • Email Tampering
  • Encoding Required
  • Exposed Web Service
  • File Tampering
  • File Upload
  • HTTP Request Splitting
  • HTTP Response Splitting
  • LDAP Injection
  • Open Redirect
  • OS Command Injection
  • Path Traversal
  • Potential Business Logic Issue (also covers Insecure Direct Object Reference)
  • Privilege Escalation
  • RegEx Injection
  • Remove Test Code
  • Second-Order Injection
  • Sensitive Data Exposure
  • Sensitive Data Stored in Logs
  • Sensitive Information Revealed in Error Message
  • Session Management Timeout Value Too Large
  • SQL Injection
  • Unencrypted Communications
  • URL Tampering
  • Use of Cryptographically Unsafe Random Number Generator
  • Use of Hidden Fields
  • Use of Insecure Cryptography Algorithm
  • Use of Unsafe Native Code
  • Weak Access Control
  • Weak Authentication
  • XML Injection
  • XPath Injection
  • XSLT Injection

Why is the Risk Rating for my application "Unknown"?

Risk Rating is calculated for an application based on two factors:
  • Issues found (by AppScan 360°)
  • Business Impact (assigned by the user)

If no issues have yet been found, or if Business Impact is "Unspecified" (the default), the Risk Rating will be "Unknown". To change the Business Impact, see Risk rating.

DAST

Why is my scan "Queued"?

The number of scans that can be run at the same time (concurrent scans) depends on available resources. If you start a scan when your maximum number of concurrent scans is already running, the new scan is queued. Queued scans run automatically, in the order you started them, as soon as available resources allow.

Note that the maximum number of scans that can be queued also depends on available resources. When the queue is full, you will not be able to start additional scans.

The order of a queue cannot be edited, and follows the order the scans were started.

Why can I no longer specify the environment to be Staging or Production?

Until recently, DAST scan configuration included a choice between Staging and Production environments, intended to reduce the risk of the scan affecting your site's stability. New configuration options in the wizard have made this setting redundant, so it has been removed. Instead, if you are scanning a production site, consider making the following configuration changes:
  • In Explore > Automatic form fill, clear the check box to disable this option.
  • In Communication > Maximum request rate, the default value should be fine for most production sites, but you can consider reducing the maximum number of requests allowed per second to reduce traffic to your site.

For more details and suggestions, see the next section.

What changes should I make when scanning a live production site?

Where possible, run DAST scans on staging rather than production sites, because a DAST scan on a live production site may affect the site's stability. Where a production scan is necessary, the following points can help you configure it effectively.

Database may get filled with artificial information sent during scanning

You can reduce the impact of this by taking the following precautions:
  1. In Explore > Automatic form fill, clear the check box.

    This will ensure that AppScan 360° does not fill forms automatically, submitting data that might flood a database, bulletin board or online forum system, or send unwanted email to an administrator or moderator account. However, you should be aware that doing this will limit AppScan 360°'s ability to reach areas of the site that are accessed by submitting forms. In this mode of operation, AppScan 360° will only scan areas of the site that can be accessed by following links (with or without parameters).

  2. In Communication > Maximum request rate, consider reducing the maximum number of requests allowed per second.
  3. Create a test account.
    Using a test account makes it easier to track database changes (for example, to make sure that services are not actually ordered), and helps site administrators clean up the site after scanning. When creating the account consider doing some or all of the following:
    • Limit database access to test records only, so that modified records can be restored.
    • Ensure that new records created by the test account will be deleted.
    • Ensure that purchase orders (or other transactions) from the test account will be ignored.
    • If transactions have an impact (such as when dealing with stocks), allow the account access to test records only.
    • If the site has forums, allow the test account access to test forums only, so that real customers will not see the tests created during the Test stage.
    • If the site has different privileges for different accounts, set up more than one test account, with different privileges. This will ensure a more comprehensive scan of the site.
    • Do not create a test account with administrator-level access.

Risk of email flooding

When testing pages that use email notification, AppScan 360° generates many requests and may overload the site's email server. If feasible, temporarily change the email addresses on the pages being tested, so that email is sent to an invalid email address.

Test Optimization: If it scans faster, why shouldn’t I always use it?

Test optimization is great when you need faster results, but it is not as thorough as a non-optimized scan. We recommend optimized scans when speed is important, but that you also back them up with full scans at regular intervals.

Test Optimization: Can I expect the results of two optimized scans on the same site to be identical?

Our team constantly analyzes and updates the optimization settings, so each AppScan update ships with improved settings; even if the site is unchanged, the results of two optimized scans may therefore not be identical. However, it is unlikely that a test that revealed an issue in the earlier scan would be filtered out of the later scan at the same optimization level.

OTP: How do I identify the OTP HTTP-parameter?

For DAST scans of sites that use OTP (one-time password), AppScan needs to know the name of the HTTP parameter that carries the OTP in order to log in to the application. It usually identifies the parameter when validating the recorded login. If it fails to do so, or if you use automatic login (rather than recorded login), you must add the parameter yourself.

To identify the parameter:
  1. Browse to the application's login page.
  2. Press F12 to open the developer tools pane of the browser (it opens to the right of, or underneath, the main browser pane).
  3. Click on the Elements tab to view the HTML code.

    When you select a part of the code, the element is highlighted in the main browser pane.

  4. Locate the element that highlights the OTP field.
    Example:
    <input type="text" name="OTPvalue" value="">
  5. The value of the name parameter, without the quotation marks, is the OTP HTTP parameter you need.
    Example:
    OTPvalue
  6. If there is more than one OTP HTTP parameter, separate them with commas.
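When the login page has been saved to disk (for example from the developer tools or with a fetch), the same lookup can be done from a shell. The script below is an added example, not part of HCL's documentation: it lists the name attributes of all <input> elements in an HTML file and joins those matching an OTP-like pattern with commas, which is the format step 6 asks for. The sample login form and the names OTPvalue and smsCode in it are constructed; the default pattern otp|code is a heuristic assumption and the output must still be checked against the page.

```shell
#!/bin/sh
# Added example (not HCL's code): extract candidate OTP parameter names from
# a saved login page. Sample form below is constructed for illustration.

# input_names FILE -> one name="..." (or name='...') value per line for every
# <input> tag in FILE. Tags must sit on a single line, which is the usual case.
input_names() {
  grep -o '<input[^>]*>' "$1" | sed -n "s/.*name=[\"']\([^\"']*\)[\"'].*/\1/p"
}

# otp_candidates FILE [PATTERN] -> comma-separated input names whose name
# matches PATTERN (case-insensitive). The default pattern is a heuristic;
# a CSRF token field named "code" would also match, so review the result.
otp_candidates() {
  pattern="${2:-otp|code}"
  input_names "$1" | grep -Ei "$pattern" | paste -sd, -
}

# Constructed login form standing in for a page saved from the browser.
LOGIN_PAGE=$(mktemp)
trap 'rm -f "$LOGIN_PAGE"' EXIT
cat > "$LOGIN_PAGE" <<'EOF'
<form method="post" action="/login">
  <input type="text" name="username" value="">
  <input type="password" name="password" value="">
  <input type="text" name="OTPvalue" value="">
  <input type='text' name='smsCode' value=''>
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="submit" value="Sign in">
</form>
EOF

echo "All input parameters:"
input_names "$LOGIN_PAGE"
echo "OTP HTTP parameter value for the scan configuration:"
otp_candidates "$LOGIN_PAGE"
```

For the constructed form this prints OTPvalue,smsCode as the value to enter for the OTP HTTP parameter. Pass a second argument to narrow the pattern (for example otp_candidates page.html otp) when the default picks up unrelated fields.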

Which protocols are supported for DAST scans?

AppScan 360° can scan applications that require TLS 1.0, 1.1, 1.2, and 1.3.

Which TLS protocol does AppScan 360° support for connecting to the AppScan 360° service?

AppScan 360° supports TLS 1.2 for connecting to the service.

Why has the number of Medium severity issues increased in my rescan?

When rescanning a scan that was originally run using a version of the DAST engine earlier than v10.2.0, more Medium severity issues are found in the rescan than in the original scan.

From AppScan DAST engine version 10.2.0, CWE issue severity and CVSS scoring are based on CVSS version 3.1. Scans run using older versions of the DAST engine used CVSS 2.0 scoring. Some issues that were assigned Low severity in the older version are assigned Medium severity in 10.2.0, resulting in an increase in Medium severity issues. This will be changed in a future version of the DAST engine.

SAST

What is a static analysis IRX file and what does it contain?

An IRX file is an encrypted zip archive that contains the information necessary to run a full static analysis of your program. It is encrypted at rest upon creation, as well as during transport to the cloud (over SSL).

Internally, an IRX archive contains these files and artifacts:

  • A proprietary and obfuscated representation of your deployable program artifacts, built from your deployed source code (for example, Java bytecode or .NET MSIL). To learn which languages are supported for static analysis scans, see System requirements for static analysis.
  • Any runtime script files that are deployed with your program that can be analyzed for security vulnerabilities (for example, .js (JavaScript) or .rb (Ruby) files).
  • Static Analyzer configuration files that describe the application or project hierarchy and relationships or dependencies of your program. This allows for accurate and complete security analysis across project boundaries within your application.
  • Static Analyzer log files generated during the creation of the archive (for diagnostics and support).