Welcome
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
Dynamic scanning (DAST)
AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
- About dynamic analysis (DAST)
  An AppScan 360° dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Creating a web application scan
    Provide the starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Creating an API scan
    AppScan 360° supports different workflows for scanning a web API. If you have a Postman collection, OpenAPI specification file or recorded traffic of your web API, you can import it and use it as the basis for a scan by using the API scan configuration. Alternatively, you can use the Postman collection files or the OpenAPI specification files with the REST API.
  - Creating scan from template
    You can upload your own AppScan Standard template (SCANT) file to run an AppScan 360° scan.
  - Creating scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an AppScan 360° scan.
  - Creating an Incremental scan
  - Test policies
    The test policies is a list of web application security scan settings. You can select one of the predefined test policies available when running scans from the ASoC user interface, but other policies can be applied with imported scans or scans run from the API. You can also upload custom test policies that you created in AppScan Standard and AppScan Enterprise.
  - Test optimization
    Test optimization uses intelligent finding analytics (IFA) to achieve faster scans with minimal loss of issue coverage. When speed is a consideration, choose between four optimization levels.
  - Test automation
    Incorporate dynamic scanning in your functional testing.
  - Client certificates
  - Intelligent Finding Analytics (IFA)
    Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) and machine learning (ML) to analyze data, discover patterns, and make predictions, ultimately transforming data into actionable insights. IFA goes beyond regular data analysis by using advanced methods to find deeper meanings and make smart decisions.
- Recording traffic
  You can record traffic as Recorded explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Troubleshooting Dynamic Analysis
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

Dynamic scanning (DAST)

AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.

The DAST scan wizard offers the following methods:


Option	Description
Select scan method
Scan a web application	Configure and run your scan in AppScan 360° using the wizard options. Upload a recording of the login procedure, if needed. Upload a traffic file (DAST.CONFIG) to ensure that specific parts of the application are covered. Creating a web application scan
API scan	Configure and run your scan in AppScan 360° using the wizard options. Creating an API scan Upload a Postman collection Upload a recorded traffic file (DAST.CONFIG)
Scan from file
From template	If you have an AppScan Standard template (SCANT) file, you can use it as the configuration for your AppScan 360° scan. This lets you benefit from all the configuration options available in AppScan Standard. An AppScan Standard template also includes the login recording and multistep configuration. The template does not include a Manual Explore, but you can upload a traffic recording (DAST.CONFIG file) to ensure that specific parts of the application are covered. Creating a new scan from a template file
From scan file	If you have an AppScan Standard scan (SCAN) file, you can use it as the configuration for your AppScan 360° scan. Manual Explore, Multistep operations, and Web API files such as a Postman Collection saved in the SCAN file are included in the scan. You can run a full scan or use the existing Explore date from the file and run only the Test stage of the scan. Creating a new scan from a scan file
Note: AppScan 360° limits file uploads to 2GB.

Related topics

For a list of Threat Classes tested for in dynamic analysis, and their related CWEs, see Dynamic analysis (DAST).