Home
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Deploy on Kubernetes
AppScan supports automatic installation of IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed on any starting pod.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
- About interactive monitoring (IAST)
  ASoC can monitor normal application runtime behavior to detect vulnerabilities.
- Starting an IAST session
  Install the IAST agent on your application server, and configure the scan.
- Deploying an IAST agent
  Deploy the IAST agent on the application server so it can monitor communication with the application and report to ASoC.
- Deploy on Kubernetes
  AppScan supports automatic installation of IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed on any starting pod.
- Deploy on Azure App Service
  Use the IAST agent to monitor applications that run on Azure App Service.
- OWASP Benchmark with IAST agent
- IAST using the REST API
  Configure and start an IAST scan, including agent deployment, through the REST API.
- IAST configuration file
  Configure a JSON file to override the default IAST settings, and report only the vulnerabilities you want to know about.
- User settings
  Some low-level IAST behavior can be controlled with user parameters.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
- IAST troubleshooting
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Deploying an IAST agent on Kubernetes

AppScan supports automatic installation of IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed on any starting pod.

About this task

Illustration of the steps for installing an IAST agent on Kubernetes, with support for Java, .Net, and Node.js applications.

Image showing installation on Kubernetes

Procedure

Download the ASoC Kubernetes IAST agent, as described here.
Extract the contents of the ZIP file.
To install the IAST agent in your Kubernetes cluster:
1. Run the install-secagent-webhook.sh script.
  This script installs the MutatingAdmissionWebhook in the cluster, which will then add an IAST agent to each pod when it starts.
2. To apply the IAST agent, restart any existing pods.

Optional: You can configure the IAST installer to skip specific pods or specify the language of the pod for agent detection. The config file must be placed in the “config” folder before running the install-secagent-webhook.sh script.

Examples of configurations are available in the "examples" folder of the extracted zip.

{ 
                        // don't install IAST agent on service1. Default for ignore is false 
                        "name":"service1", 
                        "namespace":"default", 
                        "ignore":true 
                        }, 
                        { 
                        // hint IAST installer that service2 is Java. Possible values: java, net-core, nodejs 
                        "name":"service2", 
                        "namespace":"my-namespace", 
                        "agents":["java"] 
                        },

To view the pod name of the issues reported from the different pods, see the Additional Info section of the Issue Details tab.
To uninstall the IAST agent in your Kubernetes cluster:
1. Run the uninstall-secagent-webhook.sh script.
2. To complete the uninstallation process, you need to restart any running pods since the agent is not automatically removed from them during uninstallation.