Home
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Dynamic scanning (DAST)
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
Creating an API scan
ASoC supports different workflows for scanning a web API. If you have a Postman collection, OpenAPI specification file or recorded traffic of your web API, you can import it and use it as the basis for a scan by using the API scan configuration. Alternatively, you can use the Postman collection files or the OpenAPI specification files with the REST API.
Using recorded traffic
If you have recorded traffic of your web API, you can import it and use it as the basis for a scan. For example, if there are API endpoints that are not part of the Postman collection or if you have API functional automation, you can record the traffic when the API automation runs and feed the traffic to AppScan for security testing.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
- About dynamic analysis (DAST)
  An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Creating a web application scan
    Provide the starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Creating an API scan
    ASoC supports different workflows for scanning a web API. If you have a Postman collection, OpenAPI specification file or recorded traffic of your web API, you can import it and use it as the basis for a scan by using the API scan configuration. Alternatively, you can use the Postman collection files or the OpenAPI specification files with the REST API.
    - Using a Postman collection
      If you have a Postman Collection of requests to your web API, you can import it and use it as the basis for a scan by using the API scan configuration wizard or the REST API.
    - Using an OpenAPI specification file
      You can use an OpenAPI specification file to automatically scan your API. It ensures a more thorough and accurate scan, helping to find potential issues across the entire API.
    - Using recorded traffic
      If you have recorded traffic of your web API, you can import it and use it as the basis for a scan. For example, if there are API endpoints that are not part of the Postman collection or if you have API functional automation, you can record the traffic when the API automation runs and feed the traffic to AppScan for security testing.
  - Creating scan from template
    You can upload your own AppScan Standard template (SCANT) file to run an ASoC scan.
  - Creating scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an ASoC scan.
  - Creating an Incremental scan
  - Test policies
    The test policies is a list of web application security scan settings. You can select one of the predefined test policies available when running scans from the ASoC user interface, but other policies can be applied with imported scans or scans run from the API. You can also upload custom test policies that you created in AppScan Standard and AppScan Enterprise.
  - Test optimization
    Test optimization uses intelligent test filtering to achieve faster scans with minimal loss of issue coverage. When speed is a consideration, choose between four optimization levels.
  - Test automation
    Incorporate dynamic scanning in your functional testing.
  - Client certificates
  - Azure OpenAI
    Azure OpenAI can be integrated with AppScan via API endpoints to enhance accuracy by reducing false positives and improving test results.
- AppScan Presence
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
- Recording traffic
  You can record traffic as Explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Creating an API scan using recorded traffic

If you have recorded traffic of your web API, you can import it and use it as the basis for a scan. For example, if there are API endpoints that are not part of the Postman collection or if you have API functional automation, you can record the traffic when the API automation runs and feed the traffic to AppScan for security testing.

Before you begin

Backup your site before scanning.
If you have not yet done so, Create an application for your scans.
Verify with ASoC that you have permission to scan the domain (see Verifying a domain), or you can authorize domains without verification using Domain management.
If your site is not available on the Internet, and an AppScan Presence does not yet exist on the server: Creating the AppScan Presence.
If scanning a live production site, refer first to What changes should I make when scanning a live production site?

About this task

Ensure you have the recorded traffic file that was recorded using one of the following methods:

Recorded using an Activity recorder through Swagger UI
AppScan Standard with Postman or SoapUI
Using a traffic recorder

For web APIs, the best option is usually the HCL AppScan Traffic Recorder.

Procedure

On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis.
In the Create scan: DAST dialog, choose API scan to begin the configuration process.
Select the API explore method, Recorded traffic.
Drag and drop your file to the marked area, or click the Add icon to browse and add the dast.config file that has the recorded traffic.
In the Domains to test section, you must add all verified/allowed domains you want to include in the scan. Both these formats are valid:
- https://demo.testfire.net/
- demo.testfire.net
Important: Domains not listed will not be scanned.
Configure the other scan options as required, such as authentication, test policies, and other advanced settings. For more information, see Creating an API scan.
Click Scan. The recorded traffic file is imported. Run the scan to detect any vulnerabilities in your web API.

What to do next

You can view the status of the scan on the Scans and sessions page.