What's new in AppScan on Cloud

• Use updated issue type for runtime SCA issues.
• Show URL in method-signature field of stack-less issues, to be shown in location field in AppScan on Cloud.
• Improved support for RabbitMQ.
• Use new issue types: PasswordLeakageDB and PasswordLeakageSentData.

• Use updated issue type for runtime SCA issues.
• Show URL in method-signature field of stack-less issues, to be shown in location field in AppScan on Cloud.

• Version 2 of REST API was deprecated on July 30,2024, it is no longer supported and will be removed soon. Please use REST API V4 instead. Review the technical overview for assistance in migrating to the updated API.

• New IAST .NET agent (1.11.2)
  • Support for runtime SCA.
  • Alternative installation method to NuGet, using a startup hook.

• Static analysis client updated to 8.0.1574.
• Support for Java 21. In addition, Java 21 is included in the Static Analyzer Command Line Utility (SAClientUtil) package.
• CLI command queue_analysis displays scan IDs for both static analysis (SAST) and Software Composition Analysis (SCA).
• IFA 2.0 enabled for .NET trace findings.
• Secrets scanner scans PowerShell (.ps1) files.
• When users have more than 5000 applications, scan submissions from the command line interface or AppScan Go! no longer fail.
• Updates to rules for Angular, ASP, CSS, Dart, Java source code scanner, JavaScript, JQuery, Objective-C, PHP, Python, secrets scanner, TerraForm, TypeScript, and VueJS.
• General bug fixes.

• Updated autoupdate to use AppScan on Cloud v4 REST API.
• Fixed third party vulnerabilities.

• Auto fix: Curated autofix recommendations are now provided with a GenAI-summarized explanation in the AppScan on Cloud user interface. Auto fix previously was available only in CodeSweep IDE plugin.
• GitHub Enterprise integration for SAST repository scanning: Run static analysis scans on GitHub Enterprise repositories.

• Domain management: Manage domains within your organization, including permissions to different asset groups, and domain authorization without the need to verify them. This feature is now available for Silver, Gold, Platinum, and Per-application subscriptions. To migrate from Domain verification to Domain management contact the Support team for assistance.

• SCA runtime: Building on IAST functionality, SCA can identify and manage vulnerabilities in open source components and libraries used by an application at runtime. Runtime SCA provides more accurate context into potential vulnerabilities, and thus helps prioritize issue remediation and resolution.
• Malware detection: Software Composition Analysis detects and reports open-source libraries that are suspected as malware. AppScan employs a comprehensive, advanced approach that combines automated analysis with human expertise, scanning multiple repositories and performing multi-domain analysis for a holistic security assessment. Our continuous monitoring of package updates, coupled with targeted attack detection and binary analysis, helps uncover hidden threats. Our team of experts reviews suspicious findings, ensuring accurate results.
• Method and root dependence identification: SCA method and root dependence details enhance the detection and analysis of libraries within a software project. The dependency root represents the original library that initiated the inclusion of other libraries that resulted in the inclusion of a vulnerable library, thus allowing users to understand the origin of a vulnerable package. Full dependency hierarchy and information is included in the SBOM report.

• IAST for Kubernetes: AppScan supports automatic installation of IAST agents on Kubernetes clusters, providing support for Java, .Net, and Node.js applications.

• New Compliance Reports and Policies:
  • Network and Information Security Directive (NIS2)
  • OWASP Cloud-Native Application Security Top 10
• Automated comment propagation: Automatically propagates the latest comments along with issue status from the same issue in another application to the current app. This ensures that both the status and comments are consistently updated, providing a complete and synchronized issue record across all applications.

• Renamed the Plugins and APIs page to Integrations to provide a clearer and more intuitive representation of the diverse third-party integrations and customizations available within AppScan on Cloud.
• Added Jira Cloud plugin and AppScan on Cloud CLI.
• Removed AppScan automation framework.

• Support RabbitMQ as a source and sink.
• Support vulnerabilities of type Privacy.DataLeakage, reported when a password is written unencrypted to the database or response.
• Support vulnerabilities of type AppDOS.Flood, reported when a Vert.x app does not set limits to the request body.
• Merge repeated reports on insecure and HTTP-only cookies when the source is similar.

• Reduce agent dependencies to avoid application conflicts.

• SAST scans can now be configured and scheduled to pull source code directly from a public GitHub repository. See Scan a GitHub repository.
• While triaging SAST findings, users can view the relevant source code directly on GitHub.com.
• Findings can now be filtered by filename or path, making triaging more efficient by focusing on specific areas of the codebase.

• The Domain verification wizard is enhanced to allow users to test the connection after placing the file in the root folder. Domains pending verification for more than 30 days will be deleted. Domains remain in a pending state until the verification file is detected in the root folder, or the email verification is confirmed.

• Two new industry-standard reports were added:
  • OWASP API Security Top 10 2023
  • CWE Top 25 Most Dangerous Software Weaknesses 2023
• The following reports were updated:
  • [US] DISA's Application Security and Development STIG, Version 5 Release 3
  • The Payment Card Industry Data Security Standard (PCI DSS) - Version 4

• This page provides real-time information on the operational status of the AppScan on Cloud service and planned maintenance. It is now accessible from the AppScan on Cloud portal.
• You can access this page from the following locations:
  • Within the AppScan on Cloud portal, the AppScan Resources page is accessible under the Support menu at the top of each page. A link to the service status page is at the bottom of the AppScan Resources page.
  • AppScan on Cloud documentation: The link to the status page is included on the Getting started page under the Product Resources section.
  • You can bookmark the URL directly: AppScan on Cloud Service Status page.

• Support for Vertx version 3.x.
• API endpoint discovery for Vertx.

• Update dependencies
• Alternative deployment of the .NET core agent during runtime without need for build (Beta).

• The Create scan dialog box has been redesigned to streamline workflow for DAST scanning.
• The Settings page has been redesigned with improved organization, and now requires confirmation of changes to page settings.
• The Correlation groups page has been redesigned for greater ease-of-use.

• Improved support for customers using the Vertx framework.
• Support components discovery and more accurate stack report for IAST Total.

• Support PHP 8.3 on Ubuntu.
• Support environment variables from server config files.

Static analysis client updated to 8.0.1561.

• Added support for the VertX framework.

• Added support for .NET 8.
• Enhanced support for IAST Total on .NET.
• Optimization.

AppScan Go! steps you through configuring and running a static, SCA, or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.