Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
About HCL AppScan on Cloud
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Roles and workflows
Learn about different ASoC tasks and workflows for different authorized ASoC users with a valid subscription.
What's new in AppScan on Cloud
Discover upcoming and recently added features.
System requirements
System requirements and supported operating systems and languages for the ASoC analyzers. Also learn about the supported browsers and minimum resolution for the service.
Subscriptions
My Subscriptions shows the status of all your organization's subscriptions, including the number of applications or scans remaining, and the start and end dates.
Sample apps and scripts
Use these sample applications to practice scanning with ASoC.
Demo videos
These "how-to" videos demonstrate using ASoC and how it fits into your workflow, and offer tips and tricks.
Contact and support
Useful links to human and online resources.
Trial Terms of Use
TRIAL AGREEMENT FOR HCL APPSCAN ON CLOUD SERVICE
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Users
User management allows you to control access to sensitive applications by assigning them to asset groups and then adding specific users to those groups.
Applications
An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to assess risk, identify trends, and make sure that your project is compliant with industry and organization policies.
Policies
You can apply the predefined policies, as well as your own custom policies, to show only data for the issues that are relevant for you.
DevOps
Tools for incorporating ASoC in your software development lifecycle.
Personal scans
A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
Audit trail
The audit trail (Organization > Audit trail) logs user activity.
Dynamic analysis
AppScan on Cloud performs security scans of web applications in production, staging, and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible from the open Internet.
About dynamic analysis (DAST)
An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
Dynamic scanning (DAST)
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
AppScan Presence
An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
Recording traffic
You can record traffic as Explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
HCL AppScan Traffic Recorder
The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
IAST Total
IAST Total (Interactive Application Security Testing) harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
Private sites
An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
About interactive monitoring (IAST)
ASoC can monitor normal application runtime behavior to detect vulnerabilities.
Starting an IAST session
Install the IAST agent on your application server, and configure the scan.
Deploying an IAST agent
Deploy the IAST agent on the application server so it can monitor communication with the application and report to ASoC.
Deploy on Kubernetes
AppScan supports automatic installation of the IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed on any starting pod.
Deploy on Azure App Service
Use the IAST agent to monitor applications that run on Azure App Service.
IAST using the REST API
Configure and start an IAST scan, including agent deployment, through the REST API.
IAST configuration file
Configure a JSON file to override the default IAST settings, and report only the vulnerabilities you want to know about.
User settings
Some low-level IAST behavior can be controlled with user parameters.
IAST scan results
An interactive (IAST) scan entry shows results since the last time the scan was started.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
About Software Composition Analysis
Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code.
System requirements for SCA
The types of files that can be scanned by ASoC when you perform open source testing.
Scanning libraries and third-party code for security vulnerabilities
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
SCA scan results
Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
System requirements for static analysis
Supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.
Sample apps and scripts
Use these sample applications to practice scanning with ASoC.
Static analysis troubleshooting
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Issues
The Issues page for an application displays, by default, non-compliant issues only. You can apply a variety of filters to see the issues you need, and click any issue to open the detailed issue information pane.
Correlation
AppScan analyzes issues found by IAST, DAST and SAST to identify common weak links in the code (correlations) where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.
Fix groups
Fix groups currently apply only to issues found in static analysis scans.
Reports
Generate reports for issues discovered in an application. Send reports to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
Remediation
After risks are determined and vulnerabilities are prioritized, your security team can start the remediation process.
Rescanning
Following your first scan, as you fix issues you can scan the same application again multiple times; the dashboard always displays the current results. When you rescan (rather than starting a new scan), the rescan overwrites the previous results.
IAST scan results
An interactive (IAST) scan entry shows results since the last time the scan was started.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
AppScan Presence troubleshooting
Troubleshooting tasks for errors found when working with the AppScan Presence.
Static analysis troubleshooting
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.
FAQ
Some frequently asked questions.
Threat Class and CWE
Tables showing threat classes of issues tested for by ASoC, and their related CWE numbers.
CSV format
This section describes how to save response data in CSV format.