Welcome
Overview
Learn general information about the product.
Interactive Application Security Testing (IAST) in AppScan Enterprise
OWASP Benchmark with IAST agent
The OWASP Benchmark Project is a Java test suite designed to evaluate software vulnerability detection tools. The HCL AppScan IAST Java Agent is fully compliant with the OWASP Benchmark.

Welcome
Welcome to the HCL AppScan Enterprise 10.10.0 documentation, where you can find information about how to install, maintain, and use HCL AppScan Enterprise.
Accessibility features for AppScan® Enterprise
Accessibility features assist users who have a disability, such as restricted mobility or limited vision, to use information technology content successfully.
Overview
Learn general information about the product.
- Application security management
  Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
- AppScan® Enterprise components
  HCL® AppScan® Enterprise enables organizations to mitigate application security risk, strengthen application security program management initiatives and achieve regulatory compliance. Security and development teams can collaborate, establish policies and scale testing throughout the application lifecycle. Enterprise dashboards classify and prioritize application assets based on business impact and identify high-risk areas, permitting you to maximize your remediation efforts. Performance metrics are provided that help you monitor the progress of your application security programs.
- Getting started with application security management
  Depending on your role, you can get started with different areas of the product.
- What's new in HCL AppScan® Enterprise
  This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
- Interactive Application Security Testing (IAST) in AppScan Enterprise
  - Licensing for IAST agent
  - Configuring IAST Communication Service in AppScan Enterprise Server
    The IAST Communication service is automatically configured while running the Configuration Wizard.
  - Downloading and deploying Java IAST agent on the Web server
    You must download and deploy an IAST agent on the tested application's web server to monitor traffic sent during runtime and report vulnerabilities it finds.
  - Downloading and deploying .NET or .NET Core IAST agent type
    You can deploy an IAST agent on the tested application's web server that supports Java, .NET, .NET Core, or Node.js based applications. This section explains about creating .NET or .NET Core IAST agent type on your web server.
  - Downloading and deploying Node.js IAST agent type
    You can deploy an IAST agent on the tested application's web server that supports Java, .NET, or Node.js based applications. This section explains about creating Node.js agent type on your web server.
  - Downloading and deploying PHP IAST agents
    Use this procedure to download the AppScan Enterprise PHP IAST agent and deploy it to your application server environment (Windows, Ubuntu, or Red Hat). The PHP IAST agent monitors your running web application during runtime testing (manual or automated) and reports vulnerabilities to AppScan Enterprise.
  - Managing IAST agents in AppScan Enterprise
    AppScan Enterprise can support multiple IAST agents for a single application.
  - OWASP Benchmark with IAST agent
    The OWASP Benchmark Project is a Java test suite designed to evaluate software vulnerability detection tools. The HCL AppScan IAST Java Agent is fully compliant with the OWASP Benchmark.
- Vulnerable components detection using AppScan
  AppScan enhances application security by identifying and reporting vulnerabilities in third-party components, ensuring businesses are protected from potential threats. This helps prevent undetected vulnerabilities and ensures business continuity.
- Smarter DAST scans with Intelligent Finding Analytics (IFA)
  Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) to improve DAST scan accuracy by minimizing false positives and optimizing test selection.
- Supported technologies
- Known issues and workarounds
  These are known issues and their workarounds.
- Deprecated features
  If you are migrating from an earlier release of AppScan® Enterprise, you should be aware of the various features that have been deprecated in this release.
- AppScan Enterprise Legal Notices
- Statement of Good Security Practices
Installing
Learn how to install the product.
Upgrading and migrating
Learn how to upgrade the product.
Integrating
Learn how to integrate the product with other solutions.
DevOps
Learn how to extend the product with REST APIs and plugins.
Best practices
Learn best practices for using the product.
Configuring
Learn how to configure the product.
Administering
Learn how to administer the product.
Managing application risk
Follow this workflow to manage application security risks in your organization.
Troubleshooting and support
To help you understand, isolate, and resolve problems with your HCL® software, the troubleshooting and support information contains instructions for using the problem-determination resources that are provided with your HCL products.
Reference
Review reference information for the product.
Glossary

OWASP Benchmark with IAST agent

The OWASP Benchmark Project is a Java test suite designed to evaluate software vulnerability detection tools. The HCL AppScan IAST Java Agent is fully compliant with the OWASP Benchmark.

Procedure

To run OWASP Benchmark with AppScan IAST Java agent:

Clone BenchmarkJava and BenchmarkUtils from https://github.com/OWASP-Benchmark.
Open a command prompt, change to the BenchmarkUtils directory and, run mvn install -DskipTests.
In AppScan Enterprise: Start an IAST Java session and download the agent zip as described in Downloading and deploying Java IAST agent on the Web server.
Extract the contents of the zip file.
In the extracted JAR, locate secagent.jar in the jar_deployment folder and copy it to BenchmarkJava\tools\HCL.
From a command prompt, run runBenchmark_wHCL.bat, and wait for a few moments until the message '[INFO] Press Ctrl-C to stop the container...' is displayed.
Open another command prompt and run BenchmarkJava\runCrawler.bat.
After the crawl is complete, press Ctrl+C to stop the Benchmark Tomcat instance. When asked 'Terminate batch job (Y/N)?', enter N.
Run BenchmarkJava\createScorecards.bat

The test results can be found in:BenchmarkJava\scorecard\Benchmark_v1.2_Scorecard_for_HCL_AppScan_IAST_v{IAST_version} files

Figure: OWASP Benchmark v1.2 result comparison