Welcome
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 3: Determining risks and prioritizing vulnerabilities
Learn how to determine risks and prioritize vulnerabilities identified in an application.
Determining risk
Now that management and security analysts have a comprehensive view of the applications across the enterprise, it's time to get a complete picture of the application security risk. Use formulas to create rules for automated application asset classification. The automated calculation of an application security risk rating is based on the application's description and discovered vulnerabilities.
Determining issue severity
Security analysts can use CVSS scores to determine issue severity and prioritize vulnerability fixes for their organization.
CVSS scores
The Common Vulnerability Scoring System (CVSS) score shows the overall security impact of a vulnerability. AppScan Enterprise calculates the score based on available information for one or more metrics. The more information available, the more precise the score becomes.

Welcome
Welcome to the HCL AppScan Enterprise 10.11.0 documentation, where you can find information about how to install, maintain, and use HCL AppScan Enterprise.
Accessibility features for AppScan® Enterprise
Accessibility features assist users who have a disability, such as restricted mobility or limited vision, to use information technology content successfully.
Overview
Learn general information about the product.
Installing
Learn how to install the product.
Upgrading and migrating
Learn how to upgrade the product.
Integrating
Learn how to integrate the product with other solutions.
DevOps
Learn how to extend the product with REST APIs and plugins.
Best practices
Learn best practices for using the product.
Configuring
Learn how to configure the product.
Administering
Learn how to administer the product.
Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
  - Determining risk
    Now that management and security analysts have a comprehensive view of the applications across the enterprise, it's time to get a complete picture of the application security risk. Use formulas to create rules for automated application asset classification. The automated calculation of an application security risk rating is based on the application's description and discovered vulnerabilities.
    - Formula components
      Product administrators can use any of the following components in your attribute formulas.
    - Examples of Functions
      These functions are used in the attribute formulas.
    - Built-in Formulas
      Use built-in formulas as a starting point to create or customize your own formulas.
    - Customizing the risk rating formula
      The risk rating formula is the most important attribute that you use to describe your applications. Use this example to customize the built-in risk rating. In this example, the business impact is calculated automatically, based on different application attributes.
    - Creating attributes with formulas
      Create and edit attributes that contain formulas to calculate the risk ratings for applications or to display issue information in application summaries. Delete formula attributes that are no longer relevant.
    - Modifying formulas
      You can modify AppScan Enterprise's built-in formulas to customize them for your business needs. For example, the Open Issues formula includes new, open, and reopened issues in its calculations. That might not fit with your requirements, so you can modify it to only include open and reopened issues.
    - Determining issue severity
      Security analysts can use CVSS scores to determine issue severity and prioritize vulnerability fixes for their organization.
      - CVSS scores
        The Common Vulnerability Scoring System (CVSS) score shows the overall security impact of a vulnerability. AppScan Enterprise calculates the score based on available information for one or more metrics. The more information available, the more precise the score becomes.
      - How issue severity is determined
        AppScan® Enterprise determines issue severity by using a Severity formula or by using a 'Severity Value' issue attribute.
      - Changing the severity of an issue by modifying its CVSS score
        Changing issue severity is done on an issue by issue basis so that you analyze each vulnerability as it relates to your business risk. During issue triage, you can change the severity of an issue by manually overriding the precalculated CVSS score with the severity value so that you can prioritize its severity relative to other issues. Modifying the severity helps you convey an issue's criticality to development and management so that the more critical vulnerabilities are fixed first.
  - Prioritizing Vulnerabilities
    Learn how to prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.
Troubleshooting and support
To help you understand, isolate, and resolve problems with your HCL® software, the troubleshooting and support information contains instructions for using the problem-determination resources that are provided with your HCL products.
Reference
Review reference information for the product.
Glossary

CVSS scores

The Common Vulnerability Scoring System (CVSS) score shows the overall security impact of a vulnerability. AppScan Enterprise calculates the score based on available information for one or more metrics. The more information available, the more precise the score becomes.

AppScan Enterprise calculates and displays scores for both CVSS 3.1 and CVSS 4.0:

CVSS 3.1: Uses a combined approach of Base and Temporal metrics at the issue level and Environmental metrics at the application level.
CVSS 4.0: Calculates the score based on Base attributes but doesn't include Environmental metrics. Modifying the environmental attributes of an application impacts only the CVSS 3.1 calculation.

Attribute mapping and constraints

AppScan Enterprise maps metric values to the attributes of an issue (security vulnerability) or the application where the issue was found.

Note:

You can't delete or modify these attributes in AppScan Enterprise, but you can change their values.

CVSS 4.0 implementation

AppScan Enterprise calculates CVSS 4.0 scores alongside CVSS 3.1. When you modify CVSS attributes for an issue, AppScan Enterprise recalculates both versions. New attributes are available to store the CVSS 4.0 score and CVSS 4.0 vector string.

Table 1. CVSS metrics
Metrics group	Metrics name	Issue or Application attribute	Definition required to calculate the CVSS score
Base	Attack Vector	Issue	Yes
	Attack Complexity	Issue	Yes
	Privileges Required	Issue	Yes
	User Interaction	Issue	Yes
	Scope	Issue	Yes
	Confidentiality Impact	Issue	Yes
	Integrity Impact	Issue	Yes
	Availability Impact	Issue	Yes
Temporal	Exploit Code Maturity	Issue	No*
	Remediation Level	Issue	No*
	Report Confidence	Issue	No*
Environmental These metrics also contribute to the overall severity rating of the application.	Modified Base Metrics	Application	No*
	Availability Requirement	Application	No*
	Confidentiality Requirement	Application	No*
	Integrity Requirement	Application	No*

Note:

* While it is not a requirement that these attributes be defined, the CVSS score is more focused when more metrics are defined to describe the issue.
Any optional attribute that is not defined is not included in the CVSS score calculation.
The CVSS score cannot be calculated if any required attribute is not defined. In this case, the issue severity is categorized as Undetermined.
For more information on the details of the CVSS metrics, refer the following links: