What's new in HCL AppScan® Enterprise

This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan® Enterprise 10.4.0

  • Enhanced DAST scan accuracy and efficiency with an IAST subscription. For more information, refer to the blog.
  • AppScan Enterprise Third-Party Vulnerable Components updates:
    • Added new APIs for the Vulnerable Component:
      API Name                                  Description
      get/vulnerablecomponent/server/status     Get the vulnerable component update status for the server.
      post/vulnerablecomponent/update           Update the vulnerable component package's latest version in AppScan Enterprise Server.
      get/vulnerablecomponent/client/status     Get the vulnerable component update status for the client.
    • Includes the latest CVE for better scan coverage.
    • Third-party vulnerable components detected in ASD are now visible in the AppScan Enterprise Monitor Tab - Components View.
    • Components are now available in the AppScan Enterprise Security reports.
    • Job ID API (GET /issues/{jobId}) can now share CWE and CVE ID for Third-Party Vulnerable Components.
  • AppScan Enterprise now supports encrypted AppScan Activity Recorded File, ensuring secure storage of login credentials and other PII.
  • Added Scanned URLs to AppScan Enterprise Security report, enabling users to measure scan coverage.
  • New regulatory compliance report: [SA] Protection of Personal Information Act (PoPIA), 2013.
  • Updated regulatory compliance reports:
    • [US] The Federal Risk and Authorization Management Program (FedRAMP), Revision 5.
    • [US] DISA's Application Security and Development STIG, V5R2.
    • [US] Federal Information Security Modernization Act (FISMA), 2014.
  • Added support for Microsoft SQL Server 2022 Standard and Enterprise versions.

IAST changes

.NET:
  • Enhanced support for customers using System.Net.WebClient in both .NET Framework and .NET Core.
  • Improved IAST log now includes date and time.
  • A new issue type, Detected APIs, replaces the Miscellaneous issue type for issues that report the complete list of the application's APIs.
  • The Sensitive API Requires Logging issue type is now supported for customers using ILogger, NLog, Serilog, and log4net.
NodeJS:
  • Updated the IAST log to include both date and time.
  • Improved error messages in Console output.
Java:
  • A new issue type, Detected APIs, replaces the Miscellaneous issue type for issues that report the complete list of the application's APIs.
  • Improved deployment process: setting the BC_SB environment variable is no longer needed in Java versions 9 and later.
  • Additional framework support for Java: Spring 6.
  • Improved the error message when the user sets incorrect proxy settings.
  • The IAST log now includes the date and time.

APAR fix list

The following Authorized Program Analysis Reports (APARs) were fixed:

APAR No.    Description
KB0106642   Issue count difference between AppScan Enterprise and AppScan Standard in some cases.
KB0106569   Large scan file download fails from the job statistics page under the Scans tab.
KB0105848   Cannot delete a job when the combined length of the job name and the FolderItemId exceeds 255 characters.

Fixes and security updates

New security rules in this release include:
  • Improved accuracy for credit card detection in several rules:
    • SecurityRule_GD_CreditCardAmericanExpress
    • SecurityRule_GD_CreditCardAmericanExpressNotSSL
    • SecurityRule_GD_CreditCardDinersClub
    • SecurityRule_GD_CreditCardDinersClubNotSSL
    • SecurityRule_GD_CreditCardDiscover
    • SecurityRule_GD_CreditCardDiscoverNotSSL
    • SecurityRule_GD_CreditCardMasterCard
    • SecurityRule_GD_CreditCardMasterCardNotSSL
    • SecurityRule_GD_CreditCards
    • SecurityRule_GD_CreditCardsNotSSL
    • SecurityRule_GD_CreditCardVisa
    • SecurityRule_GD_CreditCardVisaNotSSL
  • attText4Shell - Added Tailored Web Server detection support for RCE.
  • attZencartRemoteCommandExecutionAdnsCVE20213291 - Added Tailored Web Server detection support for RCE.
  • attSessionFixation - Modified detection rule to avoid testing requests with no previous request.
  • attAPIBrokenObjectLevelAuthorization - Expanded rule to test all numeric directories (incrementing and decrementing the value).
  • CORSArbitraryOrigin - Modified to include a bogus Origin header everywhere.
  • Chromium is updated to version 116 to enhance security and address a critical vulnerability, CVE-2023-4863. For more information, see Chromium updated to version 116.
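The credit card rules above come in a plain and a NotSSL variant per card brand. As an added example (not AppScan's rule logic; brand patterns, rule naming and the sample response body are constructed here), this shows the defender-side shape of such a detection: match candidate numbers per brand, drop candidates that fail the Luhn checksum to reduce false positives, and pick the NotSSL rule when the page was served over plain HTTP.

```python
import re
from urllib.parse import urlsplit

# Constructed brand patterns for illustration only (not the product's own rules).
BRAND_PATTERNS = {
    "AmericanExpress": re.compile(r"\b3[47]\d{13}\b"),
    "DinersClub": re.compile(r"\b3(?:0[0-5]|[68]\d)\d{11}\b"),
    "Discover": re.compile(r"\b6(?:011|5\d{2})\d{12}\b"),
    "MasterCard": re.compile(r"\b(?:5[1-5]\d{2}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720))\d{12}\b"),
    "Visa": re.compile(r"\b4\d{12}(?:\d{3})?\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_leaks(url: str, body: str) -> list[tuple[str, str]]:
    """Report (rule name, masked number) for card numbers found in a response body.

    A number that matches a brand pattern but fails Luhn is treated as an
    order/reference id rather than a card, which is what cuts false positives.
    """
    # Join digit groups separated by a single space or hyphen ("4111 1111 ...").
    text = re.sub(r"(?<=\d)[ -](?=\d)", "", body)
    not_ssl = urlsplit(url).scheme.lower() != "https"
    findings = []
    for brand, pattern in BRAND_PATTERNS.items():
        for match in pattern.finditer(text):
            number = match.group()
            if not luhn_ok(number):
                continue
            rule = f"SecurityRule_GD_CreditCard{brand}" + ("NotSSL" if not_ssl else "")
            masked = "*" * (len(number) - 4) + number[-4:]   # never log the full PAN
            findings.append((rule, masked))
    return findings
```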

This release's complete list of fixes, updates, and RFEs is listed here.

Changed in this release

The limit of 100 variables shown in the Portfolio & Application tab of the Monitor tab has been removed, so users can view all variables and customize their searches.

Removed in this release

  • Support for Windows Server 2012 and Windows Server 2012 R2 is deprecated, as Microsoft has announced end of support (EOS) for these platforms.
  • The embedded Internet Explorer browser is removed.

Upcoming changes

The following will be removed in a future release:

  • CVSS attribute field on issues will be replaced with a non-editable CVSS vector string.
  • Create Job using AppScan Source, AppScan Standard template, and Import Job flow using AppScan Results Import will be removed from the Scans tab. Alternatively, users can import AppScan Source and AppScan Standard results using the Monitor tab.
  • The Web Services, The Vital Few, and Developer Essentials test policies will be removed as similar results can now be achieved using other policies. For information, see Predefined Test Policies.
  • WebSphere portal scan will be removed.