United States government regulation compliance

Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL® is working to make its products the most secure in the industry. This topic lists the standards and guidelines that AppScan® Source supports.

Internet Protocol Version 6 (IPv6)

AppScan® Source is enabled for IPv6, with these exceptions:

  • Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.
  • IPv6 is not supported when connecting to Rational Team Concert.

Federal Information Processing Standard (FIPS)

On Windows and Linux platforms that are supported by AppScan® Source, AppScan® Source supports FIPS Publication 140-2, by using a FIPS 140-2 validated cryptographic module and approved algorithms.

To learn background information about AppScan® Source FIPS compliance - and to learn how to enable and disable AppScan® Source FIPS 140-2 mode, see these technotes:

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

NIST SP 800-131A guidelines provide cryptographic key management guidance. These guidelines include:

  • Key management procedures.
  • How to use cryptographic algorithms.
  • Algorithms to use and their minimum strengths.
  • Key lengths for secure communications.

Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that products conform to specified security requirements.

NIST SP 800-131A is supported only when AppScan® Source is operating in FIPS 140-2 mode. To learn about enabling and disabling AppScan® Source FIPS 140-2 mode, see Federal Information Processing Standard (FIPS).

Important:
If the AppScan® Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan® Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail.
  • If you are not installing the AppScan® Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations). In this file, locate this setting:
    <Setting
        name="tls_protocol_version"
        read_only="false"
        default_value="0"
        value="0"
        description="Minor Version of the TLS Connection Protocol"
        type="text"
        display_name="TLS Protocol Version"
        display_name_id=""
        available_values="0:1:2"
        hidden="false"
        force_upgrade="false"
    />

    In the setting, change value="0" to value="2" and then save the file.

  • If you are installing the AppScan® Source Database, you can force Transport Layer Security V1.2 in the HCL® AppScan® Enterprise Server Database Configuration tool after installing both AppScan® Source and the Enterprise Server.
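The client-only edit described above (change value="0" to value="2" on the tls_protocol_version setting) is easy to get wrong by hand, for example by editing default_value instead of value. The following Python script is an added example, not HCL's code or part of the product: it locates the Setting element, refuses to write anything the element's own available_values list does not permit or that is marked read_only, changes only the value attribute, and keeps a backup of the original file. The sample text embedded below is constructed from the element quoted in the documentation; the <Settings> root element around it, and the UTF-8 encoding, are assumptions about the file layout.

```python
import re
import shutil
from pathlib import Path

# Constructed sample of the relevant part of ounce.ozsettings. It reproduces the
# Setting element quoted in the documentation; the surrounding <Settings> root
# element is an assumption about the file layout, not taken from the page.
SAMPLE_OZSETTINGS = """<Settings>
  <Setting
    name="tls_protocol_version"
    read_only="false"
    default_value="0"
    value="0"
    description="Minor Version of the TLS Connection Protocol"
    type="text"
    display_name="TLS Protocol Version"
    display_name_id=""
    available_values="0:1:2"
    hidden="false"
    force_upgrade="false"
  />
</Settings>
"""

SETTING_NAME = "tls_protocol_version"
TLS12_MINOR_VERSION = "2"  # the value is the TLS minor version: 2 means TLS 1.2

# Matches the whole self-closing <Setting .../> element whose name attribute is
# tls_protocol_version. [^>] is safe because none of the attribute values on this
# element contain '>'.
_SETTING_RE = re.compile(
    r'<Setting\b[^>]*?\bname="' + re.escape(SETTING_NAME) + r'"[^>]*?/>'
)


def _attr(element, name):
    """Return attribute `name` of the element text, or None. The negative
    lookbehind keeps value= from matching inside default_value=."""
    m = re.search(r'(?<!\w)' + re.escape(name) + r'="([^"]*)"', element)
    return m.group(1) if m else None


def get_tls_minor_version(text):
    """Return the current tls_protocol_version value, or None if absent."""
    m = _SETTING_RE.search(text)
    return _attr(m.group(0), "value") if m else None


def force_tls12(text, minor_version=TLS12_MINOR_VERSION):
    """Return a copy of the settings text with tls_protocol_version set.

    Refuses to edit when the setting is missing, marked read_only, or does not
    list the requested version in available_values, so a typo cannot produce a
    value the product would not accept.
    """
    m = _SETTING_RE.search(text)
    if m is None:
        raise ValueError(f"{SETTING_NAME} setting not found")
    element = m.group(0)
    if (_attr(element, "read_only") or "").lower() == "true":
        raise ValueError(f"{SETTING_NAME} is read_only")
    allowed = (_attr(element, "available_values") or "").split(":")
    if minor_version not in allowed:
        raise ValueError(f"{minor_version!r} not in available_values {allowed}")
    new_element, count = re.subn(
        r'(?<!\w)value="[^"]*"', f'value="{minor_version}"', element, count=1
    )
    if count != 1:
        raise ValueError("value attribute not found on setting")
    return text[: m.start()] + new_element + text[m.end():]


def force_tls12_in_file(path):
    """Edit ounce.ozsettings in place, keeping a .bak copy of the original."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    updated = force_tls12(original)
    if updated != original:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(updated, encoding="utf-8")
    return get_tls_minor_version(updated)


if __name__ == "__main__":
    import sys
    # Pass <data_dir>\config\ounce.ozsettings as the argument on a real install;
    # with no argument the constructed sample is transformed and printed.
    if len(sys.argv) > 1:
        print("tls_protocol_version is now", force_tls12_in_file(sys.argv[1]))
    else:
        print(force_tls12(SAMPLE_OZSETTINGS))
```

After running it against a real file, confirm the result with get_tls_minor_version (or by reopening the file) and then test a connection to the NIST 800-131a-enabled Enterprise Server; if the value is still 0 or 1 the connection fails exactly as the note above describes.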

Windows machines that are configured to use the United States Government Configuration Baseline (USGCB)

AppScan® Source supports scanning applications on Windows machines that are configured with the USGCB specification.

Note: On machines that are configured with the USGCB specification, AppScan® Source does not support defect tracking system integration with HP Quality Center or Rational® ClearQuest®.