Welcome
Welcome to the documentation for HCL AppScan Standard version 10.0.6
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
What's new
This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
System requirements
A summary of the minimum hardware and software required for the machine that runs AppScan Standard.
Installing
The installation wizard guides you through the fast and simple process.
License
This section describes for the trial and paid versions of AppScan Standard.
How an automatic scan works
This topic explains the difference between the "stages" and "phases" of a scan.
Web applications vs. web services
This topic explains the different methods available for exploring sites, before AppScan tests them.
Basic workflow
A diagram showing a simple AppScan workflow using the scan configuration wizard.
Tour of the main window
Describes the components of the AppScan main window, and all menus and toolbars.
Welcome screen
Describes the options available from the Welcome Screen that opens when you load AppScan.
Tutorial
This simple tutorial goes through the steps of configuring a simple application scan using the Scan Configuration wizard, running the scan, and reviewing the results.
Sample scans
The sample scans can help give you a feel for using AppScan and what scan results look like.
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Scan Configuration Wizards
You can quickly configure basic scans using the wizards.
Scan file structure
Explains the basic structure of an AppScan Standard SCAN file.
Scan templates
A scan template is simply a scan configuration that has been saved so that you can use it again.
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Using a browser
For web applications, you can usually use the build-in Chromium browser for manual exploring. Where necessary the built-in IE vbrowser, or an external browser can be used.
Using an external client
You can manually explore RESTful or other non-SOAP web services - or SOAP services that do not require security envelopes - using a mobile phone, simulator, or emulator. AppScan displays the domains and requests in its External Traffic Recorder, and create appropriate tests from the input.
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
AppScan displays scan results in three views:
Application Data
AppScan offers three ways of viewing and working with scan results: Application Data, Security Issues, and Remediation Tasks. This section describes Application Data View.
Security Issues
AppScan offers three ways of viewing and working with scan results: Security Issues, Remediation Tasks, and Application Data. This section deals with Security Issues View.
Remediation Tasks
AppScan offers three ways of viewing and working with scan results: Security Issues, Remediation Tasks, and Application Data. This section deals with Remediation Tasks view.
This section describes how to generate reports from the scan results.
Security reports
The Security report provides information about security issues discovered, and you can choose from a variety of templates depending on the type of content you need.
Industry Standard and Compliance reports
Industry Standards reports let you know if your application complies with standards of a selected industry committee; Regulatory Compliance reports let you know if your application complies with specific regulations or legal standards.
Delta Analysis reports
The Delta Analysis report compares two sets of scan results and shows the difference in URLs and/or security issues that were discovered in them.
Template-based reports
The Template Based tab of the Create Report dialog box enables you to create reports in Microsoft® Word DOC and DOCX formats, with exactly the data you want, and the document formatting you define.
This section explains how to use additional tools provided with HCL AppScan Standard.
Options dialog box
This section describes options you can control, to customize AppScan, from the Options dialog box (Tools > Options).
Web Services Wizard extension
This extension lets you scan using Open API description files. It is available from Tools > Extensions > Web Services Wizard (Open API), and the extension is enabled by default.
PowerTools
AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
Logs
Logs can help you troubleshooting.
Searching Results
You can filter the Result List in any of the views, for specific data.
This section describes integrations of other applications with AppScan Standard:
AppScan Enterprise
This section describes ways AppScan Standard and Enterprise editions can interact.
AppScan on Cloud
This section describes ways AppScan Standard can interact with HCL AppScan on Cloud, to scan apps on the cloud.
Automation Frameworks
You can use scripts written for your QA automation framework (such as Selenium) to create Manual Explore recordings for an AppScan scan.
This section contains some best practices and use cases for advanced users.
Workflow for advanced users
This workflow can help users with experience in the field of web security achieve a more thorough scan.
Sites that use parameter-based navigation
Sites in which all pages are reached using a single URL, need a specific scan configuration.
Scanning live production environments
The following risks and suggestions should be considered before scanning a live site with AppScan.
Understanding Test Optimization
This section describes how Test Optimization works and how best to incorporate it into your development lifecycle.
General FAQ
This topic addresses general application questions.
Login troubleshooting
Tips for troubleshooting session detection problems in Scan Configuration > Login Management view.
Out-of-session troubleshooting
Some suggestions for troubleshooting out-of-session issues.
Server not responding
Some suggestions for troubleshooting if the server is not responding.
External traffic recorder not recording
If your external device is configured correctly, AppScan's external login recorder and external traffic recorder will show the traffic sent from the device as you send it. This section offers suggestions if it does not.
Long or never-ending Explore stage
For some types of site the Explore stage may take a long time or never end.
Multi-step operation troubleshooting
Some suggestions for troubleshooting action-based multi-step operations.
Replacing unsigned extensions
If you want to use an unsigned extension that you used with a previous version of AppScan, you can either elect to trust it, or see if a signed version is available to replace it with.
Extended Support Mode
Extended Support Mode logs all AppScan activity, for packing and sending to your support provider to help troubleshooting a problematic procedure.
Changing the default browser
You can configure AppScan to use a browser other than its built-in browser.
Logs
This section includes explanations of Scan Log messages (View > Scan Log).
This section describes the syntax and options available using the Command line interface.
Menus and toolbar summaries, and glossary
Browser toolbar
The icons on the toolbar of the embedded AppScan® browser, used to display and save screenshots of application responses.
File menu
Used for creating, opening, and saving scans.
Edit menu
Used for customizing scan results.
View menu
Used to determine how the main window appears and what data is displayed.
Scan menu
Used to control the scan.
Tools menu
Provides various reporting and customization tools, including the HCL PowerTools.
Help menu
Used for accessing documentation, getting support help, and getting a new license.
Accessibility controls
Describes all keyboard shortcuts and controls.
Temp files
Describes where AppScan® saves its temporary files during normal operation, and how to change the location.
Glossary
This glossary explains terms and acronyms used in the AppScan® Standard user interface and documentation.
CWE support
CWE (Common Weakness Enumeration) is an industry standard list that provides common names for publicly known software weaknesses. The following CWE IDs, and their parent or child IDs, are supported in the current version of AppScan Standard.