What's new

This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

Welcome to the new AppScan Standard!

  • Introducing a whole new user experience

    Brand new look, improved workflow, better guidance, and easier self-troubleshooting

  • Quick and clear scan assessment

    The new dashboard gathers essential scan information including scan health and result summary

  • New dark mode

    Choose the mode (light or dark) that works best for you

New in HCL AppScan Standard 10.0.7

  • New and improved user experience:
    • New home page to start your scans
    • Navigation bar on the left of the screen gives you fast access to the main steps in your workflow
    • Dashboard gathers together essential scan data, and updates in real time as the scan runs
    • Issues and Tasks views are consolidated into the new Issues view
    • Responsive UI design
    • Redesigned scan log.
    • Redesigned Options dialog box (Tools > Options)
    • Select your work preference for light mode or the new dark mode
    See highlights of the practical changes here.
  • OS Support: Windows Server 2022 (Enterprise and Pro), and Windows 11
  • TLS 1.3 is supported (for the two new operating systems only)
  • MFA: Support for TOTP and URL-generated OTP (see Configure OTP)
  • Export security issues to CSV format (see Export to CSV)
  • New Industry Standard reports:
    • "CWE/SANS Top 25 Most Dangerous Errors" has been replaced by "CWE Top 25 Most Dangerous Software Weaknesses 2021"
    • "OWASP TOP 10 - 2021"
New in 10.0.7.28150
  • Fixed KB0098002
  • Added a security update to test for Spring4Shell vulnerability CVE-2022-22965. The test is included in the Invasive Test Policy. (Note that no version of AppScan itself was or is subject to this vulnerability.)

Fixes and security updates

New security rules in this release include:
  • attApacheHttpPathTraversalUnix - Path traversal vulnerability in Apache HTTP Server (CVE-2021-41773)
  • attZencartRemoteCommandExecutionAdns - Authenticated RCE on ZenCart (CVE-2021-3291)
  • attApacheHttpPathTraversalUnix - Apache HTTP Server Path traversal and RCE (CVE-2021-42013)
  • attAPIBrokenFunctionLevelAuthorization - API Security Rule on Broken function level authorization (Check with Original request with other HTTP Methods)
  • attConfluenceRemoteCommandExecutionAdns - Confluence Server Webwork OGNL injection (CVE-2021-26084) using ADNS
  • attAPIMassAssignment - API Security Rule on Mass Assignment (request with admin parameters/objects and gain access)
  • attAPILackResourcesRateLimit - API Security Rule on Lack of resources and Rate Limiting (set larger values for the request parameters which puts the server under stress)
  • attCSRFinGraphQL - Detect CSRF vulnerability in GraphQL endpoints
  • attCSPInjection - Detect if website is vulnerable to CSP policy injection
  • attAPIImproperAssetsManagement - API Security Rule on ImproperAssets Management (Request for unexposed paths)
  • attAPIImproperAssetsManagementDomain - API Security Rule on ImproperAssets Management (Request for unexposed domains)
  • attbootstrapXSS - Outdated Bootstrap rule detection
For a complete list of fixes, updates, and RFEs in this release see AppScan Standard Fix List.

Removed in this release

  • Scan Expert
  • Ability to edit CVSS ratings

Upcoming changes

The following will be removed in a future release:
  • The Web Services, The Vital Few, and Developer Essentials test policies will be removed, as similar results can now be achieved using other policies (see here)
  • The old UI is accessible in this release, but will be removed altogether in a future release (see here)