What's new

This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan Standard 10.3.0

  • Third-party components are now identified and shown in the new Components tab in Data view, and related vulnerabilities are reported in Issues view.
  • CVSS vector links added to Issue information for all issues, including third-party components.
  • Support for password protecting scan files (File > Set password).
  • Test policy and optimization view has been improved.
  • Updated regulatory compliance report template: NIST Special Publication 800-53 Revision 5 (...\HCL\AppScan Standard\Policies).

Fixes and security updates

New security rules in this release include:
  • attAPIBrokenObjectLevelAuthorization - Check for Broken Object Level Authorization
  • attGraphqlSqli - Check for SQL Injections in GraphQL API
  • WeakJWTExpiration - Check if there is a JWT without an expiration date or with a late expiration date
  • WebSocketCSRF - Check if there is an authentication vulnerability in a WebSocket connection

For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.

Changed in this release

  • The Incremental scan wizard is removed. Incremental scans are now started from the File menu (File > New scan > Incremental).
  • The ability to start recording a multi-step operation by right-clicking a node in the application tree (and selecting Record multi-step operation) is removed. Multi-step operations are now recorded only from Configuration > Multi-step operations.
  • The Web Services, The Vital Few, and Developer Essentials test policies have been removed from the Test Policies drop-down selection, as similar results can be obtained using other policies. They are still available in the Policies folder:
    C:\Program Files (x86)\HCL\AppScan Standard\Policies

Upcoming changes

The following will be removed in a future release:
  • The embedded Internet Explorer browser.
  • The Web Services, The Vital Few, and Developer Essentials test policies, as similar results can now be achieved using other policies (see Changed in this release).
  • The ability to export scan results as XML for versions of AppScan Enterprise earlier than 9.0.3.1.