What's new
This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
New in HCL AppScan Standard 10.3.0
- Third-party components are now identified and shown in the new Components tab in Data view, and related vulnerabilities are reported in Issues view.
- CVSS vector links have been added to Issue information for all issues, including third-party components.
- Support for password protecting scan files (File > Set password).
- The Test policy and optimization view has been improved.
- Updated regulatory compliance report template: NIST Special Publication 800-53 Revision 5 (...\HCL\AppScan Standard\Policies).
Fixes and security updates
New security rules in this release include:
- attAPIBrokenObjectLevelAuthorization - Check for Broken Object Level Authorization
- attGraphqlSqli - Check for SQL Injections in GraphQL API
- WeakJWTExpiration - Check if there is a JWT without an expiration date or with a late expiration date
- WebSocketCSRF - Check if there is an authentication vulnerability in a WebSocket connection
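The WeakJWTExpiration rule listed above flags tokens that never expire or that expire too far in the future. As an added example (not AppScan's own code), the Python check below inspects a JWT's exp and iat claims in the same spirit; the 3600-second maximum lifetime and the sample tokens are assumptions.

```python
import base64
import json
import time
from typing import Optional

# Maximum acceptable token lifetime in seconds (assumed policy value: 1 hour).
MAX_LIFETIME_SECONDS = 3600


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is not verified here: this check only inspects expiration
    claims, and signature validation is a separate control."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_jwt_expiration(token: str, now: Optional[int] = None,
                         max_lifetime: int = MAX_LIFETIME_SECONDS) -> Optional[str]:
    """Return a finding if the expiration is missing or too late, else None."""
    claims = jwt_claims(token)
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if exp is None:
        return "missing exp claim: token never expires"
    if not isinstance(exp, (int, float)):
        return "exp claim is not a NumericDate"
    # Measure lifetime from the issuer's iat when present, otherwise from now.
    lifetime = exp - claims.get("iat", now)
    if lifetime > max_lifetime:
        return f"late expiration: lifetime {int(lifetime)}s exceeds {max_lifetime}s"
    return None


def make_test_jwt(claims: dict) -> str:
    """Build a constructed sample token (placeholder signature) for the check."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    # The signature segment is a placeholder; only the claims matter here.
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

An already-expired token returns None, since that is a different condition from a weak expiration.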
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
- The Incremental scan wizard is removed. Incremental scans are started from the File menu (File > New scan > Incremental).
- The ability to start recording a multi-step operation by right-clicking on a node in the application tree (and selecting Record multi-step operation) is removed. Multi-step operations are now recorded only from Configuration > Multi-step operations.
- The Web Services, The Vital Few, and Developer Essentials test policies have been removed from the Test Policies drop-down selection, as similar results can be obtained using other policies. They are still available in the Policies folder: C:\Program Files (x86)\HCL\AppScan Standard\Policies
Upcoming changes
The following will be removed in a future release:
- The embedded Internet Explorer browser will be removed in a future version of AppScan.
- The Web Services, The Vital Few, and Developer Essentials test policies will be removed, as similar results can now be achieved using other policies.
- The ability to export scan results as XML for versions of AppScan Enterprise earlier than 9.0.3.1.