What's new
This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
New in HCL AppScan Standard 10.4.0
- Re-designed Non-vulnerables and AppScan Connect interfaces.
- Vulnerable component updates that include the latest CVEs, providing better scan coverage.
- Introduced Multi-Factor Authentication (MFA) based on security questions for login management.
- Added Display density settings to adjust the visual density of the user interface.
- New Regulatory Compliance report: [SA] Protection of Personal Information Act (PoPIA), 2013.
- Updated Regulatory Compliance reports:
- [US] The Federal Risk and Authorization Management Program (FedRAMP), Revision 5.
- [US] DISA's Application Security and Development STIG, V5R2.
- [US] Federal Information Security Modernization Act (FISMA), 2014.
- Enhanced DAST scan accuracy and efficiency with an IAST subscription. For more information, refer to the blog.
- Two new extensions are available:
Fixes and security updates
New security rules in this release include:
- Improved accuracy for credit card detection in several rules:
- SecurityRule_GD_CreditCardAmericanExpress
- SecurityRule_GD_CreditCardAmericanExpressNotSSL
- SecurityRule_GD_CreditCardDinersClub
- SecurityRule_GD_CreditCardDinersClubNotSSL
- SecurityRule_GD_CreditCardDiscover
- SecurityRule_GD_CreditCardDiscoverNotSSL
- SecurityRule_GD_CreditCardMasterCard
- SecurityRule_GD_CreditCardMasterCardNotSSL
- SecurityRule_GD_CreditCards
- SecurityRule_GD_CreditCardsNotSSL
- SecurityRule_GD_CreditCardVisa
- SecurityRule_GD_CreditCardVisaNotSSL
- attText4Shell - Added Tailored Web Server detection support for RCE
- attZencartRemoteCommandExecutionAdnsCVE20213291 - Added Tailored Web Server detection support for RCE
- attSessionFixation - Modified the detection rule to avoid testing requests with no previous request
- attAPIBrokenObjectLevelAuthorization - Expanded the rule to test all numeric directories (Inc and Dec)
- CORSArbitraryOrigin - Modified to include a bogus Origin header everywhere
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
- Chromium is updated to version 116.0.5845.188 to enhance security and address a critical vulnerability, CVE-2023-4863. For more information, see Chromium updated to version 116.0.5845.188.
Upcoming change
- The ability to export scan results as XML for versions of AppScan Enterprise earlier than 9.0.3.1 will be removed in the next release.
- The embedded Internet Explorer browser will be removed in a future version of AppScan.