What's new
This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
New in HCL AppScan Standard 10.5.0
- Redesigned the AppScan Connect - AppScan Enterprise interface to allow for immediate or deferred scan execution and the ability to choose the scanning method.
- Ability to easily export the complete list of tests (excluding variants) from the test policy to a CSV file, irrespective of whether the tests are enabled.
- Advanced Search in Issues view: navigate your data by searching for specific strings within Request/Response content or in the issues table.
- Added new test policies:
  - OWASP Top 10 API Security Risks – 2023
  - OWASP Top 10 – 2021
- Updated Regulatory Compliance reports:
  - OWASP API Security Top 10 2023
  - [US] DISA's Application Security and Development STIG V5R3
  - CWE Top 25 Most Dangerous Software Weaknesses 2023
  - The Payment Card Industry Data Security Standard (PCI DSS) V4
- Refactored error pages: you can now define strings and regular expressions that identify error pages by matching against the response content, the URL path, or both.
Fixes and security updates
New security rules in this release include:
- postMessageInfoLeak - Added to detect possible information leakage through postMessage()
- WordPressQEMPluginXSSCVE202323491 - Added for CVE-2023-23491 detection
- ApacheStrutsFileUploadRCE - Added a new test for "Apache Struts RCE via File Upload" (CVE-2023-50164)
- attWordPressInPostPluginXSSCVE202328666 - Detection for CVE-2023-28666
- attApacheStrutsCVE20190230RCEOGNL - Added Tailored Web Server detection support for RCE
- attAPIBrokenObjectLevelAuthorizationPath - Added path variants for "Broken Object Level Authorization"
- attOracleWebLogicRemoteCommandExecutionVulnerabilityInWindowsExtDns - Added Tailored Web Server detection support for RCE
- attOracleWebLogicRemoteCommandExecutionVulnerabilityInUnixExtDns - Added Tailored Web Server detection support for RCE
- Vulnerable component database updated to version 1.3
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
- The embedded Internet Explorer browser was removed.
- The ability to export scan results as XML for versions of AppScan Enterprise earlier than 9.0.3.1 was removed.
- In AppScan CMD, the 'xml_report' report format is no longer supported; use the 'xml' report format instead.
Upcoming change
- The "Delete Issues" feature is currently accessible from the issues list (through the right-click context menu) or from the Edit menu. Starting with the next release, the capability to delete issues will no longer be available.