Welcome
Welcome to the documentation for HCL AppScan Standard version 10.7.0
Getting started
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
What's new
This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
System requirements
A summary of the minimum hardware and software required for the machine that runs AppScan Standard.
Installing
The installation wizard guides you through the fast and simple process.
License
This section describes licensing for the trial and paid versions of AppScan Standard.
How an automatic scan works
This topic explains the difference between the "stages" and "phases" of a scan.
Exploration methods for web applications and APIs
This topic explains the different methods available for exploring sites, before AppScan tests them.
Web application automatic scan workflow
Provides a simple workflow of an automatic scan of a web application.
Web API automatic scan workflow
Provides a simple workflow of an automatic scan of a web API.
Home screen
Describes the options available from the home screen that opens when you load AppScan Standard.
Tour of the main screens
Describes the components of the AppScan main screen (Issues view), and all menus and toolbars.
Tutorial
This simple tutorial goes through the steps of configuring a simple application scan using the Scan Configuration wizard, running the scan, and reviewing the results.
Sample files
The sample files can help give you a feel for using AppScan and what scan results look like.
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Presets
Presets give you the main configuration views needed for a particular type of scan.
Scan file structure
Explains the basic structure of an AppScan Standard SCAN file.
Scan templates
A scan template is simply a scan configuration that has been saved so that you can use it again.
Manual exploring
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Using a browser
For web applications, you can usually use the built-in Chromium browser for manual exploring. Where necessary, an external browser can be used.
Using an external client
You can manually explore RESTful or other non-SOAP web APIs, or SOAP APIs that do not require security envelopes, using a mobile phone, simulator, or emulator. AppScan displays the domains and requests in its External Traffic Recorder and creates appropriate tests from the recorded input.
Scanning
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
Data
Data view is populated with information about the structure of the site during the Explore stage of the scan.
Issues
Issues view provides access to the results of a scan. You can view results at a high level or select specific tests or objects and access more details. These details include how to fix, requests/responses, and differences between the test variants that resulted in issues. You can manipulate the severity of issues, resend tests (with or without modifications), and create reports based on Issues.
Customizing the report layout
Using the Customize report layout option of the Create report dialog box, you can customize the appearance of your reports. This feature is optional, as you can simply generate reports using the default layouts.
Viewing and saving reports
Reports can be generated, viewed, and saved in various formats.
Creating partial reports
You can create a Security Report or a Template-Based Report for a subset of the scan results by right-clicking on the URL or folder for which you want to create the report.
Earlier versions of report templates
Earlier versions of some Industry Standard and Regulatory Compliance templates are saved in the "Old Versions" folder.
Security reports
The Security report provides information about security issues discovered, and you can choose from a variety of templates depending on the type of content you need.
Compliance reports
Compliance reports consist of the Regulatory Compliance reports and the Industry Standards reports. The regulatory compliance reports let you know if your application complies with specific regulations or legal standards. The industry standards reports let you know if your application complies with standards of a selected industry committee.
Delta Analysis reports
The Delta Analysis report compares two sets of scan results and shows the difference in URLs and/or security issues that were discovered in them.
Template-based reports
The Template-based tab of the Create report dialog box enables you to create reports in Microsoft® Word DOC and DOCX formats, with exactly the data you want, and the document formatting you define.
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
Options dialog box
This section describes options you can control, to customize AppScan, from the Options dialog box in Tools > Options.
Web API Wizard extension
This extension lets you scan using OpenAPI description files. It is available from Tools > Extensions > Web Services Wizard (OpenAPI), and the extension is enabled by default.
PowerTools
AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
Logs
Logs can help you troubleshoot.
Searching Results
You can filter the Result List in any of the views, for specific data.
Integrations
This section describes integrations of other applications with AppScan Standard.
AppScan on Cloud
This section describes ways AppScan Standard can interact with HCL AppScan on Cloud, to scan apps on the cloud.
AppScan 360°
This section describes ways AppScan Standard can interact with HCL AppScan 360°.
AppScan Enterprise
This section describes ways AppScan Standard and Enterprise editions can interact.
Automation Frameworks
You can use scripts written for your QA automation framework (such as Selenium) to create Manual Explore recordings for an AppScan scan.
Best practices
This section contains some best practices and use cases for advanced users.
Workflow for advanced users
This workflow can help users with experience in the field of web security achieve a more thorough scan.
Sites that use parameter-based navigation
Sites in which all pages are reached through a single URL, with the page selected by a request parameter, need a specific scan configuration.
Scanning live production environments
The following risks and suggestions should be considered before scanning a live site with AppScan.
Understanding Test Optimization
This section describes how Test Optimization works and how best to incorporate it into your development lifecycle.
General FAQ
This topic addresses general application questions.
External traffic recorder not recording
If your external device is configured correctly, AppScan's external login recorder and external traffic recorder will show the traffic sent from the device as you send it. This section offers suggestions if it does not.
License troubleshooting
This section deals with troubleshooting licenses issued by HCL.
Login troubleshooting
Tips for troubleshooting session detection problems in Scan Configuration > Login Management view.
Multi-step operation troubleshooting
Some suggestions for troubleshooting action-based multi-step operations.
Out-of-session troubleshooting
Some suggestions for troubleshooting out-of-session issues.
Postman Collection scan
Some suggestions for troubleshooting a Postman Collection scan.
Server not responding
Some suggestions for troubleshooting if the server is not responding.
Extended Support Mode
Extended Support Mode logs all AppScan activity, for packing and sending to your support provider to help troubleshoot a problematic procedure.
Changing the default browser
You can configure AppScan to use a browser other than its built-in browser.
Logs
This section includes explanations of Scan Log messages (View > Scan Log).
CLI
This section describes the syntax and options available using the Command line interface.
References
Menus and toolbar summaries, and the glossary.
Browser toolbar
The icons on the toolbar of the embedded AppScan® browser, used to display and save screenshots of application responses.
Keyboard shortcuts
AppScan offers these keyboard shortcuts.
Temp files
Describes where AppScan® saves its temporary files during normal operation, and how to change the location.
Glossary
This glossary explains terms and acronyms used in the AppScan® Standard user interface and documentation.
CWE support
CWE (Common Weakness Enumeration) is an industry standard list that provides common names for publicly known software weaknesses. The following CWE IDs, and their parent or child IDs, are supported in the current version of AppScan Standard.