What's new

This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

Attention: HCL AppScan Standard 10.9.1 is now available. This update includes security fixes for multiple Chromium vulnerabilities, along with other improvements; upgrading to it is recommended. For more information, see the Fix list and the 10.9.0 documentation.

New in HCL AppScan Standard 10.9.0

  • Custom scripts enhanced with the following updates:
    • Code-editor: Improved syntax checking and enhanced auto-complete features for better usability.
    • Multi-step operations: Added support to dynamically adjust parameters using custom scripts.
    • Dynamic form-filler parameters: Introduced support for dynamic parameters in form-fillers.
  • Support for the WebSocket protocol where messages are exchanged as JSON or XML.
  • Compliance report updates:
    • [US] DISA Application Security and Development STIG V6R3
    • CWE Top 25 Most Dangerous Software Weaknesses 2024
  • Automatic Login improvements: automatic logins are now performed more accurately, improving the overall login success rate.
  • AppScan Unit-level DAST Intelligence Tester (AUDIT): a developer-focused DAST approach that lets developers run targeted scans against specific endpoints from within their IDE, so vulnerabilities are detected early in the SDLC. For more information, see the article AppScan Unit-level DAST Intelligence Tester (AUDIT).

Fixes and security updates

New security rules and rule updates in this release include:

  • attWordpressGalleryPluginPathTraversalCVE20233279 - WordPress Gallery Plugin Path Traversal CVE-2023-3279
  • attWordPressBackupMigrationplugincve20235737 - WordPress Backup and Migration plugin Broken Access Control CVE-2023-5737
  • attMobileMouseRCECVE202331902 - Mobile Mouse Remote Command Execution CVE-2023-31902
  • attOpenWireApacheServerRCECVE202346604 - Apache OpenWire (ActiveMQ) server RCE CVE-2023-46604
  • attApacheHugeGraphRCECVE202427348 - Apache HugeGraph RCE CVE-2024-27348
  • attApacheOFBizRCECVE202438856 - Apache OFBiz RCE CVE-2024-38856
  • attCactiRCECVE202425641 - Cacti RCE CVE-2024-25641
  • attLMSBlindSqlInjectionTimeoutCVE20248529 - WordPress LearnPress Plugin time-based blind SQL Injection CVE-2024-8529
  • attWordPressUltimateExporterRCECVE202456278 - WordPress Ultimate Exporter RCE CVE-2024-56278
  • JwtWeakSecretKey - detects JSON Web Tokens signed with a weak (guessable) HMAC secret key
  • Vulnerable component database updated to version 1.7
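To make concrete what a weak-JWT-secret finding means, here is an added example (not AppScan's rule logic, and not code from this page): it verifies an HS256 token's signature against a small, constructed list of commonly used secrets and reports the one that matches. The wordlist, the sample payload and the secrets are assumptions chosen for the demonstration.

```python
"""Check whether an HS256 JWT was signed with a weak (guessable) secret.

Added example, not AppScan's own rule logic. The tokens are constructed
in main() and one is deliberately signed with the weak secret "secret".
"""
import base64
import hashlib
import hmac
import json

# Constructed wordlist of frequently used HMAC secrets (assumption: a real
# scanner would carry a far larger list).
COMMON_SECRETS = ["password", "123456", "secret", "changeme", "jwt_secret"]


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64url decode, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build an HS256 JWT (header.payload.signature) for the payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def find_weak_secret(token: str, candidates=COMMON_SECRETS):
    """Return the candidate secret whose HMAC-SHA256 reproduces the token's
    signature, or None if none matches, the token is malformed, or it is
    not an HS256 token (RSA/EC or 'none' tokens cannot be checked this way)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        expected = b64url_decode(sig_b64)
    except ValueError:  # bad segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for secret in candidates:
        mac = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            return secret
    return None


if __name__ == "__main__":
    weak = sign_hs256({"sub": "alice", "role": "admin"}, "secret")
    strong = sign_hs256({"sub": "alice"}, "k9#Vq2!pL8zR4wXb7nM0")
    print("weak token   ->", find_weak_secret(weak))    # secret
    print("strong token ->", find_weak_secret(strong))  # None
```

A match means anyone holding the same wordlist can mint arbitrary tokens for the application; the fix is a long random secret (or an asymmetric algorithm), not a longer wordlist check.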

For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.

Changed in this release

  • Accessibility: significant enhancements to the product's accessibility, including:
    • Keyboard navigation: improved navigation using the keyboard and keyboard shortcuts.
    • Screen reader support: enhanced compatibility so that UI elements are announced correctly.
    • Color contrast: increased contrast ratios for better visibility.
    • Font size: the UI can be zoomed up to 200%.
    • A comprehensive VPAT assessment has been completed to document compliance with accessibility standards like Section 508 and WCAG. For more information, see Accessibility.

Upcoming change

  • AppScan Standard versions 10.6.0 and earlier reach End of Support (EOS) in June 2025. Upgrade to the latest available version before then.
  • Support for Microsoft® Windows® 10 and Microsoft® Windows® Server 2019 will be removed in a future version of AppScan, because both have reached the end of their mainstream support period.
  • The Web API Wizard (OpenAPI) extension will be removed in a future version of AppScan.
  • The report component will be available only at the product level (UI/AppScanCMD), not at the SDK level.