To ensure that our customers are succeeding in the Digital+ economy, HCLSoftware is always updating our application security testing software with new capabilities and functionality.
Our newest release is Version 10.5.0 for three of our on-prem application security testing solutions: HCL AppScan Standard, Enterprise, and Source. Customer feedback and requests played a large role in determining the updates for this new version. Many of the innovations are designed to both improve the user experience and accelerate the time to remediation.
New Test Policies and Export Features
HCL AppScan Standard and HCL AppScan Enterprise have added new test policies for the latest versions of both the OWASP Top 10 for API Security Risks (2023) and the OWASP Top 10 (2021). Previously, users had to filter OWASP policy results out of larger test sets. In Version 10.5.0, organizations can restrict a scan to exactly these policies, which reduces the total test time when those are the only results needed.
The OWASP lists are widely used as test criteria, and this new feature is a direct result of customer feedback.
Also based on customer requests, HCL AppScan Standard has added the capability to easily export complete lists of tests from the test policy to a CSV file, irrespective of whether the tests are enabled. This reporting feature enables another layer of oversight and accountability by allowing teams to easily share information across platforms.
Scan Request/Response Details Support Faster Remediation
When viewing issues in the HCL AppScan Standard dashboard, an advanced search function lets users navigate the data by searching for keywords across fields such as issue type, severity, status, URL, and fix recommendation.
In Version 10.5.0, users can also search for specific strings within the Request/Response data for even more context on how the issue was triggered. This granular level of analysis gives developers information that is useful for prioritizing results during triage and for understanding which critical issues most need remediation.
Updated Industry/Regulatory Standard Compliance Reports:
- OWASP API Security Top 10, 2023
- [US] DISA's Application Security and Development STIG, V5R3
- CWE Top 25 Most Dangerous Software Weaknesses 2023
- The Payment Card Industry Data Security Standard (PCI DSS) - V4
More Control With Read-Only Permissions
HCL AppScan Enterprise Version 10.5.0 adds Read-Only permissions for first-level support users. This permission grants users the ability to:
- View scans and logs across the organization
- Access the new scan details for read-only users
In a typical DevOps environment there are teams responsible for initial debugging of all the security tests being run throughout the pipeline. Often these users are tasked with looking only at scans for pass/fail and then relaying their findings to the respective teams. Since Read-Only permissions prevent a user from adding, deleting or changing scans, they give organizations more control by clearly dividing the work between discovery and orchestration.
Call Stacks With IAST Total
With an IAST (Interactive Application Security Testing) subscription, HCL AppScan Enterprise Version 10.5.0 can now leverage IAST Total to provide a call stack for detected vulnerabilities. This information gives deeper insight into the affected application components, parameters, endpoints, and so on, and pinpoints the exact location of the vulnerability, which speeds up triage and remediation.
Improved Historical Data Management
HCL AppScan Enterprise can now also store historical data for scans imported from HCL AppScan Source. This feature lets AppScan Source users view the history of rescans within HCL AppScan Enterprise after importing their issues from HCL AppScan Source. To retrieve historical data, Version 10.5.0 introduces two new APIs:
- historicdata/issues
- historicdata/metadata
Note: Previously, existing data was overwritten when new data was imported in a rescan or reimport scenario. This new feature is not enabled by default and must be set up by the support team.
Support for Folder Scanning, Visual Studio 2022
The newest version of the HCL AppScan Source for Analysis client now supports scanning folders directly from the user interface (previously available only in the CLI), without the need to create .PAF/.PPF configuration files. Folder scanning covers all languages supported by HCL AppScan Source, and it scans all sub-folders and files within the selected folder. This new scanning option is accessed via a node in the explorer view of the dashboard.
Version 10.5.0 of HCL AppScan Source also includes an updated plugin for Visual Studio 2022. Visual Studio is a popular integrated development environment (IDE) from Microsoft used to develop websites, web apps, web services, and mobile apps.
HCL AppScan Source has also added language support for scanning cascading style sheets (CSS), policy support for the OWASP Top 10 for API Security Risks (2023), and extended support for a number of file extensions, including:
- IaC: .conf, .curl, .ini, .properties, tf.json
- RPG: .rpgl, .sqlrpgle
- VB.NET: .vbs
All the updates in Version 10.5.0 are the result of both a continuous push for innovation and a partnership ethos that works to meet all customer feedback with meaningful improvements in our products. The results are enhanced user experiences, wider security coverage, and faster remediation times.
Visit HCL AppScan online today to learn more about these on-prem application security solutions as well as our flagship cloud offering, HCL AppScan on Cloud (free trials available), and our cloud-native offering, HCL AppScan 360.