
With the new release of version 10.2.0, HCL AppScan continues to demonstrate an unwavering commitment to innovative application security testing. Three on-premises products have now been updated with critical capabilities and user experience functionality, all based on extensive security research and customer feedback. The updates are all part of an innovation roadmap that’s looking ahead to meet not just today’s security needs, but those of tomorrow as well.

Let’s take a look.

AppScan Standard

HCL AppScan Standard is an on-premises dynamic analysis product featuring industry-leading DAST technology. As part of version 10.2.0, new updates include:

CVSS 3.1 scoring

  • Issue severity and CVSS score are now based on CVSS 3.1 scoring.
    Scans run in earlier HCL AppScan versions (which used CVSS 2.0 scoring) can either have 3.1 scoring applied, which may change some issue scores and severities, or be viewed with their original scores.
  • New Critical severity for issues has been added, in line with CVSS 3.1.

New configuration view

  • The previous Configuration dialog box has been revamped, reorganized, and integrated as a native view in the main user interface.
  • Web API scans are now configured in the new Configuration view (see API).
  • The scan wizards have been replaced with Presets in the new Configuration view, showing you the essential options for fast setup.

Updated regulatory compliance report template:

  • [US] California Consumer Privacy Act (CCPA) – AB-375.

New security rules in this release include:

  • MaxLengthVuln – Search for “maxlength” attributes with a very large constraint
  • LeakedSecretTokens – Search for secret tokens in the response
  • SecurityRule_AbstractContentSecurityPolicyRule – New abstract CSP rule added (containing common detection and mutation)
  • attNoHttpsRedirection – Check for HTTPS redirection when HTTP scheme is used
  • attText4Shell – Added new rule for Text4Shell Vulnerability (CVE-2022-42889)
  • attGraphqlIntrospectionMutation – Check whether introspection is enabled in GraphQL


AppScan Enterprise

HCL AppScan Enterprise is a scalable on-premises application security testing tool offering SAST, DAST, IAST as well as extensive risk-management visibility and oversight. As a part of version 10.2.0, new updates include:

CVSS 3.1 scoring

  • Issue severity and CVSS score are now based on CVSS 3.1 scoring. Any new scans will be based on CVSS 3.1 scoring. Scan findings prior to the upgrade will be preserved using CVSS 2.0 scoring until rescan. For more information, see the CVSS 3.1 Specification.

Improved user controls:

  • Read-only users can now comment on issues if the global option is enabled.
  • Granular access control to restrict modification of the issue status.
  • Mandated comment on the status change of an issue.
  • New API endpoint that reports the findings of a scan: /issues/(jobID)
  • Activity Log is updated with multi-level filtering and other improvements.

Updated regulatory compliance report template:

  • [US] California Consumer Privacy Act (CCPA) – AB-375.

New security rules in this release include:

  • MaxLengthVuln – Search for “maxlength” attributes with a very large constraint
  • LeakedSecretTokens – Search for secret tokens in the response
  • SecurityRule_AbstractContentSecurityPolicyRule – New abstract CSP rule added (containing common detection and mutation)
  • attNoHttpsRedirection – Check for HTTPS redirection when HTTP scheme is used
  • attText4Shell – Added new rule for Text4Shell Vulnerability (CVE-2022-42889)
  • attGraphqlIntrospectionMutation – Check whether introspection is enabled in GraphQL API
  • oHttpsRedirection – Added a check for HTTPS redirection when HTTP scheme is used
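Several of the rules listed here, and in the identical list for AppScan Standard above, describe checks that are easy to reason about in code: does a plain-HTTP request get redirected to HTTPS on the same host, does a response body carry a credential-shaped string, is a maxlength attribute so large it constrains nothing, and does a GraphQL endpoint answer an introspection query. The following Python is an added example written for this page, not AppScan's rule engine or its signatures; it runs simplified versions of those four checks over a constructed request/response record. The Response class, the secret-token patterns, the 10,000-character maxlength threshold, the rule names used as finding keys, and the sample traffic are all assumptions chosen for illustration.

```python
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    """Minimal stand-in (assumed, not AppScan's model) for a recorded request/response."""
    url: str                      # URL that was requested
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def no_https_redirection(resp: Response) -> bool:
    """Like attNoHttpsRedirection: an http request should be redirected to https on the same host."""
    requested = urlparse(resp.url)
    if requested.scheme != "http":
        return False                      # rule only applies to plaintext requests
    if resp.status not in (301, 302, 303, 307, 308):
        return True                       # served over plaintext, no redirect at all
    target = urlparse(resp.headers.get("Location", ""))
    # A relative Location (no scheme) or a redirect to another host also fails the check.
    return target.scheme != "https" or target.hostname != requested.hostname


# Assumed credential formats (public key/token shapes), not AppScan's own signatures.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def leaked_secret_tokens(resp: Response) -> list:
    """Like LeakedSecretTokens: names of secret formats found anywhere in the body."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(resp.body))


MAXLENGTH_RX = re.compile(r"<input\b[^>]*\bmaxlength\s*=\s*[\"']?(\d+)", re.I)


def oversized_maxlength(resp: Response, threshold: int = 10000) -> list:
    """Like MaxLengthVuln: maxlength values too large to be a real client-side constraint."""
    return [int(v) for v in MAXLENGTH_RX.findall(resp.body) if int(v) >= threshold]


# The probe a scanner would send to a GraphQL endpoint before evaluating the reply.
INTROSPECTION_QUERY = json.dumps({"query": "{ __schema { types { name } } }"})


def graphql_introspection_enabled(resp: Response) -> bool:
    """Like attGraphqlIntrospectionMutation: did the endpoint return a schema for the probe?"""
    try:
        data = json.loads(resp.body)
    except ValueError:
        return False                      # not JSON, so not a GraphQL answer
    return isinstance(data, dict) and isinstance(data.get("data"), dict) \
        and "__schema" in data["data"]


def run_rules(resp: Response) -> dict:
    """Apply all four checks and return {rule name: evidence} for those that fire."""
    findings = {}
    if no_https_redirection(resp):
        findings["attNoHttpsRedirection"] = resp.url
    if (tokens := leaked_secret_tokens(resp)):
        findings["LeakedSecretTokens"] = tokens
    if (sizes := oversized_maxlength(resp)):
        findings["MaxLengthVuln"] = sizes
    if graphql_introspection_enabled(resp):
        findings["attGraphqlIntrospectionMutation"] = resp.url
    return findings


# Constructed sample traffic for a fictional host; AKIAIOSFODNN7EXAMPLE is AWS's documented dummy key.
SAMPLES = [
    Response("http://shop.example/", 200, {"Content-Type": "text/html"},
             '<form><input name="q" maxlength="999999"></form>'
             '<script>var cfg={"key":"AKIAIOSFODNN7EXAMPLE"};</script>'),
    Response("http://shop.example/login", 301, {"Location": "https://shop.example/login"}),
    Response("https://shop.example/graphql", 200, {"Content-Type": "application/json"},
             '{"data":{"__schema":{"types":[{"name":"Query"}]}}}'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.url, run_rules(sample))
```

The checks are deliberately stateless functions of one recorded exchange, which is how a passive rule behaves; the GraphQL check is the one exception, since it only makes sense after the scanner has actively sent INTROSPECTION_QUERY. Note the redirect check treats a redirect to HTTPS on a different host as a failure, because that still leaves the original host reachable in plaintext.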


AppScan Source

HCL AppScan Source is an on-premises static analysis product featuring SAST technology and Intelligent Finding Analytics (IFA), machine learning that HCL reports reduces false positives by 98%. As a part of version 10.2.0, new updates include:

Enhanced and new functionality

  • Configure license inactivity time in the license config file.
  • HCL AppScan® Source CLI now allows for source-code-only scanning when scanning folders.
  • Project file extensions preferences now list available language/project types in a drop-down list instead of on tabs.
  • Supports Red Hat Enterprise Linux 8.6.
  • Supports .NET 7.

Additional HCL AppScan Source and HCL AppScan Enterprise interoperability information

  • HCL AppScan Enterprise version 10.2.0 scores issues with CVSS 3.1. If you use HCL AppScan Source and upgrade to HCL AppScan Enterprise 10.2.0, the severity shown for the same finding may differ between the two products, because CVSS 3.1 scores and bands issues differently from CVSS 2.0 (including the new Critical band).

