start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
Close
Select Page

Web applications face an increasing number of security threats every day. Fortunately, application security testing platforms like HCL AppScan are constantly evolving to recognize new vulnerabilities. But with DevOps teams releasing code at faster and faster rates, the time it takes to remediate issues can become a critical pain point. Prioritizing which problems to fix is becoming increasingly important in the face of sometimes overwhelming test results.

HCL AppScan is making that process easier and more efficient using an Auto Issue Correlation algorithm leveraging its IAST solution (Interactive Application Security Testing) available in both its AppScan Enterprise and AppScan on Cloud offerings. These security solutions also include DAST (Dynamic Application Security Testing), SAST (Static Application Security Testing) tools and Auto Issue Correlation makes full use of all of them.

Each testing engine has different strengths and weaknesses, but Automatic Issue Correlation pulls from the strengths when viewing all the data together. For instance, whereas DAST delivers very accurate results, it cannot see the code and provide the level of detail that you get from SAST and IAST scans. But with correlation, you can use your SAST and IAST scans to confirm and enrich the findings of your DAST results.

Likewise, SAST can produce an overwhelming number of findings making it hard to know what to prioritize for remediation. But the accuracy of IAST and DAST scans, when overlayed on top of the SAST results produces a subset of clearly critical issues that are now easier to remediate all at once.

Additionally, SAST fixes cannot be validated since the developers are “inside the box” and only looking at the code unlike DAST and IAST. If an issue can be confirmed as resolved with correlation from these additional engines in the form of status updates, users gain fix validation in addition to the complete coverage and short scan times inherent in SAST.

risk rating

Sample AppScan dashboard showing scans, issues found, and correlations.

Auto Issue Correlation extracts data from each IAST, DAST and SAST issue and then uses a variety of heuristics to identify correlations. This effectively reduces the overall number of vulnerabilities and remediation tasks by grouping issues together where they can be addressed quickly and completely. If a related issue was found by all three testing engines—IAST, DAST and SAST—it moves to the top of the list for remediation. Next in line are issues correlated from IAST and DAST or IAST and SAST. After that priority moves to issues found by IAST or DAST. And once all these fixes have been made, developers can move on to any remaining issues found exclusively by SAST.

IAST with Auto Issue Correlation delivers a more efficient and organized approach to fixing security issues, giving both developers and security teams greater confidence in the outgoing product, no matter how fast the updates keep coming.

Visit hcltechsw.com/AppScan to learn more or schedule a demo.

 

Comment wrap
Secure DevOps | July 15, 2024
A New Milestone: Cloud-Native Application Security with DAST
HCL AppScan 360º is a fully cloud-native application security platform that provides comprehensive security testing for on-prem, private cloud and hybrid environments.
Secure DevOps | June 26, 2024
Important Announcement: HCL AppScan Plans Licensing Changes to Take Effect June 2025
HCL AppScan announces a 12-month roadmap for enhanced features across all solutions. New licensing model, updated distribution platform, and end-of-support for older versions.
Secure DevOps | May 14, 2024
HCL AppScan 360º: Unlocking Scalability and Efficiency
HCL AppScan 360º gets a major upgrade! Kubernetes-powered architecture brings easier scaling, simplified management and stronger security. Learn more!