Static application security testing (SAST) scans the source code in web applications and APIs, looking for vulnerabilities that could turn into security risks. One of the persistent challenges with this type of code scanning is that these tools can produce a tremendous number of findings. Figuring out which of these findings are critical vulnerabilities that need to be fixed can be a difficult and time-consuming task.
HCL AppScan has a number of solutions to help with these challenges, starting with built-in AI that dramatically reduces the number of scan findings (from thousands to hundreds) and practically eliminates false positives.
The addition of Fix Groups to both our cloud and cloud-native platforms (HCL AppScan on Cloud and HCL AppScan 360º) significantly improves triage and remediation time even further by grouping findings by what they have in common so that a single fix can correct them all.
HCL AppScan supports three types of Fix Groups:
- Common Fix Point – This Fix Group applies to compiled languages like .NET and Java, where the static scanner performs data flow analysis to produce trace findings. This Fix Group combines all findings of the same vulnerability type whose traces flow through a common node. By fixing the issue in that common node, all findings within this Fix Group could be resolved.
- Common API – The common API group gathers all findings that are related to a specific API in use across a project. These issues can then all be solved together as a group by either using a different API, or by changing the way the original API is used.
- Common Open Source – The open-source group shows all issues that are related to a vulnerable library. Once the library vulnerability is identified, all related issues can be fixed as a group by either updating or changing the library.
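To make the Common Fix Point idea concrete, here is an added example (not HCL AppScan's code, and not its actual grouping algorithm) that greedily groups constructed trace findings of the same vulnerability type by the node shared by the most traces, then computes the two KPIs the Fix Group view reports: remediation tasks and issues covered. The finding format, node names and tie-breaking rule are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample findings (not real scan output): each carries the
# vulnerability type and the data-flow trace, source -> ... -> sink, that a
# SAST scanner reports for compiled languages such as Java or .NET.
FINDINGS = [
    {"id": 1, "type": "SQLi", "trace": ["Login.username", "Auth.lookup", "DB.query"]},
    {"id": 2, "type": "SQLi", "trace": ["Search.term", "Auth.lookup", "DB.query"]},
    {"id": 3, "type": "SQLi", "trace": ["Admin.filter", "Report.build", "DB.rawExec"]},
    {"id": 4, "type": "XSS", "trace": ["Login.username", "View.render"]},
    {"id": 5, "type": "XSS", "trace": ["Profile.bio", "Sanitize.skip", "View.render"]},
]


def common_fix_point_groups(findings):
    """Greedy Common Fix Point grouping: within one vulnerability type, pick the
    trace node shared by the most still-ungrouped findings, record it as the fix
    point, assign those findings to it, and repeat until none remain.
    Ties are broken toward nodes closer to the sink, where a single
    validation or parameterization fix usually lives (assumed heuristic)."""
    by_type = defaultdict(list)
    for f in findings:
        by_type[f["type"]].append(f)
    groups = []
    for vtype, remaining in sorted(by_type.items()):
        remaining = list(remaining)
        while remaining:
            coverage = Counter()   # how many ungrouped traces pass through a node
            depth = Counter()      # summed trace positions, to favour sink-side nodes
            for f in remaining:
                for pos, node in enumerate(f["trace"]):
                    coverage[node] += 1
                    depth[node] += pos
            node = max(coverage, key=lambda n: (coverage[n], depth[n] / coverage[n]))
            members = [f["id"] for f in remaining if node in f["trace"]]
            groups.append({"type": vtype, "fix_point": node, "issues": members})
            remaining = [f for f in remaining if node not in f["trace"]]
    return groups


def fix_group_kpis(groups):
    """The two KPIs from the Fix Group view: remediation tasks (one per group)
    and the total number of issues those tasks resolve."""
    return len(groups), sum(len(g["issues"]) for g in groups)


if __name__ == "__main__":
    gs = common_fix_point_groups(FINDINGS)
    for g in gs:
        print(f"{g['type']:5} fix at {g['fix_point']:<12} resolves issues {g['issues']}")
    print("remediation tasks, issues covered:", fix_group_kpis(gs))
```

On the sample data the five findings collapse into three remediation tasks, two of which each resolve a pair of issues at a shared sink.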
How the different Fix Groups are used
Fix group main view
In the new Fix Group view, there are two KPIs that show how much the Fix Groups can streamline the triage process – the total number of remediation tasks to be undertaken, and the total number of issues found in the groups related to those tasks.
The new Fix Group design has an improved UI with a grid where users can apply different filters to sort findings when applicable. Columns can be sorted by fix group type, severity, policies, and more.
Selecting a row in this view opens the Fix Group details drawer, where there is now an option to add multiple comments and view the audit history for each Fix Group.
Fix group issues
The Fix Group issues view has been updated so that users can now see the issues that relate to each group by clicking the Fix Group ID in the column. Details are shown at the top of the screen, and comments can be viewed or added. The table of Fix Group issues has been reorganized with the columns relevant to each Fix Group type. For example, the source, sink, and file name are available for the Common Fix Point; the context and file name are shown for the Common API; the location is listed for the Common Open Source CVE.
If you are already using HCL AppScan on Cloud or HCL AppScan 360º for your static analysis, give the Fix Groups a try and see for yourself how this improved capability can accelerate your triage and remediation.
If you are not yet using HCL AppScan SAST, take a free trial to see how this powerful technology can transform your application security.
More about HCL AppScan on Cloud
More about HCL AppScan 360º