start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
start portlet menu bar end portlet menu bar
Close
Select Page
Secure DevOps
  | July 17, 2020

Achieve Private Site Scanning with AppScan on Cloud

Shahar Sperling
Shahar Sperling
Chief Architect at HCL AppScan
Achieve Private Site Scanning with AppScan on Cloud

As suggested by its very name, HCL AppScan on Cloud (ASoC) is a cloud-based service. It features a Web-Application Dynamic Analysis Security scanner that lives outside the organization’s network.

ASoC can easily scan publicly available web applications. However, development and test applications typically are deployed inside the organization, behind the firewall and/or inside labs. To scan those applications, you need to use Private Site Scanning (PSS).

How to achieve Private Site Scanning from the Cloud

The obvious but arduous and expensive solution is to add network components, such as VPNs and proxies, or change the network to allow the scanner access into the organizational network. That approach is not ideal and is frowned upon by CIOs and IT security teams.

The ASoC PSS solution requires no specialized hardware or changes to your network that might introduce additional risk. The ASoC PSS client is set up in your network and requires only outgoing access to the Internet (directly or via proxy) and access to the site being scanned. This client can be installed on any machine in the organization and requires relatively few resources.

PSS is part of the AppScan Presence package which provides capabilities such as a recording proxy and uses the service to receive instructions from the ASoC service.

ASoC PSS consists of two endpoints that create a secure (TLS-encrypted) TCP/IP tunnel:

  • The tunnel server endpoint resides in the cloud network, alongside the scanner. This endpoint receives requests that the scanner generates and forwards them down the tunnel to the client.
  • The tunnel client endpoint initiates the tunnel connections. This is key to avoiding network restrictions, as outgoing connections to the Internet can be easily allowed in organizations. The client receives the traffic sent down the tunnel from the server, forwarding it to the tested application. The responses make the same trip, in reverse.

In ASoC, mark the tested application as a PSS and select the location of the AppScan Presence to use. After that everything is automatic.

Security considerations with ASoC PSS

ASoC enables security scanning, so security considerations were key in developing and implementing the ASoC PSS solution. ASoC developers focused on the security of our customers’ networks and the security of the tunnel connection.

As noted, PSS does not require any changes to your network; no special concessions are required by the PSS tunnel client. This allows you to apply the organizational security policies on the host machine that’s running the PSS tunnel client. Additionally, there are no changes required to the organizational firewall, such as allowing incoming connections on certain ports or IP addresses.

Each Presence instance has a unique key that serves as its ID. The key is used to identify the Presence instance and provides it with the correct scan tasks. The key can be renewed at any time, and so can conform to organizational security policies that require periodic updates. Once a key is renewed on the server, the Presence instance stops receiving tasks until the key is physically placed on the Presence machine.

To secure the connection at the PSS level, it is crucial that the tunnel server and tunnel client can trust each other to prevent external access to the private network from an unvalidated location. When a scan is ready to run and the tunnel server is started, PSS generates two certificates: one for itself and one for the client.

The server certificate, along with the client-side certificate and private key, are passed to the tunnel client, along with the scan task details (via the secured communication between the Presence service and the SaaS service). The tunnel client and tunnel server can then validate the identity of the remote connection. The certificates are invalidated once the scan is completed, and are never reused, even for rescanning.

All this put together, Application Security on Cloud Private Site Scanning provides a mechanism to leverage cloud-based security scanners to scan deployed applications within an organization in a simple and secure manner.

For more technical information regarding PSS, please see

https://help.hcltechsw.com/appscan/ASoC/appseccloud_private_site_scanning.html

Learn More

To test-drive HCL AppScan on Cloud on your own, register now for our 30-day free trial.

Comment wrap
Shahar Sperling
Shahar Sperling
Chief Architect at HCL AppScan
Shahar Sperling is the chief architect at HCL AppScan. He has 23 years of experience in professional software development. He has spent the last 13 years with the AppScan team, developing a variety of new products and technologies.
Read more

Topics in this article:

Application Security TestingAppScan on CloudAppSecASoCDevOps

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


appscan
Secure DevOps | August 2, 2023
Find More Vulnerabilities Than Ever Before with the new HCL AppScan Version 10.3.0
HCL AppScan continues to push forward on an accelerated innovation roadmap with the release of version 10.3.0 for three on-prem software products: HCL AppScan Standard, Enterprise, and Source.
Uffe Sorensen
Adam Cave
Product Marketing Manager, HCL AppScan
appscan
Secure DevOps | July 5, 2023
HCL AppScan's Dynamic Start to 2023: A First Quarter Event Recap
Get the scoop on HCL AppScan’s first quarter of 2023 as we recap our active engagement in industry-leading events around the world.
Uffe Sorensen
Courtney Coleman
appscan
Digital Solutions | February 14, 2023
What You'll Learn in AppScan's February Innovation Workshop
This month, we are pleased to present the second installment of our Integrated tools innovation workshops.
Uffe Sorensen
Courtney Coleman
start portlet menu bar end portlet menu bar