HCL AppScan recently released HCL AppScan Source 10.0.8. In this blog, I highlight some of the new features in AppScan V10.0.8, by product line.

What’s new in HCL AppScan® Source 10.0.8

The AppScan® Source command line interface (CLI) has been containerized, making application security scanning more efficient and more robust. Once installed and configured, a testing environment can be created quickly and on demand, and scans can be run concurrently.

AppScan® Source provides a License Manager utility that is used for loading and updating license information on your client machine.

V10.0.8 enhancements for AppScan Source include the following:

APAR fixes in AppScan® Source version 10.0.8

  • Security Profile Report uses metrics only from the first project in a multi-project assessment, CQPAR00237855
  • AppScan® Source for Analysis creates .dmp files in the temp folder during a DFA scan, KB0096327
  • AppScan® delta.sh does not recognize filesystem paths that contain spaces on Linux, KB0097634
  • .NET Assembly projects fail if Visual Studio is not installed on the machine, KB0097692

Dropped Features

  • OWASP Top 10 2013 report

What’s New in HCL AppScan® Standard 10.0.8

Automatic API scanning using an imported Postman Collection file. HCL AppScan runs its own Explore stage using the collection and displays the resulting data in Dashboard and Data views. You choose whether AppScan continues automatically to the Test stage, to complete the scan, or whether you prefer to start the Test stage later.

V10.0.8 enhancements for AppScan Standard include the following:

  • New: OWASP API Security Top 10 2019 Industry Standard Report.
  • Improved automatic update functionality.
  • Security updates:
    • attSpringRemoteCommandExecution – Remote Command Execution on Spring Framework (CVE-2022-22965)
    • probeSpring – Probe Spring RCE (CVE-2022-22965)

APAR fixes in AppScan® Standard version 10.0.8

The APARs resolved and security updates included in this fix pack are listed here.

What’s New in HCL AppScan® Enterprise 10.0.8

V10.0.8 enhancements for AppScan Enterprise include the following:

  • Automatic API scanning using a Postman Collection. See How to scan using a Postman Collection.
  • New OWASP API Security Top 10 2019 Industry Standard Report.
  • Granular access control to restrict modification of Severity value and CVSS attributes.
  • The db_owner permission is not mandatory to configure and run AppScan® Enterprise. Only a minimum of ddladmin, datawriter and datareader permissions are required.
  • Activity Log on the Administration console is available as Technology Preview code.
  • Support for Microsoft Edge browser.
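The reduced database permissions above are the one item here with a concrete hardening step. The following T-SQL is an added example, not taken from HCL documentation: it provisions the AppScan® Enterprise database account with only the three roles named in the release notes (assuming "ddladmin, datawriter and datareader" refer to the SQL Server fixed database roles db_ddladmin, db_datawriter and db_datareader), and shows the db_owner membership to drop on an existing installation. The database name ASE_DB and the account name ase_svc are placeholders.

```sql
-- Added example (not HCL's own script). Placeholders: ASE_DB, ase_svc.
USE [ASE_DB];
GO

-- Weak setting required by earlier releases: full control of the database.
-- On an installation being upgraded, remove it once the account has the
-- roles below.
-- ALTER ROLE db_owner DROP MEMBER [ase_svc];

-- Least-privilege setting for 10.0.8: schema changes plus read/write on data.
-- Assumes a server login named ase_svc already exists.
CREATE USER [ase_svc] FOR LOGIN [ase_svc];
ALTER ROLE db_ddladmin   ADD MEMBER [ase_svc];
ALTER ROLE db_datawriter ADD MEMBER [ase_svc];
ALTER ROLE db_datareader ADD MEMBER [ase_svc];
GO

-- Check: the account should be listed under exactly these three roles and
-- never under db_owner.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'ase_svc'
ORDER BY r.name;
```

Run the final SELECT again after the AppScan® Enterprise configuration wizard completes, since any role it adds will show up there.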

Fixes and security updates in AppScan® Enterprise version 10.0.8

New security rules in this release include:

  • attSpringRemoteCommandExecution – Remote Command Execution on Spring Framework (CVE-2022-22965)
  • probeSpring – Probe Spring RCE (CVE-2022-22965)

Other fixes:

  • Option provided in configuration wizard to opt out of Simple Recovery Mode for SQL Server Database.
  • In some cases, AppScan® Enterprise uses a lower version of TLS. Fix applied to use TLS 1.2 (when enabled on the system) for all internal communication.

The complete list of fixes, updates, and RFEs in this release is listed here.

Removed in this release

  • Internet Explorer (IE) browser support for v8.0 and v9.0.

Upcoming changes

The following will be removed in a future release:

  • The Web Services, The Vital Few, and Developer Essentials test policies will be removed, since similar results can now be achieved with other policies. For information, see Predefined Test Policies.
  • Internet Explorer (IE) browser support for v10.0 and v11.0 will be removed.
  • CVSS 2.0 scoring will be dropped and replaced with CVSS 3.1.
  • Ability to edit CVSS ratings on an issue.
  • Import of issues from Mobile Analyzer report.

To learn more, please visit our Customer Support Page. Want to start today but don’t know where to begin? Click here and fill out our form for a free trial and someone from our HCL AppScan team will connect with you!

We would also like to invite you to our next Webinar. On August 2nd you’ll be able to see the Automatic Issue Correlation that is now part of HCL AppScan. Learn how to build on the strengths of each AST approach while reducing its weaknesses, how auto correlation enhances each approach, and how to improve your prioritization process. Register Today!
