HCL AppScan's DAST Engine Enhancements Superpower Your Application Security Testing

HCL AppScan just gets better and better. We’ve made significant investment in our Dynamic Application Security Testing (DAST) technology over the past year, and we’ve announced three AppScan product releases in the past six months. The purpose of my blog is to spotlight several of our major DAST engine capability updates for you, so you can test-drive them for yourself.

Recap of AppScan V10 Updates

In March 2020, we celebrated the first major AppScan release since the product line became part of the HCL family.

AppScan DAST highlights in our V10 release included the following:

Test Optimization Slider – Offering faster scanning at different phases of DevSecOps. The Test Optimization slider lets you control the trade-off between issue coverage and scan speed with four optimization levels.

Incremental Scanning – Offering shorter scans, by identifying changes in the application to significantly reduce the number of tests sent during the test phase.

Optimized Action-Based Explore with Machine Learning – Improved Explore stage efficiency that utilizes Machine Learning. AppScan predicts actions that are likely to lead to already-discovered parts of your site, so it can avoid them.

Out-Of-Band Vulnerabilities using AppScan DNS – Improved detection of vulnerabilities that cannot be directly detected through a tested application, such as OS Commanding, SSRF, and XXE attacks, using AppScan DNS resolution.

AppScan V10 portfolio updates can be found in Eitan Worcel’s blog.

AppScan V10.0.1 and V10.0.2 Enhancements

Our DAST enhancements didn’t end there. HCL continues to make significant investment in core DAST engine capabilities to provide better support for modern web applications and to present more comprehensive and accurate results. Highlights of our new DAST capabilities are recapped below.

New and Improved Testing Capabilities

As applications become more complex and require more frequent updates, our users have asked for expanded testing capabilities. For that reason, we’ve introduced a series of new testing enhancements that provide you with greater coverage and leverage new security rules.

Our testing improvements updates in AppScan V10.0.1 and V10.0.2 releases include the following:

• Expansion of our AppScan Domain Name Server (ADNS) capabilities that rely on an application’s externally observable behavior rather than on its direct reflection. You can learn more about ADNS in Shahar Sperling’s comprehensive blog.
• New tests for Blind XPATH injection and Blind LDAP injection.
• Enhanced validation for multi-step testing.
• An expanded number of Directory Guessing options provide you with greater testing coverage.
• Our Cross-Site Scripting (XSS) Analyzer now supports the Referer Header.
• Many additional new security rules were added. Please refer to our detailed release-notes for the details.

Improved Coverage, Higher Accuracy and Better Results

Not only do our users require expanded testing capabilities, they want to experience greater scanning and to be presented with more accurate results. In fact, a recent report by the Ponemon Institute found that cyber-security personnel in US enterprises wasted approximately 25% of their time chasing false positives because the security alerts they received were erroneous. There has to be a better way.

We invest a lot of effort to make sure our DAST scanning engine generates a low percentage of false positive findings. And, with every new release, we improve the accuracy of the findings, based on feedback from our customer base and our own internal testing activities.

To further improve the coverage and accuracy of results that we present to users, we’ve incorporated the following improvements into AppScan V10.0.1 and V10.0.2:

• We continue to offer better coverage for modern applications, by using our unique Action-Based-Explore technique. We continuously enhance the Action-Based-Explore capabilities, and in our recent releases we specifically focused on improvements that are associated with scanning Angular applications providing better automatic coverage for them.
• We have significantly improved AppScan’s automatic detection for error-pages. Most applications use customized error pages to indicate application errors. When these are not identified correctly, AppScan may think that a vulnerability was found, leading to a False Positive result. With our improved algorithms for automatic error page detection, a higher accuracy rate is observed for your results.
• Issue consolidation improvements consolidate frequently-occurring issues, resulting in a more compact set of results for you to review and manage. For example, Issues that share a single source (such as a server configuration) that occur in multiple locations across an application, will now be consolidated into a single issue, while all of the details will appear as variants. Consolidation reduces the overall number of issues without losing the important detail that you require.

Integration Capabilities

Many of our customers use multiple AppScan products. For example, security experts in large organizations often use AppScan Standard to create scan configurations that are later used by developers when scanning their applications using AppScan Enterprise or AppScan on Cloud. They can download the scans from AppScan Enterprise or AppScan on Cloud back to AppScan Standard later for deep triaging when required. To simplify these flows, we introduced the AppScan Connect capability in V10, and improved it with more capabilities in our following releases.

Integrating AppScan into a DevOps environment enables organizations to automate their security testing. This is usually performed by our customers using the REST API of AppScan Enterprise or AppScan on Cloud. We keep adding and improving these APIs in almost every release, to help our customers with the needs of their automation projects. Recently, we added a Jenkins plugin to AppScan Enterprise to ease this process even more.

Learn More

To see all of our new capabilities for yourself, you can request a demo now. As a reminder, all of the updates presented in my blog require an HCLSoftware AppScan license to utilize them, so contact your HCL representative for all of the details.