start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
start portlet menu bar end portlet menu bar
Close
Select Page
Secure DevOps
  | February 15, 2022

What's New in AppScan on Cloud?

Rob Cuddy
Rob Cuddy
Global Application Security Evangelist
What's New in AppScan on Cloud?

If you haven’t looked at AppScan on Cloud recently, you’re missing out on some fantastic new features that make scanning more convenient and meaningful than ever. The last few months of 2021 introduced multiple improvements that provide significant advantages to our users. This blog will look at some of the newest features and benefits offered by AppScan on Cloud.

Log4j specific testing

With all the news surrounding the Log4j vulnerability, it was the logical next step for AppScan on Cloud to add testing capabilities to detect and provide remediation guidance for Log4j.  Specifically, a new security rule was added for DAST testing and automatically included for all Test Optimization types, so you can still prioritize speed without compromising the ability to scan for Log4j.  ASoC’s OSA testing also detects vulnerabilities associated with all 4 of the CVEs that have been identified with Log4j.  Figure 1 below illustrates an example of the new test result finding a potential remote command execution vulnerability.  You can watch the entire process of this DAST testing in below YouTube example.

Close icon
Video image Video Play Button
 

scan for latest vulns

Figure 1:  Finding Log4j Vulnerabilities in AppScan on Cloud 

New Single Scan Reporting  

Another innovative feature that has been added to ASoC is the single scan view. The single scan view is a detailed report on a scan that can even be viewed while the scan is running. Using the “Overview” tab of the single scan view provides visibility into the number of visited pages, tested elements, and vulnerability issues as they are found. Users can drill down to specific issues first discovered in the scan as they show up on their scan card. Figure 2 below provides an example of what this new view looks like. Once the scan is completed, issues can be viewed and filtered and reports can be downloaded. Columns in the scan report are clickable and lead to a filtered list in the “Issues” tab. On the “Issues” tab, comments can be added to an individual issue by selecting the “Comments” option. This allows users to effectively share feedback with their team members. 

appscan on cloud execution

Figure 2:  New Single Scan View in AppScan on Cloud 

New Language Supported 

ASoC recently announced support for the Report Program Generator, or RPG, a programming language used for business applications and primarily found on IBM I or OS/400 systems.  For more information about RPG as a language, see this programmer.io site.  Now ASoC users can now include file types of. rpg, .rpgl and .rpgle in static analysis.  At the time of this writing, AppScan on Cloud now supports over 30 different languages. 

Greater flexibility and control 

A constant area of focus for AppScan on Cloud is to make it easier to run scans that are meaningful and effective at vulnerability remediation.  As part of this effort, we have added a new report type for the 2021 OWASP Top 10 and several new capabilities to increase the amount of flexibility ASoC users have for controlling scans.    

Specifically, we have added the following: 

  • Support for both including and excluding .NET namespaces. 
  • Support for specifying cache locations when Java parallel processing is used.   
  • A new Rider plugin. 
  • Greater support for viewing issues found for the first time in the application.  
  • Easier processes for scheduling and editing a configured schedule
  • New icons to indicate the “Scheduled” and “Repeat” status of scans.   
  • An automatic log-out following an inactivity period of 30 minutes as well as two changes for how business units are managed.   
  • Support for merging two business units and the ability to add a limit to the number of business units allowed in the organization. 

Specific to IAST 

No discussion on ASoC would be complete without highlighting new features added for Interactive Application Security Testing (IAST). With the most recent upgrade, we added the ability to update the IAST agent configuration and made changes to improve overall performance: Java 17 support and enhanced support for communication with AppScan Enterprise in environments where the proxy is set through Java properties. Additionally, there are several new security features for IAST, including the capability to identify XXE on a JAXB class (more information on this particularly vulnerable class can be found at the OWASP XXE site) and detect JSON XSS informational issues (an XSS variant of vulnerable data written to responses as JSON). 

Conclusion 

We are confident that our existing AppScan on Cloud users will enjoy the benefits of these new additions.  If you are not yet an AppScan on Cloud user, we encourage you to visit our AppScan on Cloud site and sign up for our free trial to experience our new features first-hand. 

Comment wrap
Rob Cuddy
Rob Cuddy
Global Application Security Evangelist
Rob is currently a Global Application Security Evangelist for HCL providing thought leadership for the application security space, particularly as it relates to DevOps and DevSecOps initiatives. Prior to this role, Rob was with IBM for 14 years with roles in Application Security Evangelism, Worldwide Sales Enablement, Tiger Teams and Field Services for the Management and Platform Segment offerings in IBM Cloud. Rob has worked with clients all over the world to help address their challenges in ways that bring a positive impact to the business bottom line. Rob has spoken at numerous events and conferences, including Evanta CISO Summits, THINK, InterConnect, DevloperConnect, IBM Top Guns and many customer events. Prior to IBM, Rob spent 13 years with 5 different companies working as a configuration management specialist with an emphasis on Rational tooling. Rob graduated from the University of Southern California with a degree in Aerospace Engineering and is an avid fan of college football. When not at work, Rob enjoys spending time with his family, serving with his church, running and cycling. You can connect with Rob through the Application Paranoid podcast, via LinkedIn, Facebook and Instagram but the best way is by joining the “Robservatory” on twitter using the handle @Robservatory.
Read more

Topics in this article:

AppScanASoCcloudhcl appscanJSONOWASP Top 10

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


appscan
Secure DevOps | December 20, 2023
Secure Application Code Against Vulnerabilities Faster with HCL AppScan Fix Groups
Stop in for an update on how HCL AppScan helps find vulnerabilities and security risks, starting with built in AI that dramatically reduces the number of scan findings and practically eliminates false positives.
Uffe Sorensen
Itay Levin
Design Lead for HCL AppScan
appscan
Secure DevOps | December 5, 2023
HCLSoftware Named a Strong Performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023
HCLSoftware has been named a strong performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023 Report. Read the blog to know more.
Uffe Sorensen
Adam Cave
Product Marketing Manager, HCL AppScan
appscan
Secure DevOps | August 2, 2023
Wider Application Security Coverage with HCL AppScan DAST and Vulnerable Third-Party Component Detection
HCL AppScan DAST (dynamic application security testing) is an industry-leading technology that scans your applications and APIs against potential vulnerabilities.
Uffe Sorensen
Kamal Kumar Chandrashekar
Senior Product Manager, HCL AppScan
start portlet menu bar end portlet menu bar