Home
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Dynamic scanning (DAST)
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
Creating an Incremental scan

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
- About dynamic analysis (DAST)
  An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Create scan
    Provide the starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Create scan from template
    You can upload your own AppScan Standard template (SCANT) file to run an ASoC scan.
  - Create scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an ASoC scan.
  - Creating an Incremental scan
  - Test policy
    The AppScan Standard Default Test Policy is used when running scans from the ASoC user interface, but other policies can be applied with imported scans, or scans run from the API.
  - Test optimization
    Test optimization uses intelligent test filtering to achieve faster scans with minimal loss of issue coverage. When speed is a consideration, choose between four optimization levels.
  - Test automation
    Incorporate dynamic scanning in your functional testing.
  - Client certificates
- AppScan Presence
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
- Recording traffic
  You can record traffic as Explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Creating an Incremental scan

About this task

An incremental scan can save time by utilizing the results of a previous scan and testing either:

New parts of the application as well as those parts of the application where an issue was previously found, or
Only new parts of the application

An incremental scan includes an Explore stage to discover the current structure of the application and identify what is new compared with the base scan. This is followed by a Test stage that offers the above two options.

Note: Incremental scanning can be very useful if you want to run frequent and faster scans, but it is recommended to run full scans from time to time, in case new bugs occur in previously error-free parts of your application.

Procedure

To execute an incremental scan, you can rescan a completed or partially completed DAST scan through any of the following methods:
1. Scans and sessions > DAST Scans. From the ellipsis menu , click Rescan.
2. Applications > Application name > Scans and sessions > DAST Scans. From the ellipsis menu , click Rescan.
Note: You can also access the Rescan option on an individual scan page from the Manage scan drop-down.
In the Rescan dialog box, select the Incremental scan option.
Select the base scan from the Base scan drop-down menu.
Note: Only scans that were executed within the last 60 days and were either completed or partially completed are available for selection.
Select which type of retest option you want to apply to the scan:
- Yes, test new parts of the application and also retest for previously found issues.
- No, test only new parts of the application.
Click Review and scan.
Review the summary and click Scan now.

What to do next

You can view the status of the scan on the Scans and sessions page. The icon indicates an incremental scan.