Home
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Dashboard
The main dashboard is the third item on the main menu bar. It gives you a detailed overview of the current state and history of all your applications.
Risk rating
The Risk rating for an application is a function of the highest severity of active issues in the application, and the business impact defined for the application. Higher numbers indicate increased risk.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
- All applications
  The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. From the Applications page, you can create new applications and open individual application pages.
- Scans and sessions
  This view lists all scans and sessions in all your applications.
- Open source libraries
  Search for, review, and take action on open source libraries associated with applications.
- Dashboard
  The main dashboard is the third item on the main menu bar. It gives you a detailed overview of the current state and history of all your applications.
  - Risk rating
    The Risk rating for an application is a function of the highest severity of active issues in the application, and the business impact defined for the application. Higher numbers indicate increased risk.
- Organization
  Organization is your go-to hub for managing policies, domains, settings, subscriptions, and audit trails – it's where you control and organize it all.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Risk rating

The Risk rating for an application is a function of the highest severity of active issues in the application, and the business impact defined for the application. Higher numbers indicate increased risk.

Severity and Business impact are each assigned numerical values, and multiplied together to produce a risk value. This value is converted to the Risk rating.

[Risk rating value] = [Severity of highest active issue] x [Business impact of application]

Severity values

The severity of the highest active issue in an application is converted to a numerical value following this table:

Severity	Value
Critical	5
High	4
Medium	3
Low	2
Informational	1

Note: Active issues are issues whose status is New (deprecated), Open, In Progress, or Reopened. You can edit this in Issue status.

Business impact

The Business impact assigned to the application is converted to a numerical value following this table:

Business impact	Value
Critical	5
High	4
Medium	3
Low	2
Unspecified	0

Note: The default Business impact setting is Medium (3). You can change this to a different value, and also set it to Undefined. When Business impact is Unspecified, Risk rating will be Unknown.

To define business impact:

On the main toolbar, click Applications, to open Application view.
Locate the application you want to edit, and click on the right hand side of its row.
Use the Business impact combo-box to select the value you want: Critical, High, Medium, or Low.

Risk rating calculation

Value	Risk rating
20-25	Critical
15-19	High
9-14	Medium
1-8	Low
0	Unknown

Note: If an application contains at least one scan, even though there are no active issues, its Risk rating is set as Low.