Getting started

Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.


HCL AppScan on Cloud (ASoC) is a SaaS solution for all application security testing needs. It consolidates all HCL Security’s testing capabilities into a single service that provides a uniform experience for all technologies. HCL Security ASoC can scan web, mobile, and desktop applications using dynamic and static techniques.
Dynamic Analysis (DAST)
ASoC performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet. See Dynamic (DAST) scanning
Static Analysis (SAST)
ASoC performs security scans for web and desktop applications. Its Static Analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA). IFA can dramatically reduce the manual effort of triaging security findings to focus only on positive, high-value issues. ICA helps reduce, or avoid entirely, the complex configuration required in other technologies, improving scan accuracy automatically. See Static (SAST) scanning
Mobile Analysis
ASoC performs runtime security analysis for both Android and iOS apps. By simply uploading the application image (APK or IPA files) a runtime analysis is performed, and issues found are provided with reproduction instructions for ease of debugging and resolution. As with dynamic analysis, pre-production mobile apps with service backends accessible only within the organization can be tested using the Private Site Scanning technology. See Mobile scanning
Interactive Analysis (IAST)
Using an agent installed on your application, ASoC identifies security vulnerabilities in your app during runtime, by monitoring all interactions, both legitimate and malicious. The process is "passive", in the sense that IAST does not send its own tests, and can therefore run indefinitely. See Interactive (IAST) monitoring
Open Source Analysis
ASoC identifies open source packages that are used in the application, reports those that have known vulnerabilities, and offers remediation advice. Open source testing can be run alone or as part of a static scan. See Open Source testing

ASoC has a web UI that enables all its functionality. However, IDE and automation systems plugins can also be used, so interaction with the service itself is not required if it is not needed. Developers, for example, remain in their own Integrated Development Environment (IDE) without having to go back-and-forth between the IDE and the browser. The IDE plugins also enable code interactions that would be impossible using the web UI.

To complement its functionality, ASoC also exposes a comprehensive set of REST APIs which drive operations in ASoC. This is makes ASoC ideal for integration into automation environments. Customers can compose their own workflows using the REST APIs, rather than being tied to an ASoC workflow.

ASoC aids security policy compliance. By using predefined policies, or defining custom policies, it is easy to identity which applications are non-compliant and require attention. By filtering according to defined policies, issue fixes can be prioritized. Instead of getting lost in a sea of issues, filtering according to specific policies helps prioritize fixes to target specific compliances.

ASoC also lets you run Personal Scans, that appear in the list of scans for an application, but whose scan data is not merged with the rest of the application results. This enables developers to run scans without the issues found appearing in the overall application data. The results of personal scans can thus be examined for critical issues before the code is pushed to the main code stream.

ASoC helps leverage all scanning capabilities to scan many types of applications, manage the security compliance of the whole organization, and automate security scanning operations.