Getting started
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Introduction
- Dynamic (DAST) analysis: ASoC performs security scans of web applications in production, staging and development environments. For development environments it is aided by Private Site Scanning technology, which scans applications that are not accessible from the open Internet. See Dynamic (DAST) scanning
- Static (SAST) analysis: ASoC performs security scans of web and desktop applications. Its static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA). IFA can dramatically reduce the manual effort of triaging security findings, so that you focus only on true-positive, high-value issues. ICA helps reduce, or avoid entirely, the complex configuration required by other technologies, improving scan accuracy automatically. See Static analysis
- Interactive (IAST) analysis: Using an agent installed on your application, ASoC identifies security vulnerabilities in your app at runtime by monitoring all interactions, both legitimate and malicious. The process is "passive", in the sense that IAST does not send its own tests, and can therefore run indefinitely. See Interactive (IAST) monitoring
- Software Composition Analysis (SCA): ASoC identifies the open source packages used in the application, reports those that have known vulnerabilities, and offers remediation advice. SCA testing can be run alone or as part of a static scan. See Software Composition Analysis (SCA) testing
ASoC has a web UI that exposes all of its functionality. However, IDE and automation-system plugins can also be used, so direct interaction with the service is not required if it is not needed. Developers, for example, can remain in their own Integrated Development Environment (IDE) without switching back and forth between the IDE and the browser. The IDE plugins also enable code interactions that would be impossible through the web UI.
To complement this functionality, ASoC also exposes a comprehensive set of REST APIs that drive operations in ASoC. This makes ASoC well suited to integration into automation environments: customers can compose their own workflows using the REST APIs rather than being tied to an ASoC workflow.
ASoC aids security policy compliance. By using predefined policies, or by defining custom policies, it is easy to identify which applications are non-compliant and require attention. Filtering issues according to defined policies lets you prioritize fixes: instead of getting lost in a sea of issues, you can target the fixes needed to meet specific compliance requirements.
ASoC also lets you run Personal Scans, which appear in the list of scans for an application but whose scan data is not merged with the rest of the application results. This enables developers to run scans without the issues found appearing in the overall application data, so the results of a personal scan can be examined for critical issues before the code is pushed to the main code stream.
ASoC helps you use all of these scanning capabilities to scan many types of applications, manage the security compliance of the whole organization, and automate security scanning operations.