About HCL AppScan on Cloud

Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.

Introduction

HCL AppScan on Cloud (ASoC) is a SaaS solution for application security testing. It consolidates HCL Security's testing capabilities into a single service that provides a uniform experience across technologies. ASoC can scan web, mobile, and desktop applications using dynamic, static, interactive, and software composition analysis techniques.
Dynamic analysis (DAST)
ASoC performs dynamic security scans of web applications in production, staging, and development environments. For applications that are not reachable from the public Internet, such as those in development environments, scanning is aided by Private Site Scanning technology. See Dynamic scanning (DAST).
Static analysis (SAST)
ASoC performs static security scans of web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA). IFA reduces the manual effort of triaging findings by focusing on high-value issues that are likely true positives. ICA reduces, or removes entirely, the complex configuration that other static analysis technologies require, improving scan accuracy automatically. See Static (SAST) scanning.
Interactive monitoring (IAST)
Using an agent installed with your application, ASoC identifies security vulnerabilities at runtime by monitoring all interactions with the application, both legitimate and malicious. The process is "passive" in that IAST does not send tests of its own, so it can run indefinitely. See About interactive monitoring (IAST).
Software Composition Analysis (SCA)
ASoC identifies the open source packages used in an application, reports those that have known vulnerabilities, and offers remediation advice. SCA testing can be run on its own or as part of a static scan. See About Software Composition Analysis (SCA).

All ASoC functionality is available through its web interface, but IDE and automation-system plugins can be used instead, so direct interaction with the service is not required when it is not needed. Developers, for example, can remain in their integrated development environment (IDE) without switching between the IDE and the browser. The IDE plugins also enable code interactions that are not possible through the web interface.

To complement this functionality, ASoC exposes a comprehensive set of REST APIs that drive its operations, which makes it well suited to integration into automation environments. Customers can compose their own workflows with the REST APIs rather than being tied to an ASoC workflow.

ASoC aids security policy compliance. Using predefined policies, or custom policies that you define, you can identify which applications are non-compliant and require attention. Filtering issues according to a policy lets you prioritize the fixes that target a specific compliance requirement, instead of getting lost in a sea of issues.

ASoC also lets you run personal scans. Personal scans appear in the list of scans for an application, but their data is not merged with the rest of the application results. This lets developers run scans without the issues found appearing in the overall application data, so the results can be examined for critical issues before the code is pushed to the main code stream.

ASoC helps you apply all of these scanning capabilities to many types of applications, manage the security compliance of the whole organization, and automate security scanning operations.