Home
DAST
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Dynamic (DAST) scanning
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.

Welcome
Welcome to the documentation for HCL AppScan on Cloud.
Getting started
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Navigation
This section describes the items on the main ASoC menu bar, and links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
DAST
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
- Dynamic (DAST) scanning
  ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Create scan
    Provide the Starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Create scan from template
    You can upload your own AppScan Standard template (SCANT) file to run an ASoC scan.
  - Create scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an ASoC scan.
  - Recording traffic
    You can download and install the free AppScan Activity Recorder browser extension (for Chrome or Edge), the AppScan Traffic Recorder extension, or use AppScan Standard.
  - Using AppScan Standard
  - Test policy
    The AppScan Standard Default test policy is used when running scans from the ASoC UI, but other policies can be applied with imported scans, or scans run from the API.
  - Test optimization
    Test Optimization uses intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.
  - Test automation
    This section describes how to incorporate dynamic scanning in your functional testing.
  - Client certificates
- AppScan Presence
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
- AppScan Traffic Recorder
  The AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
IAST
Using an agent installed on your application, ASoC identifies security vulnerabilities in your app during runtime, by monitoring all interactions, both legitimate and malicious. The process is "passive", in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scan History tab of your application displays your scan results (including scan statistics) and rescan options.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Dynamic (DAST) scanning

ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.

The DAST scan wizard offers three paths:


Option	Description
Create a new scan	Configure and run your scan in using the ASoC wizard options. You can upload a recording of the login procedure, if needed. You can upload a traffic file (DAST.CONFIG) to ensure that specific parts of the application are covered. Create a new scan (full configuration)
Upload template file	If you have an AppScan Standard template (SCANT) file, you can use it as the configuration for your ASoC scan. This lets you benefit from all the configuration options available in AppScan Standard. An AppScan Standard template also includes the login recording and Multistep configuration. The template does not include a Manual Explore, but you can upload a traffic recording (DAST.CONFIG file) to ensure that specific parts of the application are covered. Create a new scan from a template file
Upload scan file	If you have an AppScan Standard scan (SCAN) file, you can use it as the configuration for your ASoC scan. Manual Explore, Multistep operations, and Web API files such as a Postman Collection saved in the SCAN file will be included in the scan. You can run a full scan or use the existing Explore date from the file and run only the Test stage of the scan. Create a new scan from a scan file

Scanning web APIs

When scanning a web API, be aware of the following:

Automatic Explore will not work for a web API, so you must provide a traffic recording. See Recording traffic
If you have a Postman Collection, you can import it to AppScan Standard, save as a SCAN file, and then Create a new scan from a scan file.

Related topics

For a list of Threat Classes tested for in Dynamic Analysis, and their related CWEs, see Dynamic Analysis.