Previous updates 2019-2020

• Renamed:
  • Status > Issue Status
  • Severity Value > Severity
  • Source File > File Name
• Added: External Id and CVSS
• Removed: Protocol

• Creating a 'NIST Special Publication 800-53' app report instead creates a 'Sarbanes-Oxley Act (SOX)' report
• Open source security issues not shown as non-compliant although included in application policy

• Application Data is now (as expected) included in Reports only when the Metadata > Coverage checkbox is selected in the UI, or the Coverage flag used in the REST API.
• PRB0067750: Optimization Level changes when scan job is transferred for scanning agent, is fixed.

• Implemented an API function that returns the number of issues per Status
• Domains API added
• Swagger functions now include the possible error response codes

• Scans “Under Review” can now be deleted
• Swagger can now be opened automatically from the UI Settings page if the user is logged in

• IAST technology is now referred to as “IAST Monitoring Session” or "IAST Session" rather than “IAST Scan”
• Simplified the wizard for starting an IAST Session
• Agent download now always includes the agent key

• Improved error notification
• Last few characters of FlexNet LicenseKey are now exposed on GetTenantInfo

• Changed SAST Custom Advisory structure.
• Unified cover page for all reports.
• DAST XML report: The order of the "URL Group" and "Entity Group" sections in DAST XML reports has been changed. Other versions of the report are not affected.

• SAST Fix Group name and content now match those shown in the UI and Application Reports.
• SAST Scan Reports now include Custom Advisories, as in Application Reports.
• Cover page updated and TOC added, to match Application Reports.
• Discussion and History check boxes added to the Metadata options.

• You can now sort the Issues and AppScan Presences columns in the All Issues tab by clicking the column header.
• Added an auto-complete to the URL field when creating a Dynamic Scan.

• 37 new articles
• Refined 29 rules
• These improvements ultimately should reduce the overall number of findings.
• However, updates could cause some existing findings to appear as new findings.

• The default listing now shows only non-compliant issues (New, Open, In-Progress, Reopened)
• New filter display
• SAST scans: A Fix Group link is added to each Issue in the All Issues list, to open the Fix Group tab for that Issue

• You can now generate a report even when there are no issues, or all issues are compliant
• SAST scans: “Issues by Fix Group” section added to the Application Security Report

• Change status per Issue
• Add notes per Fix Group
• Filter Issues by compliance to a specific Policy or Policies

GET /api/v2/Issues/{scope}/{scopeId}

This function returns issues for the given scope (Application, Scan or Scan Execution). It accepts the regular odata parametes (filter and paging) and it also has a parameter that determines if and which policies should be applied to filter issues. This new function is replaces all the following functions (that are now marked as Obsolete):

GET /api/V2/Issues/Count

GET /api/v2/Apps/{id}/NonCompliantCount

GET /api/v2/Apps/{id}/NonCompliantIssues

GET /api/v2/Apps/{id}/Issues

GET /api/v2/Apps/{id}/IssuesAsPage

GET /api/v2/Apps/{id}/IssuesCount

GET /api/v2/Scans/Executions/{executionId}/Issues

GET /api/v2/Scans/{scanId}/Executions/{executionId}/Issues

GET /api/v2/Scans/{scanId}/NonCompliantIssues

GET /api/v2/Scans/{scanId}/NonCompliantCount

GET /api/v2/Scans/{scanId}/Issues

The latest update to the AppScan on Cloud GUI, AppScan Go!, introduces the ability to specify the "Thorough" scan speed. Thorough scans deliver the most comprehensive analyses to identify the maximum number of vulnerabilities. Thorough scans also take the longest time to complete.

To take advantage of this scan speed, download and install the latest version of AppScan Go!

• Plugins automatically download the latest Static Analyzer Command Line Utility when they run.
• If you try to prepare code for scanning using Static Analyzer Command Line Utility version 7.x or earlier, you see an error message. Upgrade to the latest Static Analyzer Command Line Utility based on your operating system (Windows, Linux, Mac).
• If you are using AppScan Go!, accept and install the latest update if an update is offered.

• Identifies new cookies created by JavaScript; Improved URL filters; Improved coverage
• Improved Cross-Site Scripting analysis: Better detection of DOM-Based Cross-Site Scripting
• Improved Server/application-down detection: The server/application-down heartbeat now tests the full Starting URL for the scan rather than just its root path, improving scan accuracy.

The new Java stager process allows for more intelligent handling of Java projects to determine which files will be analyzed and which files will be treated as dependencies. Rather than a time-consuming process of unzipping all war files, jar files, sub jar files and so on, and saving all the uncompressed files to disk before determining which files to analyze, the stager process employs a surgical approach to evaluating the Java project.

-DSTAGE_INFO=true
For example:
D:\apps\app\appscan prepare -n app -DSTAGE_INFO=true
Discovering targets...
Target added: app
Validating...
Staging D:\apps\app\app.jar
Evaluating Entry: app.jar.files/lib/tomcat-coyote-7.0.12.jar
Java Packages To Be Analyzed For app:
        com.app.java.test
No problems found during validation.
Generating IRX file...
IRX file generation successful.

• This new feature for DAST scans (active by default, and controlled during scan setup) speeds up scanning for those occasions when fast results are more important to you than a thorough, in-depth scan. See Test Optimization.
• The General Information section of DAST scan reports now indicates whether or not the scan was Optimized.

• When you Create a Scan, Testing Status for the application changes to "In Progress".
• When you Reset an application (UI: Edit > Reset > Delete all… | API: Apps/Reset/Delete Issues), the application's Testing Status changes to "Not Started".

• Filters added to GET Presences API function, for example:GET: ..Presences/?$select=PresenceName%2C%20Idreturns a list of all Presences and their IDs
• Download a DAST Scan file using:GET ..Scans/DynamicAnalyzerScanFile/{executionId}

• Payment Application Data Security Standard
• US DISA’s Application Security and Development STIG. V4R3

Enhancements include performance improvements, automatic exclusion of third-party files, improved rules analysis, and bug fixes.

• International Standard - ISO 27001
• International Standard - ISO 27002
• NIST Special Publication 800-53
• WASC Threat Classification v2.0

• CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
• US Electronic Funds and Transfer Act (EFTA)
• US Federal Information Security Mgmt. Act (FISMA)
• US Sarbanes-Oxley Act (SOX)

• You can now run the AppScan Presence as a service on Linux OS as well as Windows.
• In Windows OS the AppScan Presence is now started with EXE files.