Previous updates 2023

Lists features that were added in previous updates to the AppScan on Cloud service in 2023.

New on December 13, 2023

  • Static analysis client updated to 8.0.1556.
  • Major enhancements to Intelligent Findings Analytics (IFA) for Java, our AI/ML auto-triage technology, include more precise findings and reduced false positives. Users may notice additional findings in previously scanned code due to improved analysis and prioritization.
  • The Static Analyzer Command Line Utility (SAClientUtil) now supports distinct workflows for SCA and SAST. Running the appscan queue_analysis command kicks off two scans: one static analysis scan and one SCA scan for the open-source findings. Static analysis and SCA results are therefore reported separately.
  • Automatic discovery of Git repositories. File paths for new issues are relative to the repository root.
  • Increased coverage for RPG language.
  • General bug fixes.

New on December 04, 2023

New on December 3, 2023

  • IAST now supports PHP:
    • PHP agent (version 1.0.0) is supported in addition to Java, Node.js and .NET.
  • User experience (UX) improvements:
    • Source code tab on Issues detail pane: View source code associated with issues in the AppScan on Cloud interface for faster remediation.
    • Asset groups: The new interface simplifies the process of creating Asset groups and ensures that a default contact is set. The default contact cannot be cleared, although it can be modified.
    • Fix groups: Additional functionality in the Fix groups interface allows for more robust triaging and management of issues sorted into fix groups.
  • New Regulatory Compliance report: [SA] Protection of Personal Information Act (PoPIA), 2013.
  • Updated Regulatory Compliance reports:
    • [US] The Federal Risk and Authorization Management Program (FedRAMP), Revision 5.
    • [US] DISA's Application Security and Development STIG, V5R2.
    • [US] Federal Information Security Modernization Act (FISMA), 2014.
  • AWS integration added to the Plugins & APIs page:
    • The AWS CodeBuild and CodePipeline plugin enables effortless execution of Dynamic Application Security Testing (DAST) scans through AppScan on Cloud, ensuring seamless integration into your DevOps cycle.

New on November 1, 2023

  • New IAST Java agent (version 1.15.1):
    • New methods to specify a proxy to the agent for accessing ASoC:
      • Environment variables: IAST_PROXY_HOST and IAST_PROXY_PORT.
      • Custom Java properties: Iast.proxyHost and Iast.proxyPort.

      This is in addition to the existing method of defining a proxy through the standard Java properties https.proxyHost and https.proxyPort.

New on October 29, 2023

  • Software Composition Analysis (SCA) and static analysis are now distinct workflows within AppScan on Cloud.

    This separation of static and open-source scanning technologies allows for greater flexibility in testing strategies. You can scan only open-source libraries using SCA and work with issues in an SCA-specific single scan view or run both static and open-source scanning on files, as your organization needs.

  • Send tests to login and logout pages as part of dynamic analysis.

    The DAST wizard test options allow you to specify whether to send tests to login and logout pages.

  • Updated user interface for creating and managing asset groups.

    Asset groups are a useful means for managing user access to data. With this updated user interface, you can easily define and manage asset groups, and thus better manage which team members work with specific data.

New on October 16, 2023

  • Static analysis client updated to 8.0.1546.
  • Support for scanning cascading style sheets (CSS files).

    AppScan on Cloud identifies security vulnerabilities in cascading style sheets, including cross-site scripting, injection, and validation.

  • Support for IBM WebSphere Application Server 9.x.

    The Static Analyzer Command Line Utility can be configured to leverage a WebSphere environment to use the JSP compiler included with WebSphere.

  • Improved accuracy for PHP scanning.

    AppScan on Cloud improved verification of PHP content in HTML files.

  • General fixes.

    The AppScan development team regularly reviews functionality and code, making tweaks and adjustments on an ongoing basis to provide optimum scanning functionality.

New on September 28, 2023

  • New IAST Java agent (version 1.14.3):
    • Corrected the message displayed when the user sets incorrect proxy settings.
    • Updated the IAST log to include both date and time.
  • IAST Java agent (version 1.14.2) previously released:
    • "Detected APIs", a new issue type is used instead of the "Miscellaneous" issue type for the issues that report the full list of the application's APIs.
    • Improved deployment process: Setting of BC_SB environment variable is no longer needed in Java versions 9 and later.
    • Additional framework support for Java: Spring 6.
    • OWASP testing: Improved logging for demo purposes. For more information, see OWASP Benchmark with IAST agent.

New on September 10, 2023

  • DAST:
    • Support for incremental scanning that significantly shortens the DAST rescans by identifying new areas and changes in the application and focusing the scan on them.
    • An update: As described in New on September 5, 2023, only AppScan Standard results uploaded to AppScan on Cloud via AppScan Connect will include vulnerable component results. Currently, DAST scanning on ASoC does not support this capability.

  • SAST: AppScan on Cloud allows upload of archive files for scanning without first generating an IRX file. This saves the user time by offloading the preparation of the files to ASoC.
  • ServiceNow plugin: Issues can now be triaged in ServiceNow by importing vulnerability data from AppScan on Cloud (DAST or SAST findings) into the ServiceNow Vulnerability Response platform by using the ServiceNow plugin.
  • User experience (UX) improvements:
    • Single scan view: Now includes the option to display Active Issues, in addition to Total Issues and New Issues. Active issues are issues whose status is "New (deprecated)", "Open", "In progress", or "Reopened". In addition, improvements were made to the "Issues by severity" graph.
    • You can now assign up to three unique presences and restrict the application's scanning exclusively to those presences.

New on September 5, 2023

  • Correction to New on July 31, 2023: DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.3.0 on July 31, 2023. See AppScan Standard Fix List.
    Note:
    • Although the identification of third-party components is a new feature in AppScan Standard 10.3.0, it is not supported for scans run in ASoC.
    • The July 31, 2023, release stated that scans initiated via "scan" or "scant" files from AppScan Standard include detection of vulnerable components. However, this support will be disabled in the upcoming deployment.
    • Scan results imported to ASoC from AppScan Standard via AppScan Connect will still include vulnerable components detected by AppScan Standard.

New on August 22, 2023

  • Static analysis client updated to 8.0.1542.
  • Additional performance improvements for source code scanners.
  • General bug fixes.

New on August 16, 2023

  • Static analysis client updated to 8.0.1537.
  • Secrets scanning is disabled by default.

    Use the --enableSecrets and --secretsOnly options to scan secrets.

  • Improved performance for source code scanners.
  • General bug fixes.

New on July 31, 2023

  • DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.3.0. See AppScan Standard Fix List.
    Attention: Refer to New on September 5, 2023, for the latest information on third-party component support in ASoC. The following note is no longer valid. Only scan results uploaded to ASoC via AppScan Connect will include vulnerable components if they are detected.
    Note: Although identifying third-party components is a new feature in AppScan Standard 10.3.0, it is not supported in ASoC. However, scans or templates imported from AppScan Standard (if the option is selected in AppScan Standard) will include third-party components.

New on July 20, 2023

  • Static analysis client updated to 8.0.1535.
  • General bug fixes.

New on July 16, 2023

  • Updated Create and Edit Application dialogs.
    • Create application: The new quick setup lets you create the application by assigning a name and asset group only. You can add additional parameters later using Edit application.
    • Users with permission can now create a new asset group from within the Create and Edit application dialogs.
  • Plugins: Added VS 2022 plugin.
  • Open-source issues now include library Location.
  • Industry Standard Report "NIST Special Publication 800-53" updated to version 5.

New on June 30, 2023

  • Static analysis client updated to 8.0.1533.
  • Expanded support for secrets scanning.

New on June 20, 2023

New on June 11, 2023

  • DAST:
    • Scan configuration wizard now supports adding additional domains to the scan.
    • Dashboard: 'Applications with most active issues' graph replaces the 'Common issue types' graph.
    • Option to select Staging or Production environment has been removed due to the addition of the new configuration options like automatic form fill. For details, see Why can I no longer specify the environment to be Staging or Production?
  • API:
    • Create scan API: DAST number of threads now supports up to 20 threads.
    • Open-source information is now displayed with more consolidated and accurate data, on a library level and not on a file level.

New on May 31, 2023

  • AppScan Go! updated to version 1.0.2
    • Updated icons and logos
    • General bug fixes

New on May 18, 2023

  • New IAST Java agent (version 1.12.10501):
    • Performance improvements
    • Added new vulnerabilities:
      • API detection: A new issue reports all detected APIs in an application. Supported for Spring applications.

New on May 15, 2023

New on April 23, 2023

  • When you delete a scan, SCA libraries that belong to that scan only are now also deleted, like issues.
  • SAST/SCA: Improved data flow display in Issue details pane.
  • Subscriptions page: Added ‘AppScan for You’ service details.

New on April 18, 2023

  • New IAST .NET agent (version 1.7.3)

New on March 29, 2023

New on March 26, 2023

  • Audit trail page added (Organization > Audit trail).
  • CVSS scoring for DAST issues is now based on v3.1. The CVSS version can be added as a column in the Issues view; see CVSS. Note that because CVSS thresholds vary between versions, the same issue can receive different CVSS scores in scans run before and after this update.
  • API: Added support for Postman collections (Scans/FileUpload and Scans/DynamicAnalysisWithFiles).

New on March 21, 2023

  • Static analysis client updated to 8.0.1524.
  • General bug fixes.

New on March 13, 2023

  • New IAST .NET agent (v 1.7.2): Bug fixes

New on March 5, 2023

  • New IAST .NET agent (v 1.7.1):
    • Bug fixes and performance improvements
    • Support for WebSockets in .NET core
    • New vulnerability types: Missing "Content-Security-Policy" header (CWE 1032), Missing "Referrer policy" Security Header (CWE 200)
    • Basic support for customers that use System.Net.WebClient

New on February 19, 2023

  • Issue status “New” is deprecated and new issues found are now classified as “Open”. Issues marked "New" in previous scans are not affected unless also found in the new scan (see Issue status).
  • When creating a DAST scan, the default Environment ("ScanType" in the API) has been changed from production to staging (see Creating a DAST scan).
    Attention: If you are scanning a live production environment it is important that you change this setting when creating your scan.
  • New regulatory compliance policy and report: [US] California Consumer Privacy Act (CCPA) - AB-375.
  • Scan statistics are now shown to administrators graphically in the organization’s ‘Scans and Sessions’ view.
  • ‘Automatic cleanup’ configuration added to organization and application settings (see Cleanup).
  • Correlation data added to Correlation groups view.
  • Roles API: ‘IsAssignable’ added to the role model, to indicate that the user can invite users with this role or change the role of another user to this role.

New on February 6, 2023

  • Static analysis client updated to 8.0.1521.
  • Improvements to Software Composition Analysis (SCA) discovery and reporting.
  • Improved accuracy for C, C++, and Python scans.
  • General bug fixes.

New on January 23, 2023

  • Added "Last Found" to the Date filter for issues.
  • Issue status "New" deprecated: The UI now shows an announcement that, from February, issues that would have been marked "New" will instead be marked "Open". Existing "New" issues will not be changed unless they are found in a new scan, in which case they will be set to "Open". You will be able to change the status of a "New" issue to any other status, but will not be able to set an issue's status to "New". See Issue status.
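The status rule above (legacy "New" issues stay as they are until a rescan finds them again, at which point they become "Open", and newly discovered issues are created as "Open") combines with the "Active issues" definition from the September 10, 2023 entry to determine what a team sees as open work after each scan. The following is an added illustration, not AppScan on Cloud code: it models that rule over a constructed issue list so the effect of a rescan on statuses and on the active-issue count can be checked. The issue keys, the way a finding is matched across scans, and the treatment of the UI label "New (deprecated)" as the legacy "New" status are assumptions made for the example.

```python
from dataclasses import dataclass

# Statuses counted as "active" per the single scan view description.
# The UI shows the legacy status as "New (deprecated)"; this model stores it as "New".
ACTIVE_STATUSES = {"New", "Open", "In progress", "Reopened"}


@dataclass
class Issue:
    key: str     # constructed: identifies the same finding across scans (assumption)
    status: str  # one of the issue statuses shown in the Issues view


def apply_rescan(existing, found_keys):
    """Return the issue list after a rescan, following the documented rule.

    - An existing issue still marked "New" that is found again becomes "Open".
    - An existing "New" issue that is not found again is left unchanged.
    - Findings with no existing issue are created as "Open", never as "New".
    Other statuses are left untouched by this model.
    """
    updated = []
    seen = set()
    for issue in existing:
        seen.add(issue.key)
        status = issue.status
        if status == "New" and issue.key in found_keys:
            status = "Open"
        updated.append(Issue(issue.key, status))
    for key in sorted(found_keys - seen):
        updated.append(Issue(key, "Open"))
    return updated


def count_active(issues):
    """Number of issues whose status is one of the active statuses."""
    return sum(1 for issue in issues if issue.status in ACTIVE_STATUSES)


def statuses_by_key(issues):
    """Helper for inspecting results: map each issue key to its status."""
    return {issue.key: issue.status for issue in issues}


if __name__ == "__main__":
    # Constructed sample: issues carried over from earlier scans.
    before = [
        Issue("sqli-login", "New"),
        Issue("xss-search", "New"),
        Issue("csp-missing", "Fixed"),
        Issue("path-traversal", "In progress"),
    ]
    # Constructed sample: findings reported by the new scan.
    found = {"sqli-login", "path-traversal", "open-redirect"}
    after = apply_rescan(before, found)
    for issue in after:
        print(f"{issue.key:16} {issue.status}")
    print("active issues:", count_active(after))
```

Running the sample shows "sqli-login" moving from "New" to "Open" because it was found again, "xss-search" keeping its legacy "New" status, and "open-redirect" appearing directly as "Open".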

New on January 16, 2023

  • IAST Java agent (version 1.12.10400): Various fixes and enhancements.

New on January 15, 2023

  • New "Last found" column in the Issues list shows the most recent date on which the issue was found.
    Note: This will apply only to issues found in scans run after this update. For older scans the "Last found" field will be empty.