What's New in AppScan on Cloud
Discover upcoming and recently added features.
Updates: AppScan on Cloud announcements, including advance notice of planned changes and scheduled maintenance that might affect your workflow, can be found on AppScan News. To be notified when there is an announcement, you can subscribe to AppScan News.
Translations: If you are reading this page in translation, please be aware that it may not include the latest additions. To see the latest version of this page, switch to the English version, using the "Change Language" option at the top right of the menu bar.
New on September 28, 2023
- New IAST Java agent (version 1.14.3):
- Corrected the message displayed when the user sets incorrect proxy settings.
- Updated the IAST log to include both date and time.
- IAST Java agent (version 1.14.2) previously released:
- "Detected APIs", a new issue type, is used instead of the "Miscellaneous" issue type for issues that report the full list of the application's APIs.
- Improved deployment process: Setting the BC_SB environment variable is no longer needed in Java versions 9 and later.
- Additional framework support for Java: Spring 6.
- OWASP testing: Improved logging for demo purposes. For more information, see OWASP Benchmark with IAST agent.
New on September 10, 2023
- DAST:
- Support for incremental scanning that significantly shortens DAST rescans by identifying new areas and changes in the application and focusing the scan on them.
- An update: As described in New on September 5, 2023, only AppScan Standard results uploaded to AppScan on Cloud via AppScan Connect will include vulnerable component results. Currently, DAST scanning on ASoC does not support this capability.
- SAST: AppScan on Cloud allows upload of archive files for scanning without first generating an IRX file. This saves the user time by offloading the preparation of the files to ASoC.
- ServiceNow plugin: Issues can now be triaged in ServiceNow by importing vulnerability data from AppScan on Cloud (DAST or SAST findings) into the ServiceNow Vulnerability Response platform by using the ServiceNow plugin.
- User experience (UX) improvements:
- Single scan view: Now includes the option to display Active Issues, in addition to Total Issues and New Issues. Active issues are issues whose status is "New (deprecated)", "Open", "In progress", or "Reopened". In addition, improvements were made to the "Issues by severity" graph.
- You can now assign up to three unique presences and restrict the application's scanning exclusively to those presences.
New on September 5, 2023
- Correction to New on July 31, 2023: DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.3.0 on July 31, 2023. See AppScan Standard Fix List.
Note:
- Although the identification of third-party components is a new feature in AppScan Standard 10.3.0, it is not supported for scans run in ASoC.
- The July 31, 2023, release stated that scans initiated via "scan" or "scant" files from AppScan Standard include detection of vulnerable components. However, this support will be disabled in the upcoming deployment.
- Scan results imported to ASoC from AppScan Standard via AppScan Connect will still include vulnerable components detected by AppScan Standard.
New on August 22, 2023
- Static analysis client updated to 8.0.1542.
- Additional performance improvements for source code scanners.
- General bug fixes.
New on August 16, 2023
- Static analysis client updated to 8.0.1537.
- Secrets scanning is disabled by default. Use the --enableSecrets and --secretsOnly options to scan secrets.
- Improved performance for source code scanners.
- General bug fixes.
New on July 31, 2023
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.3.0. See AppScan Standard Fix List.
Attention: Refer to New on September 5, 2023, for the latest information on third-party component support in ASoC. The following note is no longer valid. Only scan results uploaded to ASoC via AppScan Connect will include vulnerable components if they are detected.
Note: Although identifying third-party components is a new feature in AppScan Standard 10.3.0, it is not supported in ASoC. However, scans or templates imported from AppScan Standard (if the option is selected in AppScan Standard) will include third-party components.
New on July 20, 2023
- Static analysis client updated to 8.0.1535.
- General bug fixes.
New on July 16, 2023
- Updated Create and Edit Application dialogs.
- Create application: The new quick setup lets you create the application by assigning a name and asset group only. You can add additional parameters later using Edit application.
- Users with permission can now create a new asset group from within the Create and Edit application dialogs.
- Plugins: Added VS 2022 plugin.
- Open-source issues now include library Location.
- Industry Standard Report "NIST Special Publication 800-53" updated to version 5.
New on June 30, 2023
- Static analysis client updated to 8.0.1533.
- Expanded support for secrets scanning.
New on June 20, 2023
- Static analysis client updated to 8.0.1531.
- Support for secrets scanning.
New on June 11, 2023
- DAST:
- Scan configuration wizard now supports adding additional domains to the scan.
- Dashboard: 'Applications with most active issues' graph replaces the 'Common issue types' graph.
- Option to select Staging or Production environment has been removed due to the addition of new configuration options such as automatic form fill. For details, see Why can I no longer specify the environment to be Staging or Production?
- API:
- Create scan API: DAST number of threads now supports up to 20 threads.
- Open-source information is now displayed with more consolidated and accurate data, on a library level and not on a file level.
New on May 31, 2023
- AppScan Go! updated to version 1.0.2
- Updated icons and logos
- General bug fixes
New on May 18, 2023
- New IAST Java agent (version 1.12.10501):
- Performance improvements
- Added new vulnerabilities:
- Sensitive API Requires Logging – CWE 778 (A09:2021 – Security Logging and Monitoring in the OWASP Top 10 2021 list). Supported for applications using log4j.
- Regex injection (CWE 624).
- API detection: A new issue reports all detected APIs in an application. Supported for Spring applications.
New on May 15, 2023
- Static analysis client updated to 8.0.1530.
- New language support for Rust.
- Improved accuracy for Java and Ruby.
- Inline tutorials for fix groups, Jenkins plugin setup, Azure plugin setup, and CodeSweep action.
- General bug fixes.
New on April 23, 2023
- When you delete a scan, SCA libraries that belong only to that scan are now also deleted, as issues are.
- SAST/SCA: Improved data flow display in Issue details pane.
- Subscriptions page: Added ‘AppScan for You’ service details.
New on April 18, 2023
- New IAST .NET agent (version 1.7.3)
New on March 29, 2023
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.2.0. See AppScan Standard Fix List.
New on March 26, 2023
- Audit trail page added (Organization > Audit trail).
- CVSS scoring for DAST issues is now based on v3.1. CVSS version can be added as a column in the issues view. See CVSS. Note that as CVSS thresholds vary between versions, there can be different CVSS scores for the same issue in scans run before and after this update.
- API: Added support for Postman collections (Scans/FileUpload and Scans/DynamicAnalysisWithFiles).
New on March 21, 2023
- Static analysis client updated to 8.0.1524.
- General bug fixes.
New on March 13, 2023
- New IAST .NET agent (v 1.7.2): Bug fixes
New on March 5, 2023
- New IAST .NET agent (v 1.7.1):
- Bug fixes and performance improvements
- Support for WebSockets in .NET core
- New vulnerability types: Missing "Content-Security-Policy" header (CWE 1032), Missing "Referrer policy" Security Header (CWE 200)
- Basic support for customers that use System.Net.WebClient
New on February 19, 2023
- Issue status “New” is deprecated and new issues found are now classified as “Open”. Issues marked "New" in previous scans are not affected unless also found in the new scan (see Issue status).
- When creating a DAST scan, the default Environment ("ScanType" in the API) has been changed from production to staging (see Creating a DAST scan).
Attention: If you are scanning a live production environment it is important that you change this setting when creating your scan.
- New regulatory compliance policy and report: [US] California Consumer Privacy Act (CCPA) - AB-375.
- Scan statistics are now shown to administrators graphically in the organization’s ‘Scans and Sessions’ view.
- ‘Automatic cleanup’ configuration added to organization and application settings (see Cleanup).
- Correlation data added to Correlation groups view.
- Roles API: ‘IsAssignable’ added to the role model, to indicate that the user can invite users with this role or change the role of another user to this role.
New on February 6, 2023
- Static analysis client updated to 8.0.1521.
- Improvements to Software Composition Analysis (SCA) discovery and reporting.
- Improved accuracy for C, C++, and Python scans.
- General bug fixes.
New on January 23, 2023
- Added "Last Found" to the Date filter for issues.
- Issue status "New" deprecated: UI now has an announcement that, from February, issues that would have been marked "New" will instead be marked "Open". Existing "New" issues will not be changed, unless they are found in a new scan, in which case they will be set to "Open". You will be able to change the status of a "New" issue to any other status, but will not be able to set an issue's status to "New". See Issue status.
New on January 16, 2023
- IAST Java agent (version 1.12.10400): Various fixes and enhancements.
New on January 15, 2023
- New "Last found" column in the Issues list, shows the most recent date that the issue was found.
Note: This will apply only to issues found in scans run after this update. For older scans the "Last found" field will be empty.