What's new in AppScan on Cloud

Discover upcoming and recently added features.

Updates: AppScan on Cloud announcements, including advance notice of planned changes and scheduled maintenance that might affect your workflow, can be found on AppScan News. To be notified when there is an announcement, you can subscribe to AppScan News.
Translations: If you are reading this page in translation, please be aware that it may not include the latest additions. To see the latest version of this page, switch to the English version, using the "Change Language" option at the top right of the menu bar.

New on July 21, 2024

  • New IAST Java agent (1.17.1)
    • Support RabbitMQ as a source and sink.
    • Support vulnerabilities of type Privacy.DataLeakage, reported when a password is written unencrypted to the database or response.
    • Support vulnerabilities of type AppDOS.Flood, reported when a Vert.x app does not set limits to the request body.
    • Merge repeated reports on insecure and HTTP-only cookies when the source is similar.
  • New IAST .NET agent (1.11.1)
    • Reduce agent dependencies to avoid application conflicts.

New on July 10, 2024

New on June 20, 2024

  • AppScan Go! updated to version 2.1.0.
  • Added the ability to scan SCM repositories in AppScan Go! with a URL.
  • AppScan Go! now auto-recommends a scan mode, either bytecode/compiled or source code.
  • Bug fixes

New on May 29, 2024

  • Static analysis client updated to 8.0.1570.
  • Client-only update.
  • Fixed retrieval of the key used for IRX encryption.

New on May 29, 2024

  • Static Analysis:
    • SAST scans can now be configured and scheduled to pull source code directly from a public GitHub repository. See Scan a GitHub repository.
    • While triaging SAST findings, users can view the relevant source code directly on GitHub.com.
    • Findings can now be filtered by filename or path, making triaging more efficient by focusing on specific areas of the codebase.
  • Dynamic Analysis:
    • The Domain verification wizard is enhanced to allow users to test the connection after placing the file in the root folder. Domains pending verification for more than 30 days will be deleted. Domains remain in a pending state until the verification file is detected in the root folder, or the email verification is confirmed.
  • Compliance Reports and Policies:
    • Two new industry-standard reports were added:
      • OWASP API Security Top 10 2023
      • CWE Top 25 Most Dangerous Software Weaknesses 2023
    • The following reports were updated:
      • [US] DISA's Application Security and Development STIG, Version 5 Release 3
      • The Payment Card Industry Data Security Standard (PCI DSS) - Version 4
  • AppScan on Cloud service status page:
    • This page provides real-time information on the operational status of the AppScan on Cloud service and planned maintenance. It is now accessible from the AppScan on Cloud portal.
    • You can access this page from the following locations:
      • Within the AppScan on Cloud portal, the AppScan Resources page is accessible under the Support menu at the top of each page. A link to the service status page is at the bottom of the AppScan Resources page.
      • AppScan on Cloud documentation: The link to the status page is included on the Getting started page under the Product Resources section.
      • You can bookmark the URL directly: AppScan on Cloud Service Status page.

New on May 28, 2024

  • Static analysis client updated to 8.0.1569.
  • Support for Makefile/GNUMakefile.
  • Improvements to rules.
  • General bug fixes.

New on May 16, 2024

  • New IAST Java agent (1.16.2)
    • Support for Vert.x version 3.x.
    • API endpoint discovery for Vert.x.
  • New IAST .NET agent (1.10.1)
    • Updated dependencies.
    • Alternative deployment of the .NET Core agent at runtime, without the need for a build (Beta).

New on April 17, 2024

  • Static analysis client updated to 8.0.1567.
  • Software Composition Analysis (SCA) now supports config scanning of package.json files from NPM packages.
    SCA can retrieve essential package dependency information from the scan, providing users with comprehensive insights into project dependencies. Package dependencies detected by the NPM package manager scans are seamlessly integrated into the Software Bill of Materials (SBOM) report, facilitating a clearer understanding of project dependencies.
    Note: Issues found during config scanning are consolidated results from other config scans only. To disable config scanning, use the -nc flag with appscan prepare.
  • Improvements to secrets scanner.
  • Improvements to Java source code scanner.
  • General bug fixes.

New on April 14, 2024

  • User experience (UX) improvements:
    • The Create scan dialog box has been redesigned to streamline workflow for DAST scanning.
    • The Settings page has been redesigned with improved organization, and now requires confirmation of changes to page settings.
    • The Correlation groups page has been redesigned for greater ease-of-use.
  • A date filter has been added to the Fix groups page. View fix groups according to a date range and/or according to time-related properties associated with component issues.
  • A share option has been added to the Issue details pane. Copy a link or issue ID to share issue details quickly and efficiently via text or email.

New on March 27, 2024

New on March 25, 2024

  • New IAST Java agent (1.16.1)
    • Improved support for customers using the Vert.x framework.
    • Support for component discovery and more accurate stack reports for IAST Total.
  • New IAST PHP agent (1.0.1)
    • Support PHP 8.3 on Ubuntu.
    • Support environment variables from server config files.

New on March 9, 2024

  • Static analysis client updated to 8.0.1561.
  • General bug fixes.

New on March 8, 2024

New on February 21, 2024

  • New IAST Java agent (version 1.16.0):
    • Added support for the Vert.x framework.
  • New IAST .NET agent (version 1.10.0):
    • Added support for .NET 8.
    • Enhanced support for IAST Total on .NET.
    • Optimization.

New on February 18, 2024

  • REST API update: Version 4 of our REST API is available now. Please review the technical overview for assistance in migrating to the updated API.
  • Default issues view: By default, ASoC displays non-compliant issues only at the application level.
  • Fix groups filtering: ASoC supports filtering fix groups by vulnerability and policy, in addition to existing filters. With additional filtering capabilities, you can pinpoint issues and optimize fixes for faster remediation.
  • Issue properties tab: The new Properties tab on the Issue details pane lists expanded issue details, including how and when the issue was found, its type, status, severity, scanner, location, and issue ID.
  • Auto-close of issues: ASoC auto-closes issues when they do not appear in rescans, thus reducing the manual effort of closing issues.
  • 2k scan limit: When auto-cleanup is not enabled at the organization level, ASoC enforces the 2k scan limit.

New on February 14, 2024

  • AppScan Go! updated to version 2.0.0

    AppScan Go! steps you through configuring and running a static, SCA, or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.

New on January 19, 2024

New on January 15, 2024

  • Software Composition Analysis (SCA):
    • Software Bill of Materials (SBOM) report: New support for Software Bill of Materials (SBOM) reports. Generate an SPDX industry-standard report of the open source libraries in your application.
    • Open source library search: SCA users can search for open source libraries in applications to which they have access through asset groups. The ability to locate all instances of a library increases the speed and confidence with which users can remediate library-related issues and concerns.
    • Open source library details: Library search results include license details of libraries found in applications. Details include license information that enables you to evaluate the legal risks and benefits of a particular library.
  • Static analysis (SAST):
    • Source code view: The Issue details pane includes the ability to access source code in the local directory structure or, if the scan was created in GitHub, to view the code in the GitHub repository.
    • C++ scanner: Improved source code-only scanning for C++.
  • Enhanced DAST scanning with IAST Total: IAST Total provides enhanced automatic configuration, quicker scan and remediation processes, detailed call stack information for detected vulnerabilities, and deeper insight into the application backend. For more information, see IAST Total.
  • User experience (UX) improvements:
    • Asset groups: The new delete asset group flow simplifies the process of deleting an asset group. Users with the delete asset group permission (default roles like Administrator and Manager, as well as custom roles) can delete an asset group along with its associated applications, including scans and findings, facilitating the removal of unnecessary applications. Users can also opt to move the applications to another asset group, either with or without their members.
    • Fix groups: Comments field added to security report for fix groups, allowing for better inclusion and tracking of notes and comments.

Previous updates 2023

Previous updates 2021-2022

Previous updates 2019-2020

Previous updates 2016-2018