Previous updates

Lists features that were added in previous updates to the AppScan on Cloud service.

New on November 23, 2021

  • UI:
    • Schedule scans: You can now schedule a DAST scan to run later, with or without repetition (Create scan > Schedule step). You can edit a configured schedule (Scan actions menu > Edit schedule). New icons indicate “Scheduled” and “Repeat” status of scans.
    • IAST: Added ability to update IAST Agent configuration.
    • Automatic log out: Users are now logged out if there is no activity for 30 minutes.
    • Business units can now be merged (Admins only: Organization > Settings).
    • Single scan view: Columns are now clickable and lead to a filtered list in the issues tab.
  • API:
    • Support for scan scheduling (with additional settings).
    • Support for merging two business units, and ability to add a limit to the number of business units allowed in the organization.

New on November 16, 2021

New on October 24, 2021

  • UI:
    • Administrators only: New Settings view added (Organization > Settings), to create and manage business units.
    • IAST: When deleting an agent, the UI now offers you the option to delete agent configuration only, or the agent configuration and also the issues found by the agent.
    • New scan status added: “Initializing” (before scan actually starts).
  • API: SAST and IAST issues set as Fixed will not be reopened if found again.

New on October 18, 2021

IAST monitoring:
  • Java agent (version 1.9.10100):
    • Pause execution when memory consumption (threshold) is too high
    • New Config file parameter to specify names of apps to be monitored
    • Memory and GC debug flags
    • Reduced memory consumption
    • New security features:
      • Improved CSRF rule (less FP)
      • Improved coverage of Insecure Login rule
    • Fixed: XSS bug on Spring
  • .NET agent (version 1.3.1):
    • Pause execution when memory consumption (threshold) is too high
    • Filter issues from being reported based on header/cookie name
    • Performance improvements
    • Issue Information tab for IAST issues:
      • New Additional Info section
      • Exploit Example included for many more issues
    • New security features:
      • Path traversal algorithm
      • Improved coverage of Insecure Login rule
    • Fixed: Bug when issues are sent to ASoC/ASE
  • Node.js agent (version 1.2.1):
    • Pause execution when memory consumption (threshold) is too high
    • Filter issues from being reported based on header/cookie name
    • Issue Information tab for IAST issues:
      • New Additional Info section
      • Exploit Example included for many more issues
    • New security features:
      • Path traversal algorithm
      • Improved coverage of Insecure Login rule
    • Fixed: Handle Communication EPIPE error

New on October 12, 2021

AppScan Go! updated to version 0.1.8, including the following enhancements:
  • New opening page design.
  • Source code-only scanning support.
  • Ability to generate appscan-config.xml for open source-only scans.
  • Consolidation of targets and excludes in appscan-config.xml files.
  • Ability to disable automatic update of AppScan Go! on startup.
  • Ability to manually update AppScan Go!.
  • Refreshed logic for excluded files and clarified error messages.
  • General fixes and improvements.

New on October 10, 2021

  • Single scan view: "Manage Execution" options button added
  • DAST: When creating a scan, you can now choose whether the scan will be fully automatic or assisted by the scan enablement team if needed
  • SAST: Single scan view added, as for DAST scans
  • IAST:
    • Sessions are now displayed in Scans view
    • Scan report can be created
    • If you manually stopped an IAST session, you can now restart it from the UI even if the agent is disconnected, and monitoring will begin automatically when the agent is connected. Previously this was possible only through the API.

New on September 30, 2021

  • Static analysis client updated to 8.0.1461
  • Support for scanning Dart.
  • Support for scanning Java source code with the source code-only option.
  • General fixes and functionality improvements.

New on September 12, 2021

  • DAST scans: You can now upload multiple DAST.CONFIG files for a single scan (see Explore with guidance).

New on August 4, 2021

  • Static analysis client updated to version 8.0.1448.
  • General fixes and functionality improvements.

New on August 2, 2021

  • DAST scanning:
    • New single scan page:
      • Gives you access to detailed data about the scan, with three tabs (Overview, Issues, Configuration) and the scan log pane (see Single scan view).
      • Shows real-time status of running scans.
      • Scan log can now be viewed while scan runs.
      • New indicator for scans that were handled by an enabler from the scan support team to review their configuration.
    • Scan wizard additions:
    • API:
      • Create a scan with multiple files.
      • Choose between automatic explore and explore with guidance.
      • Added automatic timeout
      • The number of issues new to the application is now included in the scan results.
  • IAST monitoring, Java agent (version 1.8.10110):
    • Now supports uploading a CONFIG file.
    • Monitoring will now reflect changes you make to the CONFIG file on your local server.
    • Issue Information tab for IAST issues:
      • New Additional info section.
      • Exploit example included for many more issues.
    • Security rule updates:
      • path traversal advanced algorithm
      • Deserialization - Xtream, xmlDecode
      • Reduce FP on escapeHtml
    • Fixes and memory improvements for wildfly server.
  • Export icon: Lets you export applications, scans, single application scans, fix groups, fix group issues, single scan issues, users, asset groups.
  • List of domains is now visible to all users.

New on July 13, 2021

New on June 29, 2021

New on June 23, 2021

  • UI:
    • New “Ask an expert” feature added
    • Export to CSV/JSON added to applications and issues pages
    • Create Scan: Added Timeout and Number of threads configuration
    • Fix group ID (“Group ID”) added to issue panel
    • IAST: Additional info added to issue panel
    • Column configurations and filters are now saved between sessions
    • Sample Applications CSV: Description and Tags columns removed
    • New plugin: Github
  • API:
    • Added ability to add comments to ScanExecution
    • DAST configuration: Added ability to configure Number of threads and Communication timeout
  • General bug fixes

New on May 27, 2021

  • IAST scanning:
    • Node.js agent (version 1.1.0) now supported in addition to Java and .NET
    • .NET agent (version 1.2.2):
      • Now supports .NET 4.6.2
      • Library updates
      • Support setting host and token through environment variables and through Web.config file
    • Java agent (version 1.8.10000):
      • Performance improvements
      • Support 32-bit JRE environments
      • Support more Java environments for auto-attach
      • New rules to detect spring sanitization (reduce Spring FP)
    • Change env var names to IAST_HOST and IAST_ACCESS_TOKEN
    • Report attCookieNotSecureSSL instead of SessionManagement.Cookies
    • Simplified reports
    • Bug fixes

New on May 26, 2021

  • Static analysis client updated to version 8.0.1436.
  • Support for source-code scanning for VB.NET, which is enabled by the source code-only option.

New on May 23, 2021

  • Asset groups: New design, and ability to add a user as contact person for the group
  • IAST: JavaScript Agent added
  • Reports: DISA report upgraded to version 5, release 1

New on May 11, 2021

  • DAST automation updates:
    • Various Java libraries updated to newer versions
    • Proxy Server now supports TLS connections
    • You can now start a Recording Proxy with a range of ports rather than a specific port (the lowest available port in the range will be used)
    • You can now set the port for the Proxy Server in Settings.json
    • Fixed a bug importing JKS certificates to the Proxy Server

New on April 28, 2021

  • Static analysis client updated to version 8.0.1433.
  • General fixes and functionality improvements.
  • APAR fixes.
  • Improvements to Java parallel processing.

New on April 27, 2021

  • UI:
    • Accept invitation to join an organization from the "Choose an Organization" dialog
    • Added Cipher Suite information to issue details
  • Reports: Cipher Suite information added
  • API:
    • Scan ID added to ScanExecution model
    • Export data in CSV format
  • Invitations to new users are now valid for 30 days.

New on April 12, 2021

  • UI: Applications can now be imported using a CSV file.
  • Reports:
    • IAST: Additional info table added.
    • Fix groups table added to the CSV format of the security report.

New on April 7, 2021

  • Static analysis client updated to version 8.0.1431.
  • New and faster source code-only scanning for C#, ASP.NET, and C.
  • Additional functionality for the queue_analysis CLI command for both Windows and Linux. These parameters are optional:
    • Enable or disable email notification on analysis completion.
    • Run the scan as a personal scan.
  • AppScan Go! is now supported on Mac.

New on March 21, 2021

  • Improved and updated user interface including the following changes:
    • Collapsible menu bar with a new order and several new menu items.
    • Navigate between all views with breadcrumbs.
    • Applications page: The create application wizard flow has been updated.
    • Single application page: A new dashboard gives you a graphic overview of the status of your application with risk rating and compliance status, scan status, issues by severity, most common issue types found, and more.
    • Policies:
      • Improved Policies page now shows a list of policies, and the applications associated with each policy, rather than the reverse.
      • Many new predefined policies are now available to associate with your applications.
      • Baseline policy is now set directly from the application page, rather than the Policies page.
    • Create scan wizard: Improved flow, and for DAST scans there is now a separate path for creating scans with an uploaded file.
    • Email and personal scan preferences are now set on the new Summary page.
    • Select which columns to display in tables, adjust width and change column order.
    • Share pages with other authorized users by simply sending them the link (ID) to the specific page.
  • Issues: Improved content and functionality
    • New and updated content for many issues.
    • How to fix: Advisory and Fix Recommendation sections have been consolidated into a comprehensive “How to fix” tab.
    • For many issues custom “How to fix” content for specific code languages is available.
    • Share issues with other authorized users by simply sending them the link (ID) to the specific issue in the application.
  • Reports include the new “How to fix” content.
  • API: You can now upload your own configuration for IAST monitoring.

New on March 4, 2021

  • AppScan Go! version 0.1.7 for Mac is now available, in addition to the Linux and Windows versions.

New on February 22, 2021

New on February 21, 2021

  • API: IAST agent can now be downloaded (with or without key) using the API (in addition to the UI).

New on February 3, 2021

  • Static analysis client updated to version 8.0.1422.
  • General fixes and functionality improvements.
  • Improved performance and memory utilization around parallel processing functionality for Java applications.

New on January 31, 2021

  • UI: Updated calculation of an application’s “Risk rating":
    • New applications are now assigned Business Impact “Medium” by default, but existing applications with the previous default of “Undefined” will not be changed. “Undefined” can still be assigned to an application manually.
    • If an application contains a completed scan, even though there are no active issues, the Risk rating is now set to "Low" (previously it was set to "Unknown").
  • API and UI: Scan files now download faster.

New on January 26, 2021

  • IAST:
    • Support for Tomcat 10
    • Improved taint tracking
    • Revised OS Commanding detection rules

New on December 28, 2020

  • UI:
    • New Dashboard page
    • New Domains page and Domain Verification dialog
    • CSV file improvements for imported issues
  • API:
    • Added ability to modify an existing custom policy: PUT /api/V2/Policies/{id}
    • Issue types can now be displayed in different locales by adding a locale parameter to: GET /api/v2/Issues/{scope}/{scopeId}
    • IAST agents now support multiple authentication keys: When you download a second IAST agent for an existing session, both new and old agent keys will be valid (unless you revoke the old key using the Generate new key option). See Start IAST Session
  • Fixes:
    • REST API: WebHooks POST method response has null value for AssetGroupId even though AssetGroupId is defined
    • Import issue: Supported fields

New on December 16, 2020

New on December 7, 2020

  • DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.3. See AppScan Standard Fix List
  • Plugins & APIs page: HackEDU added

New on November 30, 2020

  • CSV file changes: The column headers used in CSV files when importing issues to ASoC have been changed to bring them in line with the ASoC UI:
    • Renamed:
      • Status > Issue Status
      • Severity Value > Severity
      • Source File > File Name
    • Added: External Id and CVSS
    • Removed: Protocol
    Note: CWE and Scan Technology values are not currently supported.
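    The header renames above break any CSV an existing pipeline generates for import. The following script is an added example, not part of the ASoC documentation or tooling: it rewrites a legacy import file to the new header layout (renames applied, Protocol dropped, External Id and CVSS appended). It also drops the CWE and Scan Technology columns because the note says those values are not supported on import; that and the choice to leave the added columns empty are the script's own assumptions, and the sample rows are constructed.

```python
import csv
import io

# Header renames from the November 30, 2020 note (old name -> new name).
RENAMED = {
    "Status": "Issue Status",
    "Severity Value": "Severity",
    "Source File": "File Name",
}
# Columns added and removed in the same change.
ADDED = ("External Id", "CVSS")
REMOVED = ("Protocol",)
# Values the note says are not currently supported on import; dropped here
# (assumption: leaving them out is preferable to sending ignored data).
UNSUPPORTED = ("CWE", "Scan Technology")


def migrate_header(fieldnames):
    """Return the new column list: renames applied, Protocol and unsupported
    columns dropped, External Id / CVSS appended if absent."""
    out = []
    for name in fieldnames:
        if name in REMOVED or name in UNSUPPORTED:
            continue
        out.append(RENAMED.get(name, name))
    for name in ADDED:
        if name not in out:
            out.append(name)
    return out


def migrate_csv(old_text):
    """Rewrite a legacy import CSV (as text) to the new header layout.
    Row values are preserved; added columns are left empty (assumption:
    the importer treats an empty cell as unset)."""
    reader = csv.DictReader(io.StringIO(old_text))
    new_fields = migrate_header(reader.fieldnames)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=new_fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        new_row = {}
        for old_name, value in row.items():
            if old_name is None or old_name in REMOVED or old_name in UNSUPPORTED:
                continue
            new_row[RENAMED.get(old_name, old_name)] = value
        for name in ADDED:
            new_row.setdefault(name, "")
        writer.writerow(new_row)
    return buf.getvalue()


# Constructed sample: a two-row legacy file using the old header names.
LEGACY_CSV = (
    "Issue Type,Status,Severity Value,Source File,Line,Protocol\n"
    "SQL Injection,Open,High,src/db.py,42,https\n"
    "Hardcoded Password,New,Medium,src/cfg.py,7,https\n"
)

if __name__ == "__main__":
    print(migrate_csv(LEGACY_CSV))
```

Run it against a real export first and diff the header line; any column it neither renames nor recognises passes through unchanged, so a typo in a legacy header survives the migration and must be fixed by hand.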

New on November 9, 2020

  • Mobile Scanning now supports iOS versions up to 14.1.

New on November 3, 2020

  • New language support for Vue.js.
  • Upgraded Java analysis engine for faster and more accurate scans. The upgraded Java engine delivers near-incremental scanning while maintaining scan depth and accuracy. While the engine provides mostly the same results as before, some change in results is expected. See Parallel processing for Java applications to learn more about the new scanning techniques.

New on November 2, 2020

  • Downloadable logs added for SAST and DAST demo scans.
  • Graph in landing page updated now includes APIs.
  • APAR fixed: Users of expired subscriptions in grace period cannot generate scan report.

New on October 19, 2020

  • Reports: Test Policy added back to the DAST scan report.
  • API: Added two new values for policies: Created by, and Number of associated applications.

New on October 11, 2020

  • The translated versions of the documentation have been updated.

New on October 7, 2020

New on October 6, 2020

  • UI: The title bar now includes a link to the new Plugins and APIs page
  • API: Administrators can now update organization details (put /api/V2/Account/TenantInfo)
  • Reports: If PDF report creation fails you now receive an HTML report
  • APAR fixes:
    • Creating a 'NIST Special Publication 800-53' app report instead creates a 'Sarbanes-Oxley Act (SOX)' report
    • Open source security issues not shown as non-compliant although included in application policy

New on September 21, 2020

  • As previously announced, all Personal scans more than 30 days old have been deleted. Going forward the current behavior will continue: Every Personal scan will be deleted when it is 30 days old, unless it is promoted within that time. For details, see Personal scans.

New on September 15, 2020

  • General bug fixes and improvements.

New on September 14, 2020

  • IAST monitoring now supports .NET Framework.
  • SAST: Added ability to download logs (Actions > Log File).
  • CSV Reports: Dates are now shown in ISO 8601 format.
  • Bug fixes:
    • Application Data is now (as expected) included in Reports only when the Metadata > Coverage checkbox is selected in the UI, or the Coverage flag used in the REST API.
    • PRB0067750: Optimization Level changes when scan job is transferred for scanning agent, is fixed.

New on September 9, 2020

New on September 6, 2020

  • IP Ranges: In System Requirements the list of IP ranges used by ASoC for Mobile scans has been updated, but this does not represent any change in practice. We changed this range: 192.8.127.21/26 to this more standard notation: 192.8.127.0/26, but the two ranges are in fact identical.

New on August 24, 2020

  • Updated Sample DAST scan results and report
  • General bug fixes and improvements

New on August 5, 2020

  • Support for AngularJS 8 and 9.
  • Support for Ionic Framework.
  • New language support for TypeScript.
  • General bug fixes and improvements.

New on August 4, 2020

  • Mobile: Android 10 is now supported
  • DAST: Scan logs can now be downloaded from the UI
  • SAST: Updated the uniqueness (hash) calculation for SAST findings to reduce duplicates; existing findings will be transitioned automatically to the new hash version
  • API:
    • Implemented an API function that returns the number of issues per Status
    • Domains API added
    • Swagger functions now include the possible error response codes
  • Reports: Parameters, comments, Java Scripts, Cookies and Filtered URLs were added to the Application Data section in the DAST scan report

New on July 19, 2020

  • Exported Users CSV file now includes Inviter name column.
  • Fix Group ID is now included in CSV Reports (it was already included in other formats).
  • API: New “InformationalIssues” field added to the application, showing the number of Active Informational issues it contains.
    Note: Since all Applications include this new field, the ‘Last Updated’ field in the UI has changed to the time of this change.

New on July 12, 2020

  • User interface:
    • Scans “Under Review” can now be deleted
    • Swagger can now be opened automatically from the UI Settings page if the user is logged in
  • API: DAST Scan Log download is now available
  • Documentation: The online Help menubar now includes a "Change Language" drop-down list that lets you switch easily between languages on any page.

New on June 28, 2020

  • IAST:
    • IAST technology is now referred to as “IAST Monitoring Session” or "IAST Session" rather than “IAST Scan”
    • Simplified the wizard for starting an IAST Session
    • Agent download now always includes the agent key
  • Reports: DISA report updated to R4V10
  • API:
    • Improved error notification
    • Last few characters of FlexNet LicenseKey are now exposed on GetTenantInfo

New on June 24, 2020

New on June 22, 2020

  • iOS: StackTrace of insecure connection is added to the Scan Report.

New on June 10, 2020

  • IAST: Additional security rules (server and x-powered-by header detection, password leakage), bug fixes and performance enhancements.

New on June 7, 2020

  • Reports: Users can now create CSV format application reports and filtered issues reports.

New on May 25, 2020

  • Execution date and time added to scan details, so that duration represents Scan Execution time, excluding any queue or pending time.
  • Quick filter on the Fix Groups tab changed to ‘Non-Compliant’ (instead of ‘Active Status’).
  • Link to IAST documentation added to Create IAST Scan dialog.
  • New API added for getting count of issues by severity.
  • Webhooks added to the API, to receive notifications about events that occur in AppScan On Cloud. Two event types are supported: completion of scan execution and change in application counters or status. For more details see Webhooks.
  • Improved filtering of duplicate issues for SAST scans: The Hash algorithm used to uniquely identify SAST Issues has been improved to reduce duplicate Issues. New Issues will be stored with the new internal hash. However the hash value of existing Issues will not be changed.
  • Reports: Fix Groups ID added to the Fix Group sections on the report.
Advance Notice: See Personal Scans: Important Change

New on May 21, 2020

New on May 10, 2020

  • Rename scans: You can now rename scans in the UI. Previously found Issues remain listed under the old scan name, but new and repeat issues will be listed with the new name.
  • Reports:
    • Changed SAST Custom Advisory structure.
    • Unified cover page for all reports.
    • DAST XML report: The order of the "URL Group" and "Entity Group" sections in DAST XML reports has been changed. Other versions of the report are not affected.
  • Dashboard: Improved performance.
  • Scan History: Improved loading, especially when there are many scans in the list.
  • General bug fixes.
Advance Notice: See Personal Scans: Important Change

New on April 22, 2020

  • Scan Reports:
    • SAST Fix Group name and content now match those shown in the UI and Application Reports.
    • SAST Scan Reports now include Custom Advisories, as in Application Reports.
    • Cover page updated and TOC added, to match Application Reports.
    • Discussion and History check boxes added to the Metadata options.
  • User Interface: Search capability added in "Users & Roles" and "Asset Groups".
  • Improved performance and bug fixes.

New on April 15, 2020

  • General bug fixes and improvements.

New on April 7, 2020

  • Documentation: The localized versions of the documentation (French, Japanese, Simplified Chinese, and Traditional Chinese) have been updated.

New on April 6, 2020

  • User interface improvements:
    • You can now sort the Issues and AppScan Presences columns in the All Issues tab by clicking the column header.
    • Added an auto-complete to the URL field when creating a Dynamic Scan.
  • General improvements and bug fixes

New on April 3, 2020

New on March 27, 2020

  • New language support for Kotlin and Swift.
  • .NET analysis improvements to reduce false positives.
  • Improved PHP support.
  • General bug fixes and improvements.

New on March 25, 2020

  • IAST Scans: Our latest scan technology uses an agent deployed on the web server of the tested application to monitor traffic sent during runtime, and report vulnerabilities it finds. Unlike other ASoC scans, an IAST scan doesn't generate its own traffic, but monitors your system tests, or traffic sent during a DAST Scan. So you can have ongoing identification of runtime issues without the need to send dedicated test requests. See Interactive (IAST) monitoring.
  • Test Optimization for DAST Scans: The DAST scan setup wizard has a new Test Optimization slider that lets you control the extent of tradeoff between issue coverage and scan speed. Test Optimization selectively sends tests most likely to discover significant issues in your application, so during product development you can take advantage of faster scans with a relatively small loss of thoroughness. You can choose between four optimization levels, for various needs such as initial testing, DevSecOps, pre-release, compliance and more. The fastest option includes a Test stage up to 10 times faster than a non-optimized scan, with approximately 70% of the vulnerability coverage. See Test optimization.
  • Test Policy for DAST Scans: The AppScan Standard Default Test Policy is now applied to all DAST scans configured using the wizard. You can apply a different Test Policy by configuring the scan in AppScan Standard, or through the API.
  • General improvements and bug fixes.

New on March 17, 2020

  • Improved support for SSL (HTTPS) using self-signed root certificates
  • General improvements and bug fixes

New on March 10, 2020

  • General bug fixes and improvements.

New on March 5, 2020

New on February 26, 2020

  • Enhanced details and guidance for SAST issues.
  • New DAST engine with stability bug fixes.
  • General improvements and bug fixes.

New on February 18, 2020

  • General improvements and bug fixes.

New on February 10, 2020

  • New language support for ASP Classic.
  • Improvements to NodeJS scanning:
    • 37 new articles
    • Refined 29 rules
    • These improvements ultimately should reduce the overall number of findings.
    • However, updates could cause some existing findings to appear as new findings.

New on February 5, 2020

  • General improvements and bug fixes

New on February 2, 2020

  • Dynamic Analysis engine updated to AppScan Standard version 9.0.3.14 iFix001. See Fix List here.

New on January 21, 2020

  • DAST Proxy now supports DAST.CONFIG file encryption
  • ASoC now supports scanning encrypted DAST.CONFIG files
  • Changes to Proxy Server CLI commands and REST API commands

New on January 19, 2020

  • In the Application > All Issues tab:
    • The default listing now shows only non-compliant issues (New, Open, In-Progress, Reopened)
    • New filter display
    • SAST scans: A Fix Group link is added to each Issue in the All Issues list, to open the Fix Group tab for that Issue
  • Security Reports:
    • You can now generate a report even when there are no issues, or all issues are compliant
    • SAST scans: “Issues by Fix Group” section added to the Application Security Report
  • General improvements and bug fixes

New on January 12, 2020

  • Mobile Analysis now supports iOS versions up to 13.3.

New on January 1, 2020

New on December 19, 2019

  • Improved Golang analysis.
  • General bug fixes.

New on December 17, 2019

  • For SAST Fix Groups you can now:
    • Change status per Issue
    • Add notes per Fix Group
    • Filter Issues by compliance to a specific Policy or Policies

New on December 16, 2019

New on December 5, 2019

  • Dynamic Analysis engine updated to AppScan Standard version 9.0.3.14. See Fix List here.

New on November 18, 2019

  • New CIAM (Customer Identity Access Management) system: Users are now required to create an HCL Software ID to use the product. Existing ASoC users can continue to log in with their IBMid until December 18, 2019, but are encouraged to create an HCL Software ID as soon as possible, to ensure your workflow is uninterrupted. This can be done per organization, or per user. Once you have created your HCL Software ID, you simply log in and continue to work with ASoC as usual. For details, see Create an ASoC account.
  • A new function was added to ASoC REST API:

    GET /api/v2/Issues/{scope}/{scopeId}

    This function returns issues for the given scope (Application, Scan or Scan Execution). It accepts the regular OData parameters (filter and paging) and also has a parameter that determines if and which policies should be applied to filter issues. This new function replaces all the following functions (now marked as Obsolete):

    GET /api/V2/Issues/Count

    GET /api/v2/Apps/{id}/NonCompliantCount

    GET /api/v2/Apps/{id}/NonCompliantIssues

    GET /api/v2/Apps/{id}/Issues

    GET /api/v2/Apps/{id}/IssuesAsPage

    GET /api/v2/Apps/{id}/IssuesCount

    GET /api/v2/Scans/Executions/{executionId}/Issues

    GET /api/v2/Scans/{scanId}/Executions/{executionId}/Issues

    GET /api/v2/Scans/{scanId}/NonCompliantIssues

    GET /api/v2/Scans/{scanId}/NonCompliantCount

    GET /api/v2/Scans/{scanId}/Issues
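    Scripts that used the per-scope endpoints above now have to build the single Issues URL themselves and page through it. The client below is an added example, not ASoC's own tooling: it builds GET /api/v2/Issues/{scope}/{scopeId} with the standard OData $filter/$top/$skip options, the locale parameter named in the December 28, 2020 entry, and the cloud.appscan.com domain from the July 1, 2019 entry, then walks $skip forward until a short page arrives. The scope spellings, the bearer-token Authorization header, the name of the policy-selection parameter (passed through as extra) and the "Items" response shape are assumptions not confirmed by this page; the stub transport and sample issues are constructed so the paging logic runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Domain from the July 1, 2019 note; endpoint path from the note above.
BASE_URL = "https://cloud.appscan.com"


def issues_url(scope, scope_id, odata_filter=None, top=100, skip=0,
               locale=None, extra=None):
    """Build the URL for GET /api/v2/Issues/{scope}/{scopeId}.

    $filter/$top/$skip are the standard OData query options the note refers
    to; 'locale' is the parameter named in the December 28, 2020 note.
    The policy-selection parameter is not named on this page, so pass it
    via 'extra' (assumption: it is an ordinary query parameter)."""
    params = {"$top": top, "$skip": skip}
    if odata_filter:
        params["$filter"] = odata_filter
    if locale:
        params["locale"] = locale
    if extra:
        params.update(extra)
    return f"{BASE_URL}/api/v2/Issues/{scope}/{scope_id}?{urlencode(params)}"


def http_transport(url, token):
    """Live transport. Assumption: ASoC accepts the session token as a bearer
    token in the Authorization header and answers with JSON."""
    req = Request(url, headers={"Authorization": f"Bearer {token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=60) as resp:
        return json.load(resp)


def iter_issues(scope, scope_id, token, odata_filter=None, page_size=100,
                transport=http_transport, **kwargs):
    """Yield every issue in scope, advancing $skip until a short page.

    Assumption: the response is either a JSON array or an object with an
    "Items" array; both shapes are handled."""
    skip = 0
    while True:
        url = issues_url(scope, scope_id, odata_filter, page_size, skip, **kwargs)
        page = transport(url, token)
        items = page["Items"] if isinstance(page, dict) else page
        for item in items:
            yield item
        if len(items) < page_size:
            return
        skip += page_size


def stub_transport(all_items):
    """Constructed offline transport that honours $top/$skip, so the paging
    logic can be exercised without credentials."""
    def transport(url, token):
        q = parse_qs(urlparse(url).query)
        top, skip = int(q["$top"][0]), int(q["$skip"][0])
        return {"Items": all_items[skip:skip + top], "Count": len(all_items)}
    return transport


if __name__ == "__main__":
    # Constructed sample data standing in for a scan's issue list.
    sample = [{"Id": i, "Severity": ("High", "Medium", "Low")[i % 3]}
              for i in range(7)]
    for issue in iter_issues("Scan", "scan-1", "dummy-token", page_size=3,
                             transport=stub_transport(sample),
                             odata_filter="Status eq 'Open'"):
        print(issue)
```

Stopping on a short page rather than on an empty one saves one round trip per scope; if the service ever returns a partial page for reasons other than end-of-data, switch the termination test to compare skip against the returned Count instead.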

New on November 7, 2019

  • The latest update to the AppScan on Cloud GUI, AppScan Go!, introduces the ability to specify the "Thorough" scan speed. Thorough scans deliver the most comprehensive analyses to identify the maximum number of vulnerabilities. Thorough scans also take the longest time to complete.

    To take advantage of this scan speed, download and install the latest version of AppScan Go!

    Note: Thorough scans are also available through the command line interface by adding -Dpreset_hint=thorough to the appscan prepare command. For example, appscan prepare -Dpreset_hint=thorough.

New on November 5, 2019

  • General bug fixes.

New on October 30, 2019

  • Fix groups are now shown in the UI: Issues found in Static Analysis are assigned to fix groups, where all issues in the group share a common fix point, API, or Open Source. For details, see Fix Groups.
    Note: The new Fix Groups tab in Application view appears only if you have run a Static Analysis scan. The tab is populated only with issues found in new scans. Scans run before the feature was added will not be assigned to fix groups.
  • Dynamic Analysis engine updated to AppScan Standard version 9.0.3.13.001. See Fix List here.
  • Your Organization ID is added to your Subscriptions page, to use when raising support requests.

New on October 24, 2019

  • PHP analysis is now performed by an optimized scanner. For more information, see PHP Analysis.
  • Please upgrade to version 8.x of the Static Analyzer Command Line Utility:
    • Plugins automatically download the latest Static Analyzer Command Line Utility when they run.
    • If you try to prepare code for scanning using Static Analyzer Command Line Utility version 7.x or earlier, you see an error message. Upgrade to the latest Static Analyzer Command Line Utility based on your operating system (Windows, Linux, Mac).
    • If you are using AppScan Go!, accept and install the latest update if an update is offered.
  • General bug fixes.

New on September 25, 2019

  • New “Fix Groups” API for Issues found in Static Analysis. Each Issue now belongs to a “Fix Group”, that is shown in Scan Reports. You can use the API to:
    • List or update the Issues in a Fix Group, at Application or Scan level.
    • Set the Status (New, Open, Noise, etc.) for all Issues in a Fix Group to:
      • StickyStatus=True: Applied automatically to any additional Issues in that Fix Group found in future scans), or
      • StickyStatus=False: If a new Issue from this Fix Group is found, its status remains New and the group status changes to Mixed.
    Currently this feature is available only through the API, but it will soon be added to the UI. See https://cloud.appscan.com/swagger/ui/index#!/FixGroups
  • Dynamic Analysis: You can now configure a scan and save it to run later.
  • A performance issue when displaying the status of multiple running scans has been fixed.
  • General bug fixes.

New on September 9, 2019

New on August 6, 2019

  • Improved DAST engine:
    • Identifies new cookies created by JavaScript; Improved URL filters; Improved coverage
    • Improved Cross-Site Scripting analysis: Better detection of DOM-Based Cross-Site Scripting
    • Improved Server/application-down detection: The server/application-down heartbeat now tests the full Starting URL for the scan rather than just its root path, improving scan accuracy.
  • General bug fixes.

New on July 31, 2019

  • Scan reports can now be downloaded in CSV format, in addition to the other formats.
  • DAST Scans can now be Paused and Resumed.
  • A new IP range has been added to the list of IP ranges used by ASoC. Please make sure it is not blocked by your firewall (see the IP List in the new System Requirements tab in the user interface).

New on July 18, 2019

  • DAST scans: You can now upload to ASoC a login sequence recorded using the AppScan Activity Recorder (a Chrome extension).
  • Android: Now supports Network Security Configuration (Android API Level 24 and later): Identifies lack of certificate pinning, and other security vulnerabilities, through the NSC configuration file.
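    To see what the Android Network Security Configuration check above is looking for, the following script is an added example, not part of ASoC's mobile analysis: it parses an NSC document and reports the weaknesses a reviewer would flag (cleartext traffic permitted, user-installed CAs trusted, a domain-config with no pin-set, malformed pins, or fewer than two valid pins). Both configurations and the placeholder pins are constructed; the pins are base64 of dummy bytes, not real SPKI hashes, and the "two pins minimum" rule is the script's own policy choice.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed placeholder pins (base64 of 32 bytes), not real SPKI hashes.
PIN_A = base64.b64encode(b"\x01" * 32).decode()
PIN_B = base64.b64encode(b"\x02" * 32).decode()

# Constructed weak config: cleartext allowed everywhere, user CAs trusted,
# no pins for the API host.
WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>"""

# Constructed hardened config: no cleartext, system CAs only, primary plus
# backup pin for the API host.
HARDENED_NSC = f"""<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">{PIN_A}</pin>
      <pin digest="SHA-256">{PIN_B}</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def _is_true(elem, attr):
    return (elem.get(attr) or "false").strip().lower() == "true"


def audit_nsc(xml_text):
    """Return a list of finding strings for an Android NSC document."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None and _is_true(base, "cleartextTrafficPermitted"):
        findings.append("base-config permits cleartext traffic for all domains")
    # User-added CAs anywhere in the trust anchors allow on-device MITM.
    if any(c.get("src") == "user" for c in root.iter("certificates")):
        findings.append("trusts user-installed CA certificates (on-device MITM)")
    for dc in root.iter("domain-config"):          # includes nested configs
        names = [d.text.strip() for d in dc.findall("domain") if d.text]
        label = ", ".join(names) or "<unnamed domain-config>"
        if _is_true(dc, "cleartextTrafficPermitted"):
            findings.append(f"cleartext traffic permitted for {label}")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"no certificate pinning (pin-set) for {label}")
            continue
        valid = 0
        for pin in pin_set.findall("pin"):
            if pin.get("digest") != "SHA-256":
                findings.append(f"pin for {label} uses unsupported digest {pin.get('digest')!r}")
                continue
            try:
                raw = base64.b64decode((pin.text or "").strip(), validate=True)
            except ValueError:                      # binascii.Error is a ValueError
                raw = b""
            if len(raw) == 32:
                valid += 1
            else:
                findings.append(f"malformed SHA-256 pin for {label}")
        if valid < 2:
            findings.append(f"fewer than two valid pins for {label}; keep a backup pin for key rotation")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_NSC), ("hardened", HARDENED_NSC)):
        print(name, audit_nsc(doc) or ["no findings"])
```

The NSC lives at res/xml/ inside the APK and is referenced from the manifest's android:networkSecurityConfig attribute; a domain that is contacted by the app but appears in no domain-config falls back to base-config, which is why the base-config checks come first.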

New on July 9, 2019

  • New wizards simplify setting up all scan types when you click New Scan.
  • Domain verification can now be done before you create a scan (Menu > Settings > Domain Verification).
  • DAST scan file can now be downloaded from ASoC, to open in AppScan Standard for advanced review.
  • When deleting a scan, you can choose to remove from the application all issues that were found only in that scan.

New on July 1, 2019

Important: NEW DOMAIN AND PRODUCT NAME
"IBM Application Security on Cloud" has moved to a new location: https://cloud.appscan.com, and is now called "HCL AppScan on Cloud."
  • The new domain uses a different IP: 108.168.255.173, so verify that you can access it. If your organization blocks unknown IPs, make sure that the new IP is whitelisted.
  • If you use ASoC REST API in your tools or scripts, you must change the domain of all API calls from appscan.ibmcloud.com to cloud.appscan.com.
  • We have released new versions of all tools and DevOps plugins used with ASoC, and these are set to use the new domain. If you use ASoC through one of the tools or plugins, please update to the latest version to implement this change.
The change includes the following updates:
  • New Create Scan dialog box, and improved Create Scan flow.
  • New Create Presence dialog box, improved Create Presence flow, and improved AppScan Presences view.
  • New Add Users dialog box and improved Add Users flow.
  • You can set the User Role when inviting new users.
  • Updated Application > Scan History view, and Scans view.
  • Option to delete all the Issues found in a scan when deleting the scan itself, if your role permits this. Issues found also in other scans are not deleted.
  • The scan configuration file for a DAST scan (.scan) can now be downloaded after scan completes, to review and configure using AppScan Standard. The file is available to download for 60 days after the scan.
  • Scan Optimization for DAST scans is available, and active by default.
  • Settings > Domain Verification can now be performed before you start a scan.
  • API: API/V2/Account/IBMIdLogin was deprecated on June 17th and has now been removed. Please use API/V2/Account/ApiKeyLogin instead.

New on June 17, 2019

  • Improved report generation: In the case of Static Analysis HTML reports for large scans, up to five times faster.
  • API change: API/V2/Account/IBMIdLogin is deprecated and will be removed in the next two weeks. Please use API/V2/Account/ApiKeyLogin instead.
  • ASoC Issue ID (as shown in the UI), is now included in all reports (XML, HTML, PDF).
    Note: (XML Reports only) The <issue><item id>, an additional ID that appears in XML reports only, is not the same as the <asoc-issue-id> referred to here.
  • General improvements and bug fixes.

New on June 13, 2019

  • General bug fixes.

New on May 22, 2019

  • New language support for Perl, PL/SQL, and TSQL.
  • Apex support for the VisualStudio framework.
  • Command line interface (CLI) "dry run" option to check for validation issues prior to a full scan.
  • Support for Weblogic as a JSP compiler.
  • New Java staging capability: a new, faster method for determining which files to scan within Java projects offers more comprehensive analysis of user code.

    The new Java stager process allows for more intelligent handling of Java projects to determine which files will be analyzed and which files will be treated as dependencies. Rather than a time-consuming process of unzipping all war files, jar files, sub jar files and so on, and saving all the uncompressed files to disk before determining which files to analyze, the stager process employs a surgical approach to evaluating the Java project.

    Using the new Java stager process, examination of ear, war, jar, and jar-of-jar files is substantially faster than with the previous process. War files with jar files in the lib directory are processed more completely, and may therefore take longer to produce the IR. The findings, however, are more complete, because the process better identifies user code in jar file or class file form anywhere within the war file.
    • Findings

      Using the new Java stager process on projects that were previously analyzed may produce similar findings that appear new, as well as actual new findings given the more comprehensive analysis of war files.

    • Logging

      In addition to more robust handling of Java projects, the new stager process generates additional logging. This logging lists currently analyzed Java packages and can be useful in discovering missing Java exclusion entries.

    To enable this logging, add the -DSTAGE_INFO=true option to the prepare command. For example:
    D:\apps\app\appscan prepare -n app -DSTAGE_INFO=true
    Discovering targets...
    Target added: app
    Validating...
    Staging D:\apps\app\app.jar
    Evaluating Entry: app.jar.files/lib/tomcat-coyote-7.0.12.jar
    Java Packages To Be Analyzed For app:
            com.app.java.test
    No problems found during validation.
    Generating IRX file...
    IRX file generation successful.
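A parser for that STAGE_INFO output, added here as an example and not part of the release note or HCL's tooling: it extracts the "Java Packages To Be Analyzed" list and flags packages outside an assumed set of user-code prefixes as candidates for the Java exclusion list. The sample log (modelled on the excerpt above) and the prefix list are constructed.

```python
"""Parse `appscan prepare -DSTAGE_INFO=true` output and find likely
third-party packages that are still being analyzed (exclusion candidates).
Added example: the log layout follows the release-note excerpt; the
user-code prefixes are an assumption supplied by the caller."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the excerpt in the release note; the
# org.apache.* packages stand in for the tomcat-coyote jar in lib/.
SAMPLE_LOG = """\
Discovering targets...
Target added: app
Validating...
Staging D:\\apps\\app\\app.jar
Evaluating Entry: app.jar.files/lib/tomcat-coyote-7.0.12.jar
Java Packages To Be Analyzed For app:
        com.app.java.test
        com.app.java.web
        org.apache.coyote
        org.apache.tomcat.util
No problems found during validation.
Generating IRX file...
IRX file generation successful.
"""

PACKAGE_HEADER = re.compile(r"^Java Packages To Be Analyzed For \S+:$")


@dataclass
class StageReport:
    target: str | None = None
    staged: list[str] = field(default_factory=list)     # archives staged
    entries: list[str] = field(default_factory=list)    # nested entries seen
    packages: list[str] = field(default_factory=list)   # packages to analyze
    validated: bool = False


def parse_stage_info(log: str) -> StageReport:
    """Walk the log line by line; package names are the indented lines that
    follow the 'Java Packages To Be Analyzed' header, up to the next
    non-indented line."""
    report = StageReport()
    in_packages = False
    for raw in log.splitlines():
        line = raw.strip()
        if in_packages:
            if raw.startswith((" ", "\t")) and line:
                report.packages.append(line)
                continue
            in_packages = False  # first non-indented line ends the block
        if line.startswith("Target added: "):
            report.target = line[len("Target added: "):]
        elif line.startswith("Staging "):
            report.staged.append(line[len("Staging "):])
        elif line.startswith("Evaluating Entry: "):
            report.entries.append(line[len("Evaluating Entry: "):])
        elif PACKAGE_HEADER.match(line):
            in_packages = True
        elif line == "No problems found during validation.":
            report.validated = True
    return report


def suspected_third_party(packages: list[str], user_prefixes: list[str]) -> list[str]:
    """Packages that sit under none of the user-code prefixes. A prefix
    matches a package exactly or as a dotted parent (so 'com.app' matches
    'com.app.web' but not 'com.appx')."""
    def is_user_code(pkg: str) -> bool:
        return any(pkg == p or pkg.startswith(p + ".") for p in user_prefixes)
    return sorted(p for p in packages if not is_user_code(p))


if __name__ == "__main__":
    report = parse_stage_info(SAMPLE_LOG)
    print(f"target={report.target} validated={report.validated}")
    for pkg in suspected_third_party(report.packages, ["com.app"]):
        print("review for exclusion:", pkg)
```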

New on May 14, 2019

  • System Requirements: A new IP address has been added to the list of IP ranges used. These must not be blocked by your firewall.

New on May 6, 2019

  • General updates and bug fixes.

New on April 10, 2019

  • APEX support
  • Visual Studio 2019 plugin and CLI support
  • JSP compile arguments can be used in appscan-config.xml.

New on April 2, 2019

  • Test Optimization
    • This new feature for DAST scans (active by default, and controlled during scan setup) speeds up scanning for those occasions when fast results are more important to you than a thorough, in-depth scan. See Test Optimization.
    • The General Information section of DAST scan reports now indicates whether or not the scan was Optimized.

New on March 28, 2019

  • System Requirements: A new IP address has been added to the list of IP ranges used. These must not be blocked by your firewall.

New on March 18, 2019

  • New Testing Status behavior (see Application Attributes):
    • When you Create a Scan, Testing Status for the application changes to "In Progress".
    • When you Reset an application (UI: Edit > Reset > Delete all… | API: Apps/Reset/Delete Issues), the application's Testing Status changes to "Not Started".
  • New API options:
    • Filters added to GET Presences API function, for example: GET ..Presences/?$select=PresenceName%2C%20Id returns a list of all Presences and their IDs.
    • Download a DAST Scan file using: GET ..Scans/DynamicAnalyzerScanFile/{executionId}
  • The XML Scan Report is back. To align it with AppScan Enterprise there have been changes to its content and structure, including the order of some of the main sections. The changes are detailed in technote: http://www.ibm.com/support/docview.wss?uid=ibm10876392
  • If a scan reveals more than 20,000 issues, ASoC now selects 20,000 representative issues, and includes only them in the Scan Results.

New on March 6, 2019

  • In Users and Roles view, the new Export User List button lets you download the list of users to your machine, as a CSV file.
  • ColdFusion support.
  • Expanded Azure DevOps (VSTS) and Team Foundation Server (TFS) support.
  • Improved include/exclude behavior for SAST scans using appscan-config.xml.

New on February 26, 2019

  • General updates and bug fixes.

New on February 20, 2019

  • Open Source Report now includes Library Version for relevant entries.
  • Personal Scans: It is now possible to create Users with permission to create Personal Scans only (not regular scans).

New on February 14, 2019

  • SAST bug fixes.

New on February 13, 2019

New on February 6, 2019

  • User Management: When creating or editing User Roles (User Management > Users & Roles > Add/Edit Role), Admins can now enable them to "View Users and Roles" without giving them Edit permissions. This gives view-only access to the User Management views.

New on January 24, 2019

  • Regulatory Compliance Reports: Two new reports are now available:
    • Payment Application Data Security Standard
    • US DISA’s Application Security and Development STIG V4R3
Note: Two additional IP ranges will be added to System Requirements as of January 29, 2019. Please make sure they are not blocked by your firewall.

New on January 16, 2019

  • Javascript scanner enhancements.

    Enhancements include performance improvements, automatic exclusion of third-party files, improved rules analysis, and bug fixes.

New on January 15, 2019

  • Industry Standard Reports: Four new reports are now available:
    • International Standard - ISO 27001
    • International Standard - ISO 27002
    • NIST Special Publication 800-53
    • WASC Threat Classification v2.0
  • Regulatory Compliance Reports: Four new reports are now available:
    • CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
    • US Electronic Funds and Transfer Act (EFTA)
    • US Federal Information Security Mgmt. Act (FISMA)
    • US Sarbanes-Oxley Act (SOX)
  • Sample Reports: The sample reports have all been updated, and a new Open Source License sample report has been added.
  • Static Analysis Report: The bug causing Fix Groups to be omitted from Static Analysis reports has been fixed.

New on January 10, 2019

  • iOS version 12.1 is now supported for scanning iOS mobile apps.

New on January 8, 2019

  • Private site scanning:
    • You can now run the AppScan Presence as a service on Linux OS as well as Windows.
    • In Windows OS the AppScan Presence is now started with EXE files.
    See Creating the legacy Presence for details.
  • Industry Standard and Regulatory Compliance Reports can now be run for individual scans, from the Scan Reports dialog box.
  • Application Reports are now run from a dialog that opens from the Application Report button at the top of the screen. The options are unchanged.

New on December 30, 2018

  • Updated Security Scan Report: The Security Scan report is now generated on request rather than at the time of the scan, so that, as with the other reports, Issues whose status has since changed (for example to “Fixed”) appear with their current status in the report. (Does not apply to scans run before October 2017.)
  • New Open Source License Report for Static Analysis scans (Open Source subscription required): Generate a report for a scan listing all Open Source libraries found in your code. (Applies only to scans run after December 30, 2018.)
  • Personal Scans can now be promoted from the user interface (in addition to the API, as before). Issues in the Personal Scan are merged with the issues in the application, and a message indicates how many issues were "New" (not previously found in the application), "Merged" (found in both the Personal Scan and the application), and "Reopened" (found in the Personal Scan and previously marked as Fixed in the application; these are reopened).
  • Additional Industry Standard Report: OWASP Top 10 Mobile 2016.
  • Scan History view now shows the name of the user who created each scan.

New on December 3, 2018

  • Support for Visual Studio Team Services (VSTS) plugin.

New on November 29, 2018

  • Enhanced JavaScript scanner for static analysis.
  • Support for AngularJS.

New on November 19, 2018

  • New Dynamic Analysis engine
  • The list of IPs used for Private Site Scanning has been updated in System Requirements.

New on November 7, 2018

  • Additional lists are now divided into pages (10 per page by default, configurable): Asset Group list, Asset Group Users list (Grant User Access), Asset Group Applications list (Move Applications), Users list.
  • For dynamic scanning: Mouse-click on the Info icon next to a scan now shows scan ID and Starting URL.
  • Starting URL field now verifies the URL as you type it.
  • For private site scanning: AppScan Presence status is now displayed during the scan.

New on October 28, 2018

New on October 17, 2018

  • My Scans tab list is now divided into pages (five per page by default, configurable).
  • Fixed a defect in Private Site Scanning with a PAC file.

New on October 9, 2018

  • Mobile Analysis now supports iOS versions between 7 and 12 inclusive, and all versions of Swift up to and including 4.2.
  • Dynamic Analysis now supports sites that require HTTP authentication.
  • Private Site Scanning now supports proxy auto-config (PAC) files, see Configuring a PAC file (legacy Presence).
  • Redesigned landing page.
  • Fixed a defect where promoting a personal scan did not work properly if there were more than 200 issues.
  • Added a missing fix recommendation for SAST in the application report.
  • General bug fixes.

New on September 20, 2018

HCL AppScan on Cloud Static Analyzer Command Line Utility is supported on 64-bit Linux only.

New on September 5, 2018

Application Security on Cloud supports scanning directly from your integrated development environment (IDE) or your build system using the following plugins:
  • Eclipse
  • IntelliJ
  • Visual Studio
  • Jenkins
  • Gradle
  • Maven
Note: The Maven ASoC plugin is now live in the Maven Central Repository; it no longer needs to be installed manually.

New on August 29, 2018

  • Language support: Application Security on Cloud now supports Python scanning.
Dynamic Analysis Engine updates:
  • Added check for latest Apache Struts 2 CVE-2018-11776 to discover critical remote code execution flaw. Available in Dynamic and Open Source Analysis.
  • Added Dynamic Analysis checks for ‘XML External Entity File Disclosure on JSON’ and ‘Older TLS Version is Supported’.
  • Improved existing ‘Apache Struts 2 Remote Command Execution’ check with new variants to improve coverage and accuracy.

New on August 14, 2018

  • Dynamic Analysis engine update, with general improvements and bug fixes.

New on August 7, 2018

  • Personal scans are now indicated as such in the list of scans for the application.

New on August 1, 2018

  • Language support: Application Security on Cloud now supports COBOL scanning.
  • Static Analyzer reporting improvements: Application Security on Cloud has improved fix group categorization, as seen in both reports and the assessment viewer.
  • Pipeline support: The Jenkins plugin has been updated to include support for Jenkins Pipeline.

New on July 10, 2018

  • New Dynamic Analysis engine, with advanced Automatic Explore capabilities, improves speed and testing coverage.

New on July 2, 2018

AppScan on Cloud IDE plugin support for policies includes these changes to security scans:
  • The Scan issues column replaces the Result column in the Security scans view.

    When clicked, Scan issues displays all non-compliant static security issues discovered during the scan.

  • The Application issues column replaces the Report column.

    When clicked, Application issues displays all non-compliant static security issues discovered during scans of this application.

IDE plugins for Static Analyzer are now available through the IDE marketplace for the specific plugin flavor. For more information, see Scanning in integrated development environments.

New on June 27, 2018

  • Subscription management: The new Subscriptions view (Main menu > My Subscriptions) shows the status of all your organization's subscriptions, including the number of applications or scans left, and the start and end dates.
  • New Policy Filters in the UI let you easily filter Issues based on either associated or unassociated Policies. For example you can create a Policy to include only High Severity Issues found after a certain date, and then filter the Issues to create a Regulatory Compliance Report for those issues only.
  • API: New report APIs let you create: Issues Report, Security Report, and Regulation Reports for selected issues, and with a defined scope.

New on May 30, 2018

  • Mobile Analysis now supports Android versions up to 8.0.

New on May 9, 2018

  • New policy functionality:
    • Create custom policies through the user interface.
    • Quickly enable or disable associated policies using the new Policy tab in the Application view.
  • Error when trying to import a CSV file using Issue Management > Import Issues has been fixed.

New on April 25, 2018

  • New predefined HIPAA policy identifies issues that fail to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See Policies.

New on April 17, 2018

  • In the Advisory tab for an Issue, some of the links to external reference sites were broken. These have been fixed.
  • The new Compliant column header in the Application table lets you sort issues as Compliant or Not Compliant with the application's associated policies.
  • AppScan on Cloud supports scanning of .NET Core projects through the Command Line Interface (CLI) and through the Visual Studio 2017 plugin on Windows only. For more information, see Generating an IRX for a .NET Core project.
    Note: AppScan on Cloud does not support the portable .pdb format. For more information, see .NET scan results show the assembly file instead of the source file.

New on March 18, 2018

Policies

You can now associate one or more policies with an application, allowing you to evaluate the application's compliance with those policies and focus remediation efforts on related vulnerabilities. Policies are applied through the user interface.

The impact of policies on a scan, and an application's compliance with them, can then be highlighted in reports. A new Application Report function is available at the application level. From this function, you can run security and issues reports, as well as the following new compliance reports:
  • CWE/SANS top 25 report
  • EU General Data Protection Regulation (GDPR) report
  • OWASP Top 10 2017 report
  • PCI compliance report
Note: Policies currently are available only on the web and are not compatible with Static Analyzer tools (IDE, CLI, and Jenkins).

New on March 8, 2018

  • The IDE plugins now prompt every scan for the application association, instead of only once per workspace.
  • PHP applications no longer encounter memory limits during IRX generation.
  • The Help Me Fix This button is no longer reactivated in Visual Studio after resolving a fix group.

New on March 5, 2018

  • When an AppScan Standard configuration was used to run an ASoC scan, tests were sent to domains that had been specifically excluded from the scan. This bug is now fixed.
DEPRECATION NOTICE: Some Issue Properties columns will be removed on March 19, 2018

When working with scan results, six Issue Properties are displayed by default: Status, Location, CVSS, Issue Type, Severity, and Scan Name. Columns for additional properties can be added (or removed) using the Column Selection drop-down list. To streamline the UI, the following column options will be removed on March 19, 2018:

Access Complexity, Access Vector, Application Name, Authentication, Availability Impact, Classification, Confidentiality Impact, Description, Discovery Method, Exploitability, Fix Recommendation, Friendly ID, Integrity Impact, Is Third Party, Nessus Plugin ID, Project Name, Protocol, Remediation Level, Report Confidence, Severity Value, Steps to Reproduce, Summary, WhiteHatSecVulnId

As of March 19, 2018 these properties will no longer appear as options in the Column Selection drop-down list, and if selected in a previous scan, will no longer be displayed in the scan results.

New on February 26, 2018

  • The Application Report, that previously downloaded as an HTML file, now downloads as a PDF file.
  • The data included in reports by default is now: Table of Contents, Summary, and Details. The other four categories (Discussion, History, Advisory, and Fix Recommendation), can be selected for inclusion when generating the report.

New on January 30, 2018

  • For scans created in a language other than English, Issue severity was shown correctly in reports but incorrectly shown as "Undetermined" in the online UI. This is now fixed.
  • Incorrect message when rescanning after 30 days is now fixed.

New on January 8, 2018

  • Reset Application Data: Added as a new option in Edit Application, this function permanently deletes all scans and issues from an app while retaining its name and configuration.
  • Dynamic Analysis new behavior: If you load a scan file you are given the option to Full Scan or Test Only:
    • Full Scan: Ignores all results saved in the scan and runs a new scan with the same configuration (previously the scan would preserve existing results and continue the scan till completion).
    • Test Only: Ignores any Test stage results and runs a new Test stage using the Explore stage results in the file (previously the Test stage would preserve existing Test stage results and continue till completion).
    Note that in both cases any Manual Explore data and Multi-Step Operations saved in the file are included in the new scan.

New on December 31, 2017

  • New Dynamic Analysis agent.

New on December 26, 2017

  • When generating a report, you can now:
    • Include Details and Discussion (Comments) metadata.
    • Include all issues found by clicking Report without selecting any issues. If you do select issues, the report will, as previously, contain only those issues.

New on December 13, 2017

  • You can now add Comments to Issues Found in your app, that are displayed as a new column in Application view and Issues view.
    Note: Existing users will first need to add the Comments column as one of the displayed columns in the Issues Found tab.
  • Users who are members of more than one organization now have a drop-down list next to their name in User Management, to select which organization’s dashboard to display.

New on December 5, 2017

  • AppScan on Cloud now supports Open Source only scanning through use of the -openSourceOnly option with appscan prepare.
  • Improvements to C/C++ scanning and resulting IRX files.
  • Edge-case stability improvements for Intelligent Code Analytics (ICA) and Intelligent Findings Analytics (IFA).

New on November 22, 2017

  • Policies: You can now define and use "policies", using the REST API, to show only issues found after a certain date or of a specified minimum severity. See Policies.
  • DAST and Android engines updated with new version that includes bug fixes and improved performance.

New on November 14, 2017

  • New History tab in Issues view shows the Audit Trail for the selected Issue. Note that the trail starts only from the time of this update.
  • DAST and Mobile engines updated with new version that includes bug fixes and improved performance.

New on October 23, 2017

  • You can now use the API to delete issues, scans or application chart data without deleting the application.
  • New Discussion tab in Issues view lets you add your own Comments to Issues in your application.

New on October 20, 2017

  • Improvements to Intelligent Findings Analytics

    Previously, java.sql.Statement.executeBatch and InetAddress returned noisy findings. We improved Intelligent Findings Analytics (IFA) to filter out these false positive findings.

New on October 10, 2017

  • "Update Issue Status" has been added to the permissions you can control.
  • Paging is now available for apps as well as issues.

New on October 3, 2017

  • Mobile Analysis now supports iOS 11.
  • New issue type in Android and iOS scans: Credential Leakage.
  • The main toolbar now shows which organization the user is currently logged into, next to the Username.

New on September 10, 2017

  • User roles
  • The AppID that is generated automatically has changed from an integer to a GUID. This is transparent to users since the new ID is returned automatically, and the APIs for submitting scans are backwards compatible.

New on August 24, 2017

  • Improvements to Open Source Analyzer support:

    Improved performance with Open Source Analyzer and Eclipse when running multiple scans in the same session.

  • Improvements to C/C++ support:

    Better discovery of C++ macros and compiler options.

  • Identification of Static Analysis issues without trace has changed:

    We improved the Static Analysis engine, and with it the hash algorithm for non-trace findings has been improved. Due to this change, many static analysis findings detected after deploying this latest update will be duplicated once in the Issues tab. This change primarily affects Node.js, Ruby, and JavaScript findings but may also affect other languages.

New on August 14, 2017

  • Removed: The ability to create Application Profile Templates, with customized attributes, has been removed.

New on July 24, 2017

  • Additional iOS support: ASoC now supports scanning iOS mobile apps up to version 10.3.
  • New IP range: One of the IP ranges used by ASoC has changed. See Which IPs does ASoC use?
  • New UI functionality: The new check box at the top of the scan results table lets you Select All scans, and the new Delete button there deletes all scans whose check box is selected. See Results.

New on June 22, 2017

  • AppScan on Cloud now supports scanning iOS apps that require entitlements.
  • Better support for C/C++, including Visual Studio 2015:

    C/C++ scanning improvements include the ability to scan 64-bit projects that target the Visual Studio 2015 platform toolset.

  • Better logging for .NET:

    Improvements to logging and stability for all .NET-related projects.

  • JavaScript improvements:

    JavaScript trace handling has been stabilized, so that incomplete traces no longer prevent results from being returned.

New on June 15, 2017

  • Scan queue: If you try to start a scan when the maximum number of concurrent scans for your subscription are already running, the scan is now added to a queue and will start automatically as soon as possible.
  • OWASP Top 10 Risks in Mobile Analysis reports now follow "Mobile Top 10 2016": https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
  • Improved support for NodeJS and Ruby:

    Node.js and Ruby scans are fully integrated with the Intelligent Findings Analytics (IFA), providing dramatically faster scan times.

  • Improvements for Client Side Javascript:

    We improved the display of trace and non-trace findings generated by the Javascript engine.

New on March 26, 2017

  • Application Security on Cloud now supports Open Source testing:
    1. Locates Open Source packages in your code
    2. Identifies Open Source packages that are known to be vulnerable
    3. Suggests alternatives to the vulnerable packages
    Results appear in Static Analysis reports and in your Application Security on Cloud portal.
    Note: Open Source testing requires an additional subscription. Once the subscription is active, Open Source testing is automatically included in Static analysis scans.
  • The AppScan Presence now includes an optional Proxy Server for incorporating scanning (of web apps only) as part of your functional testing.

New on February 3, 2017

  • When using the Jenkins plug-in:
    • Dynamic analysis is now supported. With this feature, you can perform analysis of an application that runs in a browser.
    • Using a generated API key is now required when specifying login credentials.
    Note: Connecting to Bluemix from the Jenkins plug-in is not supported.

New on January 25, 2017

  • Intelligent Code Analytics (ICA) is now applied during C/C++ static analysis scans.

    ICA was previously introduced for Java, .NET, and PHP scans. With this technology, new application programming interfaces (APIs) are discovered and assessed for security impact. Through ICA, all third-party APIs and frameworks are reviewed and assigned the right security impact. This allows for more complete scan results.

New on December 21, 2016

New on December 14, 2016

New on December 13, 2016

New on November 16, 2016

  • Static analysis scans now make use of Intelligent Code Analytics (ICA). ICA automatically discovers new application programming interfaces (APIs) and assesses them for security impact. Through ICA, all third-party APIs and frameworks are reviewed and assigned the right security impact. This allows for more complete scan results.
    Note: ICA is currently only applied when scanning Java, C/C++, .NET, and PHP.

New on October 19, 2016

  • Changes in the User Management pages:
    • The "Manage Users" button on the Users & Roles page was removed. The Administration link from the banner to IBM Cloud Marketplace is now also available from the Main menu.
    • The "Invite Users" link on the banner to IBM Cloud Marketplace is also available from the Main menu > User Management > Users & Roles.

New on October 12, 2016

  • Create an application profile template. (This functionality was later removed.)
  • Customize the risk rating formula. (This functionality was later removed.)
  • Determine risk with customized formulas. (This functionality was later removed.)

New on October 5, 2016

New on September 28, 2016

  • Import a list of apps to help build your application inventory
  • View issue details, advisories, and fix recommendations
  • Dynamic analysis now supports scans using your own AppScan Standard configuration (SCAN or SCANT file).

New on September 14, 2016

New on September 7, 2016

  • Scanning iOS mobile apps no longer requires the use of the IPAX Generator to create and upload an IPAX file. You can now create and upload an IPA file.

New on August 23, 2016

New on August 3, 2016

  • New user management capabilities: User management helps you restrict access to sensitive apps by assigning them to asset groups and then adding specific users to those groups.
  • New user management REST APIs.
  • Support for filters and statistics on scans (completed successfully, in progress, or failed).

New on July 20, 2016

New on July 11, 2016

New on June 29, 2016

  • Support for scanning Android mobile apps that require login

New on June 22, 2016

  • Request help from an expert. You can buy Consulting Services Engagement Units as add-ons to your subscription. During your subscription, you can use these Engagement Units to request and receive any combination of OnDemand Consulting services, depending on how many units these services require.
  • Static Analysis now includes support for these languages:
    • Client-side JavaScript
    • PHP
    • Ruby
  • Detect information leakage in both iOS and Android mobile apps

New on June 8, 2016

  • New My Scans page contains a flat list of scans, regardless of the app they belong to
  • You can now select a specific Test Set when scanning with Dynamic Analysis
  • Support for scanning additional verified domains with Dynamic Analysis

New on June 1, 2016

New on April 5, 2016

  • Build an inventory of your application assets to understand what you need to protect
  • Classify and rank your applications by business impact to find out what is most important to protect
  • Organize your Analyzer scans by application to get a complete assessment
  • Obtain a security rating for each application to rank your assets by risk
  • Prioritize vulnerabilities and manage their resolution
  • View a dashboard to understand your application security posture and see whether you are making progress
  • Scan Android apps on an Android 6 emulator with Mobile Analyzer to find more vulnerabilities
  • Scan and view vulnerabilities with Static Analyzer from the convenience of your IntelliJ IDE.