Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Recent updates
Discover upcoming and recently added features.
System requirements
This topic provides links to system requirements and supported operating systems and languages for the ASoC analyzers. Also learn about the supported browsers and minimum resolution for the service.
Data center selection
Create your HCL ID
My Subscriptions shows the status of all your organization's subscriptions, including the number of applications or scans left, and the start and end dates.
This section outlines a typical ASoC workflow for an authorized user with a valid subscription.
Demo videos
These 'how-to' videos demonstrate using ASoC and how it fits into your workflow, and offer tips and tricks.
Contact and Support
Some useful links.
ISO/IEC certificates.
Service Description
Trial Terms of Use
This section describes the items on the main ASoC menu bar, and links to more detailed information.
The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. You can use it to create new applications, and open individual application pages.
All Scans
Scans view lists all scans in all your applications.
The main dashboard is the third item on the main menu bar. It gives you a detailed overview of the current state and history of all your applications.
Domains view lists the domains for which you have permission to run dynamic (DAST) scans, and lets you verify additional domains for scanning.
User management helps you restrict access to sensitive apps by assigning them to asset groups and then adding specific users to those groups.
Managing users
Examine your users and decide who needs access to which apps and asset groups. Consider grouping them by business unit or geography. By default, all users who are not designated as administrators in Cloud Marketplace are application testers. Decide which users need to be only report viewers and change their role.
User roles
Users are assigned to asset groups by an administrator. Predefined user roles cannot be deleted.
Asset groups
Asset groups represent abstract components of your organization, like "finance" or "engineering". Administrators can restrict access to specific applications by assigning them to an asset group and limiting the users who belong in the group.
An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to assess risk, identify trends, and make sure that your project is compliant with industry and organization policies.
Creating an application
Create an app and import issues so that you can track security testing progress against the business impact on your critical web apps.
Importing a list of applications
Importing an inventory list of your apps can save you time by reducing redundant manual work. Start with a sample spreadsheet of application attributes, or merge the sample spreadsheet with your existing list. Your list of apps must be in CSV format. Make sure that you use a spreadsheet editor, such as Microsoft™ Excel or Apache OpenOffice Calc, to edit your CSV file.
An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
System requirements
Creating the AppScan Presence
For private web apps, or for including a scan as part of your functional testing procedure, you must create an AppScan Presence, with access to the web app or back-end server, and to the Internet. Proxy connections are supported.
Starting the AppScan Presence
Activating the Proxy Server
To use the Proxy Server in the AppScan Presence, you must activate it, and configure the port.
Using the Proxy Server
You can use the AppScan Presence Proxy Server to record traffic, save it as a DAST.CONFIG file, and import it to run an ASoC scan. You can optionally encrypt this file, as described in a sub-section below.
Configuring Private Site Server proxy
If your private network requires the Private Site Server to use a proxy to connect with the web app or back-end server (internal proxy), or with the Internet (outgoing proxy), configure it as follows.
Configuring a PAC file
If a proxy auto-config (PAC) file is required in order to reach the various domains in your site, configure the AppScan Presence as follows.
Renewing the Presence key
When you originally download the presence, it includes a key to activate it. When that key expires, you must replace it with a valid key.
Learn how to run scans and IAST monitoring sessions on your apps, and import issues from 3rd party scanners.
Sample apps and scripts
Use these sample applications to practice scanning with ASoC.
Dynamic (DAST) scanning
ASoC can perform dynamic analysis of an application that runs in a browser. Use the configuration options available in ASoC, or upload an AppScan Standard configuration.
Static (SAST) scanning
Use static analysis to scan applications for security vulnerabilities. To accomplish this, either use AppScan Go! or download a small client utility and use its command line interface (CLI) to perform security analysis on either source code or binary files for all supported languages. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once the plugins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio. Additional information on plugins and integrations is listed here.
Interactive (IAST) monitoring
ASoC can monitor normal application runtime behavior, to detect vulnerabilities.
Personal scans
A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data, or compliance.
Private sites
An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
You can apply the pre-defined policies - as well as your own custom policies - to show only data for the issues that are relevant for you.
Custom policies
If you have the required permissions, you can create/delete your own custom policies.
Associating with an app
App compliance status
The Scan History tab of your application displays your scan results (including scan statistics) and rescan options.
Sample Security Reports
Application reports
Scan data
The Issues page for an application shows all issues found. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
Fix Groups
Fix Groups currently apply only to issues found in Static Analysis.
Generating reports
You can generate an HTML security report for issues that were discovered in an application and send them to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
Triaging issues
All issues are classified as new by default. You can see an issue classification by viewing the issue status.
Issue status
Issues can be classified as New, Open, In Progress, Noise, Reopened, Passed, and Fixed. Issues classified Open, In Progress and Reopened appear in the Issues grid of an app.
After the risks are determined and the vulnerabilities are prioritized, your security team can start the remediation process.
Following your first scan, if you fix issues you can scan the same app again as many times as needed. When you scan again (rather than starting a new scan), the new scan overwrites the previous results, so the dashboard always displays the current state of the app.
Static analysis scan results
This topic describes the features available in static analysis scan results.
IAST scan results
An Interactive (IAST) Scan entry shows results since the last time the scan was started.
Tools for incorporating ASoC in your SDLC.
The built-in REST API interface provides you with a way to visualize RESTful web services. The API documentation is built by using Swagger, where you can test API operations and instantly view the results to help you scan your applications faster.
Webhooks can be used to receive notifications about events that occur in AppScan On Cloud.
Plugins and integrations
HCL AppScan on Cloud includes the following plugins and integrations. Plugins and integrations are also listed on the AppScan on Cloud Plugins & APIs page.
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
AppScan Presence
This section suggests troubleshooting tasks for errors found when working with the AppScan Presence.
Static analysis
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.
Some frequently asked questions.
Threat Class and CWE
Tables showing Threat Classes of issues tested for by ASoC, and their related CWE numbers.
Understand DAST Scanning
An ASoC Dynamic (DAST) scan consists of two stages: Explore and Test. It is useful to understand the principle behind this, even though most of the scan process is seamless to the user, and no input is required until the scan is complete. The Explore stage can be run automatically as part of the automatic scan, manually by the user, or as a combination of both.
Understand Private Site Scanning
ASoC provides Dynamic Application Security Testing (DAST) from a cloud-based scanner as SaaS. This capability requires the cloud-based scanner to be able to access the tested application. Publicly available web-based applications can be scanned without issue. However, Private Site Scanning (PSS) is only possible after adding network components (such as VPNs or proxies) or changing the network to allow the scanner to access the web application’s host server.
CSV format
This section describes how to save response data in CSV format.