Welcome to the documentation for HCL AppScan on Cloud.
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Recent updates
Discover upcoming and recently added features.
System requirements
This topic provides links to system requirements and supported operating systems and languages for the ASoC analyzers. Also learn about the supported browsers and minimum resolution for the service.
Data center selection
Create an ASoC account
My Subscriptions shows the status of all your organization's subscriptions, including the number of applications or scans left, and the start and end dates.
This section outlines a typical ASoC workflow for an authorized user with a valid subscription.
Demo videos
These 'how-to' videos demonstrate using ASoC and how it fits into your workflow, and offer tips and tricks.
Contact and Support
Some useful links.
ISO/IEC certificates.
Service Description
The service description describes the HCL AppScan on Cloud service.
Trial Terms of Use
This section describes the items on the main ASoC menu bar, and links to more detailed information.
All applications
The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. You can use it to create new applications, and open individual application pages.
All Scans
Scans view lists all scans in all your applications.
The main dashboard is the third item on the main menu bar. It gives you a detailed overview of the current state and history of all your applications.
Domains view lists the domains for which you have permission to run dynamic (DAST) scans, and lets you verify additional domains for scanning.
User management helps you restrict access to sensitive apps by assigning them to asset groups and then adding specific users to those groups.
Managing users
Examine your users and decide who needs access to which apps and asset groups. Consider grouping them by business unit or geography. By default, all users who are not designated as administrators in Cloud Marketplace are application testers. Decide which users need to be only report viewers and change their role.
User roles
Users are assigned to asset groups by an administrator. Predefined user roles cannot be deleted.
Asset groups
Asset groups represent abstract components of your organization, like "finance" or "engineering". Administrators can restrict access to specific applications by assigning them to an asset group and limiting the users who belong in the group.
An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to assess risk, identify trends, and make sure that your project is compliant with industry and organization policies.
Creating an application
Create an app and import issues so that you can track security testing progress against the business impact on your critical web apps.
Importing a list of applications
Importing an inventory list of your apps can save you time by reducing redundant manual work effort. Start with a sample spreadsheet of application attributes, or merge the sample spreadsheet with your existing list. Your list of apps must be in a CSV format. Make sure that you use a spreadsheet editor, such as Microsoft™ Excel or Apache OpenOffice Calc, to edit your CSV file.
An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
System requirements
Creating the Presence
For private web apps, or for including a scan as part of your functional testing procedure, you must create an AppScan Presence, with access to the web app or back-end server, and to the Internet. Proxy connections are supported.
Starting the Presence
Configuring Private Site Server proxy for legacy Presence
If your private network requires the Private Site Server to use a proxy to connect with the web app or back-end server (internal proxy), or with the Internet (outgoing proxy), configure it as follows.
Configuring a PAC file
If a proxy auto-config (PAC) file is required in order to reach the various domains in your site, configure the AppScan Presence as follows.
Renewing the Presence key
When you originally download the presence, it includes a key to activate it. When that key expires, you must replace it with a valid key.
Log files
Upgrading to the new AppScan Presence
If you already have a V1 AppScan Presence installed and you want to upgrade to V2, follow these instructions.
Legacy AppScan Presence
This section describes the legacy version of the AppScan Presence, V1. This version will be supported only until October 1, 2022.
The AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
System requirements
This section describes the changes you can make in the configuration file: Settings.json
You can either simply start the traffic recorder, or run it as a service. Note that you cannot do both in parallel.
Once the traffic recorder has started, you can start new instances, to record your application's traffic.
API commands
Private site server proxy
If your private network requires the Private Site Server to use a proxy to connect with the web app or back-end server (internal proxy), or with the Internet (outgoing proxy), configure it as follows.
Learn how to run scans and IAST monitoring sessions on your apps, and import issues from 3rd party scanners.
Sample apps and scripts
Use these sample applications to practice scanning with ASoC.
Dynamic (DAST) scanning
ASoC can perform dynamic analysis of an application that runs in a browser. Use the configuration options available in ASoC, or upload an AppScan Standard configuration.
Static (SAST) scanning
Use static analysis to scan applications for security vulnerabilities. To accomplish this, either use AppScan Go! or download a small client utility and use its command line interface (CLI) to perform security analysis on either source code or binary files for all supported languages. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once the plug-ins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio. Additional information on plug-ins and integrations is listed here.
Open source testing
Open source testing locates and analyzes open source packages in your code. Our Software Composition Analysis (SCA) aggregates information from a variety of sources, constantly monitoring for new vulnerabilities in an automated process that keeps our information up to date daily. Sources include the most popular security vulnerability databases (NVD, GitHub Advisory, Microsoft MSRC), and a wide range of lesser-known security advisories and open source project issue trackers.
Interactive (IAST) monitoring
ASoC can monitor normal application runtime behavior, to detect vulnerabilities.
Scan status
Personal scans
A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data, or compliance.
Private sites
An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
You can apply the pre-defined policies - as well as your own custom policies - to show only data for the issues that are relevant for you.
Custom policies
If you have the required permissions, you can create/delete your own custom policies.
Associating with an app
App compliance status
The Scan History tab of your application displays your scan results (including scan statistics) and rescan options.
Sample Security Reports
Application reports
Scan data
The Issues page for an application shows all issues found. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
Auto Issue Correlation
AppScan analyzes issues found by IAST, DAST and SAST, to identify common weak links in the code - or "correlations" - that spot where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.
Fix Groups
Fix Groups currently apply only to issues found in Static Analysis.
You can generate reports for issues discovered in an application, to send to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
Triaging issues
All issues are classified as new by default. You can see an issue classification by viewing the issue status.
Issue status
Issues can be classified as New, Open, In Progress, Noise, Reopened, Passed, and Fixed. Issues classified Open, In Progress and Reopened appear in the Issues grid of an app.
Issue severity
Issues can be classified as appear in the Issues grid of an app.
After the risks are determined and the vulnerabilities are prioritized, your security team can start the remediation process.
Following your first scan, if you fix issues you can scan the same app again multiple times and overwrite the previous results, so the dashboard always displays the current results. When you scan again (rather than starting a new scan), the new scan overwrites the previous one.
Static analysis scan results
This topic describes the features available in static analysis scan results.
IAST scan results
An Interactive (IAST) Scan entry shows results since the last time the scan was started.
Tools for incorporating ASoC in your SDLC.
The built-in REST API interface provides you with a way to visualize RESTful web services. The API documentation is built by using Swagger, where you can test API operations and instantly view the results to help you scan your applications faster.
Webhooks can be used to receive notifications about events that occur in AppScan on Cloud.
Plugins and integrations
Plugins and integrations are listed on the AppScan on Cloud Plugins & APIs page.
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
AppScan Presence
This section suggests troubleshooting tasks for errors found when working with the AppScan Presence.
Static analysis
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.
Some frequently asked questions.
Threat Class and CWE
Tables showing Threat Classes of issues tested for by ASoC, and their related CWE numbers.
Understand DAST Scanning
An ASoC Dynamic (DAST) scan consists of two stages: Explore and Test. It is useful to understand the principle behind this, even though most of the scan process is seamless to the user, and no input is required until the scan is complete. The Explore stage can be run automatically as part of the automatic scan, or manually by the user, or a combination of both.
Understand Private Site Scanning
ASoC provides Dynamic Application Security Testing (DAST) from a cloud-based scanner as SaaS. This capability requires the cloud-based scanner to be able to access the tested application. Publicly available web-based applications can be scanned without issue. However, Private Site Scanning (PSS) is only possible after adding network components (such as VPNs or proxies) or changing the network to allow the scanner to access the web application’s host server.
CSV format
This section describes how to save response data in CSV format.