Welcome to the documentation for HCL AppScan on Cloud.
Getting started
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Recent updates
Discover upcoming and recently added features.
System requirements
This topic provides links to system requirements and supported operating systems and languages for the ASoC analyzers. Also learn about the supported browsers and minimum resolution for the service.
Data center selection
Create an ASoC account
My Subscriptions shows the status of all your organization's subscriptions, including the number of applications or scans left, and the start and end dates.
This section outlines a typical ASoC workflow for an authorized user with a valid subscription.
Sample apps and scripts
Use these sample applications to practice scanning with ASoC.
Demo videos
These 'how-to' videos demonstrate using ASoC and how it fits into your workflow, and offer tips and tricks.
Contact and Support
Some useful links.
ISO/IEC certificates.
Service Description
The service description describes the HCL AppScan on Cloud service.
Trial Terms of Use
This section describes the items on the main ASoC menu bar, and links to more detailed information.
All applications
The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. You can use it to create new applications, and open individual application pages.
All Scans
Scans view lists all scans in all your applications.
The main dashboard is the third item on the main menu bar. It gives you a detailed overview of the current state and history of all your applications.
Domains view lists the domains for which you have permission to run dynamic (DAST) scans, and lets you verify additional domains for scanning.
Define users, applications, policies, and configure DevOps integrations.
User management helps you restrict access to sensitive apps by assigning them to asset groups and then adding specific users to those groups.
An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to assess risk, identify trends, and make sure that your project is compliant with industry and organization policies.
You can apply the pre-defined policies - as well as your own custom policies - to show only data for the issues that are relevant for you.
Tools for incorporating ASoC in your SDLC.
Personal scans
A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data, or compliance.
Scan status
Audit trail
The audit trail (Organization > Audit trail) logs user activity.
AppScan on Cloud performs security scans of web applications in production, staging and development environments. For development environments it is aided by Private Site Scanning technology, which scans applications that are not accessible from the open Internet.
Dynamic (DAST) scanning
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
AppScan Presence
An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
AppScan Traffic Recorder
The AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
Private sites
An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
Using an agent installed on your application, ASoC identifies security vulnerabilities in your app during runtime, by monitoring all interactions, both legitimate and malicious. The process is "passive", in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Interactive (IAST) monitoring
ASoC can monitor normal application runtime behavior, to detect vulnerabilities.
Start IAST Session
Install the IAST Agent on your application server, and configure the scan.
Deploy IAST Agent
You need to deploy the IAST agent on the application server, so it can monitor communication with the application, and report to ASoC.
IAST using the REST API
You can configure and start an IAST scan, including agent deployment, through the REST API.
IAST configuration file
You can configure a JSON file to override the default IAST settings, and report only the vulnerabilities you want to know about.
User settings
Some low level IAST behavior can be controlled with user parameters.
Static analysis
Use static analysis (SAST) to scan applications for security vulnerabilities. To do this, either use AppScan Go! or download a small client utility and use its command line interface (CLI) to perform security analysis on either source code or binary files for all supported languages. Static analysis plug-ins for Eclipse and Visual Studio are available through their respective marketplaces. Once the plug-ins are installed, you can scan Java projects in Eclipse or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio. Additional information on plug-ins and integrations is listed here.
System requirements for static analysis
This section describes the supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.
Sample apps and scripts
Use these sample applications to practice scanning with ASoC.
Troubleshooting static analysis
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
The Scan History tab of your application displays your scan results (including scan statistics) and rescan options.
Sample Security Reports
Application reports
Scan data
The Issues page for an application shows all issues found. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
Auto Issue Correlation
AppScan analyzes issues found by IAST, DAST and SAST, to identify common weak links in the code - or "correlations" - that spot where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.
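The correlation idea described above, as an added illustration that is not ASoC's own code or algorithm: an IAST finding carries both the runtime entry point (URL and parameter) and the code location (file and line), so it can bridge a DAST finding keyed by entry point and a SAST finding keyed by code location. The grouping key, the issue fields and the sample findings below are all constructed assumptions for the example.

```python
"""Cross-analyzer issue correlation, as an added example (not ASoC's implementation).

Assumption: an IAST issue records both the HTTP entry point it observed and the
code location of the sink, so it can link a DAST issue (entry point only) with a
SAST issue (code location only) that share the same CWE.
"""
from collections import defaultdict

# Constructed sample findings standing in for scan output; none are real issues.
SAST_ISSUES = [
    {"id": "sast-1", "cwe": 89, "file": "UserDao.java", "line": 42},
    {"id": "sast-2", "cwe": 79, "file": "Search.java", "line": 10},
    {"id": "sast-3", "cwe": 327, "file": "Crypto.java", "line": 7},  # static-only finding
]
DAST_ISSUES = [
    {"id": "dast-1", "cwe": 89, "url": "/login", "param": "user"},
    {"id": "dast-2", "cwe": 79, "url": "/search", "param": "q"},
    {"id": "dast-3", "cwe": 79, "url": "/profile", "param": "bio"},  # never observed by IAST
]
IAST_ISSUES = [
    {"id": "iast-1", "cwe": 89, "url": "/login", "param": "user",
     "file": "UserDao.java", "line": 42},
    {"id": "iast-2", "cwe": 79, "url": "/search", "param": "q",
     "file": "Search.java", "line": 10},
    # Second entry point reaching the same sink: one fix covers both.
    {"id": "iast-3", "cwe": 79, "url": "/search", "param": "sort",
     "file": "Search.java", "line": 10},
]


def correlate(sast, dast, iast):
    """Group issues that share a code sink, using IAST as the bridge.

    Returns {"file:line": {"cwe", "entry_points", "issues"}} where "issues"
    lists the ids from all three analyzers that a single code fix would resolve.
    """
    sast_by_loc = {(i["cwe"], i["file"], i["line"]): i for i in sast}
    dast_by_entry = {(i["cwe"], i["url"], i["param"]): i for i in dast}
    groups = defaultdict(lambda: {"cwe": None, "entry_points": set(), "issues": []})
    for i in iast:
        key = (i["cwe"], i["file"], i["line"])
        group = groups[key]
        group["cwe"] = i["cwe"]
        group["entry_points"].add((i["url"], i["param"]))
        group["issues"].append(i["id"])
        static = sast_by_loc.get(key)
        if static and static["id"] not in group["issues"]:
            group["issues"].append(static["id"])
        dynamic = dast_by_entry.get((i["cwe"], i["url"], i["param"]))
        if dynamic and dynamic["id"] not in group["issues"]:
            group["issues"].append(dynamic["id"])
    return {f"{f}:{line}": g for (_, f, line), g in groups.items()}


def uncorrelated(sast, dast, groups):
    """Issues no IAST observation could tie to a sink; they still need triage."""
    grouped = {issue for g in groups.values() for issue in g["issues"]}
    return [i["id"] for i in sast + dast if i["id"] not in grouped]


if __name__ == "__main__":
    groups = correlate(SAST_ISSUES, DAST_ISSUES, IAST_ISSUES)
    for loc, g in groups.items():
        print(f"CWE-{g['cwe']} at {loc}: fixes {g['issues']} via {sorted(g['entry_points'])}")
    print("uncorrelated:", uncorrelated(SAST_ISSUES, DAST_ISSUES, groups))
```

The point the example makes is the asymmetry: a DAST issue that no IAST run observed (`dast-3`) and a SAST issue with no runtime path (`sast-3`) stay uncorrelated, so correlation reduces the triage list but does not replace reviewing each analyzer's remaining findings.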
Fix Groups
Fix Groups currently apply only to issues found in Static Analysis.
You can generate reports for issues discovered in an application, to send to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
Triaging issues
All issues are classified as new by default. You can see an issue classification by viewing the issue status.
Issue status
Issues can be classified as Open, In Progress, Noise, Reopened, Passed, and Fixed.
Issue severity
Issues are classified by severity, as shown in the Issues grid of an app.
After the risks are determined and the vulnerabilities are prioritized, your security team can start the remediation process.
Following your first scan, if you fix issues you can scan the same app again as many times as you like. When you scan again (rather than starting a new scan), the new results overwrite the previous ones, so the dashboard always displays the current state of the application.
IAST scan results
An Interactive (IAST) Scan entry shows results since the last time the scan was started.
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
AppScan Presence
This section suggests troubleshooting tasks for errors found when working with the AppScan Presence.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.
Some frequently asked questions.
Threat Class and CWE
Tables showing Threat Classes of issues tested for by ASoC, and their related CWE numbers.
Understand DAST Scanning
An ASoC Dynamic (DAST) scan consists of two stages: Explore and Test. It is useful to understand the principle behind this, even though most of the scan process is seamless to the user, and no input is required until the scan is complete. The Explore stage can be run automatically as part of the automatic scan, manually by the user, or as a combination of both.
Understand Private Site Scanning
ASoC provides Dynamic Application Security Testing (DAST) from a cloud-based scanner as SaaS. This capability requires the cloud-based scanner to be able to access the tested application. Publicly available web applications can be scanned without issue. Applications that are not reachable from the Internet require Private Site Scanning (PSS), which is only possible after adding network components (such as VPNs or proxies) or changing the network so that the scanner can reach the web application's host server.
CSV format
This section describes how to save response data in CSV format.