Welcome
Welcome to the documentation for HCL AppScan on Cloud.
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Recent updates
Discover upcoming and recently added features.
System requirements
This topic provides links to system requirements and supported operating systems and languages for the ASoC analyzers. Also learn about the supported browsers and minimum resolution for the service.
Access management
Subscriptions
My Subscriptions shows the status of all your organization's subscriptions, including the number of applications or scans left, and the start and end dates.
Workflow
This section outlines a typical ASoC workflow for an authorized user with a valid subscription.
Main menu
This section describes the items on the main ASoC menu, and provides links to the relevant documentation.
Demo videos
These 'how-to' videos demonstrate using ASoC and how it fits into your workflow, and offer tips and tricks.
Contact and Support
Here are some links you might find useful.
Certifications
ISO/IEC certificates.
Service Description
Trial Terms of Use
TRIAL AGREEMENT FOR HCL APPSCAN ON CLOUD SERVICE
User management helps you restrict access to sensitive apps by assigning them to asset groups and then adding specific users to those groups.
Managing users
Examine your users and decide who needs access to which apps and asset groups. Consider grouping them by business unit or geography. By default, all users who are not designated as administrators in Cloud Marketplace are application testers. Decide which users need to be only report viewers and change their role.
User roles
Users are assigned to asset groups by an administrator. Predefined user roles cannot be deleted.
Asset groups
Asset groups represent abstract components of your organization, like "finance" or "engineering". Administrators can restrict access to specific applications by assigning them to an asset group and limiting the users who belong in the group.
Application attributes
Application attributes are the properties of the application, and appear as column headers in the My Applications tab. You can use them to filter application lists to focus on what you want to investigate. The following table explains the predefined attributes that you can edit (Date Created and Last Updated are controlled by ASoC).
Creating an application
Create an app and import issues so that you can track security testing progress against the business impact on your critical web apps.
Filtering your application inventory
When you have many apps to test for security issues, how can you find the ones that you are interested in when the list is so huge? Filter your inventory by business unit or risk rating to reduce the testing scope.
Importing a list of applications
Importing an inventory list of your apps can save you time by reducing redundant manual work effort. Start with a sample spreadsheet of application attributes, or merge the sample spreadsheet with your existing list. Your list of apps must be in a CSV format. Make sure that you use a spreadsheet editor, such as Microsoft™ Excel or Apache OpenOffice Calc, to edit your CSV file.
An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
System requirements
Creating the AppScan Presence
For private web or mobile apps, or for including a scan as part of your functional testing procedure, you must create an AppScan Presence, with access to the web app or back-end server, and to the Internet. The same presence can be used for Android apps, iOS apps and websites. Proxy connections are supported.
Starting the AppScan Presence
Configuring the Proxy Server
To use the Proxy Server in the AppScan Presence, you must both activate and configure it.
Using the Proxy Server
You can use the AppScan Presence Proxy Server to record traffic, save it as a CONFIG file, and import it to run an ASoC scan. You can optionally encrypt this file, as described in the sub-section that follows the procedure below.
Configuring Private Site Server proxy
If your private network requires the Private Site Server to use a proxy to connect with the web app or back-end server (internal proxy), or with the Internet (outgoing proxy), configure it as follows.
Configuring a PAC file
If a proxy auto-config (PAC) file is required in order to reach the various domains in your site, configure the AppScan Presence as follows.
Renewing the Presence key
When you originally download the presence, it includes a key to activate it. When that key expires, you must replace it with a valid key.
Learn how to run scans on your apps and import issues from 3rd party scanners.
Sample apps and scripts
Use these sample applications to practice scanning with ASoC.
Mobile Scans
ASoC can perform interactive and static analysis of iOS and Android applications.
Dynamic (DAST) Scans
ASoC can perform dynamic analysis of an application that runs in a browser.
Static (SAST) Scans
Use static analysis to scan source code for security vulnerabilities. To accomplish this, download a small client utility and use its command line interface (CLI) to perform security analysis on all supported languages. The client utility also contains a Maven plug-in that can be used to scan Java projects. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once the plug-ins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio.
Interactive (IAST) Scans
ASoC can perform interactive analysis of normal application runtime behavior, for vulnerabilities.
Personal scans
A Personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data, or compliance.
Private sites
An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
Importing issues from 3rd party scanners
Whether you use third-party scanners or conduct manual pen tests to discover issues, you can import the issues from a CSV file into ASoC for triaging.
You can create or use pre-defined policies to filter issues discovered in scans, and associate one or more policies with an application.
Custom policies
If you have the required permissions, you can create/delete your own custom policies.
Associating with an app
Enabling/disabling
App compliance status
The Scan History tab of your application displays your scan results (including scan statistics) and rescan options.
Sample Security Reports
Application data
Scan data
Issue data
Fix Groups
Fix Groups currently apply only to issues found in Static Analysis.
Generating reports
You can generate an HTML security report for issues that were discovered in an application and send them to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
Triaging issues
All issues are classified as new by default. You can see an issue classification by viewing the issue status.
Issue status
Issues can be classified as New, Open, In Progress, Noise, Reopened, Passed, and Fixed. Issues classified Open, In Progress and Reopened appear in the Issues grid of an app.
Remediation
After the risks are determined and the vulnerabilities are prioritized, your security team can start the remediation process.
Rescanning
Following your first scan, if you fix issues, you can scan the same app again as many times as you like. When you scan again (rather than starting a new scan), the new scan overwrites the previous results, so the dashboard always displays the current state of the app.
Static analysis scan results
This topic describes the features available in static analysis scan results.
IAST scan results
An Interactive (IAST) Scan entry shows results since the last time the scan was started.
Measuring progress
Use the dashboard to track various metrics and trends of the applications in your organization. Depending on your user role, you will only see dashboard charts of the asset groups you belong to.
Tools for incorporating ASoC in your SDLC.
REST API
The built-in REST API interface provides you with a way to visualize RESTful web services. The API documentation is built by using Swagger, where you can test API operations and instantly view the results to help you scan your applications faster.
Webhooks
Webhooks can be used to receive notifications about events that occur in AppScan On Cloud.
Plugins and integrations
HCL AppScan on Cloud includes the following plugins and integrations.
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
AppScan Presence
This section suggests troubleshooting tasks for errors found when working with the AppScan Presence.
Static analysis
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.
FAQ
Some frequently asked questions.
Threat Class and CWE
Tables showing Threat Classes of issues tested for by ASoC, and their related CWE numbers.
Understanding Private Site Scanning
ASoC provides Dynamic Application Security Testing (DAST) from a cloud-based scanner as SaaS. This capability requires the cloud-based scanner to be able to access the tested application. Publicly available web-based applications can be scanned without issue. However, Private Site Scanning (PSS) is only possible after adding network components (such as VPNs or proxies) or changing the network to allow the scanner to access the web application’s host server.