What's new in HCL AppScan® Enterprise

Features and enhancements new to AppScan® Enterprise.

New in HCL AppScan® Enterprise 10.0.0

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

Test Optimization

The new Test Optimization feature lets you control the trade-off between issue coverage and scan speed. Test Optimization selectively sends the tests most likely to discover significant issues in your application, so during product development you can take advantage of faster scans with a relatively small loss of thoroughness. You can choose between four optimization levels to suit different needs, such as initial testing, DevSecOps, pre-release and compliance. The fastest option runs the Test stage up to 10 times faster than a non-optimized scan, with approximately 70% of the vulnerability coverage.

For details, see Content scan job and ADAC scan job.

Note: For new scans, the Fast setting is selected by default. Because Fast trades coverage for speed, select a more thorough level for pre-release or compliance scans.

To configure test optimization using the REST API, use POST /jobs/{jobId}/dastconfig/updatescant.

Incremental scans

This new feature shortens re-scans by identifying what has changed in the application and greatly reducing the number of tests sent during the re-scan.

Options are:
  • Test only new parts of the application.
  • Test new parts of the application, and retest parts where issues were previously found. Tests that did not reveal vulnerabilities in the original scan are not re-sent to the same parts of the site in the re-scan.

Incremental scanning is available through the REST API only. Use POST /jobs/{jobId}/actions to create an incremental scan.

For details, see Incremental scans.

Optimized Explore with Machine Learning

Machine learning is now used to improve Explore stage filtering for better coverage, particularly of large sites. AppScan identifies and skips links that are likely to lead to duplicate parts of the site, and explores new areas instead. For details, see the Use Machine Learning to analyse and skip redundant actions check box in the Action-Based tab of ADAC.

AppScan DNS for Out-Of-Band vulnerabilities

AppScan DNS resolution improves detection of vulnerabilities that cannot be detected directly from the tested application's responses, such as OS Commanding, SSRF and XXE. These out-of-band vulnerabilities are confirmed when the test payload causes the target to look up a name in an AppScan-controlled DNS domain, rather than by anything in the HTTP response.
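The mechanism such a feature relies on is the same whatever scanner implements it: each test embeds a unique hostname under a domain the scanner resolves, and a lookup for that hostname is the evidence. The Python below is an added, generic illustration of that technique, not AppScan's code; the domain oob.example, the BIND-style query-log format, the payload templates and the log lines are all assumptions constructed for the example.

```python
import re
import secrets

# Assumed scanner-controlled domain; a placeholder, not the real AppScan DNS endpoint.
OOB_DOMAIN = "oob.example"

# Payload templates for the three vulnerability classes named on the page.
# {host} is replaced with a per-test hostname whose leftmost label is a unique token.
PAYLOADS = {
    "os_commanding": "$(nslookup {host})",
    "ssrf": "http://{host}/",
    "xxe": '<!DOCTYPE x [<!ENTITY ext SYSTEM "http://{host}/x">]><x>&ext;</x>',
}

# BIND-style query-log fields; the log format is an assumption for this example.
_QUERY_RE = re.compile(r"query:\s+(?P<name>[A-Za-z0-9.-]+)\s+IN\s+[A-Z]+")
_CLIENT_RE = re.compile(r"client\s+(?P<ip>[0-9a-fA-F.:]+)#\d+")


class OobTracker:
    """Issues unique DNS callback names and maps observed lookups back to tests."""

    def __init__(self, domain=OOB_DOMAIN, token_factory=None):
        self.domain = domain.lower()
        # Tokens must be unguessable, or unrelated lookups from the internet could forge a hit.
        self.token_factory = token_factory or (lambda: secrets.token_hex(8))
        self.pending = {}  # token -> (part of the site, test name)

    def payload_for(self, part, test_name):
        """Return (token, payload) for one test sent to one part of the application."""
        token = self.token_factory()
        self.pending[token] = (part, test_name)
        return token, PAYLOADS[test_name].format(host=f"{token}.{self.domain}")

    def correlate(self, log_lines):
        """Return [(part, test_name, client_ip)] for each pending token seen in the log."""
        findings, seen = [], set()
        suffix = "." + self.domain
        for line in log_lines:
            m = _QUERY_RE.search(line)
            if not m:
                continue
            name = m.group("name").lower().rstrip(".")
            if not name.endswith(suffix):
                continue
            # The label directly under our domain carries the token; anything further
            # left (for example a prefix added by the target) is ignored.
            token = name[: -len(suffix)].split(".")[-1]
            if token not in self.pending or token in seen:
                continue  # unknown token (stale or guessed), or a repeat lookup
            seen.add(token)
            part, test_name = self.pending[token]
            client = _CLIENT_RE.search(line)
            findings.append((part, test_name, client.group("ip") if client else None))
        return findings


def demo():
    """Inject two payloads and correlate them against constructed resolver log lines."""
    tracker = OobTracker()
    cmd_token, _ = tracker.payload_for("/ping?host", "os_commanding")
    tracker.payload_for("/fetch?url", "ssrf")  # never looked up in this sample: no finding
    # Constructed log lines, not real traffic: one hit (A and AAAA lookups for the same
    # token), one lookup without a token, and one lookup for a token we never issued.
    log = [
        f"client 203.0.113.7#53122: query: {cmd_token}.{tracker.domain}. IN A +",
        f"client 203.0.113.7#53122: query: {cmd_token}.{tracker.domain} IN AAAA +",
        f"client 198.51.100.9#40021: query: www.{tracker.domain} IN A +",
        f"client 192.0.2.4#5353: query: 0123456789abcdef.{tracker.domain} IN A +",
    ]
    return tracker.correlate(log)


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: resolvers often issue more than one query type for a name, so findings are deduplicated by token rather than by log line; and a name must never be reused across tests, because a cached answer at the target's resolver would hide the second lookup entirely.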

Integration with Jenkins Plugin

The HCL AppScan Jenkins Plug-in 1.3.0 release supports integration with HCL AppScan Enterprise for creating and running security scans. To use this integration, you must have access to a running instance of AppScan Enterprise Server version 9.0.3.14 or later. Note that Content Scan jobs are not supported through this integration.

Service account password change utility

A new command line utility supports a simple change of the Service account password. The utility is available on both the AppScan Enterprise server and AppScan Enterprise dynamic scanning agents.

For details see Resetting AdminUtil Password in AppScan Enterprise.

Proxy server enhancements
  • Support for running Proxy server as a Windows service.
  • New API to close all proxies (instead of using StopProxy 0).

Scan data retention configuration

The retention duration for scan logs and scan files can now be configured through the AppScan Enterprise administrator console.

For details see Configuring scan data retention duration.

Documentation

The documentation is now available in English, French, Japanese, Simplified Chinese and Traditional Chinese languages.

Removed in this version

The following features have been removed as of this release:
  • Flash execution and parsing
  • Glass Box Scanning
  • HCL AppScan Enterprise Server on the Linux platform.

Capabilities nearing end of life

The following will be removed in a future release:

  • Generic Service Client (GSC)
  • X-Force categorization in Advisories and Issue Details
  • HCL AppScan Enterprise server on 32-bit Windows OS.
  • HCL AppScan Enterprise plug-in for the IE browser.
  • Manual explorer.

For HCL AppScan Enterprise 9.0.3.x documentation, see the HCL AppScan Enterprise 9.0.3.x Knowledge Center.