What's new in HCL AppScan® Enterprise

Important Notice

For HCL AppScan Enterprise version 10.0.2 and newer, an HCL license is required. HCL AppScan Enterprise versions 10.0.2 and newer do not support IBM licenses. See the product documentation for instructions on installing an HCL License. For more information contact your HCL representative or HCL Support.

New in HCL AppScan® Enterprise 10.0.5

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

IAST (Interactive Application Security Testing)

“How to fix” information
  • New and improved Advisory and Fix Recommendation content for many issues, consolidated into the new How to Fix format.
  • New and detailed code-specific "How to Fix" information for many code languages.

Azure DevOps Plugin added. See the Plugin documentation.

ASE Admin utility: Enhanced to enable automated password change. For more information, see Resetting Service Account Password using AdminUtil.

Performance and scalability improvements

Compliance report upgrade: DISA STIG V5R1

Security testing
  • Improved XSS analysis through browser-based validation for some rules.
  • New application tests:
    • Referrer policy – Detect misconfigured or insecure referrer policy.
    • Host header injection – Test whether the application uses the request's Host header value dynamically (for example, when building links or redirects).
    • CORS arbitrary origin – Test whether the CORS policy reflects an arbitrary Origin header value in Access-Control-Allow-Origin.
  • New infrastructure tests:
    • CVE-2020-5398 - Detect Reflected File Download on Spring Framework.
    • CVE-2020-7246 - Remote Command Execution on qdPM.
    • CVE-2020-9006 - Popup Builder WordPress Plugin SQL Injection.
    • CVE-2020-11022/11023 - Detect XSS in jQuery before version 3.5.0.
    • CVE-2020-17530 - Apache Struts 2 Forced Multi OGNL Evaluation.
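The referrer-policy and CORS-origin checks above are, at their core, comparisons between a request's Origin and the headers the server answers with. The following added example (not AppScan code, and not the product's rule logic) shows how such a check can be expressed for a captured response: it flags a Referrer-Policy that sends full URLs to other origins and an Access-Control-Allow-Origin that simply echoes an Origin outside a configured allow-list. All origins, header values and the allow-list are constructed for illustration.

```python
"""Audit captured HTTP response headers for two misconfigurations:
an insecure Referrer-Policy and a CORS policy that reflects an arbitrary Origin.
Sample inputs at the bottom are constructed; this is illustrative code only."""

from typing import Dict, Iterable, List

# Tokens defined by the W3C Referrer Policy specification.
KNOWN_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that send the full URL (path and query) to other origins on at
# least some navigations, leaking any tokens or identifiers carried in the URL.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def effective_referrer_policy(header_value: str) -> str:
    """The header may carry a comma-separated fallback list. Browsers ignore
    tokens they do not recognise and apply the last recognised one."""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in KNOWN_REFERRER_POLICIES:
            chosen = token
    return chosen


def check_referrer_policy(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for the Referrer-Policy header (empty = no issue)."""
    h = _lower_headers(headers)
    if "referrer-policy" not in h:
        return ["Referrer-Policy not set: behaviour depends on the browser default"]
    raw = h["referrer-policy"]
    policy = effective_referrer_policy(raw)
    if not policy:
        return [f"Referrer-Policy {raw!r} has no recognised value; browsers fall back to their default"]
    if policy in LEAKY_REFERRER_POLICIES:
        return [f"Referrer-Policy {policy!r} sends full URLs to other origins"]
    return []


def check_cors(request_origin: str, headers: Dict[str, str],
               allowed_origins: Iterable[str]) -> List[str]:
    """Compare the Origin sent in a request with the Access-Control-Allow-Origin
    (ACAO) the server answered with. An ACAO that echoes an Origin outside the
    allow-list lets any site read the response; with credentials it is worse."""
    h = _lower_headers(headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return []  # no CORS policy exposed at all
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    allowed = {o.lower() for o in allowed_origins}
    findings: List[str] = []
    if acao == "*":
        if credentials:
            findings.append("ACAO '*' combined with credentials=true "
                            "(browsers reject it, but the policy is misconfigured)")
    elif acao.lower() == "null":
        findings.append("ACAO 'null' is satisfiable by sandboxed or opaque origins")
    elif acao.lower() == request_origin.lower() and acao.lower() not in allowed:
        severity = "high" if credentials else "medium"
        findings.append(f"[{severity}] ACAO reflects arbitrary Origin {request_origin!r}"
                        + (" with credentials" if credentials else ""))
    return findings


if __name__ == "__main__":
    # Constructed sample: an app whose only legitimate front-end is app.example.
    allow_list = ["https://app.example"]
    sample_origin = "https://evil.example"          # constructed, not a real site
    sample_response = {                              # constructed response headers
        "Referrer-Policy": "bogus, unsafe-url",
        "Access-Control-Allow-Origin": sample_origin,
        "Access-Control-Allow-Credentials": "true",
    }
    for finding in check_referrer_policy(sample_response) + \
            check_cors(sample_origin, sample_response, allow_list):
        print(finding)
```

Run the module to see the findings for the constructed response; in practice the same functions would be fed headers recorded from your own application during a scan, with the allow-list taken from the application's intended CORS configuration.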

Fixes and security updates
  • Fixes and security updates are listed here.

Removed in this release

  • Malware detection
  • X-Force categorization in Advisories and Issue Details (Integration with IBM SiteProtector)
  • .NET, J2EE, and PHP-specific information is no longer included in reports, but new code-specific information for many languages, including these three, is available in the UI.
  • AppScan Enterprise server on 32-bit Windows Operating System
  • AppScan Enterprise plug-in for Internet Explorer browser

Will be removed in a future release

The following will be removed in a future release:

  • SSL 3.0 support.
  • Test policies Web Services, The Vital Few, and Developer Essentials, since similar results can now be achieved using other policies. For information, see Predefined Test Policies.