Welcome
Welcome to the HCL AppScan Enterprise 10.4.0 documentation, where you can find information about how to install, maintain, and use HCL AppScan Enterprise.
Accessibility features for AppScan® Enterprise
Accessibility features assist users who have a disability, such as restricted mobility or limited vision, to use information technology content successfully.
Overview
Learn general information about the product.
Application security management
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
AppScan® Enterprise components
HCL® AppScan® Enterprise enables organizations to mitigate application security risk, strengthen application security program management initiatives and achieve regulatory compliance. Security and development teams can collaborate, establish policies and scale testing throughout the application lifecycle. Enterprise dashboards classify and prioritize application assets based on business impact and identify high-risk areas, permitting you to maximize your remediation efforts. Performance metrics are provided that help you monitor the progress of your application security programs.
Getting started with application security management
Depending on your role, you can get started with different areas of the product.
What's new in HCL AppScan® Enterprise
This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
Interactive Application Security Testing (IAST) in AppScan Enterprise
Vulnerable components detection using AppScan
AppScan enhances application security by identifying and reporting vulnerabilities in third-party components, ensuring businesses are protected from potential threats. This helps prevent undetected vulnerabilities and ensures business continuity.
Supported technologies
Known issues and workarounds
These are known issues and their workarounds.
Deprecated features
If you are migrating from an earlier release of AppScan® Enterprise, you should be aware of the various features that have been deprecated in this release.
AppScan Enterprise Legal Notices
Statement of Good Security Practices
Installing
Learn how to install the product.
Planning the deployment and installation
The configuration you use depends on a number of factors: what you plan to do with the software, how your organization and website or applications are structured, and how the information is to be distributed. Before you install the current release, review the information about hardware and software requirements, licensing, and other deployment considerations.
Preinstallation tasks
Before you install AppScan® Enterprise, you will need to prepare and configure your system.
Installation tasks
This section provides the instructions for installing AppScan® Enterprise.
Post installation tasks
After you install AppScan® Enterprise, complete these postinstallation tasks.
Advanced installation scenarios
Upgrading and migrating
Learn how to upgrade the product.
Product changes when you upgrade from a previous version
Learn about changes that might affect your scans or report data when you upgrade from a previous version. Make sure that you read all the topics so that you understand the upgrade process.
Fix pack installation
Fix packs are available for download from FNO.
Replacing Jazz™ Team Server with WebSphere® Liberty - Frequently asked questions
Beginning with v9.0.1, AppScan® Enterprise includes an architecture redesign to reduce the installation footprint and to remove Rational® Jazz™ Team Server (Jazz Team Server) as the user authentication component.
Migrating Jazz Team Server users to Liberty in AppScan Enterprise
To migrate Jazz Team users to use the Liberty authentication method, export a .csv file of users by using a command before you begin upgrading to v9.0.1 and higher. Then, you can follow one of the following two methods and register the same users in Liberty so that they can access AppScan Enterprise v9.0.1 and higher.
Upgrading to the latest version of AppScan Enterprise
For a successful upgrade to the latest version of AppScan Enterprise, read this topic carefully.
Configuring the SQL Server database for AppScan® Enterprise
The AppScan® Enterprise Server configuration needs information about SQL Server. Configure the SQL Server first to save time during the AppScan configuration. If you upgrade SQL Server to a newer version, follow these instructions as well.
Configuring a basic user registry for the Liberty profile
Using a certificate in your certificate store with Liberty
This procedure describes how to use Liberty certificates to secure IIS.
Upgrading the AppScan® Source LDAP connection with an Oracle database
If you are changing LDAP settings (such as the server name or alias name) or if you are moving the AppScan® Enterprise Server to another computer, you must update the asc.properties file to reflect those changes.
Enabling FIPS 140-2 or NIST SP800-131a on WebSphere Liberty Profile
Use one of these procedures to enable FIPS 140-2 or NIST SP800-131a on WebSphere Liberty Profile.
Integrating
Learn how to integrate the product with other solutions.
Integrating with QA automation systems
Learn how to integrate the product with QA automation systems.
Integrating with Defect Tracking Systems
Learn how to integrate the product with Defect Tracking Systems.
DevOps
Learn how to extend the product with REST APIs and plugins.
REST API
Learn about REST API in AppScan Enterprise.
Plugins and integrations
Best practices
Learn best practices for using the product.
Best practices for content scanning
Determine the technologies in use on your application that the content job will scan and refer to the following best practices for each type.
Best practices for running a security scan in a production environment
Performing a security scan in a production environment is risky; however, it might be necessary to scan a production environment, perhaps to comply with audit requirements, to detect whether your site has been hacked, or to validate that the SDLC process for integrating security scans is being employed.
Best practices for performance
The scan engine conducts over 1000 different tests and performs them multiple times.
Understanding Test Optimization
Frequently asked questions
This topic addresses general application questions.
Configuring
Learn how to configure the product.
Configuring your user settings
There are several settings that you can personalize for your needs.
Configuring the Enterprise Console
The Enterprise Console is the main user interface that supports administration, item configuration, and reporting.
Configuring log retention period property
The log files generated during a scan run are kept on the server for a limited time. The time for which the server keeps these files is the log retention period. After the retention period, the log files are no longer useful but continue to occupy disk space on the server. You can configure the log retention period in AppScan Enterprise so that log files older than the configured period are deleted automatically.
Administering
Learn how to administer the product.
Managing users, groups, and access permissions
Learn how to manage user groups and access permission.
SAML Single Sign-On in AppScan Enterprise
Configuring and downloading log files for Enterprise Console and AppScan Server
Administrators can configure the settings for log files for the Enterprise Console and AppScan Server and download them when they need to troubleshoot issues. This function eliminates the need to search the file system of the computer where the Enterprise Console or AppScan Server is installed.
Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool
The AdminUtil tool lets you reset the service account password without rerunning the configuration wizard on the AppScan Enterprise Server and the DAST Scanner(s). You can run the utility in two modes - Interactive mode and Silent mode. For more information about resetting the service account password in silent mode, see Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool in silent mode
Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool in silent mode
The AppScan Enterprise (ASE) AdminUtil tool lets you reset the service account password without rerunning the configuration wizard on the AppScan Enterprise Server, IAST Communication service, DAST scanner(s), Database service, and Alert services. You can run the utility in two modes - Interactive mode and Silent mode. For more information about resetting the service account password in interactive mode, see Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool
Monitoring AppScan Enterprise usage
Create an Activity Log report to determine who is using AppScan Enterprise and what they are doing with it. The report lists the users that made changes and when the changes were made. Because the log is always recording activity, all you must do is create the report. Only Administrators can create the Activity Log report; however, any user can be given access to it as part of a report pack's properties. If you do not want other users to see the Activity Log report, change 'All Other Users' to No Access on the Users and Groups page for the report pack.
Activity Log
Activity Log helps determine who is using AppScan Enterprise and what they are doing with it. It lists the users that made changes and when the changes were made. This is useful for security auditing to detect possible unauthorized or unusual activities performed by users. Only Administrators can view the Activity log. By default, the activity log data is retained for one year.
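The following script is an added example of the kind of review the Activity Log supports; it is not part of AppScan Enterprise and does not use the product's API. It assumes the Activity Log report has been exported as CSV with the columns timestamp, user, action and target (an assumed layout, not a documented one), and the sample rows are constructed. It summarizes activity per user and flags permission changes and activity outside business hours, which is the "possible unauthorized or unusual activities" check the abstract describes.

```python
"""Review an exported AppScan Enterprise Activity Log for unusual activity.

Added example, not product code. The CSV column layout below is an
assumption about an exported report, not a documented format.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample export (assumed columns: timestamp,user,action,target).
SAMPLE_CSV = """timestamp,user,action,target
2024-03-04T09:12:00,alice,Scan started,Payments app
2024-03-04T09:40:00,bob,Report viewed,Payments app
2024-03-04T23:55:00,bob,User permissions changed,carol
2024-03-05T02:10:00,bob,User permissions changed,dave
2024-03-05T02:12:00,bob,User added,eve
2024-03-05T10:00:00,alice,Scan template edited,Default template
2024-03-05T10:30:00,svc-ci,Scan started,Payments app
"""

# Actions that change who can do what (assumed action names for this example).
PRIVILEGE_ACTIONS = {"User permissions changed", "User added", "User deleted"}
# Local business hours; activity outside this window is worth a second look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_activity_log(text):
    """Parse the exported CSV into rows with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def summarize_by_user(rows):
    """Count actions per user: who is using the product and how much."""
    return Counter(r["user"] for r in rows)


def find_unusual_activity(rows, max_priv_changes_per_user=2):
    """Return findings as (severity, user, timestamp, reason) tuples.

    - privilege changes are always reported (medium, high if after hours)
    - other after-hours activity is reported as low
    - a user exceeding max_priv_changes_per_user privilege changes is high
    """
    findings = []
    priv_counts = Counter()
    for r in rows:
        t = r["timestamp"].time()
        after_hours = not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])
        is_priv = r["action"] in PRIVILEGE_ACTIONS
        when = r["timestamp"].isoformat()
        if is_priv:
            priv_counts[r["user"]] += 1
            sev = "high" if after_hours else "medium"
            findings.append((sev, r["user"], when,
                             f"{r['action']} on {r['target']}"
                             + (" outside business hours" if after_hours else "")))
        elif after_hours:
            findings.append(("low", r["user"], when,
                             f"{r['action']} outside business hours"))
    for user, n in priv_counts.items():
        if n > max_priv_changes_per_user:
            findings.append(("high", user, "",
                             f"{n} privilege changes in export "
                             f"(threshold {max_priv_changes_per_user})"))
    return findings


if __name__ == "__main__":
    log_rows = parse_activity_log(SAMPLE_CSV)
    for user, count in summarize_by_user(log_rows).most_common():
        print(f"{user}: {count} actions")
    for finding in find_unusual_activity(log_rows):
        print(finding)
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; adjust PRIVILEGE_ACTIONS to the action names that actually appear in your report, since the names used here are assumed.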
Managing a server
Product Administrators are responsible for managing each server to its optimal performance.
Managing the scan queue
See the status of scan jobs currently running or waiting to run so that you can prioritize the order in which your key scan jobs run. For example, you might have scan jobs that are part of a time-sensitive deliverable, like a holiday shopping special. You can move them to the top of the queue to make sure that they are prioritized first in the schedule.
Updating security rules
The security rules are updated as a part of your AppScan® Enterprise releases. You can verify the version and release date of the security rules by looking in the About link in the AppScan Enterprise main menu.
Importing user-defined tests from AppScan Standard
AppScan® Standard provides a database of thousands of tests. However, if your web application has issues that are specific to it, or if you want to write your own advisories for fixing issues, you can create your own tests. These tests are saved and included in your AppScan database of tests. You can also export them as a *.udt file to import into AppScan Enterprise.
Maintaining your SQL Server database
SQL Server database maintenance includes upgrading SQL servers, SQL database backup, log file configuration, and database usage.
Preparing for Security Testing
Learn how to prepare for security testing in AppScan Enterprise.
Creating scan templates
Learn how to create scan templates in AppScan Enterprise.
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 1: Creating an application inventory
Learn how to create an application inventory.
Step 2: Testing applications for vulnerabilities
Learn how to test vulnerabilities identified in an application.
Step 3: Determining risks and prioritizing vulnerabilities
Learn how to determine risks and prioritize vulnerabilities identified in an application.
Step 4: Remediating risks
Learn how to remediate risks identified in an application.
Step 5: Measuring progress and demonstrating compliance
Learn how to measure progress and demonstrate compliance.
Troubleshooting and support
To help you understand, isolate, and resolve problems with your HCL® software, the troubleshooting and support information contains instructions for using the problem-determination resources that are provided with your HCL products.
Troubleshooting a problem
Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and explain how to resolve the problem.
Template: Contacting HCL® Support
HCL® Support provides assistance with product defects, answers FAQs, and helps users resolve problems with the product.
Troubleshooting the Dynamic Analysis Scanner
Learn how to troubleshoot the Dynamic Analysis scanner.
Troubleshooting the Enterprise Server
Learn how to troubleshoot the Enterprise Server.
Messages
These messages explain serviceability codes for internal product messages, scan log messages, and web services messages.
Reference
Review reference information for the product.
Configuring Wizard topics
Learn about configuring wizard topics.
Folder Explorer topics
Learn about folder explorer topics.
Triage with reports
Reports are automatically generated after a job has run. They provide a way of managing the issues that are important to your organization, in a way that is supported both by the Enterprise Console's workflow and by the workflows of other processes within your organization.
Configuration Manager
AppScan resources
A GitHub collection of integrations, helper scripts, utilities, useful examples, libraries, and other resources related to HCL AppScan.