Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 2: Testing applications for vulnerabilities
Learn how to test vulnerabilities identified in an application.
Scenarios for creating scans
These scenarios are targeted at developers and the security team. Choose the user role that most closely matches your situation.
Developers
The developer team creates scan templates using different methods and user interfaces in AppScan.
Creating a scan from a template
Depending on the method your security team uses to create a scan template, you might use the AppScan Dynamic Analysis Client or the AppScan Enterprise user interface to create your scans. These topics describe each task you might need.
Creating a scan using the GraphQL template
GraphQL template can be used to scan the APIs that contain GraphQL queries. Being the initial version of the template, the capabilities are limited to only the APIs with GraphQL queries and not the web applications.
Recording the APIs using the ADAC client using Postman or SoapUI
Create a GraphQL scan by Recording the APIs using the ADAC client using Postman or SoapUI.

Welcome
Welcome to the HCL AppScan Enterprise 10.4.0 documentation, where you can find information about how to install, maintain, and use HCL AppScan Enterprise.
Accessibility features for AppScan® Enterprise
Accessibility features assist users who have a disability, such as restricted mobility or limited vision, to use information technology content successfully.
Overview
Learn general information about the product.
Installing
Learn how to install the product.
Upgrading and migrating
Learn how to upgrade the product.
Integrating
Learn how to integrate the product with other solutions.
DevOps
Learn how to extend the product with REST APIs and plugins.
Best practices
Learn best practices for using the product.
Configuring
Learn how to configure the product.
Administering
Learn how to administer the product.
Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
  - Importing issues from internal or third-party scanners
    Learn how to import issues from internal and 3rd-party scanners.
  - Scenarios for creating scans
    These scenarios are targeted at developers and the security team. Choose the user role that most closely matches your situation.
    - Developers
      The developer team creates scan templates using different methods and user interfaces in AppScan.
      - Creating a scan from a template
        Depending on the method your security team uses to create a scan template, you might use the AppScan Dynamic Analysis Client or the AppScan Enterprise user interface to create your scans. These topics describe each task you might need.
        Types of scan templates
        These are the available scan templates in AppScan Enterprise. The security team might also create templates that are specific to your organization.
        Creating a scan based on a template using AppScan Standard scan properties
        Create scans that use templates that are based on scan configuration options from AppScan Standard. An easy-to-use wizard (AppScan Dynamic Analysis Client) takes you through the scan configuration options, including action-based login and manual explore features.
        Creating a scan based on a template using AppScan Enterprise scan properties
        A QuickScan crawls your site to discover its content using parameters set in a scan template created by an Administrator. After it is collected by the scan, the data is stored in a database for analysis by the reporting engine and made available to you through report packs, which are collections of reports. Most of your data analysis tasks will focus on the data provided in these reports.
        Creating a scan using the GraphQL template
        GraphQL template can be used to scan the APIs that contain GraphQL queries. Being the initial version of the template, the capabilities are limited to only the APIs with GraphQL queries and not the web applications.
        Adding the APIs using AppScan Enterprise Postman REST API
        Create a GraphQL scan by adding the APIs using AppScan Enterprise Postman REST API
        Recording the APIs using the ADAC client using external tools and proxy ports
        Create a GraphQL scan by recording the APIs using the ADAC client using external tools and proxy ports.
        Recording the APIs using the ADAC client using Postman or SoapUI
        Create a GraphQL scan by Recording the APIs using the ADAC client using Postman or SoapUI.
        Creating a scan from AppScan Standard using AppScan Connect
        You can import the Postman collection in a scan job using AppScan Standard and then replicate this job in AppScan Enterprise.
      - Editing a scan
        You can edit a basic scan to modify configuration options. If you need help editing your scan or you need more settings added to it, ask your security team to help you. They can edit your scan from an advanced view in the AppScan Dynamic Analysis Client.
      - Creating an import scan
        An import QuickScan uploads AppScan® files using parameters set in a scan template created by a Product Administrator. After the file is uploaded, its data is stored in a database for analysis by the reporting engine and made available to you through report packs, which are collections of reports.
    - Security Team
      Using scan configuration authored in AppScan standard, the security team creates templates.
    - Converting scan configurations from AppScan® Standard in the AppScan® Dynamic Analysis Client
      If you have an existing content scan that is based on a scan template (*.scant) from AppScan® Standard, you can convert the scan configuration so that you can edit it directly in the AppScan Dynamic Analysis Client. However, after you convert the scan configuration, you cannot open it again in AppScan Standard.
  - Running and scheduling jobs
    Learn how to run and schedule a job in AppScan Enterprise.
  - Copying a scan between two Enterprise Consoles
    Export scan properties and creating a new scan based on those properties. This is the method you use to copy a scan between two Enterprise Console instances.
  - Stopping a job and then resuming it
    There are three methods you can use to stop a job while it is running. Each method is used for a different reason, which largely depends on whether you want to keep the data or you want to continue running the job from the point where it left off. You can resume a suspended job to continue the scan from where it stopped. A resumed job is handled by the next free agent on any available agent server.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.
Troubleshooting and support
To help you understand, isolate, and resolve problems with your HCL® software, the troubleshooting and support information contains instructions for using the problem-determination resources that are provided with your HCL products.
Reference
Review reference information for the product.
Glossary

Recording the APIs using the ADAC client using Postman or SoapUI

Create a GraphQL scan by Recording the APIs using the ADAC client using Postman or SoapUI.

Procedure

On the AppScan Enterprise Scan page, click Create Folder Item.
Select the Job using template radio-button and in the drop-down list, select the option GraphQL template.
Click the Create button. The browser launches the AppScan Dynamic Analysis Client (ADAC).
Navigate to the Manual Explore section, click Add, select External client, and then select Postman or SoapUI.
AppScan opens the selected tool (i.e., Postman or SoapUI) and automatically configures it to work with AppScan as it’s recording proxy.
Once the tool launches, run the collection.
After you run the collection, in the Record Traffic window, click the Stop Recording button and then click Save.
In ADAC window, select the checkbox under domains detected for the domains to be included in the scanning.
Navigate to Job Properties, select a desired Test Policy, and click Create Job.
Run the scan.