What's new in HCL AppScan® Enterprise

This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan® Enterprise 10.5.0

  • Improved Historical Data management and reporting:
    • AppScan Enterprise now stores Historical Data for scans imported from AppScan Source. This lets AppScan Source users view the history of rescans within AppScan Enterprise after importing their issues from AppScan Source. To retrieve historical data, two new APIs are introduced in AppScan Enterprise 10.5.0:
      • historicdata/issues
      • historicdata/metadata
    • The Historical Data API is disabled by default and can be enabled by contacting the support team.
  • Read-only permissions: This new permission has been introduced for first-level support users. It grants users the ability to:
    • View scans and logs across the organization
    • Access the new scan details page for read-only users
    This allows scans across the organization to be debugged without the risk of inadvertent modifications.
  • New attributes in the Monitor tab:
    • The Monitor tab user interface (UI) has been revamped to include the new Component and Branch metadata columns, which are imported from AppScan Source.
    • The per-application filter now includes Component and Branch filters.
  • With an IAST subscription, AppScan Enterprise now offers deeper vulnerability insights by providing call stack information for each identified Issue.
  • AppScan now provides a breakdown of the total number of identified vulnerabilities by severity level in the PDF and HTML reports.
  • Added two new industry-standard test policies:
    • OWASP Top 10 API Security Risks - 2023
    • OWASP Top 10 - 2021
  • Updated Regulatory Compliance reports:
    • OWASP API Security Top 10 2023
    • [US] DISA's Application Security and Development STIG V5R3
    • CWE Top 25 Most Dangerous Software Weaknesses 2023
    • The Payment Card Industry Data Security Standard (PCI DSS) - V4

IAST changes

Java:
  • Added support for the Vert.x web application framework.
  • Added new methods to specify a proxy to the agent for accessing AppScan Enterprise:
    • Environment variables: IAST_PROXY_HOST and IAST_PROXY_PORT
    • Custom Java properties: Iast.proxyHost and Iast.proxyPort
.NET:
  • Added support for .NET 8

APAR fix list

The following Authorized Program Analysis Reports (APARs) were fixed:

APAR No.    Description
KB0110378   The default settings wizard is incorrectly creating templates.
KB0110497   Advisory information is showing an error for the issue type 'API Security: Broken Object Level Authorization.'

Fixes and security updates

New security rules in this release include:
  • postMessageInfoLeak - Added to detect possible information leakage through postMessage()
  • WordPressQEMPluginXSSCVE202323491 - Added for CVE-2023-23491 detection
  • ApacheStrutsFileUploadRCE - Added a new test for "Apache Struts RCE via File Upload" (CVE-2023-50164)
  • attWordPressInPostPluginXSSCVE202328666 - Added detection for CVE-2023-28666
  • attApacheStrutsCVE20190230RCEOGNL - Added Tailored Web Server detection support for RCE
  • attAPIBrokenObjectLevelAuthorizationPath - Added path variants for "Broken Object Level Authorization"
  • attOracleWebLogicRemoteCommandExecutionVulnerabilityInWindowsExtDns - Added Tailored Web Server detection support for RCE
  • attOracleWebLogicRemoteCommandExecutionVulnerabilityInUnixExtDns - Added Tailored Web Server detection support for RCE
  • Vulnerable component database updated to version 1.3

The complete list of fixes, updates, and RFEs for this release is listed here.

Changed in this release

  • AppScan Enterprise Scanner now includes enhanced reporting for vulnerable component issues in exported PDF and HTML files. This update ensures that the issue cause and its descriptions are displayed clearly in both formats.
  • The GET /issues and GET /issues/v2 API endpoints now return scan names in reverse chronological order by default, so the most recently executed scan appears first, followed by scans executed at progressively earlier dates and times. This makes navigating through past scans more intuitive.

Removed in this release

  • The OWASP API Security Top 10 2019 Industry Standard Report is no longer available on the Monitor tab.
  • The CWE Top 25 2021 and DISA VR1 reports are no longer supported within the Scans tab.

Upcoming changes

The following changes will be made in a future release:

  • The CVSS attribute field on issues will be replaced with a non-editable CVSS vector string.
  • The Web Services and test policies will be removed. For more information, see Predefined Test Policies.