What's new

Features and enhancements new to AppScan® Enterprise.

New in

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan® Enterprise


Following the acquisition of AppScan products earlier this year by HCL, this release is an HCL branded version.

Performance improvements
  • Scans page is optimized to load faster.
  • The report generation functionality in the Monitor view is improved to avoid failures on big reports generation.
  • Traffic data in the reports is truncated to 4000 characters by default to improve report generation performance.
  • JRE for the AppScan Enterprise server is now upgraded to 64-bit.

Proxy server

Capability added to turn on the option to encrypt the traffic data, AppScan Enterprise can now, also accept encrypted traffic file through REST APIs.

Upgrade simplification

  • After upgrading an Agent, it is not necessary to run Config Wizard.
  • While upgrading an Agent, it is not necessary to bring down Server console and other Agents.
  • While upgrading Server, it is not necessary to bring down Agents but necessary to make sure no scans or report packs are running.

Capabilities nearing end of life

The following features are nearing end of life, and will be removed in future release:

  • Flash execution and parsing.
  • Glass Box Scanning.
  • Generic Service Client (GSC).
  • HCL AppScan Enterprise server on 32 bit Windows OS, and will be supported on 64 bit Windows OS only.
  • HCL AppScan Enterprise Server on Linux platform.
  • HCL AppScan Enterprise plug-in for IE browser.
  • Manual explorer.
Note: The JavaScript Analyzer (JSA) component has now been replaced by the Cross-Site Scripting Analyzer, to discover security issues more accurately.

New in

AppScan Issue Management Gateway Service v 0.3.0 improvements
  • Support migration of issues from AppScan Enterprise to Rational Team Concert.
  • Support migration of issues from AppScan Enterprise to Azure DevOps.
  • Https support for Issue Gateway REST APIs.
  • Support for Java 8, 9, 11 runtime.
  • Support for Spring Boot Framework 2.0.
  • Bug fixes - https://github.com/hclproducts/appscan-issue-gateway/releases/tag/0.3.0
AppScan Activity Recorder v 1.0.3 improvements
  • Added log window to display recording activities.
  • Improvements to filtering mechanism for a smaller size of traffic file.
Action-Based Explore improvements in DAST scanning Engine
  • Able to select items from drop-down lists.
  • Able to click on elements with a lower z-index (such as when there is a dialog box or other element in front of them).
  • Identifies new cookies created by JavaScript.
  • Improved URL filters.

Server-Down improvements

The Server Down heartbeat for target application, now tests the full Starting URL for the scan rather than just its root path, to handle cases where the server is up but the application is down.

Request-Based JavaScript Execution change

Due to the efficiency of Action-Based JavaScript Execution, these two redundant Request-Based JavaScript configuration options (and related Advanced Configuration Options) have been removed:
  • Execute JavaScript to discover URLs and dynamic content.
  • Execute JavaScript when replaying login.

The above options are removed both in ADAC and web UI for both DAST and Content Scan jobs. If you load a scan saved in an earlier version, in which one or both of these check boxes was selected, the selection is now ignored. See the section below for the reasoning behind this change.

Improved Cross-Site Scripting analysis

Due to the improvements to the Cross-Site Scripting Analyzer, that enable it to better detect DOM-Based Cross-Site Scripting, when creating new scans all JavaScript Analyzer (JSA) rules are now disabled in the Default Test Policy, and will be removed altogether in a future version. Your existing scans and templates are not affected by this change.

Configuration wizard upgrade improvement

Configuration Wizard utility is updated to modify security rules in the database seamlessly while upgrading the server.

New in

Automation and DevOps
  • New REST APIs
    • Search scan Jobs and report packs.
    • Configure Email Alerts for Jobs and report packs.
    • Download a scan file that can be opened in AppScan Standard.
    • Delete scan Jobs and report packs.
    • Enable additional domains in DAST scan jobs.
  • Consistent REST API response format
    • A few REST APIs that return a response in XML format have been modified to return a response in JSON data or XML data, depending on the input parameter.
    • A new set of REST APIs have been created to return the response in JSON format and these are intended to replace those APIs that return a response in XML format (APIs whose name ends with /XML).
  • Integration with Issue Management System

    AppScan Issue Management Gateway service is integrated with AppScan Enterprise to migrate issues to JIRA, which is a tool to track issues.

Request-Based JavaScript Execution

Due to the efficiency of Action-Based JavaScript Execution, Request-Based JavaScript Execution is now redundant, and this option is disabled by default in all the pre-defined templates. If you load a scan job in which the option was selected, it will remain selected, though we recommend clearing it.

JavaScript Execution option is present in the following locations:
  • AppScan Dynamic Analysis Client (ADAC) for DAST scan jobs: Explore Options > Request-Based > Execute JavaScript to discover URLs and dynamic content.
  • Web UI for Content scan jobs: Explore Options > Execute JavaScript to discover URLs and dynamic content.

Understanding the JavaScript Execution change

Over the last few years, we have developed a replacement mechanism for Request-Based Exploring, which imitated and approximated the workings of a browser. The new mechanism, Action-Based Exploring, utilizes an actual, embedded (Chromium-based) browser. Both mechanisms include JavaScript Execution (JSX), but we are now in the process of retiring the Request-Based JSX mechanism, as the newer technology duplicates and surpasses it.

Action-Based JSX more closely resembles the way a user interacts with the browser. It offers increased coverage and accuracy, and better support for new JavaScript frameworks as they emerge.

Request-Based JSX is, therefore, being phased out by stages:
  • In this fix pack, the JavaScript Execution check box is cleared by default, but you can still select it if you find that Action-Based Exploring fails for a specific application.
  • In future releases, the mechanism will be removed entirely. Note that when you load a saved scan or template in which the JSX check box was selected it will remain selected. However, we suggest clearing the check box.

    If you see a difference in the results due to this change, we urge you to open a Support Ticket so we can either explain the difference to you or fix the Action-Based mechanism.

  • Change Host in traffic file: If StartingURL of a scan job is changed through the API POST /jobs/{jobid}/dastconfig/updatescant or user interface (web UI or ADAC), URLs in traffic data are modified automatically to update host, port and scheme.
  • Scan file download: A scan file that can be opened in AppScan Standard can be downloaded from the scan job statistics page.
  • SQL Server 2017 (Enterprise and Standard) is now supported.
  • .NET framework 4.7.2 is now a system requirement, and is installed as part of the installation.

New in

Test Optimization

A full regular AppScan® Enterprise scan typically sends thousands of tests and may take hours, in some cases days, to complete. During the early stages of development, or for a quick overall evaluation of the current security posture of your product, you can use Test Optimization to get the results you need in a shorter time frame.

App Scan’s intelligent test filters are based on statistical analysis, and select tests for the more common, severe and otherwise important vulnerabilities. AppScan updates keep your Test Optimization up-to-date with the latest optimization filters. Using Test Optimization can greatly reduce overall scan time when speed is more important to you than scan depth.

Test Optimization can be activated from both the AppScan Dynamic Analysis Client and API.

For more information, refer Understanding Test Optimization.

Chrome Extension for Actions and Traffic recording - AppScan Activity Recorder

AppScan’s new Chrome extension simplifies web application security testing. During web application testing, you can record manual crawl, login, and multi-step data (traffic and actions) for an AppScan Dynamic Analysis scan. The data is saved as a file that can be uploaded to AppScan Enterprise to be used in a scan. Upload is supported both by the UI and by the REST API.

For more information, refer Capturing Traffic and Actions using AppScan Activity Recorder.

Automation and DevOps
  • New REST APIs
    • Search Users, Folders, Applications, and Server groups.
    • Schedule scan jobs and configure job-level blackouts.
    • Remove specific domains from imported manual explore data.
  • ADAC - Ability to import manual explore data.
  • Improved BURP results import: now includes traffic data.
  • Support multiple AppScan Enterprise installations on a single machine, using a common database.
  • Support for Rational Team Concert 6.0.6 integration.

New in

REST APIs for DevOps and Automation

  • Scan Management REST APIs are now integrated unified with the Application Management APIs through Swagger.
  • New authentication API to use Key and Secret strings.
  • New APIs added to support the following capabilities:
    • Create, edit, and delete folders.
    • Provide user access to folders.
    • List the existing permissions to create/edit user-types.
    • Create, edit, and delete user-types.
    • Edit and delete console user.
    • API GET /consoleusers/{userId} is enhanced to return folders and server groups that a user has access.
    • List the existing server groups.
    • Create, edit and delete server groups.
    • Provide user access to server groups.
    • Change the scan to Explore Only or Test Only.

Documentation Improvements

Improved APIs documentation in Swagger (https://<domain>:9443/ase/api/pages/apidocs.html).

Important Fixes
  • User-defined tests created using AppScan Standard can be added to AppScan Enterprise.
  • Scan view is now available for Quick Scan users.
  • Editing a scan job copied from AppScan Standard or ADAC is possible.
  • ASOC scanners are enhanced to read additional data in the XML reports generated from ASOC.

New in

  • Improved Action-Based Scanning: Updated Dynamic Analysis engine for greater compatibility with newer web apps, and improved coverage to reveal additional vulnerabilities.
  • Windows 2016 Server support.
  • Import HTTP Archive (HAR) traffic files for content scan jobs.
    • To be used as login sequence data in Login Management page.
    • To be used as explore data in What to Scan page.
  • Users search capability in the Administration tab.
  • OWASP Top 10 2017 Report in scan view.
  • New ADAC capabilities.
    • Greatly Improved Login Management Configuration: Login Management includes many improvements to help you configure and manage how AppScan logs in to your application, and maintains sessions.
    • New Action-Based Explore Options give you greater control, and the Action-Based tab includes new settings to help achieve more efficient Action-Based exploring.
    • Communication and Proxy settings allows to:
      • Configure local proxy settings.
      • Configure the local proxy with the same settings as the ASE Agent.
    • Improved Chrome-based embedded browser provides greater compatibility with newer web apps.
  • APIs for DevOps
    • Enhanced WebHook capability to post job status to endpoint URL.
    • Enhanced REST API to support exclusions with exceptions for content scan jobs.
    • New REST API for uploading a template file.
    • New REST API for creating a job using a template file.
    • Updated REST API to generate a report for a scan with no issues.
  • Script to delete old and unused issue records included in downloads folder.
  • Enhanced scanners in monitor view to compute CVSS for issues imported from AppScan Standard.

New in

  • Security updates and APAR fixes
  • DAST for DevOps
    • Integration with Deployment tools (for example: UDeploy) to automate creating and initiating Scans; and now added capability to subscribe for receiving notifications about Scan status ( completed, failed, suspended etc. ). For more information, refer to the technote -http://www.ibm.com/support/docview.wss?uid=swg22015122.
    • REST APIs for improved automation.
      • Unable to upload a multi-line HAR format manual explore data via Scan Management REST API.
      • Uploading a HAR file manual explore data with JSON POST body does not get seen after import via the Scan Management REST API.
      • New capability enables importing of traffic file(s) containing multi-step sequence via the Application Management REST API.
  • Other Improvements

New in

  • Security updates and APAR fixes
  • Enhanced DAST Scanning Engine
    • Improved Cross-Site Scripting testing: If a traditional XXS test fails, the test is automatically sent again using an actual browser. This approach enables finding additional vulnerabilities that were not found before.
    • Improved Automatic Login: Various techniques were added to increase the success of Automatic Login.
    • Improved Action-Based Crawling: Action-based crawling is more accurate and thorough, increasing application coverage.
    • Improved scan accuracy: A variety of security rule updates reduce false positive results.
  • DAST for DevOps
    • HAR file support: Traffic recorded with CI/CD tools and saved in HAR format can now be imported and used as part of an ASE job using the REST API.
    • New REST APIs for improved automation.
      • Update credentials of recorded Action-Based Login and Automatic Login.
      • Import traffic file including login requests for Request-Based Login.
    • Proxy Server and Automation APIs were added in iFix2. For more information, refer to the Other Improvements section.
  • Other Improvements
    • Includes latest JRE 1.8 SR5.
    • Export issues from Security Reports in Excel format from Monitor tab.
    • Import issues exported from AppScan Source in OZASMT format.

New in

  • Support was added for Microsoft™ SQL Server 2016 and for the .NET 4.6.2 framework
  • You can delete selected 3rd party scanner issue imports from an application
  • A new compliance report was added: Regulation (EU) 2016/679 of the European Parliament and of the Council - General Data Protection Regulation

New in

This fix pack synchronizes the versions across the AppScan product suite to simplify centralized management (the installation or updating of client components). AppScan Enterprise 9.0.3 fix pack versions are (released on 04/26/16) and

  • Importing user-defined tests from AppScan Standard.
  • New features in the AppScan Dynamic Analysis Client:
    • AppScan Dynamic Analysis Client now offers a second Automatic Explore method: Action-based Explore. This complements the existing Request-based Explore, in the Automatic Explore stage of the scan. By default both methods are used, with a 30 minute time limit for the Action-based Explore stage. See the "Explore Options view" topic in the AppScan Dynamic Analysis Client online help.
      Note: You can also access this feature on the Explore Options page of a content scan job. The options are turned on by default.
    • You can now change the host, scheme or port of the Starting URL in a scan configuration and AppScan will update, verify and confirm the necessary changes.
    • You can now set individual requests in a multi-step sequence to "Don't Test".
    • You can now delete individual URLs from a Manual Explore recording.
  • Ability to see the issue imports for an application.
  • Scan results (*.scan files) are now exported in the Support download logs.
  • Ability to export reports in XML format.

New in iFix2

  • A new capability to filter issues by scan coverage findings (new default) was added.
  • The Overdue Issues formula was modified to include scan coverage findings.
  • The SANS/CWE Top 25 Most Dangerous Programming Errors v1.03 report was updated to match issue types by CWE value, rather than by threat class.
  • Support for Common Access Card (CAC) was added to the AppScan Dynamic Analysis Client (available in the AppScan Standard fixpack).

New in iFix1

New in

: What's new in AppScan Enterprise v9.0.3.1

  • Usability improvements:
    • Ability to add or import user comments to applications and issues in the About this Issue dialog.
    • Added the ability to filter based on the DOM in the Explore options of a content scan job.
    • Custom error pages can now be specified for each job (used to be global option). Global update supports modifying custom error pages for multiple jobs
    • Added the ability to convert a scan configuration that was created in AppScan Standard so that you can edit it directly in the AppScan Dynamic Analysis Client.
  • Reporting improvements:
    • Ability to include application and issue attributes in an exported Security Report
    • Enhancements were made to the Activity Log report to track activities from the Monitor view:
      • issue classification
      • create, modify, and delete applications
      • issue imports
      • change user permissions
    • New compliance report: Federal Risk and Authorization Management Program (FedRAMP)
  • Added defect tracking with HCL Rational Team Concert™ to the Monitor view
  • Improved security rules update process
  • New and updated REST APIs.

New in 9.0.3 iFix3

  • Security/APAR fixes (details are provided in the iFix3 readme file)
  • New issue import scanner: HCL Security Guardium®
  • Removed the version restrictions on the publishing integration between AppScan Enterprise and AppScan Source. Read this technote for details.

New in 9.0.3 iFix2

  • Security/APAR fixes (details are provided in the iFix2 readme file)
  • New issue import scanners: HP Fortify and Veracode
  • Updated MSL library

New in 9.0.3 iFix1

  • Security/APAR fixes (details are provided in the iFix1 readme file)
  • New AppScan Dynamic Analysis Client
  • New issue import scanners: HP WebInspect, Burp Suite Professional, Black Duck, Nessus Vulnerability Scanner

New in 9.0.3

  • Reporting: From the Monitor view, export issues to reports in PDF or HTML formats.
  • Issue import: Ability to import issues exported from a report in XML format from AppScan Standard v9.0.3
  • New and updated dashboard charts:
    • OWASP Top Ten 2013: Identifies applications that contain issues that match the 10 most critical web application security risks.
    • CWE/SANS Top 25 Most Dangerous Software Errors: Identifies applications that contain issues that match the CWE/SANS Top 25 Most Dangerous Software Errors.
    • Top Issue Types (App): Updated to reflect the number of apps that are affected by the top issues that are discovered in your portfolio
  • Issue management:
    • Track overdue issues. From the Portfolio view, track the number of applications with overdue issues. At the application level, track the overdue status for each individual issue.
    • New issue attributes:
      • Fixed Date: The date and time stamp when an issue was fixed.
      • Overdue: An issue that is not fixed by a predetermined date.
      • Customize the issue list view so that issues with a particular status are hidden from view: noise, passed, or fixed. From an application, go to List menu > Customize View to make your selections. As you classify issues with one of these statuses, they disappear from the list so that you can continue focusing on the issues that need attention.
    • Edit multiple applications simultaneously
  • Portfolio triage:
  • New and updated REST APIs
  • Page structure (DOM) filtering capability in the AppScan Dynamic Analysis Client.

New in iFix1

  • Support for Mozilla Firefox 38 (ESR) was added
  • Changes in scan management APIs
  • Ability to import issues in XML format from HCL Security Cloud offerings: AppScan Mobile Analyzer, AppScan Dynamic Analyzer, and AppScan Static Analyzer

New in

  • Editing multiple issues simultaneously
  • New dashboard trend chart: Open Issues by Severity
  • Support was added for Microsoft SQL Server 2014
  • Support for Liberty was upgraded from v8.5.5.4 to v8.5.5.6
  • Standard Users can edit Basic and Additional options in the AppScan Dynamic Analysis Client. This capability can be given to other users as a custom user permission.
  • Changes in the AppScan Dynamic Analysis Client:
    • New Proxy pane. If AppScan Enterprise uses a proxy server during the scan, you can use your Internet Explorer proxy settings (if configured), or enter custom settings.
    • Ability to log in to the Client from the desktop by using LDAP authentication.
  • New and updated REST APIs
  • Changes in content and layout of the About this Issue dialog

New in 9.0.2 iFix1

  • Integration with JIRA for defect tracking.
  • New REST APIs for Defect Tracking System integration.
  • The search and filter fields in the Portfolio and Application tabs are combined into one field for simplicity and improved usability.

New in 9.0.2

  • A new Dashboard tab displays the charts that were previously displayed in the Portfolio tab, and adds more metrics to assess the current status and progress of an application security initiative. This includes
    • trend of portfolio risk status
    • the number of applications with open security issues
    • trend of overall open issues
    • trend of applications test status
  • A new approach to create scans consistent with AppScan Standard, for both the security team who creates the templates and for the developers who create the scans. See Overview of scan configuration differences in v9.0.2 and higher and in previous versions.
  • New built-in formulas include new issues, open issues, fixed issues, and total issues.
  • Enhancements to issue management:
    • A 'new' classification has been added for issue management. All issues that are scanned or imported from 3rd party scanners and that have not been triaged before are now classified as 'new' in both the Monitor and the Scans views.
    • Group issues by Status in an application tab.
  • New and updated Application Security Management REST APIs.

For further details on what's new and changed since v9.0.1.1, read this whitepaper.

New in

  • Security rules can be updated from Fix Central. See Deprecated features.
  • When a scan is associated with an application, the Status and Severity Value for any issues that are triaged from the Monitor view are propagated in the reports in the Scans view. Reports do not need to be rerun to see the changes.
  • Added support for Windows™ Server 2012 R2.
  • Improved the way that CVSS scores are calculated for Static Analysis (SAST) issues that are imported from AppScan Source.
  • Added a horizontal scroll bar for easier viewing in both the Applications and Issues tabs.
  • Added a new compliance report: DISA's Application Security and Development STIG Category 1, V3R9.

New in 9.0.1

  • Redesigned Application Security Management user interface for easier navigation and access to information.
  • Capability to import application security vulnerabilities discovered using manual pen-testing or third-party tools.
  • Scoring and ranking vulnerabilities in application context using Common Vulnerability Scoring System (CVSS). See Determining issue severity.
  • Architecture redesign to reduce installation footprint and replacement of HCL Rational® Jazz™ user authentication component with HCL WebSphere® Liberty. See Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions before upgrading.
  • A built-in REST API interface provides you with a way to visualize RESTful web services that are used for creating and updating applications, setting up application access for users, and adding or updating issues. Use the framework to interact with the API and get clear insight into how the API responds to parameters and options. See Enabling the Application Security Management REST API interactive framework.
  • Glass box .NET agent now supports invisible parameters This enables AppScan to identify HTTP parameters that are not visible to black box scanners, improving scan coverage. No special configuration is needed. Until now, invisible parameters were supported only for Java™ platforms.