United States government regulation compliance

Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL® is working to make its products the most secure in the industry. This topic lists the standards and guidelines that AppScan® Source supports.

Internet Protocol Version 6 (IPv6)

AppScan Source is enabled for IPv6, with these exceptions:

  • Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.
  • IPv6 is not supported when connecting to Rational Team Concert™.

Federal Information Processing Standard (FIPS)

On Windows™ and Linux™ platforms that are supported by AppScan Source, AppScan Source supports FIPS Publication 140-2 by using a FIPS 140-2 validated cryptographic module and approved algorithms.

To learn background information about AppScan Source FIPS compliance, and to learn how to enable and disable AppScan Source FIPS 140-2 mode, see these technotes:

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

NIST SP 800-131A guidelines provide cryptographic key management guidance. These guidelines include:

  • Key management procedures.
  • How to use cryptographic algorithms.
  • Algorithms to use and their minimum strengths.
  • Key lengths for secure communications.

Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that products conform to specified security requirements.

NIST SP 800-131A is supported only when AppScan Source is operating in FIPS 140-2 mode. To learn about enabling and disabling AppScan Source FIPS 140-2 mode, see Federal Information Processing Standard (FIPS).

Important:
If the AppScan Enterprise Server that you will connect to is enabled for NIST SP 800-131A compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail.
  • If you are not installing the AppScan Source Database (for example, you are only installing client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations). In this file, locate this setting:
    <Setting
        name="tls_protocol_version"
        read_only="false"
        default_value="0"
        value="0"
        description="Minor Version of the TLS Connection Protocol"
        type="text"
        display_name="TLS Protocol Version"
        display_name_id=""
        available_values="0:1:2"
        hidden="false"
        force_upgrade="false"
    />

    In the setting, change value="0" to value="2" and then save the file.

  • If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 in the HCL® AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server.
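The following script is an added example for verifying and applying the ounce.ozsettings change described above; it is not HCL code and not part of the original topic. It assumes that the file contains one or more <Setting .../> elements, each carrying the name and value attributes shown on this page, under some enclosing root element (the root element name used in the constructed sample below is an assumption). It refuses to set a value that is not listed in available_values or that is marked read_only, so a misconfigured file is reported rather than silently edited.

```python
"""Check and enforce tls_protocol_version in an AppScan Source ounce.ozsettings file.

Added example, not HCL code. Assumes each setting is a <Setting .../> element
with `name` and `value` attributes under some root element; the root element
name and file layout below are assumptions, only the Setting element itself
follows the fragment shown on the page.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant fragment (the <Settings> root is assumed).
SAMPLE_OZSETTINGS = """<Settings>
  <Setting
    name="tls_protocol_version"
    read_only="false"
    default_value="0"
    value="0"
    description="Minor Version of the TLS Connection Protocol"
    type="text"
    display_name="TLS Protocol Version"
    display_name_id=""
    available_values="0:1:2"
    hidden="false"
    force_upgrade="false"
  />
</Settings>
"""

SETTING_NAME = "tls_protocol_version"
TLS12_MINOR = "2"  # value="2" selects TLS 1.2, as the page instructs


def find_setting(root, name):
    """Return the <Setting> element with the given name attribute, or None."""
    for el in root.iter("Setting"):
        if el.get("name") == name:
            return el
    return None


def tls_minor_version(xml_text):
    """Return the configured TLS minor version as an int, or None if the setting is absent."""
    el = find_setting(ET.fromstring(xml_text), SETTING_NAME)
    if el is None or el.get("value") is None:
        return None
    return int(el.get("value"))


def is_tls12_forced(xml_text):
    """True when the file already forces TLS 1.2 (value="2")."""
    return tls_minor_version(xml_text) == int(TLS12_MINOR)


def force_tls12(xml_text):
    """Return a copy of xml_text with tls_protocol_version set to 2.

    Raises ValueError if the setting is missing, read-only, or does not list
    "2" among its available_values, so the caller can inspect the file instead
    of shipping an edit the product would not accept.
    """
    root = ET.fromstring(xml_text)
    el = find_setting(root, SETTING_NAME)
    if el is None:
        raise ValueError(f"{SETTING_NAME} not present in ounce.ozsettings")
    allowed = el.get("available_values", "").split(":")
    if TLS12_MINOR not in allowed:
        raise ValueError(f"value {TLS12_MINOR} not in available_values={allowed}")
    if el.get("read_only", "false").lower() == "true":
        raise ValueError(f"{SETTING_NAME} is marked read_only")
    el.set("value", TLS12_MINOR)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_tls.py [path\to\ounce.ozsettings]; without a path the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OZSETTINGS
    print("tls_protocol_version before:", tls_minor_version(text))
    print("tls_protocol_version after: ", tls_minor_version(force_tls12(text)))
```

ElementTree re-serializes the whole document, so comments, the XML declaration and the original attribute layout are not preserved; use the script to audit a file and confirm the result, and apply the one-attribute change by hand, as the topic describes, if you want the file otherwise untouched.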

Windows machines that are configured to use the United States Government Configuration Baseline (USGCB)

AppScan Source supports scanning applications on Windows machines that are configured with the USGCB specification.

Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational® ClearQuest®.