United States government regulation compliance

Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL® is working to make its products the most secure in the industry. This topic lists the standards and guidelines that AppScan® Source supports.

Internet Protocol Version 6 (IPv6)

AppScan Source is enabled for IPv6, with these exceptions:

  • Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.
  • IPv6 is not supported when connecting to Rational Team Concert™.

Federal Information Processing Standard (FIPS)

On Windows™ and Linux™ platforms that are supported by AppScan Source, AppScan Source supports FIPS Publication 140-2, by using a FIPS 140-2 validated cryptographic module and approved algorithms. On macOS platforms that are supported by AppScan Source, manual steps are needed to operate in FIPS 140-2 mode.

To learn background information about AppScan Source FIPS compliance - and to learn how to enable and disable AppScan Source FIPS 140-2 mode, see these technotes:

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

NIST SP 800-131A guidelines provide cryptographic key management guidance. These guidelines include:

  • Key management procedures.
  • How to use cryptographic algorithms.
  • Algorithms to use and their minimum strengths.
  • Key lengths for secure communications.

Government agencies and financial institutions use the NIST SP 800-131A guidelines to ensure that the products conform to specified security requirements.

NIST SP 800-131A is supported only when AppScan Source is operating in FIPS 140-2 mode. To learn about enabling and disabling AppScan Source FIPS 140-2 mode, see Federal Information Processing Standard (FIPS).

Important:
If the AppScan Enterprise Server that you will connect to is enabled for NIST 800-131a compliance, you must set AppScan Source to force Transport Layer Security V1.2. If Transport Layer Security V1.2 is not forced, connections to the server will fail.
  • If you are not installing the AppScan Source Database (for example, you are installing only client components), you can force Transport Layer Security V1.2 by modifying <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations). In this file, locate this setting:
    <Setting
        name="tls_protocol_version"
        read_only="false"
        default_value="0"
        value="0"
        description="Minor Version of the TLS Connection Protocol"
        type="text"
        display_name="TLS Protocol Version"
        display_name_id=""
        available_values="0:1:2"
        hidden="false"
        force_upgrade="false"
    />

    In the setting, change value="0" to value="2" and then save the file.

  • If you are installing the AppScan Source Database, you force Transport Layer Security V1.2 by using the HCL® AppScan Enterprise Server Database Configuration tool after installing both AppScan Source and the Enterprise Server.

Windows 7 machines that are configured to use the United States Government Configuration Baseline (USGCB)

AppScan Source supports scanning applications on Windows 7 machines that are configured with the USGCB specification.

Note: On machines that are configured with the USGCB specification, AppScan Source does not support defect tracking system integration with HP Quality Center or Rational® ClearQuest®.