What's new

This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan Standard 10.4.0

  • Re-designed Non-vulnerables and AppScan Connect interfaces.
  • Vulnerable component updates to include the latest CVE that provides better scan coverage.
  • Introduced Multi-Factor Authentication (MFA) based on security questions for login management.
  • Added Display density settings to adjust the visual density of the user interface.
  • New Regulatory Compliance report: [SA] Protection of Personal Information Act (PoPIA), 2013.
  • Updated Regulatory Compliance reports:
    • [US] The Federal Risk and Authorization Management Program (FedRAMP), Revision 5.
    • [US] DISA's Application Security and Development STIG, V5R2
    • [US] Federal Information Security Modernization Act (FISMA) , 2014.
  • Enhanced DAST scan accuracy and efficiency with an IAST subscription. For more information, refer to the blog.
  • Two new extensions are available:

Fixes and security updates

New security rules in this release include:
  • Improved accuracy for credit card detection in several rules:
    • SecurityRule_GD_CreditCardAmericanExpress
    • SecurityRule_GD_CreditCardAmericanExpressNotSSL
    • SecurityRule_GD_CreditCardDinersClub SecurityRule_GD_CreditCardDinersClubNotSSL
    • SecurityRule_GD_CreditCardDiscover SecurityRule_GD_CreditCardDiscoverNotSSL
    • SecurityRule_GD_CreditCardMasterCard SecurityRule_GD_CreditCardMasterCardNotSSL
    • SecurityRule_GD_CreditCards SecurityRule_GD_CreditCardsNotSSL
    • SecurityRule_GD_CreditCardVisa
    • SecurityRule_GD_CreditCardVisaNotSSL
  • attText4Shell - Added Tailored Web Server detection support for RCE
  • attZencartRemoteCommandExecutionAdnsCVE20213291 - Added Tailored Web Server detection support for RCE
  • attSessionFixation - Modified the detection rule to avoid testing requests with no previous request
  • attAPIBrokenObjectLevelAuthorization - Expanded the rule to test all numeric directories (Inc and Dec)
  • CORSArbitraryOrigin - Modified to include a bogus Origin header everywhere

For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.

Changed in this release

Upcoming change

  • The ability to export scan results as XML for versions of AppScan Enterprise earlier than will be removed in the next release.
  • The embedded Internet Explorer browser will be removed in a future version of AppScan.