What's new

This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan Standard 10.5.0

  • Redesigned the AppScan Connect - AppScan Enterprise interface: scans can now be run immediately or deferred, and you can choose the scanning method.
  • Export the complete list of tests (excluding variants) in the test policy to a CSV file, whether or not the tests are enabled.
  • Advanced Search in the Issues view: navigate your data by searching for specific strings within the Request/Response or in the issues table.
  • Added new test policies:
    • OWASP Top 10 API Security Risks – 2023
    • OWASP Top 10 – 2021
  • Updated Regulatory Compliance reports:
    • OWASP API Security Top 10 2023
    • [US] DISA's Application Security and Development STIG, V5R3
    • CWE Top 25 Most Dangerous Software Weaknesses 2023
    • The Payment Card Industry Data Security Standard (PCI DSS) - V4
  • Refactored error page detection: you can now define strings and regular expressions that identify error pages by response content, by path, or by both.
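Error page identification matters to a scanner because many applications answer a missing or failing request with HTTP 200 and a friendly "not found" or "unexpected error" page; if the scanner takes such a page at face value it reports phantom content and may mis-judge test results. The following is an added illustration of the general idea, written for this section; it is not AppScan's own code and does not reflect how AppScan implements the feature. It assumes a rule model of its own: each rule is either a plain string or a regular expression, is scoped to the response content, the request path, or both, and a rule scoped to "both" is taken to match when either location matches. The responses and rules are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Literal

Scope = Literal["content", "path", "both"]


@dataclass(frozen=True)
class ErrorPageRule:
    """One error-page rule: a literal string or a regex, applied to content, path, or both.

    This rule model is an assumption for the example, not AppScan's configuration format.
    """
    pattern: str
    is_regex: bool = False
    scope: Scope = "content"
    case_sensitive: bool = False

    def _matches_text(self, text: str) -> bool:
        if self.is_regex:
            flags = 0 if self.case_sensitive else re.IGNORECASE
            return re.search(self.pattern, text, flags) is not None
        if self.case_sensitive:
            return self.pattern in text
        return self.pattern.lower() in text.lower()

    def matches(self, path: str, body: str) -> bool:
        if self.scope == "content":
            return self._matches_text(body)
        if self.scope == "path":
            return self._matches_text(path)
        # Assumption for this example: "both" means a hit in either location counts.
        return self._matches_text(path) or self._matches_text(body)


def is_error_page(path: str, status: int, body: str, rules: list[ErrorPageRule]) -> bool:
    """A 4xx/5xx status is an error page outright; a 2xx/3xx is one only if a rule matches."""
    if status >= 400:
        return True
    return any(rule.matches(path, body) for rule in rules)


# Constructed sample responses: (request path, status code, response body).
SAMPLE_RESPONSES = [
    ("/products/42", 200, "<html><body><h1>Widget 42</h1></body></html>"),
    ("/products/99999", 200, "<html><body><h1>Oops! Page not found</h1></body></html>"),  # soft 404
    ("/error/500.aspx", 200, "<html><body>An unexpected error occurred</body></html>"),    # redirected error page
    ("/help/errors", 200, "<html><body>How to read HTTP status codes</body></html>"),      # legitimate page
    ("/admin", 403, "Forbidden"),
]

# Constructed rules: one string on content, one regex on path, one regex on both.
RULES = [
    ErrorPageRule("page not found", scope="content"),
    ErrorPageRule(r"^/error/\d{3}\.aspx$", is_regex=True, scope="path"),
    ErrorPageRule(r"unexpected error", is_regex=True, scope="both"),
]


def classify(responses, rules) -> dict[str, bool]:
    """Map each sample path to whether it is treated as an error page."""
    return {path: is_error_page(path, status, body, rules) for path, status, body in responses}


if __name__ == "__main__":
    for path, is_error in classify(SAMPLE_RESPONSES, RULES).items():
        print(f"{path:20s} error page: {is_error}")
```

Two practical points follow from the example. First, a rule that is too broad (for instance the bare word "error" on content) would classify the legitimate /help/errors page as an error page and the scanner would silently stop exploring it, so rules should be as specific as the application's real error templates allow. Second, anchored regexes on the path, such as the `^/error/\d{3}\.aspx$` rule above, are a cheap way to catch applications that redirect failures to a dedicated error URL that still returns 200.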

Fixes and security updates

New security rules in this release include:

  • postMessageInfoLeak - Added to detect possible information leakage via postMessage()
  • WordPressQEMPluginXSSCVE202323491 - Added for CVE-2023-23491 detection
  • ApacheStrutsFileUploadRCE - Added a new test for "Apache Struts RCE via File Upload" (CVE-2023-50164)
  • attWordPressInPostPluginXSSCVE202328666 - Detection for CVE-2023-28666
  • attApacheStrutsCVE20190230RCEOGNL - Added Tailored Web Server detection support for RCE
  • attAPIBrokenObjectLevelAuthorizationPath - Added path variants for "Broken Object Level Authorization"
  • attOracleWebLogicRemoteCommandExecutionVulnerabilityInWindowsExtDns - Added Tailored Web Server detection support for RCE
  • attOracleWebLogicRemoteCommandExecutionVulnerabilityInUnixExtDns - Added Tailored Web Server detection support for RCE
  • Vulnerable component database updated to version 1.3

For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.

Changed in this release

  • The embedded Internet Explorer browser was removed.
  • The ability to export scan results as XML for versions of AppScan Enterprise earlier than 9.0.3.1 was removed.
  • In AppScan CMD, the 'xml_report' format is not supported. Instead, you can use the 'xml' report format.

Upcoming change

  • The "Delete Issues" feature is currently accessible from the issues list (by right-clicking or using the context menu) and from the Edit menu. Starting with the next release, the ability to delete issues will be removed.