Security vulnerabilities testing by using HCL® AppScan

You can use HCL® AppScan to scan all HTTP traffic that is generated as part of integration testing in HCL DevOps Test Integrations and APIs (Test Integrations and APIs) for security vulnerabilities.

Prerequisites

Before you use HCL® AppScan to scan the HTTP traffic to and from Test Integrations and APIs, you must consider the following prerequisites:
  • You must have installed a licensed version of HCL® AppScan Enterprise or HCL® AppScan Standard edition. For installation instructions, visit the AppScan family of products page, select your product and version, and refer to the documentation for the HCL® AppScan version that you want to use.
  • You must be familiar with configuring and using HCL® AppScan to scan applications or web services for security vulnerabilities.

Overview of tasks

You can find the tasks that you can perform for scanning the HTTP traffic to and from Test Integrations and APIs in the following table:
Task
1. Install HCL® AppScan or the HCL® AppScan Dynamic Analysis Client.
2. Set up Test Integrations and APIs as the application to scan in the HCL® AppScan server or the HCL® AppScan Dynamic Analysis Client.
You can use any of the following methods to set up the application:
  • Login Management
  • Manual Explore
  • External Traffic Recorder
Refer to the AppScan documentation for the details on these methods in the version of AppScan that you want to use.
3. Start Test Integrations and APIs from the command line. See Starting DevOps Test Integrations and APIs from the command line.
4. Verify that HCL® AppScan scans the HTTP traffic to and from Test Integrations and APIs: create a project, set up a physical transport, and create tests to send and receive messages in Test Integrations and APIs. After you run the tests, you can view the scan reports in HCL® AppScan.