HCL AppScan
AppScan is a provider of application security testing tools that help software publishers detect and remediate vulnerabilities, and comply with regulations and security best practices. Its static, dynamic and interactive scanning engines can be deployed in every phase of the development lifecycle and test web applications, APIs and mobile applications. AppScan’s scanning engines are maintained by expert security researchers and continuously updated to remain current with new technologies and attack tactics.
- DevOps-ready application security testing that can work in harmony with most CI/CD pipelines
- Shift-left security to help businesses identify issues early in the development lifecycle, when they are easier and cheaper to fix
- A complete security testing suite that orchestrates multiple scanning technologies – DAST, SAST, SCA and IAST – to find more vulnerabilities
- Continuous vulnerability scanning to automate the testing of every incremental release and discover the vulnerabilities that can leave you open to risks
- Continuous compliance with regulations and industry best practices to ensure you are always in compliance
DAST (Dynamic Application Security Testing) vs SAST (Static Application Security Testing)
Dramatic acceleration of our DAST scans is enabled via a combination of new capabilities, including:
- Test optimizations focus on the more severe vulnerabilities, and those that are more likely to be identified, ensuring that shorter scans yield useful findings.
- Focusing scans on the significant vulnerabilities, and continuously adapting test policies to the current threat landscape, dramatically reduces scan times.
- In AppScan V10, users can choose to trade off speed (in some cases, up to 90% shorter test time) against depth, or can still run full scans as needed.
- Incremental scans that focus only on the parts of the application that changed enable dramatic acceleration of scan times.
- Instead of analyzing the entire application for every release, scanners automatically identify those portions of the application that changed, and target testing on that new functionality.
Faster SAST scans are enabled via three new capabilities introduced in our SAST scanning engine:
- Configurable scanning allowing operators to trade off speed for depth
- Distributed analytics used to accelerate computationally intensive processing by distributing it across multiple compute resources
- Incremental scans enabling shorter scans that focus only on parts of the code that changed
- More accurate scans are made possible using AI-based filtering and prioritization that focus attention on the high-severity vulnerabilities that require immediate attention.
Game-Changing IAST
AppScan V10 introduces an all new Interactive Application Security Testing solution that is easy to install, introduces a lower performance impact, and delivers better vulnerability detection. The IAST agent automatically instruments the application’s runtime and monitors for vulnerable code executions that require attention. More specifically, it monitors taint propagation and the quality of the application’s sanitizers.
AppScan IAST can be used in passive mode, without any deliberate efforts to exploit the application, or in active mode, where a DAST scanner is used to actively “attack” the application.
AppScan IAST can be used at any stage in the development lifecycle – IDE to production – to pinpoint vulnerable code executions for developers testing their code from the IDE, QA and security experts analyzing the application in a test environment, or operations teams monitoring the application in production.
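The IAST description above rests on two mechanisms: following taint from an untrusted source through the application to a sink, and judging whether the sanitizer applied on the way actually neutralises the input. The following is an added illustration of both ideas in plain Python; it is not AppScan code and does not reflect how the AppScan agent instruments a runtime. The `Tainted` string, the `Monitor`, the sanitizer probe strings and the `query.name` request parameter are all constructed for the example.

```python
import html
from dataclasses import dataclass
from typing import Callable, List, Tuple


class Tainted(str):
    """A str that remembers the untrusted source it came from and the
    sanitizers it has passed through. As a str subclass it flows through
    ordinary application code unchanged, which is what lets the monitor
    recognise it when it reaches a sink (constructed for this example)."""

    source: str
    sanitizers: Tuple[str, ...]

    def __new__(cls, value: str, source: str, sanitizers: Tuple[str, ...] = ()):
        obj = super().__new__(cls, value)
        obj.source = source
        obj.sanitizers = tuple(sanitizers)
        return obj

    def _combine(self, other, combined: str) -> "Tainted":
        # Taint survives concatenation; a sanitizer only counts for the
        # result if every tainted part had already passed through it.
        sans = set(self.sanitizers)
        if isinstance(other, Tainted):
            sans &= set(other.sanitizers)
        return Tainted(combined, self.source, tuple(sorted(sans)))

    def __add__(self, other):
        return self._combine(other, str.__add__(self, other))

    def __radd__(self, other):
        return self._combine(other, str.__add__(other, self))


@dataclass(frozen=True)
class Finding:
    sink: str
    source: str
    sanitizers: Tuple[str, ...]
    reason: str


class Monitor:
    """Records sanitizers that fail their quality probe, and tainted values
    that reach a sink without a sound sanitizer that the sink accepts."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self.weak_sanitizers: List[str] = []

    def sanitizer(self, name: str, fn: Callable[[str], str], probe: str, forbidden: str):
        # Quality check: a sound sanitizer must remove `forbidden` from `probe`.
        if forbidden in fn(probe):
            self.weak_sanitizers.append(name)

        def wrapped(value: str) -> str:
            out = fn(value)
            if isinstance(value, Tainted):
                return Tainted(out, value.source, value.sanitizers + (name,))
            return out
        return wrapped

    def sink(self, name: str, accepts: Tuple[str, ...]):
        def decorate(fn):
            def wrapped(value: str):
                if isinstance(value, Tainted):
                    usable = [s for s in value.sanitizers if s in accepts]
                    if not usable:
                        self.findings.append(Finding(name, value.source, value.sanitizers, "unsanitized"))
                    elif all(s in self.weak_sanitizers for s in usable):
                        self.findings.append(Finding(name, value.source, value.sanitizers, "weak sanitizer"))
                return fn(value)
            return wrapped
        return decorate


def run_demo() -> Tuple[List[Finding], List[str]]:
    mon = Monitor()
    # One sound sanitizer and one deliberately weak one; the probes are constructed.
    escape = mon.sanitizer("html_escape", html.escape, "<script>", "<script>")
    strip_lower = mon.sanitizer("strip_script", lambda s: s.replace("<script>", ""), "<SCRIPT>", "<SCRIPT>")

    @mon.sink("html_response", accepts=("html_escape", "strip_script"))
    def render(body: str) -> str:
        return "<p>" + body + "</p>"

    # Constructed request parameter, tagged as tainted at the trust boundary.
    name = Tainted("Mallory", source="query.name")
    render(escape(name))                    # sound sanitizer: no finding
    render("Hello, " + strip_lower(name))   # weak sanitizer: finding
    render("Hello, " + name)                # no sanitizer at all: finding
    render("static text")                   # no taint: nothing to report
    return mon.findings, mon.weak_sanitizers
```

Running `run_demo()` yields two findings, one for the value that reached the sink unsanitized and one for the value that passed only through the sanitizer the probe showed to be weak; the properly escaped value produces none. A real agent tracks taint through far more operations than `+` (formatting, slicing, collections) and carries a library of probes per sink class, but the reporting logic is the same.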
Developer-Centric Testing Tools
AppScan V10 helps businesses implement shift-left security testing by introducing testing tools adapted for developer use. AppScan’s IDE plug-in enables developers to run real-time scans on the code in the IDE. Vulnerable code is marked up – like a spellchecker would mark up a misspelled word – and developers can easily fix the problem using contextual fix recommendations. AppScan also supports private SAST, DAST and IAST, to help developers identify problems in private, before they commit their code, and more importantly, before they impact the release cycle.
DevOps-Ready Automation
Improved APIs
AppScan V10 features dozens of new or improved APIs for triggering scans, modifying configurations, managing users, and more.
Improved plug-ins
The AppScan security testing suite features a rich set of plug-ins to ensure it works in harmony with other DevOps tools. V10 introduces major improvements to the Jenkins and UrbanCode plug-ins.
Cloud
AppScan on Cloud (ASoC) continues to deliver a comprehensive suite of security testing tools from the cloud, including SAST, DAST, IAST, SCA and mobile scanning. Customers can start scanning their applications without installing any software, and without any upfront license fees.
On-Premise
AppScan Standard is a dynamic application security testing tool designed for security experts and pen-testers. Using a powerful scanning engine, AppScan automatically crawls the target app and tests for vulnerabilities.
AppScan Enterprise delivers scalable application security testing and risk-management capabilities, to help enterprises manage risk and compliance. AppScan enables security and DevOps teams to collaborate, establish policies and perform testing throughout the application development lifecycle. AppScan Enterprise’s REST interface enables integration with various automation tools to ensure seamless integration with DevOps CI/CD pipelines.
AppScan Source helps organizations develop more secure software, and avoid costly vulnerabilities that surface late in the development lifecycle. By integrating security testing early in the development cycle – i.e. shift-left security – AppScan reduces risk exposure and reduces remediation costs.