
Dynamic Application Security Testing (DAST) is a black-box testing technique that scans a running web application to identify security vulnerabilities by simulating external attacks. This is done by crawling the site and injecting faulty inputs to observe how the application handles unexpected or erroneous data. Inputs of this kind should trigger an error page; when they don't, the response can signal that a page is revealing sensitive information, or indicate an underlying vulnerability caused by improper error handling.

Validation Methods and Edge Cases

HCL AppScan DAST has two primary methods for validating these types of vulnerabilities. In the first, the DAST engine has been trained on what to look for and uses heuristics to recognize common patterns in error messages that indicate vulnerabilities. These include common database error messages (e.g., MySQL or SQL Server errors) and certain keywords or phrases, such as "null reference," "syntax error," or "exception," that need to be flagged as potential security issues.

Additionally, DAST uses a second method that examines every faulty input without having been trained on what to look for. This second process relies on Error Page Detection: a faulty input should trigger an error page, and if it doesn't, the result is considered a vulnerability. However, there are challenging edge cases where the error message is not very pronounced, or where the page carrying the error looks very similar to a regular page. If the scan misses these signs, the page is misinterpreted as a non-erroneous response and the result is a false positive. In other words, the scan reports a potential vulnerability or mishandling of information that isn't there.

Introducing GenAI

Beginning with HCL AppScan Version 10.7.0, the DAST technology can leverage GenAI to reduce the risks inherent in these edge cases. Simply put, a prompt is sent to the AI asking whether a given page displays an error to the user. Based on real-world tests with issues raised by customers, the AI has an excellent record of detecting errors in edge cases and complements the HCL AppScan DAST heuristics.

In order to keep any increase in scan time to a minimum, the AI is only queried when the scan rules require error page detection, and even then only if HCL AppScan DAST fails to detect the error page using heuristics alone. If HCL AppScan detected a response as erroneous without the help of AI, no verification is necessary, as false positives in that direction are rare or non-existent.
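The two-stage decision described above, as an added illustration that is not AppScan's own code: the heuristic patterns, the sample responses and the `ask_llm` callback (a stand-in for the customer-provided LLM endpoint) are all constructed for this example, and the AI is consulted only when a rule needs error page detection and the heuristics have not already recognised an error.

```python
import re
from typing import Callable, Optional

# Constructed heuristic patterns in the spirit of the ones described above:
# database error signatures plus generic exception keywords. Not AppScan's rule set.
ERROR_PATTERNS = [
    re.compile(r"you have an error in your sql syntax", re.I),                # MySQL
    re.compile(r"unclosed quotation mark after the character string", re.I),  # SQL Server
    re.compile(r"\bnull ?reference\b", re.I),
    re.compile(r"\bsyntax error\b", re.I),
    re.compile(r"\bexception\b", re.I),
]

def heuristic_is_error_page(body: str) -> bool:
    """Stage 1: pattern matching only, no AI involved."""
    return any(p.search(body) for p in ERROR_PATTERNS)

def classify_response(body: str, requires_error_detection: bool,
                      ask_llm: Optional[Callable[[str], bool]] = None) -> dict:
    """Decide whether a response is an error page and record which stage decided.
    ask_llm is a hypothetical callback wrapping the LLM endpoint; it is invoked only
    when the rule needs error page detection AND the heuristics found nothing.
    For a faulty input, is_error == False is what would be reported as a finding."""
    if not requires_error_detection:
        return {"is_error": None, "decided_by": "not required"}
    if heuristic_is_error_page(body):
        # Heuristic hit: no AI verification, false positives here are rare.
        return {"is_error": True, "decided_by": "heuristics"}
    if ask_llm is None:
        return {"is_error": False, "decided_by": "heuristics"}
    return {"is_error": ask_llm(body), "decided_by": "ai"}

# Constructed sample responses: a loud DB error, a subtle error page, a normal page.
MYSQL_ERR = "<html><body>Warning: You have an error in your SQL syntax near ''' at line 1</body></html>"
SUBTLE_ERR = "<html><body><h1>Oops</h1><p>We couldn't process your request. Try again later.</p></body></html>"
NORMAL = "<html><body><h1>Search results</h1><ul><li>Widget</li></ul></body></html>"

LLM_CALLS: list = []  # records every body sent to the (fake) model

def fake_llm(body: str) -> bool:
    """Stand-in for the real endpoint: treats apologetic 'Oops' copy as an error page."""
    LLM_CALLS.append(body)
    return "oops" in body.lower() or "couldn't process" in body.lower()
```

Running the three samples through `classify_response(..., True, fake_llm)` shows the MySQL page decided by heuristics alone, while only the subtle and normal pages reach the model.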


Screenshot showing the AI configuration in HCL AppScan Standard (DAST tool)
(Note: The customer will need to provide their own LLM endpoint and token.)

HCL AppScan has been incorporating AI into its testing tools for years, primarily to reduce false positives in static application security testing (SAST). This new adoption of GenAI in the DAST engine, together with its use in the new AutoFix function for faster remediation, represents cutting-edge innovation that is defining HCL AppScan as a global leader in application security testing.

Learn more here about additional updates in HCL AppScan Version 10.7.0; and contact us today to see how we can help you improve your application security posture and reduce business risk in the Digital+ economy.
