In the recent large-scale data breach at Equifax (one of the three major credit reporting agencies in the United States), personal information such as names, social security numbers, birthdates, addresses, and driver's license numbers of 147 million Americans was compromised. That is nearly half of the U.S. population. This breach and others like it have far-reaching consequences and clearly illustrate the importance of integrating security into the development of web applications.
In the era of digital transformation, much of this development has moved to the cloud, and cloud computing has fast become a vital part of all business operations. Amazon Web Services (AWS) is one of the leading cloud service providers and offers a robust infrastructure for hosting applications and services.
For those using AWS, HCL AppScan now offers solutions that allow you to integrate comprehensive security testing into your DevOps cycle without leaving the platform. As with its integrations with Jenkins, Azure DevOps, Bamboo, and others, the AWS integration provides an efficient workstream for identifying and mitigating vulnerabilities in your web applications.
Benefits of Integrating HCL AppScan with AWS
- Continuous Security: AWS allows for dynamic scaling and frequent updates, making it essential to maintain continuous security testing. HCL AppScan can be integrated into your AWS CodeBuild/ CodePipeline, ensuring that every change that is deployed undergoes security scanning, reducing the risk of vulnerabilities slipping through the cracks.
- Customizable Policies: HCL AppScan allows you to define custom security policies based on your organization's specific obligations and compliance standards. These policies can be tailored to align with AWS best practices, enhancing your overall security posture.
- Actionable Insights: HCL AppScan provides comprehensive, detailed security test reports that list the issues found along with remediation guidance for each. You can view sample reports. Reports can be generated in HTML, PDF, XML, and CSV formats.
- Fail build: Many organizations have security compliance standards that must be met. Fail-build criteria ensure that your application complies with these standards, reducing security risks and potential legal implications. If the application may only be deployed to production when the scan results are acceptable, the build can be configured to fail based on the number of vulnerabilities found at each severity. When the failure conditions are met, the following message is displayed: "The number of security results exceeds the specified threshold."
Optionally, a build can also be failed when compliance policies are not met, producing the following message: "Scan result contains non-compliant issues with respect to the policies associated with the selected application."
By defining clear rules and thresholds, we can maintain the integrity of the web application and protect it from potential security breaches, and we will be better equipped to proactively address vulnerabilities and strengthen the application's security posture.
- Test Optimization: HCL AppScan offers intelligent test filtering to achieve faster scans when speed is needed, with minimal loss of issue coverage. The filters are based on statistical analysis and exclude certain tests, or even specific test variants, to produce a shorter scan that identifies only the more common, severe, and otherwise important vulnerabilities. You can reduce scan time by choosing a balance between speed and issue coverage. Read more about test optimization.
- Private Site Scans: Sites not accessible from the Internet can be scanned using HCL AppScan Presence. See AppScan Presence for instructions; for further details on how private site scanning works "under the hood," refer to Understanding Private Site Scanning.
- Issue Migration: The HCL AppScan Issue Management Gateway service can migrate issues created during a security scan from HCL AppScan on Cloud to other issue management applications such as Jira, Azure, and Rational Team Concert.
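The fail-build gating described under "Fail build" above, as an added example that is not HCL AppScan's code: it uses a constructed scan-summary format in place of the real report, applies per-severity thresholds and an optional policy-compliance check, and exits non-zero so that a CodeBuild stage fails.

```python
# Added example (not HCL AppScan's code): a build gate modelled on the
# "Fail build" behaviour described above. The scan summary shape used here is
# a constructed assumption; map the real AppScan report to it in practice.
import json
import sys

THRESHOLD_MSG = "The number of security results exceeds the specified threshold."
POLICY_MSG = ("Scan result contains non-compliant issues with respect to the "
              "policies associated with the selected application.")

# Constructed sample summary: three issues, one of which violates a policy.
SAMPLE_SUMMARY = json.dumps({"issues": [
    {"id": "c-1", "severity": "High", "compliant": False},
    {"id": "c-2", "severity": "Medium", "compliant": True},
    {"id": "c-3", "severity": "Low", "compliant": True},
]})

def load_issues(summary_json):
    """Parse the summary document and return its list of issues."""
    return json.loads(summary_json).get("issues", [])

def count_by_severity(issues):
    """Count issues per severity; unknown severities are counted as-is."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for issue in issues:
        sev = issue.get("severity", "Low")
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def evaluate(summary_json, thresholds, enforce_policies=False):
    """Return failure messages; an empty list means the build may proceed."""
    issues = load_issues(summary_json)
    counts = count_by_severity(issues)
    failures = []
    # Severity gate: fail when any severity count exceeds its configured maximum.
    if any(counts.get(sev, 0) > limit for sev, limit in thresholds.items()):
        failures.append(THRESHOLD_MSG)
    # Compliance gate: fail when any issue is flagged non-compliant with a policy.
    if enforce_policies and any(not i.get("compliant", True) for i in issues):
        failures.append(POLICY_MSG)
    return failures

if __name__ == "__main__":
    # Example thresholds: no Critical or High issues; tolerate up to five Medium.
    problems = evaluate(SAMPLE_SUMMARY, {"Critical": 0, "High": 0, "Medium": 5},
                        enforce_policies=True)
    for msg in problems:
        print(msg, file=sys.stderr)
    sys.exit(1 if problems else 0)  # a non-zero exit fails the CodeBuild stage
```

Run it as a post_build command in buildspec.yml after the scan step; the exit status alone decides whether the pipeline proceeds to deployment.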
How to Integrate?
Integration is easy with the newly developed HCL AppScan command-line utility (CLI). The CLI is available in the HCL OpenSource GitHub repository and can be used to integrate with AWS CodeBuild and CodePipeline, as well as other third-party tools. More details here. In the 1.0 release, only DAST (Dynamic Application Security Testing) scans are supported by the CLI tool; more features will be added in upcoming releases. The integration is straightforward, and the CLI supports multiple features that can be used for extensive DAST testing.
Get more information on the entire HCL AppScan suite of application security testing solutions or start your 30-day free trial of HCL AppScan On Cloud today.