start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
Select Page

If you haven’t looked at AppScan on Cloud recently, you’re missing out on some fantastic new features that make scanning more convenient and meaningful than ever. The last few months of 2021 introduced multiple improvements that provide significant advantages to our users. This blog will look at some of the newest features and benefits offered by AppScan on Cloud.

Log4j specific testing

With all the news surrounding the Log4j vulnerability, it was the logical next step for AppScan on Cloud to add testing capabilities to detect and provide remediation guidance for Log4j.  Specifically, a new security rule was added for DAST testing and automatically included for all Test Optimization types, so you can still prioritize speed without compromising the ability to scan for Log4j.  ASoC’s OSA testing also detects vulnerabilities associated with all 4 of the CVEs that have been identified with Log4j.  Figure 1 below illustrates an example of the new test result finding a potential remote command execution vulnerability.  You can watch the entire process of this DAST testing in below YouTube example.

Video image Video Play Button

scan for latest vulns

Figure 1:  Finding Log4j Vulnerabilities in AppScan on Cloud 

New Single Scan Reporting  

Another innovative feature that has been added to ASoC is the single scan view. The single scan view is a detailed report on a scan that can even be viewed while the scan is running. Using the “Overview” tab of the single scan view provides visibility into the number of visited pages, tested elements, and vulnerability issues as they are found. Users can drill down to specific issues first discovered in the scan as they show up on their scan card. Figure 2 below provides an example of what this new view looks like. Once the scan is completed, issues can be viewed and filtered and reports can be downloaded. Columns in the scan report are clickable and lead to a filtered list in the “Issues” tab. On the “Issues” tab, comments can be added to an individual issue by selecting the “Comments” option. This allows users to effectively share feedback with their team members. 

appscan on cloud execution

Figure 2:  New Single Scan View in AppScan on Cloud 

New Language Supported 

ASoC recently announced support for the Report Program Generator, or RPG, a programming language used for business applications and primarily found on IBM I or OS/400 systems.  For more information about RPG as a language, see this site.  Now ASoC users can now include file types of. rpg, .rpgl and .rpgle in static analysis.  At the time of this writing, AppScan on Cloud now supports over 30 different languages. 

Greater flexibility and control 

A constant area of focus for AppScan on Cloud is to make it easier to run scans that are meaningful and effective at vulnerability remediation.  As part of this effort, we have added a new report type for the 2021 OWASP Top 10 and several new capabilities to increase the amount of flexibility ASoC users have for controlling scans.    

Specifically, we have added the following: 

  • Support for both including and excluding .NET namespaces. 
  • Support for specifying cache locations when Java parallel processing is used.   
  • A new Rider plugin. 
  • Greater support for viewing issues found for the first time in the application.  
  • Easier processes for scheduling and editing a configured schedule
  • New icons to indicate the “Scheduled” and “Repeat” status of scans.   
  • An automatic log-out following an inactivity period of 30 minutes as well as two changes for how business units are managed.   
  • Support for merging two business units and the ability to add a limit to the number of business units allowed in the organization. 

Specific to IAST 

No discussion on ASoC would be complete without highlighting new features added for Interactive Application Security Testing (IAST). With the most recent upgrade, we added the ability to update the IAST agent configuration and made changes to improve overall performance: Java 17 support and enhanced support for communication with AppScan Enterprise in environments where the proxy is set through Java properties. Additionally, there are several new security features for IAST, including the capability to identify XXE on a JAXB class (more information on this particularly vulnerable class can be found at the OWASP XXE site) and detect JSON XSS informational issues (an XSS variant of vulnerable data written to responses as JSON). 


We are confident that our existing AppScan on Cloud users will enjoy the benefits of these new additions.  If you are not yet an AppScan on Cloud user, we encourage you to visit our AppScan on Cloud site and sign up for our free trial to experience our new features first-hand. 

Comment wrap
Secure DevOps | December 20, 2023
Secure Application Code Against Vulnerabilities Faster with HCL AppScan Fix Groups
Stop in for an update on how HCL AppScan helps find vulnerabilities and security risks, starting with built in AI that dramatically reduces the number of scan findings and practically eliminates false positives.
Secure DevOps | December 5, 2023
HCLSoftware Named a Strong Performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023
HCLSoftware has been named a strong performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023 Report. Read the blog to know more.
Secure DevOps | August 2, 2023
Wider Application Security Coverage with HCL AppScan DAST and Vulnerable Third-Party Component Detection
HCL AppScan DAST (dynamic application security testing) is an industry-leading technology that scans your applications and APIs against potential vulnerabilities.