Increasing the Application Security Testing (AST) coverage without changing the Software Development Lifecycle (SDLC).
Industry: Information Technology
Products: HCL AppScan
Region: North America/US
Business Challenges
Our customer was faced with the following business challenges:
- Improving the security protection of their products without disrupting the current SDLC process.
- Reducing the probability of a security issue that could delay shipping of new versions.
Solution
Integrate IAST into the customer’s existing QA process and leverage automatic, manual and sanity tests to extend Application Security Testing (AST) coverage and transform DevOps to DevSecOps.
Results
Improved AST coverage and remediation processes, due to informative records of security issues such as full call stacks and exploit examples that are reported by the IAST agent.
We were surprised by the deployment process. We were expecting something more complicated than deploying a WAR file to our Tomcat!
Technical Manager DevOps team
Business Case for IAST
The company was already utilizing DAST as part of their SDLC, mostly in the late stages. This common practice provided good results, but had several downsides:
- When a significant security vulnerability was discovered, it caused a delay in the release, since DAST was introduced as one of the last steps before a new version was shipped. Remediation efforts for security vulnerabilities were high because the DAST scanner reports less detailed information about each finding.
- There was a significant time gap between writing the code and discovering vulnerabilities.
Integrating IAST
The company has an extensive Quality Assurance (QA) process due to its codebase's size and complexity. The QA process includes automated and manual testing that ranges from simple sanity scenarios to complicated edge cases. Every new version also adds more functionality, so further tests were introduced into the QA process.
The QA infrastructure is Docker-based and orchestrated using Jenkins. Since the team didn't want to change their existing containers, they decided to integrate IAST by using a simple script that utilizes AppScan's APIs to download and deploy the agent to the web server, after applications are successfully built and published.
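The post-build step described above, written out as an added example (this is not the customer's or HCL's own script): it fetches the agent WAR, verifies it against a pinned checksum before it reaches the server, copies it into Tomcat's webapps directory and waits for auto-deployment. The download endpoint, token variable and expected checksum are assumed placeholders that the AppScan instance would supply.

```shell
#!/bin/sh
# Added example, not the case study's own script. Jenkins would call `main`
# once the application image is built and published.
# ASSUMED placeholders: APPSCAN_AGENT_URL, APPSCAN_TOKEN, AGENT_SHA256.
set -eu

# Download the IAST agent WAR from the AppScan service (placeholder endpoint).
fetch_agent_war() {
  dest="$1"
  curl -fsSL -H "Authorization: Bearer ${APPSCAN_TOKEN:?set APPSCAN_TOKEN}" \
    -o "$dest" "${APPSCAN_AGENT_URL:?set APPSCAN_AGENT_URL}"
}

# Compare the WAR's SHA-256 with the expected value so a tampered or
# truncated download is never deployed. Returns 0 on match, 1 otherwise.
verify_war() {
  war="$1"; expected="$2"
  actual=$(sha256sum "$war" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Copy the WAR into webapps (Tomcat auto-deploys it) and poll for the
# expanded directory. Returns 0 once deployed, 1 after `timeout` seconds.
deploy_war() {
  war="$1"; webapps="$2"; timeout="${3:-60}"
  name=$(basename "$war" .war)
  cp "$war" "$webapps/$name.war"
  i=0
  while [ ! -d "$webapps/$name" ]; do
    i=$((i + 1))
    if [ "$i" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
  done
  return 0
}

# Full pipeline step: fetch, verify, deploy.
main() {
  war=/tmp/iast-agent.war
  fetch_agent_war "$war"
  verify_war "$war" "${AGENT_SHA256:?set AGENT_SHA256}"
  deploy_war "$war" "${CATALINA_HOME:-/usr/local/tomcat}/webapps"
}
```

Because the checksum is checked before `cp`, a failed verification leaves the existing container untouched and fails the Jenkins stage, which is the point of doing it in the pipeline rather than inside the image.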
Effects
A significant benefit that developers instantly reported was the amount of information each security vulnerability contained. Having the line of code that originated the issue, along with an example of an exploit that triggered it, reduced remediation efforts significantly. Since the QA process is adjacent to the development process, the code changes that introduced new security vulnerabilities are still fresh in developers' minds when they come to resolve them.
Another benefit that the security team reported was a reduction in the issues detected by DAST scanning, since the QA process now helped to resolve issues earlier in the SDLC.
From a maintenance perspective, the Security and DevOps teams were impressed since integrating the IAST agent only requires a single straightforward script, and the agent itself is evergreen (meaning that it updates automatically). Another great thing is that the QA team can keep adding new tests for every new functionality it develops, keeping AST coverage up to date with every new version. The process keeps improving as a byproduct of the SDLC itself.
The amount of information I receive per issue is beneficial for the prioritization and remediation process.
System Architect
About the Company
Due to the cybersecurity domain's sensitive nature, the company requested to stay anonymous in this particular case study. The company is a software company in the IT e market that provides services to SMBs and large enterprises.
The technology stack used in this case study is:
- Java
- Tomcat
- Docker
- Jenkins