HCL AppScan continues to push forward on an accelerated innovation roadmap with the release of version 10.3.0 for three on-prem software products: HCL AppScan Standard, Enterprise, and Source. Organizations with a focus on building secure applications and understanding their software supply chain can now benefit from even wider vulnerability coverage, an improved user experience and the addition of secrets scanning. Version 10.3.0 is expected to be adopted quickly by new and existing customers looking to leverage these enhancements and improvements throughout the three platforms.
Finding Vulnerable Third-Party Components
The fast pace of software development relies on the use of third-party components and libraries so that engineers don’t have to develop every portion of application code from scratch. Over time it becomes increasingly difficult to keep track of these components and, most importantly, determine whether they have introduced vulnerabilities to your codebase. Cataloguing all third-party components and establishing which ones have known vulnerabilities is crucial to avoiding data breaches.
Vulnerable Third-Party Component Detection is a new feature in version 10.3.0 of both HCL AppScan Standard and HCL AppScan Enterprise. It uses fingerprinting to identify the most widely used client- and server-side technologies and report their known vulnerabilities. Combined with DAST (Dynamic Application Security Testing), it provides much wider vulnerability coverage: you can identify libraries with known vulnerabilities and see those findings alongside all your DAST results.
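To make the fingerprinting idea concrete, here is an added example (not AppScan's code, and not a description of how AppScan implements the feature). It assumes a fingerprint catalogue of regular expressions that extract a version string from a specific part of an HTTP response (a JavaScript file's header banner for a client-side library, a response header for a server component), and an advisory table with "fixed in" versions. The component names, the responses and the advisory identifiers are all constructed placeholders.

```python
import re

# Constructed fingerprint catalogue (assumption, not AppScan's): each entry names
# the component, where in the response to look, and a regex whose group 1 is the version.
FINGERPRINTS = [
    # client-side library: version banner in the header comment of a served JS file
    {"component": "examplelib", "location": "body",
     "pattern": re.compile(r"/\*!\s*examplelib\s+v(\d+\.\d+\.\d+)")},
    # server-side component: version advertised in the Server response header
    {"component": "demo-server", "location": "header:server",
     "pattern": re.compile(r"^demo-server/(\d+\.\d+\.\d+)$")},
]

# Constructed advisory table with placeholder identifiers: every version below
# "fixed_in" is treated as affected.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "examplelib", "fixed_in": "1.4.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "demo-server", "fixed_in": "2.0.0"},
]

# Constructed responses a DAST crawler might have recorded: URL, headers, body.
SAMPLE_RESPONSES = [
    {"url": "/", "headers": {"Server": "demo-server/1.9.2", "Content-Type": "text/html"},
     "body": "<html><body>hello</body></html>"},
    {"url": "/static/app.js", "headers": {"Content-Type": "application/javascript"},
     "body": "/*! examplelib v1.2.3 | MIT */\nfunction a(){}"},
    {"url": "/static/other.js", "headers": {"Content-Type": "application/javascript"},
     "body": "/*! examplelib v1.5.0 | MIT */\nfunction b(){}"},
]


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def fingerprint(response):
    """Return {component: version} for every fingerprint that matches one response."""
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    found = {}
    for fp in FINGERPRINTS:
        if fp["location"] == "body":
            text = response.get("body", "")
        else:  # "header:<name>" looks at a single header, case-insensitively
            text = headers.get(fp["location"].split(":", 1)[1], "")
        match = fp["pattern"].search(text)
        if match:
            found[fp["component"]] = match.group(1)
    return found


def known_vulnerabilities(components):
    """Match detected (component, version) pairs against the advisory table."""
    hits = []
    for adv in ADVISORIES:
        version = components.get(adv["component"])
        if version is not None and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((adv["component"], version, adv["id"]))
    return hits


def scan(responses):
    """Fingerprint each response and report affected components with the URL they were seen on."""
    findings = []
    for response in responses:
        for component, version, advisory in known_vulnerabilities(fingerprint(response)):
            findings.append({"url": response["url"], "component": component,
                             "version": version, "advisory": advisory})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding)
```

The third response carries examplelib 1.5.0, which is at or above the placeholder "fixed in" version, so only the two older components are reported; a real catalogue would also need to cope with components that expose no version string at all, which is why fingerprint-based detection complements rather than replaces a software bill of materials.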
Secrets Scanning with HCL AppScan Source
Another step forward for software supply chain security comes with the addition of Secrets Scanning in version 10.3.0. Using the SAST (Static Application Security Testing) scanning engine found in HCL AppScan Source, customers can now identify secrets, credentials, social security numbers, API keys, etc., that developers and software engineers have accidentally stored in source code repositories during development. While secrets are rarely left embedded in files intentionally, they can be overlooked and represent an opportunity for malicious hackers if they gain access to a repository.
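The following is an added example of what a secrets scan over source text looks like; it is not AppScan Source's engine or rule set. It assumes a small rule table: fixed-format patterns for an AWS-style access key ID, a PEM private-key header and a US social security number, plus a generic rule for a quoted literal assigned to a credential-like variable name, which is only reported when the literal is long and high-entropy enough to be unlikely to be a placeholder. The source file it scans is constructed inline; the access key value is the example key format that AWS uses in its own documentation.

```python
import math
import re

# Constructed rule set (assumption, not AppScan's). Group 1 of each regex is the candidate secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("us-ssn", re.compile(r"\b(\d{3}-\d{2}-\d{4})\b")),
    # quoted literal assigned to a name such as password, db_secret, api_key, token
    ("credential-assignment",
     re.compile(r'(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["\']([^"\']+)["\']')),
]

MIN_LITERAL_LENGTH = 12   # shorter literals are almost always placeholders or test values
MIN_ENTROPY_BITS = 3.0    # Shannon entropy per character below which a literal is not reported

# Constructed source file: a mix of safe and unsafe ways of handling credentials.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "sk_9f8e7d6c5b4a3f2e1d0c"
password = "changeme"
test_ssn = "123-45-6789"
# -----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s):
    """Bits of entropy per character of s; random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    length = len(s)
    return -sum((s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s))


def redact(value):
    """Keep a short prefix so the finding is recognisable without reproducing the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_source(text, path="constructed.py"):
    """Run every rule over every line and return findings with a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, regex in RULES:
            for match in regex.finditer(line):
                value = match.group(1)
                # The generic rule is noisy on its own: drop short or low-entropy literals.
                if rule_name == "credential-assignment" and (
                        len(value) < MIN_LITERAL_LENGTH or shannon_entropy(value) < MIN_ENTROPY_BITS):
                    continue
                findings.append({"path": path, "line": lineno, "rule": rule_name,
                                 "preview": redact(value)})
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f'{finding["path"]}:{finding["line"]} {finding["rule"]} {finding["preview"]}')
```

Note what is not reported: the value read from the environment on line 2 (no literal is assigned) and the `changeme` placeholder on line 5 (too short). The entropy threshold is a heuristic, so a real scanner also needs an allow-list for test fixtures and the ability to rotate any credential it does find, since a secret that has reached a repository should be treated as exposed.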
The OWASP Foundation spearheads community-led, open-source projects to study and provide guidance in application security. Their API Security Top 10 list focuses on the most common vulnerabilities and security risks of Application Programming Interfaces (APIs).
HCL AppScan 10.3.0 now covers 100% of the vulnerabilities and security risks on that list, including authorization issues, unrestricted access to sensitive business flows and server-side request forgery. Nine of the ten issues can be found with DAST in both HCL AppScan Standard and Enterprise; the tenth is detected with IAST (Interactive Application Security Testing), available to HCL AppScan Enterprise customers.
Intuitive Dashboards for Easier Workflow
HCL AppScan continues to improve the configuration UI (User Interface) with each quarterly release, streamlining the customer experience to reflect the context for every action. Cumbersome tool bars have been replaced with easy-to-understand scan action buttons that reflect where a user is in their scan workflow and what they need to take the next step. In version 10.3.0, specific attention has been paid to improving the ways users work with and have visibility over test policies and incremental scanning.
More Language Support, Automations, and Compliance Reporting
HCL AppScan uses a common SAST engine in all products, including HCL AppScan Source, HCL AppScan 360°, and HCL AppScan on Cloud. This allows new languages and enhancements to be adopted faster by all three platforms. With the release of version 10.3.0, HCL AppScan Source adds language support for Rust as well as enhancements to the support for both Java and Ruby scanning.
Customers are always looking for more ways to automate processes, and for documented workflows that other engineers can follow as examples. HCL AppScan Source has made improvements to the command line interface in version 10.3.0 that make automation easier, including the addition of Podman support and improved automation with Jenkins and Azure.
HCL AppScan Enterprise has also improved compliance reporting to support the newest guidelines from NIST (National Institute of Standards and Technology) – SP 800-53A Rev. 5. NIST provides methodology and procedures for assessing security and privacy controls in an organization.