HCLSoftware announced the release of a new application security product at the beginning of June 2023 – HCL AppScan 360º. This unified platform, built on cloud-native architecture, is an extension of the HCL AppScan application security portfolio, designed to address the dynamic and growing needs of the modern-day application transformation environment.
During a break from recent meetings in London, Dario Debarbieri, Vice President and Head of Marketing, sat down with HCLSoftware Executive Vice President Rajesh Iyer for a wide-ranging discussion on trends in application security and why he is so excited about the role that HCL AppScan 360º will play in the future.
Dario Debarbieri (DD) – Thank you for taking some time to discuss HCL AppScan 360º. Before we discuss the new software platform, I was hoping you could elaborate on some recent statements you made about “fundamental shifts” in the application security marketplace. I am interested in this democratizing of application security testing you described and how it is shifting left from the CISO’s office to the development shop.
Rajesh Iyer (RI) – Thanks so much Dario for the opportunity to talk about these critical subjects and about our new “baby,” HCL AppScan 360º. The shift that you mention has been in motion for a while and reflects how the digital economy has changed so many aspects of how we do business. Where it was acceptable a few years ago to test applications just prior to release, or even afterwards, security is no longer effective as an afterthought. That’s why developers have taken up the work of better integrating application security early on into their DevOps toolchains, resulting in what’s now referred to as “secure DevOps” or “DevSecOps” operations.
DD – Are these newer approaches to security part of what you have described as “The Digital+ Economy?”
RI – The Digital+ Economy is more than just the shifting left of application security testing. First, to stay competitive, companies are developing more applications and apps faster than ever before and deploying them across multiple devices and channels. This is resulting in an equally increasing number of ways you can be hacked, with no end in sight.
To address these threats, organizations are looking for application security capabilities in a variety of formats to meet their needs — on-premises, on the cloud as a service, on sovereign clouds and a combination of all the above. It’s not uncommon for a company to now want source code testing, or SAST, largely on-prem or on private cloud (since they don’t want their code going to somebody else’s cloud). But the same company might also want to scan with DAST (dynamic application security testing) and continue to outsource that need to pen testers and run it on an as-a-service cloud.
Companies are no longer interested in just “application security scanning” at the unit level. They want to know their overall risk profile and operational risk exposure. For that, they need powerful reporting capabilities that give them visibility into their security posture at any point in time.
Lastly, let’s not forget that Digital+ isn’t just about security. It’s also about operational efficiency. Companies want all of the above and at the lowest possible TCO (Total Cost of Ownership).
DD – I am really interested in how HCL AppScan has been helping customers with this shift into a Digital+ Economy.
RI – As you know, AppScan had its origins over twenty years ago and has continually set the standard for application security. HCLSoftware’s team has expanded the platform in recent years to include the most extensive set of application security testing capabilities in the industry. We provide our customers with every kind of testing you can think of – static, dynamic, interactive, API, open source, etc. and we do so on-premises, and on the cloud through our HCL AppScan on Cloud (ASoC) as-a-service platform.
We’ve continued to use AI to radically increase scan accuracy, reducing scan processing times – whether you’re a developer or security professional. Our mantra is “fast, accurate and agile security testing.” And for good reason!
And I’m excited to say that we’re taking all of this forward even further with the launch of our HCL AppScan 360º platform in June 2023.
DD – You have said that HCL AppScan 360º is the future of the AppScan platform. Can you expand on that for me?
RI – To start with, HCL AppScan 360º brings together our entire suite of application security testing capabilities – static, dynamic, interactive, supply chain, container, API testing etc. – into the industry’s broadest set of unified offerings that can be delivered on-prem, on-cloud or as-a-service. Organizations will benefit from both a centralized platform that gives them real visibility into their security posture, as well as choice in what scanning capabilities they use, how they use them, and how they want it all deployed.
While much of this technology suite has been available as-a-service with ASoC, we are integrating it with our on-premises offerings in a single platform and powering it all with a unified architecture. By doing so, HCL AppScan 360º lays the foundation for greatly enhanced feature velocity and CI/CD, substantially improving customers’ security profile.
What we have clearly seen is that there is no “one size fits all” approach to application security. The public cloud works great for many companies, but others want that same modern platform deployed on-prem, or on a private or sovereign cloud – possibly a hybrid of these options. HCL AppScan 360º provides all those choices.
DD – What kind of impact do you see this platform having on your current customers?
RI – A really positive impact, Dario. HCL AppScan 360º is completely designed to support the security needs of our customers in the Digital+ economy. They will have the opportunity to benefit from a more modern CI/CD as well as the increased number of integrations that this new solution provides. And we will continue to support and enhance our current HCL AppScan portfolio including ASoC. HCL AppScan 360º just adds yet another layer of consumability to our portfolio by making it available for private-cloud, sovereign cloud, and MSP based deployments.
DD – Can you say a little bit more about sovereign clouds and MSP based deployments and how HCL AppScan 360º helps with these?
RI – HCL AppScan 360º essentially takes ASoC, which is a SaaS service, and makes it available not only on-premises, but also on your private-cloud, sovereign-cloud, or MSP-led cloud. This radically changes the deployment options available to our customers.
Deploying HCL AppScan 360º on any cloud of your choice is the equivalent of accessing a completely custom version of ASoC specific to each organization’s needs. This can be a sovereign cloud to support federal and state governments, other sovereign clouds where there are data residency requirements, and so on. You can do so at the click of a button, since we’ve radically simplified deployment and operations.
We’re also in the process of enlisting MSP partners who can provide this on their own clouds as a service to their constituents. We’re seeing lots of interest from telco companies and SI and tech partners for a “BP-led ASoC” powered by HCL AppScan 360º.
DD – Are there any details on the June 2023 initial release you want to leave us with?
RI – Our first release of AS 360 will be AS 360º for SAST or source testing. We’ve introduced numerous features that enhance the developer experience, including better support for remediation and more plug-ins and languages that give developers unparalleled flexibility and choice. We will be adding technologies like DAST, IAST and SCA in the upcoming releases, along with an increasing number of deployment options.
We believe that the direction we are moving in with the release of HCL AppScan 360º will radically increase the footprint of HCL AppScan and prepare more and more customers for the Digital+ Economy.