HCL AppScan Releases Version 10.2.0 for Three Application Security Testing Solutions

With the new release of version 10.2.0, HCL AppScan continues to demonstrate an unwavering commitment to innovative application security testing. Three on-premises products have now been updated with critical capabilities and user experience functionality, all based on extensive security research and customer feedback. The updates are all part of an innovation roadmap that’s looking ahead to meet not just today’s security needs, but those of tomorrow as well.

Let’s take a look.

HCL AppScan Standard is an on-premises dynamic analysis product featuring industry-leading DAST technology. As part of version 10.2.0, new updates include:

CVSS 3.1 scoring

• Issue severity and CVSS score are now based on CVSS 3.1 scoring.
  Scans that are run in earlier HCL AppScan versions (which used 2.0 scoring) can have 3.1 scoring applied (this may change some issue scores and severities) or viewed as they are.
• New Critical severity for issues has been added, in line with CVSS 3.1.

New configuration view

• The previous Configuration dialog box has been revamped, reorganized, and integrated as a native view in the main user interface.
• Web API scans are now configured in the new Configuration view (see API).
• The scan wizards have been replaced with Presets in the new Configuration view, showing you the essential options for fast setup.

Updated regulatory compliance report template:

• [US] California Consumer Privacy Act (CCPA) – AB-375.

New security rules in this release include:

• MaxLengthVuln – Search for “maxlength” attributes with a very large constraint
• LeakedSecretTokens – Search for secret tokens in the response
• SecurityRule_AbstractContentSecurityPolicyRule – New abstract CSP rule added (containing common detection and mutation)
• attNoHttpsRedirection – Check for https redirection when http scheme is used
• attText4Shell – Added new rule for Text4Shell Vulnerability (CVE-2022-42889)
• attGraphqlIntrospectionMutation – Check whether introspection is enabled in GraphQL

HCL AppScan Enterprise is a scalable on-premises application security testing tool offering SAST, DAST, IAST as well as extensive risk-management visibility and oversight. As a part of version 10.2.0, new updates include:

CVSS 3.1 scoring

• Issue severity and CVSS score are now based on CVSS 3.1 scoring. Any new scans will be based on CVSS 3.1 scoring. Scan findings prior to the upgrade will be preserved using CVSS 2.0 scoring until rescan. For more information, see the CVSS 3.1 Specification.

Improved user controls:

• Read-only users can now comment on issues if the global option is enabled.
• Granular access control to restrict modification of the issue status.
• Mandated comment on the status change of an issue.
• New API to report findings of the scan. API: /issues/(jobID)
• Activity Log is updated with multi-level filtering and other improvements.

Updated regulatory compliance report template:

• [US] California Consumer Privacy Act (CCPA) – AB-375.

New security rules in this release include:

• MaxLengthVuln – Search for “maxlength” attributes with a very large constraint
• LeakedSecretTokens – Search for secret tokens in the response
• SecurityRule_AbstractContentSecurityPolicyRule – New abstract CSP rule added (containing common detection and mutation)
• attNoHttpsRedirection – Check for HTTPS redirection when HTTP scheme is used
• attText4Shell – Added new rule for Text4Shell Vulnerability (CVE-2022-42889)
• attGraphqlIntrospectionMutation – Check whether introspection is enabled in GraphQL API
• oHttpsRedirection – Added a check for HTTPS redirection when HTTP scheme is used

HCL AppScan Source is an on-premises static analysis product featuring SAST technology and IFA Machine Learning for a 98% reduction in false positives. As a part of version 10.2.0, new updates include:

Enhanced and new functionality

• Configure license inactivity time in the license config file.
• HCL AppScan® Source CLI now allows for source-code-only scanning when scanning folders.
• Project file extensions preferences now list available language/project types in a drop-down list instead of on tabs.
• Supports Red Hat Linux 8.6.
• Supports .NET 7

Additional HCL AppScan Source and HCL AppScan Enterprise interoperability information

• HCL AppScan Enterprise version 10.2.0 has upgraded support for CVSS 3.1. As an HCL AppScan Source user, if you upgrade to the HCL AppScan Enterprise version 10.2.0, there might be a discrepancy in severity values due to the nature of the CVSS 3.1 specification.