-
Products
- Alphabetical List
- Business & Industry Applications
- Cybersecurity
- Data and Analytics
- AI and Intelligent Operations
- Total Experience
- Sovereign Collaboration
- Specialized Software
- HCL Actian
- HCL Actian Data Platform
- HCL Actian Ingres
- HCL Aftermarket Cloud
- HCL AppScan
- HCL Automation Orchestrator
- HCL Automation Orchestrator Suite
- HCL BigFix
- HCL CAMWorks
- HCL Commerce Cloud
- HCL Clara
- HCL Connections
- HCL Customer Data Platform
- HCL DataConnect
- HCL DFMPro
- HCL Discover
- HCL Domino
- HCL DX
- HCL DevOps Code ClearCase
- HCL DevOps Code RealTime
- HCL DevOps Deploy
- HCL DevOps Plan
- HCL DevOps Model RealTime
- HCL DevOps Test
- HCL DevOps Test Embedded
- HCL DevOps Velocity
- HCL Glovius
- HCL Hero
- HCL iAutomate
- HCL iObserve
- HCL iControl
- HCL Informix
- HCL IntelliOps
- HCL IntelliOps Event Management
- HCL Leap
- HCL Link
- HCL Mainframe Solutions
- HCL Marketing Cloud
- HCL MyCloud
- HCL MyXalytics
- HCL Nippon
- HCL Notes
- HCL Now
- HCL OneDB
- HCL SafeLinx
- HCL Sametime
- HCL Secure DevOps
- HCL SoFy
- HCL SX
- HCL TX Platform
- HCL Unica
- HCL Verse
- HCL Volt MX
- HCL Vector Analytics
- HCL Workload Automation
- HCL Z Asset Optimizer
- HCL Z Abend Investigator
- HCL Z and I Emulator
- HCL Zeenea Data Discover Platform
- HCL Zen Edge Data Management
- HCL Aftermarket Cloud Service lifecycle management platform
- HCL Commerce Cloud Enterprise e-commerce for B2C and B2B
- HCL CDP Flexible and customizable customer data platform
- HCL Discover Behavioral insights for customer journeys
- HCL Marketing Cloud Fueling precision marketing at scale with AI
- HCL Unica Enterprise marketing automation platform
- HCL AppScan Scans for application vulnerabilities
- HCL BigFix Secure endpoint management
- HCL BigFix Compliance Ensure security with continuous, real-time compliance monitoring
- HCL BigFix CyberFOCUS Supercharging IT operations to secure the enterprise
- HCL BigFix Remediate Automate, remediate & secure endpoints
- HCL Actian Empowers the data-driven enterprise
- HCL Actian Data Platform Data services suite; flexible deployment
- HCL Actian Ingres Legendary transactional RDBMS
- HCL DataConnect Low-code integration platform
- HCL Zeenea Data Discover Platform Cloud-native data governance solution
- HCL Zen Embeddable edge data management
- HCL Automation Orchestrator Suite Accelerate IT and business automation
- HCL BigFix Secure endpoint management
- HCL BigFix AEX AI-driven employee experience accelerating productivity and innovation
- HCL BigFix Enterprise+ An all-in-one IT infrastructure automation offering enabling you to stay ahead of cyber threats
- HCL BigFix Workspace+ Fueling GenAI within the Digital+ experience
- HCL iControl HCL iControl is a business flow and process observability solution
- HCL MyXalytics Cloud finOps visibility and insights
- HCL SX Service management for everything-as-a-service delivery
- HCL Workload Automation Simplify and automation business workflows
- HCL Connections Collaboration and task management in one workspace
- HCL Domino Rapid application development platform
- HCL Leap No code citizen app dev
- HCL Link Connectivity across your digital ecosystem
- HCL Notes Comprehensive email and collaboration hub
- HCL SafeLinx Secure and flexible remote access to enterprise applications
- HCL Sametime Secure meetings, video, and chat communications
- HCL Verse Smart and secure enterprise email for seamless workflow
- HCL Augmented Network Automation (SON)Intelligent RAN automation platform
- HCL Automation Orchestrator Suite Accelerate IT and business automation
- HCL DFMProCAD integrated Design-for-Manufacturing platform
- HCL CAMWorksCAM for machining productivity
- HCL GloviusModern lightweight CAD Viewer
- HCL Mainframe Optimization Optimize, modernize, and innovate your mainframe investments
- HCL Secure DevOps Automated testing and security scanning
- Industries
- Partners
-
Persona
- HCL Commerce Cloud Enterprise e-commerce for B2C and B2B
- HCL CDP Flexible and customizable customer data platform
- HCL DX The DXP for the moments that matter
- HCL Marketing Cloud Fueling Precision Marketing At Scale with AI
- HCL Unica Enterprise marketing automation platform
- HCL Volt MX Multi-experience low code app dev
- HCL Actian Ingres Legendary transactional RDBMS
- HCL Actian Data Platform Data services suite; flexible deployment
- HCL AppScan Scans for Application Vulnerabilities
- HCL BigFix Secure endpoint management
- HCL BigFix AEX AI-driven employee experience accelerating productivity and innovation
- HCL BigFix Enterprise+ An all-in-one IT infrastructure automation offering enabling you to stay ahead of cyber threats
- HCL BigFix Workspace+ Fueling GenAI within the Digital+ experience
- HCL DataConnect Low-code integration platform
- HCL Foundry Secure Backend Services
- HCL iControl HCL iControl is a business flow and process observability solution
- HCL MyXalytics Cloud FinOps visibility and insights
- HCL SX Service management for everything-as-a-service delivery
- HCL Universal Orchestrator Orchestrate and optimize business automation
- HCL Vector Analytics A high-performance, secure vectorized columnar analytics database
- HCL Workload Automation Simplify and automation business workflows
- HCL Zen Embeddable edge data management
- Learn & Support
What we achieved
-
Zero Configuration deployment process
-
Leveraged existing processes in the SDLC
-
Detailed security vulnerability records
To who
-
Industry: Information Technology
-
Products: HCL AppScan
-
Region: North America/US
Overview
-
Part 1
Challenge
Our customer was faced with the following business challenges:
Improving the security protection of their products without disrupting the current SDLC process.
Reducing the probability of a security issue that could delay shipping of new versions.
-
Part 2
Solution
Integrate IAST into the customer’s existing QA process and leverage automatic, manual and sanity tests to extend Application Security Testing (AST) coverage and transform DevOps to DevSecOps.
-
Part 3
Results
Improved AST coverage and remediation processes, due to informative records of security issues such as full call stacks and exploit examples that are reported by the IAST agent.
The Challenge
Business Case for IAST
The company was already utilizing DAST as part of their SDLC, mostly in the late stages. This common practice provided good results, but had several downsides to it:
- When a significant security vulnerability was discovered, it caused a delay in the release, since DAST was introduced as one of the last steps before a new version was shipped. Remediation efforts for security vulnerabilities were high due to the DAST scanner's less detailed information.
- There was a significant time gap between writing the code and discovering vulnerabilities.
We were surprised by the deployment process. We were expecting something more complicated than deploying a WAR file to our Tomcat!
Technical Manager DevOps team
The Solution
Integrating IAST
The company has an extensive Quality Assurance (QA) process due to its codebase's size and complexity. The QA process includes automated and manual testing that ranged from simple sanity scenarios to complicated edge cases. Every new version also added more functionality, so further tests was introduced into the QA process.
The QA infrastructure is Docker-based and orchestrated using Jenkins. Since the team didn't want to change their existing containers, they decided to integrate IAST by using a simple script that utilizes AppScan's APIs to download and deploy the agent to the web server, after applications are successfully built and published.
The amount of information I receive per issue is beneficial for the prioritization and remediation process.
System Architect
The Results
A significant benefit that developers instantly reported was the amount of information the security vulnerabilities contained. Having the line of code that originated the issue, along with an example of an exploit that triggered it, reduced remediation efforts significantly. Since the QA process is adjacent to the development process, the code changes that resulted in new security vulnerabilities are fresh in developers minds when approaching to resolve security issues.
Another benefit that the security team reported was reducing issues detected in DAST scanning, since the QA process now helped to resolve issues earlier in the SDLC.
From a maintenance perspective, the Security and DevOps teams were impressed since integrating the IAST agent only requires a single straightforward script, and the agent itself is evergreen (meaning that it updates automatically). Another great thing is that the QA team can keep adding new tests for every new functionality it develops, keeping AST coverage up to date with every new version. The process keeps improving as a byproduct of the SDLC itself.
About the company
Due to the cybersecurity domain's sensitive nature, the company requested to stay anonymous in this particular case study. The company is a software company in the IT e market that provides services to SMBs and large enterprises.
The technology stack used in this case study is:
- Java
- Tomcat
- Docker
- Jenkins
Related Capabilities
Business & Industry Applications
Robust business applications designed to set a new benchmark in organizational efficiency. Encompassing marketing, e-commerce, value chain, and behavioral insights.
Learn moreAI and Intelligent Operations
AI and automation combined with simplicity, security and ease of use — empowering you to make informed decisions, predict market trends and enhance agility and efficiency to an unprecedented degree.
Learn moreTotal Experience
TX software that interconnects the best to solve the most complex challenges organizations face, incorporating customer experience (CX), employee experience (EX), user experience (UX) and multi-experience (MX).
Learn moreData and Analytics
The tools you need to distill complex data into clear, actionable insights — to predict outcomes, profile customers, optimize operations and identify new opportunities through data patterns and market analysis.
Learn moreCybersecurity
Vulnerability detection, mitigation and remediation solutions that deliver secure DevOps and compliance from application to endpoint.
Learn more