HCL AppScan is an application security solution that contains enterprise-level SAST, SCA, DAST and IAST tools.
HCL AppScan is a set of tools for application security testing that helps protect your applications from being compromised by malicious attacks.
The suite consists of AppScan on Cloud, AppScan Enterprise, AppScan Standard (DAST) and AppScan Source (SAST).
There is also a free Visual Studio Code plugin called AppScan CodeSweep.
With AppScan on Cloud (ASoC), you get all of those scanning technologies in one place, like a one-stop shop. You also get full dashboarding capabilities, multiple plugins and extensive APIs.
It is a good product set both for entry-level customers, because you can purchase per scan, and for enterprise customers,
because it offers so many capabilities that you can use as your application security program advances.
ASoC is nice because it can change with you as you mature in your application security program.
AppScan Enterprise is the on-premise product. It performs DAST scanning and comes with a dashboard console into which you can bring your static scan information and IAST results.
With AppScan Enterprise, you can keep all your records on-premise and still spread your scanners across multiple servers so that scanning scales for big organizations.
There is another on-premise product, AppScan Standard, that is probably the one everybody is familiar with.
This is the DAST tool most people start with; it came out about 20 years ago and is still the flagship product of the HCL AppScan suite. AppScan Standard integrates with all of the DAST solutions, whether you are on the cloud or on-premise with AppScan Enterprise.
It lets you configure your scan in detail and then either run it locally from your desktop or upload it to your AppScan on Cloud or AppScan Enterprise environment to run there.
You can also pull the results back into AppScan Standard to work on the findings on your desktop.
For SAST, there is AppScan Source. You can run your static code analysis on the desktop and upload the results to AppScan Enterprise. It also integrates fully into your CI/CD environment to scan the entire code base for issues.
AppScan CodeSweep is the free community edition of AppScan Source. It is a plugin for Visual Studio Code and has all the detection capabilities of AppScan Source; the difference is that CodeSweep scans only one file at a time.
AppScan has a very flexible pricing structure: you can buy per scan, per application, or go unlimited per technology, for example unlimited DAST or unlimited SAST.
Let's say you have 20 applications that you are continuously developing, and you also need some ad-hoc scans for temporary applications.
In this case, you can buy 20 application licenses to scan those continuously and 50 ad-hoc scans to use on the other applications.
AppScan also has a cognitive capability called Intelligent Code Analytics (ICA), which builds an understanding of the code on the fly and decides how to mark it up and proceed.
With ICA, the onboarding process no longer requires manual intervention.
This dramatically changes onboarding: it now takes minutes where it used to take days, or even a week, depending on how big the application is. ICA is available both on AppScan on Cloud and on-premise.
Another critical point is how to handle the hundreds of issue tickets that come out of your first SAST scan. They can be overwhelming for the development team.
That is why there is the Intelligent Findings Analytics (IFA) feature: it groups and filters these issues to help with prioritization, so your team can focus on the most interesting and urgent issues and avoid the noise.
IFA traces the issues through the code to find a common point and groups them under the same ticket. This way, you end up with a smaller set of issue tickets and can make smart decisions about what to prioritize.
Anything I Missed?
So these are my favourite features in HCL AppScan, and now I'd like to hear from you:
Is there any other feature that you love but didn't see in this article?
Or maybe you have a question. Either way, let me know by leaving a comment below.