HCL AppScan, previously known as IBM AppScan, is a family of desktop and web security testing and monitoring tools formerly from the Rational Software division of IBM. In July 2019, the product was acquired by HCL Technologies and currently slated under HCL Software, a product development division of HCL Technologies.
AppScan Standard: Dynamic application security testing to effectively identify, understand, and remediate web application vulnerabilities. (DAST)
AppScan on Cloud (ASoC): Cloud-based application security testing suite to perform static, dynamic, interactive, and open-source analysis on web, mobile, and desktop applications. (DAST, SAST, IAST, SCA)
To import your data from AppScan Standard or ASoC to the Kenna.AppSec module, you will need to leverage the AppScan XML Connector under the Dynamic Assessment tools category. We require the use of the HCL AppScan XML Connector for AppScan ASoC and AppScan Standard.
The Connector is a mandatory full run connector due to its nature as an XML connector.
Important: There are two different AppScan Connectors: the AppScan Connector (XML) and the AppScan Enterprise Connector (API). They do not support the same tools. The AppScan Connector (XML) supports data from AppScan Standard and ASoC. The HCL AppScan Enterprise Connector supports HCL AppScan Enterprise.
What Types of AppScan Data does the AppScan XML Connector Support?
Supported:
-
Standard
-
AppScan on Cloud (ASoC)
Not Supported:
-
Enterprise
-
Source
User Prerequisites/Connector Setup:
-
Given that the connector is an XML based connector, Virtual Tunnels or Agents are not required. It will be a simple file drag and drop.
-
The user leveraged must have the ability to generate XML reports in AppScan.
Important: There are 2 ways to generate XML reports in HCL AppScan Standard. One option is via the reports menu and the 2nd option is via the file Export menu. In order to have your Application Identifiers appear in Kenna.AppSec by default, please use option 2. To do so please follow the steps below:
File -> Exports -> Scan results as XML and select "For Earlier Version Legacy".
Please see the screenshot blow that illustrates the steps necessary when creating the XML results file.
Configuring your Connector in Cisco Vulnerability Management
To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select HCL AppScan.
Once you select the AppScan XML Connector, the following screen will appear:
-
Enter a name for the connector, or leave it as AppScan.
- Asset Inactivity Limit (days): Use this if you wish to set an inactivity limit for assets ingested by this connector.
- Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits.
- We recommend an asset inactivity limit of 2-3x the scan cadence of your Webinspect Scans if you plan to upload regularly.
-
Save and Verify
What AppScan Items does Cisco Vulnerability Management Import?
Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:
|
AppScan Field |
Cisco Vulnerability Management Field |
Notes |
|---|---|---|
|
Standard: Host > :Name |
Application identifier |
Search for Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:"*" |
|
Standard: Issue > Url |
URL |
|
|
source_vulnerability.issue_type_id |
Identifier |
|
|
ignored=false |
Vulnerability Status |
Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Cisco Vulnerability Management will auto-close the vulnerability. |
|
name |
Vulnerability Name |
|
|
severity |
scanner_score |
0-10 |
|
cwe (id) |
CWE |
|
|
{Technical Description + Causes + SecurityRisks + Affected Products} |
|
These items are combined and distilled into Vulnerability Description in Cisco Vulnerability Management. |
|
{Priority + Fix Recommendation} |
Solution |
|
|
last_found_on |
last_seen_time |
|
|
found_on |
Found Date |
|
|
{Variant + CWE + Comments + Reasoning + Test Difference} |
Details |
These items are combined and distilled into Vulnerability Details in Cisco Vulnerability Management. |
|
-N/A- |
Tags |
There are no tags returned in the XMLs, thus no tags are created for Standard or ASoC connections. |
The Connector does not pull in the following:
-
Custom Fields
-
Tags for the XML connector
Optional Settings
The following settings can be enabled on the backend for AppScan Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.
-
Exclude Informationals
-
When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
-
-
Ignore Scanner Last Seen Time
-
If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
-
-
Custom Ordered Locators
-
Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.
-
Common Reasons for AppScan Connector Run Failures
- Inability to process unexpected data/format
- If more than 1% of connector payloads fail, Cisco Vulnerability Management will auto-fail the Connector Run.
Additional Assistance:
Please contact Support should you require any additional assistance with the AppScan Connector(s).
Comments
Please sign in to leave a comment.