HCL AppScan, previously known as IBM AppScan, is a family of desktop and web security testing and monitoring tools formerly from the Rational Software division of IBM. In July 2019, the product was acquired by HCL Technologies and is now part of HCL Software, a product development division of HCL Technologies.
AppScan Enterprise: Large-scale, multi-user, multi-app dynamic application security to identify, understand, and remediate vulnerabilities, and achieve regulatory compliance.
Important: There are two different AppScan Connectors: the AppScan Connector (XML) and the AppScan Enterprise Connector (API). They do not support the same tools.
- The AppScan Connector (XML) supports data from AppScan Standard and ASoC.
- The HCL AppScan Enterprise Connector supports HCL AppScan Enterprise. Use the HCL AppScan Enterprise connector for your Enterprise AppScan deployment.
The Connector is a mandatory full run connector and does not support incremental runs.
What Types of AppScan Data does Cisco Vulnerability Management Support?
- DAST
- IAST
Prerequisites
- If your HCL AppScan Enterprise deployment is an on-premises deployment, you will need to leverage the Virtual Tunnel. The Agent does not currently support AppScan Enterprise.
- The user account whose credentials are used in the setup must have access to the AppScan API.
- You must be a Cisco Vulnerability Management Administrator.
Configuring your AppScan Enterprise Connector in Cisco Vulnerability Management
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Dynamic Assessment section, click HCL AppScan Enterprise.
4. On the AppScan Enterprise page, enter the following information:
- Name: Enter a name for the connector, or leave it as "AppScan Enterprise".
- Enter the API ID and API Key for the account.
- Schedule: Select the frequency that you’d like your Connector to run. Cisco recommends mirroring the cadence of your scans.
- Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit.
Note: Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data that this connector ingests. For more information, see the Setting Asset Inactivity Limits information.
- If your AppScan Deployment is on-premises and you need to leverage the Virtual Tunnel, select the Use Virtual Tunnel checkbox, which is displayed below the Asset Inactivity Limit for customers with a Virtual Tunnel already set up.
5. Click Save and Verify.
What AppScan Enterprise Items does Cisco Vulnerability Management Import?
Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:
AppScan Field | Cisco Vulnerability Management Field | Notes |
---|---|---|
Enterprise: N/A | Application identifier | Search for Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:"*" |
issue-group > url | URL | |
source_vulnerability.issue_type_id | Identifier | |
ignored=false | Vulnerability Status | Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Cisco Vulnerability Management will auto-close the vulnerability. |
name | Vulnerability Name | |
severity | scanner_score | 0-10 |
cwe (id) | CWE | |
{Technical Description + Causes + SecurityRisks + Affected Products} | | These items are combined and distilled into Vulnerability Description in Cisco Vulnerability Management. |
{Priority + Fix Recommendation} | Solution | |
issue.last_found_on | last_seen_time | |
found_on | Found Date | |
owner | Owner | |
{Variant + CWE + Comments + Reasoning + Test Difference} | Details | These items are combined and distilled into Vulnerability Details in Cisco Vulnerability Management. |
Tags | Tags | These items are turned into Tags in Cisco Vulnerability Management. |
The Connector does not import the following:
- Custom Fields
What API Calls are involved?
The API endpoints that Cisco Vulnerability Management leverages are:
- standard login request
  - https://#{host}:#{port}/ase/api/#{endpoint}
- get applications (id)
  - issues/reports/#{id}
- for each ID returned, fetch the scan report
  - issues/reports/securitydetails
- when reports left to fetch = nil, consolidate and upload client file to Cisco Vulnerability Management
  - file_name = "#{name}-#{app_id}-#{report_id}-#{connector_run.id}
- then logout https://#{host}:#{port}/ase/api/logout
Optional Settings
The following settings can be enabled on the backend for AppScan Enterprise Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.
Exclude Informationals
When you enable this option, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
Skip Tags
This setting enables you to not create any Tags in Cisco Vulnerability Management based on the scanner metadata.
Ignore Scanner Last Seen Time
Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
Tag Reset
This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.
If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.
Custom Ordered Locators
Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.
Common Reasons for AppScan Enterprise Connector Run Failures
- Bad Credentials. If you enter the incorrect connector credentials during the connector setup, Cisco Vulnerability Management will not have access to the environment to make the API calls.
- If no reports are found, Cisco Vulnerability Management will abort the Connector run, rather than fail it outright.
- If an API call fails (no data available, or other reasons).
- If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector will fail.
- If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector run.
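When finding counts in Cisco Vulnerability Management do not match AppScan Enterprise, it helps to predict what a run should have produced. The sketch below is an added example, not Cisco or HCL code: it applies the rules stated on this page (open while present in the reports, auto-closed when absent, Exclude Informationals, abort on no reports, fail above 1% bad payloads). The record shape, the finding key, the function names and the sample data are assumptions.

```python
# Added illustration, not Cisco or HCL code. Field names come from the mapping
# table above; record shape, keys and sample values are constructed assumptions.
REPORT = [  # issues present in the current scan reports (ignored=false)
    {"application": "shop", "url": "https://shop.example/login",
     "issue_type_id": "constructed-type-1", "name": "SQL Injection", "cwe": 89},
    {"application": "shop", "url": "https://shop.example/about",
     "issue_type_id": "constructed-type-2", "name": "Banner disclosure"},
    {"application": "shop", "url": "https://shop.example/search",
     "issue_type_id": "constructed-type-3", "name": "Cross-site scripting", "cwe": 79},
]

def key(issue):
    # Assumed identity of a finding: application + URL + issue type identifier.
    return (issue["application"], issue["url"], issue["issue_type_id"])

def is_informational(issue):
    # "Exclude Informationals": no CVE, CWE, or WASC ID on the finding.
    return not any(issue.get(f) for f in ("cve", "cwe", "wasc"))

def preview_run(report, previously_open, exclude_informationals=False):
    skipped = {key(i) for i in report
               if exclude_informationals and is_informational(i)}
    reported = {key(i) for i in report}
    return {
        "open": reported - skipped,                      # still in the reports
        "auto_closed": set(previously_open) - reported,  # gone from the reports
        "skipped": skipped,                              # never imported
    }

def run_outcome(reports_found, payloads_total, payloads_failed):
    if reports_found == 0:
        return "aborted"            # no reports: run is aborted, not failed
    if payloads_failed * 100 > payloads_total:
        return "failed"             # more than 1% of payloads failed to import
    return "success"

if __name__ == "__main__":
    gone = ("shop", "https://shop.example/old", "constructed-type-9")
    result = preview_run(REPORT, {key(REPORT[0]), gone}, exclude_informationals=True)
    for bucket, items in result.items():
        print(bucket, sorted(items))
    print(run_outcome(reports_found=3, payloads_total=200, payloads_failed=3))
```

How Exclude Informationals interacts with auto-closing is not documented on this page; the sketch treats a skipped finding as still reported, so it is never auto-closed.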
Additional Assistance:
Contact Support if you require any additional assistance with the AppScan Enterprise Connector.