HCL AppScan, previously known as IBM AppScan, is a family of desktop and web security testing and monitoring tools formerly from the Rational Software division of IBM. In July 2019, the product was acquired by HCL Technologies and now sits under HCL Software, a product development division of HCL Technologies.
AppScan Enterprise: Large-scale, multi-user, multi-app dynamic application security to identify, understand, and remediate vulnerabilities, and achieve regulatory compliance.
To import your data from HCL AppScan Enterprise to the Kenna.AppSec module, you will need to leverage the HCL AppScan Enterprise Connector under the Dynamic Assessment tools.
Important: There are two different AppScan Connectors: the AppScan Connector (XML) and the AppScan Enterprise Connector (API). They do not support the same tools. The AppScan Connector (XML) supports data from AppScan Standard and ASoC. The HCL AppScan Enterprise Connector supports HCL AppScan Enterprise. Please use the HCL AppScan Enterprise connector for your Enterprise AppScan deployment.
The Connector is a mandatory full run connector and does not support incremental runs.
What Types of AppScan Data does Cisco Vulnerability Management Support?
- DAST
- IAST
User Prerequisites/Connector Setup:
- If your HCL AppScan Enterprise deployment is an on-premise deployment, you will need to leverage the Kenna Virtual Tunnel. The Kenna Agent does not currently support AppScan Enterprise.
- The user account whose credentials are used in the setup must have access to the AppScan API.
Configuring your AppScan Enterprise Connector in Cisco Vulnerability Management
To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select HCL AppScan Enterprise.
Once you select the HCL AppScan Enterprise Connector, the following screen will appear:
- Enter a name for the connector, or leave it as "AppScan Enterprise".
- Enter the API ID and API Key for the account.
- Schedule the Connector. Select the frequency at which you'd like your Connector to run (we recommend mirroring the cadence of your AppScan scans).
- Asset Inactivity Limit (days): Use this if you wish to set an inactivity limit for assets ingested by this connector.
- Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits.
- If your AppScan deployment is on-premise and you need to leverage the Virtual Tunnel, select the Use Virtual Tunnel checkbox, which appears below the Asset Inactivity Limit for customers with a Virtual Tunnel already set up.
- Save and Verify.
What AppScan Enterprise Items does Cisco Vulnerability Management Import?
Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:
AppScan Field | Cisco Vulnerability Management Field | Notes
---|---|---
Enterprise: N/A | Application identifier | Search for Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:"*"
issue-group > url | URL |
source_vulnerability.issue_type_id | Identifier |
ignored=false | Vulnerability Status | Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Cisco Vulnerability Management will auto-close the vulnerability.
name | Vulnerability Name |
severity | scanner_score | 0-10
cwe (id) | CWE |
{Technical Description + Causes + SecurityRisks + Affected Products} | Description | These items are combined and distilled into Vulnerability Description in Cisco Vulnerability Management.
{Priority + Fix Recommendation} | Solution |
issue.last_found_on | last_seen_time |
found_on | Found Date |
owner | Owner |
{Variant + CWE + Comments + Reasoning + Test Difference} | Details | These items are combined and distilled into Vulnerability Details in Cisco Vulnerability Management.
Tags | Tags | These items are turned into Tags in Cisco Vulnerability Management.
The Connector does not pull in the following:
- Custom Fields
What API Calls are involved?
The API endpoints we leverage are:
- standard login request
  - https://#{host}:#{port}/ase/api/#{endpoint}
- get applications (id)
  - issues/reports/#{id}
- for each ID returned, fetch the scan report
  - issues/reports/securitydetails
- when reports left to fetch = nil, consolidate and upload client file to Cisco Vulnerability Management
  - file_name = "#{name}-#{app_id}-#{report_id}-#{connector_run.id}"
- then logout https://#{host}:#{port}/ase/api/logout
Optional Settings
The following settings can be enabled on the backend for AppScan Enterprise Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.
- Exclude Informationals
  - When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
- Skip Tags
  - This setting allows you to NOT create any Tags within Cisco Vulnerability Management based on the scanner metadata.
- Ignore Scanner Last Seen Time
  - Enable this if you do not want the asset last seen time in Cisco Vulnerability Management to be the last seen time reported by the scanner.
- Tag Reset
  - This setting assists in keeping your scanner metadata in sync with Cisco Vulnerability Management. Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.
  - If you have created any manual tags, or any tags were created from metadata from other connectors, that tag info will be removed and will be refreshed once those other connectors are rerun.
- Custom Ordered Locators
  - Locators (IP, NetBIOS, FQDN, etc.) can be reordered to better deduplicate vulnerabilities at the Connector level or the entire Platform level. For more information see the help article here.
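The field mapping table, the client file name from the API call list, and the Exclude Informationals / Skip Tags settings above, modelled as an added example (this is not Kenna's or HCL's own connector code). The flat dict layout of an AppScan issue record and the sample issues are constructed assumptions; the page does not document the report format.

```python
# Added example, not Kenna's or HCL's code: the AppScan -> Cisco VM field mapping
# and the Exclude Informationals / Skip Tags filters. The flat dict layout of an
# issue record is an assumption; the page does not document the report format.
# Constructed sample issues (not real scanner output).
SAMPLE_ISSUES = [
    {"url": "https://app.example/login", "issue_type_id": "sqli", "name": "SQL Injection",
     "severity": 9, "cwe": 89, "causes": "Unsanitized input", "tags": ["prod"]},
    {"url": "https://app.example/", "issue_type_id": "hdr", "name": "Server header", "severity": 0},
]

def is_informational(issue):
    """True when the issue carries no CVE, CWE or WASC identifier."""
    return not any(issue.get(k) for k in ("cve", "cwe", "wasc"))

def _join(issue, *keys):
    """Combine several AppScan text fields into one, skipping blanks."""
    return "\n".join(str(issue[k]) for k in keys if issue.get(k))

def map_issue(issue, app_id, skip_tags=False):
    """Translate one AppScan Enterprise issue into the mapping-table fields."""
    score = float(issue["severity"])
    if not 0 <= score <= 10:  # scanner_score must stay within 0-10
        raise ValueError("severity out of range: %r" % score)
    return {
        "application": app_id,
        "url": issue["url"],
        "identifier": issue["issue_type_id"],
        "status": "open",  # present in the report; CVM auto-closes anything absent
        "name": issue["name"],
        "scanner_score": score,
        "cwe": issue.get("cwe"),
        "description": _join(issue, "technical_description", "causes",
                             "security_risks", "affected_products"),
        "solution": _join(issue, "priority", "fix_recommendation"),
        "last_seen_time": issue.get("last_found_on"),
        "found_date": issue.get("found_on"),
        "owner": issue.get("owner"),
        "details": _join(issue, "variant", "cwe", "comments", "reasoning", "test_difference"),
        "tags": [] if skip_tags else list(issue.get("tags", [])),
    }

def build_payload(app_id, issues, exclude_informationals=False, skip_tags=False):
    """Drop ignored issues (ignored=false rule), apply optional filters, map the rest."""
    return [map_issue(i, app_id, skip_tags) for i in issues
            if not i.get("ignored", False)
            and not (exclude_informationals and is_informational(i))]

def client_file_name(name, app_id, report_id, run_id):
    return "%s-%s-%s-%s" % (name, app_id, report_id, run_id)  # "#{name}-#{app_id}-#{report_id}-#{connector_run.id}"
```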
Common Reasons for AppScan Enterprise Connector Run Failures
- Bad credentials
- No reports are found, Cisco Vulnerability Management will abort
- Failed API calls
- Inability to process unexpected data/format
- If more than 1% of connector payloads fail, Cisco Vulnerability Management will auto-fail the Connector Run
Additional Assistance:
Please contact Support should you require any additional assistance with the AppScan Enterprise Connector.