HCL AppScan has been positioned by Gartner as a leader in the Magic Quadrant for Application Security Testing for the second consecutive year.

Two new Spring Framework vulnerabilities have surfaced over this last week, and both are considered critical.

The apache log4j CVE-2021-44228 vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string provided by an attacker is processed by the Log4j 2 vulnerable component. HCL AppScan can help developers scan for log4j using our Open-Source analysis (OSA) capability.

This update will empower developers by offering new supporting languages, extended coverage in several IDEs platforms, and enhanced user experience.

AppScan's “How to Fix” information yields detailed solutions to potential vulnerabilities in multiple code languages. IAST is now available on AppScan Enterprise

We all realize the power of mobile applications helping expand businesses and unlocking their market reach with potential customers. Read blog for more details.

The AppScan on Cloud web experience has several great improvements that not only bring a clean consistent interface across different areas of the service, but more importantly, provide better visability, ease of use and new developer centric advisories with sample code to remediate.

This article provides convenient links to Application Security resources that you and your team can utilize in 2021 and beyond.

In this blog experienced Application Security Evangelist Rob Cuddy provides his insights for 2021, including anticipated industry trends.

This blog provides practical application security testing techniques that you can use to tackle the OWASP Top 10 vulnerability, Sensitive Data Exposure.

Our new HCL AppScan on Cloud capabilities in Europe permit you to conduct Application Security Testing while leveraging European data residency.

Read this blog to learn more about HCL AppScan's support of SAP ABAP. And, you can request a free trial or demo of our AppSec solution.

As part of our periodic blog series that's focused on OWASP Top 10 vulnerabilities, this article examines the most prevalent vulnerability: SQL Injection.

You'll learn how to make an informed decision amongst the plethora of Application Security Testing options in the market, including DAST, SAST & IAST.

Learn 5 key financial findings from Ponemon Institute's "Application Security in the DevOps Environment" study & request a free copy of Ponemon's report.

Web applications are unprotected, and everyone can get to it. All you need is an internet connection. That includes hackers too! But developers often ignore web application security and teams typically spend most of the time on the code – and little to no time making sure the web apps are reliable. According to Forrester, application vulnerabilities remain the main reason for the success of attacks, representing 42% of attacks by exploiting a software vulnerability and 35% came via a web app. Common website app threats There isn’t just one way that websites get attacked; some common web app threats are: SQL Injections SQL injection attacks are done by infusing malicious code in an exposed SQL query. They count on an attacker inserting a request within the message sent by the website to the database. Malware Malware – the biggest threat to your website, is used to access private data or server resources. Malware can be classified into distinct bands since they work to achieve separate goals- spyware, viruses, ransomware, worms, and trojans. Phishing Scam Phishing scam attacks affect directly with email marketing efforts. These types of threats are planned to look like emails that are from valid sources, to obtain sensitive data. Brute Force Then there’s also brute force attacks, where hackers attempt to guess passwords and forcefully gain access to the web application owner’s details. But how do you secure web apps against any malicious intent? Here are some of the tips. Source code encryption Malware often taps bugs and vulnerabilities within the design and source code of the application. This malicious code infects 12M+ apps, and the most common way attackers do it is by repackaging popular apps into "rogue apps" and publishing the same. That is why you need to test code for vulnerabilities or run source code scanning. Secure...

Larry Ponemon from Ponemon Institute showcases findings from "Application Security in the DevOps Environment." You can request a free copy of the report.

This blog explains how classic childhood advice can be leveraged to protect your family from cybersecurity threats like phishing & social engineering.

By reading this blog, you'll learn about the latest Dynamic Application Security Testing enhancements to the HCL AppScan portfolio.

By reading this blog, you'll learn 15 key application security insights from a real-life CISO. A link to a detailed companion webinar is also provided.

By reading & sharing this blog, you'll learn how to manage security risk in your applications more effectively, whether you're a user or app developer.

You might not think that there are similarities between AppSec and baseball. However, both are driven primarily by analytics, Read & share our blog now.

By reading this blog, you're learn the key traits and multi-disciplinary areas of focus that are required for hybrid security professionals to succeed.

In the 4th and final blog in our Continous Security blogging series, we focus on the Assure theme & its capabilities of Measure & Audit.

Adopt IAST as part of your SDLC & find out about about mission-critical use-cases that could significantly impact your organization's DevOps program.

In the third blog in our Continuous Security blogging series, we focus on the Intensify theme & the capabilities of Educate & Govern.

Read this blog for a detailed overview of HCL AppScan's integration with Azure DevOps & to register for a complimentary trial of HCL AppScan on Cloud.

In Blog #2 of our "Continuous Security" blogging series, you'll learn about the Construct phase. Check out the link to our companion webinar to learn more.

This blog summarizes recent findings from ESG's Technical Validation of HCL AppScan, and provides links to ESG's comprehensive report & our YouTube video.

In this blog, HCL Aleph Research recaps security vulnerabilities that they have located in router technology, which will be presented at DEF CON.

HCL AppScan Activity Recorder is a Chrome browser extension, which permits you to record traffic & actions from your site & upload recordings to DAST.

  Once upon a time, “Dynamic Analysis” was called “Black-Box Testing”. I miss the old names (Black-Box, White-Box, Glass-Box…). While the new names have nice acronyms (DAST, SAST, IAST, etc.) they are far less descriptive in the way they work. The challenges faced when performing one type of testing or another are far clearer when the name explains how the testing option actually works.   Black-Box very clearly tells you that you are treating the test target as a “black box”. You cannot see inside. You can only rely on what the black box chooses to expose to you. When we perform test attacks, we call that a “reflection,” which is how the application responds to an attack. It is sometimes the lack of reflection that indicates whether a test succeeded.  This reliance on reflections is one of the major challenges faced by DAST. It is a limiting factor on the type of issues that can be detected. Some tests create an immediate response (or a response in a following sequence of requests) and those are issues DAST can find. Some tests are designed to disrupt a WebApp’s execution flow (intentionally causing a reflection failure) and those also are issues that DAST can detect.   What about everything else?   Impact of Asynchronous Validation Mechanism Testing  Maybe not everything else, but the asynchronous validation mechanism introduced several years ago does help. The idea behind these tests is not to rely on direct reflection (or lack thereof) but on other externally observable behavior of the application.  Where is this useful? For example, when testing for Command-Execution. We try to execute commands that would perform one of the actions described below. These are done outside the context of the running application and would, in many cases, have no response (direct reflection in an HTML, for example) associated with them. Under normal circumstances a DAST scanner would not be able to detect these vulnerabilities.   The first class of tests attempt to trigger an HTTP request to a web server embedded within the AppScan scanner itself. AppScan tries to get the tested server to initiate an HTTP request to a specific URL that helps us understand the source attack. It...

By reading this blog series, you'll learn how Continuous Security benefits your organization. You can also watch our companion webinar to learn more.

Learn best practices for conducting Private Site Scanning (PSS) with HCL AppScan on Cloud (ASoC). Then, test-drive ASoC with our free 30-day trial.

Read this blog to learn how to identify security vulnerabilities in third-party application components. Then, you can test-drive HCL AppScan on Cloud.

Learn how to calculate risk for applications that your company has in development & find out how to utilize HCL AppScan on Cloud to manage vulnerabilities.

In this blog, you'll learn more about Dynamic Application Security Testing (DAST) policies & find out how to maximize your team's dynamic analysis efforts.

By reading this blog, you'll learn more about tested elements in your Dynamic Application Security Testing (DAST) program

This blog outlines 4 key issues that you need to address, in order to manage application security effectively in your organization.

Read out latest blog to learn how HCL AppScan V10.0.1's XSS Analyzer can be used to address Cross-Site Scripting (XSS) vulnerabilities in your applications.