As its name suggests, HCL AppScan on Cloud (ASoC) is a cloud-based service. Its dynamic analysis security scanner for web applications runs outside the organization's network.
ASoC can easily scan publicly reachable web applications. However, development and test applications are typically deployed inside the organization, behind the firewall and/or inside labs, where an external scanner cannot reach them. To scan those applications, you need Private Site Scanning (PSS).
How to achieve Private Site Scanning from the Cloud
The obvious but arduous and expensive solution is to add network components such as VPNs or proxies, or to change the network so that the scanner can reach into the organization. Each of those options means opening an inbound path into the private network, which is why CIOs and IT security teams frown on it.
The ASoC PSS solution requires no specialized hardware or changes to your network that might introduce additional risk. The ASoC PSS client is set up in your network and requires only outgoing access to the Internet (directly or via proxy) and access to the site being scanned. This client can be installed on any machine in the organization and requires relatively few resources.
PSS is part of the AppScan Presence package, which also provides capabilities such as a recording proxy. The Presence connects out to the ASoC service to receive its instructions; the service never connects in.
ASoC PSS consists of two endpoints that create a secure (TLS-encrypted) TCP/IP tunnel:
- The tunnel server endpoint resides in the cloud network, alongside the scanner. This endpoint receives requests that the scanner generates and forwards them down the tunnel to the client.
- The tunnel client endpoint, inside the organization, initiates the tunnel connections. This is the key to avoiding network restrictions: outbound connections to the Internet are routinely permitted, while inbound ones are not. The client receives the traffic the server sends down the tunnel and forwards it to the tested application; the responses make the same trip in reverse.
In ASoC, mark the tested application for Private Site Scanning and select the AppScan Presence through which it should be reached. After that, the process is automatic.
Security considerations with ASoC PSS
ASoC is a security product, so security considerations were central to the design and implementation of PSS. The developers focused on two things: the security of the customer's network and the security of the tunnel connection itself.
As noted, PSS requires no changes to your network and no special concessions for the tunnel client, so the host that runs it can remain under the organization's normal security policies. In particular, nothing changes on the organizational firewall: no inbound ports are opened and no external IP addresses are allow-listed.
Each Presence instance has a unique key that serves as its identity: the ASoC service uses it to recognize the instance and to hand it the correct scan tasks. The key can be renewed at any time, so it can satisfy organizational policies that require periodic rotation. Once a key is renewed on the server side, the Presence instance stops receiving tasks until the new key has been placed on the Presence machine, which means the old key stops working the moment a new one is issued.
To secure the connection at the PSS level, the tunnel server and tunnel client must be able to authenticate each other; otherwise an unvalidated party could use the tunnel to reach into the private network. When a scan is ready to run and the tunnel server starts, PSS generates two certificates: one for the server itself and one for the client.
The server certificate, together with the client certificate and its private key, is passed to the tunnel client along with the scan task details, over the secured channel between the Presence service and the SaaS service. The tunnel client and tunnel server can then each validate the identity of the peer at the other end of the connection. The certificates are invalidated once the scan completes and are never reused, not even for a rescan of the same application.
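The two mechanisms described above, the client-initiated tunnel (the two endpoints listed earlier) and the per-scan certificates that authenticate its ends, fit in one small Go program. What follows is an added illustration written for this page, not ASoC's code: the real PSS wire protocol, key formats and the way the Presence service delivers the material are not described here and are not assumed. It uses only the Go standard library and stands in for the three parties on loopback: a constructed "tested application", the cloud-side tunnel server, and the in-network tunnel client. The names ephemeralCert, NewScanTLS, ServeTunnelClient, ScanThroughTunnel, tunnel-server and tested-app, the raw-TCP-over-TLS framing and the one-request-per-stream simplification are all hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ephemeralCert mints a short-lived self-signed certificate bound to one extended key
// usage, so a client cert cannot be replayed as a server cert (hypothetical stand-in).
func ephemeralCert(name string, usage x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only when the system randomness source is broken
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // one scan, not one year
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // we just produced it; parsing cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// NewScanTLS builds both endpoints' configs for one scan: the server accepts only a client
// holding cli's key, the client trusts only srv (not the public PKI), and both are then discarded.
func NewScanTLS() (server, client *tls.Config) {
	srv := ephemeralCert("tunnel-server", x509.ExtKeyUsageServerAuth)
	cli := ephemeralCert("tunnel-client", x509.ExtKeyUsageClientAuth)
	pinSrv, pinCli := x509.NewCertPool(), x509.NewCertPool()
	pinSrv.AddCert(srv.Leaf) // the only server the client will talk to
	pinCli.AddCert(cli.Leaf) // the only client the server will accept
	server = &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pinCli}
	client = &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: pinSrv, ServerName: "tunnel-server"}
	return server, client
}

// ServeTunnelClient is the in-network endpoint: it dials OUT to the tunnel server (an outbound
// connection is all the firewall must allow), connects to the tested app and relays bytes both ways.
func ServeTunnelClient(tunnelAddr string, cfg *tls.Config, appAddr string) error {
	tunnel, err := tls.Dial("tcp", tunnelAddr, cfg)
	if err != nil {
		return err
	}
	defer tunnel.Close()
	app, err := net.Dial("tcp", appAddr)
	if err != nil {
		return err
	}
	defer app.Close()
	go func() { io.Copy(tunnel, app); tunnel.CloseWrite() }() // responses make the same trip in reverse
	_, err = io.Copy(app, tunnel)                              // scanner traffic down the tunnel, into the app
	return err                                                 // nil on a clean close; "remote error: tls: ..." if refused
}

// ScanThroughTunnel is the cloud endpoint: listen, let the tunnel client connect out, push one
// scanner request down the tunnel and return the raw response that came back from the private app.
func ScanThroughTunnel(serverCfg, clientCfg *tls.Config, appAddr, path string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go ServeTunnelClient(ln.Addr().String(), clientCfg, appAddr) // the private side initiates the connection
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	req, _ := http.NewRequest("GET", "http://tested-app"+path, nil)
	req.Close = true // one request per tunnel stream in this example; the app closes after answering
	if err := req.Write(conn); err != nil { // the first write completes the mutual TLS handshake
		return "", err // a client without this scan's certificate is refused here, before it sees any request
	}
	raw, err := io.ReadAll(conn) // ends when the client half-closes the tunnel after the app hangs up
	return string(raw), err
}

func main() {
	app := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "private app saw %s", r.URL.Path) // constructed stand-in for the tested application
	}))
	serverCfg, clientCfg := NewScanTLS()
	fmt.Println(ScanThroughTunnel(serverCfg, clientCfg, app.Listener.Addr().String(), "/login"))
}
```

Two properties of the real design show up directly. First, the firewall story: the only listener in the private network is the tested application itself; the tunnel client only ever dials out. Second, the trust story: each side's trust store holds exactly one certificate, so a client that presents no certificate, or one minted for a different scan (swap in the client config from a second NewScanTLS call and the server rejects it as signed by an unknown authority), is refused during the handshake, and a valid public-PKI certificate for some other name buys an attacker nothing. One caveat for anyone checking this with a real client: under TLS 1.3 the client's Dial returns before the server has judged its certificate, so the refusal surfaces on the client's first read and, on the server, as an error from the first write; that is why the example treats the first write as the authentication point.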
Taken together, ASoC Private Site Scanning lets a cloud-based scanner test applications deployed inside an organization, simply and securely, without opening the organization's network to inbound traffic.
To test-drive HCL AppScan on Cloud on your own, register now for our 30-day free trial.