There is no silver bullet that can solve the application security challenge. Each of the core technologies (IAST, DAST, and SAST) has strengths and weaknesses.

Auto Issue Correlation allows us to leverage the strengths of each technology, while overcoming weaknesses with the advantages of the others. Furthermore, Auto Issue Correlation enhances your AST capabilities, improves your prioritization process and reduces remediation time and effort.

For example:

  • enriches DAST issues with IAST/SAST details.
  • prioritizes SAST findings using the accuracy of your IAST/DAST results.
  • validates SAST fixes from the status updates of your IAST/DAST issues.
  • reduces the number of vulnerabilities and remediation tasks by grouping issues together.

Once Auto Issue Correlation is activated, correlation is updated automatically whenever any relevant IAST, DAST or SAST issues are found. Existing groups are automatically updated with the new issues, and new groups are created as necessary. No user action is needed.

How it Works

HCL AppScan’s Auto Issue Correlation is based on our IAST solution.

IAST has access to the application at runtime (like DAST) and is able to see the source code (like SAST). Our automatic correlation algorithm matches IAST issues with DAST and SAST issues. It extracts data from each issue and then uses a variety of heuristics to identify correlations. This brings optimization of the remediation process to a new level. So, adding IAST and Auto Issue Correlation to your arsenal can reduce the overall number of issues/vulnerabilities to be addressed.

How to Use It

All you need is to have an active IAST session, and to activate Auto Issue Correlation. AppScan on Cloud (ASoC) will then automatically create correlation groups and show them in the “Correlation group” tab under “All Issues”. ASoC will keep updating and creating new groups as new issues are added to the application.

Here are some examples:

Dashboard

When correlation is identified, it’s indicated on the Issues chart in the dashboard of an application.

Dashboard

Correlation groups page

Click on the Correlation link to open the Correlation page for the application, listing the correlation groups it contains.

Correlation groups page

Issues in a group

Click on a group to see its issues.

Issues in a group

Issue details

The issue pane for a specific issue indicates when it belongs to a correlation and/or fix group in the “Related” section:

Issue details

Once Auto Issue Correlation is activated, correlation is updated automatically whenever any relevant IAST, DAST or SAST issues are found. Existing groups are automatically updated with the new issues, and new groups are created as necessary. No user action is needed.

We all know that code reuse is a best practice in software development. However, this also means that a single weak link can create multiple security vulnerabilities in an app. The diagram below illustrates how a weak sanitizer could cause multiple SQL Injection vulnerabilities. Since REST API 1 has a different route/source to RESP API 2, their vulnerabilities would appear unrelated in scan results.

Rest API

Correlation aggregates together vulnerabilities that should be remediated as a single task.

Note in the example below, that the correlation group includes issues found by different technologies (IAST and DAST), of different issue types, and with different severities.

Thanks to Auto Issue Correlation, diverse issues, which would not have otherwise been seen as connected, can now be resolved with a single remediation effort.

Reflected Cross Site Scripting

Visit hcltechsw.com/AppScan to learn more or schedule a demo.

Comment wrap
Further Reading
article-img
Secure DevOps | May 20, 2022
New Vulnerability in Spring Framework Detected
Through AppSscan, SCA, and DAST offerings, identify Springshell vulnerability and secure your apps in spring framework from Remote Code Execution (RCE)
article-img
Secure DevOps | April 28, 2022
Latest Version of AppScan Standard Now Available
Explore the latest version of the HCL AppScan standard with added new features. Experience the all-new DAST configurations to their fullest extent.
article-img
Secure DevOps | April 25, 2022
HCLSoftware recognized by Gartner as a Leader in the April 2022 Magic Quadrant for Application Security Testing
HCL AppScan has been positioned by Gartner as a leader in the Magic Quadrant for Application Security Testing for the second consecutive year.
Close
Filters result by
Sort:
|