We all recognize the power of mobile applications to help businesses expand and unlock their reach to potential customers.

However, mobile has also expanded the threat vector for malicious actors trying to profit from security vulnerabilities.

In the battle against malicious hackers, companies need to make sure that they are well protected from threats coming from their mobile operations. However, what some seem to forget is that the exposure from mobile isn’t limited to vulnerabilities in the client-side mobile application that users download from their platform’s app store and install on their devices. The bigger risk actually comes from the service running on the backend, serving the requests coming from the client-side apps.

Thanks to its support for scanning both client-side mobile applications and server-side web services using a mix of application security testing techniques, HCL AppScan is the only solution that offers the complete set of technologies to properly test your mobile application landscape.

For example, developers can easily examine their own code for security vulnerabilities using Static Application Security Testing (SAST) and use Software Composition Analysis (SCA) to evaluate whether the third-party components they import into their applications have known vulnerabilities.

When it comes to the server side, on top of SAST and SCA, AppScan allows users to scan the backend service using Dynamic Application Security Testing (DAST), which imitates the same actions a malicious hacker would take. Interactive Application Security Testing (IAST) is also available to monitor the application’s behavior as it is being interacted with, adding another layer of testing that can detect vulnerabilities that are not easily exposed externally.

Those who have followed AppScan over the past few years are also familiar with HCL AppScan on Cloud’s Mobile Analyzer for scanning client-side mobile applications. The Mobile Analyzer relies on IAST technology, and in recent months, as we introduced the above-mentioned SAST support for mobile languages, we transitioned our use of IAST to focus on web applications and web services.

SAST Benefits

Passive IAST offers security analysis with no dedicated scan time. Its sweet spot is running as part of the pipeline, leveraging the functional testing the QA team already runs. This works great with web applications and web services, but not so much for client-side mobile applications. To overcome this limitation, we implemented a proprietary crawler in AppScan to interact with the application automatically. Using this approach we were able to scan applications successfully, but on average the scan time was over 1 hour, while our SAST scans complete in only a few minutes or even less.

With our IAST solution, we are only able to scan iOS and Android applications written in Swift, Objective-C, Android Java and Kotlin, and only applications that can run on generic devices; applications written for a specific Android manufacturer’s devices are not supported. With our SAST solution, in addition to the above four, we also support Ionic, React Native and Xamarin, and we are planning to add more languages and frameworks. Because SAST is device-agnostic, we are able to scan the code regardless of the device it is meant for.

As mentioned, IAST monitors the application as it is being interacted with, so an IAST solution for mobile requires actual mobile devices. Because of that, Mobile Analyzer was only available in our cloud solution; adding mobile support through SAST makes it available in HCL AppScan Source as well.

Application security testing techniques such as IAST and DAST test a running application. On the one hand, this makes them more accurate than SAST; on the other, it makes them harder to run. To complete a SAST scan, all that is needed is the application code: there is no need to instantiate a backend server, no need to make sure the scanner can reach that backend or to provide login credentials, and in fact one doesn’t even need to be able to compile the application.

At HCL Software, we have seen a tremendous increase in value of mobile applications that use HCL AppScan on Cloud. We welcome you to schedule a demo and see why.
