Web applications face an increasing number of security threats every day. Fortunately, application security testing platforms like HCL AppScan are constantly evolving to recognize new vulnerabilities. But with DevOps teams releasing code at faster and faster rates, the time it takes to remediate issues can become a critical pain point. Prioritizing which problems to fix is becoming increasingly important in the face of sometimes overwhelming test results.

HCL AppScan is making that process easier and more efficient using an Auto Issue Correlation algorithm leveraging its IAST solution (Interactive Application Security Testing) available in both its AppScan Enterprise and AppScan on Cloud offerings. These security solutions also include DAST (Dynamic Application Security Testing), SAST (Static Application Security Testing) tools and Auto Issue Correlation makes full use of all of them.

Each testing engine has different strengths and weaknesses, but Automatic Issue Correlation pulls from the strengths when viewing all the data together. For instance, whereas DAST delivers very accurate results, it cannot see the code and provide the level of detail that you get from SAST and IAST scans. But with correlation, you can use your SAST and IAST scans to confirm and enrich the findings of your DAST results.

Likewise, SAST can produce an overwhelming number of findings making it hard to know what to prioritize for remediation. But the accuracy of IAST and DAST scans, when overlayed on top of the SAST results produces a subset of clearly critical issues that are now easier to remediate all at once.

Additionally, SAST fixes cannot be validated since the developers are “inside the box” and only looking at the code unlike DAST and IAST. If an issue can be confirmed as resolved with correlation from these additional engines in the form of status updates, users gain fix validation in addition to the complete coverage and short scan times inherent in SAST.

risk rating

Sample AppScan dashboard showing scans, issues found, and correlations.

Auto Issue Correlation extracts data from each IAST, DAST and SAST issue and then uses a variety of heuristics to identify correlations. This effectively reduces the overall number of vulnerabilities and remediation tasks by grouping issues together where they can be addressed quickly and completely. If a related issue was found by all three testing engines—IAST, DAST and SAST—it moves to the top of the list for remediation. Next in line are issues correlated from IAST and DAST or IAST and SAST. After that priority moves to issues found by IAST or DAST. And once all these fixes have been made, developers can move on to any remaining issues found exclusively by SAST.

IAST with Auto Issue Correlation delivers a more efficient and organized approach to fixing security issues, giving both developers and security teams greater confidence in the outgoing product, no matter how fast the updates keep coming.

Visit hcltechsw.com/AppScan to learn more or schedule a demo.


Comment wrap
Further Reading
Secure DevOps | November 9, 2022
HCL AppScan Source SAST + ASoC SAST Innovation Workshop – What You’ll Learn
Join us on November 10th to see how HCL AppScan on Cloud delivers a suite of security testing tools, including static, dynamic.
Secure DevOps | November 2, 2022
The Customers Have Spoken!
HCL Technologies is excited to announce our recognition as a Customers’ Choice vendor for 2022 in the Application Security Testing category on Gartner® Peer Insights™.
Secure DevOps | October 31, 2022
HCL AppScan Integrates Security Scanning Easily into the Jenkins Pipeline
If you are one of the many developers around the world that build (or are interested in building) applications in Jenkins, the leading open-source automation server, we have news for you.
Filters result by