If you haven’t looked at AppScan on Cloud recently, you’re missing out on some fantastic new features that make scanning more convenient and meaningful than ever. The last few months of 2021 introduced multiple improvements that provide significant advantages to our users. This blog will look at some of the newest features and benefits offered by AppScan on Cloud.
Log4j specific testing
With all the news surrounding the Log4j vulnerability, it was the logical next step for AppScan on Cloud to add testing capabilities to detect and provide remediation guidance for Log4j. Specifically, a new security rule was added for DAST testing and automatically included for all Test Optimization types, so you can still prioritize speed without compromising the ability to scan for Log4j. ASoC’s OSA testing also detects vulnerabilities associated with all 4 of the CVEs that have been identified with Log4j. Figure 1 below illustrates an example of the new test result finding a potential remote command execution vulnerability. You can watch the entire process of this DAST testing in this YouTube example
Figure 1: Finding Log4j Vulnerabilities in AppScan on Cloud
New Single Scan Reporting
Another innovative feature that has been added to ASoC is the single scan view. The single scan view is a detailed report on a scan that can even be viewed while the scan is running. Using the “Overview” tab of the single scan view provides visibility into the number of visited pages, tested elements, and vulnerability issues as they are found. Users can drill down to specific issues first discovered in the scan as they show up on their scan card. Figure 2 below provides an example of what this new view looks like. Once the scan is completed, issues can be viewed and filtered and reports can be downloaded. Columns in the scan report are clickable and lead to a filtered list in the “Issues” tab. On the “Issues” tab, comments can be added to an individual issue by selecting the “Comments” option. This allows users to effectively share feedback with their team members.
Figure 2: New Single Scan View in AppScan on Cloud
New Language Supported
ASoC recently announced support for the Report Program Generator, or RPG, a programming language used for business applications and primarily found on IBM I or OS/400 systems. For more information about RPG as a language, see this programmer.io site. Now ASoC users can now include file types of. rpg, .rpgl and .rpgle in static analysis. At the time of this writing, AppScan on Cloud now supports over 30 different languages.
Greater flexibility and control
A constant area of focus for AppScan on Cloud is to make it easier to run scans that are meaningful and effective at vulnerability remediation. As part of this effort, we have added a new report type for the 2021 OWASP Top 10 and several new capabilities to increase the amount of flexibility ASoC users have for controlling scans.
Specifically, we have added the following:
- Support for both including and excluding .NET namespaces.
- Support for specifying cache locations when Java parallel processing is used.
- A new Rider plugin.
- Greater support for viewing issues found for the first time in the application.
- Easier processes for scheduling and editing a configured schedule
- New icons to indicate the “Scheduled” and “Repeat” status of scans.
- An automatic log-out following an inactivity period of 30 minutes as well as two changes for how business units are managed.
- Support for merging two business units and the ability to add a limit to the number of business units allowed in the organization.
Specific to IAST
No discussion on ASoC would be complete without highlighting new features added for Interactive Application Security Testing (IAST). With the most recent upgrade, we added the ability to update the IAST agent configuration and made changes to improve overall performance: Java 17 support and enhanced support for communication with AppScan Enterprise in environments where the proxy is set through Java properties. Additionally, there are several new security features for IAST, including the capability to identify XXE on a JAXB class (more information on this particularly vulnerable class can be found at the OWASP XXE site) and detect JSON XSS informational issues (an XSS variant of vulnerable data written to responses as JSON).
We are confident that our existing AppScan on Cloud users will enjoy the benefits of these new additions. If you are not yet an AppScan on Cloud user, we encourage you to visit our AppScan on Cloud site and sign up for our free trial to experience our new features first-hand.