(DevSecOps)
HCL AppScan
Pre-sale
Alantsai@palsys.com.tw
1 DevSecOps
2 AppScan introduction
3 AppScan white-box scanning
4 AppScan black-box scanning
5 AppScan architecture and services
DevSecOps
AppScan
A New Horizon
AppScan and HCL
• About HCL: Fastest growing large technology company* with $9.3B revenue; 147,000 employees across 44 countries
• HCL Values: Bring enduring value to our customers' mission-critical IT investments; drive new capabilities through sustained innovation
• HCL Product Revenue: Most disruptive technology company, and the fastest to reach $1B in products revenue
AppScan timeline
• '98: Developed by Sanctum
• '04: Acquired by Watchfire
• '07: Acquired by IBM
• March 2017: AppScan IP partnership (IPP) between HCL and IBM
• Quarterly release cadence under HCL: 8 quarterly CI/CD releases (9.0.3.7 – 9.0.3.14) since the IPP of AppScan
• July 2019: HCL acquisition of AppScan
• April 3rd 2020: AppScan V10
AppScan improvements under HCL
• 2.5X increased development
• 4X increased research
• Over 2X increased product management
• 1,700+ tickets resolved
• Over 300% workload increase in ASoC year over year
• 80% improvement in customer satisfaction
* Among the Top 10 Global IT service providers
AppScan V10
• Fast and accurate scanning: machine learning and new techniques raise scan accuracy and scan performance
• Protecting the DevOps pipeline: fast and simple to use, with better integration into the customer's existing CI/CD environment
• Enterprise and management: enterprise-grade management features and visibility
AppScan V10 portfolio
• Cloud: AppScan on Cloud ("ASoC") – IAST, DAST, SAST, Mobile, Open Source
• On-Premise: AppScan Enterprise; AppScan Source (SAST); AppScan Standard (DAST)
Types of Application Security Testing with AppScan

DAST
• WHAT: Scans live web applications
• HOW: Tests applications by sending actual attacks and evaluating their responses
• WHEN: Applied in QA/Pre-production testing and during production

SAST
• WHAT: Scans application code to identify vulnerabilities
• HOW: Uses taint analysis and pattern matching to follow data flows and ensure sensitive areas are sanitized
• WHEN: Applied in development, or automated at build or code compilation

IAST
• WHAT: Analyzes live web applications
• HOW: Monitors application behavior as it is being interacted with to identify vulnerabilities
• WHEN: Applied in QA/Pre-production testing

Open Source
• WHAT: Scans for vulnerable open source components
• HOW: Checks if open source packages used by the application have known vulnerabilities
• WHEN: Applied in development or automated at build, and later when in production
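The SAST entry above rests on one idea: untrusted input (a source) must not reach a sensitive operation (a sink) unless it has passed through a sanitizer. The following is an added illustration, not AppScan's engine and not code from the original deck: a minimal intra-procedural taint tracker over Python source using the standard ast module. The source, sink and sanitizer names and the sample snippet are assumptions constructed for this example.

```python
"""Minimal taint analysis over Python source (added example, not AppScan code).

Tracks untrusted data from assumed sources (e.g. request.args.get) through
assignments, string concatenation and f-strings into assumed sinks
(e.g. cursor.execute), treating assumed sanitizers (e.g. escape) as clean.
"""
import ast

# Assumed configuration for the example: names that introduce untrusted data,
# names that consume it dangerously, and names that neutralise it.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system", "subprocess.call"}
SANITIZERS = {"escape", "quote_identifier", "int"}


def _dotted(node: ast.AST) -> str:
    """Dotted name of a call target, e.g. request.args.get -> 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line, sink name, unparsed tainted argument)

    def is_tainted(self, node) -> bool:
        """Decide whether an expression carries untrusted data."""
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False           # sanitizer output is considered clean
            # any other call propagates taint from its positional arguments
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.BinOp):    # e.g. "SELECT ... '" + user + "'"
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # reassigned with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        if _dotted(node.func) in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append((node.lineno, _dotted(node.func), ast.unparse(arg)))
        self.generic_visit(node)


def analyze(source: str):
    """Return a list of (line, sink, argument) findings for the given source text."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program: lines 3 and 7 pass untrusted data to a sink;
# lines 5 and 9 are clean because the data went through a sanitizer.
SAMPLE = '''
user = request.args.get("name")
cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
safe = escape(user)
cursor.execute(f"SELECT * FROM users WHERE name = '{safe}'")
query = "SELECT * FROM users WHERE name = '" + user + "'"
cursor.execute(query)
limit = int(request.args.get("limit"))
cursor.execute("SELECT * FROM users LIMIT " + str(limit))
'''

if __name__ == "__main__":
    for line, sink, arg in analyze(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}({arg})")
```

The analyzer is deliberately flow-insensitive within a single scope and ignores keyword arguments, containers and cross-function calls; a production SAST engine handles those, but the source/sink/sanitizer model is the same.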
AppScan V10 DevSecOps
• Development phases: Design, Code, Build, Test, Check-In
  – CodeSweep; SAST, DAST, SCA, Mobile; IAST
• HCL Application Security
• Operations phases: Assess, Track, Monitor, Deploy
  – DAST; ASM, AppScan Issue Gateway
AppScan
Standard V10
AppScan Standard
• Black-box security testing tool; no program source code required
• Uses Dynamic Application Security Testing (DAST) to simulate attacker techniques, effectively identifying and discovering real vulnerabilities in web applications
• Web application security testing tool
• SQL injection, Cross-site scripting, Buffer overflow
• Automated security analysis to detect exploitable resources
• Vulnerabilities identified through dynamic analysis
• Provides security assessment during the development process
• Provides penetration testing for developers
• A comprehensive testing solution for security and regulatory-compliance stakeholders
• Provides management, reporting and dashboards
AppScan Standard V10 / scan optimization levels

Optimization Level | Issues Coverage | Test Duration | Audience
No Optimization    | 100%            | 100%          | Major release, compliance and benchmarks.
'Fast'             | 97%             | 50%           | Security expert, for more frequent scans.
'Faster'           | 85%             | 20%           | DevSecOps during ongoing evolution.
'Fastest'          | 70%             | 10%           | Dev and QA during initial evolution.
AppScan
Source V10
AppScan Source
• Static Application Security Testing (SAST) solution
• Scans application source code for security risks and known vulnerabilities
• Integrates with existing development tools and DevOps build frameworks so that security issues are resolved early in the software development lifecycle
• Centrally manages and enforces security policies
• Reporting, management and compliance features support communication of security posture and issues
• Uses parallel computing to greatly speed up SAST testing, and AI to reduce false positives
AppScan Source Overview (SAST)
• Source for Analysis: white-box scanning; analysis result reports; security policy management
• Source for Automation: automated scanning; ANT, Make, Maven integration; data access API
• Source for Remediation: investigate vulnerabilities; guided remediation; non-scanning IDE plug-in
• Source for Development: investigate vulnerabilities; guided remediation; IDE scanning; Confirm Fix

AppScan Enterprise Server (ASE): Governance -- Collaboration -- Enterprise Reporting -- Central AppSec Management
CodeSweep
AppScan
A New Horizon
Architecture overview:
1. Targets containerised secure development
2. A small but complete environment to get started
3. Efficient underlying storage improves overall performance
Services we provide:
1. HCL AppScan installation and consulting services
2. Container platform (OpenShift) installation and maintenance
3. HITACHI hardware consulting and operations
Thanks
for Listening
www.palsys.com.tw