HCL AppScan on Cloud (ASoC) Connector Guide

How to set up and use the HCL AppScan on Cloud (ASoC) connector in RiskSense.

Overview

HCL AppScan on Cloud (ASoC) is HCL's SaaS application security testing service. It consolidates HCL Security's testing capabilities (dynamic, static and open-source analysis) into a single service that gives a uniform experience across technologies.

The RiskSense platform provides an API-based connector to HCL ASoC that imports DAST, SAST and Open Source (OSS) findings. This gives customers visibility into the risk from vulnerabilities in their source code and web applications and a single place to manage those vulnerabilities.

User Prerequisites/HCL ASoC Setup

HCL ASoC is a cloud-based solution. Access to the cloud instance at https://cloud.appscan.com/ with scanning capabilities is a prerequisite.

The user whose account generates the API key must have view access to applications, scans, and their corresponding issues. Any role above Application Manager (the default role in HCL ASoC) is sufficient for pulling data; generate the key from the least-privileged account that meets this requirement rather than from an administrator. Refer to the following link for more information: https://help.hcltechsw.com/appscan/ASoC/appseccloud_user_roles_cm.html

Steps to Generate Key ID and Key Secret from ASoC Instance

The connector authenticates to the ASoC API with a Key ID and Key Secret generated from your ASoC account.

Log in to the HCL ASoC cloud instance, click on the left hamburger menu, and navigate to the Settings page.

HCL Connector - Settings Menu Location

On the Settings page, click Generate to obtain a new Key and Secret for accessing the API endpoints.

HCL Connector - Generate Button Location

Once the pair is generated, copy both values immediately: the secret cannot be retrieved later, only replaced by generating a new pair. Store it in a secrets manager rather than in tickets or chat, and generate a new pair if it is ever exposed.

HCL Connector - Key ID and Key Secret

HCL ASoC Connector API Calls

The following API calls are performed during a connector run to pull vulnerabilities from HCL ASoC into RiskSense.

API Type                                       Endpoint
Authentication                                 https://cloud.appscan.com/api/V2/Account/ApiKeyLogin
List Applications                              https://cloud.appscan.com/api/V2/Apps
Get list of Issues for each Application        https://cloud.appscan.com/api/v2/Issues/Application/{app-id}
Get Issue details for each Issue               https://cloud.appscan.com/api/v2/Issues/{issue-id}/Artifacts
Get Issue advisory for each Issue              https://cloud.appscan.com/api/v2/Issues/{issue-id}/Advisory?locale=en-US
Get Issue fix recommendation for each Issue    https://cloud.appscan.com/api/v2/Issues/{issue-id}/FixRecommendation?locale=en-US
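The sequence in the table, as an added example that is not RiskSense's connector code and not HCL's client library. It shows what a correct run looks like (login once, then reuse the token; never persist the secret) and what the Test Credentials step needs to prove. The request and response shapes are assumptions not stated on this page: that ApiKeyLogin takes a JSON body with KeyId and KeySecret and returns a Token that later calls send as a Bearer token, and that Apps and Issues return JSON lists of objects with an "Id" field; the FakeAsoc class and its records are constructed so the flow runs offline.

```python
"""Added example (not RiskSense's connector code): the API sequence from the
table above, with the credential handling a connector should have.

Assumptions not stated on the page: ApiKeyLogin takes a JSON body with
KeyId and KeySecret and returns {"Token": ...}, which later calls send as a
Bearer token; Apps and Issues endpoints return JSON lists of objects with
an "Id" field. Verify these against the ASoC API reference before use.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

BASE = "https://cloud.appscan.com/api"

# transport(method, url, headers, json_body) -> decoded JSON
Transport = Callable[[str, str, Dict[str, str], Optional[Any]], Any]


def http_transport(method: str, url: str, headers: Dict[str, str], body: Optional[Any]) -> Any:
    """Real transport over the stdlib; use this when running against cloud.appscan.com."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def login(transport: Transport, key_id: str, key_secret: str) -> str:
    """Exchange the Key ID / Key Secret for a token. The secret is sent once, here,
    and never stored or logged; only the session token is reused afterwards."""
    resp = transport("POST", f"{BASE}/V2/Account/ApiKeyLogin",
                     {"Content-Type": "application/json"},
                     {"KeyId": key_id, "KeySecret": key_secret})
    token = resp.get("Token") if isinstance(resp, dict) else None
    if not token:
        raise RuntimeError("ApiKeyLogin succeeded but returned no Token")
    return token


def check_credentials(transport: Transport, key_id: str, key_secret: str) -> bool:
    """What the connector's Test Credentials step must prove: the key pair can log in."""
    try:
        login(transport, key_id, key_secret)
        return True
    except PermissionError:
        return False


def pull_findings(transport: Transport, key_id: str, key_secret: str) -> Dict[str, List[Dict[str, Any]]]:
    """Walk the endpoint table: login, apps, issues per app, then the three per-issue lookups."""
    token = login(transport, key_id, key_secret)
    auth = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    findings: Dict[str, List[Dict[str, Any]]] = {}
    for app in transport("GET", f"{BASE}/V2/Apps", auth, None):
        app_id = app["Id"]
        issues = transport("GET", f"{BASE}/v2/Issues/Application/{app_id}", auth, None)
        findings[app_id] = [
            {
                "issue": issue,
                "artifacts": transport("GET", f"{BASE}/v2/Issues/{issue['Id']}/Artifacts", auth, None),
                "advisory": transport("GET", f"{BASE}/v2/Issues/{issue['Id']}/Advisory?locale=en-US", auth, None),
                "fix": transport("GET", f"{BASE}/v2/Issues/{issue['Id']}/FixRecommendation?locale=en-US", auth, None),
            }
            for issue in issues
        ]
    return findings


class FakeAsoc:
    """Constructed stand-in for cloud.appscan.com so the flow runs offline. It accepts
    one hard-coded key pair and rejects any later call that lacks the bearer token."""
    VALID = {"KeyId": "kid-example", "KeySecret": "ksec-example"}  # constructed
    TOKEN = "constructed-session-token"

    def __init__(self) -> None:
        self.calls: List[tuple] = []
        self.routes = {  # constructed sample records, not real ASoC output
            ("POST", "/V2/Account/ApiKeyLogin"): {"Token": self.TOKEN},
            ("GET", "/V2/Apps"): [{"Id": "app-1", "Name": "Shop"}],
            ("GET", "/v2/Issues/Application/app-1"): [{"Id": "i-1", "Severity": "High", "Status": "Open"}],
            ("GET", "/v2/Issues/i-1/Artifacts"): {"IssueType": "SQL Injection"},
            ("GET", "/v2/Issues/i-1/Advisory?locale=en-US"): {"Advisory": "constructed text"},
            ("GET", "/v2/Issues/i-1/FixRecommendation?locale=en-US"): {"Fix": "constructed text"},
        }

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[Any]) -> Any:
        path = url[len(BASE):]
        self.calls.append((method, path))
        if path.endswith("/ApiKeyLogin"):
            if body != self.VALID:
                raise PermissionError("401 Unauthorized: bad Key ID / Key Secret")
        elif headers.get("Authorization") != f"Bearer {self.TOKEN}":
            raise PermissionError("401 Unauthorized: missing or wrong bearer token")
        return self.routes[(method, path)]


if __name__ == "__main__":
    fake = FakeAsoc()
    print("credentials ok:", check_credentials(fake, "kid-example", "ksec-example"))
    for app_id, items in pull_findings(fake, "kid-example", "ksec-example").items():
        print(app_id, [item["issue"]["Id"] for item in items])
```

To run it against the real service, pass http_transport instead of FakeAsoc() and read the key pair from your secrets store rather than hard-coding it; the per-issue lookups are three calls per finding, so a large application produces many requests per sync.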

Configuring the HCL ASoC Connector in RiskSense

Navigate to the Automate > Integrations page.

HCL Connector - Automate Integrations Page

Using the search bar in the upper-right corner of the Integrations page, type AppScan on Cloud to find the connector. Locate the HCL ASoC card on the page and click Configuration.

HCL Connector - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

  • Connector Name: The name shown for this connector in RiskSense.
  • Access Key: The Key ID generated earlier.
  • Secret Key: The Key Secret generated earlier.
  • URL: The URL of the HCL ASoC cloud instance, for example https://cloud.appscan.com/AsoCUI/serviceui/home
  • SSL: Optional. The instance's SSL certificate, base64 encoded.

HCL Connector - Connector Window

Click Test Credentials to verify that the key pair is correct and can make API calls to HCL ASoC. Then configure the schedule on which the connector retrieves results from the HCL ASoC instance and, optionally, turn on Enable auto URBA (Update Remediation by Assessment).

HCL Connector - Connector Specific Options

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.

HCL Connector - Configured Integration

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform an on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Once the pulled files have been processed on the Uploads page, the ingested data can be viewed on the Applications and Application Findings pages.

Mapping HCL ASoC fields in RiskSense

The HCL ASoC connector pulls DAST, SAST, and OSS findings. This table shows the high-level mapping of HCL ASoC fields to RiskSense fields.

RiskSense Field                HCL ASoC Field (DAST / SAST / OSS)
Scanner Severity               Severity
Scanner Plugin                 Id
Application Name               Name
Plugin Source Status           Status
Plugin Details → FixGroup      FixGroupId (not applicable to DAST findings)

RiskSense Tags

The following HCL ASoC fields are converted into RiskSense tags. These tags are used for searches, playbook automation, and better visualization in Dashboards.

Application Tags

  • Asset GroupName
  • Risk Rating
  • Business Impact
  • Hosts
  • URL
  • Business Owner

Application Findings Tags

  • Scan Name
  • Scanner
  • Domain

Common Fields in RiskSense

The HCL ASoC connector sets the following RiskSense fields to these default values:

  • Scanner Name: HCL ASoC
  • Finding Type: SAST, DAST, or OSS (open source), depending on the type of data
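The field mapping, tag conversion and defaults described in the last three sections, carried out on a single issue record, as an added example that is not RiskSense's connector code. The page names only the RiskSense side of the mapping; the ASoC JSON keys used here (Technology for the scan type, Location for the issue URL, and AssetGroupName, RiskRating, BusinessImpact, Hosts, Url and BusinessOwner on the application record) are assumptions to check against real API output, and the sample records are constructed.

```python
"""Added example (not RiskSense's connector code): normalising one ASoC issue
into the RiskSense fields, tags and defaults listed above.

The page names the RiskSense side of the mapping; the ASoC JSON keys used
here (Technology, Location, AssetGroupName, RiskRating, BusinessImpact,
Hosts, Url, BusinessOwner) are assumptions to check against real API output.
"""
from typing import Any, Dict
from urllib.parse import urlparse

SCANNER_NAME = "HCL ASoC"

# RiskSense application tag -> assumed ASoC key on the application record
APP_TAG_KEYS = {
    "Asset GroupName": "AssetGroupName",
    "Risk Rating": "RiskRating",
    "Business Impact": "BusinessImpact",
    "Hosts": "Hosts",
    "URL": "Url",
    "Business Owner": "BusinessOwner",
}


def finding_type(issue: Dict[str, Any]) -> str:
    """Derive SAST / DAST / OSS from the scan technology (assumed key "Technology").
    Anything unrecognised is an error, not a silent default, so new scan types surface."""
    tech = str(issue.get("Technology", "")).lower()
    if "dynamic" in tech:
        return "DAST"
    if "static" in tech:
        return "SAST"
    if "opensource" in tech or "composition" in tech:
        return "OSS"
    raise ValueError(f"issue {issue.get('Id')}: unknown Technology {issue.get('Technology')!r}")


def application_tags(app: Dict[str, Any]) -> Dict[str, str]:
    """Build the application tags, skipping empty values so no blank tags reach search or playbooks."""
    tags: Dict[str, str] = {}
    for tag, key in APP_TAG_KEYS.items():
        value = app.get(key)
        if isinstance(value, list):
            value = ",".join(str(v) for v in value)
        if value is not None and str(value).strip():
            tags[tag] = str(value).strip()
    return tags


def finding_tags(issue: Dict[str, Any], scan_name: str) -> Dict[str, str]:
    """Scan Name and Scanner always; Domain only when the issue carries a URL (assumed key "Location")."""
    tags = {"Scan Name": scan_name, "Scanner": SCANNER_NAME}
    host = urlparse(str(issue.get("Location") or "")).hostname
    if host:
        tags["Domain"] = host
    return tags


def map_issue(app: Dict[str, Any], issue: Dict[str, Any], scan_name: str) -> Dict[str, Any]:
    """Produce the RiskSense finding: mapped fields, tags, and the connector defaults."""
    ftype = finding_type(issue)
    finding: Dict[str, Any] = {
        "Scanner Name": SCANNER_NAME,
        "Finding Type": ftype,
        "Scanner Severity": issue["Severity"],
        "Scanner Plugin": issue["Id"],
        "Application Name": app["Name"],
        "Plugin Source Status": issue["Status"],
        "Plugin Details": {},
        "Application Tags": application_tags(app),
        "Finding Tags": finding_tags(issue, scan_name),
    }
    if ftype != "DAST":  # FixGroupId is not applicable to DAST findings
        finding["Plugin Details"]["FixGroup"] = issue.get("FixGroupId")
    return finding


# Constructed sample records, not real ASoC output
SAMPLE_APP = {"Name": "Shop", "AssetGroupName": "Retail", "RiskRating": "High",
              "BusinessImpact": " ", "Hosts": ["shop.example.com", "api.example.com"],
              "Url": "https://shop.example.com", "BusinessOwner": "appsec@example.com"}
SAMPLE_DAST = {"Id": "i-1", "Severity": "High", "Status": "Open", "Technology": "DynamicAnalyzer",
               "Location": "https://shop.example.com/login?next=/account", "FixGroupId": None}
SAMPLE_SAST = {"Id": "i-2", "Severity": "Medium", "Status": "Fixed", "Technology": "StaticAnalyzer",
               "FixGroupId": 4711}

if __name__ == "__main__":
    for issue in (SAMPLE_DAST, SAMPLE_SAST):
        print(map_issue(SAMPLE_APP, issue, "nightly"))
```

Two choices matter for later searches and playbooks: an empty ASoC value yields no tag at all rather than a tag with a blank value, and an unrecognised scan technology raises instead of being filed under a default Finding Type, so a new scan type is noticed at ingest rather than misclassified.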