HCL Software
AppScan (HCL) test
Dynamic Application Security Testing · Category 9. DAST · Tier 2
CL Listed — Visible
Methodology v3.5 · OLIR Schema
April 2026
Evaluation Tier: Visible (Listed) → Verified (CAE) → Enterprise (EEE)
Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed
⚡ Executive Summary 30 seconds
What it is
Automated dynamic application security testing (DAST) scanner for web vulnerability detection. AppScan DAST performs black-box testing of running web applications to identify security vulnerabilities including injection flaws, broken authentication, XSS, and misconfigurations without requiring access to source code.
Best for
Automated web vulnerability scanning (OWASP Top 10), PCI DSS v4.0 Req. 6.2/6.3/6.4 (secure development, vulnerability management, assessment of public-facing web apps), DORA Art. 8(5) (ICT testing methodologies). Ideal for security teams needing continuous automated testing of production and pre-production web applications.
What it does NOT do
No source code analysis (SAST), no WAF capabilities, no runtime protection (RASP), no network security, no IAM, no SIEM functionality. Not a static analysis or SCA tool — focuses exclusively on dynamic black-box vulnerability detection in running applications.
CL Recommendation
AppScan DAST is a mature dynamic scanner whose crawling engine traces back through IBM to Watchfire and Sanctum. Critical for PCI DSS 6.x, OWASP Top 10 coverage, and NIST SSDF verification (PW.8, RV.1). Combine with SAST, WAF (Cat. 6), and SCA tools for complete application security coverage. Strong fit for CI/CD pipeline integration for shift-left security testing.
⚖ Regulatory Fit Per regulation verdict
PCI DSS v4.0
~17% of requirements
✔ Strong — Req. 6.2, 6.3, 6.4 (vulnerability detection in web apps)
DORA
~12% of obligations
● Moderate — Art. 8(5) ICT testing methodologies
NIS2
~8% of Art. 21
△ Supporting — Art. 21(2)(e) security in network and information system acquisition, development and maintenance, incl. vulnerability handling
GDPR
~3% of articles
△ Supporting only — Art. 25 (DPbD via vulnerability detection)
HIPAA
~5% of provisions
△ Supporting only — §164.312(a) access controls via secure apps
NIST SSDF
~40% of practices
✔ Strong — PW.8, RV.1 (runtime testing & vulnerability confirmation); PW.7 is source-code review and outside DAST scope
Detailed regulatory mapping (OLIR format)
PCI DSS v4.0 (PROPRIETARY)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Req. 6.2.4 | Software engineering techniques to prevent common software attacks | Direct | SA-11 / PR.PS-06 | Functional |
| Req. 6.3.1 | Security vulnerabilities identified and managed | Direct | RA-5 / ID.RA-01 | Functional |
| Req. 6.4.1 | Public-facing web applications assessed with automated vulnerability assessment tools (or protected by a WAF) | Direct | RA-5 / ID.RA-01 | Functional |
| Req. 11.3.1 | Internal vulnerability scans | Contributing | RA-5 / ID.RA-01 | Semantic |
DORA (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 8(5) | ICT testing methodologies | Direct | SA-11 / PR.PS-06 | Functional |
| Art. 26(1) | Threat-led penetration testing (TLPT) | Contributing | CA-8 / RS.AN-02 | Semantic |
| Art. 8(4) | Secure ICT development lifecycle | Contributing | SA-15 / PR.PS-06 | Semantic |
NIST SSDF (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| PW.8 | Test executable code to identify vulnerabilities | Equivalent | SA-11 / PR.PS-06 | Syntactic |
| RV.1 | Identify and confirm vulnerabilities on an ongoing basis | Direct | RA-5 / ID.RA-01 | Functional |
| PW.7 | Review and/or analyze human-readable code | Not related | SA-11 / PR.PS-06 | Source-code review (SAST scope); listed only because it is often confused with PW.8 |
Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.
🎯 Buyer Guidance Decision support
✔ Consider When
- + PCI DSS v4.0 Req. 6.3/6.4 web application vulnerability testing compliance
- + Need automated black-box testing without source code access
- + CI/CD pipeline integration for pre-deployment security gates
- + NIST SSDF PW.8/RV.1 runtime testing and vulnerability confirmation required
- + Large web application portfolio requiring continuous DAST scanning
❌ Avoid When
- − Need source code analysis (SAST) — this is a DAST-only configuration
- − Require SCA or open-source dependency scanning
- − Small development team with basic web app (overkill)
- − Need WAF or runtime application protection (RASP)
- − Looking for free or open-source DAST tools (OWASP ZAP alternative)
⚙ Capabilities 19 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers
Web App Scanning 5✓ 0● 0✗
✓ Automated web crawling
Deep crawl engine with JavaScript execution for SPA/AJAX apps
Specific Obl. · Out-of-Box
✓ OWASP Top 10 detection
Coverage of the OWASP Top 10 2021 categories (vendor claim; design-level categories such as A04 Insecure Design and A09 Security Logging and Monitoring Failures are only partially testable by black-box scanning)
Specific Obl. · Out-of-Box
✓ Authenticated scanning
Login sequence recording and replay for protected areas
Specific Obl. · Config Change
✓ Single-page application support
Angular, React, Vue.js dynamic content scanning
Control Family · Config Change
✓ Scan policy templates
Pre-configured policies for quick start (OWASP, PCI, custom)
Generic Control · Out-of-Box
API Testing 4✓ 1● 0✗
✓ REST API scanning
Automated endpoint discovery and vulnerability testing
Specific Obl. · Config Change
✓ OpenAPI/Swagger import
Import API specifications for targeted scanning
Control Family · Out-of-Box
✓ SOAP/WSDL testing
Legacy web service security testing
Control Family · Config Change
● GraphQL scanning
Query injection and introspection vulnerability testing
Control Family · Config Change
✓ Postman collection import
Import existing API collections for coverage
Generic Control · Out-of-Box
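To make concrete what "import API specifications for targeted scanning" actually yields, here is an added example (my code, not HCL AppScan's) that expands a constructed OpenAPI 3 document into the request list a DAST engine enumerates from it: path and query parameters filled from examples, enums or type defaults, a JSON body built from the referenced schema, and each operation's effective security requirement recorded so that endpoints the spec leaves unauthenticated can be reviewed first. SAMPLE_SPEC, the api.example.test host, the placeholder bearer token and the helper names are assumptions made for the example.

```python
"""Expand an OpenAPI 3 document into the concrete requests a DAST scanner
enumerates from it. Added example: SAMPLE_SPEC is a constructed hypothetical
API and the helpers are mine, not HCL AppScan code."""
from urllib.parse import urlencode

# Constructed sample spec. orderId is declared at path level so every method
# on that path inherits it; DELETE opts out of the global bearer requirement
# with an explicit empty security list.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1/"}],
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"Order": {"type": "object", "properties": {
            "sku": {"type": "string", "example": "SKU-1001"},
            "qty": {"type": "integer"},
            "gift": {"type": "boolean"},
            "tags": {"type": "array", "items": {"type": "string"}}}}},
    },
    "paths": {
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"parameters": [{"name": "expand", "in": "query",
                                    "schema": {"type": "string", "enum": ["items", "none"]}}]},
            "delete": {"security": []},
        },
        "/orders": {"post": {"requestBody": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/Order"}}}}}},
    },
}


def resolve(ref, spec):
    """Follow a local JSON pointer such as #/components/schemas/Order."""
    node = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def sample_value(schema, spec):
    """Representative value for a schema fragment: example > enum > type default,
    the same fallback order a crawler uses to fill parameters it has no data for."""
    if "$ref" in schema:
        return sample_value(resolve(schema["$ref"], spec), spec)
    if "example" in schema:
        return schema["example"]
    if "enum" in schema:
        return schema["enum"][0]
    kind = schema.get("type", "string")
    if kind == "object":
        return {k: sample_value(v, spec) for k, v in schema.get("properties", {}).items()}
    if kind == "array":
        return [sample_value(schema.get("items", {}), spec)]
    return {"integer": 1, "number": 1.0, "boolean": True}.get(kind, "test")


def expand_spec(spec):
    """One concrete request per (path, method), with its auth requirement recorded."""
    base = spec["servers"][0]["url"].rstrip("/")
    schemes = spec.get("components", {}).get("securitySchemes", {})
    targets = []
    for path, item in spec["paths"].items():
        shared = item.get("parameters", [])          # path-level params apply to all methods
        for method, op in item.items():
            if method == "parameters":
                continue
            url, query, headers, body = base + path, {}, {"Accept": "application/json"}, None
            for p in shared + op.get("parameters", []):
                value = sample_value(p.get("schema", {}), spec)
                if p["in"] == "path":
                    url = url.replace("{%s}" % p["name"], str(value))
                elif p["in"] == "query":
                    query[p["name"]] = value
                elif p["in"] == "header":
                    headers[p["name"]] = str(value)
            if query:
                url += "?" + urlencode(query)
            content = op.get("requestBody", {}).get("content", {})
            if "application/json" in content:
                body = sample_value(content["application/json"].get("schema", {}), spec)
                headers["Content-Type"] = "application/json"
            # Operation-level security overrides the document default; an explicit
            # empty list means the operation is meant to be reachable without credentials.
            auth = [name for req in op.get("security", spec.get("security", [])) for name in req]
            if any(schemes.get(n, {}).get("scheme") == "bearer" for n in auth):
                headers["Authorization"] = "Bearer <token from scanner login config>"  # placeholder
            targets.append({"method": method.upper(), "url": url, "headers": headers,
                            "body": body, "auth": auth})
    return targets


def unauthenticated(targets):
    """Operations the spec leaves open: the scanner hits these with no credentials,
    so any finding on them is reachable by anyone."""
    return [f"{t['method']} {t['url']}" for t in targets if not t["auth"]]


if __name__ == "__main__":
    for t in expand_spec(SAMPLE_SPEC):
        print(t["method"], t["url"], "auth=" + (",".join(t["auth"]) or "NONE"))
```

Two things to check before trusting coverage numbers from an imported spec: the placeholder bearer value is where the scanner's recorded login sequence has to supply a real token, otherwise every "authenticated" endpoint is tested as an anonymous user and the 401s look like clean results; and every operation the expansion lists as unauthenticated deserves a second look, because a `security: []` left over from development is exactly the kind of flaw a spec-driven scan will exercise but not flag.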
CI/CD Integration 5✓ 0● 0✗
✓ Jenkins plugin
Native Jenkins pipeline integration for automated scans
Control Family · Out-of-Box
✓ Azure DevOps extension
Pipeline task for Azure DevOps build/release pipelines
Control Family · Out-of-Box
✓ GitLab CI integration
YAML-based pipeline integration via CLI
Control Family · Config Change
✓ REST API for automation
Full programmatic access for custom pipeline integration
Control Family · Out-of-Box
✓ Quality gate enforcement
Break builds on severity thresholds (critical, high, medium)
Specific Obl. · Config Change
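The quality-gate and REST-API items above describe breaking a build on severity thresholds. The added example below (my code; the XML layout is a constructed stand-in, not HCL AppScan's export schema or CLI) shows the gate logic a pipeline step would run over an exported scan report: parse the findings, drop those covered by an accepted-risk baseline that has not yet expired, count the rest per severity, and return a non-zero exit status when a threshold is exceeded. SAMPLE_REPORT, DEFAULT_THRESHOLDS and the helper names are assumptions made for the example.

```python
"""CI quality gate over a DAST report. Added example: the XML below is a
constructed stand-in for a scanner export (not HCL AppScan's real schema)
and the helpers are mine."""
import hashlib
import json
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date

# Constructed sample export. A real export carries far more detail; the gate
# needs only severity plus enough location data to recognise a finding again.
SAMPLE_REPORT = """<scan target="https://app.example.test">
  <issue severity="High" cwe="89" url="/login" param="user">SQL injection</issue>
  <issue severity="High" cwe="79" url="/search" param="q">Reflected XSS</issue>
  <issue severity="Medium" cwe="352" url="/profile" param="">Missing CSRF token</issue>
  <issue severity="Medium" cwe="1021" url="/" param="">Missing X-Frame-Options</issue>
  <issue severity="Low" cwe="200" url="/robots.txt" param="">Path disclosure</issue>
</scan>"""

# Maximum open findings tolerated per severity; a severity not listed is unlimited.
DEFAULT_THRESHOLDS = {"Critical": 0, "High": 0, "Medium": 1}


def fingerprint(attrs):
    """Stable identity for a finding. Scanner-assigned issue IDs are reassigned
    between scans; (cwe, url, param) normally is not, so a baseline keyed on it
    keeps working across rescans."""
    key = "|".join(attrs.get(a, "") for a in ("cwe", "url", "param"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def parse_report(xml_text):
    """Flatten <issue> elements into dicts carrying their attributes, title and fingerprint."""
    root = ET.fromstring(xml_text)
    return [dict(e.attrib, title=(e.text or "").strip(), fp=fingerprint(e.attrib))
            for e in root.iter("issue")]


def evaluate(issues, thresholds, baseline, today):
    """Apply thresholds after removing accepted-risk findings.

    baseline maps fingerprint -> ISO expiry date. An expired acceptance stops
    suppressing, so a forgotten risk exception resurfaces in the gate instead of
    hiding a real finding indefinitely. today is an ISO date string."""
    now = date.fromisoformat(today)
    active, suppressed, expired = [], 0, []
    for issue in issues:
        expiry = baseline.get(issue["fp"])
        if expiry is not None and date.fromisoformat(expiry) >= now:
            suppressed += 1
            continue
        if expiry is not None:
            expired.append(issue["fp"])
        active.append(issue)
    counts = Counter(i["severity"] for i in active)
    violations = [f"{sev}: {counts[sev]} > {limit}"
                  for sev, limit in thresholds.items() if counts[sev] > limit]
    return {"counts": dict(counts), "violations": violations,
            "suppressed": suppressed, "expired": expired, "passed": not violations}


def main(argv):
    """usage: gate.py report.xml [baseline.json]   (exit 1 = block the build)"""
    with open(argv[1], encoding="utf-8") as fh:
        issues = parse_report(fh.read())
    baseline = {}
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            baseline = json.load(fh)
    result = evaluate(issues, DEFAULT_THRESHOLDS, baseline, date.today().isoformat())
    print(json.dumps(result, indent=2))
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The baseline is keyed on a fingerprint of (CWE, URL, parameter) rather than the scanner's own issue ID, because IDs are reassigned from scan to scan and a baseline keyed on them silently stops suppressing anything. The expiry date is what stops the 10-20% initial false-positive rate noted further down from hardening into permanent exceptions: every acceptance has to be renewed, and an expired one fails the build until someone looks at it again.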
Reporting 4✓ 0● 0✗
✓ OWASP Top 10 compliance report
Pre-built template mapping findings to OWASP categories
Specific Obl. · Out-of-Box
✓ CWE/CVE mapping
Findings correlated to CWE IDs; CVEs only where a fingerprinted server or component version matches a known advisory
Specific Obl. · Out-of-Box
✓ Executive summary report
High-level risk overview with trend analysis
Generic Control · Out-of-Box
✓ Developer remediation guidance
Fix recommendations with code examples per vulnerability
Data Surfaced · Out-of-Box
🛡 MITRE ATT&CK Mapping Layer 4 — Derived via SP 800-53
M1016
Vulnerability Scanning
Full (claimed)
M1050
Exploit Protection
Full (claimed)
M1013
Application Developer Guidance
Partial (claimed)
M1051
Update Software
Partial (claimed)
Score: 3.2 / 5.0 (64%) — All vendor-claimed. Techniques addressed: T1190, T1059, T1203 (exploitation & injection family).
ATT&CK techniques detail
| Technique | Name | How Addressed | Provenance |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | DAST identifies exploitable vulnerabilities in running web applications before deployment | DERIVED via M1016 |
| T1059 | Command and Scripting Interpreter | Detects injection flaws (SQL, OS command, LDAP) via dynamic testing | DERIVED via M1016 |
| T1203 | Exploitation for Client Execution | Identifies XSS, CSRF, and clickjacking vulnerabilities via black-box testing | DERIVED via M1050 |
📄 Evidence Pack DR-2 §5.1 — Proof of value
✔ DAST scan reports (PDF/XML/HTML)
Detailed dynamic scan findings with OWASP and CWE classification. Exportable.
✔ OWASP compliance evidence
Pre-built OWASP Top 10 pass/fail report for auditor review.
✔ CI/CD scan execution logs
Pipeline integration logs showing scan triggers and gate decisions.
✔ Remediation tracking report
Vulnerability lifecycle from detection to fix verification.
⚠ Third-party validation
Independent DAST tool comparison benchmarks. Limited availability.
Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).
⏱ Operational Metrics & Anti-Hype DR-2 §5.1 + §9.2
| Metric | AppScan Standard (Desktop) | AppScan on Cloud (SaaS) | AppScan Enterprise |
|---|---|---|---|
| Implementation | 1-3 days | 1-2 weeks | 4-8 weeks |
| FTE Required | 0.1 FTE | 0.25 FTE | 0.5-1 FTE |
| Time to first value | Day 1 (first DAST scan on a target web application), all editions | | |
| Time to production | Month 1-3 (all web apps onboarded, CI/CD gates active, scan policies tuned), all editions | | |
Anti-Hype: Marketing vs. Reality
Most comprehensive DAST scanner
Strong web application crawling and detection, but API testing and SPA support are still maturing compared to newer competitors.
Partial
Zero false positives with smart validation
Automatic validation reduces false positives but does not eliminate them. Expect 10-20% FP rate on initial scans.
Misleading
Full CI/CD integration in minutes
Jenkins and Azure DevOps plugins available, but production-grade pipeline integration requires scan policy tuning and threshold configuration.
Partial
IBM research-backed detection engine
Accurate as to lineage: the AppScan engine has been developed continuously since the late 1990s (Sanctum, then Watchfire, acquired by IBM in 2007 and sold to HCL in 2019), so its crawler and vulnerability signatures reflect 20+ years of research; only about twelve of those years were under IBM.
Verified
⚖ Strengths & Cautions
✔ Strengths
- + Deep web crawling engine with strong JavaScript/AJAX execution
- + Long lineage: 20+ years of web vulnerability research (Sanctum, Watchfire, IBM, now HCL)
- + Comprehensive OWASP Top 10 and CWE/SANS Top 25 coverage
- + Flexible deployment: desktop, SaaS, and enterprise on-prem
- + Strong CI/CD integration (Jenkins, Azure DevOps, GitLab)
- + Automatic vulnerability validation to reduce false positives
⚠ Cautions
- ! DAST-only — no source code analysis or SAST capabilities in this configuration
- ! Full web app scans can be time-consuming on large applications (hours)
- ! Modern SPA/React scanning requires careful configuration for coverage
- ! Enterprise licensing model — no free tier for small teams
- ! GraphQL and modern API protocol support still maturing
- ! Acquired by HCL from IBM in 2019; HCL ecosystem and support still evolving
- ! All capabilities VENDOR-CLAIMED (no CL independent testing)
📈 Competitive Positioning Category 9 — DAST
| Capability | AppScan (HCL) test | Invicti | Acunetix | Burp Suite |
|---|---|---|---|---|
| Web App DAST | ✔ | ✔ | ✔ | ✔ |
| API Testing | ✔ | ✔ | ✔ | ✔ |
| CI/CD Integration | ✔ | ✔ | ✔ | ✔ |
| Authenticated Scanning | ✔ | ✔ | ✔ | ✔ |
| SPA/JS Support | ✔ | ✔ | ✔ | ✔ |
| On-prem Deployment | ✔ | ✔ | ✔ | ✔ |
| Pricing Entry | Enterprise only | Enterprise only | Mid-market | Community (free; the automated scanner requires Professional) |
Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.
📑 Framework Views Hub: CSF 2.0 + 800-53r5 + ISO 27001
NIST SP 800-53 Rev 5
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| SA-11 | Developer Testing & Evaluation | direct | DERIVED via PCI DSS 6.2 |
| RA-5 | Vulnerability Monitoring & Scanning | direct | DERIVED via PCI DSS 6.3 |
| CA-8 | Penetration Testing | contributing | DERIVED via DORA Art. 26 |
| SI-10 | Information Input Validation | direct | DERIVED via OWASP A03 |
NIST CSF 2.0
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| PROTECT | PR.PS-06 Secure software development | contributing | DERIVED via SA-11 |
| IDENTIFY | ID.RA-01 Vulnerability identification | direct | DERIVED via RA-5 |
| DETECT | DE.CM-09 Software monitoring | contributing | CL-ORIGINAL |
| RESPOND | RS.AN-02 Impact analysis | contributing | CL-ORIGINAL |
ISO 27001:2022 Annex A
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| A.8.29 | Security testing in development and acceptance | direct | DERIVED via NIS2-ISO |
| A.8.25 | Secure development life cycle | contributing | DERIVED via ISO 27034 |
| A.8.8 | Management of technical vulnerabilities | direct | CL-ORIGINAL |
| A.8.28 | Secure coding | contributing | DERIVED via OWASP-ISO |
Vendor Security Practices (SSDF / CRA)
| SSDF ID | Practice | Status |
|---|---|---|
| PW.1 | Risk-based secure design | Claimed |
| RV.2 | Timely vulnerability remediation | Claimed |
| PO.5 | Secure development environment | Claimed |
| PS.3 | SBOM available | Not stated |
| RV.1 | Vulnerability disclosure program | Claimed |
| PS.2 | Code signing | Unknown |
Compliance Labs · Software Listing v3.5 · OLIR Schema
Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · April 2026