HCL Software

HCL AppScan on Cloud test

Application Security Testing (SaaS) · Category 9. AppSec (SaaS) · Tier 2

CL Listed — Visible
Methodology v3.5 · OLIR Schema
Avril 2026

Evaluation Tier: Visible (Listed) → Verified (CAE) → Enterprise (EEE) Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed

⚡ Executive Summary 30 seconds

What it is

Fully managed cloud-based application security testing platform combining Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) in a single SaaS offering. No on-premises infrastructure required — all scanning runs in HCL's cloud environment.

Best for

PCI DSS Req. 6.2/6.3 (secure development lifecycle), DORA Art. 8(4) (secure ICT development), NIST SSDF PW.6/PW.7 (code verification and testing). Ideal for organizations wanting comprehensive AppSec without managing scanning infrastructure, especially mid-market teams transitioning from manual code reviews.

What it does NOT do

No runtime protection (RASP), no WAF capabilities, no network security, no IAM, no endpoint detection, no container security. Not a runtime defense tool — focuses exclusively on pre-deployment application vulnerability identification across code, binaries, and running apps.

CL Recommendation

HCL AppScan on Cloud is a strong SaaS-first AppSec platform combining SAST, DAST, and SCA without infrastructure overhead. Critical for PCI DSS 6.x, DORA Art. 8, and NIST SSDF compliance. Combine with WAF (Cat. 6), SIEM (Cat. 12), and RASP for full application lifecycle security. Strong alternative to Veracode and Checkmarx for teams preferring cloud-managed scanning.

⚖ Regulatory Fit Per regulation verdict

PCI DSS v4.0

~18% of requirements

✔ Strong — Req. 6.2, 6.3, 6.5 (secure dev lifecycle & vulnerability scanning)

DORA

~13% of obligations

● Moderate — Art. 8(4) secure ICT dev, Art. 8(5) testing

NIS2

~12% of Art. 21

● Moderate — Art. 21(2)(e) secure dev, Art. 21(2)(d) supply chain (SCA)

GDPR

~5% of articles

△ Supporting only — Art. 25 (DPbD via secure code), Art. 32 (secure processing)

HIPAA

~7% of provisions

△ Supporting only — §164.312(a) access controls via secure code

NIST SSDF

~55% of practices

✔ Strong — PW.4, PW.5, PW.6, PW.7 (code analysis & composition analysis)

▼ Show detailed regulatory mapping (OLIR format)

PCI DSS v4.0 (PROPRIETARY)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
Req. 6.2.1	Secure development processes	Direct	SA-3 / PR.PS-06	Functional
Req. 6.2.3	Code review before release	Direct	SA-11 / PR.PS-06	Functional
Req. 6.3.1	Identify vulnerabilities	Direct	RA-5 / ID.RA-01	Functional
Req. 6.3.2	Maintain inventory of third-party software	Contributing	SR-3 / GV.SC-05	Semantic

DORA (OPEN_GOV)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
Art. 8(4)	Secure ICT dev lifecycle	Direct	SA-15 / PR.PS-06	Functional
Art. 8(5)	ICT testing methodologies	Contributing	SA-11 / PR.PS-06	Semantic
Art. 24(1)	Threat-led penetration testing	Contributing	CA-8 / RS.AN-02	Semantic

NIS2 (OPEN_GOV)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
Art. 21(2)(e)	Security in system acquisition/dev	Direct	SA-15 / PR.PS-06	Functional
Art. 21(2)(d)	Supply chain security	Direct	SR-3 / GV.SC-05	Functional

NIST SSDF (OPEN_GOV)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
PW.6	Verify code meets security requirements	Equivalent	SA-11 / PR.PS-06	Syntactic
PW.7	Review and test code for vulnerabilities	Equivalent	SA-11 / PR.PS-06	Syntactic
PW.4	Reuse secure software components	Direct	SR-3 / GV.SC-05	Functional
RV.1	Identify and confirm vulnerabilities	Direct	RA-5 / ID.RA-01	Functional

Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.

🎯 Buyer Guidance Decision support

✔ Consider When

+ Need SAST + DAST + SCA in a single cloud-managed platform
+ No appetite for managing on-prem scanning infrastructure
+ PCI DSS Req. 6.2/6.3 secure development lifecycle compliance
+ NIST SSDF compliance for government or regulated industries
+ Mid-market team needing comprehensive AppSec without enterprise complexity
+ Open-source dependency risk management via SCA

❌ Avoid When

− Require on-premises scanning for air-gapped environments
− Need runtime protection (RASP) or WAF capabilities
− Extremely sensitive code that cannot leave your network
− Need container and Kubernetes security scanning
− Budget-constrained startup — Snyk or GitHub Advanced Security may be cheaper
− Need advanced IAST capabilities

⚙ Capabilities 20 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers

Cloud SAST 5✓ 0● 0✗▼

✓

Multi-language static analysis

Java, C#, Python, JavaScript, Go, PHP, Swift, and more

Specific Obl.Out-of-Box

✓

IaC security scanning

Terraform, CloudFormation, Docker, Kubernetes manifests

Control FamilyConfig Change

✓

Incremental scanning

Scan only changed files for fast CI/CD feedback

Generic ControlOut-of-Box

✓

Custom rule creation

Organization-specific security rules

Control FamilyConfig Change

✓

Fix recommendations

AI-assisted remediation suggestions with code snippets

Data SurfacedOut-of-Box

Cloud DAST 4✓ 1● 0✗▼

✓

Automated web app scanning

OWASP Top 10 and CWE/SANS Top 25 coverage

Specific Obl.Out-of-Box

✓

API security testing

REST, SOAP, GraphQL endpoint scanning

Specific Obl.Config Change

✓

Authenticated scanning

Control FamilyConfig Change

●

Mobile app testing

Android and iOS dynamic testing

Control FamilyConfig Change

✓

Scheduled scanning

Automated recurring scan configuration

Control FamilyOut-of-Box

SCA & Open Source 5✓ 0● 0✗▼

✓

Open-source vulnerability detection

CVE/NVD matching for third-party libraries

Specific Obl.Out-of-Box

✓

License risk analysis

GPL, AGPL, MIT, Apache license compliance

Control FamilyOut-of-Box

✓

Dependency tree mapping

Transitive dependency vulnerability tracking

Control FamilyOut-of-Box

✓

SBOM generation

Software Bill of Materials in CycloneDX/SPDX format

Specific Obl.Out-of-Box

✓

Outdated component alerts

Notifications for end-of-life and unsupported packages

Generic ControlOut-of-Box

Platform & Integration 5✓ 0● 0✗▼

✓

CI/CD integration

Jenkins, Azure DevOps, GitLab, GitHub Actions plugins

Control FamilyOut-of-Box

✓

IDE plugins

VS Code, IntelliJ, Eclipse real-time feedback

Generic ControlOut-of-Box

✓

REST API

Full programmatic access for automation

Control FamilyOut-of-Box

✓

Compliance reporting

PCI DSS, OWASP, CWE pre-built report templates

Specific Obl.Out-of-Box

✓

Role-based access control

Multi-tenant with granular permissions

Control FamilyConfig Change

🛡 MITRE ATT&CK Mapping Layer 4 — Derived via SP 800-53

M1016

Vulnerability Scanning

Full (claimed)

M1051

Update Software

Full (claimed)

M1050

Exploit Protection

Partial (claimed)

M1013

Application Developer Guidance

Full (claimed)

Score: 3.5 / 5.0 (70%) — All vendor-claimed. Techniques addressed: T1190, T1059, T1203, T1195 (exploitation & supply chain family).

▼ Show ATT&CK techniques detail

Technique	Name	How Addressed	Provenance
T1190	Exploit Public-Facing Application	SAST/DAST identifies exploitable web app vulnerabilities before deployment	DERIVED via M1016
T1059	Command and Scripting Interpreter	SAST detects injection flaws in source code; DAST validates at runtime	DERIVED via M1016
T1203	Exploitation for Client Execution	Identifies XSS, CSRF, and client-side injection vulnerabilities	DERIVED via M1050
T1195	Supply Chain Compromise	SCA identifies vulnerable and malicious open-source dependencies	DERIVED via M1051

📄 Evidence Pack DR-2 §5.1 — Proof of value

✔

SAST scan reports (PDF/XML)

Detailed source code findings with CWE mapping. Cloud-hosted and exportable.

✔

DAST scan reports

OWASP Top 10 compliance evidence. PDF/HTML export.

✔

SCA vulnerability reports

Open-source library CVE inventory with remediation paths.

✔

SBOM export

CycloneDX and SPDX format Software Bill of Materials.

✔

Compliance mapping reports

PCI DSS, OWASP, CWE/SANS pre-built templates.

⚠

SOC 2 Type II report

Cloud platform security independently audited.

Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).

⏱ Operational Metrics & Anti-Hype DR-2 §5.1 + §9.2

Metric	Standard (SAST or DAST)	Professional (SAST+DAST+SCA)	Enterprise (Full Platform)
Implementation	1-2 weeks	2-4 weeks	4-8 weeks
FTE Required	0.25 FTE	0.5 FTE	0.75-1 FTE
Time to first value	Day 1-3 (first SAST or DAST scan on primary application)
Time to production	Month 1-3 (all apps onboarded, CI/CD gates active, SCA policies tuned)

Anti-Hype: Marketing vs. Reality

Complete AppSec platform in the cloud

Covers SAST, DAST, and SCA. No IAST, RASP, or container security. Complementary tools still needed.

Partial

No infrastructure to manage

Verified. Fully SaaS — no on-prem servers, scanners, or agents required for cloud scanning.

Verified

Enterprise-grade SAST

Solid SAST engine (ex-IBM AppScan heritage) but language coverage narrower than Fortify or Checkmarx.

Partial

AI-powered vulnerability prioritization

ML-based risk scoring exists but requires tuning. Initial false positive rates can be 20-30%.

Partial

Seamless migration from IBM AppScan

Strong compatibility for existing AppScan users. Policy and configuration migration tools available.

Verified

⚖ Strengths & Cautions

✔ Strengths

+ SAST + DAST + SCA combined in single cloud platform
+ Zero infrastructure overhead — fully managed SaaS
+ Strong IBM AppScan heritage and mature scanning engines
+ Pre-built PCI DSS and OWASP compliance reports
+ SBOM generation for supply chain transparency
+ Good CI/CD integration with major DevOps tools
+ Multi-tenant cloud architecture with role-based access

⚠ Cautions

! SAST language coverage narrower than Fortify (33 languages) or Checkmarx
! No on-prem option for air-gapped or data-sovereign environments
! Code leaves your network for cloud-based scanning
! No IAST or RASP capabilities
! Post-IBM acquisition brand recognition still building
! Initial false positive rates require tuning (20-30%)
! All capabilities VENDOR-CLAIMED (no CL independent testing)

📈 Competitive Positioning Category 9 — AppSec (SaaS)

Capability	HCL AppScan on Cloud test	Veracode	Snyk	GitHub Advanced Security
Cloud SAST	✔	✔	✔	✔
Cloud DAST	✔	✔	✗	✗
SCA	✔	✔	✔	✔
SBOM generation	✔	●	✔	✔
CI/CD integration	✔	✔	✔	✔
On-prem option	✗	✗	✗	✗
Pricing entry	Mid-market	Enterprise	Free tier	GitHub Enterprise

Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.

📑 Framework Views Hub: CSF 2.0 + 800-53r5 + ISO 27001

▼ Show NIST SP 800-53, CSF 2.0, ISO 27001 mapping tables

NIST SP 800-53 Rev 5

Control	Name	Contribution	Provenance
SA-11	Developer Testing & Evaluation	direct	DERIVED via PCI DSS 6.2
SA-15	Development Process & Standards	direct	DERIVED via DORA Art. 8(4)
RA-5	Vulnerability Monitoring & Scanning	direct	DERIVED via PCI DSS 6.3
SR-3	Supply Chain Controls & Processes	direct	DERIVED via NIS2 Art. 21(2)(d)
SA-3	System Development Life Cycle	contributing	CL-ORIGINAL

NIST CSF 2.0

Control	Name	Contribution	Provenance
PROTECT	PR.PS-06 Secure software development	direct	DERIVED via SA-11
IDENTIFY	ID.RA-01 Vulnerability identification	direct	DERIVED via RA-5
GOVERN	GV.SC-05 Supply chain risk management	direct	DERIVED via SR-3
DETECT	DE.CM-09 Software monitoring	contributing	CL-ORIGINAL

ISO 27001:2022 Annex A

Control	Name	Contribution	Provenance
A.8.25	Secure development life cycle	Equivalent	OFFICIAL via ISO 27034
A.8.29	Security testing in dev & acceptance	direct	DERIVED via NIS2-ISO
A.8.28	Secure coding	direct	DERIVED via OWASP-ISO
A.8.8	Management of technical vulnerabilities	direct	DERIVED via CVE-ISO
A.5.21	Managing ICT supply chain risks	contributing	CL-ORIGINAL

▼ Show Vendor Security Practices (SSDF / CRA)

SSDF ID	Practice	Status
PW.1	Risk-based secure design	Claimed
RV.2	Timely vulnerability remediation	Claimed
PO.5	Secure development environment	Claimed
PS.3	SBOM available	Claimed
RV.1	Vulnerability disclosure program	Claimed
PS.2	Code signing	Unknown

Compliance Labs · Software Listing v3.5 · OLIR Schema Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · Avril 2026