
Dynamic Application Security Testing (DAST) is a black-box testing technique that scans a running web application to identify security vulnerabilities by simulating external attacks. This is done by crawling the site and injecting faulty inputs to observe how the application handles unexpected or erroneous data. Such inputs should trigger an error page; when they do not, the response can signal that a page is revealing sensitive information, or indicate an underlying vulnerability caused by improper error handling.

Validation Methods and Edge Cases

HCL AppScan DAST has two primary methods to validate these types of vulnerabilities. In the first, the DAST engine has been trained on what to look for and uses heuristics to recognize common patterns in error messages that indicate vulnerabilities. These include common database error messages (e.g., MySQL or SQL Server errors) and keywords or phrases such as "null reference," "syntax error," or "exception" that should be flagged as potential security issues.

The second method examines all faulty inputs without being trained on what to look for; it relies on Error Page Detection. A faulty input should trigger an error page, and if it does not, the response is considered a vulnerability. However, there are challenging edge cases where the error message is not very pronounced, or the page carrying the error looks very similar to a regular page. If the scan misses these signs, an error response is misinterpreted as a non-erroneous one, which produces a false positive: the scan reports a potential vulnerability or mishandling of information that is not actually there.

Introducing GenAI

Beginning with HCL AppScan Version 10.7.0, the DAST technology can leverage GenAI to reduce the risk of false positives in these edge cases. Simply put, a prompt is sent to the AI asking whether a given page displays an error to the user. Based on real-world tests with issues raised by customers, the AI has an excellent record of detecting errors in edge cases and complements the HCL AppScan DAST heuristics.

To keep any increase in scan time to a minimum, the AI is only queried when the scan rules require error page detection, and even then only if HCL AppScan DAST fails to detect the error page using heuristics alone. If HCL AppScan detects a response as erroneous without the help of AI, no verification is necessary, because false positives in that direction are rare or non-existent.
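The following is an added example, not code from HCL AppScan or this post, that models the two validation methods described above and the gating rule for the GenAI check: heuristic signatures for verbose error messages, untrained error-page detection by comparing a response with the application's known error page, and an AI judge that is consulted only when both heuristics fail. The signature list, the sample pages, the Jaccard-similarity threshold and the scripted judge are all constructed for illustration; a real deployment would send the page body and the yes/no question to the customer-provided LLM endpoint in place of the stub.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured by a scanner."""
    status: int
    body: str


# --- Method 1: heuristic signatures for verbose, information-leaking errors ---
# Constructed patterns for this example; not AppScan's actual rule set.
LEAK_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),               # MySQL
    re.compile(r"Unclosed quotation mark after the character string", re.I), # SQL Server
    re.compile(r"\bNullReferenceException\b|\bnull reference\b", re.I),
    re.compile(r"\bsyntax error\b", re.I),
    re.compile(r"\b(unhandled )?exception\b", re.I),
    re.compile(r"\bstack trace\b", re.I),
]


def leaked_error_text(resp: Response) -> Optional[str]:
    """Return the first matched signature text, or None if the body looks clean."""
    for pattern in LEAK_SIGNATURES:
        match = pattern.search(resp.body)
        if match:
            return match.group(0)
    return None


# --- Method 2: untrained error-page detection ---
def _tokens(html: str) -> Set[str]:
    """Lower-cased word tokens of the visible text, with markup stripped."""
    text = re.sub(r"<[^>]+>", " ", html)
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of two pages' visible-text vocabularies (0.0 .. 1.0)."""
    ta, tb = _tokens(a), _tokens(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def looks_like_error_page(resp: Response, reference: Response, threshold: float = 0.6) -> bool:
    """Heuristic: an error status, or a body that closely resembles the app's known error page."""
    if resp.status >= 400:
        return True
    return similarity(resp.body, reference.body) >= threshold


# --- Gating the GenAI check ---
# A judge answers "does this page display an error to the user?" with True/False,
# or None when no LLM endpoint is configured. The stub below replaces the real call.
AiJudge = Callable[[str], Optional[bool]]


def classify(resp: Response, reference: Response,
             ai_judge: Optional[AiJudge] = None) -> Tuple[str, bool]:
    """
    Classify the response to a faulty input. Returns (verdict, ai_consulted):
      "verbose-error" - method 1 matched an information-leaking error message
      "error-page"    - the faulty input was handled by an error page (expected)
      "suspect"       - no error page recognised; report the finding for review
    """
    if leaked_error_text(resp):
        return "verbose-error", False
    if looks_like_error_page(resp, reference):
        return "error-page", False        # heuristics succeeded: no AI round-trip
    if ai_judge is not None:
        verdict = ai_judge(resp.body)     # reached only when heuristics failed
        if verdict is True:
            return "error-page", True     # subtle error page recognised: false positive avoided
        return "suspect", True
    return "suspect", False


# Constructed sample pages (not captured from any real application).
REFERENCE_ERROR = Response(500, "<html><title>Oops</title><body><h1>Something went wrong</h1>"
                                "<p>We could not process your request. Please try again later.</p></body></html>")
SAMPLES: Dict[str, Response] = {
    "mysql_leak": Response(200, "<html><body>You have an error in your SQL syntax; check the manual</body></html>"),
    "plain_500": Response(500, "<html><body><h1>Something went wrong</h1></body></html>"),
    "lookalike_200": Response(200, "<html><title>Oops</title><body><h1>Something went wrong</h1>"
                                   "<p>We could not process your request. Please try again.</p></body></html>"),
    "subtle_error": Response(200, "<html><title>Shop</title><body><h1>Search results</h1>"
                                  "<p>Your search could not be completed. Please check the value you entered.</p></body></html>"),
    "normal_page": Response(200, "<html><title>Shop</title><body><h1>Search results</h1>"
                                 "<p>Your search for 'widget' returned 3 items.</p></body></html>"),
}


def scripted_judge(body: str) -> Optional[bool]:
    """Stand-in for the LLM: a scripted verdict for the constructed sample pages."""
    return "could not be completed" in body


def run_demo() -> Dict[str, Tuple[str, bool]]:
    """Classify every sample page; only 'subtle_error' and 'normal_page' reach the judge."""
    return {name: classify(resp, REFERENCE_ERROR, scripted_judge) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, used_ai) in run_demo().items():
        print(f"{name:14} -> {verdict:13} ai_consulted={used_ai}")
```

Running the demo shows the gating in action: the MySQL message, the HTTP 500 and the look-alike page are settled by heuristics alone, while the page that phrases its error as ordinary search copy is the one edge case that goes to the judge and is correctly reclassified as an error page instead of being reported as a finding.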


Screenshot showing the AI configuration in HCL AppScan Standard (DAST tool)
(Note: The customer will need to provide their own LLM endpoint and token.)

HCL AppScan has been incorporating AI into its testing tools for years, primarily to reduce false positives in static application security testing (SAST). This new adoption of GenAI in the DAST engine, together with its use in a new AutoFix function for faster remediation, represents the kind of innovation that is defining HCL AppScan as a global leader in application security testing.

Learn more here about additional updates in HCL AppScan Version 10.7.0; and contact us today to see how we can help you improve your application security posture and reduce business risk in the Digital+ economy.
