HCL AppScan IAST

Category: IAST
License: Commercial

HCL AppScan IAST monitors application runtime behavior during functional and QA testing to detect security vulnerabilities.

Its patented algorithms track data flow and validate findings, significantly reducing false positives compared to traditional scanners.

What is HCL AppScan IAST?

HCL AppScan IAST is an interactive application security testing solution that instruments Java and .NET applications with lightweight agents.

These agents observe code execution during normal testing activities, identifying vulnerabilities like SQL injection, cross-site scripting, and insecure deserialization without requiring dedicated security test cases.

The technology originated from IBM Security AppScan before HCL acquired the product line in 2019.

It is available through two deployment models: AppScan on Cloud (SaaS) and AppScan Enterprise (on-premises).

Key Features

Patented False Positive Elimination

HCL uses patented algorithms to trace data flow from input sources through the application to sensitive sinks.

By observing actual code execution paths, the agent can verify whether tainted data reaches dangerous operations without proper sanitization.

This validation step eliminates false positives that plague traditional DAST scanners.
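A toy model of the source-to-sink check described above, written as an added illustration (not HCL's agent code): a functional test sends an ordinary value such as "alice" down two code paths that return the same HTTP response, so a DAST scanner cannot tell them apart, while the runtime hooks see whether the value still carries taint when it reaches the database call. The hook names `source`, `escape_sql_literal` and `sql_sink` are hypothetical, and only the `+` operator propagates taint here.

```python
from typing import Optional

# Added illustration of runtime taint tracking, not HCL's agent code.
# Only "+" is modelled; a real agent hooks every string operation,
# framework call and known sanitizer.

class Tainted(str):
    """A str that remembers it came from an untrusted request."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

def source(request_param: str) -> Tainted:
    """Hypothetical hook on request-parameter access (the taint source)."""
    return Tainted(request_param)

def escape_sql_literal(value: str) -> str:
    """Hypothetical hook on a recognised sanitizer: its output is untainted."""
    return str(value).replace("'", "''")

def sql_sink(query: str) -> Optional[dict]:
    """Hypothetical hook on the database execute call (the taint sink).
    A finding is raised only when untrusted data actually reaches it."""
    if isinstance(query, Tainted):
        return {"type": "SQL Injection", "sink": "sql_sink", "query": str(query)}
    return None

def lookup_user(name: str, sanitized: bool) -> Optional[dict]:
    """Two code paths a functional test might exercise with the same input."""
    user = source(name)
    if sanitized:
        user = escape_sql_literal(user)   # taint is cleared here
    return sql_sink("SELECT * FROM users WHERE name = '" + user + "'")
```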

Hot Attach and Detach

The Java agent supports hot attachment to running applications without requiring a restart.

Security teams can enable instrumentation on staging environments during specific test windows, then detach when testing completes.

This flexibility reduces operational disruption in shared environments.

Managed Code Execution for .NET

The .NET agent runs entirely in managed code without disabling JIT optimizations.

This design choice ensures minimal performance impact while maintaining full visibility into application behavior.

The agent monitors both custom application code and framework interactions.

Auto-Issue Correlation

When running IAST alongside DAST or after SAST scans, AppScan automatically correlates related findings across testing types.

A single SQL injection vulnerability detected by SAST, triggered by DAST, and observed by IAST appears as one consolidated issue rather than three separate tickets.
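The consolidation logic described above, as an added example that is not AppScan's own correlation code: findings from the three scan types are constructed inline with different shapes, and the IAST record, which carries both the code location and the request, links the SAST and DAST records into one issue. The field names and the union-find join are assumptions made for the illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed findings (not real AppScan output). Only the IAST record
# carries both the code location and the request, so it bridges the
# SAST (code-only) and DAST (request-only) views of the same bug.
FINDINGS = [
    {"tool": "SAST", "type": "SQL Injection",
     "file": "UserDao.java", "line": 42},
    {"tool": "DAST", "type": "SQL Injection", "method": "GET",
     "url": "https://app.example.com/users?name=test", "param": "name"},
    {"tool": "IAST", "type": "SQL Injection",
     "file": "UserDao.java", "line": 42, "route": "GET /users", "param": "name"},
    {"tool": "SAST", "type": "Cross-Site Scripting",
     "file": "ProfileController.java", "line": 88},
]

def match_keys(f: dict) -> set:
    """Identity keys a finding can be joined on: type plus a code or HTTP location."""
    out = set()
    if "file" in f:
        out.add((f["type"], "code", f["file"], f["line"]))
    if "route" in f:
        out.add((f["type"], "http", f["route"], f["param"]))
    if "url" in f:  # DAST reports a URL; normalise it to "METHOD /path"
        route = f"{f['method']} {urlsplit(f['url']).path}"
        out.add((f["type"], "http", route, f["param"]))
    return out

def correlate(findings: list) -> list:
    """Union-find: findings that share any key collapse into one issue."""
    parent = list(range(len(findings)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    first_owner = {}
    for i, f in enumerate(findings):
        for k in match_keys(f):
            if k in first_owner:
                parent[find(i)] = find(first_owner[k])
            else:
                first_owner[k] = i
    groups = defaultdict(list)
    for i, f in enumerate(findings):
        groups[find(i)].append(f)
    return [{"type": g[0]["type"], "tools": sorted(x["tool"] for x in g)}
            for g in groups.values()]
```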

API Discovery

The IAST agent automatically catalogs all APIs exercised during testing.

This discovery capability helps security teams maintain accurate API inventories and identify endpoints that manual documentation has missed.
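One way to turn the agent's catalogue into an inventory check, as an added example rather than AppScan's own reporting: the routes observed during a test run (constructed here) are reconciled against the team's documented path templates to list endpoints that are undocumented, and documented endpoints the functional tests never exercised. The observed list, the documented inventory and the `reconcile` function are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed inputs (not real agent output): routes observed during one
# functional test run, and the team's documented inventory of templates.
OBSERVED = [
    ("GET", "/api/users/123"), ("GET", "/api/users/123"),
    ("GET", "/api/users/123/orders"), ("POST", "/api/users"),
    ("DELETE", "/api/users/42"), ("GET", "/internal/debug/config"),
]
DOCUMENTED = {
    "/api/users": ["GET", "POST"],
    "/api/users/{id}": ["GET"],
    "/api/users/{id}/orders": ["GET"],
    "/api/reports": ["GET"],
}

def template_to_regex(template: str) -> re.Pattern:
    """'/api/users/{id}' matches exactly one path segment per {param}."""
    parts = [r"[^/]+" if p.startswith("{") else re.escape(p)
             for p in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")

def reconcile(observed, documented) -> dict:
    """Compare exercised routes with the documented inventory."""
    patterns = {t: template_to_regex(t) for t in documented}
    seen = Counter()            # (method, template) -> request count
    undocumented = set()
    for method, path in observed:
        template = next((t for t, rx in patterns.items() if rx.match(path)), None)
        if template is None or method not in documented[template]:
            # Unknown path, or a known path with an undocumented method
            undocumented.add((method, template or path))
        else:
            seen[(method, template)] += 1
    unexercised = {(m, t) for t, ms in documented.items() for m in ms
                   if (m, t) not in seen}
    return {"undocumented": sorted(undocumented),
            "unexercised": sorted(unexercised),
            "coverage": dict(seen)}
```

Undocumented routes are the ones to review first; unexercised routes show where the functional suite gives the agent no chance to observe anything.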

How to Use HCL AppScan IAST

Java Agent Installation

Download the agent from your AppScan portal and add it to your JVM arguments:

# Start application with IAST agent
java -javaagent:/opt/appscan/iast-agent.jar \
     -Dappscan.iast.server=https://appscan.example.com \
     -Dappscan.iast.key=$APPSCAN_API_KEY \
     -jar myapplication.jar

For hot attach to a running process:

# Attach to running JVM by PID
java -jar /opt/appscan/iast-attacher.jar \
     --pid 12345 \
     --server https://appscan.example.com \
     --key $APPSCAN_API_KEY

.NET Agent Installation

Install the .NET agent as a NuGet package or via the standalone installer, then point it at your AppScan server; keep the API key out of source control and supply it from an environment variable or secret store rather than hard-coding it:

# Install via NuGet for ASP.NET Core applications
dotnet add package HCL.AppScan.IAST.Agent

# Configure in appsettings.json
{
  "AppScanIAST": {
    "ServerUrl": "https://appscan.example.com",
    "ApiKey": "${APPSCAN_API_KEY}",
    "ProjectName": "MyApplication"
  }
}

CI/CD Integration

Integrate IAST into your pipeline by running functional tests against the instrumented application:

# Azure DevOps Pipeline example
stages:
  - stage: SecurityTesting
    jobs:
      - job: IAST
        steps:
          - task: Docker@2
            inputs:
              command: run
              arguments: >
                -d --name app-iast
                -e APPSCAN_SERVER=$(AppScanServer)
                -e APPSCAN_KEY=$(AppScanKey)
                myapp:iast-enabled

          - script: npm run integration-tests
            displayName: Run functional tests

          - script: |
              curl -X POST "$(AppScanServer)/api/iast/finalize" \
                   -H "Authorization: Bearer $(AppScanKey)"
            displayName: Finalize IAST session

When to Use HCL AppScan IAST

HCL AppScan IAST is well-suited for enterprises with established Java and .NET application portfolios, particularly those already using other AppScan products for SAST or DAST.

Consider HCL AppScan IAST when you need:

  • Accurate runtime vulnerability detection with minimal false positives
  • Integration with existing HCL AppScan SAST or DAST deployments
  • Hot attach capability for testing in shared staging environments
  • Support for both cloud and on-premises deployment models
  • Automatic correlation across multiple testing methodologies
  • API discovery during functional testing cycles

Organizations running languages beyond Java and .NET should evaluate alternatives, as AppScan IAST does not currently support Python, Node.js, or Go.