Frequently Asked Questions

We have outlined a number of frequently asked questions around FIPS-compliant HCL AppScan 360°. Please review the FAQs below. We also invite you to view our short video answering questions about implementation.

Licensing

  • There are multiple license types available that accommodate one of the following:

    • Number of applications to protect

    • Number of contributing users

    • Desired scan concurrency

    Speak with your HCLSoftware Federal Client Director or one of our business partners to determine the right approach for your organization.

  • No, it does not require a license server. An HCL AppScan 360° instance is activated by entering a token, provided via email, into the user interface.

  • Yes, all licensing options allow you to select the level of concurrency. Beyond the license you are only limited by the resources you provide for the HCL AppScan 360° instance.

FedRAMP (See Video Explainer)

  • HCL AppScan 360° does not require FedRAMP Authorization as it is not delivered as a SaaS. View this short video for the complete details of how your organization would install on your premises or in your private cloud.

  • No, HCL AppScan 360° is not delivered as a vendor-managed Software as a Service. Instead, you manage it as a service. See the brief video for the full deployment options.

DevOps

  • HCL AppScan 360° has a Jenkins plugin to simplify automated security testing governance. It allows:

    • Code preparation for SAST scanning

    • Submission of scan requests to AS 360° (SAST, DAST, SCA)

    • Polling for scan completion

    • Results retrieval

    • Stopping the Jenkins pipeline if your governance policy has been violated

Secure AppSec

  • HCLSoftware developed AppScan 360° to be FIPS 140-3 compliant to provide the security levels our federal customers need. FIPS 140-3 compliance is achievable when you install it in a secure environment:

    • The receiving Kubernetes cluster, control plane, and add-ons are FIPS Validated and/or FIPS Ready

    • Ubuntu 22.04 Pro with FIPS enabled is used for the node servers and the installation server

    • The ingress controller used in the cluster is configured securely

  • Yes, we created HCL AppScan 360° to run wherever our U.S. Federal Government clients need to access it, including enclaves and secure networks where a cloud-based solution would not be accessible.

    See the brief video for the full deployment options.

Scan Correlation

  • Yes, findings from prior scans are evaluated by status (e.g., Open, In Progress, Noise) against the results from a just-completed scan. Only findings that are unique to the current scan are counted as new, and previously triaged findings are not re-reported.

Have more questions?

Reach out to our team and we can assist with any additional information you need.