HCL AppScan 360º FAQ

Frequently Asked Questions

We have outlined a number of frequently asked questions around FIPS compliant HCL AppScan 360°. Please review them below. We also invite you to view our short video answering questions about implementation.

Watch video

Licensing

How is the HCL AppScan 360° licensed?

There are multiple license types available that accommodate one of the following:

Number of applications to protect
Number of contributing users
Desired scan concurrency

Please reach out to your sales representative, partner or contact us to determine the right approach for your organization.

Does the product require a license server?

No, it does not require a license server. An HCL AppScan 360° instance is activated by entering a token, provided via email, into the user interface.

Are concurrent scans allowed?

Yes, all licensing options allow you to select the level of concurrency. Beyond the license you are only limited by the resources you provide for the HCL AppScan 360° instance.

FedRAMP

Is HCL AppScan 360° FedRAMP Authorized?

HCL AppScan 360° does not require FedRAMP Authorization as it is not delivered as a SaaS. View this short video for the complete details of how your organization would install on your premises or in your private cloud.

Watch video

Is HCL AppScan 360° delivered as SaaS?

No, HCL AppScan 360° is not delivered as a vendor-managed Software as a Service. Instead, you manage it as a service. See the brief video for the full deployment options.

Watch video

DevOps

We use Jenkins for CI/CD, how will HCL AppScan 360° support us?

HCL AppScan 360° has a Jenkins plugin to simplify automated security testing governance. It allows:

Code prep for scanning for SAST
Submission of scan request to AS 360° (SAST, DAST, SCA)
Polling for scan completion
Results retrieval
Stopping the Jenkins pipeline if your governance policy has been violated

Secure AppSec

How is HCL AppScan 360° considered secure?

HCLSoftware developed AppScan 360° to be FIPS 140-3 compliant to provide the security levels our federal customers need. FIPS 140-3 is achievable when you install it in a secure environment:

The receiving Kubernetes cluster, control plane, and addons are FIPS Validated and/or FIPS Ready
The Ubuntu 22.04 PRO with FIPS enabled is used for Node servers and the installation server
The ingress controller used in the cluster is configured securely

Is HCLSoftware a Cloud Service Provider for HCL AppScan 360°?

No, HCLSoftware created AS 360° to be run wherever U.S Federal Government clients need to access it, including enclaves and secure networks where access to a cloud-based solution would not be accessible.

See the brief video for the full deployment options:

Watch video

Can HCL AppScan 360° be installed in an air-gapped network environment or secure enclave?

Yes, we created HCL AppScan 360° to be run wherever our U.S Federal Government Clients need to access it, including enclaves and secure networks where access to a cloud-based solution would not be accessible.

See the brief video for the full deployment options:

Watch video

Is there data leakage from scan to scan?

No, HCL AppScan 360° creates a new container for every scan request. Upon completion of a scan, that container is not reused and instead destroyed.

Scan Correlation

Are successive scans against the same target correlated?

Yes, findings from prior scans are evaluated by status, e.g., Open, In Progress, Noise, against the results from a just completed scan. Only findings that are unique to the current scan are counted as new, and previously triaged findings are not re-reported.