WebInspect has 3 great new features


We at Fortify have a vision to continue our application security market leadership by providing key enterprise enhancements that focus on improvements in speed, automation and usability. The new WebInspect release (Version 19.1.0) delivers on this with automation capabilities, integration of our dynamic technology into an organization’s ecosystem, and an improved user experience.

There are three big things that stand out for me in this release:

1. Macros

Macro Recorder Updates

  • To support modern frameworks, we’ve released a technical preview of our updated macro recorder tool. After changing the default macro recorder setting under Application Settings, the updated tool will be available via the Basic Scan Wizard.

Macro Validation

  • Ease of use is at the forefront of everything we do. With our new Macro Validation feature, WebInspect can optionally test macros prior to scanning, via both the API and the UI. This tests for failed credentials, failed steps, timeouts, general execution errors, etc.
  • Macro Validation satisfies several use cases:
    • Validation that a previously recorded Macro is still good
    • Validation that Auto-Gen can successfully create a macro
    • API/CLI driven macro validation
    • Scan time macro testing
  • Validation is on by default. Turn it off Scan Stop by modifying Scan Settings | Authentication.

Macro Auto-gen

  • We’re reducing some of the manual touchpoints traditionally required by dynamic scanning. WebInspect can now automatically create a login macro with just a URL, username, and password. This feature is available via the UI, API, and CLI. Keep in mind you can still use our familiar Login Macro Recorder to record a macro manually.

2. API improvements

API Expansion:

  • Our new scans data API endpoint provides a wealth of details around scan statistics, and even enables simplified querying of vulnerability information.
  • Macro Validation – use /testlogin against a scanID
  • Macro Validation – use /Scanner/settings/{filename}/testlogin against settings w/macro
  • Statistics Endpoints – use /data
  • Easily access vulnerability information – use /data/SessionChecks
  • Auto-Macro – passed as an override to a scan

API Scanning Improvements

  • We’re committed to making API scanning easier. Our WISWAG tool can now consume definitions built in the OpenAPI 3.0 specification. WebInspect can also now handle bearer tokens for improved authentication support.

3. WebInspect via a Docker container

4. Bonus – other new features include:

  • Performance Improvements
  • WebSockets Improvements
  • Improved Server-Level Correlation
  • Blind SQL Injection Accuracy
  • Multi-user Login
  • Settings Visualization Improvements

See the full release notes on the Fortify Product Announcements Board. If you haven’t already, subscribe to this board today to stay up to date on what's new with our products!

  1. Log into the community. You may use your MySupport credentials or register if you do not already have them.
  2. Visit the Fortify Product Announcements Board
  3. Click on "Subscribe to forum updates"
  4. To review or modify your notification settings:
    1. Click on your picture in the top right corner
    2. Click My Subscriptions > Notification Settings
    3. Review and modify your settings as desired
