WebInspect Agent

I'm trying to run a WebInspect Scan on SSC but it's asking for the WebInspect Agent, somebody knows where can I find it? or where can I download it? 

I read something about the agent come along with the WebInspect's installation but I'm not finding in my installation package.

  • Verified Answer

    WebInspect agent is not required, but it can provide you much greater results with our IAST solution (scanning WI Agent enabled site with WebInspect).  This combination of these these in use is known as "WebInspect Real-Time" or "WIRT".

    The WI Agent supports Java or IIS .NET web server frameworks. It is a specialized form of Fortify Runtime that is meant to communicate with WebInspect or the WebInspect Enterprise Sensor in real-time.  Essentially you download the Runtime installer for your framework (from HP's SSO portal), install it and restart the web service, then scan it.  And WebInspect Agent is free!

    Here are some Tagged articles for these:

    Benefits of WIRT:

    • Attack Surface Exposure – all pages known
    • Attack Surface Exposure – all inputs known
    • Attack Validation – Regardless of the HTTP Response, WebInspect Agent can inform WebInspect when an attack was successful on the back-end
    • Time-Saving – CAPTCHA Bypass (supported CAPTCHA listed in the Fortify System Requirements doc)
    • Time-Saving – Attack types that are having little effect will be advised to turn off
    • Time-Saving – Parameters that were previously tested will be skipped when they appear elsewhere (Java frameworks only)
    • Time-to-Remediation – Duplicate findings are bundled in WebInspect so only one defect is reported.
    • Time-to-Remediation – Any Stack Traces triggered are collected and kept with the vulnerability details.  These can include LOC detail and SQL Query information.