How to initiate WebInspect scan from Fortify SSC?

We are using WebInspect Standalone 19.1.0 and SSC 19.1.0. Is there any way we can initiate a WebInspect dynamic scan from SSC for any project?


  • Currently that is only available with WebInspect Enterprise.

    [image: SSC-Dynamic-Scan.png]

    There are ways you script a scan and import those into SSC using either CLI or API for both WebInspect and SSC.

  • Thanks
    I am aware of Webinspect REST APIs
    We want to integrate Webinspect standalone scan with ServiceNow. I found Webbreaker that is open source utility for Webinspect automation, however it lacks in some features like scheduling and polling, incremental scan and also there is no frequent commits for this tool.
    Is there any alternative solution available or we need to develop and customize at our end using those Webinspect REST APIs.

    Thanks!!!
  • Outside of WIE, API and CLI, I'm not aware of any other options. Understand I work in Support and have limitations regarding usability and what others may be doing. Someone else may have additional input.

  • Verified Answer

    Ethan provided the correct answer for the original question.  SSC users (typically developers) can request a WebInspect Enterprise scan using a built-in form, and then the WIE staff will configure and run the requested scan.  Unfortunately that is not automated, and it is not using WebInspect desktop.  If you wanted to automate DAST scans and had WebInspect Enterprise, then I would utilize the WebInspect Enterprise API, typically found at https://{WIE_Manager_host}/WIE/REST/   SSC Server would not be used to trigger those scans, but to house the finished results (automated Publishing from WIE to SSC).

     

    WebBreaker was a nice project for running WebInspect desktop scans via its original API, created by one of our staff, but it does not appear to be an active project at this time.  Its current capabilities may not take advantage of improvements and new endpoints made to WebInspect's API over the past few years.  We release new WebInspect twice annually, Spring and Fall/Winter.

     

    WebInspect (desktop) is currently at version 20.10 (2020, Spring), and its Swagger-based REST API may provide your best option for automation.  It offers a full-featured CLI (WI.EXE) as well, but APIs tend to lend themselves to network use better than CLI.  To enhance this focus, Fortify provides a WebInspect Docker container (Windows-based), which is essentially a headless API instance, ready-to-use.  Furthermore, our management team has expanded with Postman integrations utilizing WebInspect's API.  You can see the API endpoints at the following URL (default configuration), as well as samples showing CURL commands, and even fields to generate live tests in the browser.  This API feature is also how Azure users are able to operate WebInspect scans, and so that is why I feel investigating the API directly would be your best option for creating the automation you desire.

    • http://localhost:8083/webinspect/api

     

    All of this is assuming that you wish to run WebInspect scans.  If you are instead seeking to extract your WebInspect scan results and move them, there are several routes.  Obviously, the WebInspect desktop results can be output to FPR format and direct-uploaded into our Fortify SSC Server, and from there the results can be managed or migrated over to other systems.  This is one item our Fortify Jenkins plugin offers as a Post-Build Action, to package the results and deliver them to SSC.  If you run your scans in WebInspect Enterprise rather than WebInspect desktop, those scans will automatically be transferred into the connected SSC Server.

    Another great option for results transfer is the WebInspect Full Export to XML format.  This will dump the entire scan tree, plus all sessions, all vulnerabilities, and all Remediation details into a single document.  That file can be imported into any other system, once you identify the transformation process and desired field mappings.  This Full Export action can be run via WebInspect's API or CLI at scan-time as a scan option, or after-the-fact against a completed scan.

    I hope that helps you.
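    The answer above recommends driving WebInspect desktop through its REST API rather than through WebBreaker, and the original poster specifically missed scheduling and polling. Below is an added example (not code from this thread, from WebBreaker, or from Fortify) of what that automation loop looks like: start a scan from a named settings file, poll its status until it reaches a terminal state or a deadline, then export the result as FPR for upload to SSC. The endpoint paths under `/webinspect/scanner/scans`, the `settingsName`/`ScanId`/`ScanStatus` field names and the status strings are assumptions; confirm them against the Swagger page at http://localhost:8083/webinspect/api for your release before relying on them. The HTTP layer is injectable, so the included `FakeWebInspect` stand-in lets the script run offline.

    ```python
    """Start, poll and export a WebInspect desktop scan over its REST API.

    Added example, not code from the forum thread or from Fortify.  Endpoint
    paths, JSON field names and status values are ASSUMED; verify them against
    the Swagger page (http://localhost:8083/webinspect/api) of your release.
    """
    import json
    import time
    import urllib.parse
    import urllib.request

    SCANS_PATH = "/webinspect/scanner/scans"              # assumed endpoint
    TERMINAL_STATES = {"Complete", "Failed", "Stopped"}   # assumed status values


    class WebInspectClient:
        """Minimal client; `transport(method, url, body)` returns (status, raw_bytes)."""

        def __init__(self, base_url="http://localhost:8083", transport=None, sleep=time.sleep):
            self.base_url = base_url.rstrip("/")
            self.transport = transport or self._urllib_transport
            self.sleep = sleep  # injectable so an offline run does not really wait

        @staticmethod
        def _urllib_transport(method, url, body=None):
            data = json.dumps(body).encode() if body is not None else None
            req = urllib.request.Request(url, data=data, method=method,
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()

        def _request(self, method, path, body=None):
            status, raw = self.transport(method, self.base_url + path, body)
            if status >= 400:
                raise RuntimeError(f"{method} {path} failed with HTTP {status}")
            return raw

        def start_scan(self, settings_name):
            # Assumed shapes: request {"settingsName": ...}, response {"ScanId": ...}
            raw = self._request("POST", SCANS_PATH, {"settingsName": settings_name})
            return json.loads(raw)["ScanId"]

        def scan_status(self, scan_id):
            # Assumed response shape: {"ScanStatus": "Running" | "Complete" | ...}
            raw = self._request("GET", f"{SCANS_PATH}/{scan_id}/status")
            return json.loads(raw)["ScanStatus"]

        def wait_for_scan(self, scan_id, interval=30, timeout=4 * 3600):
            """Poll every `interval` seconds; raise TimeoutError once `timeout` is exceeded."""
            waited = 0
            while True:
                state = self.scan_status(scan_id)
                if state in TERMINAL_STATES:
                    return state
                if waited >= timeout:
                    raise TimeoutError(f"scan {scan_id} still {state} after {waited}s")
                self.sleep(interval)
                waited += interval

        def export_scan(self, scan_id, extension="fpr"):
            # Assumed: GET .../export?extension=fpr returns the binary FPR for SSC upload
            query = urllib.parse.urlencode({"extension": extension})
            return self._request("GET", f"{SCANS_PATH}/{scan_id}/export?{query}")


    def run_scan(client, settings_name, interval=30, timeout=4 * 3600):
        """Full cycle: start, wait, export.  Returns (scan_id, final_state, fpr_bytes_or_None)."""
        scan_id = client.start_scan(settings_name)
        state = client.wait_for_scan(scan_id, interval, timeout)
        fpr = client.export_scan(scan_id) if state == "Complete" else None
        return scan_id, state, fpr


    class FakeWebInspect:
        """Constructed offline stand-in for the API: the scan reports Running for
        `running_polls` status calls and Complete afterwards."""

        def __init__(self, running_polls=2):
            self.running_polls = running_polls
            self.status_calls = 0
            self.requests = []

        def __call__(self, method, url, body=None):
            path = urllib.parse.urlparse(url).path
            self.requests.append((method, path))
            if method == "POST" and path == SCANS_PATH:
                return 201, json.dumps({"ScanId": "scan-0001"}).encode()
            if method == "GET" and path.endswith("/status"):
                self.status_calls += 1
                state = "Running" if self.status_calls <= self.running_polls else "Complete"
                return 200, json.dumps({"ScanStatus": state}).encode()
            if method == "GET" and path.endswith("/export"):
                return 200, b"FPR-BYTES"  # constructed placeholder for a real FPR archive
            return 404, b"{}"


    if __name__ == "__main__":
        # Offline demo; replace FakeWebInspect with the real transport for a live instance.
        client = WebInspectClient(transport=FakeWebInspect(), sleep=lambda s: None)
        print(run_scan(client, "Default Settings", interval=10, timeout=600))
    ```

    A scheduler (cron, Jenkins, a ServiceNow-triggered job) would call `run_scan` with a real `WebInspectClient()` and then hand the returned FPR to SSC; keeping the timeout explicit avoids a hung scan blocking the job queue forever.
    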

  • In addition to what  and I originally presented, we now have Scan Central DAST for version 20.2 of SSC and WebInspect:

    ScanCentral DAST

    Fortify is excited to release a new DAST orchestration and automation platform integrated right into Software Security Center 20.2.0! For more information, watch our “Introduction to ScanCentral DAST” video on the Fortify Unplugged YouTube channel

    Fortify ScanCentral DAST is a dynamic application security testing tool that is comprised of the Fortify WebInspect sensor service and other supporting technologies that you can use in conjunction with Fortify Software Security Center.

    The following diagram illustrates the Fortify ScanCentral DAST architecture.

    [image: DynScan_Arch_768x188.png]