penTester8888 Regular Contributor.

DAST results integration with SSC

Hello!

I'm looking for guidance on integrating WebInspect results into SSC which currently only contains SAST artifacts. My understanding is that after scanning an application in WebInspect a results artifact (FPR) can be exported from WebInspect and then uploaded into SSC. The static results will "correlate" with the dynamic results so that development teams can view both results and work towards remediation. I haven't had the opportunity to upload DAST results in SSC yet so I'm wondering how the correlation in SSC will be reported. Is there documentation describing the correlation process?

In addition, I'm not sure how the dynamic scan process will work given multiple authenticated scans for a single application. Many of our applications are user role-based so "scan 1 completed with user A" could produce different results than "scan 2 with user B". Can both sets of results get merged into SSC? Is there a way to document the user account in the dynamic scan results within SSC? Will the development teams be able to see both static and dynamic results by downloading the latest FPR and viewing in AuditWorkbench?

I will be working on establishing a new DAST process within our organization, so any advice or recommendations would be most appreciated. Thanks!


rhelsens Valued Contributor.

Re: DAST results integration with SSC

This is not an RTM reply, but page 279 and onward has a lot of the details you are seeking, explaining the integration and showing screenshots of the feature.

https://www.microfocus.com/documentation/fortify-software-security-center/1820/SSC_Guide_18.20.pdf


I have not personally uploaded DAST results into SSC.


Micro Focus Expert

Re: DAST results integration with SSC

Here is a link to the web-based documentation for the latest version of the application. In essence, yes, you can have multiple artifact uploads for the same application version, and SSC should be able to handle the results. The results are processed slightly differently than with SCA.

By the way, the majority of what you read in the documentation mentions integration through WebInspect Enterprise (WIE). The implementation of WIE will help streamline/integrate/automate some of the steps if you were to simply use WebInspect (WI) with SSC.

With WI you will have to export the file to an FPR and then upload the FPR to SSC. Yes, there are ways to do this via CLI or API as well.

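To make the "export the FPR, then upload it via the API" step concrete, here is an added example script (not code from the original thread, and not Micro Focus's own tooling) that pushes an exported WebInspect FPR into a named SSC application version over the SSC REST API using only the Python standard library. It assumes: SSC REST authentication with an `Authorization: FortifyToken <encoded token>` header, the `/api/v1/projectVersions` endpoint with a `q` filter on `project.name` and `name` to resolve the numeric version id, and a multipart `POST /api/v1/projectVersions/{id}/artifacts` with a `file` field for the upload. Check those against the SSC API documentation for your release before relying on them. The script refuses to upload when the version lookup is ambiguous, which matters when the same scan is run with several user accounts: put the account in the FPR filename (for example `scan-userA.fpr`) so the uploaded artifact name records it in SSC.

```python
#!/usr/bin/env python3
"""Upload an exported WebInspect FPR to an SSC application version (stdlib only).

Added example, not the original post's or vendor's code. Endpoint paths, the
FortifyToken auth scheme and the 'q' filter syntax are assumptions taken from
the SSC REST API documentation; verify them for your SSC release.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid
import zipfile

FPR_MAGIC = b"PK\x03\x04"  # an FPR is a zip archive, whatever scanner produced it


def check_fpr(path):
    """Fail fast on a non-FPR file; SSC only reports a bad artifact after processing."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head != FPR_MAGIC or not zipfile.is_zipfile(path):
        raise ValueError(f"{path} is not an FPR (zip) archive")
    return True


def auth_header(encoded_token):
    """SSC REST auth header. Assumption: token is the encoded form SSC hands out
    (e.g. from 'fortifyclient token -gettoken ...' or POST /api/v1/tokens)."""
    return {"Authorization": "FortifyToken " + encoded_token}


def version_lookup_url(ssc_url, app_name, version_name):
    """URL that resolves application + version names to the projectVersion id.
    Assumption: the endpoint accepts a Lucene-style 'q' filter and a 'fields' list."""
    q = f'project.name:"{app_name}" AND name:"{version_name}"'
    query = urllib.parse.urlencode({"q": q, "fields": "id,name,project", "limit": "2"})
    return ssc_url.rstrip("/") + "/api/v1/projectVersions?" + query


def pick_version_id(response_json, app_name, version_name):
    """Return the one matching id; never guess when zero or several versions match."""
    matches = [v for v in response_json.get("data", [])
               if v.get("name") == version_name
               and v.get("project", {}).get("name") == app_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one version for {app_name}/{version_name}, "
                          f"got {len(matches)}")
    return matches[0]["id"]


def build_multipart(fpr_path, fpr_bytes, boundary=None):
    """Encode the artifact as multipart/form-data in the 'file' field SSC expects.
    The filename is what SSC shows as the artifact name, so include the scan user in it."""
    boundary = boundary or uuid.uuid4().hex
    filename = os.path.basename(fpr_path)
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + fpr_bytes + tail


def upload(ssc_url, token, app_name, version_name, fpr_path):
    """Resolve the version id, then POST the FPR; returns SSC's JSON reply (artifact id/status)."""
    check_fpr(fpr_path)
    headers = {"Accept": "application/json", **auth_header(token)}
    req = urllib.request.Request(version_lookup_url(ssc_url, app_name, version_name),
                                 headers=headers)
    with urllib.request.urlopen(req) as resp:
        pv_id = pick_version_id(json.load(resp), app_name, version_name)
    with open(fpr_path, "rb") as fh:
        ctype, body = build_multipart(fpr_path, fh.read())
    req = urllib.request.Request(
        f"{ssc_url.rstrip('/')}/api/v1/projectVersions/{pv_id}/artifacts",
        data=body, headers={**headers, "Content-Type": ctype}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: SSC_TOKEN=<token> upload_fpr.py https://ssc.example.com "MyApp" "1.0" scan-userA.fpr
    url, app, ver, fpr = sys.argv[1:5]
    print(json.dumps(upload(url, os.environ["SSC_TOKEN"], app, ver, fpr), indent=2))
```

Run it once per authenticated scan (one FPR per role account) against the same application version; SSC keeps each upload as a separate artifact, and the filename you pass is the place to record which account the crawl ran under. The token is read from the environment rather than the command line so it does not land in shell history or process listings.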