
Webinspect Incremental scans- Few Questions

Hi,
I'm working on the WebInspect Incremental Scan feature. I stumbled upon a few questions that we could arrive at answers to. I thought this forum would be helpful. I
Scenario:
On week-1, I perform a scan, scan-1, and it has 'X' number of issues. On week-2, with scan-1 as baseline, I perform an incremental scan, scan-2. Now if there are any new issues apart from 'X', they will be reported as findings in this scan. Let's call it 'Y'. On week-3, I repeat the same exercise with scan-2 as baseline, and scan-3 yields 'Z' number of issues.
Questions:
If 'X' issues were remediated, how do I verify it using WebInspect? Do I need to use the retest vulnerabilities option for scan-1 apart from doing an incremental scan-2?
Can I use different workflow macros for scan-1 and scan-2?



Regards,
Sethu

Accepted Solutions
Micro Focus Expert

Sethu_BNYMT;

It is important to review the Help article in WebInspect, "Reusing Scans".  There are several nuances between Incremental Scan and Rescan to be aware of.

  • Incremental Scan - Recrawls the entire site, but only Audits new areas exposed.  This means that New Issues added to areas previously tested will be missed.
  • Rescan - Vulns Only - This option only retests the Issues identified in the selected scan, and so it will not discover new areas of the site nor will it find new vulns introduced into the site by Dev.  It essentially runs only Authentication plus the (replay) Steps associated with each of the original found Issues.
  • Reuse Remediation - Creates a custom Scan Policy based on the Issues found in the first, selected scan.  It then recrawls the site and Audits everything, but only using the vulns listed in that customized Policy.  This would find those same vuln types if they were added elsewhere on the site, but it would miss New Issues that had not been in the original scan findings (Policy).

This is why it is important to utilize Scan Merge with your Incremental Scans, in a purposeful cycle.  To properly run your series, you will want to operate Scan-1, then Scan-2, Merge Scan-2 with Scan-1 to produce a new Baseline Scan-2.5, run Scan-3, Merge Scan-3 with Scan-2.5 to produce a newer Baseline Scan-3.5, and so on.  It will also be important to periodically step back and run a complete (not Incremental) scan of the site, to produce the next Baseline Scan for the upcoming cycle or period of time.

To validate corrected Issues, you would run a Rescan - Vulns Only against the selected scan, whether a Baseline scan or one of the Incrementals.  If you were Merging Incrementals back into the Baseline as suggested, then it would be that Baseline scan that you would use as the basis for the Rescan.

The Incremental Scan feature can save you time when dealing with rapid development changes in a short period, but as you can see from the definitions above, things can also be missed.  You will want to set a period of time where you generate the Baseline, operate a series of Incremental Scans with Merge-Back actions, and then begin the next cycle with a fresh, new Baseline Scan.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
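The scan modes and merge cycle described in the answer above, as an added toy model (not WebInspect's own code, nor the answer's): the site, areas and vuln types are constructed, and each function implements only the semantics the answer gives for that mode.

```python
# Toy model of the WebInspect scan modes described above. Added illustration,
# not WebInspect code: a site is {area: set of (vuln_type, area)} and a "scan"
# is a dict of crawled areas and found issues.

def full_scan(site):
    """Baseline: crawl and audit every area."""
    return {"areas": set(site), "issues": {i for a in site for i in site[a]}}

def incremental_scan(baseline, site):
    """Recrawl everything, but audit only areas absent from the baseline crawl."""
    new_areas = set(site) - baseline["areas"]
    return {"areas": set(site), "issues": {i for a in new_areas for i in site[a]}}

def reuse_remediation(baseline, site):
    """Recrawl and audit everything, using only the vuln types the baseline found."""
    policy = {vuln for vuln, _ in baseline["issues"]}
    return {"areas": set(site),
            "issues": {i for a in site for i in site[a] if i[0] in policy}}

def rescan_vulns_only(scan, site):
    """Replay only the scan's own issues; split them into still-present and fixed."""
    live = {i for a in site for i in site[a]}
    return {"areas": scan["areas"], "issues": scan["issues"] & live,
            "fixed": scan["issues"] - live}

def merge(a, b):
    """Scan Merge: union of crawl coverage and findings."""
    return {"areas": a["areas"] | b["areas"], "issues": a["issues"] | b["issues"]}

# Constructed two-week scenario: between weeks, dev fixes the SQLi on /login,
# adds /profile (with an XSS) and introduces command injection on the old /search.
WEEK1 = {"/login": {("sqli", "/login")}, "/search": {("xss", "/search")}}
WEEK2 = {"/login": set(),
         "/search": {("xss", "/search"), ("cmdi", "/search")},
         "/profile": {("xss", "/profile")}}

def run_cycle():
    scan1 = full_scan(WEEK1)                # Baseline, issues = X
    scan2 = incremental_scan(scan1, WEEK2)  # Issues = Y (new areas only)
    baseline25 = merge(scan1, scan2)        # X plus Y, the next baseline
    live = {i for a in WEEK2 for i in WEEK2[a]}
    return {
        "X": scan1["issues"],
        "Y": scan2["issues"],
        # New issue in an already-audited area: reported by neither reuse mode
        "new_issues_missed_by_incremental": live - scan2["issues"] - scan1["issues"],
        "reuse_remediation": reuse_remediation(scan1, WEEK2)["issues"],
        # Verifying X's remediation: rescan the merged baseline, not Scan-2
        "fixed_via_scan2": rescan_vulns_only(scan2, WEEK2)["fixed"],
        "fixed_via_baseline": rescan_vulns_only(baseline25, WEEK2)["fixed"],
    }
```

Rescanning Scan-2 alone reports no fixes because Scan-2 only ever held Y; the merged baseline is what lets the Rescan confirm the SQLi remediation.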

Lieutenant
Thanks a lot for your thoughts and guidance.