Scan AWS Hosted Applications the Easy Way with Fortify on Demand!

Super Contributor.
Super Contributor.
2 0 5,272

We’re excited to announce that Micro Focus Fortify on Demand has permanently been whitelisted for scanning of Amazon Web Services (AWS) instances. this means is that Fortify on Demand customers will no longer be required to submit a quarterly L7 form to AWS security to prevent scans from being blocked.

Here’s some background information about this topic:

Scan AWS Hosted Applications the Easy Way with Fortify on Demand1.pngAs applications become the main mode of interaction between organizations and key stakeholders (including customers, partners and competitors), they have increased complexity and reduced time to market. When combined with lower IT budgets, increased number of applications and releases; securing applications in this day and age takes a lot orchestrated effort. Running a successful application security program requires a good first step and tenacious follow-up including security awareness training, shift-left initiatives, software lifecycle integrations, automation and continuous security testing.

Application security testing techniques such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), IAST (Interactive Application Security Testing) and RASP (Runtime Application Self Protection) each play different and complementary roles in helping organizations secure applications.

Testing the security of applications in production has been and continues to be a valuable activity for organizations for two main reasons:

  1. Testing in production provides a holistic (including custom code, open source components and infrastructure that the app is running on) and possibly an attacker’s view of the security stance
  2. Continuously testing the applications in production provides visibility about new threats as well as existing security risks.

Dynamic application security testing (DAST) consists of a series of automated web layer attacks and human auditors verifying the results. As a concept, DAST can be seen as a form of penetration testing at the application layer. What’s interesting is that most penetration testers do use DAST tools to optimize their findings and efforts on the application layer (which always makes me think of an imaginary term: DASTception since DAST is a subset of pen testing while pen testing techniques are a natural part of the DAST process which are a subset of pen testing…).

Penetration testing or dynamic application security testing always require planning and preparation in order to minimize potential unintended implications and false alarms in security protection and monitoring systems. Within a traditional organization running applications on premises, this requires communication and collaboration across multiple teams including security, network management and IT operations along with the service vendor or the red team.

When done in a cloud environment, getting the required permissions from the cloud provider becomes an important prerequisite since these tests can be perceived as a real attack by the cloud provider. Without proper communication, these tests can result in false alarms, blocked traffic to targeted applications or incomplete test results. (TechBeacon has a very comprehensive guide on this: Pen testing cloud-based apps: A step-by-step guide )

The leading cloud infrastructure providers provide authorization processes to enable these tests for their customers. Amazon Web Services (AWS) has been providing guidance to its customers with the AWS Penetration testing page and the AWS Vulnerability / Penetration Testing Request Form to temporarily whitelist testing vendors to specific AWS instances.

So when AWS customers want to get penetration testing or DAST services for their application hosted on AWS, they have to submit the request form and ask for temporary white listing for the test vendor to their instances. While not difficult, the whitelisting process surely is a daunting task which requires time and effort – particularly for organizations with large app portfolios that must be scanned frequently.

Well, Fortify on Demand has eliminated this process for our customers since Amazon Web Services (AWS) has permanently whitelisted scanning of AWS instances by Fortify on Demand. Fortify on Demand customers can initiate scans on their AWS hosted applications any time they need without having to go through the permission process. More details on this improvement can be found on our Fortify on Demand 18.4 Release Notes. To view these notes, please login to the Fortify on Demand instance for your regional data center:


About the Author
Application Security, Penetration Testing, Security
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.