Micro Focus

Fortify ScanCentral DAST

Software Version: 21.2.0 Windows®


Configuration and Usage Guide


Document Release Date: November 2021
Software Release Date: November 2021



Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.


Copyright Notice

© Copyright 2020-2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information: the software version number, the document release date, and the software release date.

This document was produced on November 10, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation


Contents


Preface 17
  Contacting Micro Focus Fortify Customer Support 17
  For More Information 17
  About the Documentation Set 17
  Fortify Product Feature Videos 17

Change Log 18

Chapter 1: Introduction 25
  What is ScanCentral DAST? 25
    Software Security Center 25
    LIM 25
    DAST API 26
    DAST Utility Service 26
    DAST Global Service 26
    ScanCentral DAST Database 26
    WebInspect Sensor 27
  Permissions in Fortify Software Security Center 27
    Tasks Requiring Admin Permissions 28
  Related Documents 28
    All Products 29
    Micro Focus Fortify ScanCentral DAST 29
    Micro Focus Fortify Software Security Center 30
    Micro Focus Fortify WebInspect 30

Chapter 2: Configuring the ScanCentral DAST Environment 32
  Important Information about SSL 32
  Requesting Access to Fortify Docker Repository 32
  Before You Begin 33
  Understanding the Installation Process 33
  Upgrading and Managing ScanCentral DAST 35
    Upgrading ScanCentral DAST 35
      Requirements for Upgrading 35
      Recommendation for Upgrading 36
      Effect of Upgrades on Scheduled Scans 36
    Managing ScanCentral DAST 36
  Setting Up Docker 36
  Configuring the Database and Core Containers 37
    About the ScanCentral DAST Configuration Tool 37
    Installing and Launching the Configuration Tool 38
      What's Next? 38
    Configuring the Database Connection 38
      Configuring the DBO-level Account 38
      Configuring the Standard Account 39
      What's Next? 40
    Initializing the Database 40
    Updating SecureBase 40
      Using the Default SecureBase 40
      Using a Local SecureBase 41
      What's Next? 41
    Configuring DAST SSL 41
      About the Certificate Path 41
      Generating an API SSL Certificate 41
      Using an Existing Certificate 42
      Not Using SSL 42
      What's Next? 43
    Configuring Utility Service SSL 43
      About the Certificate Path 43
      Generating a Utility Service SSL Certificate 43
      Using an Existing Certificate 44
      Not Using SSL 44
      What's Next? 45
    Configuring Environment Settings 45
      Configuring Proxy Settings 45
      Known Issue with Host Name, Machine Name, and Container Name 46
      Allowing Untrusted Certificates 46
      What's Next? 46
    Configuring ScanCentral DAST Settings 46
      Configuring SSC Settings 46
      Configuring API Settings 47
      Configuring Utility Service Settings 48
      Configuring LIM Settings 48
      Creating a Sensor Service Token 48
      Retaining Completed Scans on Sensor 49
      Disabling Advanced Scan Prioritization 49
      Changing the SmartUpdate URL 49
      Changing the Licensing URL 49
      What's Next? 50
    Applying the Settings 50
      What's Next? 50
    Generating Launch Artifacts 50
      Understanding the Launch Artifacts 51
      Generating the Launch Artifacts 52
      What's Next? 52
  Using the Compose File 52
  Using PowerShell Scripts 53
    Using One Script 53
    Using Two Scripts 54
  Using Fortify WebInspect on Docker 55
  Using Fortify WebInspect with the Sensor Service 55
    Before You Begin 55
      Important Information About Licenses 55
      Important Prerequisite for Windows Server 2016 56
    Configuring the Fortify WebInspect REST API 56
    Installing and Configuring the DAST Sensor Service 58
  Integrating with Kubernetes 59
    DNS Requirement 60
    Sensor Installation Requirement 61
    Implementing Scan Scaling with Kubernetes 61
    Downloading kubectl and Helm 62
      Downloading in Windows PowerShell 62
      Downloading in Linux 63
    Deploying HAProxy in Kubernetes 63
      Before You Begin 63
      Guideline for Configuring HAProxy in Azure 64
      Deploying HAProxy Ingress Controller 64
    Deploying the Kubernetes Metrics Server 65
      Before You Begin 65
      Deploying the Metrics Server 65
      Confirming the Metrics Server Installation 65
    Deploying WISE in Kubernetes 66
      Before You Begin 66
      Using the Default Parameters 66
      Viewing the Default Parameters 66
      Overriding the Default Parameters 67
      Installing WISE Into a Kubernetes Namespace 68
      Understanding the Parameters for WISE Deployment 69
      Uninstalling WISE 70
    Installing the Sensor into the Kubernetes Cluster 70
      Before You Begin 70
      Installing the Sensor 71
      Understanding the Helm Parameters 72
      Uninstalling the Sensor from the Kubernetes Cluster 73

Chapter 3: Understanding the User Interface 74
  ScanCentral DAST User Interface 74
  Scan Visualization 75
    Resizing the Display Areas 76
    Hiding and Showing a Display Area 76
  Working with Tables 77
    Customizing Table Views 77
      Updating or Creating a View 78
      Selecting a Different View 78
    Managing Columns in Tables 78
      Rearranging the Columns 78
      Adding and Removing Columns 79
    Understanding Basic Filters in Tables 79
      Guidelines 80
    Using Basic Filters in Tables 80
      Accessing the Basic Filter Feature 80
      Filtering by Application, Version, Name, or URL 80
      Filtering by Date, Scan Status, or Scan Type 81
      Clearing the Filter 82
    Understanding Advanced Filters in Tables 83
      Understanding the Operators 83
      Understanding Conditions and Field Filters 84
    Using Advanced Filters in Tables 84
      Accessing the Advance Filter Feature 84
      Creating an Advanced Filter 84
      Editing an Advanced Filter Condition 85
      Removing an Advanced Filter Condition 85
      Clearing Filters 85
    Sorting Data in Columns 86
      Known Issue with Sorting 87
      Sorting Directly in the Table 87
      Sorting in the Table Preferences Panel 87
    Clearing Data from Input Boxes 88
    Viewing Content on Multiple Pages 88
      Changing the Number of Items Displayed 88
      Navigating Multiple Pages 88
      Changing the Number of Items Displayed in the Table Preferences Panel 89

Chapter 4: Configuring a Scan 90
  What is a Scan? 90
  Preparing Your System for Audit 90
    Sensitive Data 90
    Firewalls, Anti-virus Software, and Intrusion Detection Systems 91
    Effects to Consider 91
    Helpful Hints 92
  Accessing Settings Configuration from Software Security Center 93
    Accessing from the DAST Scans List 93
    Accessing from the Settings List 93
    What's Next? 93
  Getting Started 93
    What's Next? 94
  Configuring a Standard Scan 95
    What's Next? 96
  Configuring a Workflow-driven Scan 96
    Types of Macros Supported 96
    Configuring a Workflow-driven Scan 97
    What's Next? 98
  Configuring an API Scan 98
    What's Next? 102
  Configuring Proxy Settings 102
    What's Next? 103
  Configuring Authentication 103
    Configuring Site Authentication 104
    Downloading the Macro Recorder Tool 104
    Using a Client Certificate 104
    Configuring Network Authentication 105
    What's Next? 105
  Configuring Scan Details 106
    What's Next? 106
    Adding and Managing Allowed Hosts 106
      Adding Allowed Hosts 107
      Editing or Removing Hosts 107
    Configuring Scan Priority 107
      Changing the Priority 108
      Understanding Advanced Scan Prioritization 108
        Priority and Sensor Pools 108
        Priority and Scan Status 108
        Priority and Sensors 109
      When Advanced Scan Prioritization is Disabled 109
    Configuring Data Retention 110
    Scanning Single-page Applications 110
      Technology Preview 110
      The Challenge of Single-page Applications 110
      Configuring SPA Support 111
    Using Traffic Viewer (Traffic Monitor) 111
      Proxy Server Included 111
      Option Must be Enabled 111
      Enabling Traffic Viewer (or Traffic Monitor) 111
    Creating and Managing Exclusions 112
      Creating Exclusions 112
      Exclusion Examples 113
      Editing or Removing Exclusions 113
      Understanding and Creating Inclusive Exclusions 114
        Understanding Inclusive Exclusion Regular Expressions 114
        Example One 114
        Example Two 115
    Configuring Redundant Page Detection 116
    Enabling SAST Correlation 117
    Enabling Scan Scaling 117
  Reviewing Scan Settings 118
    Saving the Settings to Software Security Center 118
    Scheduling a Scan 118
    Running a Scan 120
    Using the Scan Settings in the DAST API 120
      Accessing the DAST API Swagger UI 121
      Using the Swagger UI 121
  Conducting an Automated Scan with FAST 121
    Installation Recommendation 121
    Before You Begin 122
    Process Overview 122
    Downloading the FAST Installer 123
    Understanding the FAST Options 123

Chapter 5: Working with Scans 126
  Accessing DAST Scans in Software Security Center 126
    User Role Determines Capabilities 126
  Understanding the Scans List 126
  Understanding the Scan Detail Panel 130
    Findings by Severity 130
    Additional Scan Details 130
  Working with Active Scans 132
    Pausing a Scan 132
    Stopping a Scan 132
    Resuming a Scan 133
    Re-importing a Scan 133
  Working with Alerts 133
    Technology Preview 133
    Accessing Alerts 134
    Understanding the ALERTS Tab 134
    Acknowledging New Alerts 135
  Managing the DAST Scans List 135
    Starting a New Scan 135
    Refreshing the Scans List 135
    Publishing to Fortify Software Security Center 136
    Deleting a Scan 136
    Using the Force Delete Option 136
  Downloading DAST Scans, Settings, and Logs 137
    Paused Scans 137
    License Unavailable Scan Status 137
    File Types Available 137
    Downloading a File 139
  Viewing Scan Results 139
    Working with the Site Tree 140
      Site Tree Icons 140
      Using Breadcrumbs 140
    Understanding the Findings Table 141
      Available Columns 141
    Working with Findings 142
      Viewing the Vulnerability Description 142
      Viewing the Request and Response 142
      Viewing Steps 142
    Understanding the Traffic Table 143
      Available Columns 143
    Working with Traffic 145
      Viewing the Request and Response 145
      Viewing Parameters 145
      Viewing Steps 146
    Understanding SPA Coverage 146

Chapter 6: Working with Sensors 148
  Accessing DAST Sensors in Software Security Center 148
    User Role Determines Capabilities 148
  Understanding the Sensor List 148
  Understanding the Sensor Detail Panel 149
  Enabling or Disabling Sensors 150
    Facts About Disabled Sensors 150
    Enabling or Disabling a Sensor 150

Chapter 7: Working with Sensor Pools 152
  Accessing DAST Sensor Pools in Software Security Center 152
    User Role Determines Capabilities 152
  Understanding the Sensor Pools List 152
  Understanding the Pool Detail Panel 153
  Creating a DAST Sensor Pool 153
  Managing Sensor Pools 155
    Facts About Managing Sensor Pools 155
    Editing a Sensor Pool 155
    Refreshing the Pools List 155
    Deleting a Sensor Pool 156
    Changing the Default Sensor Pool 156

Chapter 8: Working with Scan Settings 157
  Accessing DAST Scan Settings in Software Security Center 157
    User Role Determines Capabilities 157
  Understanding the Scan Settings List 157
  Understanding the Scan Settings Detail Panel 158
  Managing Scan Settings 159
    Creating New Settings 159
    Editing Settings 160
    Downloading Settings 160
    Deleting Settings 160
    Copying the Settings ID for Use in the API 161

Chapter 9: Working with Scan Schedules 162
  Accessing DAST Scan Schedules in Software Security Center 162
    User Role Determines Capabilities 162
  Understanding the Scan Schedules List 162
  Understanding the Schedule Detail Panel 163
  Managing Schedules 163
    Creating a New Schedule 163
    Editing a Schedule 164
    Enabling or Disabling Schedules 164
    Deleting a Schedule 165

Chapter 10: Working with Deny Intervals 166
  Deny Intervals Apply to Applications 166
  Deny Intervals are Global Settings 166
  Accessing Deny Intervals in Software Security Center 166
    User Role Determines Capabilities 167
  Understanding the Deny Intervals List 167
  Understanding the Deny Intervals Detail Panel 167
  Creating a Deny Interval 168
  Managing Deny Intervals 171
    Facts About Editing a Deny Interval 171
    Editing a Deny Interval 171
    Deleting a Deny Interval 172
    Refreshing the Deny Intervals List 172

Chapter 11: Working with Policies 173
  Accessing Policies in Software Security Center 173
    User Role Determines Capabilities 173
  Understanding the Policies List 173
  Understanding the Policy Detail Panel 174
  Importing a Custom Policy 174
  Managing Policies 175
    Editing a Policy 175
    Deleting a Policy 175
    Refreshing the Policies List 176

Chapter 12: Working with Base Settings 177
  Differences Between Base Settings and Templates 177
  Base Settings are Global Settings 177
  Accessing Base Settings in Software Security Center 177
    User Role Determines Capabilities 177
  Understanding the Base Settings List 178
  Understanding the Base Settings Detail Panel 178
  Creating Base Settings 179
    What's Next? 180
    Configuring Base Settings for a Standard Scan 180
      What's Next? 181
    Configuring Base Settings for a Workflow-driven Scan 182
      Types of Macros Supported 182
      Configuring Base Settings for a Workflow-driven Scan 182
      What's Next? 183
    Configuring Base Settings for an API Scan 183
      What's Next? 187
    Configuring Proxy Settings in Base Settings 187
      What's Next? 188
    Configuring Authentication in Base Settings 188
      Configuring Site Authentication 189
      Downloading the Macro Recorder Tool 189
      Configuring Network Authentication 189
      What's Next? 190
    Configuring Base Settings Details 190
      What's Next? 190
      Adding and Managing Allowed Hosts in Base Settings 190
        Adding Allowed Hosts 191
        Editing or Removing Hosts 191
      Configuring Scan Priority in Base Settings 192
        Changing the Priority 192
      Configuring Data Retention in Base Settings 192
      Scanning Single-page Applications in Base Settings 192
        Technology Preview 193
        The Challenge of Single-page Applications 193
        Configuring SPA Support 193
      Using Traffic Viewer (Traffic Monitor) in Base Settings 193
        Proxy Server Included 194
        Option Must be Enabled 194
        Enabling Traffic Viewer (or Traffic Monitor) 194
      Creating and Managing Exclusions in Base Settings 194
        Creating Exclusions 194
        Exclusion Examples 195
        Editing or Removing Exclusions 196
      Configuring Redundant Page Detection in Base Settings 196
      Enabling SAST Correlation in Base Settings 197
    Applying Base Settings to Applications 197
      What's Next? 197
    Reviewing and Saving Base Settings 197

Chapter 13: Working with Application Settings 198
  Application Settings are Global Settings 198
    Priority 198
    Data Retention 198
  Accessing the Application Settings 198
    User Role Determines Capabilities 199
  Understanding the Application Settings List 199
  Managing Application Settings 199
    Editing Application Settings 200
    Refreshing the Application Settings List 201

Appendix A: Troubleshooting ScanCentral DAST 202
  Locating Log Files 202
    Log File Names 202
    Extracting Log Files 202
      API Logs 202
      DAST Configuration Tool Logs 203
      Global Service Logs 203
      Scanner Service Logs 203
      Utility Service Logs 204
  Troubleshooting the Configuration Tool 204
  Troubleshooting Upgrade Issues 206
  Troubleshooting the DAST API 209
  Troubleshooting DAST Scans 210
  Troubleshooting Alerts 212
    Technology Preview 212
    Disabling Alerts 212
    Alerts Troubleshooting Table 212
  Checking and Restarting the WebInspect REST API Service 213
    Checking the WebInspect REST API Service Status in a Classic Fortify WebInspect Installation 213
    Restarting the Service in a Classic Fortify WebInspect Installation 213
    Checking the WebInspect REST API Service Status in Fortify WebInspect on Docker 214
    Restarting the Service for Fortify WebInspect on Docker 214
  Troubleshooting the Sensor Service 214
    Checking the Sensor Service Status in a Classic Fortify WebInspect Installation 215
    Restarting the Sensor Service in a Classic Fortify WebInspect Installation 215
    Checking the Sensor Service Status in Fortify WebInspect on Docker 215
    Restarting the Sensor Service in Fortify WebInspect on Docker 216

Appendix B: Scanning with a Postman Collection 217
  What is Postman? 217
  Benefits of a Postman Collection 217
  Known Limitations with Postman Variables 217
  Postman Prerequisites 217
  Tips for Preparing a Postman Collection 218
    Ensure Valid Responses 218
    Order of Requests 218
    Handling Authentication 218
      Using Static Authentication 219
      Using Dynamic Authentication 219
      Using a Postman Login Macro 219
    Postman Auto-configuration 219
    Sample Postman Scripts 220
  Manually Configuring Postman Login for Dynamic Tokens 220
    What are Dynamic Tokens? 220
    Before You Begin 220
    Process Overview 220
    Identifying and Isolating the Login Request 221
    Creating a Logout Condition with Regular Expressions 221
    Creating a Response State Rule for a Bearer Token 222
    Creating a Response State Rule for an API Key 222

Appendix C: Reference Lists 224
  Policies 224
    Best Practices 224
    By Type 226
    Custom 227
    Hazardous 227
    Deprecated Checks and Policies 228
  HTTP Status Codes 229

Send Documentation Feedback 233

Preface



Contacting Micro Focus Fortify Customer Support

Visit the Support website to: