Dynamic Tech Training
Introduction to DAST and how Micro Focus Fortify fulfills the need
Training - Watch customer facing training videos on Micro Focus Education website
Setup Lab
Minimum of three Windows (WinOS) servers:
- MSSQL Server
- WIE
- WI
Installation of WIE (Standalone or Attached to existing SSC instance)
Review the following
- Documents
  - Review the installation guide
- Guides & Presentations
  - WebInspect Enterprise Setup PowerPoint presentation, providing an overview of how to install WIE and how it fits in with SSC
  - WebInspect Enterprise Installation Guide
  - WIE Introduction
  - WIE-Presentation
- Videos
  - WIE Setup Troubleshooting
  - WIE Usage
    - WIE01 - Introduction
    - WIE02 - Use Case - High Level Overview
    - WIE03 - Use Case - Managing Sensors
    - WIE04 - Use Case - Self Service Scans
    - WIE05 - Use Case - SSC Integration
    - WIE06 - Use Case - Central Repository
    - WIE07 - Use Case - WIE & SSC Background Tasks
    - WIE09 - Basic Config
    - WIE10 - Troubleshooting Demo + Q&A
WIE Tasks
- Configure IIS
- Add WIE User
- Download and Install WIE
- Install Enterprise Console
- Install/Configure Sensor
- Activate Sensor
- Set up the default role in Enterprise Console
WIE Exercises
- Configure at least two WIE Sensors
- Create a project in SSC and request a dynamic scan
  - See Fortify Software Security Center User Guide, pages 85-90
- Create a Guided Scan of the http://zero.webappsecurity.com site
- Check the results published in the WIE Web Console and compare them with the SSC console
Installation of WI
Review the following for WI
- Documents
  - Review the installation guide
- Guides & Presentations
  - WebInspect Setup Troubleshooting
- Videos
  - WI Usage
  - WI Login Macros and Advanced Settings
WI Tasks
- Install SQL Express
- Install WI
- Discuss Licensing
  - Named User
  - Concurrent User (requires LIM)
- Locate the following WI file directories - browse to and become familiar with each:
  - %localappdata%\HP\HP WebInspect
  - C:\ProgramData\HP\HP WebInspect
  - C:\Program Files\Fortify\Fortify WebInspect
- Connect to the WIE Instance
- Review Chapter 18 of the WebInspect Tools Guide
- Record a login macro for http://zero.webappsecurity.com
- Review Chapters 6-10 of the WI User Guide
WI Exercises
- Create a basic scan of the Zero website (http://zero.webappsecurity.com) where you only scan the starting directory.
- Create a crawl-only scan of the Zero website for both the starting directory and subdirectories.
- Create a scan of the directory and subdirectories of Zero using the Standard policy.
- Create a scan of the directory and subdirectories of Zero with a Login Macro using the Standard policy.
- Create a scan of the directory and subdirectories of Zero with a Login Macro using the SQL Injection policy.
  - After the scan completes, individually retest some of the SQLi vulnerabilities.
- Perform an authenticated, crawl-only scan of the http://legacy.webappsecurity.com site
  - Restrict to directory and subdirectories
  - User: user
  - Password: user
  - When the crawl is complete, start an audit for the completed crawl
  - Use the latest DISA STIG Policy
- Perform an authenticated, crawl and audit scan of http://www.altoromutual.com
  - Restrict to directory and subdirectories
  - User: jsmith
  - Password: Demo1234
  - Disable Auto fill web forms
  - Use the OWASP Top 10 2017 Policy
  - When complete, Rescan > Scan Again, but enable Auto fill web forms
  - Compare the results of the two scans
WI Debugging Tools
Watch the following videos
WI Debugging Tools Tasks & Exercises
- Review the User Guide section on Traffic Analysis (page 105)
- Monitor a scan against Zero using the Traffic Monitor and Web Proxy
Setup/Configure LIM
LIM is free to use, but you must have a concurrent license.
- Review the LIM Installation and Troubleshooting Guide (older PDF); it provides LIM installation steps and troubleshooting of common issues
LIM Tasks
- Install LIM
- Activate LIM (it is recommended that the user record the LIM Activation Token)
  - If the activation token is already associated with another LIM:
    - LIM Activation: release the current activation
    - Enter the old LIM Activation token
      - from backup
      - or contact support/licensing
- Add product licenses
Support Training
- The importance of a scan file with logs and traffic over log files only.
- Understand where log files are located
- Difference and similarities between WI and WIE Sensors
- Tracing a WIE scan
- LIM & WI licensing versus WIE licensing
- Common issues & Broken Scans Troubleshooting
  - AntiVirus/AntiMalware
  - API Scanning
  - Ciphers/Protocols
  - LMR Troubleshooting
Support Training Review and Tasks
- Watch the following videos
  - WD05 Broken Scans - Missing Pages
  - WD06 Broken Scans - No Vulns
  - WD07 Broken Scans - Short Scan with Few Findings
  - WD08 Broken Scans - Slow Scan #1
  - WD09 Broken Scans - Slow Scan #2
  - WD10 Broken Scans - Missing Pages
- For each case in the following presentation, study the issue and compose a response to the customer: Post Introduction WebInspect Training Tasks
WI Agent
- Review
  - Introduction to Runtime presentation
  - WebInspect Agent presentation
- Exercise
  - Install a WI Agent on a Tomcat instance running WebGoat
  - Check the WI Agent logs to ensure proper installation and that the agent is running
  - Conduct a scan of the WebGoat installation
Deeper Dive Videos
Some deeper dive videos with Shawn Simpson are available on the Fortify Support Team SharePoint site.