Dynamic Tech Training

Introduction to DAST and how Micro Focus Fortify fulfills the need

Training - Watch customer facing training videos on Micro Focus Education website

Setup Lab

Minimum of three WinOS Servers.

  • MSSQL Server
  • WIE
  • WI

Installation of WIE (Standalone or Attached to existing SSC instance)

Review the following

WIE Tasks

  1. Configure IIS
  2. Add WIE User
  3. Download and Install WIE
  4. Install Enterprise Console
  5. Install/Configure Sensor
  6. Activate Sensor
  7. Setup default role in Enterprise Console

WIE Exercises

  • Configure at least two WIE Sensors
  • Create a project in SSC and request a dynamic scan
  • See Fortify Software Security Center User Guide pages 85-90
  • Create a Guided Scan of the http://zero.webappsecurity.com site
  • Check the results published in WIE Web Console and compre with SSC console

Installation of WI

Review the following for WI

WI Tasks

  1. Install SQLExpress
  2. Install WI
  3. Discuss Licensing
  4. Named User
  5. Concurrent User (Need LIM)
  6. Locate the following WI file directories - browse to and become familiar with the following:
  7. %localappdata%\HP\HP WebInspect
  8. C:\ProgramData\HP\HP WebInspect
  9. C:\Program Files\Fortify\Fortify WebInspect
  10. Connect to WIE Instance
  11. Review Chapter 18 of the WebInspect Tools Guide
  12. Record a login macro for http://zero.webappsecurity.com
  13. Review Chapters 6-10 of the WI User Guide

WI Exercises

  1. Create a basic scan of the Zero http://zero.webappsecurity.com website where you only scan the starting directory.
  2. Create a crawl only scan of the Zero website for both the starting directory and subdirectories.
  3. Create a scan for the directory and subdirectories of Zero using the Standard policy.
  4. Create a scan for the directory and subdirectories of Zero with a Login Macro using the Standard policy.
  5. Create a scan for the directory and subdirectories of Zero with a Login Macro using the SQL Injection policy.
  6. After the scan completes, individually retest some of the SQLI vulns.
  7. Perform an authenticated, crawl only scan of http://legacy.webappsecurity.com site
  8. Restrict to directory and subdirectories
  9. User: user
  10. Password: user
  11. When the crawl is complete, start an audit for the completed crawl
  12. Use the latest DISA STIG Policy
  13. Perform an authenticated, crawl and audi scan of http://www.altoromutual.com
  14. Restrict to directory and subdirectories
  15. User: jsmith
  16. Password: Demo1234
  17. Disable Auto fill web forms
  18. Use the OWASP Top 10 2017 Policy
  19. When complete, Rescan > Scan Again, but enable Auto fill web forms
  20. Compare the results of the two scans

WI Debugging Tools

Watch the following videos

WI Debugging Tools Tasks & Exercises

  • Review the User Guide regarding Traffic Analysis (page 105)
  • Monitor a scan again Zero using the Traffic Monitor and Web Proxy

Setup/Configure LIM

LIM is free to use, but you must have a concurrent license.

LIM Tasks

  1. Install LIM
  2. Activate LIM (Recommended user record the LIM Activation Token)
  3. This activated token is associate with another LIM
    1. LIM Activation, release current
    2. Enter old LIM Activation token
      1. from backup
      2. contact support/licensing
  4. Add product licenses

Support Training

  1. The importance of a scan file with logs and traffic over log files only.
  2. Understand where log files are located
  3. Difference and similarities between WI and WIE Sensors
  4. Tracing a WIE scan
  5. LIM & WI licensing versus WIE licensing
  6. Common issues & Broken Scans Troubleshooting
  7. AntiVirus/AntiMalware
  8. API Scanning
  9. Ciphers/Protocols
  10. LMR Troubleshooting

Support Training Review and Tasks

WI Agent

  • Review
  • Introduction to Runtime presentation
  • WebInspect Agent presentation
  • Exercise
  • Install a WI Agent on a Tomcat instance running WebGoad
  • Check the WI Agent logs to ensure proper installation and the agent is running
  • Conduct a scan of the WebGoat installation

Deeper Dive Videos

Some deeper dive videos with Shawn Simpson are available on the Fortify Support Team SharePoint site.