Installation of Fortify 20.2.0 eDAST in Easy Steps
Vikas.Johari@MicroFocus.com
Micro Focus
17 February 2021
Page # 1
Trademarks
For Micro Focus trademarks, refer to the Micro Focus Trademark Information on the
Micro Focus website (http://www.microfocus.com/about/legal).
Micro Focus and the Micro Focus logo, among others, are trademarks or registered
trademarks of Micro Focus (IP) Limited or its subsidiaries in the United Kingdom,
United States and other countries. All other marks are the property of their respective
owners. A trademark symbol (® TM etc.) denotes a Micro Focus trademark; an
asterisk (*) denotes a third-party trademark.
Legal Notice
Copyright 2021 Micro Focus and its affiliates.
All rights reserved. No part of this publication may be reproduced, photocopied, stored
on a retrieval system, or transmitted without the express written consent of the
publisher.
Version: 0.1
Confidential – Property of Micro Focus’s Security, Risk and Governance Solutions Group.
<Document Installation Of Fortify 20.2.0 Edast In Easy Steps.Docx, updated on 17-Feb-21>
Copyright 2019 Micro Focus and its affiliates. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or
transmitted without the express written consent of the publisher
Page # 2
Table of Contents
Table of Contents .... 2
eDAST Architecture .... 4
    Software Security Center (SSC) .... 4
    LIM .... 4
    DAST API .... 4
    DAST Global Service .... 4
    ScanCentral DAST Database .... 5
    WebInspect Sensor .... 5
    Permissions in Fortify Software Security Center (SSC) .... 5
Lessons learned from mistakes .... 6
    Lab VM Environment .... 7
Setting up Server .... 7
    Updating the hosts file .... 7
Installation and configuration of the Docker .... 8
    Pulling Docker images .... 8
Setting up LIM as License Server .... 8
Update WebInspect (WI) License .... 16
Installing eDAST Configuration Tool .... 21
Configuring WebInspect as Sensor in ScanCentral DAST .... 34
Running the Basic Scan .... 38
Installation and Configuration of WebInspect Docker version with eDAST .... 44
Running the REST API Scan .... 45
Running the Scan using Login Macro .... 49
Generating Reports .... 54
Using the eDAST REST API .... 56
    Using REST APIs via Swagger .... 57
    Using REST APIs via Postman .... 60
    Using REST APIs to integrate with any CI/CD Pipeline .... 61
Appendix .... 67
    Appendix 1: Installing Fortify .... 67
    Appendix 2: Installing FortifyClient .... 67
        Option 1: .... 67
        Option 2: .... 67
    Appendix 3: .NET Requirement for ScanCentral DAST .... 67
eDAST Architecture
Fortify ScanCentral DAST is a dynamic application security testing tool that is comprised of the Fortify
WebInspect sensor service and other supporting technologies that you can use in conjunction with
Fortify Software Security Center.
Software Security Center (SSC)
ScanCentral DAST communicates with Fortify Software Security Center by way of the Software Security
Center REST API.
ScanCentral DAST retrieves application and version information and user permissions from the Fortify
Software Security Center database, and uploads completed scans to the database as FPR files for triage.
LIM
The License and Infrastructure Manager (LIM) Docker container provides the licensing service for the
ScanCentral DAST components.
DAST API
The ScanCentral DAST REST API Docker container provides communication between the sensor and the
ScanCentral DAST database. It also communicates with the LIM for licensing and with Fortify Software
Security Center.
WebInspect Sensor
The Fortify WebInspect sensor is either a Docker container or a Windows computer that runs the
ScanCentral DAST Sensor Service and a Fortify WebInspect sensor. The sensor does the following:
• Starts and runs scans
• Reports scan statistics to the ScanCentral DAST Global Service
• Uploads the scan to the ScanCentral DAST REST API
Note: The ScanCentral DAST Sensor uses SmartUpdate to obtain the most recent SecureBase updates.
Permissions in Fortify Software Security Center (SSC)
The permissions designated by your user role in Fortify Software Security Center determine the types of
tasks you can perform on ScanCentral DAST scans, sensors, sensor pools, settings, and scan schedules.
The following table describes the default roles in Fortify Software Security Center that allow dynamic-related tasks.
Lessons learned from mistakes
1. By default, the ScanCentral DAST containers download to and use the C: drive unless Docker is
configured to use another drive letter.
2. Containers cannot read the hosts file of the host server, so sometimes you have to use the IP
address instead of the FQDN.
3. Containers use a NAT network to connect to the outside world.
4. Check Appendix 3: .NET Requirement for ScanCentral DAST if you want to use an existing
WebInspect standalone installation as a sensor for eDAST.
5. Keep the eDAST activation keys handy.
6. Your Docker ID must have the "fortifydocker" organization assigned, otherwise you will not be able to
pull the eDAST images.
7. Windows Firewall should be off.
Lab VM Environment
[Lab diagram: Fortify Server, GitSuSE Server, Windows Server]
This VM has a standard SSC installation using SQL Server. The installation steps can be found at
https://community.microfocus.com/t5/tkb/usercontributedarticlespage/user-id/223632#
It is also recommended to install WebInspect standalone, but do not activate its license yet.
Setting up Server
These servers are hosted in the AWS environment, hence some basic changes are required for them to work
properly.
Installation and configuration of the Docker
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Windows-x86_64.exe" -UseBasicParsing -OutFile $Env:ProgramFiles\Docker\docker-compose.exe
Restart-Computer
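The download above places whatever GitHub returns straight into the Docker folder. As an added example (not part of the guide), the same step with an integrity check: the binary is staged, its SHA-256 is compared against the release's sidecar hash, and only a matching file is moved into place. The `.sha256` sidecar URL and its `sha256sum`-style layout are assumptions about the release, and `Get-ExpectedSha256` / `Test-FileSha256` are this example's own helpers.

```powershell
# Added example, not from the original guide: fetch docker-compose 1.27.4 and verify
# its SHA-256 before it is installed next to Docker.
# Assumption: the release publishes "<binary>.sha256" in sha256sum format ("<hex>  <file>").
# If it does not, take the expected digest from another trusted source instead.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Version  = '1.27.4'
$BaseUrl  = "https://github.com/docker/compose/releases/download/$Version"
$FileName = 'docker-compose-Windows-x86_64.exe'
$Staging  = Join-Path $Env:TEMP $FileName
$Target   = Join-Path $Env:ProgramFiles 'Docker\docker-compose.exe'

function Get-ExpectedSha256 {
    # Returns the hex digest from a sha256sum-style sidecar (first whitespace-delimited token).
    param([Parameter(Mandatory)][string]$Url)
    $content = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    # GitHub may serve the sidecar as application/octet-stream, in which case Content is byte[].
    if ($content -is [byte[]]) { $content = [Text.Encoding]::ASCII.GetString($content) }
    $digest = ($content.Trim() -split '\s+')[0]
    if ($digest -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Sidecar at $Url did not contain a SHA-256 digest."
    }
    return $digest.ToLowerInvariant()
}

function Test-FileSha256 {
    # $true when the file's SHA-256 equals the expected digest (case-insensitive compare).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return $actual.ToLowerInvariant() -eq $Expected.ToLowerInvariant()
}

# Stage the download so an unverified binary never lands in the Docker folder.
Invoke-WebRequest -Uri "$BaseUrl/$FileName" -UseBasicParsing -OutFile $Staging
$expected = Get-ExpectedSha256 -Url "$BaseUrl/$FileName.sha256"

if (Test-FileSha256 -Path $Staging -Expected $expected) {
    Move-Item -Path $Staging -Destination $Target -Force
    Write-Host "docker-compose $Version verified (SHA-256 $expected) and installed to $Target"
} else {
    Remove-Item -Path $Staging -Force
    throw "SHA-256 mismatch for $FileName; the download was discarded."
}
```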
Pulling Docker images
Enter your Docker ID and password; Docker will generate a file named
C:\Users\Administrator\.docker\config.json. Make sure your Docker ID has the "fortifydocker" organization
assigned, otherwise you will not be able to pull the eDAST images.
Setting up LIM as License Server
LIM Docker env file:
LimUseSSL=false
LimAdminWebSiteName=limadmin
LimServiceSiteName=limservice
LimDirectory=c:\lim
LimAdminUsername=fortify
LimAdminPassword=FortifyDAST1
LimAdminEmail=limadmin@limadmin.com
LimAdminFriendlyName=limadmin
This command runs the LIM Docker image on port 81. If you want to use port 80, change it in the
command above and also in the rest of this document wherever the LIM port is referenced.
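The env file above carries the LIM admin password in clear text and turns TLS off, which is fine for this lab but worth checking before the same file is reused elsewhere. As an added example (not part of the guide), a PowerShell check that parses the file, confirms every key the guide uses is present, and warns about plain-HTTP LIM sites and overly broad file permissions. `Test-LimEnvFile` and its pass/fail rules are this example's own, not product behaviour; the sample file it writes is constructed from the guide's lab values.

```powershell
# Added example, not from the original guide: sanity-check a LIM env file before passing it
# to docker with --env-file. Key names are the ones the guide uses; the rules are this
# example's own.
function Test-LimEnvFile {
    param([Parameter(Mandatory)][string]$Path)

    $required = @(
        'LimUseSSL', 'LimAdminWebSiteName', 'LimServiceSiteName', 'LimDirectory',
        'LimAdminUsername', 'LimAdminPassword', 'LimAdminEmail', 'LimAdminFriendlyName'
    )
    $settings = @{}
    $errors   = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    # docker --env-file syntax: KEY=VALUE per line; blank lines and '#' comments are ignored.
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $key, $value = $trimmed -split '=', 2
        if ($null -eq $value) { $errors.Add("Malformed line (no '='): $trimmed"); continue }
        $settings[$key.Trim()] = $value.Trim()
    }

    foreach ($key in $required) {
        if (-not $settings.ContainsKey($key) -or $settings[$key] -eq '') {
            $errors.Add("Missing or empty: $key")
        }
    }

    # The guide's lab value is LimUseSSL=false: the LIM admin and service sites are then plain HTTP.
    if ($settings['LimUseSSL'] -and $settings['LimUseSSL'].ToLower() -ne 'true') {
        $warnings.Add("LimUseSSL is '$($settings['LimUseSSL'])': LIM sites will be served over HTTP.")
    }
    if ($settings['LimAdminEmail'] -and $settings['LimAdminEmail'] -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $warnings.Add("LimAdminEmail does not look like an address: $($settings['LimAdminEmail'])")
    }

    # LimAdminPassword is stored in clear text, so the file should not be readable by broad groups.
    $broad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match '(^|\\)(Everyone|Users|Authenticated Users)$'
    }
    if ($broad) {
        $warnings.Add("Env file readable by broad groups: $(($broad.IdentityReference | Select-Object -Unique) -join ', ')")
    }

    [pscustomobject]@{
        Path     = $Path
        Settings = $settings
        Errors   = $errors
        Warnings = $warnings
        Ok       = ($errors.Count -eq 0)
    }
}

# Constructed sample mirroring the guide's lab file (lab values, not real secrets).
$sample = Join-Path $Env:TEMP 'lim.env'
@'
# LIM Docker env file
LimUseSSL=false
LimAdminWebSiteName=limadmin
LimServiceSiteName=limservice
LimDirectory=c:\lim
LimAdminUsername=fortify
LimAdminPassword=FortifyDAST1
LimAdminEmail=limadmin@limadmin.com
LimAdminFriendlyName=limadmin
'@ | Set-Content -Path $sample -Encoding ASCII

$result = Test-LimEnvFile -Path $sample
$result.Errors   | ForEach-Object { Write-Error $_ }
$result.Warnings | ForEach-Object { Write-Warning $_ }
if ($result.Ok) { Write-Host "LIM env file is complete ($($result.Settings.Count) keys)" }
```

Run against the guide's lab file it reports no errors and one warning for `LimUseSSL=false`; point `-Path` at your real env file to check it the same way.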
Click Add.
Click LICENSES.
Paste the eDAST Activation Token provided by the trainer, add a Description and click OK.
Validate the LICENSE GUID and click ADD LICENSE to add the WebInspect license.
Update WebInspect (WI) License
On the Licensing window:
URL: http://fortify202.myhome.com:81/limservice
Password: novell@123
Click Next.
Click Finish.
Open the LIM URL and check Current Activity Details; you will see that a WebInspect license has been
assigned to the WebInspect installed on the VM.
Check Current Product Usage; you will see a non-zero IN USE count.
Open the LIM URL and check Current Activity Details, Current Product Usage and Lease History, and identify
the difference.
Installing eDAST Configuration Tool
Make sure SSC is running and you are able to log in using the credentials admin / sscadmin@123.
Username: eDASTAdmin
Email: edastadmin@myhome.com
Role: Administrator
Password: sscadmin@123
Suspended: Disabled
Click Save.
In the Downloads\ScanCentral_DAST_20.2 folder, run "ScanCentral DAST - Config Tool Setup 20.2.312.exe".
User Name: sa
Password: novell@123
Click Validate.
User name: sa
Password: novell@123
Click Validate.
Click OK.
Click Next.
Click Next.
Click Validate.
Click Validate.
Scroll down.
Scroll down.
In Other Settings –
Click Next.
Go to the extracted folder, Shift+right-click and select Open PowerShell window here.
When it completes, open the Portainer URL in the Chrome browser:
http://fortify202.myhome.com:9000/
Click Save.
If you can see the above screen then ScanCentral DAST is configured successfully.
Configuring WebInspect as Sensor in ScanCentral DAST
Password: novell@123
Copy the appsettings.json file from the Downloads\edast-start folder to C:\SensorService and overwrite the
existing file. The contents of the file will be as below; it should have the IP address of your VM in row number 9.
Change to -
Password: novell@123
Running the Basic Scan
The WebInspect installed on the VM is now configured as a sensor. Let's configure and run a scan.
From the drop-down, select the "Zero via eDAST" application and version 1.0. Click Next.
URL: http://zero.webappsecurity.com
Policy: Standard
Click Next.
Click Next; let's not create the login macro this time.
Click Next.
Enter the name of the scan settings as "Zero via eDAST", click Save, then click Run.
Click Run.
Click OK.
Click Close.
Click Refresh.
When the status changes to Running, click on it. You can see the statistics.
Installation and Configuration of WebInspect Docker version with eDAST
Open SSC -> SCANCENTRAL -> DAST -> Sensors. A new sensor will appear; this is the Dockerized
WebInspect sensor configured with eDAST.
Running the REST API Scan
Now open SSC -> SCANCENTRAL -> DAST -> Sensors. You should be able to see both sensors.
Open SSC -> SCANCENTRAL -> DAST -> Scans -> New Scan.
Select "PetStore using Containerized eDAST" version 1.0 from the drop-down and click Next.
If Validated then -
Submit for triage: Enabled
Audit Depth (Policy): Standard
User Agent: Default
Click Next.
Enter the settings name as "PetStore API Scan", click Save, then click Run.
Running the Scan using Login Macro
Open SSC -> SCANCENTRAL -> DAST -> Scans -> New Scan.
URL: http://zero.webappsecurity.com
Click Next.
Click Open MacroRecorder5_0 in the pop-up. Wait a few minutes for TruClient to open; check the Windows
task bar, it may be there.
Click the Record button and create the login macro using your skills. Use the credentials Username /
Password for http://zero.webappsecurity.com
In Scan Settings, click Import and select the Zero_LoginMacro file from Documents.
Click Next.
Click Next.
Wait for the scan to start and complete. It takes about an hour, so this is a good time for a coffee break.
Generating Reports
Now two scan results have been uploaded to SSC via eDAST. Let us generate a few reports from SSC.
Log in to SSC using admin / sscadmin@123. Click REPORTS -> NEW REPORTS.
Click "ISSUE REPORTS", scroll down, locate and select "Vulnerability Report".
In Report name, enter a name, e.g. Zero Vuln Report, and click Browse.
Select the application, e.g. "Zero via eDAST", then select the version, e.g. 2.0. Now click DONE.
Click GENERATE.
Identify the Request Body, whose content type is "application/json-patch+json", and the Example value, which needs the username and password in JSON format.
Identify the Request URL (note it in Notepad++) and the Response Body. Notice that the token value starts with "FORTIFYTOKEN"; note the token down in Notepad++, e.g.
FORTIFYTOKEN M2U5NjcxYTUtNmNjYS00NDdmLWJiMGItNDA1ZmJjZmY4Njc0
Note: A CIToken created in SSC for the REST API can also be used, together with the FORTIFYTOKEN keyword, as shown below.
Now scroll up to the top of the page and click the "Authorize" button.
In the pop-up, paste the token value from above and click Authorize.
Click Close.
Under the Applications API calls, expand the GET /api/application call by clicking GET.
Scroll down and check the Request URL and Response Body; you will be able to see the applications, their IDs and the Scanner Pool details.
Method: POST
URL: http://fortify202.myhome.com:85/api/auth
Body: raw
Type: JSON
{
"username": "admin",
"password": "sscadmin@123"
}
In the Response section below, you will see the token. Save the token in Notepad++.
Method: GET
URL: http://fortify202.myhome.com:85/api/applications
In Headers, add a key named "Authorization" and paste the token value from the previous call (/api/auth). Click Send.
Let us use the Swagger interface to initiate the scan via this REST call.
Log in to SSC -> SCANCENTRAL -> DAST -> Settings List.
It lists the CICD Identifier for each settings entry. Pick a setting's CICD Identifier, e.g. e94d681e-a078-4ffd-ad3f-e67d93d236ad, which is for the PetStore API Scan; we will use it. Go back to the Swagger doc and click the "Try it out" button of the API.
Change the cicdToken value and assign a name; remove the scannerID and useAssignedScannerOnly variables.
Click Execute.
Scroll down and check the response. If you see an id with a value, the scan has been accepted by eDAST. Note down the curl command in Notepad++.
Pick up the curl command used in the call via Swagger, for example (the trailing comma left behind after removing the scanner variables has been dropped, since it makes the body invalid JSON):
curl -X POST "http://fortify202.myhome.com:85/api/scans/start-scan-cicd" \
  -H "accept: text/plain" \
  -H "Authorization: FORTIFYTOKEN Y2U0YTlhNTctNjBkYi00MDI1LWEwNjktNTViYTMwYzZiZmJk" \
  -H "Content-Type: application/json-patch+json" \
  -d "{ \"cicdToken\": \"e94d681e-a078-4ffd-ad3f-e67d93d236ad\", \"name\": \"PetStore API Scan via Swagger\" }"
Open SSC -> ADMINISTRATION -> Users -> Token Management -> New.
Select the Token Type as CIToken, enter a Description and click Save.
It generates two types of token; save them into a text file. We will use the first token generated for the REST API.
Click on Body.
Select raw and JSON from the drop-down. In the body enter the following (note: no trailing comma after the last key, or the body is not valid JSON):
{
"cicdToken":"e94d681e-a078-4ffd-ad3f-e67d93d236ad",
"name":"PetStore API Scan via Postman"
}
Click Send.
If everything goes well, you will see the ID value and response code 201.
This is one of the simplest ways to integrate with any CI/CD tool: use the REST API with either a curl command or a PowerShell script to initiate the scan.
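The same auth-then-start-scan sequence as a Python script, added here as an example and not taken from the page or from Micro Focus; it is an alternative to the curl or PowerShell route the page mentions. It keeps the page's lab host and endpoints but assumes that /api/auth returns JSON containing the "FORTIFYTOKEN ..." string somewhere in it (no field name is assumed), and that HTTP 201 with an "id" in the body means the scan was accepted.

```python
import json
import urllib.request
from typing import Any, Optional, Tuple

API_BASE = "http://fortify202.myhome.com:85"  # lab host from the page; use your own SSC

def find_fortify_token(payload: Any) -> Optional[str]:
    # First string in the /api/auth response starting with "FORTIFYTOKEN" (assumed shape).
    if isinstance(payload, str):
        return payload if payload.startswith("FORTIFYTOKEN") else None
    if isinstance(payload, dict):
        payload = list(payload.values())
    if isinstance(payload, list):
        for item in payload:
            found = find_fortify_token(item)
            if found is not None:
                return found
    return None

def start_scan_body(cicd_token: str, name: str) -> str:
    # Only cicdToken and name, as the page keeps them; json.dumps guarantees
    # valid JSON (no trailing comma as in a hand-edited Postman/curl body).
    return json.dumps({"cicdToken": cicd_token, "name": name})

def scan_id_if_accepted(status: int, body: str) -> Optional[str]:
    # The page's acceptance check: HTTP 201 and an "id" in the response.
    if status != 201:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return str(data["id"]) if isinstance(data, dict) and "id" in data else None

def post_json(path: str, body: str, token: Optional[str] = None) -> Tuple[int, str]:
    # Authorization carries the whole "FORTIFYTOKEN <value>" string, as in the curl.
    headers = {"Content-Type": "application/json-patch+json", "accept": "text/plain"}
    if token:
        headers["Authorization"] = token
    req = urllib.request.Request(API_BASE + path, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

def start_scan(username: str, password: str, cicd_token: str, name: str) -> Optional[str]:
    # Authenticate, then start the scan; returns the scan id, or None if not accepted.
    _, auth_body = post_json("/api/auth", json.dumps({"username": username, "password": password}))
    token = find_fortify_token(json.loads(auth_body))
    if token is None:
        raise RuntimeError("no FORTIFYTOKEN value in /api/auth response")
    status, body = post_json("/api/scans/start-scan-cicd", start_scan_body(cicd_token, name), token)
    return scan_id_if_accepted(status, body)
```

Call start_scan("admin", "sscadmin@123", "e94d681e-a078-4ffd-ad3f-e67d93d236ad", "PetStore API Scan via Python") from a CI job and fail the job when it returns None.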
Appendix
Appendix 1: Installing Fortify
There are several good step-by-step (Easy Steps) documents available for installing and configuring Fortify in a CoE / PoC / Lab environment.
Visit - https://community.microfocus.com/t5/tkb/usercontributedarticlespage/user-id/223632
Option 1:
The FortifyClient tool is in the "Tools" folder of the Fortify_20.2.0_Server_WAR_Tomcat.zip file.
You can copy the "fortifyclient" folder to any machine and, if required, add the fortifyclient\bin folder to PATH.
Option 2:
During the installation of SCA, it is installed in the C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.2.0\bin folder, which is also added to PATH.