Configuring a Dynamic Scan

After preparing your website for a dynamic assessment, complete the Dynamic Scan Setup page. You only need to configure the dynamic scan settings once per release; the settings are carried over to subsequent scans, and you can edit them as needed for later assessments.

To configure a dynamic scan:

  1. Select the Applications view.

    Your Applications page appears.

  2. Click the name of the application.

    The Application Overview page appears.

  3. Click Start Scan for the release that you want to have assessed and select Dynamic.

    The Dynamic Scan Setup page appears.

  4. Complete the required fields. All other fields are optional or set to default values.

    Field Description
    Assessment Type

    Select the assessment type. Only assessment types allowed by the organization's security policy are displayed.

    The SLO of the selected assessment type appears below the field.

    The Dynamic+ Web Services assessment is used for testing web services where an OpenAPI definition or Postman collection is not available.

    Dynamic Site URL

    Type your site's URL. This field is available for Dynamic Website, Dynamic+ Website, and Dynamic+ Web Services assessments.

    Entitlement

    Select the entitlement that the assessment will use. The field displays entitlements that are valid for the selected assessment type, including those available for purchase. If the release has an active subscription, only options that do not consume entitlements are displayed.

    Time Zone

    Select your location's time zone, which is used to schedule the scan's start time.

    Environment Facing

    Select whether the site is internal or external.

  5. If needed, you can configure additional scan settings in the sections appearing below the required fields. The sections that are available depend on the assessment type selected.

    Scope (Dynamic Website, Dynamic+ Website, Dynamic+ Web Services)

    1. To edit the scope of the scan, click Scope.

    2. Complete the fields as needed.

      Field Description
      Scan entire host (<URL>) / Restrict scan to URL directory and subdirectories

      Select one of the following options:

      • Scan entire host (<URL>) (default): the entire host will be scanned.

        Example: Given https://foo.com/home, the following URLs will be included:
        • https://foo.com/
        • https://foo.com/contact-us.html
        • https://foo.com/folder/
        • https://foo.com/folder/folder2/page.aspx
        • https://foo.com/home/folder/
        • https://foo.com/home/index.html
      • Restrict scan to URL directory and subdirectories: only the directory denoted by the last slash in the URL, and its subdirectories, will be scanned. If you select this option, make sure the last slash in the Dynamic Site URL denotes the directory to which you want the scan to be restricted: https://foo.com/home/ restricts the scan to /home/, whereas in https://foo.com/home the last slash denotes the site root.

        Example: Given https://foo.com/home/, the following URLs will be excluded:
        • https://foo.com/
        • https://foo.com/folder/
        • https://foo.com/contact-us.html
        • https://foo.com/folder/folder2/page.aspx
      Allow HTTP (:80) and HTTPS (:443)

      Select the check box to allow both HTTP and HTTPS scanning of the site (default).

      Example: Given https://foo.com/home, if the Scan entire host option is selected, http://foo.com/ and its subdirectories will be included. If the Restrict scan to URL directory and subdirectories option is selected, only http://foo.com/home and its subdirectories will be included.
      Allow form submissions during crawl

      Select this option to allow form submissions during the crawl of the site (default). Submitting forms uncovers additional application surface area that can then be examined for a more thorough scan.

      Deselecting this option does not prevent form submissions during the vulnerability checks. Detection of many critical vulnerabilities, such as SQL injection and cross-site scripting, requires form submissions. To exclude specific web functionality from form submissions, specify those URLs in the Exclude URLs that contain field.

      Exclude URLs that contain

      (Optional) Type a full or partial URL and add it to the list to exclude URLs matching the string from testing. Add a new entry for each string. Matching is not case-sensitive.

      By default, the scanner does not scan URLs outside the provided hostname, such as subdomains (https://www.foo.com, https://dev.foo.com) or offsite domains (https://bar.com), so those do not need to be excluded explicitly.

      Examples: https://foo.com/login.html, login.html
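The scope rules above (same hostname only, entire host versus directory restriction, the HTTP/HTTPS option, and case-insensitive exclusion strings) can be checked ahead of time so that the Dynamic Site URL you submit covers exactly what you intend. The following Python function is an added example written for this page; it is not code from the product, and the URLs it is run against are constructed. It models the documented behaviour only: the hostname comparison ignores ports, and the HTTP/HTTPS option is modelled purely on the URL scheme.

```python
from urllib.parse import urlsplit


def in_scope(start_url, candidate, restrict_to_directory=False,
             allow_http_and_https=True, exclude_substrings=()):
    """Decide whether `candidate` would be crawled for a scan started at `start_url`.

    Models the Scope options of the Dynamic Scan Setup page (hypothetical helper,
    not product code):
      - only the hostname of the start URL is in scope (subdomains and offsite
        domains are out of scope by default);
      - "Scan entire host" includes every path on that host, while
        "Restrict scan to URL directory and subdirectories" keeps only the
        directory denoted by the last slash of the start URL;
      - "Allow HTTP and HTTPS" admits both schemes, otherwise only the scheme of
        the start URL;
      - exclusion strings are matched case-insensitively as substrings of the URL.
    """
    start = urlsplit(start_url)
    cand = urlsplit(candidate)

    # Hostname must match exactly (port is ignored by .hostname).
    if not start.hostname or not cand.hostname:
        return False
    if cand.hostname.lower() != start.hostname.lower():
        return False

    # Scheme handling for the "Allow HTTP (:80) and HTTPS (:443)" check box.
    if allow_http_and_https:
        if cand.scheme.lower() not in ("http", "https"):
            return False
    elif cand.scheme.lower() != start.scheme.lower():
        return False

    # Directory restriction: everything up to and including the last slash of
    # the start URL's path. Note that https://foo.com/home (no trailing slash)
    # restricts to "/", i.e. the whole host, which is the caveat the page warns about.
    if restrict_to_directory:
        path = start.path or "/"
        base_dir = path[: path.rfind("/") + 1] if "/" in path else "/"
        if not (cand.path or "/").startswith(base_dir):
            return False

    # Exclusions: case-insensitive substring match against the full URL.
    lowered = candidate.lower()
    if any(s.lower() in lowered for s in exclude_substrings):
        return False
    return True


def partition(start_url, candidates, **options):
    """Split constructed candidate URLs into (included, excluded) lists."""
    included = [u for u in candidates if in_scope(start_url, u, **options)]
    excluded = [u for u in candidates if u not in included]
    return included, excluded


if __name__ == "__main__":
    # Constructed sample, mirroring the examples on the page.
    sample = [
        "https://foo.com/", "https://foo.com/contact-us.html",
        "https://foo.com/folder/folder2/page.aspx", "https://foo.com/home/index.html",
        "http://foo.com/home/", "https://www.foo.com/", "https://bar.com/",
    ]
    for restrict in (False, True):
        inc, exc = partition("https://foo.com/home/", sample, restrict_to_directory=restrict)
        print("restrict_to_directory =", restrict)
        print("  included:", inc)
        print("  excluded:", exc)
```

Running the driver with the start URL https://foo.com/home/ reproduces the two example lists from the table; changing the start URL to https://foo.com/home shows why the trailing slash matters.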

    Authentication (Dynamic Website, Dynamic+ Website, Dynamic+ Web Services)

    1. To edit the authentication settings, click Authentication.

    2. Complete the fields as needed.

      Field Description
      Form Authentication

      (Optional) Select the check box if form authentication is required. Provide user names and passwords for at least two users. To add more credentials, use the Additional Notes field at the bottom of this form.

      If available, select the Generate unique authentication check box if self-registration is required.

      Network Required

      (Optional) Select the check box if network authentication is required and provide a username and password.

      Additional Authentication Instructions

      (Optional) Select the check box if additional authentication is required, such as an account number or tenant code, and type instructions.

      The scanner does not support multi-factor authentication. Examples of unsupported controls include SMS messages, email verification, CAPTCHA, OATH tokens, and physical tokens. If the target enforces such a control, describe in the instructions how the testing team can bypass it for the test accounts.

    Web Services (Dynamic Web Services)

    For information on preparing web services project files suitable for automated testing, see Preparing Web Services Project Files.

    1. To add instructions for scanning web services utilized by the site, click Web Services.

    2. Select the API definition type: Postman Collection (File), Postman Collection (URL), OpenAPI (File), OpenAPI (URL).

      OpenAPI Specification versions 2.0 and 3.0 are supported.

    3. Perform the relevant task based on your API definition type:

      API Definition Type Procedure
      Postman Collection (File)

      1. Click ... and browse to and select the Postman collection file. The JSON file format is accepted. If a file already exists, you can use the existing file or upload a new file.
      Postman Collection (URL)

      1. Provide the Postman collection URL.

      2. If authentication is needed to access the URL, provide the header name in the Header Name field and the credentials in the Header Value field. For example, provide Authorization in Header Name and Bearer <token> in Header Value. Note that these credentials only protect access to the collection URL; they are separate from the credentials used to authenticate requests to the API under test.

        Examples:

        X-API-Key: <apikey>

        Authorization: <apikey>

        Authorization: Bearer <token>

        If the credentials are passed as a query parameter, include it in the URL.

      OpenAPI (File)

      1. Click ... and browse to and select the OpenAPI document file. The JSON file format is accepted. If a file already exists, you can use the existing file or upload a new file.

      2. If the API requires authentication, provide the API key value in the API Key field.

        The supported security scheme is API key. Multiple API keys in requests are not supported.

      OpenAPI (URL)

      1. Provide the OpenAPI document URL.

      2. If the API requires authentication, provide the API key value in the API Key field.

        The supported security scheme is API key. Multiple API keys in requests are not supported.

    4. In the Additional Instructions field, type additional instructions.
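Before uploading an OpenAPI document, it is worth checking that it matches the constraints listed above: version 2.0 or 3.0, an apiKey security scheme only, and no request that needs more than one API key. The following Python pre-flight check is an added example written for this page, not product code; the two API definitions embedded in it are constructed for illustration. It treats a security requirement object that lists several schemes as a request needing all of them at once, which is the standard OpenAPI semantics.

```python
import json


def _version_and_schemes(doc):
    """Return (version, security-scheme dict) for an OpenAPI 2.0 or 3.x document.

    OpenAPI 2.0 keeps schemes under `securityDefinitions`; 3.x keeps them under
    `components.securitySchemes`.
    """
    if "swagger" in doc:
        return str(doc["swagger"]), doc.get("securityDefinitions") or {}
    if "openapi" in doc:
        components = doc.get("components") or {}
        return str(doc["openapi"]), components.get("securitySchemes") or {}
    return None, {}


def check_openapi(doc):
    """Return a list of problems; an empty list means the document looks acceptable."""
    problems = []
    version, schemes = _version_and_schemes(doc)
    if version is None:
        return ["document has neither a 'swagger' nor an 'openapi' version field"]
    if not (version == "2.0" or version.startswith("3.0")):
        problems.append(f"OpenAPI version {version} is not supported; use 2.0 or 3.0")

    # Only the apiKey scheme type is supported.
    for name, scheme in schemes.items():
        kind = (scheme or {}).get("type")
        if kind != "apiKey":
            problems.append(f"security scheme '{name}' has type '{kind}'; only apiKey is supported")

    # Gather every security requirement object: document-wide plus per-operation.
    requirements = list(doc.get("security") or [])
    for _path, item in (doc.get("paths") or {}).items():
        for _method, operation in (item or {}).items():
            if isinstance(operation, dict) and operation.get("security"):
                requirements.extend(operation["security"])

    # A requirement object naming several schemes means all of them are sent on the
    # same request; multiple API keys in one request are not supported.
    for req in requirements:
        if isinstance(req, dict) and len(req) > 1:
            problems.append(
                f"security requirement {sorted(req)} needs {len(req)} keys on one request; "
                "only a single API key is supported")
    return problems


def check_openapi_file(path):
    """Load a JSON OpenAPI document from disk and check it."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_openapi(json.load(fh))


# Constructed sample documents (not from any real service).
GOOD_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders", "version": "1"},
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "security": [{"ApiKeyAuth": []}],
    "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
}

BAD_DOC = {
    "swagger": "2.0",
    "info": {"title": "Orders", "version": "1"},
    "securityDefinitions": {
        "key": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "oauth": {"type": "oauth2", "flow": "implicit",
                  "authorizationUrl": "https://example.invalid/auth", "scopes": {}},
    },
    "paths": {"/orders": {
        "parameters": [],
        "get": {"security": [{"key": [], "oauth": []}],
                "responses": {"200": {"description": "ok"}}}}},
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, check_openapi(doc) or "OK")
```

Run the check against the file you intend to upload; fix anything it reports, or move to the Dynamic+ Web Services assessment and describe the authentication mechanism in Additional Instructions instead.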

    Web Services (Dynamic+ Web Services)

    For information on preparing web services project files suitable for automated testing, see Preparing Web Services Project Files.

    1. To add instructions for scanning web services utilized by the site, click Web Services.

    2. Complete the fields as needed.

      Field Description
      Web Service Type

      1. Select the web service type: SOAP, REST.
      2. Upload a project file, such as a WSDL file or API definition file, that contains working sample data. The JSON, WSDL, TXT, and XML file formats are accepted.

      Additional Instructions

      (Optional) Type additional instructions, such as required headers, tokens, or authentication mechanisms.

      Username, Password / API Key, Password

      (Optional) Provide the username and password or the API key and password.

    Scheduling & Availability (all assessments)

    1. To edit the scan frequency and site availability settings, click Scheduling & Availability.

    2. Complete the fields as needed.

      Field Description
      Repeat Frequency

      Select the scan's repeat frequency: Do not repeat (default), 2 weeks, 1 month, 2 months, 3 months, 4 months, 6 months, 12 months. If you are requesting a single scan, keep the default value.

      Scheduled recurring scans are automated and subjected to the following stipulations:

      • Scheduling of a scan occurs seven days before the calculated scan date, which is determined by the start date of the previous scan and the repeat frequency. For example, if a monthly scheduled scan starts on the 5th of the month, the next scan will be scheduled for the 5th of the next month.
      • The entitlement is deducted at the time of scheduling.
      • A scan will only be scheduled if a valid entitlement for the selected assessment type exists at the time of the scheduling.
      • If a scan is canceled, no further scans will be scheduled.
      • If a scan is still in progress when the next scan is to be scheduled, the service will attempt once a day to reschedule the next scan until the scan date has passed. For example, if a monthly scheduled scan that starts on the 5th of the month is still in progress by the 5th of the next month, the next rescheduling attempt will take place seven days before the 5th of the month after that.
      Site Availability

      Select the check boxes to indicate when the environment is available for testing. Use the local time of the time zone specified above. You must provide a minimum of a four hour window of availability during the week.

      Pausing and resuming testing causes the scan to take longer than the standard SLO. Contact the support team for more information if you have site availability constraints.
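The recurring-scan rules above decide not only when the next scan runs but also when the entitlement is consumed, so it is useful to work them through for a concrete calendar. The following Python model is an added example written for this page, not product code, and encodes only the stipulations listed above: the next scan date is the previous start date plus the repeat frequency, scheduling (and the entitlement deduction) is attempted from seven days before that date, once per day, until the date has passed, and a cycle is skipped when the previous scan is still running. The dates used are constructed.

```python
import calendar
from datetime import date, timedelta

# Repeat Frequency options from the setup page, mapped to a calendar step.
FREQUENCIES = {
    "2 weeks": ("days", 14),
    "1 month": ("months", 1),
    "2 months": ("months", 2),
    "3 months": ("months", 3),
    "4 months": ("months", 4),
    "6 months": ("months", 6),
    "12 months": ("months", 12),
}
LEAD_DAYS = 7  # scheduling occurs seven days before the calculated scan date


def add_months(d, months):
    """Advance a date by whole months, clamping the day to the target month's length."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_scan_date(previous_start, frequency):
    """Calculated scan date: start date of the previous scan plus the repeat frequency."""
    unit, amount = FREQUENCIES[frequency]
    if unit == "days":
        return previous_start + timedelta(days=amount)
    return add_months(previous_start, amount)


def schedule_next(previous_start, frequency, in_progress_until, entitlement_valid=True):
    """Model the scheduling rules (hypothetical helper, not product code).

    previous_start:     start date of the previous scan
    in_progress_until:  last calendar day on which the previous scan is still running
    entitlement_valid:  whether a valid entitlement exists when scheduling is attempted

    Returns (scan_date, day_scheduled). day_scheduled is the day the scan is
    scheduled and the entitlement deducted; it is None when no scan is scheduled.
    """
    if frequency == "Do not repeat":
        return (None, None)
    scan_date = next_scan_date(previous_start, frequency)
    if not entitlement_valid:
        return (scan_date, None)
    while True:
        first_attempt = scan_date - timedelta(days=LEAD_DAYS)
        # One attempt per day, from seven days before the scan date up to the scan date.
        for offset in range(LEAD_DAYS + 1):
            attempt = first_attempt + timedelta(days=offset)
            if attempt > in_progress_until:
                return (scan_date, attempt)
        # The scan date passed while the previous scan was still running: skip a cycle.
        scan_date = next_scan_date(scan_date, frequency)


if __name__ == "__main__":
    start = date(2024, 1, 5)  # constructed: a monthly scan that started on the 5th
    for finished in (date(2024, 1, 20), date(2024, 2, 1), date(2024, 2, 10)):
        print(finished, "->", schedule_next(start, "1 month", finished))
```

The third constructed case reproduces the example in the text: a January scan still running on February 5th pushes the next scan to March 5th, with the scheduling attempt (and entitlement deduction) on February 27th.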

    Additional Details (Dynamic Website, Dynamic+ Website, Dynamic+ Web Services)

    1. To add additional details about the scan, click Additional Details.

    2. Complete the fields as needed.

      Field Description
      User agent

      Select the user agent type that will be used for the site: Desktop browser (default), Mobile browser.

      Concurrent request threads

      Select the number of concurrent requests that will be used for the scan:

      • Standard (default): 5 crawl requestor threads, 10 audit requestor threads, 20 second request timeout
      • Limited: 2 crawl requestor threads, 3 audit requestor threads, 5 second request timeout

      Selecting the Limited option will reduce the scan load but will also cause the scan to take longer than the standard SLO.

      Additional Notes

      (Optional) Type additional information that the testing team needs to know before starting the assessment.

      Free form exclusions and whitelist notes have been migrated to this field.
      Additional Documentation

      (Optional) Upload documentation (30 MB limit) that facilitates testing of the application. Uploaded files are displayed in the Uploaded Files section below.

      Supported file types: DOC, DOCX, PPT, TXT, PDF, PPTX, ZIP, XLS, XLSX, CSV.

      Generate WAF Virtual Patch

      (Optional) Select the check box to request a WAF virtual patch from Fortify WebInspect. Once the assessment is complete, you can download the file on the Scans page.

      This option is not enabled by default; contact support to enable it.

      Request pre-assessment conference call

      (Optional, Dynamic Premium and Dynamic+ assessments only) Select the check box to request a pre-assessment conference call. The check box is cleared after the assessment is completed.

      You cannot request a pre-assessment conference call for a scan scheduled within 72 hours.

  6. Once you have configured the scan settings, click Save.

    • If the form is complete, the Setup Status is marked as Valid.

    • If the form is incomplete, the Setup Status is marked as Incomplete. A list of the issues appears at the top of the page. You can hover over the x icon next to Setup Status to display the list.