Publishing a scan (Fortify WebInspect Enterprise Connected)

Note: This topic applies only if Fortify WebInspect Enterprise is integrated with OpenText Application Security Center (Software Security Center).

Use the following procedure to transmit scan data from OpenText DAST to an Application Security server, via Fortify WebInspect Enterprise.

Note: For information about managing the Application Security status of vulnerabilities when conducting multiple scans of the same website or application, see Integrating vulnerabilities into Application Security.

  1. Configure Fortify WebInspect Enterprise and Application Security.

  2. Run a scan in OpenText DAST (or use an imported or downloaded scan). 

  3. Click the Enterprise Server menu and select Connect to WebInspect Enterprise. You will be prompted to submit credentials.

  4. If a scan is open on a tab that has focus, and you want to publish only that scan:

    1. Click .

    2. Select an application and version, then click OK.

    3. Examine the results. Columns will appear in the Summary pane specifying "Published Status" and "Pending Status." The Published Status is the status of the vulnerability the last time this scan was published to Fortify WebInspect Enterprise. The Pending Status is what the status of the vulnerability will be after this scan is published. Depending on the Pending Status, you can modify it to specify whether the vulnerability has been resolved or is still existing (see Step 7 below). In addition, a new tab named "Not Found" appears; this tab contains vulnerabilities that were detected in previous scans but not in the current scan. You can add screenshots and comments to vulnerabilities or mark vulnerabilities as false positive or ignored. You can also review and retest vulnerabilities, modifying the scan results until you are ready to publish.

    4. Click . Go to Step 7.

  5. To select from a list of scans:

    1. Click the Enterprise Server menu and select Publish Scan.

    2. On the Publish Scan(s) to Application Security Center dialog box, select one or more scans.

    3. Select an application and version.

    4. Click Next. OpenText DAST automatically synchronizes with Application Security.

  6. OpenText DAST lists the number of vulnerabilities to be published, categorized by status and severity.

    To determine the status, OpenText DAST compares previously submitted vulnerabilities (obtained by synchronizing with Application Security) with those reported in the current scan. If this is the first scan submitted to an application version, all vulnerabilities will be "New."

    If a vulnerability was previously reported, but is not in the current scan, it is marked as "Not Found." You must determine if it was not found because it has been fixed or because the scan was configured differently (for example, you may have used a different scan policy, or you scanned a different portion of the site, or you terminated the scan prematurely). When examining the results (step 4c), you can change the "pending status" of individual vulnerabilities detected by all but the first scan (by right-clicking a vulnerability in the Summary pane). However, when publishing, you must specify how OpenText DAST should handle any remaining "Not Found" vulnerabilities.

    To retain these "Not Found" vulnerabilities in Application Security (indicating that they still exist), select Retain: Assume all vulnerabilities still marked "Not Found" in the scan are still present.

    To remove them (implying that they have been fixed), select Resolve: Assume all vulnerabilities still marked "Not Found" in the scan are fixed.

  7. If this scan was conducted in response to a scan request initiated at Application Security, select Associate scan with an "In Progress" scan request for the current application version.

  8. Click Publish.
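The status reconciliation described in step 6, modelled as an added example (this is not OpenText or Fortify code): previously published findings are compared with the current scan, per-finding pending statuses set in step 4c take precedence, and the Retain/Resolve policy decides the remaining "Not Found" findings. The matching key, the field names, the "Existing", "Still Present" and "Resolved" labels, and the sample findings are assumptions made for illustration.

```python
from collections import Counter

RETAIN = "Retain"    # remaining "Not Found" findings are assumed still present
RESOLVE = "Resolve"  # remaining "Not Found" findings are assumed fixed

def vuln_key(v):
    # Assumed identity for matching a finding across scans: check id, URL, parameter.
    return (v["check_id"], v["url"], v.get("param"))

def reconcile(published, current, overrides=None, not_found_policy=RETAIN):
    """Return {finding key: (pending status, severity)} for the publish operation.

    published: findings already in Application Security for this version (synced copy)
    current:   findings in the scan about to be published
    overrides: pending statuses chosen per finding before publishing (step 4c);
               only "Not Found" findings need one, the bulk policy covers the rest
    """
    overrides = overrides or {}
    prev = {vuln_key(v): v for v in published}
    now = {vuln_key(v): v for v in current}
    pending = {}
    for k, v in now.items():
        # First scan for the version (prev empty) or never seen before: New.
        pending[k] = ("New" if k not in prev else "Existing", v["severity"])
    for k, v in prev.items():
        if k in now:
            continue
        # Reported before but absent now: a per-finding decision wins, else the policy.
        status = overrides.get(k)
        if status is None:
            status = "Still Present" if not_found_policy == RETAIN else "Resolved"
        pending[k] = (status, v["severity"])
    return pending

def summarize(pending):
    """Count findings by (status, severity), like the pre-publish summary list."""
    return dict(Counter(pending.values()))

def demo(policy=RESOLVE):
    # Constructed sample: two findings published earlier; one re-found now plus one new.
    published = [{"check_id": "C-1", "url": "/login", "param": "user", "severity": "High"},
                 {"check_id": "C-2", "url": "/admin", "param": None, "severity": "Medium"}]
    current = [{"check_id": "C-1", "url": "/login", "param": "user", "severity": "High"},
               {"check_id": "C-3", "url": "/search", "param": "q", "severity": "Critical"}]
    # /admin was left out of this scan's coverage, so the operator keeps C-2 open
    # instead of letting the Resolve policy close it by mistake.
    overrides = {("C-2", "/admin", None): "Still Present"}
    return summarize(reconcile(published, current, overrides, policy))
```

Without the override, the same Resolve publish would mark C-2 as Resolved, which is exactly the silent closure the "Not Found" check in step 6 is meant to catch when a scan used a narrower policy or scope.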