WebInspect automation workflows use build automation tools to manage the dynamic scanning ecosystem, including QA testing and cloud deployments.
Dynamic analysis (DAST), combined with static analysis (SAST), provides more thorough coverage, but automating dynamic analysis is more complex: the application must be built, deployed, reachable and in a known state before the scanner starts. You can either build your own tech stack or borrow a framework. This guide helps you accelerate your automation by reusing the test automation scripts and frameworks that other enterprises have already created as part of their DevOps practices.
Target Corporation addresses Dynamic Application Security Test Orchestration (DASTO) with its open-source WebBreaker tool on GitHub. WebBreaker drives WebInspect to give teams greater agility and flexibility and tighter integration with the SDLC pipeline, Git workflows and similar tooling.
A Maven plugin developed by Ruud Senden with Fortify for WebInspect and WebInspect Enterprise lets users automatically build applications, deploy test instances and run integration tests. Integrate the following scenario into the CI/CD pipeline:
For standalone WebInspect, automation workflows use a build automation tool that manages the scanning ecosystem itself via the following steps:
With WebInspect Enterprise (WIE) this is simpler, because WIE manages the scheduling and the polling for an available sensor. WebInspect Enterprise also publishes results to Fortify Software Security Center automatically.
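As an added worked example (not code from this page, from Fortify, from the Maven plugin or from WebBreaker), the following Python module shows the flow a build job has to own for standalone WebInspect when WIE is not doing the scheduling: start a scan over the scanner's REST API, poll until it reaches a terminal state under a timeout, collect the findings, export the FPR for Software Security Center, and turn the severity counts into a pass/fail build gate. It also shows where a QA artifact such as a workflow macro built from a Selenium run is handed to the scanner. The REST paths, JSON field names, override names (including `workflowMacros`) and status strings are assumptions modelled on the WebInspect scanner API and must be checked against your version; the HTTP transport is injected, so the module runs offline against the constructed `FakeWebInspect` stub, whose replies are test data rather than real scanner output.

```python
"""Drive a standalone WebInspect scan from a build job: start, poll, collect, export, gate.
Added example, not Fortify's, Ruud Senden's or WebBreaker's code. REST paths, JSON field names,
override names and status strings are ASSUMPTIONS modelled on the WebInspect scanner API; verify
them against your version. The transport is injected, so this runs offline against FakeWebInspect."""
import time
from collections import Counter
from typing import Any, Callable, Dict, List, Mapping, Optional, Tuple

# transport(method, path, json_body) -> (http_status, decoded JSON or raw bytes)
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Tuple[int, Any]]
SCANS = "/webinspect/scanner/scans"                   # assumed base path
TERMINAL_OK = {"Complete"}                            # assumed status strings
TERMINAL_BAD = {"Failed", "Stopped", "Interrupted"}


class ScanError(RuntimeError):
    """The scanner rejected a request, the scan ended abnormally, or it never finished."""


class WebInspectRunner:
    def __init__(self, transport: Transport, poll_interval: float = 15.0, timeout: float = 3600.0):
        self._send, self.poll_interval, self.timeout = transport, poll_interval, timeout

    def start(self, settings_name: str, start_url: str, workflow_macro: Optional[str] = None) -> str:
        """Launch a scan; an optional workflow macro (e.g. built from a QA Selenium run) drives coverage."""
        overrides: Dict[str, Any] = {"startUrls": [start_url]}
        if workflow_macro:
            overrides["workflowMacros"] = [workflow_macro]   # assumed override name
        code, body = self._send("POST", SCANS, {"settingsName": settings_name, "overrides": overrides})
        if code not in (200, 201) or "ScanId" not in body:
            raise ScanError(f"scan start rejected: HTTP {code} {body!r}")
        return body["ScanId"]

    def wait(self, scan_id: str) -> str:
        """Poll until the scan is terminal. Without WIE the build job owns this loop, so it needs a timeout."""
        deadline = time.monotonic() + self.timeout
        while True:
            code, body = self._send("GET", f"{SCANS}/{scan_id}?action=getCurrentStatus", None)
            if code != 200:
                raise ScanError(f"status query failed: HTTP {code}")
            status = body.get("ScanStatus", "")
            if status in TERMINAL_OK:
                return status
            if status in TERMINAL_BAD:
                raise ScanError(f"scan {scan_id} ended with status {status}")
            if time.monotonic() >= deadline:
                raise ScanError(f"scan {scan_id} still {status or 'unknown'} after {self.timeout}s")
            time.sleep(self.poll_interval)

    def severity_counts(self, scan_id: str) -> Counter:
        """Fetch the issue list and tally it by severity (assumed endpoint and field name)."""
        code, issues = self._send("GET", f"{SCANS}/{scan_id}/issues", None)
        if code != 200:
            raise ScanError(f"issue query failed: HTTP {code}")
        return Counter(issue.get("severity", "unknown") for issue in issues)

    def export_fpr(self, scan_id: str) -> bytes:
        """Export the FPR for upload to Software Security Center (WIE would publish it automatically)."""
        code, data = self._send("GET", f"{SCANS}/{scan_id}.fpr", None)
        if code != 200 or not isinstance(data, (bytes, bytearray)):
            raise ScanError(f"FPR export failed: HTTP {code}")
        return bytes(data)


def gate(counts: Mapping[str, int], max_critical: int = 0, max_high: int = 0) -> bool:
    """Build-gate policy: pass only when critical/high findings stay within the thresholds."""
    return counts.get("critical", 0) <= max_critical and counts.get("high", 0) <= max_high


def run_pipeline(transport: Transport, settings_name: str, start_url: str,
                 workflow_macro: Optional[str] = None, **runner_kw: Any) -> Dict[str, Any]:
    """Everything the CI job does in order: start -> wait -> collect -> export -> gate."""
    runner = WebInspectRunner(transport, **runner_kw)
    scan_id = runner.start(settings_name, start_url, workflow_macro)
    status = runner.wait(scan_id)
    counts = runner.severity_counts(scan_id)
    fpr = runner.export_fpr(scan_id)
    return {"scan_id": scan_id, "status": status, "counts": counts, "fpr": fpr, "passed": gate(counts)}


class FakeWebInspect:
    """Constructed stand-in for the scanner: answers Running for a few polls, then a final status."""
    def __init__(self, final_status: str = "Complete", polls_before_done: int = 2,
                 issues: Optional[List[Dict[str, str]]] = None):
        self.final_status, self.polls_left = final_status, polls_before_done
        self.issues = issues if issues is not None else []
        self.calls: List[Tuple[str, str]] = []          # request log, handy for assertions

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Tuple[int, Any]:
        self.calls.append((method, path))
        if method == "POST" and path == SCANS:
            return 201, {"ScanId": "scan-0001"}
        if path.endswith("?action=getCurrentStatus"):
            if self.polls_left > 0:
                self.polls_left -= 1
                return 200, {"ScanStatus": "Running"}
            return 200, {"ScanStatus": self.final_status}
        if path.endswith("/issues"):
            return 200, self.issues
        if path.endswith(".fpr"):
            return 200, b"PK\x03\x04constructed-fpr"   # real FPRs are zip archives; this is a placeholder
        return 404, {}
```

In a real job, `transport` wraps an HTTP client pointed at the WebInspect API host and the build fails when `run_pipeline(...)["passed"]` is false; here `FakeWebInspect(issues=[{"severity": "high"}])` stands in for the scanner. The `wait()` loop, with its terminal-state checks and timeout, is exactly the work WIE takes over when it schedules the scan and polls for a sensor itself, and `export_fpr()` is the step WIE replaces with automatic publishing to Software Security Center.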
Automation can also reuse artifacts generated during QA functional testing (for example, Selenium scripts) to drive WI/WIE scans. The advantage of this approach is:
Add these steps to the Basic Security Task—WebInspect:
Same additional steps as for WebInspect.
Another use case is automation in the cloud: deploy sensors for both WI and WIE there and scale the sensor installation dynamically with the volume of application security testing in progress.