A Fortify ScanCentral DAST scan of a public site can be performed by connecting to it directly over the internet.
A Fortify ScanCentral DAST scan of a customer's private (internal) site can be performed using one of the following options:
- Whitelist the source IP address(es) of the Fortify Hosted scan sensor(s) (provided by Ops) so that they can reach the target application through your firewall.
- Fortify Connect (FC): a point-to-point, non-routed proxy tunnel that lets the sensor reach the target application without exposing it through your firewall. The most commonly expected deployment/scan scenario is Cloud/Remote Mode, described below.
Scenario 1: DAST/WebInspect Sensor Running in the Fortify Hosted environment (Cloud/Remote Mode)
- The diagram included below depicts a DAST/WebInspect Sensor running in the cloud-based Fortify Hosted environment (Cloud/Remote Mode). This assumes you have internal applications that need to be scanned but are not reachable from outside your internal network.
- The Fortify Connect (FC) Client is a pre-configured executable that runs behind your firewall. It establishes a point-to-point proxy tunnel so that the Fortify ScanCentral DAST scanner can use the FC Server (running in the cloud) and the FC Client (running in your internal network) as a proxy to your internal sites. No other traffic can be routed over this connection.
- The pre-configured FC Client executable is available for download from the "ScanCentral DAST > Fortify Connect" configuration tab once FC has been configured in your Fortify Hosted environment.
Working with Fortify Connect for private application scanning
Fortify Connect Client on Fortify ScanCentral DAST
- Note: the Fortify Connect Client is only officially supported on Linux.
Configuring and using Fortify Connect
- Note: only steps 2 to 7 of that guide apply here.
Locally hosted Fortify DAST Scan Sensor
Kubernetes Helm Charts
- Installed and managed by the customer or by Professional Services.
- The following document describes how to configure and use the scancentral-dast-scanner 24.4 Helm charts to orchestrate the complete ScanCentral DAST scanner container deployment in Kubernetes.
Deploying DAST Scanner in Kubernetes
- Tips and clarifications
- The ScanCentral DAST core components have already been installed and are part of Fortify Hosted; you deploy only the scanner (sensor).
- The core configuration values (the DAST API service URL and the name of the secret holding the DAST API service account token) are received on sign-up in a password-protected document.
- The ScanCentral DAST Scanner Helm chart version must match the major.minor Fortify product version deployed in Fortify Hosted; the remaining version component is the patch level, so always use the latest patch for that major.minor. Tip: to see the available versions, go to https://hub.docker.com/r/fortifydocker/helm-scancentral-dast-scanner/tags.
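The procedure above (pick the chart patch level that matches the hosted product version, then supply the API URL and the token secret name) as an added shell example; this is not Fortify's chart or documentation code. The OCI chart reference, the values keys `dastApiServiceUrl` and `dastApiServiceTokenSecretName`, the secret key `token`, the namespace and release names, and the tag list fed to `latest_patch_tag` are assumptions for illustration; take the real names from the chart's values.yaml and the real tags from the Docker Hub page.

```shell
#!/bin/sh
# Added example, not Fortify's chart or documentation code. Chooses the chart
# patch level that matches the Fortify Hosted product version, stores the API
# token as a Kubernetes Secret, and deploys the scanner chart.
set -eu

# Print the newest chart tag whose major.minor equals that of the hosted
# product version; tags are assumed to be plain major.minor.patch.
# Usage: latest_patch_tag 24.4.0 24.2.0 24.4.0 24.4.1 25.2.0   -> 24.4.1
# Returns 1 (prints nothing) when no tag matches, so a version mismatch
# cannot be deployed silently.
latest_patch_tag() {
    hosted="$1"; shift
    mm=$(printf '%s' "$hosted" | cut -d. -f1,2)
    best=""
    for tag in "$@"; do
        case "$tag" in
            "$mm".*) ;;          # same major.minor: candidate
            *) continue ;;
        esac
        # keep the higher patch level (third component)
        if [ -z "$best" ] || [ "${tag##*.}" -gt "${best##*.}" ]; then
            best="$tag"
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Idempotently create the namespace the scanner and its Secret live in.
ensure_namespace() {
    kubectl create namespace "$1" --dry-run=client -o yaml | kubectl apply -f -
}

# Store the service token in a Secret, fed from the environment via stdin so
# it never appears on the command line, in shell history or in
# `helm get values`. Secret name and key ("token") are assumptions here.
create_token_secret() {
    ns="$1"; secret="$2"
    printf '%s' "${DAST_SERVICE_TOKEN:?set from the sign-up document}" |
        kubectl -n "$ns" create secret generic "$secret" \
            --from-file=token=/dev/stdin --dry-run=client -o yaml |
        kubectl apply -f -
}

# Deploy the scanner chart pinned to an explicit --version. The OCI chart
# reference and the two values keys are assumptions; take the real names
# from the chart's values.yaml.
deploy_scanner() {
    ns="$1"; version="$2"; secret="$3"
    helm upgrade --install scancentral-dast-scanner \
        oci://registry-1.docker.io/fortifydocker/helm-scancentral-dast-scanner \
        --version "$version" --namespace "$ns" \
        --set "dastApiServiceUrl=${DAST_API_ROOT_URL:?set from the sign-up document}" \
        --set "dastApiServiceTokenSecretName=${secret}"
}

# Usage:
#   FORTIFY_HOSTED_VERSION=24.4.0 DAST_API_ROOT_URL=https://... \
#   DAST_SERVICE_TOKEN=... sh deploy-scanner.sh deploy
# The tag list below is a constructed sample; in practice take it from the
# Docker Hub tags page.
if [ "${1:-}" = "deploy" ]; then
    version=$(latest_patch_tag "${FORTIFY_HOSTED_VERSION:?e.g. 24.4.0}" \
                               24.2.0 24.4.0 24.4.1 25.2.0)
    ensure_namespace fortify-dast
    create_token_secret fortify-dast dast-api-token
    deploy_scanner fortify-dast "$version" dast-api-token
fi
```

Pinning `--version` to the selected tag, rather than letting Helm resolve "latest", is what keeps the scanner at the same major.minor as the hosted core components while still picking up patches.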
License
- Utilise your own on-prem license: it is added to the Fortify Hosted LIM pool.
- Share the Fortify Hosted DAST sensor license from the Fortify Hosted LIM pool.
Docker image
- Installed and managed by the customer or by Professional Services.
A Linux Docker image of the Fortify DAST Scan Sensor (Fortify WebInspect) is available for download from the Fortify Hosted Support Hub (DAST-sensor_xx.x.tar.gz) or by pulling it from the Fortify Docker repository; see the ScanCentral DAST help at https://www.microfocus.com/documentation/fortify-ScanCentral-DAST/2440/SC_DAST_Help_24.4.0/index.htm#DynSetup/DynScan_WI-Docker.htm?TocPath=Configuring%2520the%2520ScanCentral%2520DAST%2520Environment%257C_____10
For information on how to use the launch artifacts to pull one of these images and start the container as a DAST sensor, see the Micro Focus Fortify WebInspect and OAST on Docker User Guide at https://www.microfocus.com/documentation/fortify-webinspect/2440/WI_Docker_Guide_24.4.0.pdf
- Linux Docker scripts sample: DAST_API_ROOT_URL and DAST_SERVICE_TOKEN are provided by the Fortify Hosted team as "Fortify ScanCentral DAST API URL" and "scDastServiceToken" respectively. DAST_API_ROOT_URL must be reachable from the customer network without a proxy.
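An added shell example (not the Fortify Hosted sample script) of the pre-flight checks a practitioner would want before launching the sensor container: it enforces https on DAST_API_ROOT_URL, verifies the URL is reachable with proxies disabled (the "without proxy" requirement above), and passes the token into the container from the environment rather than on the command line. The image reference `fortifydocker/dast-scanner:24.4` and the environment variable names the container reads are assumptions; the WebInspect on Docker guide linked above has the real launch artifacts.

```shell
#!/bin/sh
# Added example, not the Fortify Hosted sample script. Pre-flight checks and
# launch of the DAST sensor container on a Linux Docker host.
set -eu

# DAST_API_ROOT_URL must use https (the service token travels with every
# request to the API) and must name a host. Returns 0 when acceptable.
check_api_url() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) echo "DAST_API_ROOT_URL must use https: $url" >&2; return 1 ;;
    esac
    host=${url#https://}; host=${host%%/*}
    if [ -z "$host" ]; then
        echo "DAST_API_ROOT_URL has no host: $url" >&2; return 1
    fi
    return 0
}

# The API URL must be reachable without a proxy. --noproxy '*' makes curl
# ignore http_proxy/https_proxy/HTTPS_PROXY, so the check reflects a direct
# connection, which is what the container will attempt. TLS verification
# stays on (no -k). Any HTTP status counts as reachable; only a connect/TLS
# failure or a timeout makes curl return non-zero.
check_api_reachable() {
    curl -sS --noproxy '*' --max-time 10 -o /dev/null "$1"
}

# Launch the sensor. "-e NAME" with no value copies NAME from the current
# environment, so the token is not on the command line and not visible in
# `ps` or shell history. Image tag and variable names are assumptions.
run_sensor() {
    docker run -d --name dast-sensor --restart unless-stopped \
        -e DAST_API_ROOT_URL -e DAST_SERVICE_TOKEN \
        fortifydocker/dast-scanner:24.4
}

# Usage:
#   DAST_API_ROOT_URL=https://... DAST_SERVICE_TOKEN=... sh run-sensor.sh run
if [ "${1:-}" = "run" ]; then
    : "${DAST_API_ROOT_URL:?set from the sign-up document}"
    : "${DAST_SERVICE_TOKEN:?set from the sign-up document}"
    check_api_url "$DAST_API_ROOT_URL"
    check_api_reachable "$DAST_API_ROOT_URL"
    run_sensor
fi
```

Running the reachability check from the Docker host with proxies disabled catches the common failure where the URL works from a browser (via the corporate proxy) but not from the sensor container.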