- Overview
- Forking the Repository
- Building the Application
- Running the Application
- Application Security Testing Integrations
- SAST using Fortify SCA command line
- SAST using Fortify ScanCentral SAST
- Open Source Susceptibility Analysis using Sonatype Nexus IQ
- SAST using Fortify on Demand
- DAST using Fortify WebInspect
- DAST using Fortify ScanCentral DAST
- DAST using Fortify on Demand
- API Security Testing using Fortify WebInspect and Postman
- API Security Testing using ScanCentral DAST
- Build and Pipeline Integrations
- Developing and Contributing
- Licensing
IWA.NET (Insecure Web App) Pharmacy Direct is an example Microsoft.NET Core Web Application for use in DevSecOps scenarios and demonstrations. It includes some examples of bad and insecure code - which can be found using static and dynamic application security testing tools such as Micro Focus Fortify.
One of the main aims of this project is to illustrate how security can be embedded early ("Shift-Left") and continuously ("CI/CD") in the development lifecycle. Therefore, a number of examples of "integrations" to common CI/CD pipeline tools are provided.
The application is intended to provide the functionality of a typical "online pharmacy", including purchasing Products (medication) and requesting Services (prescriptions, health checks etc). It has a modern-ish HTML front end (with some JavaScript) and a Swagger based API.
Please note: the application should not be used in a production environment!
In order to execute the example scenarios described here you should "fork" a copy of the Git repository - unfortunately Azure DevOps does not offer this feature across organisations. As an alternative you can "clone" the repository and setup a new "remote" or ask permission to be added to the dedicated fork project.
To create the required database:
dotnet tool install --global dotnet-ef
dotnet tool restore
dotnet ef database update
To build (and unit test) the application either select "Build->Build Solution" from within Visual Studio or execute the following from the command line:
msbuild IWA.NET.sln /p:Configuration=Debug /t:Clean,Build
To create docker image:
docker build --tag iwa.net --file InsecureWebApp/Dockerfile .
To create and test locally, no support of SSL, use httpport=44331 to test i.e., http://localhost:44331/:
docker run -d -p 44331:80 iwa.net
You can run the application from within Visual Studio or use the provided Azure DevOps pipeline azure-pipelines.yml to deploy it to an Azure Website.
There is an example batch script fortify-sca.ps1 that you can use to execute static application security testing via Fortify SCA.
FortifyScanCommands.bat
OR directly run the below commands to execute SAST
sourceanalyzer -b iwa -clean
sourceanalyzer -b iwa -debug -logfile trans.log dotnet build IWA.NET.sln
sourceanalyzer -b iwa -debug -logfile scan.log -scan -f iwa.fpr
start "" "iwa.fpr"
This script runs a "sourceanalyzer" translation and scan on the project's source code. It creates a Fortify Project Results file called IWA.fpr
which you can open using the Fortify auditworkbench
tool:
auditworkbench IWA.fpr
To execute a Fortify on Demand SAST scan
you need to package and upload the source code to Fortify on Demand. To package the code into a Zip file for uploading
you can use the scancentral
command utility as following:
"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat"
scancentral package --build-tool msbuild --build-file IWA.NET.sln --output fod.zip
You can then upload this manually using the Fortify on Demand UI or you can use the FoDUploader utility to upload the file and start a Fortify on Demand static scan as follows:
java -jar FodUpload.jar -z fod.zip -aurl 'https://api.emea.fortify.com' -purl 'https://emea.fortify.com' -rid 'FOD_RELEASE_ID' -tc 'FOD_TENANT'
-uc 'FOD_CREDENTIALS' -ep 2 -pp 0 -I 1 -apf -n "command-line initiated scan"
where FOD_ACCESS_KEY
and FOD_SECRET_KEY
are the values of an API Key and Secret you have created in the Fortify on
Demand portal. This script makes use of the PowerShellForFOD
PowerShell module.
To carry out a WebInspect scan you should first "run" the application using one of the steps described above. Then you can start a scan using the following command line:
"C:\Program Files\Fortify\Fortify WebInspect\WI.exe" -s ".\etc\IWA-UI-Dev-Settings.xml" -macro ".\etc\IWA-UI-Dev-Login.webmacro" -u "http://localhost:8080" -ep ".\IWA.NET-DAST.fpr" -ps 1008
This will start a scan using the Default Settings and Login Macro files provided in the etc
directory. It assumes
the application is running on "localhost:8080". It will run a "Critical and High Priority" scan using the policy with id 1008.
Once completed you can open the WebInspect "Desktop Client" and navigate to the scan created for this execution. An FPR file
called IWA.NET-DAST.fpr
will also be available - you can open it with auditworkbench
(or generate a
PDF report from using ReportGenerator
). You could also upload it to Fortify SSC or Fortify on Demand.
An Azure Devops pipeline azure-pipelines.yml is provided and has user selected variables such as "UseFoD" or "UseScanCentralDAST" which can be set to True or False depending on which application security testing integration you require.
This application is made available under the GNU General Public License V3