- Overview
- Forking the Repository
- Pre-Requisites
- Building the Application
- Running the Application
- Application Security Testing Integrations
- SAST using Fortify Static Code Analyzer command line
- SAST using Fortify ScanCentral SAST
- SAST using Fortify on Demand
- DAST using Fortify WebInspect
- DAST using Fortify ScanCentral DAST
- DAST using Fortify on Demand
- API Security Testing using Fortify WebInspect and Postman
- API Security Testing using ScanCentral DAST
- Build and Pipeline Integrations
- Developing and Contributing
- Licensing
IWA.NET (Insecure Web App) Pharmacy Direct is an example Microsoft.NET Core Web Application for use in DevSecOps scenarios and demonstrations. It includes some examples of bad and insecure code - which can be found using static and dynamic application security testing tools such as OpenText Fortify.
One of the main aims of this project is to illustrate how security can be embedded early ("Shift-Left") and continuously ("CI/CD") in the development lifecycle. Therefore, a number of examples of "integrations" to common CI/CD pipeline tools are provided.
The application is intended to provide the functionality of a typical "online pharmacy", including purchasing Products (medication) and requesting Services (prescriptions, health checks etc). It has a modern-ish HTML front end (with some JavaScript) and a Swagger based API.
Please note: the application should not be used in a production environment!
In order to execute example scenarios for yourself it is recommended that you "fork" a copy of this repository into your own GitHub account. The process of "forking" is described in detail in the GitHub documentation - you can start the process by clicking on the "Fork" button at the top right.
- Microsoft .NET 6.0.x SDK
- Visual Studio 2022 Community Edition (or higher)
- (Optional) SQL Server Express 2019 including SQL Server LocalDB
- (Optional) Fortify Static Code Analyzer local install
- (Optional) Fortify command line (fcli) tool
- (Optional) Debricked CLI
To build the application, select Build->Build Solution from within Visual Studio or
carry out the following from a command prompt:
cd InsecureWebApp
dotnet restore
dotnet buildTo create a Docker image build the application as above and then carry out the following:
docker build --tag iwa.net --file Dockerfile .To run the application, click on the "Run/Play" button in Visual Studio (with the IWA profile selected)
or carry out the following from a
command prompt:
dotnet runTo run a Docker container using the image built above you can use:
docker run -d -p 5001:80 iwa.netWhichever mechanism you use, the application should be available in your browser at https://localhost:5001/
There is an example batch script that you can use to execute static application security testing via Fortify Static Code Analyzer.
FortifyScanCommands.bator you can directly run the following commands:
sourceanalyzer -b iwa -clean
sourceanalyzer -b iwa -debug -logfile trans.log dotnet build IWA.NET.sln
sourceanalyzer -b iwa -debug -logfile scan.log -scan -f IWA.fpr
start "" "IWA.fpr"This script runs a "sourceanalyzer" translation and scan on the project's source code.
It creates a Fortify Project Results file called IWA.fpr which you can open using the
Fortify auditworkbench tool:
auditworkbench IWA.fprTBD
To execute a Fortify on Demand
SAST scan you need to package and upload the source code to Fortify on Demand.
To package the code into a Zip file for uploading you can use the scancentral command utility as following:
"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat"
scancentral package --build-tool msbuild --build-file IWA.NET.sln --output fod.zipYou can then upload this manually using the Fortify on Demand UI or alternately you can use the Fortify fcli tool to upload this Zip file and start a scan using the following:
fcli fod session login --url https://api.ams.fortify.com --client-id __FOD_CLIENT_ID_ --client-secret _FOD_CLIENT_SECRET__
fcli fod sast-scan start --release _YOUR_APP_:_YOUR_REL_ -f fod.zip --store curScan
fcli fod sast-scan wait-for ::curScan::where _FOD_CLIENT_ID_ and _FOD_CLIENT_SECRET_ are the values of an API Key and Secret you have created in the Fortify on
Demand portal, and _YOUR_APP_ and _YOUR_REL_ is the Fortify on Demand Application and Release name you are running the scan for.
To carry out a WebInspect scan you should first "run" the application using one of the steps described above. Then you can start a scan using the following command line:
"C:\Program Files\Fortify\Fortify WebInspect\WI.exe" -s ".\etc\IWA-UI-Dev-Settings.xml" -macro ".\etc\IWA-UI-Dev-Login.webmacro" -u "https://localhost:5001" -ep ".\IWA.NET-DAST.fpr" -ps 1008
This will start a scan using the Default Settings and Login Macro files provided in the etc directory. It assumes
the application is running on "https://localhost:5001". It will run a "Critical and High Priority" scan using the policy with id 1008.
Once completed you can open the WebInspect "Desktop Client" and navigate to the scan created for this execution. An FPR file
called IWA.NET-DAST.fpr will also be available - you can open it with auditworkbench (or generate a
PDF report from using ReportGenerator). You could also upload it to Fortify SSC or Fortify on Demand.
TBD
TBD
TBD
TBD
To carry out a Debricked scan using the Debricked CLI carry out the following from a command prompt:
cd InsecureWebApp
debricked scan . -e "*\**.lock" -e "**\node_modules\**" -r _DEBRICKED_REPO_ -t _DEBRICKED_TOKEN_where _DEBRICKED_REPO_ is the name of the repository you want represented in Debricked UI and
_DEBRICKED_TOKEN_ is your Debricked access token.
There is a simple GitHub action fortify.yml for carrying out a SAST scan using Fortify on Demand.
An Azure Devops pipeline azure-pipelines.yml is provided and has variables such as "USE_FOD_SAST" or "USE_SCANCENTRAL_DAST" which can be set to True or False depending on which application security testing integration you require.
This application is made available under the GNU General Public License V3