Data Sheet

Fortify WebInspect (DAST)

CyberRes Fortify WebInspect is a dynamic application security testing (DAST) tool that identifies application vulnerabilities in deployed web applications and services.

WebInspect is an automated DAST solution that provides comprehensive vulnerability detection and helps security professionals and QA testers identify security vulnerabilities and configuration issues. It does this by simulating real-world external security attacks on a running application to identify issues and prioritize them for root-cause analysis. WebInspect has numerous REST APIs to benefit integration and has the flexibility to be managed through an intuitive UI or run completely via automation.

Product Highlights

Automation with Integration

WebInspect can be run as a fully-automated solution to meet DevOps and scaling needs, and integrate with the SDLC without adding additional overhead.

• REST APIs help achieve a tighter integration and help automate scans and check whether compliance requirements have been met.
• Leverage prebuilt integrations for Micro Focus Application Lifecycle Management (ALM) and Quality Center, and other security testing and management systems.
• Powerful integrations allow teams to re-use existing scripts and tools. WebInspect can easily integrate with any Selenium script.
• Scan RESTful web services: supports Swagger and OData formats via WISwag command line tool, enabling WebInspect to fit into any DevOps pipeline.
• Base settings: ScanCentral Admin can preconfigure a scan template and provide that to users to scan their apps—no security knowledge needed.

Key Features

Functional Application Security Testing (FAST)
Don’t be limited by IAST! FAST can take all the functional tests and use those in the same way IAST does, but then it keeps crawling. Even if a functional test misses something, FAST won’t miss it.

Hacker-Level Insights
View findings such as client-side frameworks and the version numbers—findings that could become vulnerabilities if not updated.

HAR Files for Workflow Macros
WebInspect can use HAR files for workflow scanning, ensuring important content is covered during scans.

Manage Enterprise Application Security Risk
Monitor trends within an application and take action on the most critical vulnerabilities first to meet DevOps needs.

Flexible Deployment
Start quickly and scale as needed with the flexibility of on-premise, SaaS, or AppSec-as-a-service.

Compliance Management
Pre-configured policies and reports for all major compliance regulations related to web application security, including PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP, and HIPAA.

Increase Speed with Horizontal Scaling
Horizontal scaling creates little versions of WebInspect using Kubernetes that just focus on processing JavaScript. This allows the scans to work in parallel, allowing for much faster scans.

Scan Any API for Improved Accuracy
Get a complete story around APIs, whether it’s SOAP, REST, Swagger, OpenAPI, or Postman.

Figure 1. Detect vulnerabilities earlier in the SDLC with WebInspect. (Shift DAST Left with WebInspect, Focus on Quality Software: Traditional Quality Model compared with Shift Left Model across the stages Planning & Design, Development & Build, Test, Deploy & Release, Monitor & Analyze.)

Key Benefits

Find Vulnerabilities Faster and Earlier

WebInspect can be tuned and optimized for your application to find vulnerabilities faster and earlier in the SDLC. Enhance scan with agent technology that expands the coverage of the attack surface and detects additional types of vulnerabilities.

• Test for a new class of vulnerabilities called “Out of Band” or OAST Vulnerabilities. Using the public Fortify OAST server, WebInspect can detect OAST vulns such as Log4Shell.
• Single Page Application (SPA) Detection supporting these common frameworks: Angular, AngularJS, React, GWT, Vue, Dojo, and Backbone.
• WebInspect Agent integrates dynamic testing and runtime analysis to enhance your findings and scope. It identifies vulnerabilities by crawling more of the app, expanding coverage of the attack surface, and exposing exploits better than dynamic testing alone.
• Test mobile-optimized websites as well as native web service calls.

Prioritization with advanced technologies:

• A solution to SCHANNEL lockdown issues, OpenSSL Preview provides a simple solution for environments where SSL is being restricted either by registry or group policy.
• Run custom policies that are tuned towards high speed with pol

This document was uploaded and shared by 路人甲 on 2022-08-20 03:53:21.