List the WebInspect tests for OWASP Policy 2013 - A7 and A9 (910 Views)
Occasional Advisor
Febins
Posts: 13
Registered: ‎04-19-2012
Message 1 of 7 (910 Views)

List the WebInspect tests for OWASP Policy 2013 - A7 and A9

 

Hi,

Please let me know the list of tests in WebInspect which come under the Top Ten policy -

A7 - Missing Function Level Access Control

A9 - Using Known Vulnerable Components

The reason is that the tests we did manually are not taken up by WebInspect in its execution. We had applied the OWASP Top Ten - 2013 policy.

One more request to the WebInspect developer division at HP: it would be better to list the OWASP breakdown in the list; it is good to understand which tests come under which category. Now the grouping is limited to Attack Groups, Threat Class and Severity.

 

 

Occasional Advisor
Febins
Posts: 13
Registered: ‎04-19-2012
Message 2 of 7 (883 Views)

Re: List the Webinspect tests for OWSAP Policy 2013 - A7 and A9


 

 

One more query regarding this:

How does WebInspect know which components to test with respect to vulnerabilities? Is there a way to list the components which WebInspect is using for the test?

Respected Contributor
HansEnders
Posts: 605
Registered: ‎07-01-2008
Message 3 of 7 (869 Views)

Re: List the WebInspect tests for OWASP Policy 2013 - A7 and A9

I believe you are misunderstanding the use of the Standard View in the Policy Manager tool, where you have captured your screen shot of "OWASP breakage".  The Policy Manager lists the available attacks here, with three available views:  Threat Classifications, Severity Levels, and Attack Groups.  The Attack Groups view offers the most granular inspection of the attacks and Audit Engines that have been enabled in the currently selected scan Policy, but each of these views has value in enabling/disabling/inspecting the attacks.

 

The Policies are built manually from the many thousands of attacks listed in our proprietary SecureBase.  These are not solely limited to items of interest for different Compliance standards, but are instead an amalgam of known attacks and specialized, discrete agents developed by our researching team to identify complex discrete issues.  This collection is then available to be used by our user community.

 

The default Policies are our best efforts to match the user community need, and some of these do include the OWASP family of standards.  Unfortunately, the Policy Manager is not built to display the enabled attacks in the format of the many available standards.  In the distant past, we offered many different Policies for different standards, but then that necessitated numerous scans to fulfill multiple standards.  Our goal today is to provide you substantial coverage during the scan so that you need only scan the target once, and then you can generate as many Compliance reports against that test as you may need to.  Now you can run a scan with the Standard or All Checks policy, as sample selections, and later issue SOX, PCI, and OWASP reports against that single scan.

 

 

 

If you wish to identify the attacks we have linked with the OWASP standard, there are two dependable methods and one that is more focused on the report template than the Policy template.  Bear in mind that as we continue to add to and update the SecureBase, these mappings may or may not change.

 

1.  Open the Compliance Manager tool, and then the OWASP 2013 report template.  Expand the details for the desired requirements and identify which Threat Classes and/or individual attacks have been linked to that requirement.

 

2.  Open the Policy Manager tool, and then the OWASP 2013 scan Policy (New option).  Switch to the Attack Groups view.  Expand the entire view tree and begin browsing by hand.

 

3.  Start any scan you like, such as the OWASP 2013 Policy, then Pause the scan after it has begun its work.  Generate your desired Compliance report against it, such as the OWASP 2013 option.  The Details portion of the report will list all of the enabled attacks individually for that selected Policy.


-- Habeas Data
Occasional Advisor
Febins
Posts: 13
Registered: ‎04-19-2012
Message 4 of 7 (860 Views)

Re: List the WebInspect tests for OWASP Policy 2013 - A7 and A9

Currently, the Compliance Manager has only the OWASP 2010 list. OWASP 2013 is not yet updated in the Compliance Manager. Please correct me if I am wrong.

Respected Contributor
HansEnders
Posts: 605
Registered: ‎07-01-2008
Message 5 of 7 (832 Views)

Re: List the WebInspect tests for OWASP Policy 2013 - A7 and A9

You are correct, it turns out I overlooked the fact that the OWASP 2013 Compliance template has not made it into WebInspect 10.10 yet.   :-/

 

The OWASP 2013 scan Policy was added via SmartUpdate, but our Fortify SSR research team is still building the OWASP 2013 Compliance Report template.  It will be released as part of their quarterly updates.  Based on their last update on October 1, I suspect that means it will arrive at the end of December / beginning of January.

 

In the meantime, their advice is to run the OWASP 2013 scan Policy and use the standard Vulnerability Summary report.  This will not break out the OWASP Requirements visually like the Compliance template would, but it will cover the necessary findings categories.


-- Habeas Data
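The "OWASP breakage" asked for in Message 1 and the workaround in Message 5 (run the OWASP 2013 scan Policy, then read the standard Vulnerability Summary report, which does not break findings out per OWASP requirement) can be bridged outside the product. The script below is an added example, not WebInspect code and not anything shipped by HP: it takes a flat export of enabled checks (check name, threat class, severity) and regroups it under the OWASP 2013 requirements, then reports which requirements have no checks at all, which is exactly the A7/A9 gap the original poster was trying to see. The CSV layout is constructed for the example, and the threat-class-to-OWASP mapping is an assumption of mine for illustration; the real SecureBase mapping lives inside the product and, as Hans notes, may change with SmartUpdate.

```python
"""
Regroup a flat list of scan checks under OWASP Top Ten 2013 requirements.

Added example (not WebInspect/HP code). The export format and the
threat-class mapping below are constructed/assumed for illustration.
"""
import csv
import io

OWASP_2013 = [
    "A1 - Injection",
    "A2 - Broken Authentication and Session Management",
    "A3 - Cross-Site Scripting (XSS)",
    "A4 - Insecure Direct Object References",
    "A5 - Security Misconfiguration",
    "A6 - Sensitive Data Exposure",
    "A7 - Missing Function Level Access Control",
    "A8 - Cross-Site Request Forgery (CSRF)",
    "A9 - Using Components with Known Vulnerabilities",
    "A10 - Unvalidated Redirects and Forwards",
]

# ASSUMED mapping from (WASC-style) threat classes to OWASP 2013 requirements.
# Illustrative only; the vendor's own mapping is not published in this thread.
THREAT_CLASS_TO_OWASP = {
    "SQL Injection": "A1 - Injection",
    "OS Commanding": "A1 - Injection",
    "Credential/Session Prediction": "A2 - Broken Authentication and Session Management",
    "Cross-site Scripting": "A3 - Cross-Site Scripting (XSS)",
    "Application Misconfiguration": "A5 - Security Misconfiguration",
    "Server Misconfiguration": "A5 - Security Misconfiguration",
    "Insufficient Authorization": "A7 - Missing Function Level Access Control",
    "Predictable Resource Location": "A7 - Missing Function Level Access Control",
    "Cross-site Request Forgery": "A8 - Cross-Site Request Forgery (CSRF)",
}

# CONSTRUCTED sample export: check name, threat class, severity.
# Not a real WebInspect report; shaped like a Vulnerability Summary table.
SAMPLE_EXPORT = """\
check,threat_class,severity
Blind SQL Injection,SQL Injection,Critical
Reflected Cross-Site Scripting,Cross-site Scripting,High
Forced Browsing (admin path),Insufficient Authorization,Medium
Backup File Disclosure,Predictable Resource Location,Low
Outdated Apache Struts,Vulnerable Third-Party Component,High
Session Token in URL,Credential/Session Prediction,Medium
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by_owasp(findings, mapping=THREAT_CLASS_TO_OWASP):
    """Return {owasp_requirement: sorted check names}; unmapped threat
    classes land under the 'Unmapped' key so nothing silently disappears."""
    grouped = {cat: [] for cat in OWASP_2013}
    grouped["Unmapped"] = []
    for row in findings:
        cat = mapping.get(row["threat_class"], "Unmapped")
        grouped.setdefault(cat, []).append(row["check"])
    for names in grouped.values():
        names.sort()
    return grouped


def uncovered_categories(grouped):
    """OWASP 2013 requirements for which the export contains no checks."""
    return [cat for cat in OWASP_2013 if not grouped.get(cat)]


def render(grouped):
    """Plain-text breakdown in the same order as the OWASP 2013 list."""
    lines = []
    for cat in OWASP_2013 + ["Unmapped"]:
        lines.append(f"{cat}: {len(grouped.get(cat, []))} check(s)")
        for name in grouped.get(cat, []):
            lines.append(f"    - {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    breakdown = group_by_owasp(parse_export(SAMPLE_EXPORT))
    print(render(breakdown))
    print("No checks mapped to:", ", ".join(uncovered_categories(breakdown)))
```

With the constructed data, the two authorization-related checks land under A7, the outdated-component finding falls into "Unmapped" because its threat class is not in the assumed table, and A9 shows up as uncovered. That "Unmapped" bucket is the useful part in practice: it flags checks whose threat class the mapping does not know about, which is precisely where a hand-built OWASP view can otherwise mislead you into thinking a requirement is unaddressed.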
Regular Visitor
mdavis800
Posts: 4
Registered: ‎02-05-2014
Message 6 of 7 (696 Views)

HP WebInspect: Comparison of Standard & OWASP Policy | List of Vulnerabilities

Hello Everyone,

 

1. Please let me know the comparison between the 'Standard Policy' & 'OWASP Policy' that gets selected before the WebInspect (WIE) scan starts.

2. Also, kindly share the list of vulnerabilities that is addressed by WIE for-

  A. Standard Policy

  B. OWASP Policy

 

Thanks,

Michael

Respected Contributor
HansEnders
Posts: 605
Registered: ‎07-01-2008
Message 7 of 7 (683 Views)

Re: HP WebInspect: Comparison Standard & OWASP Policy | List of Vulnerabilities

Michael;

 

You will have to perform your own comparison of those two, or any other of the available scan policies.  Above, in October 2013, I detailed several ways to investigate that data.  It is not a very clean-cut process as these policies are templates that cherry-pick individual attacks or entire classes of attacks from a database with 5000+ checks.

 

As a side note, the abbreviation "WIE" has not been formalized by our management team, but it is used commonly to indicate "WebInspect Enterprise", which is not the same product as WebInspect (desktop).  These two do share the exact same scan capabilities, scan settings, and scan Policy options.


-- Habeas Data
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.