02-08-2014 09:19 PM
I'm currently scanning a large number of websites built using Drupal and am trying to reduce the number of Microsoft-centric checks that WebInspect performs as part of the OWASP Top 10 Policy to increase scan performance and reduce false positives.
I'm trying to do this through the Smart Scan setting, but am unsure whether this is the best place to do it.
I'm adding custom server/application type definitions for the application, but it is unable to auto-identify the type of technology being used. As I know this application is built using Drupal, and Drupal uses PHP, I have selected PHP as the technology. The web server hosting this site is nginx; however, this does not appear in the list, so the only server/application type I have selected is PHP.
Is this the best way to remove technology-specific checks when they are not required for a scan, or is there a much better way of doing this?
Any help would be much appreciated.
02-19-2014 06:27 AM
-- Habeas Data
02-26-2014 12:34 PM
Open the Policy using the included Policy Manager tool and then switch to the Attack Groups view. On the subject tree, expand the Web Servers branch and disable the boxes for "IIS" and others that you feel will not apply. Next, expand the branches for \Third-Party Web Applications\Content Managers\Drupal\ and verify that all choices are enabled. Lastly, open the Search function and locate all vulnerabilities with "drupal" in their name, to ensure they are still enabled for this scan policy.
-- Habeas Data
03-03-2014 02:45 PM
We had started implementing a scan policy and had removed the checks for IIS and others, but had missed the Drupal checks you've suggested; thanks for alerting us to these.
My only concern with this approach is that every time new vulnerability definitions become available, this policy will need to be re-created. So SMART Scan seemed like a potentially easier option.
Many thanks for your help as always.