Using Smart Scan Settings for Drupal
Frequent Advisor
AutoDan
Posts: 54
Registered: 12-11-2011
Message 1 of 4 (700 Views)

Using Smart Scan Settings for Drupal

Hi all,

I'm currently scanning a large number of websites built using Drupal and am trying to reduce the number of Microsoft-centric checks that WebInspect performs as part of the OWASP Top 10 Policy, to increase scan performance and reduce false positives.

I'm trying to do this through the Smart Scan setting, but am unsure whether this is the best place to do it.

I'm adding custom server/application type definitions for the application, but it is unable to auto-identify the type of technology being used. As I know this application is built using Drupal and Drupal uses PHP, I have selected PHP as the technology. The web server being used to host this site is nginx; however, this does not appear in the list, so the only Server/Application type I have selected is PHP.

Is this the best way to remove technology-specific checks when they are not required for a scan, or is there a much better way of doing this?

Any help would be much appreciated.

Regards,

Dan
Respected Contributor
HansEnders
Posts: 613
Registered: 07-01-2008
Message 2 of 4 (671 Views)

Re: Using Smart Scan Settings for Drupal

I have posed this question to our specialist team, but you may need to work through Fortify Support to get a more focused response directly from the developers.

-- Habeas Data
Respected Contributor
HansEnders
Posts: 613
Registered: 07-01-2008
Message 3 of 4 (663 Views)

Re: Using Smart Scan Settings for Drupal

An alternate method may be to customize your scan Policy to omit the servers in question.

Open the Policy using the included Policy Manager tool and then switch to the Attack Groups view. On the subject tree, expand the Web Servers branch and disable the boxes for "IIS" and others that you feel will not apply. Next, expand the branches for \Third-Party Web Applications\Content Managers\Drupal\ and verify that all choices are enabled. Lastly, open the Search function and locate all vulnerabilities with "drupal" in their name, to ensure they are still enabled for this scan policy.

-- Habeas Data
Frequent Advisor
AutoDan
Posts: 54
Registered: 12-11-2011
Message 4 of 4 (653 Views)

Re: Using Smart Scan Settings for Drupal

Hi Hans,

We had started implementing a scan policy and had removed the checks for IIS and others, but had missed the Drupal checks you've suggested. Thanks for alerting us to these.

My only concern with this approach is that every time new vulnerability definitions become available, this policy will need to be re-created, so SMART Scan seemed like a potentially easier option.

Many thanks for your help as always.

Cheers,

Dan
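The two ideas in this thread, trimming a policy by attack-group branch while keeping every Drupal check enabled (Hans's procedure in message 3), and the way a saved list of checks goes stale when new definitions arrive (Dan's concern in message 4), can be modelled in a few lines. The code below is an added illustration, not part of the thread and not WebInspect's policy file format or check catalogue; the check IDs, names and tree paths are constructed, and the tree layout only mimics the Attack Groups view described above. It contrasts a rule-based selection (disable these branches, always keep anything matching "drupal") with a frozen set of check IDs, and reports which new checks the frozen policy would silently skip after an update.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    """One vulnerability check as it might appear in a policy's attack-group tree."""
    check_id: str
    name: str
    path: str  # tree location such as "Web Servers/IIS" (constructed layout, not a real format)


# Constructed catalogue of checks as shipped at one point in time (IDs and names are illustrative).
CATALOGUE_V1 = [
    Check("C001", "IIS WebDAV sample check", "Web Servers/IIS"),
    Check("C002", "Apache mod_status sample check", "Web Servers/Apache"),
    Check("C003", "nginx sample check", "Web Servers/nginx"),
    Check("C004", "Drupal version disclosure sample check",
          "Third-Party Web Applications/Content Managers/Drupal"),
    Check("C005", "PHP info page sample check", "Languages/PHP"),
    Check("C006", "Generic SQL injection sample check", "General/Injection"),
]

# The same catalogue after a (constructed) definition update adds two new checks.
CATALOGUE_V2 = CATALOGUE_V1 + [
    Check("C007", "IIS new sample check", "Web Servers/IIS"),
    Check("C008", "Drupal new sample check",
          "Third-Party Web Applications/Content Managers/Drupal"),
]

# Branches switched off for a Drupal-on-nginx estate, following the reply above.
DISABLED_BRANCHES = ("Web Servers/IIS", "Web Servers/Apache")
# Name/path match that must always stay enabled, mirroring the "search for drupal" step.
KEEP_PATTERN = re.compile(r"drupal", re.IGNORECASE)


def in_branch(path: str, branch: str) -> bool:
    """True if `path` is `branch` itself or lies beneath it in the tree."""
    return path == branch or path.startswith(branch + "/")


def select_checks(catalogue, disabled_branches=DISABLED_BRANCHES, keep=KEEP_PATTERN):
    """Rule-based selection: drop disabled branches, but never drop a check whose
    name or path matches `keep`. Re-running it over a newer catalogue picks up new checks."""
    enabled = []
    for check in catalogue:
        if keep.search(check.name) or keep.search(check.path):
            enabled.append(check)  # Drupal checks stay on regardless of branch
        elif any(in_branch(check.path, b) for b in disabled_branches):
            continue  # technology this estate does not run
        else:
            enabled.append(check)
    return enabled


def freeze_policy(enabled):
    """A saved policy is a fixed set of check IDs; this is what goes stale."""
    return frozenset(c.check_id for c in enabled)


def apply_frozen(policy_ids, catalogue):
    """Apply a saved policy to a newer catalogue: new checks are simply absent."""
    return [c for c in catalogue if c.check_id in policy_ids]


def newly_missed(policy_ids, catalogue, disabled_branches=DISABLED_BRANCHES, keep=KEEP_PATTERN):
    """Checks the rules would enable on this catalogue but a frozen policy silently skips.
    This is the drift Dan describes: the list to review after every definition update."""
    wanted = freeze_policy(select_checks(catalogue, disabled_branches, keep))
    return sorted(wanted - policy_ids)


if __name__ == "__main__":
    frozen = freeze_policy(select_checks(CATALOGUE_V1))
    print("frozen policy from v1:", sorted(frozen))
    print("rule-based selection on v2:", sorted(freeze_policy(select_checks(CATALOGUE_V2))))
    print("missed by the frozen policy on v2:", newly_missed(frozen, CATALOGUE_V2))
```

Run as a script it shows the frozen v1 policy covering C003 to C006, the rule-based selection on v2 additionally enabling C008, and C008 as the check the frozen policy would miss. The practical takeaway is the one Dan raises: a policy saved as a list of checks needs a review step after each update, whereas a rule expressed in terms of branches and name matches can be re-applied, so whichever mechanism is used, it is worth recording the rules (disabled branches, mandatory matches) alongside the policy file.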
