MicroFocus WebInspect - XML Connector

WebInspect is an automated dynamic testing tool that mimics real-world hacking techniques and attacks, and provides comprehensive dynamic analysis of complex web applications and services. WebInspect operates within the Dynamic Application Security Testing (DAST) side of Application Security.

To import your data from WebInspect to the Kenna.AppSec module, you will need to leverage the MicroFocus WebInspect Connector under the “Dynamic Assessment” tools.

User Prerequisites/Connector Setup:

  • Given that the Cisco Vulnerability Management's WebInspect Connector is a file-based connector, the only pre-requisite is that you have access to export data from your WebInspect deployment in XML format.

    • Current WebInspect users should do the following:
      Manage Scans -> Select Scan -> Open -> File -> Export -> Scan Details -> Set 'Details' to 'Full' -> Export

Important: WebInspect XML exports have previously been submitted with invalid formatting. If your XML Connector is failing due to formatting, you can use the `xmllint` tool to format the XML properly. Otherwise CDATA sections will overtake the data we are expected to parse.

Configuring your WebInspect Connector in Cisco Vulnerability Management

Navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so) and under “Dynamic Assessment” select MicroFocus WebInspect.

 

Webinspect1.png

Once you select the WebInspect icon from the Connectors page, you will see a screen like this:

websinspect2.png

 

  • Name: Enter a name for the connector, or leave it as "WebInspect".

  • Leave the Kenna Virtual Tunnel checkbox blank as this is a file-based connector.
  • Asset Inactivity Limit (days): Use this if you wish to set an inactivity limit for assets ingested by this connector.
    • Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits
    • We recommend an asset inactivity limit of 2-3x the scan cadence of your Webinspect Scans if you plan to upload regularly.
  • Save and verify.

To Run the Connector, upload the WebInspect file on your local machine to the Connector (Or Drag & Drop). The connector will start processing data and a loading bar will appear.

 

What WebInspect Items does Cisco Vulnerability Management Import?

Fields in WebInspect

Fields in Cisco Vulnerability Management

Note

<host>

Application Identifier

Search for application_identifer in Cisco Vulnerability Management by using the custom query box and typing application:""

<url>

URL

 

name

Vulnerability Name

 

 

vulnerability Status

We do not map false positives, all vulnerabilities imported are default “open” unless they are not reported in a subsequent scan, in which case the platform auto-closes the vuln.

issue_id

scanner_id

 

severity

scanner_score

ScannerScore (0-4)
0 → 0

1 → 25

2 → 50

3 → 75

4 → 100
ScannerScore (0-100)
1 → 1 mapping

 

CWE

mapped based on identifier

“first” start_time

Found On
first_found_on
vulnerability_found
finding_found

The report does not pass specific “seen” times, so we utilize the first time the vulnerability is reported in the scan, and that scan time as the time at which the vulnerability or finding was first seen.

start_time

last_seen_time
vulnerability_last_seen

The report does not pass specific “seen” times, so we utilize the scan time as the time at which the vulnerability or finding was seen.

Sections > summary + implication + execution + reference

Description

 

-N/A-

Tags

No tags are presented in the XML report. As a result, no tags are imported.

 

Optional Settings

The following settings can be enabled on the backend for WebInspect Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

  • Exclude Informationals

    • When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

  • Ignore Scanner Last Seen Time

    • If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

  • Custom Ordered Locators

    • Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.

 

Additional Assistance:

Please contact Support should you require any additional assistance with the WebInspect  Connector.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.