- Overview
- Forking the Repository
- Building the Application
- Running the Application
- Application Security Testing Integrations
- SAST using Fortify SCA command line
- SAST using Fortify ScanCentral SAST
- Open Source Susceptibility Analysis using Sonatype Nexus IQ
- SAST using Fortify on Demand
- DAST using Fortify WebInspect
- DAST using Fortify ScanCentral DAST
- DAST using Fortify on Demand
- API Security Testing using Fortify WebInspect and Postman
- API Security Testing using ScanCentral DAST
- FAST Using ScanCentral DAST and FAST proxy
- Build and Pipeline Integrations
- Developing and Contributing
- Licensing
IWA (Insecure Web App) Pharmacy Direct is an example Java/Spring Web Application for use in DevSecOps scenarios and demonstrations. It includes some examples of bad and insecure code - which can be found using static and dynamic application security testing tools such as those provided by Micro Focus Fortify.
One of the main aims of this project is to illustrate how security can be embedded early ("Shift-Left") and continuously ("CI/CD") in the development lifecycle. Therefore, a number of examples of "integrations" to common CI/CD pipeline tools are provided.
The application is intended to provide the functionality of a typical "online pharmacy", including purchasing Products (medication) and requesting Services (prescriptions, health checks etc). It has a modern-ish HTML front end (with some JavaScript) and a Swagger based API.
Please note: the application should not be used in a production environment!
An up-to-date version of the running application can be found at https://iwa.onfortify.com.
In order to execute example scenarios for yourself, it is recommended that you "fork" a copy of this repository into your own GitHub account. The process of "forking" is described in detail in the GitHub documentation - you can start the process by clicking on the "Fork" button at the top right.
To build (and unit test) the application, execute the following from the command line:
mvn clean package
This will create a JAR file (called iwa.jar
) in the target
directory.
To build a WAR file for deployment to an application server such as Apache Tomcat execute the following:
mvn -Pwar clean package
This will create a WAR file (called iwa.war
) in the target
directory.
There are a number of ways of running the application depending on the scenario(s) that you wish to execute.
To run (and test) locally in development mode, execute the following from the command line:
mvn spring-boot:run
Then navigate to the URL: http://localhost:8888. You can carry out a number of actions unauthenticated, but if you want to login you can do so as one of the following users:
- [email protected]/password
- [email protected]/password
There is also an administrative user:
- [email protected]/password
Upon login, you will be subsequently asked for a Multi-Factor Authentication (MFA) code. This functionality
is not yet enabled and you can enter any digit number sequence, e.g. 12345
.
The JAR file can be built into a Docker image using the provided Dockerfile
in src/main/configs
and the
following commands:
mvn -Pjar clean package
docker build -t iwa -f src/main/configs/Dockerfile .
or on Windows:
mvn -Pjar clean package
docker build -t iwa -f src\main\configs\Dockerfile.win .
This image can then be executed using the following commands:
docker run -d -p 8888:8888 iwa
There is also an example docker-compose.yml
file in src/main/configs
that illustrates how to run the application with HTTPS/SSL using
nginx and certbot - please note this is for reference only as it
uses a "hard-coded" domain name.
If you want to run the application in the cloud (so you can run a WebInspect scan for example) you can deploy the application to Microsoft Azure along with its required infrastructure by using the following (from a PowerShell command prompt):
Connect-AzAccount
New-AzResourceGroup -Name iwa-[YOUR_INITIALS]-rg -Location eastus
gradlew azureWebAppDeploy
Replace eastus
with your own desired region and make sure in the .env
file you have
set AZURE_APP_NAME
to a unique value.
You can navigate to your Azure portal to see the built infrastructure and to
the deployed web application using the URL output shown from the azureWebAppDeploy task
.
To clean up all the resources you can execute the following (from a PowerShell console):
Remove-AzResourceGroup -Name iwa-[YOUR_INITIALS]-rg
Most of the following examples need environment and user specific credentials. These are loaded from a file called .env
in the project root directory. This file is not created by default (and should never be stored in source control). An example
with all of the possible settings for the following scenarios is illustrated below:
# Application URL (locally)
APP_URL=http://localhost:8888
# Software Security Center
SSC_URL=http://[YOUR-SSC-SERVER]
SSC_USERNAME=admin
SSC_PASSWORD=password
SSC_AUTH_TOKEN=XXX
SSC_APP_NAME=IWAPharmacyDirect
SSC_APP_VER_NAME=master
# ScanCentral SAST/DAST
SCANCENTRAL_CTRL_URL=http://[YOUR-SCANCENTRAL-SERVER]/scancentral-ctrl
SCANCENTRAL_CTRL_TOKEN=XXX
SCANCENTRAL_POOL_ID=00000000-0000-0000-0000-000000000002
SCANCENTRAL_EMAIL=info@microfocus.com
SCANCENTRAL_DAST_API=http://[YOUR-SCANCENTRAL-DAST-SERVER]/api/
# ScanCentral FAST
FAST_EXE=C:\\Program Files\\Micro Focus WIRC Server\\Fast.exe
FAST_PORT=8087
FAST_PROXY=127.0.0.1:8087
# Nexus IQ Lifecycle
NEXUS_IQ_URL=http://[YOUR-NEXUS-IQ-SERVER]
NEXUS_IQ_AUTH=XXX
NEXUS_IQ_APP_ID=IWAPharmacyDirect
# Fortify on Demand
FOD_API_URL=https://api.ams.fortify.com
FOD_API_KEY=XXXX
FOD_API_SECRET=YYYY
FOD_TENANT=[YOUR-TENANT]
FOD_USER=[YOUR-USERNAME]
FOD_PAT=XXXX
# Azure (Resource Manager)
AZURE_SUBSCRIPTION_ID=[YOUR-SUBSCRIPTION-ID]
AZURE_RESOURCE_GROUP=[YOUR-NAME]-iwa-rg
AZURE_APP_NAME=[YOUR-NAME]-iwa-app
AZURE_REGION=eastus
There is an example PowerShell script fortify-sca.ps1 that you can use to execute static application security testing via Fortify SCA.
.\bin\fortify-sca.ps1
This script runs a "sourceanalyzer" translation and scan on the project's source code. It creates a Fortify Project Results file called IWA.fpr
which you can open using the Fortify auditworkbench
tool:
auditworkbench.cmd .\IWAPharmacyDirect.fpr
It also creates a PDF report called IWAPharmacyDirect.pdf
and optionally
uploads the results to Fortify Software Security Center (SSC).
In order to upload to SSC you will need to have entries in the .env
similar to the following:
SSC_URL=http://localhost:8080/ssc
SSC_AUTH_TOKEN=28145aad-c40d-426d-942b-f6d6aec9c56f
SSC_APP_NAME=IWAPharmacyDirect
SSC_APP_VER_NAME=master
The SSC_AUTH_TOKEN
entry should be set to the value of a 'CIToken' created in SSC "Administration->Token Management".
There is a PowerShell script fortify-scancentral-sast.ps1 that you can use to package up the project and initiate a remote scan using Fortify ScanCentral SAST:
.\bin\fortify-scancentral-sast.ps1
In order to use ScanCentral SAST you will need to have entries in the .env
similar to the following:
SSC_URL=http://localhost:8080/ssc
SSC_AUTH_TOKEN=6b16aa46-35d7-4ea6-98c1-8b780851fb37
SSC_APP_NAME=IWA
SSC_APP_VER_NAME=master
SCANCENTRAL_CTRL_URL=http://localhost:8080/scancentral-ctrl
SCANCENTRAL_CTRL_TOKEN=96846342-1349-4e36-b94f-11ed96b9a1e3
SCANCENTRAL_POOL_ID=00000000-0000-0000-0000-000000000002
SCANCENTRAL_EMAIL=test@test.com
The SCANCENTRAL_CTRL_TOKEN
entry should be set to the value of a 'ScanCentralCtrlToken ' created in SSC "Administration->Token Management".
Once the scan has been initiated you can check its status from the SSC User Interface or using the command:
scancentral -url [your-controller-url] status -token [returned-token]
where [returned-token]
is the value of the token displayed after the scan request has been submitted.
There is a PowerShell script fortify-sourceandlibscanner.ps1 that you can use to carry out Open Source Software Composition Analysis (using Sonatype Nexus and upload the results to SSC:
.\bin\fortify-sourceandlibscanner.ps1
In order to user Nexus IQ Server you will need to have entries in the .env
similar to the following:
SSC_URL=http://localhost:8080/ssc
SSC_AUTH_TOKEN=6b16aa46-35d7-4ea6-98c1-8b780851fb37
SSC_APP_NAME=IWA
SSC_APP_VER_NAME=master
NEXUS_IQ_URL=http://localhost:8070
NEXUS_IQ_AUTH=XXX:YYY
NEXUS_IQ_APP_ID=IWA
where NEXUS_IQ_AUTH
is an encoded User token created in the Nexus IQ Server UI, e.g. "User Code:Passcode".
To execute a Fortify on Demand SAST scan
you need to package and upload the source code to Fortify on Demand. To package the code into a Zip file for uploading
you can use the scancentral
command utility as following:
scancentral package -bt mvn -bf pom.xml --output fod.zip
You can then upload this manually using the Fortify on Demand UI or you can use the PowerShell script fortify-fod.ps1 provided to upload the file and start a Fortify on Demand static scan as follows:
.\bin\fortify-fod.ps1 -ZipFile '.\fod.zip' -ApplicationName 'IWA' -ReleaseName 'master' -Notes 'PowerShell initiated scan' `
-FodApiUri 'https://api.emea.fortify.com' -FodApiKey 'FOD_ACCESS_KEY' -FodApiSecret 'FOD_SECRET_KEY'
where FOD_ACCESS_KEY
and FOD_SECRET_KEY
are the values of an API Key and Secret you have created in the Fortify on
Demand portal. This script makes use of the PowerShellForFOD
PowerShell module.
To carry out a WebInspect scan you should first "run" the application using one of the steps described above. Then you can start a scan using the following command line:
"C:\Program Files\Fortify\Fortify WebInspect\WI.exe" -s ".\etc\IWA-UI-Dev-Settings.xml" -macro ".\etc\IWA-UI-Dev-Login.webmacro" -u "http://localhost:8888" -ep ".\IWA-DAST.fpr" -ps 1008
This will start a scan using the Default Settings and Login Macro files provided in the etc
directory. It assumes
the application is running on "localhost:8888". It will run a "Critical and High Priority" scan using the policy with id 1008.
Once completed you can open the WebInspect "Desktop Client" and navigate to the scan created for this execution. An FPR file
called IWA-DAST.fpr
will also be available - you can open it with auditworkbench
(or generate a
PDF report from using ReportGenerator
). You could also upload it to Fortify SSC or Fortify on Demand.
There is an example PowerShell script file fortify-webinspect.ps1 that you can run to execute the scan and upload the results to SSC:
.\bin\fortify-webinspect.ps1
To carry out a ScanCentral DAST scan you should first "run" the application using one of the steps described above. Then you can start a scan using the provided PowerShell script fortify-scancentral-dast.ps1. It can be invoked via the following from a PowerShell prompt:
.\bin\fortify-scancentral-dast.ps1 -ApiUri 'SCANCENTRAL_DAST_API' -Username 'SSC_USERNAME' -Password 'SSC_PASSWORD' `
-CiCdToken 'CICD_TOKEN_ID'
where SCANCENTRAL_DAST_API
is the URL of the ScanCentral DAST API configured in SSC and
SSC_USERNAME
and SSC_PASSWORD
are the login credentials of a Software Security Center user who is permitted to
run scans. Finally, CICD_TOKEN_ID
is the "CICD identifier" of the "Scan Settings" you have previously created from the UI.
You can invoke a Fortify on Demand dynamic scan using the PowerShellForFOD PowerShell module. For examples on how to achieve this see here.
The IWA application includes a fully documented Swagger based API which you can browse to at http://localhost:8888/swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config. You can carry out security testing of this API using Fortify WebInspect or ScanCentral DAST. A Postman collection is provided to help in this. You can exercise the collection using newman. For example from a PowerShell command prompt on Windows:
newman run .\etc\IWA-API-Dev-Auth.postman_collection.json --environment .\etc\IWA-API-Dev.postman_environment.json --export-environment .\etc\IWA-API-Dev.postman_environment.json
newman run .\etc\IWA-API-Dev-Workflow.postman_collection.json --environment .\etc\IWA-API-Dev.postman_environment.json
In order to use this collection with WebInspect you will need to make sure newman is on the path and then you can run:
& "C:\Program Files\Fortify\Fortify WebInspect\WI.exe" -pwc .\etc\IWA-API-Dev-Workflow.postman_collection.json -pec .\etc\IWA-API-Dev.postman_environment.json -ep ".\IWA-API.fpr"
You can also import the Postman collections into ScanCentral DAST and run the resultant setup using the fortify-scancentral-dast.ps1 script and the relevant CICD Identifier.
The Fortify FAST Proxy allows you to capture traffic from an automated test run and then use the traffic
as a workflow for a ScanCentral DAST execution. In order to carry out the example here you will need
to have installed WIRCServerSetup64-ProxyOnly.msi
which is available in the Dynamic_Addons.zip
of the
ScanCentral DAST installation media.
There is an example Selenium Python test script provided test_add_to_cart.py that can be used to execute a simple
functional test of the running application. There are also a couple of PowerShell scripts start_fast_proxy.ps1 and stop_fast_proxy.ps1 that can
be used to start/stop the FAST Proxy. In order to use these scripts you will need to have entries in the .env
file similar to the following:
APP_URL=https://iwa.onfortify.com
SSC_AUTH_TOKEN_BASE64=MmYyMTA5MzYtN2Q5Ny00NmM1LWI5NTUtYThkZWI2YmJlMDUy
SSCANCENTRAL_DAST_API=http://localhost:5001/api/
SCANCENTRAL_DAST_CICD_IDENTIFIER=c3c3df60-de68-45b8-89c0-4c07b53392e7
FAST_EXE=C:\\Program Files\\Micro Focus WIRC Server\\Fast.exe
FAST_PORT=8087
FAST_PROXY=127.0.0.1:8087
CHROME_WEBDRIVER_PATH=C:/Tools/selenium/chromedriver.exe
The SSC_AUTH_TOKEN_BASE64
is the (first) encoded token shown in SSC not the (second) decoded token. The CHROME_WEBDRIVER_PATH
should be set to a compatible version for your Chrome browser as downloaded from here.
You will also need to have installed the Selenium
, PyTest
and python-dotenv
Python modules:
pip install selenium
pip install pytest
pip install python-dotenv
Make sure the application is running and then execute the following in a terminal window:
powershell bin\start_fast_proxy.ps1
Then in another terminal window execute the following:
pytest
powershell bin\stop_fast_proxy.ps1
The FAST executable from the first terminal should terminate and then a scan execute in your ScanCentral DAST environment.
If you are using Jenkins, a comprehensive Jenkinsfile
is provided to automate all of the typical
steps of a DevSecOps Continuous Delivery (CD) process. For application security testing it can make use of
Fortify SCA,
Fortify WebInspect,
Fortify SSC
and/or Fortify on Demand.
To make use of the Jenkinsfile
create a new Jenkins Pipeline Job and in the Pipeline
section select Pipeline script from SCM
and enter the details of a forked version of this GitHub repository.
The first run of the pipeline should be treated as a "setup" step as it will create some Job Parameters which you can then select to determine which features you want to enable in the pipeline.
You will need to have installed and configured the Fortify SCA and/or the Fortify on Demand Uploader Jenkins plugins.
There is lots of documentation in the Jenkinsfile
itself so please examine it to see what else
you will need to do for a successful invocation.
This repository includes a GitHub Actions example workflow that automates the build of the application and scans the code using either Fortify on Demand or Fortify ScanCentral for SAST.
This repository includes a GitLab Pipelines example pipeline that automates the build of the application and uploads the source code to Fortify on Demand for SAST.
It makes use of the Fortify GitLab CI Templates
For a fully working Azure DevOps pipeline see the sister project IWA.NET.
Please see the Contribution Guide for information on how to develop and contribute.
If you have any problems, please consult GitHub Issues to see if has already been discussed.
This application is made available under the GNU General Public License V3