• Overview
• Forking the Repository
• Building the Application
• Running the Application
• Application Security Testing Integrations
  • SAST using Fortify SCA command line
  • SAST using Fortify ScanCentral SAST
  • Open Source Susceptibility Analysis using Sonatype Nexus IQ
  • SAST using Fortify on Demand
  • DAST using Fortify WebInspect
  • DAST using Fortify ScanCentral DAST
  • DAST using Fortify on Demand
  • API Security Testing using Fortify WebInspect and Postman
  • API Security Testing using ScanCentral DAST
  • FAST Using ScanCentral DAST and FAST proxy
• Build and Pipeline Integrations
  • Jenkins Pipeline
  • GitHub Actions
  • Azure DevOps Pipeline
  • GitLab CI/CD
• Developing and Contributing
• Licensing

IWA (Insecure Web App) Pharmacy Direct is an example Java/Spring Web Application for use in DevSecOps scenarios and demonstrations. It includes some examples of bad and insecure code - which can be found using static and dynamic application security testing tools such as those provided by Micro Focus Fortify.

One of the main aims of this project is to illustrate how security can be embedded early ("Shift-Left") and continuously ("CI/CD") in the development lifecycle. Therefore, a number of examples of "integrations" to common CI/CD pipeline tools are provided.

The application is intended to provide the functionality of a typical "online pharmacy", including purchasing Products (medication) and requesting Services (prescriptions, health checks etc). It has a modern-ish HTML front end (with some JavaScript) and a Swagger based API.

Please note: the application should not be used in a production environment!

An up-to-date version of the running application can be found at https://iwa.onfortify.com.

In order to execute example scenarios for yourself, it is recommended that you "fork" a copy of this repository into your own GitHub account. The process of "forking" is described in detail in the GitHub documentation - you can start the process by clicking on the "Fork" button at the top right.

To build (and unit test) the application, execute the following from the command line:

mvn clean package

This will create a JAR file (called iwa.jar) in the target directory.

To build a WAR file for deployment to an application server such as Apache Tomcat execute the following:

mvn -Pwar clean package

This will create a WAR file (called iwa.war) in the target directory.

There are a number of ways of running the application depending on the scenario(s) that you wish to execute.

To run (and test) locally in development mode, execute the following from the command line:

mvn spring-boot:run

Then navigate to the URL: http://localhost:8888. You can carry out a number of actions unauthenticated, but if you want to login you can do so as one of the following users:

• [email protected]/password
• [email protected]/password

There is also an administrative user:

• [email protected]/password

Upon login, you will be subsequently asked for a Multi-Factor Authentication (MFA) code. This functionality is not yet enabled and you can enter any digit number sequence, e.g. 12345.

The JAR file can be built into a Docker image using the provided Dockerfile in src/main/configs and the following commands:

mvn -Pjar clean package
docker build -t iwa -f src/main/configs/Dockerfile .

or on Windows:

mvn -Pjar clean package
docker build -t iwa -f src\main\configs\Dockerfile.win .

This image can then be executed using the following commands:

docker run -d -p 8888:8888 iwa

There is also an example docker-compose.yml file in src/main/configs that illustrates how to run the application with HTTPS/SSL using nginx and certbot - please note this is for reference only as it uses a "hard-coded" domain name.

If you want to run the application in the cloud (so you can run a WebInspect scan for example) you can deploy the application to Microsoft Azure along with its required infrastructure by using the following (from a PowerShell command prompt):

Connect-AzAccount
New-AzResourceGroup -Name iwa-[YOUR_INITIALS]-rg -Location eastus
gradlew azureWebAppDeploy

Replace eastus with your own desired region and make sure in the .env file you have set AZURE_APP_NAME to a unique value.

You can navigate to your Azure portal to see the built infrastructure and to the deployed web application using the URL output shown from the azureWebAppDeploy task.

To clean up all the resources you can execute the following (from a PowerShell console):

Remove-AzResourceGroup -Name iwa-[YOUR_INITIALS]-rg

Most of the following examples need environment and user specific credentials. These are loaded from a file called .env in the project root directory. This file is not created by default (and should never be stored in source control). An example with all of the possible settings for the following scenarios is illustrated below:

# Application URL (locally)
APP_URL=http://localhost:8888
# Software Security Center
SSC_URL=http://[YOUR-SSC-SERVER]
SSC_USERNAME=admin
SSC_PASSWORD=password
SSC_AUTH_TOKEN=XXX
SSC_APP_NAME=IWAPharmacyDirect
SSC_APP_VER_NAME=master
# ScanCentral SAST/DAST
SCANCENTRAL_CTRL_URL=http://[YOUR-SCANCENTRAL-SERVER]/scancentral-ctrl
SCANCENTRAL_CTRL_TOKEN=XXX
SCANCENTRAL_POOL_ID=00000000-0000-0000-0000-000000000002
SCANCENTRAL_EMAIL=info@microfocus.com
SCANCENTRAL_DAST_API=http://[YOUR-SCANCENTRAL-DAST-SERVER]/api/
# ScanCentral FAST
FAST_EXE=C:\\Program Files\\Micro Focus WIRC Server\\Fast.exe
FAST_PORT=8087
FAST_PROXY=127.0.0.1:8087
# Nexus IQ Lifecycle
NEXUS_IQ_URL=http://[YOUR-NEXUS-IQ-SERVER]
NEXUS_IQ_AUTH=XXX
NEXUS_IQ_APP_ID=IWAPharmacyDirect
# Fortify on Demand
FOD_API_URL=https://api.ams.fortify.com
FOD_API_KEY=XXXX
FOD_API_SECRET=YYYY
FOD_TENANT=[YOUR-TENANT]
FOD_USER=[YOUR-USERNAME]
FOD_PAT=XXXX
# Azure (Resource Manager)
AZURE_SUBSCRIPTION_ID=[YOUR-SUBSCRIPTION-ID]
AZURE_RESOURCE_GROUP=[YOUR-NAME]-iwa-rg
AZURE_APP_NAME=[YOUR-NAME]-iwa-app
AZURE_REGION=eastus

There is an example PowerShell script fortify-sca.ps1 that you can use to execute static application security testing via Fortify SCA.

.\bin\fortify-sca.ps1

This script runs a "sourceanalyzer" translation and scan on the project's source code. It creates a Fortify Project Results file called IWA.fpr which you can open using the Fortify auditworkbench tool:

auditworkbench.cmd .\IWAPharmacyDirect.fpr

It also creates a PDF report called IWAPharmacyDirect.pdf and optionally uploads the results to Fortify Software Security Center (SSC).

In order to upload to SSC you will need to have entries in the .env similar to the following:

SSC_URL=http://localhost:8080/ssc
SSC_AUTH_TOKEN=28145aad-c40d-426d-942b-f6d6aec9c56f
SSC_APP_NAME=IWAPharmacyDirect
SSC_APP_VER_NAME=master

The SSC_AUTH_TOKEN entry should be set to the value of a 'CIToken' created in SSC "Administration->Token Management".

There is a PowerShell script fortify-scancentral-sast.ps1 that you can use to package up the project and initiate a remote scan using Fortify ScanCentral SAST:

.\bin\fortify-scancentral-sast.ps1

In order to use ScanCentral SAST you will need to have entries in the .env similar to the following:

SSC_URL=http://localhost:8080/ssc
SSC_AUTH_TOKEN=6b16aa46-35d7-4ea6-98c1-8b780851fb37
SSC_APP_NAME=IWA
SSC_APP_VER_NAME=master
SCANCENTRAL_CTRL_URL=http://localhost:8080/scancentral-ctrl
SCANCENTRAL_CTRL_TOKEN=96846342-1349-4e36-b94f-11ed96b9a1e3
SCANCENTRAL_POOL_ID=00000000-0000-0000-0000-000000000002
SCANCENTRAL_EMAIL=test@test.com

The SCANCENTRAL_CTRL_TOKEN entry should be set to the value of a 'ScanCentralCtrlToken ' created in SSC "Administration->Token Management".

Once the scan has been initiated you can check its status from the SSC User Interface or using the command:

 scancentral -url [your-controller-url] status -token [returned-token]

where [returned-token] is the value of the token displayed after the scan request has been submitted.

There is a PowerShell script fortify-sourceandlibscanner.ps1 that you can use to carry out Open Source Software Composition Analysis (using Sonatype Nexus and upload the results to SSC:

.\bin\fortify-sourceandlibscanner.ps1

In order to user Nexus IQ Server you will need to have entries in the .env similar to the following:

SSC_URL=http://localhost:8080/ssc
SSC_AUTH_TOKEN=6b16aa46-35d7-4ea6-98c1-8b780851fb37
SSC_APP_NAME=IWA
SSC_APP_VER_NAME=master
NEXUS_IQ_URL=http://localhost:8070
NEXUS_IQ_AUTH=XXX:YYY
NEXUS_IQ_APP_ID=IWA

where NEXUS_IQ_AUTH is an encoded User token created in the Nexus IQ Server UI, e.g. "User Code:Passcode".

To execute a Fortify on Demand SAST scan you need to package and upload the source code to Fortify on Demand. To package the code into a Zip file for uploading you can use the scancentral command utility as following:

scancentral package -bt mvn -bf pom.xml --output fod.zip

You can then upload this manually using the Fortify on Demand UI or you can use the PowerShell script fortify-fod.ps1 provided to upload the file and start a Fortify on Demand static scan as follows:

.\bin\fortify-fod.ps1 -ZipFile '.\fod.zip' -ApplicationName 'IWA' -ReleaseName 'master' -Notes 'PowerShell initiated scan' `
    -FodApiUri 'https://api.emea.fortify.com' -FodApiKey 'FOD_ACCESS_KEY' -FodApiSecret 'FOD_SECRET_KEY'

where FOD_ACCESS_KEY and FOD_SECRET_KEY are the values of an API Key and Secret you have created in the Fortify on Demand portal. This script makes use of the PowerShellForFOD PowerShell module.

To carry out a WebInspect scan you should first "run" the application using one of the steps described above. Then you can start a scan using the following command line:

"C:\Program Files\Fortify\Fortify WebInspect\WI.exe" -s ".\etc\IWA-UI-Dev-Settings.xml" -macro ".\etc\IWA-UI-Dev-Login.webmacro" -u "http://localhost:8888" -ep ".\IWA-DAST.fpr" -ps 1008

This will start a scan using the Default Settings and Login Macro files provided in the etc directory. It assumes the application is running on "localhost:8888". It will run a "Critical and High Priority" scan using the policy with id 1008. Once completed you can open the WebInspect "Desktop Client" and navigate to the scan created for this execution. An FPR file called IWA-DAST.fpr will also be available - you can open it with auditworkbench (or generate a PDF report from using ReportGenerator). You could also upload it to Fortify SSC or Fortify on Demand.

There is an example PowerShell script file fortify-webinspect.ps1 that you can run to execute the scan and upload the results to SSC:

.\bin\fortify-webinspect.ps1

To carry out a ScanCentral DAST scan you should first "run" the application using one of the steps described above. Then you can start a scan using the provided PowerShell script fortify-scancentral-dast.ps1. It can be invoked via the following from a PowerShell prompt:

.\bin\fortify-scancentral-dast.ps1 -ApiUri 'SCANCENTRAL_DAST_API' -Username 'SSC_USERNAME' -Password 'SSC_PASSWORD' `
    -CiCdToken 'CICD_TOKEN_ID'

where SCANCENTRAL_DAST_API is the URL of the ScanCentral DAST API configured in SSC and SSC_USERNAME and SSC_PASSWORD are the login credentials of a Software Security Center user who is permitted to run scans. Finally, CICD_TOKEN_ID is the "CICD identifier" of the "Scan Settings" you have previously created from the UI.

You can invoke a Fortify on Demand dynamic scan using the PowerShellForFOD PowerShell module. For examples on how to achieve this see here.

The IWA application includes a fully documented Swagger based API which you can browse to at http://localhost:8888/swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config. You can carry out security testing of this API using Fortify WebInspect or ScanCentral DAST. A Postman collection is provided to help in this. You can exercise the collection using newman. For example from a PowerShell command prompt on Windows:

newman run .\etc\IWA-API-Dev-Auth.postman_collection.json --environment .\etc\IWA-API-Dev.postman_environment.json --export-environment .\etc\IWA-API-Dev.postman_environment.json
newman run .\etc\IWA-API-Dev-Workflow.postman_collection.json --environment .\etc\IWA-API-Dev.postman_environment.json

In order to use this collection with WebInspect you will need to make sure newman is on the path and then you can run:

& "C:\Program Files\Fortify\Fortify WebInspect\WI.exe" -pwc .\etc\IWA-API-Dev-Workflow.postman_collection.json -pec .\etc\IWA-API-Dev.postman_environment.json -ep ".\IWA-API.fpr"

You can also import the Postman collections into ScanCentral DAST and run the resultant setup using the fortify-scancentral-dast.ps1 script and the relevant CICD Identifier.

The Fortify FAST Proxy allows you to capture traffic from an automated test run and then use the traffic as a workflow for a ScanCentral DAST execution. In order to carry out the example here you will need to have installed WIRCServerSetup64-ProxyOnly.msi which is available in the Dynamic_Addons.zip of the ScanCentral DAST installation media.

There is an example Selenium Python test script provided test_add_to_cart.py that can be used to execute a simple functional test of the running application. There are also a couple of PowerShell scripts start_fast_proxy.ps1 and stop_fast_proxy.ps1 that can be used to start/stop the FAST Proxy. In order to use these scripts you will need to have entries in the .env file similar to the following:

APP_URL=https://iwa.onfortify.com
SSC_AUTH_TOKEN_BASE64=MmYyMTA5MzYtN2Q5Ny00NmM1LWI5NTUtYThkZWI2YmJlMDUy
SSCANCENTRAL_DAST_API=http://localhost:5001/api/
SCANCENTRAL_DAST_CICD_IDENTIFIER=c3c3df60-de68-45b8-89c0-4c07b53392e7
FAST_EXE=C:\\Program Files\\Micro Focus WIRC Server\\Fast.exe
FAST_PORT=8087
FAST_PROXY=127.0.0.1:8087
CHROME_WEBDRIVER_PATH=C:/Tools/selenium/chromedriver.exe

The SSC_AUTH_TOKEN_BASE64 is the (first) encoded token shown in SSC not the (second) decoded token. The CHROME_WEBDRIVER_PATH should be set to a compatible version for your Chrome browser as downloaded from here.

You will also need to have installed the Selenium, PyTest and python-dotenv Python modules:

pip install selenium
pip install pytest
pip install python-dotenv

Make sure the application is running and then execute the following in a terminal window:

powershell bin\start_fast_proxy.ps1

Then in another terminal window execute the following:

pytest
powershell bin\stop_fast_proxy.ps1

The FAST executable from the first terminal should terminate and then a scan execute in your ScanCentral DAST environment.

If you are using Jenkins, a comprehensive Jenkinsfile is provided to automate all of the typical steps of a DevSecOps Continuous Delivery (CD) process. For application security testing it can make use of Fortify SCA, Fortify WebInspect, Fortify SSC and/or Fortify on Demand.

To make use of the Jenkinsfile create a new Jenkins Pipeline Job and in the Pipeline section select Pipeline script from SCM and enter the details of a forked version of this GitHub repository.

The first run of the pipeline should be treated as a "setup" step as it will create some Job Parameters which you can then select to determine which features you want to enable in the pipeline.

You will need to have installed and configured the Fortify SCA and/or the Fortify on Demand Uploader Jenkins plugins.

There is lots of documentation in the Jenkinsfile itself so please examine it to see what else you will need to do for a successful invocation.

This repository includes a GitHub Actions example workflow that automates the build of the application and scans the code using either Fortify on Demand or Fortify ScanCentral for SAST.

This repository includes a GitLab Pipelines example pipeline that automates the build of the application and uploads the source code to Fortify on Demand for SAST.

It makes use of the Fortify GitLab CI Templates

For a fully working Azure DevOps pipeline see the sister project IWA.NET.

Please see the Contribution Guide for information on how to develop and contribute.

If you have any problems, please consult GitHub Issues to see if has already been discussed.

This application is made available under the GNU General Public License V3