We currently use a combination of WebInspect and Assessment Management Platform (AMP) for conducting Vulnerability Assessments (VA).
Recently visiting HP's website, I saw there are a number of new and re-branded security/VA tools that I assume have come out of HP's acquisition of Fortify?
I am a bit confused as to the difference between AMP, HP WebInspect Enterprise and Software Security Center, as they all seem to be offering very similar things. I have also found there to be very little information available on AMP anymore, and that some AMP links now re-direct to HP WebInspect Enterprise - has this product now replaced AMP?
I know I could probably contact somebody in sales to give me a detailed run-down on each tool, but I'd rather have a frank and honest opinion on the differences between these tools, rather than a sales pitch as to why I should upgrade to one tool or another.
At the risk of giving our Product Managers the heebie-jeebies, I will attempt an off-the-cuff brief on this. ;-) Message me privately if you would like to talk directly or meet with Sales for a fuller explanation and demonstration.
As you know, our current HP Fortify organization is made up of the collision/merger of the old SPI Dynamics (nee HP ASC) and Fortify. Each of these organizations is a leader in a separate area of application testing, DAST and SAST respectively. While there were some integrations and overlap prior to this acquisition, not everything was perfectly aligned. The most glaring example of this was that we were selling two separate web consoles for vulnerability management, HP AMP (DAST) and Fortify F360 (SAST). For those customers using both solutions, the obvious question was, "Why do I need two?". Our goal is to make the combination of DAST and SAST testing and correlation easy and available to our customers while still offering them each one separately as their needs dictate.
HP WebInspect Enterprise ("WIE") is our movement toward unifying these two solutions. Ostensibly, it is replacing HP AMP and serving as a plug-in to the SSC Server (previously F360 Server). Since 2010 we have had capabilities to export scans from WebInspect (desktop) and AMP in order to transfer them into SSC, but WIE offers a closer relationship for this publishing action.
The current release of WIE from September 2012 is version 9.30, replacing HP AMP 9.20. Beneath the hood, it is largely the same old AMP codebase, including its system requirements, SmartUpdate, use of distributed Sensors, user Roles and Permissions, and even minor details such as using the exact same AMP API and some files or folders still carrying the "AMP" moniker. The current release of WebInspect 9.30 (desktop) can be connected to either AMP 9.20 or WIE 9.30, so you are not losing any technical or attack capabilities.
The key separation from AMP is that WIE can only be installed if it has an SSC Server present or reachable during the Initialization wizard. Once installed, the WIE server manages all of the DAST scan data. AMP "Sites" have become SSC "Projects", and those artifacts are created in and then imported from the SSC interface. Developers using SSC can fill out a Scan Request form within the SSC UI, and then the AppSec team using the WIE UI will process and run those requests. Finished results are reviewed in WIE and ultimately published into SSC, where those DAST findings are then matched with the SAST test results for the same Project. All reporting now takes place within the SSC UI.
In addition, the web interface of WIE now offers a scan UI that is very similar to that of the existing WebInspect desktop product. This offers better real-time visibility than AMP had offered, although a few minor items are still lacking from the desktop product's UI, such as the right-click menus. Scans can still be transferred freely between the WIE server and WebInspect (desktop) without any need for translation or export/import.
As an AMP customer, WebInspect Enterprise may not be ready for you. This initial release does not offer any automated migration capabilities, so all AMP scans, artifacts, and defined Permissions would have to be transferred manually or rebuilt. There were also other key features in AMP that did not make it into this initial release of WIE such as Assessments, Tags, and Discovery Scans. Based on those differences, I believe that existing AMP customers should remain on that platform for at least the next one or two releases of WebInspect Enterprise. Once WIE offers more assistance for on-boarding existing AMP customers, our Product Management team will be contacting and assisting you on this. Some customers who used very few of AMP's available features have already begun transitioning, but recall that this is a manual process.
New customers are being offered only WIE at this time. If they are an existing Fortify SSC customer, they simply acquire only the WIE Server component and Sensor(s). This permits them to immediately begin pulling DAST scan information into their existing testing process and centralized view, with the actual DAST tests being run by the AppSec staff. If they are an entirely new customer, our WebInspect Enterprise Starter Edition bundle ("WIE SE") provides them the necessary SSC Server component (SSC Server, WIE Server, 1 Sensor, plus 1 WebInspect desktop seat).
My company is looking at introducing Fortify STA and SSC, and as such, there may be a push to upgrade from AMP to WebInspect Enterprise.
I was wondering if there was any news, or work in the pipeline, for an automated migration process from AMP to WIE?
As previously mentioned, we have over 3 years' worth of scan data, which it would not be feasible to migrate manually.
I was also wondering if you could provide some information on the added functionality that you get from implementing WIE, that you wouldn't get from just publishing your scans from WebInspect to SSC directly.
For some additional conversations, I will private message you the name and contacts of the Product Manager, Jonathan.
WebInspect Enterprise (WIE) is currently at release 10.10 and interoperates with SSC Server 4.0 as a partner module of sorts. It is much closer than AMP was. At this point the two products are still on separate implementation stacks, with WIE requiring IIS and MSSQL, and with SSC supporting several platforms (as a Java app) and choices of DB via JDBC drivers. Co-installations are possible, but you might prefer using two separate machines. WIE depends on SSC Server to authenticate its users (further linked to LDAP/AD upstream) and to manage/create the Projects (targets), but from then on all of your DAST testing is performed within the WIE web console.
The developers using the SSC web console UI can either Request a Dynamic Scan for their Project (typical), or run a scan themselves directly from the SSC web console (less common). The first option causes a Scan Request to appear in the WIE web console, where your properly trained and focused SecOps staff will see it, run the scan, review the findings, and Publish them back into the SSC Project. The second option requires that the developer understand how to run a WebInspect/Sensor scan. Regardless of how the dynamic scan is run, the SSC UI offers ways to filter and prioritize the findings even further, so the developers are not swamped with minor items. And
The Scan UI in WIE is really beautiful compared to what AMP offers for real-time status. It launches the Guided Scan wizard, as seen in WebInspect desktop, to run the scan on a remote Sensor, and provides 98% of the real-time scan status UI you are accustomed to from the WebInspect desktop UI, all within a browser pane. And that browser can be MSIE or Firefox, not just MSIE. Chrome is not quite supported but some users try anyway.
A key difference in WIE from AMP is the way the findings are pulled into SSC Server. We have always had the ability to Import an exported scan from WebInspect desktop or AMP, particularly if it was in the Fortify FPR file format. The trouble with that was that Fortify's SAST processes always assume that 100% of the app was analyzed, and so any new upload for a Project was the truest version. As we know with dynamic scans, separate tests may cover different portions of the application, so merging is better. With WebInspect Enterprise, this merging action is now available as part of the Publishing action. The SecOps staff are shown a summary of New/Existing/Reopen types of categories, and they can choose how to treat those with respect to any prior WebInspect scan results that are already in the SSC Project.
Almost all of the customers I have dealt with for implementing WebInspect Enterprise have been greenfield clients or they had minimal amounts of materials in AMP they wanted transferred. I believe our Professional Services group has performed larger, automated migrations, but I do not have a status on the migration features that WIE 10.20 may offer. As that is probably a forward-facing feature where I am limited to discuss, you may want to bring that up in private with Jonathan.
-- Habeas Data Micro Focus Fortify Customers-Only Forums – https://community.saas.hpe.com/t5/Fortify/ct-p/fortify
The new scan merging capability sounds like a great feature, given it has always been difficult to generate trend reports for applications that require multiple scans to get full coverage. The ability to create and track requests for WebInspect scans within the tool itself is also a bonus.
We currently conduct all scans from within WebInspect and upload results to AMP as opposed to using the AMP Scan Wizard, so not sure that we would use the web console; other than to reduce our WI license pool :o)
I will contact Jonathan with regards to AMP Migration. Thank you for forwarding me his details.
Question on current implementation. We have 2 WI thin clients, 4 AMP sensors installed on server and our 1 AMPMgr server. What would that translate to in the new WIE model? Looking to get licenses for SSC, sensors and manager server. Does the WIE thin client come along with licensing, or is it needed anymore?