I'm currently scanning a large number of websites built using Drupal and am trying to reduce the number of Microsoft-centric checks that WebInspect performs as part of the OWASP Top 10 Policy to increase scan performance and reduce false positives.
I'm trying to do this through the Smart Scan setting, but I'm unsure whether this is the best place to do it.
I'm adding custom server/application type definitions for the application, but it is unable to auto-identify the type of technology being used. As I know this application is built using Drupal, and Drupal uses PHP, I have selected PHP as the technology. The web server hosting this site is nginx; however, this does not appear in the list, so the only Server/Application type I have selected is PHP.
Is this the best way to remove technology-specific checks when they are not required for a scan, or is there a much better way of doing this?
An alternative method may be to customize your scan Policy to omit the servers in question.
Open the Policy using the included Policy Manager tool and then switch to the Attack Groups view. On the subject tree, expand the Web Servers branch and disable the boxes for "IIS" and others that you feel will not apply. Next, expand the branches for \Third-Party Web Applications\Content Managers\Drupal\ and verify that all choices are enabled. Lastly, open the Search function and locate all vulnerabilities with "drupal" in their name, to ensure they are still enabled for this scan policy.
-- Habeas Data Micro Focus Fortify Customers-Only Forums – https://community.saas.hpe.com/t5/Fortify/ct-p/fortify