I am trying to run the AMP console for the first time, but I get the Log On to AMP window. I read in the guide that I should add my domain credentials in Administration > Roles. But this submenu is disabled unless I enter a proper username and password in the Log On to AMP window. Which should I put there (the ones from AMP Manager)?
Would anyone know where HP AMP stores the scanning templates that are made through the web GUI? I would like to export one of these templates and provide it for users that work with stand-alone installs of WebInspect. I can find the .compliance templates, but not the custom ones that are made.
I am hoping that this is possible, but I cannot locate where the custom templates would be on the server.
Please note that Support does not end for another two years, but most customers will want to investigate the free migration path to WebInspect Enterprise.
From: Hewlett-Packard [mailto:firstname.lastname@example.org]
Sent: Monday, September 01, 2014 8:39 PM
Subject: HP Assessment Management Platform Obsolescence
Hewlett-Packard has important product discontinuance information available for you regarding your HP Assessment Management Platform software.
All customers with an active support contract for HP Assessment Management Platform are eligible to migrate to HP WebInspect Enterprise.
You're receiving this communication either because you're listed as your company's contact for a support contract that includes the product this communication is about or because you're subscribed to receive alerts. Should you no longer be your company's contact for support contracts, please contact your HP Representative or HP Business Partner to request the support contract(s) to be updated.
Key Program Dates:
- September 1, 2014: Product Discontinuance Announcement
- November 1, 2014: End of Sale (no longer orderable or available for purchase)
- October 31, 2016: End of Support
- October 31, 2018: End of Self-Help Support
Detailed information regarding this discontinuance can be found at:
HP appreciates your business and looks forward to assisting you with your future software requirements.
Note: Some updates get sent out based upon what product family they are a part of, not by exact model. If you don't find the update on the web under your specific model number, then it does not apply to that model.
2014 Hewlett-Packard Company. All rights reserved. All product and company names referenced herein are trademarks of their respective owners. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. This document may be copied provided all text is included and copies contain HP's copyright notice and any other notices provided herein.
Recently we did a password change for the service account for the server where the AMP server is installed and we are able to get into the AMP windows and the web console. It shows the error message below.
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.
Line 149: </tagMapping>
Line 150: </pages>
Line 151: <identity impersonate="true" userName="registry:HKLM\Software\HP\AMP\8.0\AmpManagerWS\ASPNET_SETREG,userName" password="registry:HKLM\Software\HP\AMP\8.0\AmpManagerWS\ASPNET_SETREG,password" />
Line 152: <httpHandlers>
Line 153: <!-- Ajax -->
Please help me on this
Can anyone tell me if HP AMP integrates with SAML for any version?
If it does, which version?
If not, does anyone know the best way to integrate the application with SAML?
I have over 3x years' worth of scans stored in AMP, from which I'm wanting to pull out various statistics.
In particular I'm wanting to find a way to report on which of my sites have ever had any form of Cross Site Scripting, as this is one of the biggest issues faced by my workplace.
Through the Dashboard's Top 5 Vulnerabilities WebPart I am able to determine which sites currently have XSS, based on the results from the most recent scan, where XSS is considered any of the following:
- Cross Site Scripting
- Filter Evasion Cross Site Scripting
- HTML Tag Injection
- JSON Hijacking/Injection
- Cross-Frame Scripting
... and possibly more
I would like to produce a similar report, which takes into account all of a site's previous scans, not just the most recent.
I don't require this to be available via the Dashboard and also have read access to the AMP Database, so a SQL Query to retrieve this information would suffice.
WebInspect Enterprise is a multi-machine implementation. As such, the System Requirements can be a bit dry as a series of lists. Attached is a visual representation of these same requirements for WIE 10.10. Perhaps it will help you understand the "big picture".
Recently I became aware of an oversight in the Web Macro Recorder tool (WMR) and our WebInspect Enterprise 10.0 (WIE) web console. When configuring a New Scan, the WIE web console provides a way for the WIE user to Import a pre-recorded Workflow (Start Macro), but not any way to record it in real-time. If you click the Advanced Settings button, the fields shown for Workflows are mostly identical, with no option to Record, only Import. This makes practical sense, as the WMR tool is a standalone EXE and not incorporated within the web browser UI. It is possible this same issue exists for WIE version 9.30 as well.
At this point, the user would generally switch to the WIE Console (thick client), WebInspect (desktop), or the standalone Security Toolkit in order to launch the WMR tool. However, the latest iteration of the new Unified UI for the WMR does not offer a "Workflow-Only" recording mode; it will assume you are recording a Login Macro. If you attempt to push through anyway to record your Macro, and stuff in a nonsensical Logout Condition like "something", as I did, you will later find that the WIE Sensor scan halts on the first request with an Object Instance error and some messages about the Starting URL being empty. A badly designed Login Macro simply cannot be used as a Start Macro/Workflow! Doh!
The trouble with the latest WebInspect 10.10 (and for WIE 10.0), is that Workflows are assumed to be recorded on-the-fly within the Guided Scan wizard, which is only available in the WebInspect desktop product. This does utilize the WMR tool, but in a Workflow-Only recording mode when used for the Workflow specification. The other forms of the WMR tool used elsewhere should have an option in the UI to enable this option, but it did not make it into this latest release. Again, an oversight.
There are several work-arounds for this scenario, all permitting a WIE user to pre-record a Workflow for use when configuring WIE Sensor scans.
1. The WMR EXE can be launched with a hidden flag that enables this Workflow-Only recording mode.
The flag is "/IsWorkflow:true". Adding this CLI instruction into a BAT file will permit you an easy way to launch that tool, provided you have either the Security Toolkit, WebInspect (desktop), or the standalone Toolkit installed on your workstation. Below is my own BAT file's contents.
"C:\Program Files (x86)\Common Files\HP\HP Security Toolkit\ToolkitHost.exe" /Product:TruClient /IsWorkflow:true
:: This script opens the Web Macro Recorder tool (10.x) in a mode appropriate for recording a Workflow or Start Macro, and not as a Login Macro. Useful for WIE web UI users with the Security Toolkit.
2. The Web Proxy tool can be used to record Workflow macros.
Again, use one of the suggested clients above to access the Toolkit and launch the Web Proxy tool. Configure your browser to use this localhost proxy and then browse the desired Workflow. Halt the proxy's Record mode and use its File menu to Create A Macro. This will be a Workflow macro that can be Imported into the WIE web console where needed.
3. Workflows recorded in WebInspect's Guided Scan wizard can be saved ("Exported"). These *.webmacro files can then be used when configuring your Workflow-Driven scans on the WIE Sensors.
The general steps for this activity are posted below, but they were previously detailed at this other forum posting: http://h30499.www3.hp.com/t5/WebInspect/Manual-mode-scan-settings-help/m-p/6058879#.UidRdT_3MmY
4. Scan Template!
Any scan you configure in WebInspect (desktop) can be uploaded to WIE as a Scan Template using the Enterprise Server menu. This uploaded Scan Template would include any Workflows you had defined in the original scan. The assumption here is that you already ran the Workflow-Driven scan, however long or short, in WebInspect desktop, and then saved the Current Scan Settings to an XML file.
To access the workflows originally recorded, you will need to have saved your desired scan setting file. If you failed to save the scan settings during the scan wizard process, you can still access them at any time that the scan is either Paused or Completed. Simply bring the scan on-screen in WebInspect, then open the Edit menu > Current Scan Settings. The lower left corner of the new window offers the ability to "Save Settings As", which will generate the necessary XML file to work on.
1. Next, you will need to start the Guided Scan wizard, and then click the toolbar button for "Open" to load that saved setting file into the wizard.
- There may be a delay as the wizard begins and then loads the setting file.
- You may also need to re-Verify the starting URL before you can move around within the wizard's screens.
2. Navigate within the Guided Scan phase panels (left-hand side) to "Workflows" > "1. Manage Workflows".
- Once there, you will see a listing of your previously recorded Macros ("workflows").
3. Select the workflow/macro that you wish to edit and then click either Export or Edit.
- Based on your WebInspect Application Settings (Directories panel), the default folder for exported (Saved) web macros in WebInspect 10.0 on Windows 7 will probably be C:\Users\%CURRENTUSER%\Documents\SPI Dynamics\Tools\
4. Exported (saved) web macros can be edited outside of the Guided Scan wizard by using the Web Macro Recorder tool.
Our sensors appear to have successfully updated to WebInspect 10.1. They show as version "10.1.177.0" and "available" in AMP Console. They are all approved to participate in "any available" sensor scans. However, any attempt to start a new scan in AMP results in the scan hanging up in "Starting" status.
Any help appreciated.
HP Fortify Kicks off the Summer with Three New Releases
We are pleased to announce the immediate availability of the following HP Fortify products across our entire software security portfolio. Each of these releases offers significant improvements in usability, performance, and quality while also serving to advance our market momentum. The following summarizes the highlights in each release. More in-depth information is also available in the documentation referenced below.
HP Fortify Software Security Center 3.90
Includes the following performance and reliability improvements:
Results Processing—Results are now processed in a way that provides better information to the user. Now, new scan results are merged more quickly with past results so the progress of a particular application’s security posture over time can be tracked with improved efficiency.
Improved Performance for Simultaneous Users—Response times are now faster for multiple users working to triage security issues through both the web interface and IDE remediation plug-ins.
HP Fortify Static Code Analyzer 3.90
Now includes the following:
Xcode 4.6—Support for Xcode 4.6 and iOS 6.1 is now included.
Eclipse 4.2—Support for Eclipse 3.8 (Indigo) and 4.2 (Juno) for both auditing and scanning, and also as a remediation plug-in, is now included.
Support Diagnostic Tool—A new support diagnostic tool added to Audit Workbench provides platform and log information on support tickets. This tool is available at Help->Contact Support.
WebInspect 10.1 adds support for importing functional test automation scripts from HP Unified Functional Test (UFT) to kickstart application security testing. It also includes dramatically improved performance for both the Local File Inclusion (LFI) and Remote File Inclusion (RFI) analysis engines.
WebInspect Enterprise 10.0
WebInspect Enterprise 10.0 creates a more integrated user experience through much tighter integration with Software Security Center by providing support to create dynamic security tests directly from SSC. Other improvements include greatly enhanced usability by elimination of dual steps such as requiring both SSC and WI credentials for login, and implicit synchronization of project versions.
WebInspect Foreign Language 10.0
WebInspect Foreign Language 10.0 now includes support for Traditional Chinese.
In light of the recent WebInspect 10.0 release, I wanted to restate how AMP and WebInspect Enterprise customers go about updating their Sensors to the latest version. (Yes, WebInspect 10.0 works with AMP 9.20, not just WIE 9.30.) Due to their centralized control model, these products require some additional steps beyond the SmartUpdate that occurs for a WebInspect (desktop) user.
In normal operations, the administrator will open the WebInspect Enterprise Console or AMP Console and check the SmartUpdate Approval sub-panel under the Administration panel. If the newest version of WebInspect is not yet listed here, run SmartUpdate and wait for it to complete. Once the latest version of WebInspect is shown here, right-click on it and select "Approved". After this, all Sensors will be automatically updated when they connect back to their Manager and/or are requested to run any scan. Pretty nice!
Periodically there will be a schema update between WebInspect (Sensor) releases that requires an update to the scan storage database. If the Sensor is using SQL Express, this schema update will occur automatically. If the Sensor is instead using a "normal" MS SQL database (Standard or Enterprise edition), then the administrator may need to intercede. If this is the case, the Sensor will display a message to this effect within the Sensors panel of the WIE/AMP Console. That message will also include a link to a local file that houses the necessary update Query script.
The administrator will need to transfer the recommended Query script to the SQL database or a DBA/DBO. They will need to run this Query against the specific database used by that Sensor. Once finished, the Sensor's displayed status should update within the Sensors panel and the Sensor should become Available again. Sometimes this update activity causes the Windows Sensor service to be Stopped and Started on that remote workstation, but since it is updating it will not have any live scans to be interrupted.
Alternatively, the most foolproof method may be to remotely connect to each of your Sensor machines and then download and install WebInspect 10, or whatever is the newest version, on top of the current Sensor version. But we don't have time for that! And still the database sometimes demands personal attention as detailed above.
We currently use a combination of WebInspect and Assessment Management Platform (AMP) for conducting Vulnerability Assessments (VA).
Recently visiting HP's website, I saw there are a number of new and re-branded security/VA tools that I assume have come out of HP's acquisition of Fortify?
I am a bit confused as to the difference between AMP, HP WebInspect Enterprise and Software Security Center, as they all seem to be offering very similar things. I have also found there to be very little information available on AMP anymore, and that some AMP links now re-direct to HP WebInspect Enterprise - has this product now replaced AMP?
I know I could probably contact somebody in sales to give me a detailed run-down on each tool, but I'd rather a frank and honest opinion on the differences between these tools, rather than a sales pitch as to why I should upgrade to one tool or another.
Is it possible to move a scan from one assessment to another in AMP?
Funny, but HP has not yet made a forum for the WebInspect Enterprise product ("WIE"). Since this is slowly replacing the HP AMP product, I guess we should start posting WIE topics and questions here for now.
My reasoning is not only because this product is replacing AMP, but it has a good amount of the same structure and capabilities carried over.
So until we hear more, we can use this forum. Enjoy!
I have created a new workflow scan in WebInspect for one application and uploaded the scan template in AMP. In AMP I have created a scan for the same application with the scan template which I created previously from WebInspect. I got a crawl count of 5000 for the WebInspect scan, and for AMP I got a crawl count of 103. Using the same application and the same configuration, why am I getting this much difference between WebInspect and AMP? Please provide me the solution for this. I need the same crawl count for both the WebInspect and AMP scans.
I'm trying to determine exactly what the Assessment Maintenance->Archive option does. The help pages seem to indicate that it archives "the scan" by compressing it and moving it to "a separate database". My questions are:
1. Does doing this help relieve problems with the AMP database filling up?
2. Does it compress and store all the scans in the assessment, or just all contributing scans?
Any help appreciated!
AMP is currently deployed through BigIP's F5 load balancer. After logging in to the AMP dashboard, users are immediately shown a "Your Session has Expired" page. However, if I access the AMP server directly (by IP address without going through the F5), users are able to maintain their session and the app functions correctly.
My questions are: Is there a setting in the AMP application itself that handles cookie management? Is there a setting somewhere that would be resetting the HTTP context (for example something like: vuser_init() or a checkbox for "Simulate a new user on each iteration") that would handle virtual user sessions?
Could you please help me find the total memory limit (total size) for the AMP web console, as I am trying to upload bulk scans into it.
WebInspect gives the option to edit the current scan settings when the scan is paused; do we get the same feature in AMP?
Currently when I suspend a scan & try editing its configuration it shows in read-only mode only!
Thanks & stay secure,
We have the option to filter views based on tags we define. The tagging is allowed to be applied at scan & site level, but the filtering is only available at site level.
So now, suppose I have saved all scans executed between Apr-June under tag Q1-2012. How do I set the filter so that I can view only scans executed during that period? I tried to create the filter but it's fetching no data as the tag is only working at site level.
Can anybody suggest whether this is a problem in AMP or I'm missing some key step?
Thanks & stay secure,