HPE Software Products: AMP
I am trying to run the AMP console for the first time, but I got the Log On to AMP window. I read in the guide that I should add my domain credentials in Administration>Roles. But this submenu is disabled unless I put a proper username and password in the Log On to AMP window. Which should I put there (the ones from AMP Manager)?
Would anyone know where HP AMP stores the scanning templates that are made through the webGUI? I would like to export one of these templates and provide it for users that work with stand-alone installs of Webinspect. I can find the .compliance templates, but not the custom ones that are made.
I am hoping that this is possible, but I cannot locate where the custom templates would be on the server.
Please note that Support does not end for another two years, but most customers will want to investigate the free migration path to WebInspect Enterprise.
From: Hewlett-Packard [mailto:firstname.lastname@example.org]
Hewlett-Packard has important product discontinuance information available for you regarding your HP Assessment Management Platform software.
September 1, 2014: Product Discontinuance Announcement
November 1, 2014: End of Sale (no longer orderable or available for purchase)
October 31, 2016: End of Support
October 31, 2018: End of Self-Help Support
Note: Some updates get sent out based upon what product family they are a part of, not by exact model. If you don't find the update on the web under your specific model number, then it does not apply to that model.
Recently we did a password change for the service account for the server where the AMP server is installed and we are able to get into the AMP windows and the web console. It shows the below error message.
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Line 149: </tagMapping>
Line 150: </pages>
Line 151: <identity impersonate="true" userName="registry:HKLM\Software\HP\AMP\8.0\AmpManagerWS\ASPNET_SETREG,userName" password="registry:HKLM\Software\HP\AMP\8.0\AmpManagerWS\ASPNET_SETREG,password" />
Line 152: <httpHandlers>
Line 153: <!-- Ajax -->
Please help me on this
Can anyone tell me if HP AMP integrates with SAML for any version?
If it does, which version?
If not, does anyone know the best way to integrate the application with SAML?
I have over 3x years' worth of scans stored in AMP, from which I'm wanting to pull out various statistics.
In particular I'm wanting to find a way to report on which of my sites have ever had any form of Cross Site Scripting, as this is one of the biggest issues faced by my workplace.
Through the Dashboard's Top 5 Vulnerabilities WebPart I am able to determine which sites currently have XSS, based on the results from the most recent scan, where XSS is considered any of the following:
... and possibly more
I would like to produce a similar report, which takes into account all of a site's previous scans, not just the most recent.
I don't require this to be available via the Dashboard and also have read access to the AMP Database, so a SQL Query to retrieve this information would suffice.
WebInspect Enterprise is a multi-machine implementation. As such, the System Requirements can be a bit dry as a series of lists. Attached is a visual representation of these same requirements for WIE 10.10. Perhaps it will help you understand the "big picture".
Recently I became aware of an oversight in the Web Macro Recorder tool (WMR) and our WebInspect Enterprise 10.0 (WIE) web console. When configuring a New Scan, the WIE web console provides a way for the WIE user to Import a pre-recorded Workflow (Start Macro), but not any way to record it in real-time. If you click the Advanced Settings button, the fields shown for Workflows are mostly identical, with no option to Record, only Import. This makes practical sense, as the WMR tool is a standalone EXE and not incorporated within the web browser UI. It is possible this same issue exists for WIE version 9.30 as well.
At this point, the user would generally switch to the WIE Console (thick client), WebInspect (desktop), or the standalone Security Toolkit in order to launch the WMR tool. However, the latest iteration of the new Unified UI for the WMR does not offer a "Workflow-Only" recording mode; it will assume you are recording a Login Macro. If you attempt to push through anyway to record your Macro, and stuff in a nonsensical Logout Condition like "something", as I did, you will later find that the WIE Sensor scan halts on the first request with an Object Instance error and some messages about the Starting URL being empty. A badly designed Login Macro simply cannot be used as a Start Macro/Workflow! Doh!
The trouble with the latest WebInspect 10.10 (and for WIE 10.0), is that Workflows are assumed to be recorded on-the-fly within the Guided Scan wizard, which is only available in the WebInspect desktop product. This does utilize the WMR tool, but in a Workflow-Only recording mode when used for the Workflow specification. The other forms of the WMR tool used elsewhere should have an option in the UI to enable this option, but it did not make it into this latest release. Again, an oversight.
There are several work-arounds for this scenario, all permitting a WIE user to pre-record a Workflow for use when configuring WIE Sensor scans.
1. The WMR EXE can be launched with a hidden flag that enables this Workflow-Only recording mode.
The flag is "/IsWorkflow:true". Adding this CLI instruction into a BAT file will permit you an easy way to launch that tool, provided you have either the Security Toolkit, WebInspect (desktop), or the standalone Toolkit installed on your workstation. Below is my own BAT file's contents.
"C:\Program Files (x86)\Common Files\HP\HP Security Toolkit\ToolkitHost.exe" /Product:TruClient /IsWorkflow:true
:: This script opens the Web Macro Recorder tool (10.x) in a mode appropriate for recording a Workflow or Start Macro, and not as a Login Macro. Useful for WIE web UI users with the Security Toolkit.
2. The Web Proxy tool can be used to record Workflow macros.
Again, use one of the suggested clients above to access the Toolkit and launch the Web Proxy tool. Configure your browser to use this localhost proxy and then browse the desired Workflow. Halt the proxy's Record mode and use its File menu to Create A Macro. This will be a Workflow macro that can be Imported into the WIE web console where needed.
3. Workflows recorded in WebInspect's Guided Scan wizard can be saved ("Exported"). These *.webmacro files can then be used when configuring your Workflow-Driven scans on the WIE Sensors.
The general steps for this activity are posted below, but they were previously detailed at this other forum posting: http://h30499.www3.hp.com/t5/WebInspect/Manual-mode-scan-settings-help/m-p/6058879#.UidRdT_3MmY
4. Scan Template!
Any scan you configure in WebInspect (desktop) can be uploaded to WIE as a Scan Template using the Enterprise Server menu. This uploaded Scan Template would include any Workflows you had defined in the original scan. The assumption here is that you already ran the Workflow-Driven scan, however long or short, in WebInspect desktop, and then saved the Current Scan Settings to an XML file.
To access the workflows originally recorded, you will need to have saved your desired scan setting file. If you failed to save the scan settings during the scan wizard process, you can still access them at any time that the scan is either Paused or Completed. Simply bring the scan on-screen in WebInspect, then open the Edit menu > Current Scan Settings. The lower left corner of the new window offers the ability to "Save Settings As", which will generate the necessary XML file to work on.
1. Next, you will need to start the Guided Scan wizard, and then click the toolbar button for "Open" to load that saved setting file into the wizard.
2. Navigate within the Guided Scan phase panels (left-hand side) to "Workflows" > "1. Manage Workflows".
3. Select the workflow/macro that you wish to edit and then click either Export or Edit.
4. Exported (saved) web macros can be edited outside of the Guided Scan wizard by using the Web Macro Recorder tool.
Our sensors appear to have successfully updated to WebInspect 10.1. They show as version "10.1.177.0" and "available" in AMP Console. They are all approved to participate in "any available" sensor scans. However, any attempt to start a new scan in AMP results in the scan hanging up in "Starting" status.
Any help appreciated.
HP Fortify Kicks off the Summer with Three New Releases
We are pleased to announce the immediate availability of the following HP Fortify products across our entire software security portfolio. Each of these releases offers significant improvements in usability, performance, and quality while also serving to advance our market momentum. The following summarizes the highlights in each release. More in-depth information is also available in the documentation referenced below.
HP Fortify Software Security Center 3.90
Includes the following performance and reliability improvements:
Results Processing—Results are now processed in a way that provides better information to the user. Now, new scan results are merged more quickly with past results so the progress of a particular application’s security posture over time can be tracked with improved efficiency.
Improved Performance for Simultaneous Users—Response times are now faster for multiple users working to triage security issues through both the web interface and IDE remediation plug-ins.
HP Fortify Static Code Analyzer 3.90
Now includes the following:
Xcode 4.6—Support for Xcode 4.6 and iOS 6.1 is now included.
Eclipse 4.2—Support for Eclipse 3.8 (Indigo) and 4.2 (Juno) for both auditing and scanning, and also as a remediation plug-in, is now included.
Support Diagnostic Tool—A new support diagnostic tool added to Audit Workbench provides platform and log information on support tickets. This tool is available at Help->Contact Support.
WebInspect 10.1 adds support for importing functional test automation scripts from HP Unified Functional Test (UFT) to kickstart application security testing. It also includes dramatically improved performance for both the Local File Inclusion (LFI) and Remote File Inclusion (RFI) analysis engines.
WebInspect Enterprise 10.0
WebInspect Enterprise 10.0 creates a more integrated user experience through much tighter integration with Software Security Center by providing support to create dynamic security tests directly from SSC. Other improvements include greatly enhanced usability by elimination of dual steps such as requiring both SSC and WI credentials for login, and implicit synchronization of project versions.
WebInspect Foreign Language 10.0
WebInspect Foreign Language 10.0 now includes support for Traditional Chinese.
In light of the recent WebInspect 10.0 release, I wanted to restate how AMP and WebInspect Enterprise customers go about updating their Sensors to the latest version. (Yes, WebInspect 10.0 works with AMP 9.20, not just WIE 9.30.) Due to their centralized control model, these products require some additional steps beyond the SmartUpdate that occurs for a WebInspect (desktop) user.
In normal operations, the administrator will open the WebInspect Enterprise Console or AMP Console and check the SmartUpdate Approval sub-panel under the Administration panel. If the newest version of WebInspect is not yet listed here, run SmartUpdate and wait for it to complete. Once the latest version of WebInspect is shown here, right-click on it and select "Approved". After this, all Sensors will be automatically updated when they connect back to their Manager and/or are requested to run any scan. Pretty nice!
Periodically there will be a schema update between WebInspect (Sensor) releases that requires an update to the scan storage database. If the Sensor is using SQL Express, this schema update will occur automatically. If the Sensor is instead using a "normal" MS SQL database (Standard or Enterprise edition), then the administrator may need to intercede. If this is the case, the Sensor will display a message to this effect within the Sensors panel of the WIE/AMP Console. That message will also include a link to a local file that houses the necessary update Query script.
The administrator will need to transfer the recommended Query script to the SQL database or a DBA/DBO. They will need to run this Query against the specific database used by that Sensor. Once finished, the Sensor's displayed status should update within the Sensors panel and the Sensor should become Available again. Sometimes this update activity causes the Windows Sensor service to be Stopped and Started on that remote workstation, but since it is updating it will not have any live scans to be interrupted.
Alternatively, the most foolproof method may be to remotely connect to each of your Sensor machines and then download and install WebInspect 10, or whatever is the newest version, on top of the current Sensor version. But we don't have time for that! And still the database sometimes demands personal attention as detailed above.
We currently use a combination of WebInspect and Assessment Management Platform (AMP) for conducting Vulnerability Assessments (VA).
Recently visiting HP's website, I saw there are a number of new and re-branded security/VA tools that I assume have come out of HP's acquisition of Fortify?
I am a bit confused as to the difference between AMP, HP WebInspect Enterprise and Software Security Center, as they all seem to be offering very similar things. I have also found there to be very little information available on AMP anymore, and that some AMP links now re-direct to HP WebInspect Enterprise - has this product now replaced AMP?
I know I could probably contact somebody in sales to give me a detailed run-down on each tool, but I'd rather a frank and honest opinion on the differences between these tools, rather than a sales pitch as to why I should upgrade to one tool or another.
Is it possible to move a scan from one assessment to another in AMP?
Funny, but HP has not yet made a forum for the WebInspect Enterprise product ("WIE"). Since this is slowly replacing the HP AMP product, I guess we should start posting WIE topics and questions here for now.
My reasoning is not only because this product is replacing AMP, but it has a good amount of the same structure and capabilities carried over.
So until we hear more, we can use this forum. Enjoy!
I'm trying to determine exactly what the Assessment Maintenance->Archive option does. The help pages seem to indicate that it archives "the scan" by compressing it and moving it to "a separate database". My questions are:
1. Does doing this help relieve problems with the AMP database filling up?
2. Does it compress and store all the scans in the assessment, or just all contributing scans?
Any help appreciated!
AMP is currently deployed through BigIP's F5 load balancer. After logging in to the AMP dashboard, users are immediately shown a "Your Session has Expired" page. However, if I access the AMP server directly (by IP address without going through the F5), users are able to maintain their session and the app functions correctly.
My questions are: Is there a setting in the AMP application itself that handles cookie management? Is there a setting somewhere that would be resetting the HTTP context (for example something like: vuser_init() or a checkbox for "Simulate a new user on each iteration") that would handle virtual user sessions?
Could you please help me find the total memory limit (total size) for the AMP web console, as I am trying to upload bulk scans into it?
Like WebInspect gives the option to edit current scan settings when the scan is paused, do we get the same feature in AMP?
Currently when I suspend a scan and try editing its configuration, it shows in read-only mode only!
Thanks & stay secure,