Fortify WebInspect Agent adds IAST capabilities to the Fortify WebInspect DAST scanner.
The agent instruments applications during dynamic scans to provide code-level details including file names, line numbers, and stack traces for each vulnerability.
What is Fortify WebInspect Agent?
The WebInspect Agent is an optional component that turns Fortify WebInspect from a pure DAST scanner into a hybrid DAST+IAST solution.
While WebInspect attacks the application from the outside, the agent watches code execution from the inside and correlates each external attack payload with the internal code path it reaches.
The combination covers both needs: DAST exercises the full, running application stack, and the IAST agent pinpoints where in the code each confirmed vulnerability lives.
Developers receive actionable reports with specific file and line references rather than vague HTTP-level descriptions.
The agent is included at no extra cost with WebInspect and WebInspect Enterprise licenses.
It is also available through the Fortify on Demand SaaS platform.
Key Features
Code-Level Vulnerability Reporting
When the agent detects a vulnerability during a scan, it captures the complete execution context:
- Source file name and path
- Line number where the vulnerability occurs
- Full stack trace showing the call chain
- Variable values at the point of exploitation
- Framework and library versions involved
This detail eliminates the guesswork that typically follows DAST-only scans.
Attack Validation
The agent confirms whether each attack launched by WebInspect actually reaches a vulnerable code path.
This distinguishes real exposures from payloads that a web application firewall, input validation, or another defensive layer stopped before they reached the code, which reduces false positives.
CAPTCHA Bypass
When the agent is deployed, it can help WebInspect get past CAPTCHA challenges that would otherwise block automated scanning.
The agent intercepts CAPTCHA validation at the application level, so scans proceed without manual intervention.
Because this disables a control the application relies on, keep agent-instrumented builds confined to test instances that never receive production traffic.
Integration with Fortify Static Code Analyzer
Organizations using Fortify SCA for SAST can correlate static findings with runtime observations from the WebInspect Agent.
This cross-referencing confirms which statically-detected vulnerabilities are actually reachable during execution.
How to Use Fortify WebInspect Agent
Java Agent Installation
Deploy the agent by adding it to the JVM arguments of the application under test:
# The agent JAR ships in the WebInspect installation directory
# (it can also be downloaded from the Fortify portal)
# Start the application with the agent attached
java -javaagent:/opt/fortify/WebInspectAgent.jar \
  -Dfortify.agent.server=https://webinspect.example.com:8089 \
  -Dfortify.agent.token=$AGENT_TOKEN \
  -jar your-application.jar
Values passed with -D are visible to every local user in the process list, so on shared hosts use the agent properties file (with restrictive file permissions) for the token and other advanced settings:
# agent.properties
fortify.agent.enabled=true
fortify.agent.server.url=https://webinspect.example.com:8089
fortify.agent.application.name=MyApplication
fortify.agent.session.id=auto
fortify.agent.log.level=INFO
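As an added example, and not code from the page or from Fortify, the following POSIX shell entrypoint attaches the agent only when it is explicitly enabled, refuses to do so in an environment named production, and fails closed instead of starting uninstrumented when a token is missing, the server URL is not HTTPS, or the agent JAR is absent. It reuses the -javaagent form and the -D property names from the snippet above; the FORTIFY_* and DEPLOY_ENV environment variable names, the script name and the JAR path are assumptions, and the property names should be confirmed against your agent version.

```shell
#!/bin/sh
# Entrypoint that attaches the WebInspect Agent only for non-production test instances.
# Assumed environment variables (not part of the page):
#   FORTIFY_AGENT_ENABLED  "true" to attach the agent (default: off)
#   FORTIFY_AGENT_SERVER   WebInspect agent endpoint, must be https://
#   FORTIFY_AGENT_TOKEN    agent token, injected by the deploy tooling
#   FORTIFY_AGENT_JAR      path to the agent JAR (default below)
#   DEPLOY_ENV             deployment tier; "prod"/"production" refuses the agent
#   APP_JAR                the application JAR to run
set -eu

agent_jvm_args() {
    # Prints the JVM arguments that attach the agent, or nothing when it is disabled.
    # Returns non-zero (and prints nothing) on any unsafe or incomplete configuration.
    if [ "${FORTIFY_AGENT_ENABLED:-false}" != "true" ]; then
        return 0
    fi
    case "${DEPLOY_ENV:-}" in
        prod|production|PROD|PRODUCTION)
            echo "refusing to attach the IAST agent in DEPLOY_ENV=$DEPLOY_ENV" >&2
            return 1 ;;
    esac
    if [ -z "${FORTIFY_AGENT_TOKEN:-}" ]; then
        echo "FORTIFY_AGENT_TOKEN is not set" >&2
        return 1
    fi
    case "${FORTIFY_AGENT_SERVER:-}" in
        https://*) ;;
        *)  echo "FORTIFY_AGENT_SERVER must be an https:// URL (got '${FORTIFY_AGENT_SERVER:-}')" >&2
            return 1 ;;
    esac
    jar="${FORTIFY_AGENT_JAR:-/opt/fortify/WebInspectAgent.jar}"
    if [ ! -r "$jar" ]; then
        echo "agent JAR not readable: $jar" >&2
        return 1
    fi
    # Property names follow the page's snippet (assumed); confirm them for your agent version.
    # -D values show up in the process list; prefer the agent properties file with
    # 0600 permissions where the agent supports it.
    printf '%s' "-javaagent:$jar -Dfortify.agent.server=$FORTIFY_AGENT_SERVER -Dfortify.agent.token=$FORTIFY_AGENT_TOKEN"
}

start_app() {
    # Exec the JVM with or without the agent. Exits non-zero rather than silently
    # running uninstrumented when the agent was requested but misconfigured.
    args="$(agent_jvm_args)" || exit 1
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    exec java $args -jar "${APP_JAR:-/app/app.jar}" "$@"
}

# Run only when invoked directly as the container entrypoint (not when sourced for testing).
if [ "${0##*/}" = "fortify-entrypoint.sh" ]; then
    start_app "$@"
fi
```

Bake the script into the test-only image tag (the page's myapp:fortify-agent) as its ENTRYPOINT; the production image never carries the agent JAR or this script, so an accidental FORTIFY_AGENT_ENABLED=true in production cannot instrument anything.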
.NET Agent Installation
For .NET applications, install the agent via the Windows installer or configure manually:
# Run the WebInspect Agent installer
msiexec /i FortifyWebInspectAgent.msi /qn
# Or configure via web.config
<!-- web.config for ASP.NET applications -->
<configuration>
  <appSettings>
    <add key="FortifyAgent.ServerUrl" value="https://webinspect.example.com:8089" />
    <!-- ASP.NET does not expand ${...} placeholders in appSettings: substitute the real
         token at deploy time (config transform or secret store) and keep it out of source control -->
    <add key="FortifyAgent.Token" value="${AGENT_TOKEN}" />
    <add key="FortifyAgent.AppName" value="MyApplication" />
  </appSettings>
  <system.webServer>
    <modules>
      <add name="FortifyAgentModule" type="Fortify.Agent.IISModule" />
    </modules>
  </system.webServer>
</configuration>
Configuring WebInspect for Agent Integration
Enable agent support in your WebInspect scan configuration:
- Open WebInspect and create or edit a scan
- Navigate to Settings > Agent
- Enable “Use WebInspect Agent”
- Configure the agent server URL and credentials
- Run the scan against the instrumented application
# CLI scan with agent enabled (wi.exe, in the WebInspect installation directory):
# -u target URL, -s settings file with the agent enabled, -ef export results as FPR
wi.exe -u "https://app-with-agent.example.com" ^
  -s agent_enabled.xml ^
  -ef scan_results.fpr
CI/CD Integration
Integrate WebInspect with agent into your deployment pipeline:
// Jenkins declarative pipeline example
pipeline {
    agent none
    environment {
        // Test-only hostname that the WebInspect node can reach; never a production host
        APP_URL = 'http://app-iast.test.example.com:8080'
        FORTIFY_SERVER = 'https://webinspect.example.com:8089'
    }
    stages {
        stage('Deploy with Agent') {
            agent { label 'docker' }
            steps {
                // The token comes from the Jenkins credential store, not from the Jenkinsfile
                withCredentials([string(credentialsId: 'fortify-agent-token', variable: 'FORTIFY_TOKEN')]) {
                    // Single-quoted script: the shell expands $FORTIFY_TOKEN, so the secret is
                    // never interpolated into Groovy or echoed into the build log
                    sh '''
                        docker run -d --name app-iast \
                          -e FORTIFY_AGENT_SERVER="$FORTIFY_SERVER" \
                          -e FORTIFY_AGENT_TOKEN="$FORTIFY_TOKEN" \
                          -p 8080:8080 \
                          myapp:fortify-agent
                    '''
                }
            }
        }
        stage('DAST+IAST Scan') {
            // WebInspect runs on Windows, so this stage needs a Windows node with WebInspect installed
            agent { label 'windows && webinspect' }
            steps {
                // -u target URL, -s settings file (agent enabled inside), -ef export FPR
                bat 'wi.exe -u "%APP_URL%" -s agent_enabled.xml -ef results.fpr'
                stash name: 'fpr', includes: 'results.fpr'
            }
        }
        stage('Process Results') {
            agent { label 'windows && webinspect' }
            steps {
                unstash 'fpr'
                // Upload to Fortify Software Security Center (Fortify Jenkins plugin step)
                fortifyUpload appName: 'MyApp', appVersion: '1.0', resultsFile: 'results.fpr'
            }
        }
    }
}
When to Use Fortify WebInspect Agent
The WebInspect Agent is valuable whenever you are already running Fortify WebInspect scans and want more actionable results.
The code-level detail turns each DAST finding into precise remediation guidance: the file, the line, and the call chain that reached it.
Consider using the WebInspect Agent when you need:
- Code-level details (file names, line numbers) for DAST findings
- Validation that detected vulnerabilities actually reach vulnerable code
- CAPTCHA bypass for automated scanning workflows
- Correlation between WebInspect DAST and Fortify SCA static findings
- Reduced false positives through runtime validation
- Integration with Fortify Software Security Center for centralized reporting
The agent is particularly valuable for Java and .NET enterprise applications where WebInspect is already part of the security testing strategy.
Because it instruments the runtime and can short-circuit controls such as CAPTCHA, deploy it only on dedicated test instances, never on production systems.