Installation and Configuration of ScanCentral SAST

Jul 20, 2024

Presenter

  • Name: Jan
  • Role: Fortify Pre-Sales Consultant based in Germany

Objective

  • How to install and configure ScanCentral SAST
  • Includes SAST controller, sensor, client
  • Tips and tricks also provided

Questions

  • Leave questions in the comments
  • Links and timestamps in the video description

Agenda

  1. Overview of ScanCentral SAST components
  2. Documentation and installation guide
  3. Configuration of components (controller, sensor, client)
  4. Tips and tricks

Components Overview

Documentation

  • Find information at microfocus.com/documentation
  • Search for "software security center" to find relevant documentation
  • Important documents include installation, configuration, and system requirements guides

ScanCentral SAST Controller

  • The brain of ScanCentral SAST
  • Manages all scans and communicates with other components
  • Essential for the coordination of scans
  • Installed on Windows Server

Sensors

  • Workhorse for running scans
  • Managed in sensor pools for different hardware capacities
  • Physically carry out the scan jobs
  • Configurable in pools like "low hardware" or "heavy hardware"

Clients

  • Embedded Client: Part of Fortify Static Code Analyzer (SCA), offloads only the scan
  • Standalone Client: Unzip and use, offloads both translation and scan

Software Security Center (SSC)

  • UI for interacting with scans and sensor information

Installation Steps

Controller Installation

  1. Check system for requirements (e.g., Java)
  2. Download Fortify ScanCentral controller zip
  3. Unzip to desired directory (e.g., C:\Program Files\Fortify)
  4. Configure authentication tokens in config.properties
  5. Connect controller to SSC
  6. Install the service using command line (e.g., service.bat install)
  7. Start the service and verify connectivity

Sensor Installation

  1. Install Fortify SCA and update rule packs
  2. Configure worker authentication token in worker.properties
  3. Install sensor as a service on Windows using command line
  4. Verify sensor registration in SSC

Client Installation

Standalone Client - Ubuntu

  1. Check supported languages and system requirements
  2. Use a simple Java sample app (e.g., AWS SDK demo)
  3. Configure client.properties
  4. Use ScanCentral utility to start translation and scan
  5. Verify scan results in SSC

Embedded Client

  1. Use SCA for translation; offload scanning
  2. Configure embedded client to connect to ScanCentral
  3. Use IDE plugins for easy integration (optional)

Tips and Tricks

  1. Avoid spaces in authentication tokens
  2. When changing tokens, follow the sequence: update the controller first, then the worker
  3. Ensure all connections are open between components (no firewall or port issues)
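As an added example (not from the video, from Jan, or from Fortify's own tooling), the following POSIX shell script cross-checks the property files edited in the controller, sensor and client installation steps above against the three tips: it flags tokens that are empty or contain whitespace, flags a sensor or client whose token no longer matches what the controller expects after a token change, and offers a port reachability check for the connectivity tip. The key names worker_auth_token and client_auth_token, the file names, and the sample token values are assumptions; confirm the keys in the installation guide for your version before relying on the script.

```shell
#!/bin/sh
# Constructed example, not part of the original video or of Fortify's tooling.
# ASSUMPTION: the keys worker_auth_token and client_auth_token are the ones
# used in config.properties (controller), worker.properties (sensor) and
# client.properties (client); check the installation guide for your version.

# Print the value of key $2 from the Java-style properties file $1.
# Only the key=value form is handled. A CR from a Windows-edited file and
# leading whitespace (which Java ignores) are dropped; trailing or inner
# whitespace is kept on purpose so that it can be reported.
prop_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '\r' | head -n 1
}

# Tip 1: a token must be non-empty and contain no whitespace at all.
token_ok() {
  case "$1" in
    '' | *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Tip 2: after a token change, the token a sensor or client presents must
# equal the one the controller expects; both must be non-empty to match.
tokens_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Tip 3: can this host reach a controller or SSC port? Uses nc when present;
# returns 2 when no checker is installed so "unknown" differs from "closed".
# Not exercised by the sample run below, which stays offline.
port_open() {
  command -v nc >/dev/null 2>&1 || return 2
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Evaluate "$@" as a check, print PASS/FAIL with $1 as description and
# count failures in the global variable fails.
report() {
  desc=$1; shift
  if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Run all checks against the three files; returns the number of failures.
check_setup() {
  ctrl_cfg=$1; worker_cfg=$2; client_cfg=$3
  fails=0
  ctrl_worker_tok=$(prop_get "$ctrl_cfg" worker_auth_token)
  ctrl_client_tok=$(prop_get "$ctrl_cfg" client_auth_token)
  worker_tok=$(prop_get "$worker_cfg" worker_auth_token)
  client_tok=$(prop_get "$client_cfg" client_auth_token)
  report "controller worker_auth_token has no whitespace" token_ok "$ctrl_worker_tok"
  report "controller client_auth_token has no whitespace" token_ok "$ctrl_client_tok"
  report "sensor worker_auth_token has no whitespace" token_ok "$worker_tok"
  report "client client_auth_token has no whitespace" token_ok "$client_tok"
  report "sensor token matches controller" tokens_match "$worker_tok" "$ctrl_worker_tok"
  report "client token matches controller" tokens_match "$client_tok" "$ctrl_client_tok"
  return "$fails"
}

# Constructed sample files in directory $1: a consistent set, a sensor file
# whose token contains a space (tip 1), and a client file whose token was
# not updated after the controller's token changed (tip 2).
write_samples() {
  dir=$1
  printf '# constructed controller config\nworker_auth_token=wrk-7f3a9c\nclient_auth_token=cli-51d2e8\n' > "$dir/config.properties"
  printf 'worker_auth_token=wrk-7f3a9c\n' > "$dir/worker.properties"
  printf 'client_auth_token=cli-51d2e8\n' > "$dir/client.properties"
  printf 'worker_auth_token=wrk 7f3a9c\r\n' > "$dir/worker-bad.properties"
  printf 'client_auth_token=cli-old000\n' > "$dir/client-stale.properties"
}

# Sample run on the constructed files.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== consistent set =="
check_setup "$tmp/config.properties" "$tmp/worker.properties" "$tmp/client.properties" || echo "failures: $?"
echo "== sensor token with a space, stale client token =="
check_setup "$tmp/config.properties" "$tmp/worker-bad.properties" "$tmp/client-stale.properties" || echo "failures: $?"
rm -rf "$tmp"
```

Run it on the Ubuntu client host (or any Unix box) with copies of the three property files as arguments to check_setup; the second sample run reports three failures, one for the whitespace in the sensor token and two for the tokens that no longer agree with the controller.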

Final Notes

  • Links and resources provided in the video description
  • Leave feedback and questions in the comments
  • Watch the other related videos for more detailed configuration walkthroughs