Integrating with Kubernetes for Scan Scaling
You can integrate Fortify ScanCentral DAST with Kubernetes to create a scalable cloud architecture that provides scan scaling functionality, resulting in faster scans of your applications.
During a scan, script engines replay TruClient macros and run scripts to reveal the Document Object Model (DOM) of the application and events on the page. Scan scaling involves automatically creating multiple pools of these script engines in Kubernetes. In essence, it distributes the work of performing the scan across multiple script engines, thereby reducing the amount of time it takes to conduct the scan.
Scan scaling might be beneficial for applications that generally have long-running scans.
The following diagram illustrates the integration of ScanCentral DAST with Kubernetes.
DNS Requirement
Your Domain Name System (DNS) can use Azure Private DNS zones. However, you must add a record into the DNS for the WebInspect script engine (WISE) ingress host name and the Kubernetes ingress controller IP address.
Sensor Installation Requirement
You must use one of the following options to install the Fortify WebInspect sensor for integration with Kubernetes:
- Install the Fortify WebInspect sensor on a machine that is located in the same subnet that is used by the Kubernetes cluster.
- If the Kubernetes cluster supports both Windows and Linux nodes on the same subnet, then you can install the Fortify WebInspect sensor into the Kubernetes cluster using the WebInspect Helm Charts.
Tip: Make note of the sensors that you install for integration with Kubernetes. You will need to add one or more of these sensors to the sensor pool(s) that you create for scan scaling.
Implementing Scan Scaling with Kubernetes
You must configure the machine(s) where the remote script engines will run and the Kubernetes node that will manage them. You must also configure at least one sensor pool for scan scaling and then enable scaling in your scan. The following table describes this process.
| Stage | Description |
|---|---|
| 1. | Download and configure kubectl and Helm software. For more information, see Downloading kubectl and Helm. |
| 2. | Deploy the HAProxy ingress Kubernetes controller. For more information, see Deploying HAProxy in Kubernetes. |
| 3. | Deploy the Kubernetes Metrics Server to handle horizontal auto scaling for the Kubernetes WISE pods. For more information, see Deploying the Kubernetes Metrics Server. |
| 4. | Deploy the WebInspect Script Engine (WISE) cluster in Kubernetes. For more information, see Deploying WISE in Kubernetes. |
| 5. | Optionally, install the Fortify WebInspect sensor into the Kubernetes cluster using the WebInspect Helm Charts available on GitHub at https://github.com/fortify/helm3-charts. |
| 6. | Configure one or more sensor pools for scan scaling. For more information, see Creating a DAST Sensor Pool. Note: Not all pools need to use scan scaling. You may only need one or two pools configured for scan scaling. You can then add your applications with long-running scans to the sensor pools that are configured for scan scaling. |
| 7. | Configure scan scaling in scan settings. For more information, see Enabling Scan Scaling. |
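As an added preflight check for the DNS requirement and for stages 2 through 4 above (example code, not Fortify's documentation or tooling), the following Python validates that the WISE ingress host name resolves to the ingress controller's IP, that the Metrics Server APIService is Available, and that a HorizontalPodAutoscaler targets the WISE Deployment, using JSON shaped like `kubectl get <resource> -o json` output. The host name, IP addresses and the `wise` Deployment name are constructed assumptions.

```python
import socket
from typing import Callable, List

# Constructed sample objects shaped like `kubectl get <resource> -o json` output.
SAMPLE_INGRESS_SVC = {"status": {"loadBalancer": {"ingress": [{"ip": "10.0.4.20"}]}}}
SAMPLE_METRICS_APISERVICE = {"status": {"conditions": [{"type": "Available", "status": "True"}]}}
SAMPLE_HPA_LIST = {"items": [{"spec": {"scaleTargetRef": {"kind": "Deployment", "name": "wise"},
                                       "minReplicas": 1, "maxReplicas": 8}}]}
# Constructed DNS table standing in for the record you add to the (private) DNS zone.
SAMPLE_DNS = {"wise.example.internal": "10.0.4.20"}

def ingress_ip(svc: dict) -> str:
    """External IP of the ingress controller's LoadBalancer Service (empty if unassigned)."""
    entries = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    return entries[0].get("ip", "") if entries else ""

def metrics_server_available(apiservice: dict) -> bool:
    """True when the metrics.k8s.io APIService reports the Available condition as True."""
    return any(c.get("type") == "Available" and c.get("status") == "True"
               for c in apiservice.get("status", {}).get("conditions", []))

def hpa_for(deployment: str, hpa_list: dict) -> dict:
    """The HPA whose scaleTargetRef is the named Deployment, or {} if none."""
    for item in hpa_list.get("items", []):
        ref = item.get("spec", {}).get("scaleTargetRef", {})
        if ref.get("kind") == "Deployment" and ref.get("name") == deployment:
            return item
    return {}

def preflight(wise_host: str, svc: dict, apiservice: dict, hpa_list: dict, wise_deployment: str,
              resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    problems = []  # empty list means the scan-scaling prerequisites are met
    lb_ip = ingress_ip(svc)
    try:
        resolved = resolve(wise_host)
    except (OSError, KeyError):  # socket.gaierror is an OSError; KeyError for the sample table
        resolved = ""
    if not lb_ip:
        problems.append("ingress controller Service has no external IP assigned yet")
    elif resolved != lb_ip:
        problems.append(f"DNS: {wise_host} resolves to {resolved or 'nothing'}, expected {lb_ip}")
    if not metrics_server_available(apiservice):
        problems.append("Metrics Server APIService not Available: the HPA cannot scale WISE pods")
    hpa = hpa_for(wise_deployment, hpa_list)
    if not hpa:
        problems.append(f"no HorizontalPodAutoscaler targets Deployment {wise_deployment}")
    elif hpa["spec"].get("minReplicas", 1) >= hpa["spec"].get("maxReplicas", 1):
        problems.append("HPA maxReplicas must exceed minReplicas, or no extra engines are added")
    return problems
```

Against a live cluster, feed `preflight` the parsed output of `kubectl get svc`, `kubectl get apiservice v1beta1.metrics.k8s.io` and `kubectl get hpa`, each with `-o json`, and leave `resolve` at its default so the real DNS answer is checked.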