Adding or Editing Scanning Credentials
Credentials must be provided for Continuous Dynamic to scan sites that require user authentication (where users must log in for access). As a Continuous Dynamic Admin, you can add and edit these scanning credentials in the Continuous Dynamic Portal. We recommend that you provide two sets of scanning credentials for each site: a primary set and a secondary set to use as a backup.
Never provide the credentials of an existing user as a set of scanning credentials. The scanner submits forms and performs actions under whatever identity it is given, so use accounts created solely for scanning.
This article explains how to add, edit, and disable scanning credentials from the Site Details page, under the Assets tab. From here, you can also enter credentials for Business Logic Assessments (BLAs).
Mechanisms for providing scanning credentials
Continuous Dynamic supports the following mechanisms for providing scanning credentials.
A set of dedicated login credentials for the site that you want to scan.
Continuous Dynamic can retrieve scanning credentials from Privileged Access Management (PAM) solutions from HashiCorp®. To use this mechanism, an Admin must first create a PAM credentials object. For details, see PAM Authentication Overview.
Continuous Dynamic supports authenticated scanning of sites that implement multi-factor authentication (MFA). The supported MFA methods are: Time-based One-time Password (TOTP), Mobile SMS, and Email. For more information, see Multi-factor Authentication for Assessments.
Adding Scanning Credentials
To add scanning credentials to a site, perform the following steps:
1. In the Portal, select the Assets tab.
2. Select the site that you want to add scanning credentials for.
3. On the Site Details page, select the Scan subtab.
4. Click Add Credentials.
5. In the Add Credentials dialog, enter a Credential Name for your reference.
6. First, configure the Primary scanning credentials by editing the fields in the Primary column.
7. To store scanning credentials securely in the Continuous Dynamic Portal, follow these steps:
   - Select Username & Password as the Authentication Type (the default option).
   - Enter the Username and Password for your scanning credentials.
   - Go to step 9.
8. To use scanning credentials stored in a Privileged Access Management (PAM) solution from HashiCorp®, follow these steps:
   - Select PAM Integration as the Authentication Type. An Admin must have configured the HashiCorp PAM integration beforehand.
   - Select the PAM Object that is configured for use with the scanning credentials you want to add.
   - In the Target field, enter the target ID provided by Boundary (applies to the "Token" and "Credentials" auth methods only). The Target must start with ttcp_, for example ttcp_vneKty7ATw.
   - In the Secret Path field, enter the path to the secret in the Vault secrets engine (applies to the "App Role" auth method only).
   - Go to step 9.
9. Enter the Login Entrance URL and Destination URL of the site you want to scan.
10. Enter any additional Login Notes.
11. If the site uses Time-based One-time Password (TOTP) MFA, where users authenticate using a TOTP code generated in an authenticator app, perform the following steps:
   - Select the Enable Time-based One-time Password (TOTP) MFA checkbox.
   - Enter the Secret Key for your MFA provider account in the TOTP Secret Key field. Continuous Dynamic supports any TOTP generator, for example Google Authenticator or Duo Mobile, as long as you provide the Secret Key. The TOTP provider must use SHA-1 hashing and Base32-encoded Secret Keys; a provider configured for SHA-256 or SHA-512 produces codes that will not match the ones Continuous Dynamic generates. For more information, see Setting up Time-based One-time Password (TOTP) MFA.
12. (Recommended) Repeat the steps above in the Backup column to enter a second set of scanning credentials.
13. Click Save.
The Primary and Backup scanning credentials (if provided) are now available for use by Continuous Dynamic.
Editing Scanning Credentials
To edit existing scanning credentials for a site, perform the following steps:
1. In the Portal, select Assets > Site Details.
2. On the Site Details page, select the Scan subtab.
3. Click the blue chevron to expand the credentials that you want to edit.
4. Click Edit and then update the desired Primary and Backup login information.
5. Click Save.
Adding, Editing, or Disabling Business Logic Assessment Credentials
For sites under the DAST Premium Edition (PE) service, you can manage credentials used in Business Logic Assessments (BLAs) directly in the Portal.
If you are using a standalone BLA license for a site under the DAST Standard Edition (SE) service, you must contact Black Duck to add BLA credentials.
Adding Business Logic Assessment Credentials
To add BLA credentials for a site, perform the following steps:
1. In the Portal, select the Assets tab, then select a Site asset.
2. On the Site Details page, select the Services subtab.
3. Click Add Credentials.
4. In the Add Credentials dialog, enter a Credential Name for the BLA credentials. This name is displayed on the Services subtab.
5. First, configure the Primary BLA credentials by editing the fields in the Primary column.
6. To store BLA credentials securely in the Continuous Dynamic Portal, follow these steps:
   - Select Username & Password as the Authentication Type (the default option).
   - Enter the Username and Password for your BLA credentials.
   - Go to step 8.
7. To use BLA credentials stored in a Privileged Access Management (PAM) solution from HashiCorp®, follow these steps:
   - Select PAM Integration as the Authentication Type. An Admin must have configured the HashiCorp PAM integration beforehand.
   - Select the PAM Object that is configured for use with the BLA credentials you want to add.
   - In the Target field, enter the target ID provided by Boundary (applies to the "Token" and "Credentials" auth methods only). The Target must start with ttcp_, for example ttcp_vneKty7ATw.
   - In the Secret Path field, enter the path to the secret in the Vault secrets engine (applies to the "App Role" auth method only).
   - Go to step 8.
8. Enter the Login Entrance URL and Destination URL of the site that will be analyzed.
9. Enter any additional Login Notes.
10. If the site uses Time-based One-time Password (TOTP) MFA, where users authenticate using a TOTP code generated in an authenticator app, perform the following steps:
   - Select the Enable Time-based One-time Password (TOTP) MFA checkbox.
   - Enter the Secret Key for your MFA provider account in the TOTP Secret Key field. Continuous Dynamic supports any TOTP generator, for example Google Authenticator or Duo Mobile, as long as you provide the Secret Key. The TOTP provider must use SHA-1 hashing and Base32-encoded Secret Keys; a provider configured for SHA-256 or SHA-512 produces codes that will not match the ones Continuous Dynamic generates. For more information, see Setting up Time-based One-time Password (TOTP) MFA.
11. (Recommended) Repeat the steps above in the Backup column to enter a second set of BLA credentials.
12. Click Save to save the BLA credentials.
Using the provided BLA credentials, Threat Research Center (TRC) engineers can now perform a BLA for the selected site.
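Both the scanning-credential and the BLA-credential procedures above ask for a TOTP Secret Key that must be Base32-encoded and used with SHA-1. A mistyped or differently encoded secret only shows up later as a failed login, so it is worth checking the secret locally before saving it. The following script is an added example, not Continuous Dynamic code or anything the Portal exposes: it implements RFC 6238 TOTP (HMAC-SHA1) over a Base32 secret with Python's standard library, so you can confirm that the pasted secret produces the same six-digit code your authenticator app shows. The 30-second step and 6-digit length are the RFC 6238 defaults and are assumptions, since the page does not state them; the test key used to exercise it is the published RFC 6238 test vector, not a value from this page.

```python
"""TOTP (RFC 6238) self-check for a Base32, HMAC-SHA1 secret.

Added example, not part of Continuous Dynamic or its Portal. Run it before
saving a TOTP Secret Key to confirm the pasted secret yields the same code
your authenticator app shows. Step (30 s) and length (6 digits) are the
RFC 6238 defaults and are assumptions: the page does not state them.
"""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a Base32 secret as authenticator apps and MFA providers show it.

    Providers often display the key in lowercase groups separated by spaces
    and omit the trailing '=' padding; normalise all of that before decoding.
    Invalid Base32 characters raise binascii.Error (a ValueError subclass),
    which is exactly the signal you want before pasting the key into the Portal.
    """
    cleaned = "".join(secret.split()).upper().rstrip("=")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1; TOTP is HOTP over a time-derived counter."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for a Base32 secret at a Unix time (default: now)."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(decode_base32_secret(secret), t // step, digits)


def totp_matches(secret: str, observed: str, for_time=None,
                 step: int = 30, window: int = 1) -> bool:
    """True if `observed` is the TOTP for any step within +/- `window`.

    The window absorbs small clock skew between this host and the app.
    A mismatch even at window=1 means the secret (its value, its Base32
    encoding, or the provider's hash algorithm) is wrong, not that you
    typed the code too slowly.
    """
    t = int(time.time()) if for_time is None else int(for_time)
    return any(hmac.compare_digest(totp(secret, t + k * step, step), observed)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    import sys
    # Usage: python totp_check.py <Base32 secret> <6-digit code from your app>
    ok = totp_matches(sys.argv[1], sys.argv[2])
    verdict = ("match: the secret is correct" if ok else
               "MISMATCH: check the secret, its Base32 encoding, "
               "and that the provider uses SHA-1")
    print(verdict)
```

Run it with the secret exactly as you intend to paste it and the code currently displayed in the app. A match means the Base32 value and SHA-1 assumption are right; a mismatch on a correctly copied secret usually means the provider is issuing SHA-256/SHA-512 codes or a secret in a non-Base32 encoding, which the page states is unsupported.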
Editing Business Logic Assessment Credentials
To edit BLA credentials, perform the following steps:
1. In the Portal, select Assets > Site Details.
2. On the Site Details page, select the Services subtab.
3. Click the down arrow to expand the BLA credentials that you want to edit.
4. Click Edit and then update the login information you want to change.
5. Click Save.
Disabling Business Logic Assessment Credentials
1. To disable a set of BLA credentials, select them from the list, and then click Disable Credentials.
2. Select Confirm to disable the selected credentials.
The disabled credentials are no longer used for BLAs. To ensure that the BLA can still be completed, replace the credentials you disabled with a working set.
Setting Up Email Notification for BLA Status Changes
You can enable email notifications for certain BLA status changes in your Profile.