Adding or Editing Scanning Credentials

Credentials must be provided for Continuous Dynamic to scan sites that require user authentication (where users must log in for access). As a Continuous Dynamic Admin, you can add and edit these scanning credentials in the Continuous Dynamic Portal. We recommend that you provide two sets of scanning credentials for each site: a Primary set and a Backup set that the scanner can fall back to if the primary set stops working.

Never provide the credentials of an existing user as a set of scanning credentials. Always use dedicated accounts created for scanning: the scanner submits forms and follows links as that user, so a real user's account and data would be affected by the scan, and the scanner's activity would be indistinguishable from that user's in your application logs.

This article explains how to add, edit, and disable scanning credentials from the Site Details page, under the Assets tab. From here, you can also enter credentials for Business Logic Assessments (BLAs).

Mechanisms for providing scanning credentials

Continuous Dynamic supports the following mechanisms for providing scanning credentials.

Username and password

A set of dedicated login credentials for the site that you want to scan.

Privileged Access Management (PAM) integration

Continuous Dynamic can retrieve scanning credentials from Privileged Access Management (PAM) solutions from HashiCorp® (Vault, optionally fronted by Boundary). To use this mechanism, an Admin must first create a PAM credentials object. For details, see PAM Authentication Overview.

Multi-factor authentication

Continuous Dynamic supports authenticated scanning of sites that implement multi-factor authentication (MFA). The supported MFA methods are: Time-based One-time Password (TOTP), Mobile SMS, and Email. For more information, see Multi-factor Authentication for Assessments.

Adding Scanning Credentials

To add scanning credentials to a site, perform the following steps:

  1. In the Portal, select the Assets tab.

  2. Select the site that you want to add scanning credentials for.

  3. On the Site Details page, select the Scan subtab.

    [Screenshot: assets scan screen]
  4. Click Add Credentials.

  5. In the Add Credentials dialog, enter a Credential Name for your reference.

    [Screenshot: add scan credentials dialog with MFA checkbox]
  6. First, configure the Primary scanning credentials by editing the fields in the Primary column.

  7. To securely store scanning credentials in the Continuous Dynamic Portal, follow these steps:

    1. Select Username & Password as the Authentication Type (the default option).

    2. Enter the Username and Password for your scanning credentials.

    3. Go to step 9.

  8. To use scanning credentials stored in Privileged Access Management (PAM) solutions from HashiCorp®, follow these steps:

    1. Select PAM Integration as the Authentication Type.

      An Admin must have configured the HashiCorp PAM integration.
    2. Select the PAM Object that is configured for use with the scanning credentials you want to add.

    3. In the Target field, enter the target ID provided from Boundary (applies to "Token" and "Credentials" auth methods only). The Target must start with ttcp_, for example, ttcp_vneKty7ATw.

    4. In the Secret Path field, enter the path to the secret in the Vault secret engine (applies to the "App Role" auth method only).

    5. Go to step 9.

  9. Enter the Login Entrance URL and Destination URL of the site you want to scan.

  10. Enter any additional Login Notes.

  11. If the site uses Time-based One-time Password (TOTP) MFA, where users authenticate using a TOTP token generated in an authenticator app, perform the following steps:

    1. Select the Enable Time-based One-time Password (TOTP) MFA checkbox.

    2. Enter the Secret Key for your MFA provider account in the TOTP Secret Key field.

      Continuous Dynamic supports any TOTP generator - for example, Google Authenticator or Duo Mobile - as long as you provide a Secret Key. The TOTP provider must use SHA-1 hashing and Base32-encoded Secret Keys (the RFC 6238 defaults used by most authenticator apps); seeds issued for SHA-256 or SHA-512 TOTP will not produce matching codes. For more information, see Setting up Time-based One-time Password (TOTP) MFA.
  12. (Recommended) Repeat steps 6 through 11 in the Backup column to enter login information for a second set of Backup scanning credentials.

  13. Click Save.

The Primary and Backup scanning credentials (if provided) are now available for use by Continuous Dynamic.

Editing Scanning Credentials

To edit existing scanning credentials for a site, perform the following steps:

  1. In the Portal, select Assets > Site Details.

  2. On the Site Details page, select the Scan subtab.

  3. Click the blue chevron to expand the credentials that you want to edit.

    [Screenshot: edit scan credentials]
  4. Click Edit and then update the desired Primary and Backup login information.

  5. Click Save.

Adding, Editing, or Disabling Business Logic Assessment Credentials

For sites under the DAST Premium Edition (PE) service, you can manage credentials used in Business Logic Assessments (BLAs) directly in the Portal.

If you are using a standalone BLA license for a site under the DAST Standard Edition (SE) service, you must contact Black Duck to add BLA credentials.

Adding Business Logic Assessment Credentials

To add BLA credentials for a site, perform the following steps:

  1. In the Portal, select the Assets tab, then select a Site asset.

  2. On the Site Details page, select the Services subtab.

  3. Click Add Credentials:

    [Screenshot: BLA Add Credentials button]
  4. In the Add Credentials dialog, enter a Credential Name for the BLA credentials. This will be displayed on the Services subtab.

    [Screenshot: add BLA credentials dialog including MFA and PAM options]
  5. First, configure the Primary BLA credentials by editing the fields in the Primary column.

  6. To securely store BLA credentials in the Continuous Dynamic Portal, follow these steps:

    1. Select Username & Password as the Authentication Type (the default option).

    2. Enter the Username and Password for your BLA credentials.

    3. Go to step 8.

  7. To use BLA credentials stored in Privileged Access Management (PAM) solutions from HashiCorp®, follow these steps:

    1. Select PAM Integration as the Authentication Type.

      An Admin must have configured the HashiCorp PAM integration.
    2. Select the PAM Object that is configured for use with the BLA credentials you want to add.

    3. In the Target field, enter the target ID provided from Boundary (applies to "Token" and "Credentials" auth methods only). The Target must start with ttcp_, for example, ttcp_vneKty7ATw.

    4. In the Secret Path field, enter the path to the secret in the Vault secret engine (applies to the "App Role" auth method only).

    5. Go to step 8.

  8. Enter the Login Entrance URL and Destination URL of the site that will be analyzed.

  9. Enter any additional Login Notes.

  10. If the site uses Time-based One-time Password (TOTP) MFA, where users authenticate using a TOTP token generated in an authenticator app, perform the following steps:

    1. Select the Enable Time-based One-time Password (TOTP) MFA checkbox.

    2. Enter the Secret Key for your MFA provider account in the TOTP Secret Key field.

      Continuous Dynamic supports any TOTP generator - for example, Google Authenticator or Duo Mobile - as long as you provide a Secret Key. The TOTP provider must use SHA-1 hashing and Base32-encoded Secret Keys (the RFC 6238 defaults used by most authenticator apps); seeds issued for SHA-256 or SHA-512 TOTP will not produce matching codes. For more information, see Setting up Time-based One-time Password (TOTP) MFA.
  11. (Recommended) Repeat steps 5 through 10 in the Backup column to enter login information for a second set of Backup BLA credentials.

  12. Click Save to save the BLA credentials.

Using the provided BLA credentials, Threat Research Center (TRC) engineers can now perform a BLA for the selected site.
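Before saving a TOTP Secret Key, either for scanning credentials or for BLA credentials, it is worth confirming that the seed really is Base32 and that the SHA-1 code it produces matches what your authenticator app shows for the same seed. The following Python script is an added example, not part of the Continuous Dynamic documentation or product. It normalizes a seed the way authenticator apps do (lowercase, spaces and missing padding tolerated), computes RFC 6238 codes with the SHA-1, 30-second, 6-digit defaults, and also computes the SHA-256 variant so that a mismatch with your app points you at the hashing algorithm. The function names and the sample seed (the RFC 6238 test vector) are constructed for this example.

```python
"""Check a TOTP seed before entering it as the TOTP Secret Key.

Added example; not from the Continuous Dynamic documentation. Function
names are illustrative. The seed below is the RFC 6238 Appendix B test
key ("12345678901234567890" in ASCII) as Base32, written the way an
enrollment page often displays it: lowercase and grouped with spaces.
"""
import base64
import binascii
import hashlib
import hmac
import struct
import time

SAMPLE_SEED = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"  # constructed sample


def normalize_base32_seed(seed: str) -> bytes:
    """Return the raw key bytes for a Base32 seed, or raise ValueError.

    Authenticator apps accept lowercase, whitespace and omitted '=' padding.
    Normalize those first so a seed that works in the app is accepted here,
    while a value that is not Base32 at all (hex, or a password pasted into
    the wrong field) is rejected instead of silently producing wrong codes.
    """
    cleaned = "".join(seed.split()).upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty seed")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded, casefold=False)
    except binascii.Error as exc:
        raise ValueError(f"seed is not valid Base32: {exc}") from exc


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(unix_time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, algorithm).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def current_code(seed: str) -> str:
    """Code a SHA-1 / 30 s / 6-digit generator produces right now for this seed."""
    return totp(normalize_base32_seed(seed), int(time.time()))


if __name__ == "__main__":
    key = normalize_base32_seed(SAMPLE_SEED)
    now = int(time.time())
    print(f"seed decodes to {len(key)} bytes")
    print("SHA-1 code now  :", totp(key, now))
    # If the app shows this value instead, the provider issues SHA-256 seeds,
    # which the SHA-1 requirement does not cover.
    print("SHA-256 code now:", totp(key, now, algorithm=hashlib.sha256))
```

Run it, then open the same seed in your authenticator app: if the SHA-1 line matches the app, the seed can be entered as-is; if only the SHA-256 line matches, or neither does (a non-default step or digit count), the provider account is not compatible with the SHA-1 requirement above and a different TOTP enrollment is needed for the scanning account.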
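When the PAM Integration authentication type with the "App Role" method is used, for scanning credentials or for BLA credentials, the Secret Path you enter only works if the AppRole that Continuous Dynamic authenticates as is allowed to read that path, and nothing more. The Vault policy below is an added example, not part of the Continuous Dynamic documentation or of the PAM Authentication Overview. It assumes a KV version 2 engine mounted at secret/ and a hypothetical path secret/scanners/app1 holding the scanning account's username and password.

```hcl
# Added example; hypothetical mount and path. For a KV v2 engine the policy
# path carries the "data/" segment even though the CLI form of the same
# secret is "vault kv get secret/scanners/app1" without it. Check the PAM
# Authentication Overview for which form the portal's Secret Path field expects.
path "secret/data/scanners/app1" {
  capabilities = ["read"]
}

# Deliberately absent: "list" on the mount and wildcards such as
# "secret/data/*". The scanner's AppRole should read only its own seeds,
# so a leaked role ID and secret ID cannot enumerate other credentials.
```

Load the policy with `vault policy write continuous-dynamic-scanner policy.hcl` and attach it to the AppRole with `vault write auth/approle/role/<role> token_policies="continuous-dynamic-scanner"` (role name assumed); then confirm that a token from that role can read the exact Secret Path you entered in the portal and is denied on a sibling path.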

Editing Business Logic Assessment Credentials

To edit BLA credentials, perform the following steps:

  1. In the Portal, select Assets > Site Details.

  2. On the Site Details page, select the Services subtab.

  3. Click the down arrow to expand the BLA credentials that you want to edit.

    [Screenshot: edit BLA credentials]
  4. Click Edit and then update the login information you want to change.

  5. Click Save.

Disabling Business Logic Assessment Credentials

  1. To disable a set of BLA credentials, select them from the list, and then click Disable Credentials.

    [Screenshot: BLA Disable Credentials button]
  2. Select Confirm to disable the selected credentials.

    [Screenshot: BLA credentials disable confirmation]

The disabled credentials are no longer used for BLAs. To ensure your BLA can be completed, replace the credentials you disabled with a working set.

Setting Up Email Notification for BLA Status Changes

You can enable email notifications for certain BLA status changes in your Profile.