Wednesday, May 5, 2010

WebInspect and Scheduled jobs

Many users may be unaware that WebInspect offers basic scheduling capabilities. I know that I prefer to watch my scans begin and run in case anything goes awry, but scheduling is a great tool for those recurring assessment targets where you have already performed assessments in the past and essentially know what to expect.

Bear in mind that while the WebInspect UI allows up to two simultaneous scans, the Scheduler, CLI, and Enterprise Assessment methods being discussed today are limited to running only single scans in series, one after the other.

1. Scan Settings File:

Obviously having the settings saved ahead of time will make the scheduling or repeating that much simpler. The scan settings reside as XML files on your machine, and they can be accessed or edited from several methods as follows.

* If the site has already been scanned successfully, save its settings as a settings file for re-use later. To do this, open that scan on-screen, click on the Edit menu > Current Scan Settings. The lower left corner offers the choice to "Save Settings As", to XML format.

* Or, pretend you are starting the scan, and on the final/fifth page of the WebInspect 8.1 scan wizard there is now a link that allows you to save the configured settings for later use. At this point you may cancel the scan wizard without running the assessment.

* Or, open the Default Scan Settings, modify everything you want, and then use the "Save Settings As" option found on the lower left-hand corner of that window. Access this screen from the Edit menu > Default Scan Settings, and using the Cancel button afterwards will ensure your actual Defaults are not modified.

* To edit your settings file further just use any of the methods above, or access it directly from the Manage Settings tool found under the Edit menu. Loading it in as your Default Scan Settings, and then re-saving it afterwards works well also.

2. Now set up the Scheduled job:

On the Start Page tab, click on the Manage Schedule button > Add, or just use the Schedule button found in the top toolbar to get to the same wizard. Proceed through the offered Schedule Wizard as follows. Having a saved scan settings file makes this simpler, but that file is not required.

The first screen of this Schedule Wizard deals with "When" to run it (e.g. Recurring, Weekly). The next five screens are the normal Scan Wizard the user always uses when kicking off assessments. The Settings button at the bottom of the screen allows you to simply drop in the saved setting file if you had one. The wizard's sixth page has an option to define a particular Report to auto-generate upon completion.

3. Scheduler background service:

To ensure the Scheduled Scan actually runs, make certain that the Windows service, "WebInspect Scheduler Service" is set to Automatic, i.e. it has not been disabled. If you prefer to set it to Manual, you have to manually start it before you leave for the night/weekend. The "HP ASC Monitor" icon in the System Tray provides a short route to start this service manually, or it can be managed through the Windows Control Panel (Administrative Tools). The scan will run so long as this scheduler service is running, regardless of whether the WebInspect UI is open or not.

Command Line Alternative:

WebInspect also offers the same automated scan methods via the Command Line Interface (CLI) that the Scheduler offers. Details can be found in the UI's Help guide under "Command Line Execution", or via "wi.exe -?". Among others, WI.EXE has an option to use a previously saved scan setting file. This version of WebInspect's scanner can be called from the CLI, any BAT file, the Windows AT command, or similar Windows features/tools that can be used to schedule and run CLI tools. The CLI scan option can be run regardless of the status of the WebInspect Scheduler Service, as they are not related or linked.

Back-to-Back Scan Options:

If you wish to run a series of scans, it is preferable to use the Enterprise Assessment to set that up, since it combines the Scheduler with one of the two primary assessment types (Web Site Assessment or Web Service Assessment). The normal Scheduler can kick off the scan, but it has no regard as to when it will end. That sort of additional awareness and scheduling flexibility was left to the enterprise solution, HP's Assessment Management Platform, which includes scan priorities and Black Out periods. If two (or more) WebInspect jobs are scheduled back-to-back, the second one may not start because the previous one has not yet completed, and when it does the window of opportunity to begin the next assessment may have long passed according to WebInspect's internal programming. The Enterprise Assessment automatically runs the configured scans in series, one after another.

Monitoring the status:

For all of these methods, bear in mind that there is no UI access into the scan's progress. You can see that it is running, and kill the service directly or the WebInspect.exe or WI.EXE process to halt it, but one cannot peek into it in real time. If you end the scan prematurely, the scan can always be opened in the UI and then the Resume button will allow the assessment to complete by running it within that UI interface.


No comments:

Post a Comment