Getting back to the task of adding
support for the ASP.NET MVC framework and following the advice of the
architects of the language:

of writing and deploying an F4F handler that uses the F4F high-level
APIs are described in the AppScan Source document
Security_AppScan_Source_Utilities.pdf shipped with the product. See
Chapt. 7.”

Hence it seems that we shall create a
new F4F Handler (also known around town as a 'WAFL Generator') –
which is the mechanism by which the .wafl files are created during
each scan for use by the Analysis Engine.

the F4FEjbExample.zip provided in the <appscan_install_dir>\samples\
directory as a guide and Eclipse as the development environment of
choice. Given that the user manual is quite detailed in the
procedure, I will only highlight the changes that I'm making - since
we'll be replacing the support for Java Enterprise Java Beans (EJB)
with ASP.NET MVC.

I still believe the ideal 'support scenario' to pursue is actually to create
a generic F4F Handler that can be integrated with various framework
mapping scripts and ultimately build a foundation for the various
tools to communicate by way of this abstract language.

a bit of coding around with the example, trying to add Tainted
Callbacks as appropriate for many of the ASP.NET MVC data flow paths,
and feeling a bit out of my element without my C# extension and lambda
methods, I'm contemplating just generating a 'template' .wafl file
with the F4F Handler and then populating the proper elements from a
Runtime.Exec() call out to my friendly neighborhood scripts....

this first draft anyway, with pointers to the samples and docs, in case anyone
has some better suggestions to move forward or the initiative to
tackle this in the 'documented and supported' manner.

I shall return...just going to check if anyone might have managed to
procure one of those AppScan Appliance Mainframes for me yet.