As AppSec testing continues to grow, see Fortify’s new on-premise release

Application security testing continues to be the fastest growing of all tracked information security segments. If you don’t already know, Fortify is Micro Focus’ suite of application security products focused on testing and securing applications. Fortify has been known for its depth of coverage and innovation for more than a decade, and earlier in 2018 Gartner once again positioned Fortify as a leader in its "Magic Quadrant for Application Security Testing", citing both Fortify’s Completeness of Vision and Ability to Execute [1].

Feature updates for the latest on-premise release, 18.10, are where vision and execution intersect to provide our customers with a great product. Our May 2018 updates include some great new features. My favorite new feature is Security Assistant for Visual Studio 2017 (it even has its own blog post!). Fortify Security Assistant provides real-time, as-you-type security analysis of your code and shows the results immediately in the IDE (integrated development environment). This makes developers’ lives easier.

Here are some other new feature highlights for our on-premise products (Static Code Analyzer, Software Security Center, tools and WebInspect): 

Fortify Static Code Analyzer (SCA)
This release provides the ability to scan additional frameworks and new language versions, including these new features for SCA: 

.NET Enhancements
The following languages and frameworks have been added to our .NET support:

  • Support for Android and iOS Applications (including Forms Applications) built on Windows using Xamarin
  • Support for Azure Projects

Scala Enhancements

  • Fortify Static Code Analyzer now supports scanning Scala applications up to version 2.13
  • Support for applications based on the Scala Play framework

JavaScript Support

  • Support for applications built using the 2016 and 2017 ECMAScript scripting language specifications
  • Improved support for scanning Node.js applications

Apple Support
In this release we have added support for:

  • Swift 4 and Xcode 9.2 applications
  • The latest Objective-C/C++ compilers

Python Support
The following changes have been made to Python:

  • Python 3 applications are supported
  • Significant performance improvement when scanning large Python applications

Fortify Plugin for Bamboo
Fortify Static Code Analyzer extension for Atlassian Bamboo:

  • Integrates Fortify Static Code Analyzer with Gradle, Maven, MSBuild, and Visual Studio (devenv)
  • Uploads results to Fortify Software Security Center
  • Fail builds based upon user-selected build fail criteria
  • Support for all of the languages supported by Fortify Static Code Analyzer

The Fortify Bamboo extension is available through the Atlassian marketplace.

Fortify Software Security Center
This release provides improvements to make Software Security Center easier to use, including these new features: 

Token Management
This release includes a new user interface for managing tokens. You no longer have to use the CLI to create, extend, or revoke tokens. When a token is about to expire, a notification is sent, making interruptions due to expired tokens less likely. The token management interface can be accessed from the Administration section under Users.

Oracle Partitioning
A new partitioning script for Oracle can increase FPR processing throughput by up to 20%. The gain comes from enhanced DB access concurrency, which allows a higher maximum number of processing threads. The partitioning script for Oracle is located in the Fortify Software Security Center distribution in the following directory: /sql/oracle/extra/partitioning.sql.

Audit Assistant Auto-Apply – Automatically Audit Security Issues
With Audit Assistant you can now automatically apply Audit Assistant predictions to mapped analysis tags. Predictions that fall within the configured confidence threshold are audited automatically. To enable Audit Assistant auto-apply, navigate to the Administration section, then Configuration, and then Audit Assistant, and choose Enable Audit Assistant auto-apply.

JavaScript “Sandbox” API Utility
A number of new scenarios have been added to the JavaScript Sandbox utility. The scenarios provide examples of how to use the Fortify Software Security Center RESTful API, including:

  • Creating Application Versions
  • Batching User Assignment
  • Batching Request Audit Assistant Predictions and Training
  • Generating, tracking, and downloading reports

To help you get started, you can access our code and documentation on our github site.

Access Swagger-generated API Reference Documentation by browsing to “About ->” and then clicking “API Documentation” from within Fortify Software Security Center.

Consolidated Proxy Settings
Fortify Software Security Center now uses a consolidated proxy configuration section that can be re-used throughout the application instead of having to individually configure proxy configurations for things like Audit Assistant, bug trackers, etc. To enable and configure your organization’s proxy settings, browse to Administration -> Configuration -> Proxy. After your proxy configuration has been saved, you can browse to other areas of Fortify Software Security Center and check the “Use SSC proxy for <Feature>” option to use the proxy settings you configured.

Bug Tracker Plugin Redesign
The bug tracking plugins have been repackaged to leverage a new plugin framework and an OSGi container that helps Fortify Software Security Center avoid class collisions between plugins. The JIRA plugin has been rewritten with better comments in cleaner code. The included bug trackers can be enabled and configured by browsing to Administration -> Plugins -> Bug Tracking.

Fortify WebInspect
This release helps reduce friction with improved automation, including these new features for WebInspect Enterprise: 

Standalone Proxy Server
A standalone license-free proxy server with associated REST API is available to download via the Marketplace. The standalone proxy enables Fortify WebInspect Enterprise users to spin up and work with the WebInspect proxy without requiring WebInspect licenses to operate. This is particularly useful for automating workflows via traffic capture.

REST API Updates
The following new endpoints are now available via the WebInspect Enterprise REST API. A new Scan Requests resource adds the following abilities:

  • GET Scan Requests (/scanRequests/ or /projectVersions/{id:long}/scanRequests) returns a paged list of summaries. Clients can specify page size and start, and also whether to filter out completed scans.
  • GET Scan Request Details (/scanRequests/{id}/) returns the details of a specific scan request, i.e. the full metadata of the request form.
  • GET Scan Request Attachment (/scanRequests/{id}/attachments/{attachmentId}/) downloads the relevant attachment, if one is available for the specified scan request.
  • PUT Scan Request status update (/scanRequests/{id}/action with an action as defined in the Swagger doc, or a PUT to /scanRequests/ with a serialized ScanRequest object) updates the status of the specified scan request, if the transition is allowed.

A new scan export endpoint (/Scans/{id}/export) streams the exported scan in the response. Allowed export types are FPR, Scan, and XML.
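To show how these endpoints fit together in an automation script, here is a small Python client, written as an added example for this post and not taken from Fortify or the WebInspect Enterprise SDK. Only the endpoint paths, the page-size/start/completed-filter paging controls and the export types FPR, Scan and XML come from the release notes above; the base URL, the authorization header, the query-parameter names (start, pageSize, includeCompleted, type), the use of GET for export and the JSON shape ({"items": [...]}) are assumptions, so check them against the Swagger documentation before use. The client validates the export type against an allow-list and coerces ids to integers so that untrusted input cannot alter the request path; the transport is injectable, and a constructed stand-in server lets the example run offline.

```python
# Added example, not Fortify's code. Assumed: base URL, auth header name,
# query-parameter names, GET for export, and the {"items": [...]} JSON shape.
import json
import urllib.request
from typing import Callable, Iterator, List, Optional, Tuple

ALLOWED_EXPORT_TYPES = ("FPR", "Scan", "XML")  # from the release notes

# A transport takes (method, url) and returns (http_status, body_bytes).
Transport = Callable[[str, str], Tuple[int, bytes]]


class WieClient:
    """Thin client for the WebInspect Enterprise scan-request and export endpoints."""

    def __init__(self, base_url: str, token: str, transport: Optional[Transport] = None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport or self._http

    def _http(self, method: str, url: str) -> Tuple[int, bytes]:
        # Real HTTP path. The header name is an assumption; confirm it in the product docs.
        req = urllib.request.Request(url, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def iter_scan_requests(self, page_size: int = 50, include_completed: bool = False,
                           project_version_id: Optional[int] = None) -> Iterator[dict]:
        """Walk every page of scan-request summaries, optionally scoped to one project version."""
        if project_version_id is None:
            path = "/scanRequests/"
        else:
            # int() rejects anything that is not a plain id (raises ValueError).
            path = f"/projectVersions/{int(project_version_id)}/scanRequests"
        start = 0
        while True:
            url = (f"{self.base_url}{path}?start={start}&pageSize={int(page_size)}"
                   f"&includeCompleted={'true' if include_completed else 'false'}")
            status, body = self.transport("GET", url)
            if status != 200:
                raise RuntimeError(f"GET {url} returned HTTP {status}")
            items = json.loads(body).get("items", [])
            if not items:
                return
            yield from items
            if len(items) < page_size:  # short page means we reached the end
                return
            start += len(items)

    def export_scan(self, scan_id: int, export_type: str) -> bytes:
        """Download one scan in an allowed export format and return the raw bytes."""
        if export_type not in ALLOWED_EXPORT_TYPES:
            raise ValueError(f"export type must be one of {ALLOWED_EXPORT_TYPES}, got {export_type!r}")
        url = f"{self.base_url}/Scans/{int(scan_id)}/export?type={export_type}"
        status, body = self.transport("GET", url)
        if status != 200:
            raise RuntimeError(f"export of scan {scan_id} returned HTTP {status}")
        return body


def constructed_transport(method: str, url: str) -> Tuple[int, bytes]:
    """Stand-in for the server, constructed for this example: five scan requests, one export."""
    if "/Scans/" in url:
        return 200, b"FPR-BYTES"  # placeholder for the exported archive
    start = int(url.split("start=")[1].split("&")[0])
    page_size = int(url.split("pageSize=")[1].split("&")[0])
    requests = [{"id": n, "status": "Pending"} for n in range(1, 6)]  # constructed sample data
    return 200, json.dumps({"items": requests[start:start + page_size]}).encode()


def demo() -> Tuple[List[int], int]:
    """Page through all requests two at a time, then export one scan as FPR."""
    client = WieClient("https://wie.example.internal/api", "TOKEN-PLACEHOLDER",
                       transport=constructed_transport)
    ids = [r["id"] for r in client.iter_scan_requests(page_size=2)]
    exported = client.export_scan(42, "FPR")
    return ids, len(exported)


if __name__ == "__main__":
    print(demo())  # ([1, 2, 3, 4, 5], 9)
```

Dropping the transport argument makes the client talk to a real server over urllib; keeping the paging loop and the allow-list check independent of the HTTP layer is what makes them testable without a WebInspect Enterprise instance.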

For more information
There’s a lot more documentation here:

If you are a current customer and have questions, contact Micro Focus Fortify Customer Support using one of the following options.

  1. Manage Your Account:
  2. Call Support in the US: 1.844.260.7219 

If your organization is interested in secure application development, security testing, and continuous monitoring and protection of apps and the valuable data they contain, check out Micro Focus Fortify.


[1] Source: Gartner, "Gartner 2018 Magic Quadrant for Application Security Testing", March 2018.