
CyberRes Fortify Product Announcement: SCA, SSC, WI & WIE 21.2.0


Software 21.2.0
December 2021

At Fortify, our goal is to assist organizations in building software resilience for modern development from a partner they can trust. Fortify continues to cover a wide range of AppSec use cases common to today's landscape. From DevSecOps, Cloud Transformation, Securing the Software Supply Chain, and Maturity at Scale, Fortify delivers a holistic, inclusive, and extensible platform that supports the breadth of your software portfolio.

We are excited to announce the general availability of our CyberRes Fortify 21.2.0 release! With enhanced offerings to increase speed, accuracy, scalability, and ease of use, this marks another important chapter in Fortify’s elevation of application security. This release contains updates to Fortify Static Code Analyzer, Fortify WebInspect, Fortify Software Security Center, and Fortify Software Composition Analysis.

This release of CyberRes Fortify Software includes the following new functions and features:

CyberRes Fortify Software Security Center

The following features have been added to Fortify Software Security Center.

Static/Dynamic Issue Correlation Indicator

  • In this release, we introduce the static/dynamic issue correlation indicator. After static and dynamic scans are run on an application version and the results have been uploaded to Fortify Software Security Center, issues that were uncovered by both static and dynamic scans are tagged with the correlation indicator on the AUDIT page.

ScanCentral SAST Controller Updates

  • You can now place the ScanCentral SAST Controller into maintenance mode, which prevents scans that are running on the sensors from losing data.
  • You can shut down ScanCentral SAST Controller sensors individually or in a batch.

ScanCentral DAST Scans Support

  • The Scans feature now includes both static and dynamic scan results.

New Premium Quarterly Reports

  • PCI SSF (Software Security Framework) 1.2 report
  • CWE Top 25 report

LDAP Update

  • You can now configure Fortify Software Security Center to invalidate tokens created by users who have been disabled in LDAP.

Java 11 Deployment

  • Software Security Center can be deployed in a Java 11 (or higher) environment.

Kubernetes Updates

  • Added support for Kubernetes 1.21
  • Added support for Helm 3.6 and 3.7

CyberRes Fortify ScanCentral SAST
The following features have been added to Fortify ScanCentral SAST.

Support for the Fortify License and Infrastructure Manager

  • You can now centrally manage your Fortify ScanCentral SAST licenses through the Fortify License and Infrastructure Manager.

MSBuild Integration Update

  • With the 21.1.0 release of Fortify Static Code Analyzer, MSBuild integration was updated with support for .NET 5 and other new features. Fortify ScanCentral SAST now supports this new MSBuild integration functionality.

Go Language Support

  • Added support for Go version 1.17.

Graceful Shutdown and Timer Support

  • When shutting down Fortify ScanCentral SAST, the controller allows currently running scans to complete while keeping other scans from starting. Once the controller is running again, it runs the scans in the queue. In addition, a timeout can be set for long-running scans; when the timeout is exceeded, the scan is cancelled and the sensor is freed to pick up a new scan request.

Sensor Pool Assignment Improvement

  • When starting up a sensor, you can assign it to a specific sensor pool without having to use the Fortify Software Security Center UI.

CyberRes Fortify Static Code Analyzer
The following features have been added to Fortify Static Code Analyzer.

Fortify License and Infrastructure Manager

  • For customers that use Fortify under the Concurrent Scanning license model, Fortify Static Code Analyzer can now use the Fortify License and Infrastructure Manager to obtain a license key rather than the traditional fortify.license file. This enables the correct sharing of the Fortify Scan Machine license metric between Fortify Static Code Analyzer and WebInspect instances. The option to use the traditional fortify.license file is still available.

Regular Expression (regex) Analysis

  • The Fortify Static Code Analyzer Configuration analyzer can now detect vulnerabilities in file names and content using RegEx-based rules.

Operating System Updates
Fortify added support for the following operating systems and versions:

  • IBM AIX 7.1
  • Oracle Solaris SPARC 11.3
  • Oracle Solaris x64 11.4
  • Windows Server 2022

Compiler Updates
Fortify added support for the following compiler versions:

  • gcc 10.2.1
  • g++ 10.2.1
  • Swiftc 5.4.2

Build Tool Updates
Fortify added support for the following build tool versions:

  • Gradle 7.2
  • Maven 3.8.2
  • MSBuild 16.11
  • Xcodebuild 12.5.1

C++ Updates

  • Added support for gcc on Macintosh
  • Added support for gcc version 10.2.1
  • Added support for C++ 14 and 17

JavaScript Improvements

  • Added support for ECMAScript 2021
  • Added support for TypeScript 4.2 - 4.3
  • Type inference improvements
  • Added support for SAPUI5/OpenUI5
  • Minified JS excluded from scan by default

Go Language Update

  • Added support for Go 1.17

YAML Support

  • Added support for translating YAML code

Kotlin Update

  • Added support for Kotlin 1.5

PHP

  • Completed support for PHP 8

Scala

  • Eliminated the need for a separate license from Lightbend for Scala translations. A license key is still required to run the plugin. The key is now included in the Fortify distribution.

Configuration Scanning

  • JSON scanning enabled by default
  • Added YAML scanning

CyberRes Fortify Static Code Analyzer Tools
The following features have been added to Fortify Static Code Analyzer Tools.

ScanCentral SAST Support

  • Added Remote Translation capability to Fortify Scan Wizard, and the Fortify Eclipse Plugins
  • Added ability to configure Fortify ScanCentral SAST and launch local and remote translations and scans from the Fortify Eclipse Complete Plugin Advanced Analysis.

New PCI SSF Report
Generate new PCI SSF Report (version 1.2) from the following tools:

  • Fortify Audit Workbench
  • Fortify Visual Studio Extension
  • Fortify Eclipse Plugins (Complete and Remediation)
  • BIRT Report Generator

CyberRes Fortify ScanCentral DAST
The following features have been added to Fortify ScanCentral DAST.

Correlated Issues

  • ScanCentral DAST can now uncover correlations between DAST and SAST results and forward the information to Fortify Software Security Center. Correlated results are displayed in the Fortify Software Security Center AUDIT View.

Scan Visualization Update

  • Selected scan visualizations can be opened in a new browser tab rather than using Site Explorer.

Client-Side Certificate Support

  • Upload a certificate and password for use when running a scan. If a scan requires the certificate, ScanCentral DAST will download and install it.
  • Enable Redundant Page Detection and use it when running a scan.

Scan Priority Level

  • All scans can be assigned a priority level.
  • When a scan is queued because there isn't a free sensor and a scan with a lower priority is running, the lower-priority scan will be shut down so the scan with the higher priority can run. The scan with the lower priority will restart when a sensor becomes available.

Azure SQL Support

  • The ScanCentral DAST Configuration Tool now supports Azure SQL and Azure Managed SQL.
  • The ScanCentral DAST container now supports Azure SQL and Azure Managed SQL.

CyberRes Fortify WebInspect
The following features have been added to Fortify WebInspect.

API Discovery

With the new API Discovery, any Swagger or OpenAPI schema detected during a scan will have its endpoints added to the existing scan and authentication will be applied to the endpoints with our automatic state detection. In addition, probes will be sent to default locations of popular API frameworks to discover schemas.

Two-factor Authentication

Two-factor authentication is a common requirement in enterprises and can be a burden for the security tester, who must either obtain a bypass or scan manually. WebInspect now offers the ability to automate two-factor authentication scans. This is accomplished by installing a lightweight Android app onto a phone or emulator that can capture SMS and email tokens and pass them back to the scanner for authentication. Once configured, no user interaction is needed.

Automatic State Detection

WebInspect now automatically detects and configures state for OAuth, JWT, and Bearer tokens during a scan.

Engine 6.1 Updates

Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.1.

Improved DOM XSS Detection

WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for XSS. This allows for improved XSS attack performance and the ability to detect client-side-only attacks, such as XSS in DOM fragments.

Web Fuzzer Tool

The Web Fuzzer Tool lets you run fuzzing tests that submit random or sequential data to various areas of an application to uncover security vulnerabilities. For example, when searching for buffer overflows, a tester can generate data of various sizes and send it to one of the application's entry points to observe how the application handles it.

CyberRes Fortify WebInspect Enterprise
The following features have been added to the Fortify WebInspect sensor used in WebInspect Enterprise.

API Discovery

With the new API Discovery function in WebInspect, any Swagger or OpenAPI schema detected during a scan will have its endpoints added to the existing scan and authentication will be applied to the endpoints with our automatic state detection. In addition, probes will be sent to default locations of popular API frameworks to discover schemas.

Automatic State Detection

WebInspect now automatically detects and configures state for OAuth, JWT, and Bearer tokens during a scan.

Engine 6.1 Updates

Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.1.

Improved DOM XSS Detection

WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for XSS. This allows for improved XSS attack performance and the ability to detect client-side-only attacks, such as XSS in DOM fragments.

Contact CyberRes Fortify Customer Support

If you have questions or comments about using this product, contact CyberRes Fortify Customer Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://www.microfocus.com/support

For More Information

For more information about Fortify software products: https://www.microfocus.com/solutions/application-security
