Welcome to Fortify on Demand 22.2!



The 22.2 release is complete. You can now log in to your Fortify on Demand portal. All the details of the 22.2 release are found within the documentation under "What's New".
Here are the highlights of the new release:

What's New in 22.2


Web Services Terminology Update
To better align with standard Application Security terminology, Fortify on Demand will be replacing "web services" references with "API" for the next release (22.3). Any references to web services in existing automation workflows need to be updated upon the 22.3 upgrade.
Dynamic+ API Assessment as a Subscription
Micro Focus is offering the Dynamic+ API Assessment (formerly Dynamic+ Web Services Assessment) as a subscription. Micro Focus will perform unlimited Dynamic+ API Assessments during the Subscription Term. Only one assessment can be active at any time. A Dynamic+ API Assessment consists of the following activities:

  • Verify the API URL, credentials, and customer-provided definition of API endpoints to be assessed
  • Perform an automated, authenticated WebInspect assessment of designated API endpoints
  • Manually assess the target API endpoints using the Fortify on Demand testing methodology
  • Includes up to eight (8) hours of analysis by a Fortify on Demand security expert
  • Review of prioritized results by a Fortify on Demand security expert, including false positive removal

Open Source Select by Debricked
Finding an open source project to solve your specific problem can be difficult, especially when you don't know the names of the projects. Using Debricked's Open Source Select database, you can search for and compare open source projects by searching for either the project name or desired functionality. For more information, see the Open Source Select database, accessible from a link on the portal toolbar.

Engine and Rulepack Updates

Fortify Software Security Content 2022 Update 1 Support

(May 2022 update) Fortify on Demand has implemented Fortify Software Security Content 2022 update 1 from Fortify Security Research (SSR). For more information, see 

Fortify Static Code Analyzer 22.1.0 Support

Fortify on Demand will implement Micro Focus Fortify Static Code Analyzer 22.1.0 for scanning source code on June 15th. Fortify Static Code Analyzer 22.1.0 offers the following features:

  • Compiler support updates:
    • Clang 13.1.6
    • OpenJDK javac 17
    • Swiftc 5.6
    • cl (MSVC) 2015 and 2022
  • Language and framework support updates:
    • C# 10
    • .NET 6.0
    • C/C++ 20
    • HCL 2.0
    • Java 17
    • TypeScript 4.4 and 4.5

Note: Rules for Terraform and Google Cloud Platform will be part of the Fortify Software Security Content 2022 update 2 release.

API and portal support for .NET 6 and Java 17 are included in the 22.2 release, but scanning support will not be available until the Fortify Static Code Analyzer upgrade on June 15th.

New Features

User Group Export

User group details can now be exported as a CSV file. The export functionality is available on the Groups tab of the Users Management page. User group exports contain the following details: group name, first name, last name, email, role name, and assigned applications.


JIT User Group Provisioning Update

The following updates have been made to JIT user group provisioning, introduced in Fortify on Demand 22.1:

  • User group creation is now controlled separately from user group assignment.
  • If user group assignment is enabled, a value must be provided for the Groups attribute in the portal SSO settings.

Note: If a user logs in using SSO and the Groups attribute is empty in the SAML assertion, any existing user group assignments will be removed.
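A pre-rollout check for the condition in the note above, as an added example that is not Fortify on Demand code: it inspects a SAML assertion captured from a test login and reports whether the groups attribute carries any values. The attribute name "Groups", the function names, and the sample assertions are assumptions constructed for illustration; the page does not say how an attribute that is absent altogether is handled, so that case is reported separately for review.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def group_values(assertion_xml, groups_attr="Groups"):
    """Non-blank values of the groups attribute; None if the attribute is absent."""
    # Parse only assertions captured from your own IdP test login; this
    # check does not verify the assertion's signature.
    root = ET.fromstring(assertion_xml)
    values = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != groups_attr:  # name as set in the portal SSO settings
            continue
        values = values or []
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:  # whitespace-only values count as empty
                values.append(text)
    return values

def check_assertion(assertion_xml, groups_attr="Groups"):
    """OK: groups sent. EMPTY: the case the note warns about. ABSENT: attribute not sent."""
    values = group_values(assertion_xml, groups_attr)
    if values is None:
        return "ABSENT"
    return "OK" if values else "EMPTY"

def sample_assertion(groups_xml):
    """Constructed, unsigned sample assertion (not captured from a real IdP)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="email">'
        "<saml:AttributeValue>user@example.com</saml:AttributeValue>"
        "</saml:Attribute>" + groups_xml + "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )

SAMPLES = {  # constructed inputs covering the three outcomes
    "populated": sample_assertion(
        '<saml:Attribute Name="Groups">'
        "<saml:AttributeValue>AppSec-Leads</saml:AttributeValue></saml:Attribute>"),
    "empty": sample_assertion(
        '<saml:Attribute Name="Groups">'
        "<saml:AttributeValue> </saml:AttributeValue></saml:Attribute>"),
    "absent": sample_assertion(""),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name}: {check_assertion(xml)}")
```
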

Daily Frequency for Scheduling Application and Release Exports

Application and release exports can be scheduled to run on a daily frequency. Daily exports run at 24:00 server time.

Hacker-level Insights Grouping Category

Hacker-level insights found in dynamic scans are now grouped in a new HLI: Detected Libraries category.

Package URL Added to Issues Data Export

The package URL (Sonatype identifier for open source issues) has been added to the issues data export. The package URL is mapped to the existing URL column.

Bug Tracker Issues Updated When Release is Copied

For applications that have bug tracker integration enabled, when a release is copied, issues in the bug tracker are now updated. Links to the newly copied issues are added to the issue descriptions in the bug tracker.

If bug statement management is enabled, Fortify on Demand will not close a bug unless all associated issues have been fixed.

Tenant Code Saved on Login Page

The tenant code is now saved on the login page for subsequent logins.

Microservice Name Included in Report

The microservice name is now included on a report's title page.

These initiatives support why Fortify has continued to be a leader in the AppSec industry for over a decade. Be sure to also check out our NEW 2022 AppSec Trend Report and AppSec Trend Report webinar series as well!
