Fortify on Demand Releases version 19.2


Original Question: Fortify on Demand Releases version 19.2 by Brent_Jenkins

Fortify on Demand (FoD) delivers application security as a service, providing customers with the security testing, vulnerability management, expertise, and support needed to create, supplement, and expand a Software Security Assurance program in as little as one day.

The Fortify on Demand team is excited to announce the release of version 19.2 on 5/18/2019. This update contains functionality, automation, and user experience improvements, which are outlined below:

  • New API Functionality
  • Enhanced Integrations for Jenkins and Azure DevOps
  • User Experience Improvements
  • Microservice Enhancements
  • Entitlements Visibility Enhancements
  • Dynamic Scanning Improvements
  • Open Source User Experience Enhancements
  • Static Scanning Language Support


New API Functionality

  • New and improved endpoints for global data exports
    • GET /api/v3/reports/dataexports
    • GET /api/v3/reports/dataexports/{dataExportId}/download
  • Audit Templates - pull the list of audit filters defined for an application
    • GET /api/v3/applications/{applicationId}/audittemplates
  • Static Scan Manifest - retrieve the manifest log file for a static scan
    • GET /api/v3/scans/{scanId}/manifest
  • User Groups - list user groups (Group ID, Group Name, and Number of Users) and manage which applications a group can access
    • GET /api/v3/user-group-application-access/{userGroupId}
    • POST /api/v3/user-group-application-access/{userGroupId}
    • DELETE /api/v3/user-group-application-access/{userGroupId}/{applicationId}
    • GET /api/v3/user-management/user-groups
    • GET /api/v3/applications/{applicationId}/user-groups
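The data export and user-group application access endpoints above, exercised by an added example that is not Fortify's own SDK or documentation. It runs offline against an in-memory fake tenant with constructed data; the Bearer-token Authorization header, the {"items": [...]} list envelope, the field names in the sample responses, the POST body {"applicationId": ...} used to grant access, and the regional API host are all assumptions, not taken from the release note. Two points a practitioner cares about are built in: an export that is still generating is never downloaded, and an HTTP 401/403 raises instead of quietly returning an empty list.

```python
"""Minimal client for the v3 endpoints listed above (added example, not Fortify code).
Assumed, not from the release note: Bearer-token auth header, {"items": [...]} envelope,
sample field names, POST body {"applicationId": ...}, and the API host used in demo()."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (status, body). Injected so the same
# client code runs against a real tenant or the offline FakeTenant below.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport for use against a tenant (not exercised offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FodClient:
    def __init__(self, base_url: str, token: str, transport: Transport) -> None:
        self.base_url, self.token, self.transport = base_url.rstrip("/"), token, transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, bytes]:
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        if data is not None:
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, self.base_url + path, headers, data)
        if status >= 400:  # fail loudly: a swallowed 401/403 hides a bad or expired token
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return status, raw

    def list_data_exports(self) -> List[dict]:
        return json.loads(self._call("GET", "/api/v3/reports/dataexports")[1])["items"]

    def download_data_export(self, export_id: int) -> bytes:
        return self._call("GET", f"/api/v3/reports/dataexports/{export_id}/download")[1]

    def group_application_access(self, group_id: int) -> List[int]:
        raw = self._call("GET", f"/api/v3/user-group-application-access/{group_id}")[1]
        return [item["applicationId"] for item in json.loads(raw)["items"]]

    def grant_group_access(self, group_id: int, app_id: int) -> int:
        return self._call("POST", f"/api/v3/user-group-application-access/{group_id}",
                          {"applicationId": app_id})[0]

    def revoke_group_access(self, group_id: int, app_id: int) -> int:
        return self._call("DELETE",
                          f"/api/v3/user-group-application-access/{group_id}/{app_id}")[0]


def newest_completed_export(exports: List[dict]) -> Optional[dict]:
    """Only finished exports are downloadable; an in-progress one would be a partial file."""
    done = [e for e in exports if e.get("status") == "Completed"]
    return max(done, key=lambda e: e["createdDateTime"], default=None)


class FakeTenant:
    """Offline stand-in for a tenant; every value here is constructed for the demo."""
    def __init__(self) -> None:
        self.exports = [
            {"dataExportId": 11, "status": "Completed", "createdDateTime": "2019-05-10T08:00:00Z"},
            {"dataExportId": 12, "status": "In Progress", "createdDateTime": "2019-05-18T08:00:00Z"},
            {"dataExportId": 13, "status": "Completed", "createdDateTime": "2019-05-17T08:00:00Z"},
        ]
        self.access = {42: {100}}  # user group 42 currently sees application 100 only

    def __call__(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or len(auth) == len("Bearer "):
            return 401, b""
        parts = url.split("/api/v3/", 1)[1].split("/")
        if parts == ["reports", "dataexports"]:
            return 200, json.dumps({"items": self.exports}).encode()
        if parts[:2] == ["reports", "dataexports"] and parts[-1] == "download":
            return 200, b"applicationName,releaseName,severity\nAcmeShop,1.0,Critical\n"
        if parts[0] == "user-group-application-access":
            apps = self.access.setdefault(int(parts[1]), set())
            if method == "GET":
                return 200, json.dumps({"items": [{"applicationId": a} for a in sorted(apps)]}).encode()
            if method == "POST":
                apps.add(json.loads(body)["applicationId"])
                return 201, b""
            if method == "DELETE":
                apps.discard(int(parts[2]))
                return 204, b""
        return 404, b""


def demo(transport: Optional[Transport] = None) -> dict:
    """Download the newest finished export, then move group 42 from app 100 to app 200."""
    client = FodClient("https://api.ams.fortify.com", "token-from-oauth", transport or FakeTenant())
    export = newest_completed_export(client.list_data_exports())
    rows = client.download_data_export(export["dataExportId"]).decode().splitlines()[1:]
    client.grant_group_access(42, 200)
    client.revoke_group_access(42, 100)
    return {"export_id": export["dataExportId"], "rows": len(rows),
            "group_apps": client.group_application_access(42)}


def rejects_missing_token() -> bool:
    """An empty token must surface as an error, not as an empty export list."""
    try:
        FodClient("https://api.ams.fortify.com", "", FakeTenant()).list_data_exports()
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print(demo(), rejects_missing_token())
```

To run this against a real tenant, pass urllib_transport and a token obtained from the tenant's OAuth endpoint instead of FakeTenant; the revoke-then-grant sequence is the shape of a least-privilege review, where a group's application list is reconciled against what it should be rather than only ever extended.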


Enhanced Integrations for Jenkins and Azure DevOps (Updates Already Live)

  • Fortify on Demand Uploader Plugin - Jenkins plugin pipeline support
    • Expanded support for the existing personal access token and API key authentication within Jenkins pipelines
  • Azure DevOps extension
    • Expanded support for the existing personal access token and API key authentication
    • Removed the ability to select a scan preference (deprecated functionality)
      • Users can still select an audit preference
  • Added ability to select entitlement preferences


User Experience Improvements

  • Ability to provide a name for each entry in the IP restrictions section
  • New policy creation wizard to simplify application security policy creation
    • Policies can now be applied to dev, test, and prod
  • Ability to customize open developer statuses
  • Enhanced filtering to allow multi-select on the "Your Releases" page for
    • Business Criticality
    • Star Rating
    • Pass/Fail
  • Users can now select the signing algorithm for SSO connections
    • SHA-1 (default)
    • SHA-256
    • SHA-1 is retained as the default only for compatibility; SHA-1 signatures are deprecated, so select SHA-256 wherever the identity provider supports it
  • Option to ignore version history on FPR import (applies to both dynamic and static scans)
  • When a customer imports a static or dynamic FPR, suppression status is now imported for "new" issues


Microservices Enhancements

  • Size limit increased from 15 MB to 100 MB
  • One in-progress scan per application; additional microservice scans queue (one scan at a time per microservice)
  • Automated audit for all scans


Entitlements Visibility Enhancements

  • Users can select an entitlement ID (custom field) for mobile, static, and dynamic scans
  • Users can now view entitlements with the quantity purchased, quantity consumed, and start date


Dynamic Scanning Improvements

  • Recurring dynamic scans are now scheduled 7 days before the next scan date
    • If a scan is already in progress for the application at the 7-day mark, the next scan is not scheduled
  • Network Scan
    • Deprecated support for importing network scans


Open Source User Experience Enhancements

  • A standalone open source component issues page has been created for reviewing open source vulnerabilities
  • System event history is now populated for open source issues
  • Open source recommendations now include CWE links on the Recommendations tab
  • The Executive Summary, Issue Breakdown, and Issue Breakdown by Analysis reports now include open source issues


Static Scanning Language Support

  • Static scan accuracy and turnaround times have been improved
  • Language support has been expanded to include the following languages:
    • ECMAScript 2018
    • TypeScript 3.x
    • Angular 7
    • Python 3
    • Django 2.x
    • Java 11


Accessing Fortify on Demand Documentation
Users can access the most recent Fortify on Demand User Guide and Release Notes from the Fortify on Demand Help Center along with additional support documents and FAQs.

To check for recent updates or to verify that you are using the most recent edition of a document, go to:
