Micro Focus Fortify Product Announcement: SCA, SSC, WI & WIE 21.1.0

2 Likes
3 months ago

What’s New in Micro Focus Fortify

Software 21.1.0
July 2021

We are excited to announce the general availability of our Micro Focus Fortify 21.1.0 release! With enhanced offerings to increase speed, accuracy, scalability, and ease of use, this marks an important chapter in Fortify’s elevation of application security. This release contains updates to Fortify Static Code Analyzer, Fortify WebInspect, Fortify Software Security Center, and Fortify Software Composition Analysis.

This release of Micro Focus Fortify Software includes the following new functions and features.

Micro Focus Fortify Software Security Center
The following features have been added to Fortify Software Security Center.

Oracle: JDBC Driver Requirement
If you use Oracle as your Fortify Software Security Center database, you no longer need to manually add the JDBC driver. The installer now includes the JDBC Thin Driver (ojdbc8.jar).

Autoconfigure Update
You no longer need to provide db.driver.class, db.dialect, or db.like.specialCharacters to deploy SSC using autoconfiguration (<app_context>.autoconfig file). Deployment works for all databases if you provide values for db.username, db.password, and jdbc.url only.

Required Attribute Alert
If an administrator creates a new required attribute, Fortify Software Security Center alerts you to the addition so that you can specify a value for it in an application version.

Export Open Source Results
You can now export your open source data to a comma-separated file.

DENY Button for Artifacts
There is now a DENY button for artifacts that require approval but were uploaded by mistake. The denied results will not be merged with the application version but can be retained as part of the record.

New Reports
The premium report bundle now includes three new issue reports:

  • DISA STIG 5.1
  • NIST 800-53 Revision 5 (Accessed through the FISMA Compliance: FIPS-200 report template)
  • CWE Top 25 2020

StartTLS Support for LDAP
StartTLS is now supported as a connection method to LDAP servers.

Enhanced Issue Filtering
Issue filtering from the OVERVIEW and AUDIT pages now includes enhancements. You can now filter issues based on their category.

Kubernetes Support

  • Added support for Kubernetes version 1.20.
  • Added support for versions 3.4 and 3.5 of the Helm command-line tool.

Service Integrations Support

  • Added support for Azure DevOps Server 2020

Micro Focus Fortify ScanCentral SAST

Improved Job Processing Messages
Previously, when a job was assigned to a sensor, the Controller sent the email message "ScanCentral job request accepted." After the job was completed, the Controller sent the email message "ScanCentral job completed."

Now, when the Controller accepts a job, it sends the email message "ScanCentral job request accepted." After the job is assigned to a sensor, the Controller sends the email message "ScanCentral job request assigned." Finally, after the job is completed, the Controller sends the email message "ScanCentral job completed."

New -debug Option
The -debug option, which enables debug logging on clients and sensors, was added in this release.

-upload Option Required for Scans When Fortify Software Security Center is in Lockdown Mode
Previously, if Fortify Software Security Center was in lockdown mode, you could run a scan even if you failed to specify the -upload option in the ScanCentral command. The results shown for the scan on the SCANCENTRAL > SAST tab in Fortify Software Security Center left out the application version and the scan was not uploaded. Now, if Fortify Software Security Center is in lockdown mode, and you try to start a scan without using the -upload option, client execution fails with an error.

Improved Sensor Cleanup
Now, the clean-up process on a sensor machine invokes the sourceanalyzer -clean command to remove Fortify Static Code Analyzer internal files related to the job.

Maven Remote Translation
You can now specify custom settings files for Maven remote translation.

New Email Properties
Two new properties in the config.properties file allow you to specify which outgoing email domains to use for outgoing emails and which domains are disallowed.

Micro Focus Fortify Static Code Analyzer
The following features have been added to Fortify Static Code Analyzer.

.NET
Added support for the following languages and frameworks:

  • .NET 5.0
  • C# 9
  • ASP.NET Blazor

To improve MSBuild integration, the custom msbuild executable and its assemblies were replaced by a Fortify-specific .targets file and task assemblies. These changes favorably impact translations under MSBuild Integration performed by the system’s MSBuild tool.

MSBuild Support Update
Added support for version 16.8 and 16.9.

Go

  • Added support for Go versions 1.15 and 1.16.
  • Added support for the GOPROXY environment variable.

Java

  • Updated JSP translation produces fewer false positives
  • Improved bytecode analysis

JavaScript
Added support for the following languages and frameworks:

  • TypeScript 4.1
  • Angular 10 and 11

Kotlin
Added support for Kotlin 1.4.20.

PHP
Added support for PHP 7.2, 7.3, 7.4, and 8.0.

Python
Added support for the following languages and frameworks:

  • Python 3.9
  • Django 3.1

Swift/Obj-C
Added support for Xcode 12.4.

Operating Systems (Linux)
Added support for the following Linux servers:

  • SUSE Linux Enterprise Server 15.
  • Red Hat Enterprise Linux 8.2.
  • CentOS Linux 7.6-1810 and 8.2-2004.
  • Ubuntu 20.04.1 LTS.

Micro Focus Visual COBOL (Technology Preview)
Added support for Micro Focus Visual COBOL 6.0.

C/C++ (Technology Preview)
Improved support for constructs in C++11 using new Clang-based translation.

Speed Dial (Technology Preview)

  • Added level 3 and 4 support.
  • Improved intermediate development scan speeds by up to 50% (with a reduction in reported issues).
  • Reduced scan time for typed languages such as Java and C/C++.
  • Level 4 support provides a full scan.

Micro Focus Fortify Static Code Analyzer Tools
The following features have been added to Fortify Static Code Analyzer Tools.

ScanCentral SAST Support in Secure Code Plugins

  • ScanCentral SAST support added to Eclipse Complete Plugin, IntelliJ Analysis Plugin, and Visual Studio Extension.
  • You can now submit ScanCentral SAST scan requests from the plugins.
  • Added support for both local translation (send MBS file for scan phase) and remote translation (send package for both translation and scan phases).

Java 11 Runtime Support

  • All tools and secure code plugins can be run in a Java 11 runtime environment.

Syntax Highlighting for Additional Languages in Audit Workbench

  • Adds syntax highlighting for the following languages: ABAP, Apex, ASP, C# and ASP.NET, COBOL, Cold Fusion, Go, Kotlin, Objective C, PHP, Python, Ruby, Scala, Swift, VB.NET, Visual Basic 6.0 and configuration files.

Improved Merge Behavior in Visual Studio Extension

  • Adds the ability to choose to merge with or overwrite a previous scan result.
  • If an issue template is specified for the scan (configured as default or via additional scan option), the issue template from the new scan will be saved in the merged FPR.
  • Set the merge option in Fortify > Options > Project Configuration > Advanced Scan Options. Select or clear the Merge with Previous Scan checkbox.

New Versions of Reports

  • DISA STIG 5.1
  • NIST 800-53 Revision 5
  • CWE Top 25 2020

These can be generated from Fortify Audit Workbench, the secure code plugins, and the BIRTReportGenerator command-line interface.

Updated IDE Support

  • Added support for Eclipse versions 2020-x and 2021-x in Micro Focus Fortify Plugins for Eclipse.
  • Added support for Eclipse version 2021-x in Micro Focus Fortify Security Assistant Plugin for Eclipse.
  • Added support for versions 4.x of Android Studio in Micro Focus Fortify Plugins for JetBrains IDEs and Android Studio.

Service Integrations

  • Added support for Azure DevOps Server 2020.

Micro Focus Fortify ScanCentral DAST
The following features have been added to Fortify ScanCentral DAST.

Functional Application Security Testing (FAST)
FAST provides a CI/CD-friendly way to capture traffic from functional tests and send it to ScanCentral DAST for targeted DAST scanning.

API Scanning with Postman
In 21.1.0, ScanCentral DAST continues to simplify API scanning with its Postman integration. A new workflow in the WebInspect sensor automatically detects the authentication requests and excludes them from attack by default. There are also improvements to Oauth2.0 support.

Hacker Level Insights
Hacker Level Insights is a new framework that exposes those insights about an application that are interesting from a security perspective, but not necessarily a vulnerability. Detection of JavaScript client-side frameworks is included in 21.1.0.

Data Retention Policies
Configuring data retention policies at the application or scan level allows automatic purging of stale data to support ScanCentral DAST database maintenance and system performance in high usage environments.

Deny Intervals
ScanCentral DAST supports application and scan-level deny intervals when currently running scans are paused or forced to complete, and new scans do not start.

Base Settings
Base Settings provide ScanCentral DAST administrators the ability to apply scan setting templates across all applications or specific applications.

Policy Import
ScanCentral DAST supports using custom policies at both the application level and scan level.

Alerting
A messaging framework displays information about the quality and performance of scans in progress.

SiteExplorer Download
A link is provided in ScanCentral DAST to download SiteExplorer for visualization of a scan.

Horizontal Scaling (Technology Preview)
Horizontal scaling of sensor script engines provides dramatically faster scanning.

Micro Focus Fortify WebInspect
The following features have been added to Fortify WebInspect.

HTTP/2 Support
Modern applications have begun leveraging HTTP/2 to improve the user experience with improved speed and more efficient client/server communication. WebInspect now supports applications that use HTTP/2 technology.

API Scanning with Postman
WebInspect continues to simplify API scanning with its Postman integration. A new workflow in the sensor automatically detects the authentication requests and excludes them from attack by default. There are also improvements to Oauth2.0 support.

Hacker Level Insights
Hacker Level Insights is a new framework that exposes those insights about an application that are interesting from a security perspective but may not necessarily be a vulnerability. Detection of JavaScript client-side frameworks is included in 21.1.0.

Engine 6.0 Updates
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect 21.1.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.0.

Masked Parameters in TruClient
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password to be masked so they are hidden from view.

Simplified User Agent Selection
Selection of a User Agent in settings during scan configuration is now applied to both TruClient macros and the scan settings.

Alerting
Alert-level scan log messages provide information about the quality and performance of scans in progress.

OpenSSL
The OpenSSL technical preview is now the default SSL/TLS implementation in WebInspect. This integration provides support for TLS 1.3, and provides an option for customers whose system administrators may be restricting the Microsoft SCHANNEL stack.

Micro Focus Fortify WebInspect Enterprise
The following features have been added to Fortify WebInspect Enterprise.

Engine 6.0 Updates
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect 21.1.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.0.

Masked Parameter in TruClient
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password to be masked so they are hidden from view.

Simplified User Agent Selection
Selection of a User Agent in Advanced Settings during scan configuration are now applied to both TruClient macros and the scan settings.

Contact Micro Focus Fortify Customer Support
If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://www.microfocus.com/support

For More Information
For more information about Fortify software products: https://www.microfocus.com/solutions/application-security

Comment List
Anonymous
Related Discussions
Recommended