Micro Focus Expert

Micro Focus Fortify Product Announcement: SCA, SSC, WI & WIE 20.2.0

Micro Focus Fortify Product Announcement

Version 20.2.0

Micro Focus Fortify is pleased to announce the availability on 11/17/20 of version 20.2.0 of Fortify Software Security Center (SSC), Fortify Static Code Analyzer (SCA), WebInspect, and WebInspect Enterprise. The Fortify 20.2.0 on-premises release continues to advance the strategic initiatives of the product suite by adding accelerated language support, providing end users with actionable results, expanding our open source solution with Sonatype, offering hybrid delivery methods, and shifting application security left.

Please watch for the upcoming 20.2.1 patch release headlined by support for Xcode 12, plus a Docker file scanning update, a rulepack hotfix required by support, and an ABAP update.


Micro Focus Fortify Software Security Center

The following features have been added to Fortify Software Security Center.

Webhooks

The latest version of Fortify Software Security Center includes a new Webhook feature in the Administrative section. Use it to create hooks for system and application version events directly in the UI or via the API. Webhooks can be used to push Fortify Software Security Center data to external pipelines as those events occur. This feature will drive our next generation of build failure workflows in the continuous integration plugins that we currently offer.

General Performance Improvements

- Ahead-of-time compilation reduces the time needed to download the JavaScript for our user interface. Our testing indicates a 40% reduction in the overall package size.

- The Issue endpoint has been refactored for better direct API performance.

Open Source Components View

A new Open Source Components view appears on the Open Source tab of the Issues page. This view displays Sonatype open source issues, and the user can audit these issues directly in the view. The view also includes two new fields, Invoked and Controllable, which indicate whether the Sonatype-identified method or function is called from your custom code (Invoked) and whether user-controlled input reaches that method or function (Controllable).

OWASP ASVS v4.0 Report

The OWASP ASVS v4.0 report provides an easy way to consolidate the list of requirements for secure software development as defined by this standard.

ScanCentral DAST

ScanCentral DAST joins the family! The ScanCentral tab in Fortify Software Security Center now has both SAST and DAST options. WebInspect customers can now orchestrate dynamic testing and automation from within Fortify Software Security Center.

Java 11 Support

Added support for Java 11 in combination with Tomcat 9. See the Micro Focus Software System Requirements document for more information.


Fortify ScanCentral SAST

Product Name Change

With the introduction of Fortify ScanCentral DAST (for dynamic scans), Fortify ScanCentral was renamed ScanCentral SAST. For information about Fortify ScanCentral DAST, see the Micro Focus Fortify ScanCentral DAST Configuration and Usage Guide.

JavaScript Packaging Improvement

There is a new parameter available in the ScanCentral SAST client to include npm dependencies when they are not present in the current working directory. Users can add –scan-nodemodules to the ScanCentral SAST client command. ScanCentral SAST will download the node modules and include them for translation and analysis. If this flag is not present, the node modules are excluded by default even when they are present in the working directory.

Quality Improvements

- ScanCentral SAST has improved support for multiple versions of Fortify Static Code Analyzer. When scanning resources are unavailable for a particular client version, more informative error messages will be issued.

- The auto upgrade feature now patches all connected ScanCentral SAST clients, avoiding the need to manually install the patches multiple times.

- ScanCentral SAST standalone clients receive both patch upgrades and major version upgrades (when the controller is upgraded).

- Embedded ScanCentral SAST clients from Fortify Static Code Analyzer will not automatically upgrade to the new version, but do receive patches.

- Custom build parameters that are required for software compilation are now included and invoked by ScanCentral SAST clients. Previously, the default build invocation parameters for supported build tools were used.


Micro Focus Fortify Static Code Analyzer

The following features have been added to Fortify Static Code Analyzer.

Java

- Support added for Java 14

- Native support for Lombok added. It is not necessary to use “delombok” anymore

- Support added for Kotlin interoperability

If your project contains Java code that refers to Kotlin code, include all the source directories in the translation command so that the Kotlin function calls are correctly resolved.

.NET

- Now uses MSBuild 16.6

- Added Generics Type support

Swift/Obj C

- Added support for Xcode up to version 11.7

JavaScript

- Support added for TypeScript 3.3 to 4.0

- Support added for ECMAScript 2019 and 2020

Kotlin

- Added full support for Kotlin 1.3.50

- Kotlin support is no longer a Technology Preview

- Added Kotlin Java Interoperability

If your project contains Kotlin and Java source code, you can use the Java source to resolve any Kotlin types that refer to Java files.

- Added Kotlin for Android support

Go

- Added support for Go Modules

- Go translation has been refactored, which simplifies translation and removes the need to have Go installed on the translation machine

COBOL

- Added support for IBM Enterprise COBOL up to version 6.1

Python

- Added support for Python 3.8

- Improved imports support for Python

Docker

- Added support for running Fortify Static Code Analyzer in a Docker container

- Added support for scanning Docker configuration files

ABAP Extractor

- Improved performance

- Added option to block the download of SAP standard code

Modular Analysis (Technology Preview)

- Updated to include control flow analysis

Speed Dial (Technology Preview)

The first version of Speed Dial provides a selection of configuration files for choosing the breadth and depth of the desired Fortify Static Code Analyzer scan.


Micro Focus Fortify Static Code Analyzer Tools

The following features have been added to Fortify Static Code Analyzer Tools.

Azure DevOps

- New ScanCentral SAST Task

The new Azure DevOps task programmatically installs the ScanCentral SAST client from the controller, then configures and uses that client to orchestrate remote scanning from Azure DevOps. This works for both hosted and local build agents.

- New ScanCentral DAST Task

In Azure DevOps, this task allows you to automate and orchestrate remote dynamic (WebInspect) scans from the ScanCentral DAST module inside of Fortify Software Security Center.

Visual Studio Code

Fortify is happy to welcome the Fortify Visual Studio Code Extension to our IDE plugin family. In this first release, local Fortify Static Code Analyzer scans, remote scans via ScanCentral, and remote scans via Fortify on Demand are all supported.

Token Authentication in all the Tools

Fortify has introduced token-based authentication to Fortify Static Code Analyzer from Audit Workbench and the Visual Studio, Eclipse, and IntelliJ plugins.

Support for OWASP ASVS v4.0 Report

Support has been added for OWASP ASVS v4.0 reports.


Micro Focus Fortify WebInspect

The following features have been added to Fortify WebInspect.

Automatic Detection of Single-page Applications

Fortify continues to improve usability with time-saving features that eliminate manual configuration of scans. WebInspect 20.2.0 detects when applications use modern frameworks such as Angular and React and automatically adjusts its configuration to provide the best coverage.

Redundant Page Detection

Applications with lots of redundant content, such as content management systems and catalog sites, can cause unnecessarily long-running scans. With WebInspect 20.2.0, you can use an advanced redundant page detection algorithm to reduce these scan times.

ADFS CBT Support

Per advice from Microsoft, many organizations are implementing a channel binding token (CBT) to secure Active Directory Federation Services (ADFS) authentication. WebInspect 20.2.0 now supports this extended protection mechanism. Look at Scan Settings under Network Authentication > Method > ADFS CBT to use this new feature, and reference the Help topic for details.

Engine 5.1 Updates

Fortify continues to evolve its engines to improve coverage and performance. WebInspect 20.2.0 provides a faster crawl and audit, and better application support from the web macro recorder. Finally, as a sneak peek of things to come in 2021, the Web Macro Recorder with Macro Engine 5.1 now attempts to detect and display client-side frameworks that are used in the target application.

OpenSSL Technical Preview

WebInspect 20.2.0 introduces a technical preview of our OpenSSL integration. This integration provides support for TLS 1.3, and provides an option for customers whose system administrators may be restricting the Microsoft SCHANNEL stack. The setting may be enabled in the UI at Edit > Application Settings > General.

ScanCentral DAST

Fortify is excited to release a new DAST orchestration and automation platform integrated right into Software Security Center 20.2.0!


Micro Focus Fortify WebInspect Enterprise

The following features have been added to Fortify WebInspect Enterprise.

Automatic Detection of Single-page Applications

Fortify continues to improve usability with time-saving features that eliminate manual configuration of scans. The WebInspect 20.2.0 sensor detects when applications use modern frameworks such as Angular and React, and automatically adjusts its configuration to provide the best coverage.

Redundant Page Detection

Applications with lots of redundant content, such as content management systems and catalog sites, can cause unnecessarily long-running scans. With the WebInspect 20.2.0 sensor, you can use an advanced redundant page detection algorithm to reduce these scan times.

ADFS CBT Support

Per advice from Microsoft, many organizations are implementing a channel binding token (CBT) to secure Active Directory Federation Services (ADFS) authentication. The WebInspect 20.2.0 sensor now supports this extended protection mechanism.


Learn More

For more information about the Micro Focus Fortify 20.2 release, visit these links:

- View the Fortify Technical Forum previewing this release.

- Fortify Unplugged YouTube Playlist for 20.2


Join the Fortify Community!

Join the Micro Focus Security community, which provides customer-facing forums, educational webinars, product documentation and tutorials. Connect with peers, ask questions, search for solutions, share ideas, and collaborate over best practices in the Fortify Community today. Visit:

https://community.softwaregrp.com/t5/Fortify/ct-p/fortify


Documentation

On 11/17/20, you can find both HTML and PDF documentation for Fortify version 20.2.0 software products at:
https://www.microfocus.com/support-and-services/documentation/

Note: Legacy documentation (prior to 18.1) can still be found at: https://community.softwaregrp.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation


Contact Support

For support, please visit https://softwaresupport.softwaregrp.com/.

Details are available in the attached release letter along with specific feature requirements. We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact us.


Scott Johnson
Director of Product Management
Micro Focus Security Fortify
+1 (404) 931-1028
scott.k.johnson@microfocus.com
