Fortify on Demand (FoD) delivers application security as a service, providing customers with the security testing, vulnerability management, expertise, and support needed to create, supplement, and expand a Software Security Assurance program in as little as one day.
The Fortify on Demand team is excited to announce the release of version 19.1, which contains new functionalities and user experience improvements!
Fortify on Demand has implemented scopes to secure the Fortify on Demand API. Scopes limit the access that is granted to access tokens when authenticating to the API. They do not grant additional permissions beyond what a user currently has.
Each endpoint has a scope that is aligned with the Fortify on Demand permissions model. All endpoints also have the api-tenant scope for backwards compatibility. The allowed scopes for the endpoints are listed in the endpoint descriptions in API Explorer.
Support for Personal Access Tokens
Fortify on Demand has implemented personal access tokens for authenticating to the API. Personal access tokens are unique keys tied to the user who generated them. They function as alternate passwords: they carry the user's permissions and can be further restricted with scopes. Note that using a personal access token bypasses the two-factor authentication and SSO requirements set in the portal, so a token must be protected like a password and should be issued with the narrowest scope the intended API calls need.
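The two authentication paths described above (a global API key and a personal access token, each bound to a requested scope) look like this from a client's point of view. This is an added example written for this page, not code shipped by Fortify on Demand; the /oauth/token form fields and the /api/v3/applications path follow the FoD API documentation, but the regional API host, the environment variable names, and the scope you choose are assumptions to verify against your tenant's API Explorer.

```python
"""Mint a scoped Fortify on Demand API token with either a global API key
(client_credentials grant) or a personal access token (password grant), then
call an endpoint with it.  Added example, not FoD's own code; verify the
endpoint and scope names in your tenant's API Explorer."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the AMS regional host; EMEA and APAC tenants use a different one.
BASE_URL = os.environ.get("FOD_API_URL", "https://api.ams.fortify.com")


def token_request_form(scope, *, client_id=None, client_secret=None,
                       tenant=None, username=None, pat=None):
    """Build the x-www-form-urlencoded body for POST /oauth/token.

    Exactly one credential kind is accepted.  `scope` should be the narrowest
    scope that API Explorer lists for the endpoints you will call; "api-tenant"
    is the broad backwards-compatible scope and should be the exception.
    """
    if not scope:
        raise ValueError("a scope is required, e.g. 'api-tenant'")
    has_key = client_id is not None and client_secret is not None
    has_pat = tenant is not None and username is not None and pat is not None
    if has_key == has_pat:
        raise ValueError("supply a global API key pair or a PAT, not both or neither")
    if has_key:
        return {"scope": scope, "grant_type": "client_credentials",
                "client_id": client_id, "client_secret": client_secret}
    # A PAT authenticates as the user; the username carries the tenant code.
    return {"scope": scope, "grant_type": "password",
            "username": f"{tenant}\\{username}", "password": pat}


def get_token(form, base_url=BASE_URL, opener=urllib.request.urlopen):
    """POST the form to /oauth/token and return the bearer access token."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        f"{base_url}/oauth/token", data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with opener(req) as resp:
        body = json.load(resp)
    return body["access_token"]


def api_get(token, path, base_url=BASE_URL, opener=urllib.request.urlopen):
    """GET an API path with the bearer token.  A 401/403 here usually means the
    token has expired or its scope does not cover this endpoint."""
    req = urllib.request.Request(
        f"{base_url}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with opener(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            raise PermissionError(
                f"{e.code} on {path}: token expired or its scope does not "
                "cover this endpoint; check the allowed scopes in API Explorer") from e
        raise


if __name__ == "__main__":
    # Assumption: credentials come from the environment; never hard-code a PAT.
    form = token_request_form(
        "api-tenant",  # replace with the narrowest scope your calls need
        tenant=os.environ["FOD_TENANT"],
        username=os.environ["FOD_USER"],
        pat=os.environ["FOD_PAT"])
    print(json.dumps(api_get(get_token(form), "/api/v3/applications?limit=5"), indent=2))
```

The Jenkins plugin described later on this page performs the same exchange internally when you give it either a global API key or a personal access token; the point of building the request by hand is to see that the scope is chosen at token-minting time and cannot be widened afterwards.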
The custom dashboard feature, previously released as a beta feature, is now generally available for all users. To standardize dashboard usage, the Tenant Dashboard has been removed.
The following improvements have been made to the dashboard for improved usability and viewing:
- Users can create up to 10 dashboards and switch among them.
- Users can customize the names of dashboards and tiles.
- Trending graphs now display the full OWASP category names.
- Trending graphs have improved scaling and include data point markers that can be shown or hidden.
Sonatype Integration Updates
Fortify on Demand has updated its Sonatype integration to fully integrate open source component issues found in Sonatype scans. Sonatype issues appear as open source issues at the release level; users can edit them just as with other issues. They are mapped to the OWASP, PCI, and CWE industry-standard classifications.
Sonatype issues are included in the dashboard metrics; issue counts on the Your Applications, Your Releases, and Overview pages; Issue pages export and issues data export; and associated API endpoints.
The Scans pages now display Sonatype scans separately. Sonatype scans are included in the dashboard metrics, scans data exports, and associated API endpoints.
As part of the update, stand-alone interactive and PDF reports are no longer available for new Sonatype scans. Reports are now generated through the Fortify on Demand reporting functionality. The Open Source Component report template and the Open Source Bill-of-Materials and Vulnerable Open Source Components report modules have been added.
To enable Sonatype open source component analysis, organizations need to opt in to Sonatype after the upgrade.
Jenkins and IDE Plugins Updates
The Jenkins Plugin has been updated to work with personal access tokens. Users can specify either a global API key or a personal access token to authenticate to the Fortify on Demand API. They can also override global authentication credentials with a personal access token in the Fortify on Demand Static Assessment and Poll Fortify on Demand for Results post-build actions.
The Eclipse Plugin, IntelliJ IDEA Plugin, and Visual Studio Extension have been updated to automatically include the plugin name and version details in the scan notes. The updates also include minor bug fixes.
User Experience Improvements
Concurrent Request Threads Added to Dynamic Scan Settings
The Concurrent request threads field has been added to the Dynamic Scan Setup page for setting the number of concurrent requests that will be used for a dynamic scan:
- Standard (default): 5 crawl requestor threads, 10 audit requestor threads, 20 second request timeout
- Limited: 2 crawl requestor threads, 3 audit requestor threads, 5 second request timeout
Selecting the Limited option reduces the load the scan places on the target, but it also makes the scan take longer than the standard SLO.
Configure Added to Start Dynamic/Mobile/Static Scans Permission Categories
The Configure permission has been added to the Start Dynamic Scans, Start Mobile Scans, and Start Static Scans permission categories. Users with the Configure permission can view and edit scan settings, but cannot start a scan. The Deny and Allow permissions remain the same.
FPR Import Improvement
For FPRs imported to Fortify on Demand, the scan start and complete times now use the scan date in the FPR instead of the date the FPR was imported. The change applies to both manual and API imports.
Payload Size Added to Scan Summary
Payload size information (if available) has been added to the scan summary details on the Scans pages. The field is highlighted if the difference in payload size is greater than 10% between the latest and previous scans.
Number of Days to Fix Issues Tracked
Fortify on Demand now tracks the number of days from when an issue was introduced to when it was fixed.
API Key Last Login Details Displayed
For increased visibility into the security of global API keys, the portal now displays their last login date and login IP address.
Review Training Courses Without Affecting Status
Users have the option of reviewing the contents of a course without affecting the completion status or the passed date.
Accessing Fortify on Demand Documentation
Users can access the most recent Fortify on Demand User Guide and Release Notes from the Fortify on Demand Help Center, along with additional support documents and FAQs.
To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support-and-services/documentation