
Fortify on Demand Releases version 19.1

Micro Focus Expert

Fortify on Demand (FoD) delivers application security as a service, providing customers with security testing, vulnerability management, expertise, and support needed to easily create, supplement, and expand a Software Security Assurance program in as little as just one day.

The Fortify on Demand team is excited to announce the release of version 19.1, which contains new functionalities and user experience improvements!

New Functionalities

API Updates

Fortify on Demand has implemented scopes to secure the Fortify on Demand API. Scopes limit the access that is granted to access tokens when authenticating to the API. They do not grant additional permissions beyond what a user currently has.

Each endpoint has a scope that is aligned with the Fortify on Demand permissions model. All endpoints also have the api-tenant scope for backwards compatibility. The allowed scopes for the endpoints are listed in the endpoint descriptions in API Explorer.

Support for Personal Access Tokens

Fortify on Demand has implemented personal access tokens for authenticating to the API. Personal access tokens are unique keys tied to the user who generated them. They function as alternate passwords; they have the user's permissions and can be further restricted with scopes. Using personal access tokens bypasses two-factor authentication and SSO requirements set in the portal.
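The following is an added illustration of the scope and personal access token semantics described in the two sections above; it is a constructed model, not Fortify on Demand's own code, and the endpoint, scope and permission names are hypothetical. It shows that a scope can only narrow what the owning user already has, that the legacy api-tenant scope reaches every endpoint but grants nothing beyond the user's permissions, and how to derive a least-privilege scope set for a token that bypasses two-factor authentication and SSO.

```python
from dataclasses import dataclass

# Constructed model of the scope semantics in the release notes, not Fortify on
# Demand's own code; endpoint, scope and permission names are hypothetical.
LEGACY_SCOPE = "api-tenant"  # accepted by every endpoint for backwards compatibility

@dataclass(frozen=True)
class Endpoint:
    name: str
    scope: str        # endpoint-specific scope, aligned with the permission model
    permission: str   # portal permission the caller must already hold

@dataclass(frozen=True)
class Token:
    user_permissions: frozenset  # what the owning user can do in the portal
    scopes: frozenset            # scopes attached to the token when issued

def allowed_scopes(ep: Endpoint) -> frozenset:
    """Each endpoint accepts its own scope plus the legacy api-tenant scope."""
    return frozenset({ep.scope, LEGACY_SCOPE})

def is_authorized(token: Token, ep: Endpoint) -> bool:
    """Scopes only narrow access: an accepted scope AND the user's own permission."""
    return bool(token.scopes & allowed_scopes(ep)) and ep.permission in token.user_permissions

def minimal_scopes(user_permissions: frozenset, needed: list) -> frozenset:
    """Least-privilege scopes for a token that bypasses 2FA/SSO (e.g. a CI job's
    personal access token) instead of the catch-all api-tenant scope."""
    return frozenset(ep.scope for ep in needed if ep.permission in user_permissions)

# Constructed sample endpoints
LIST_APPS = Endpoint("GET /applications", "view-apps", "View Applications")
START_SCAN = Endpoint("POST /releases/{id}/static-scans", "start-static-scans", "Start Static Scans")

def demo() -> dict:
    viewer = frozenset({"View Applications"})
    scanner = frozenset({"View Applications", "Start Static Scans"})
    legacy = frozenset({LEGACY_SCOPE})
    return {
        # legacy scope reaches every endpoint, but never beyond the user's permissions
        "viewer_legacy_list": is_authorized(Token(viewer, legacy), LIST_APPS),
        "viewer_legacy_scan": is_authorized(Token(viewer, legacy), START_SCAN),
        # a scope for a permission the user lacks grants nothing extra
        "viewer_scan_scope": is_authorized(Token(viewer, frozenset({"start-static-scans"})), START_SCAN),
        # a capable user's token scoped down to viewing cannot start scans
        "scanner_view_only": is_authorized(Token(scanner, frozenset({"view-apps"})), START_SCAN),
        "ci_scopes": minimal_scopes(scanner, [LIST_APPS, START_SCAN]),
    }
```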

Dashboard Improvements

The custom dashboard feature, previously released as a beta feature, is now generally available for all users. To standardize dashboard usage, the Tenant Dashboard has been removed.

The following improvements have been made to the dashboard for improved usability and viewing:

  • Users can create up to 10 dashboards and switch among them.
  • Users can customize the names of dashboards and tiles.
  • Trending graphs now display the full OWASP category names.
  • Trending graphs have improved scaling and include data point markers that can be displayed or hidden.

Sonatype Integration Updates

Fortify on Demand has updated its Sonatype integration to fully integrate open source component issues found in Sonatype scans. Sonatype issues appear as open source issues at the release level; users can edit them just as with other issues. They are mapped to the OWASP, PCI, and CWE industry-standard classifications.

Sonatype issues are included in the dashboard metrics; issue counts on the Your Applications, Your Releases, and Overview pages; Issue pages export and issues data export; and associated API endpoints.

The Scans pages now display Sonatype scans separately. Sonatype scans are included in the dashboard metrics, scans data exports, and associated API endpoints.

As part of the update, stand-alone interactive and PDF reports are no longer available for new Sonatype scans. Reports are now generated through the Fortify on Demand reporting functionality. The Open Source Component report template and the Open Source Bill-of-Materials and Vulnerable Open Source Components report modules have been added.

To enable Sonatype open source component analysis, organizations will need to opt in to Sonatype upon the upgrade.

Jenkins and IDE Plugins Updates

The Jenkins Plugin has been updated to work with personal access tokens. Users can specify either a global API key or a personal access token to authenticate to the Fortify on Demand API. They can also override global authentication credentials with a personal access token in the Fortify on Demand Static Assessment and Poll Fortify on Demand for Results post-build actions.

The Eclipse Plugin, IntelliJ IDEA Plugin, and Visual Studio Extension have been updated to automatically include the plugin name and version details in the scan notes. The updates also include minor bug fixes.

User Experience Improvements

Concurrent Request Threads Added to Dynamic Scan Settings

The Concurrent request threads field has been added to the Dynamic Scan Setup page for setting the number of concurrent requests that will be used for a dynamic scan:

  • Standard (default): 5 crawl requestor threads, 10 audit requestor threads, 20 second request timeout
  • Limited: 2 crawl requestor threads, 3 audit requestor threads, 5 second request timeout

Selecting the Limited option reduces the scan load but also causes the scan to take longer than the standard SLO.

Configure Added to Start Dynamic/Mobile/Static Scans Permission Categories

The Configure permission has been added to the Start Dynamic Scans, Start Mobile Scans, and Start Static Scans permission categories. Users with the Configure permission can view and edit scan settings, but cannot start a scan. The Deny and Allow permissions remain the same.

FPR Import Improvement

For FPRs imported to Fortify on Demand, the scan start and complete times now use the scan date in the FPR instead of the date the FPR was imported. The change applies to both manual and API imports.

Payload Size Added to Scan Summary

Payload size information (if available) has been added to the scan summary details on the Scans pages. The field is highlighted if the difference in payload size is greater than 10% between the latest and previous scans.

Number of Days to Fix Issues Tracked

Fortify on Demand now tracks the number of days from when an issue was introduced to when it was fixed.

API Key Last Login Details Displayed

For increased visibility into the security of global API keys, the portal now displays their last login date and login IP address.

Review Training Courses Without Affecting Status

Users have the option of reviewing the contents of a course without affecting the completion status or the passed date.

Accessing Fortify on Demand Documentation

Users can access the most recent Fortify on Demand User Guide and Release Notes from the Fortify on Demand Help Center, along with additional support documents and FAQs.

To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support-and-services/documentation
