FedRAMP Fortify on Demand


FedRAMP Fortify on Demand
Software Version: 17.1
Release Notes
Document Release Date: Sept. 2017
Software Release Date: Sept. 2017

As organizations continue to embrace DevOps principles, the latest release of Fortify on Demand has continued its focus on enabling the integration and automation of application security into the software development lifecycle. Along with expanded, flexible security policy management, this release accelerates the adoption of software security assurance programs.

The version numbering scheme for Micro Focus Fortify on Demand has changed to align with the numbering scheme used by the rest of the Micro Focus Fortify portfolio. The new version number format is <year>.<release_number>, where <year> is the two-digit year of the release and <release_number> is the one-digit sequential number of the release that year.

For more detailed information on Fortify on Demand, please refer to the Fortify on Demand User Guide located in the Fortify on Demand portal and the Fortify on Demand Help Center.

Release Schedule

The Fortify on Demand v17.1 release schedule is as follows.

Data Center: US FedRAMP
Release Schedule: September 16, 2017

The Fortify on Demand portal will be unavailable during the upgrade. Assessments that are in progress will continue to run; results of scans that complete during the upgrade post when the upgrade is complete. If you have questions about the schedule, check with your Technical Account Manager (TAM).

Accessing Fortify on Demand Documentation

You can access the Fortify on Demand User Guide directly from the Documentation link located in the Fortify on Demand portal or from the Fortify on Demand Help Center, along with additional support documents and FAQs.

Fortify on Demand (17.1) Page 2 of 11

In addition, the context-sensitive help icon found in the portal opens a new window that displays the help topic for the feature.

Fortify on Demand Release Notes in English, Spanish, and Japanese are available in the Help Center upon the US release. The Fortify on Demand User Guide is available in English in the portal upon the US release, while the Spanish and Japanese versions are available upon the EMEA, APJ, and AUS release.

Fortify on Demand v17.1 Feature Summary

New Functionalities

Flexible Policy Management

Security leads now have additional control and flexibility in defining their security (pass/fail) policies and can configure how policies are applied to applications in a tenant with the following settings:
- Set the scope that is used to determine which security policy is applied to each application, based on business criticality, application type, or a specific application attribute
- Assign a policy to each scope value
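The following is an added illustrative model of the scope selection described above and of the custom policy settings that the next paragraph lists (classification filter, grace remediation period, Application Monitoring requirement). It is example code written for these notes, not Fortify on Demand's own code, and the star-rating rule it uses (the worst open, in-scope issue that has outlived the grace period sets the rating) is an assumption, as are the applications, issues, and dates; the release notes do not define the real algorithm.

```python
"""Illustrative model of Fortify on Demand's flexible policy management.

Added example, not Fortify on Demand's own code or its real pass/fail
algorithm. It models what this section describes: a scope (business
criticality, application type or a custom attribute) that selects each
application's policy, and a policy that counts only issues in chosen
classifications (PCI, OWASP, DISA STIG, FISMA, CWE), allows a grace
remediation period and may require Application Monitoring. The rating
rule, applications, issues and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

@dataclass
class Issue:
    issue_id: str
    severity: str              # Critical, High, Medium, Low
    classifications: Set[str]  # e.g. {"PCI", "OWASP"}
    first_found: date          # date of the first scan that reported it
    status: str = "Open"       # Open, Fixed or Suppressed

@dataclass
class Policy:
    name: str
    required_stars: int        # minimum star rating to pass (1-5)
    grace_days: int            # grace remediation period
    classifications: Optional[Set[str]] = None  # None: every issue counts
    monitoring_required: bool = False

@dataclass
class Application:
    name: str
    business_criticality: str
    application_type: str
    attributes: Dict[str, str] = field(default_factory=dict)
    monitoring_enabled: bool = False

@dataclass
class PolicyScope:
    """Scope kind ("criticality", "type" or an attribute name) and the policy assigned to each value."""
    kind: str
    assignments: Dict[str, Policy]
    default: Policy

    def select(self, app: Application) -> Policy:
        if self.kind == "criticality":
            key = app.business_criticality
        elif self.kind == "type":
            key = app.application_type
        else:
            key = app.attributes.get(self.kind, "")
        return self.assignments.get(key, self.default)

# Constructed rating rule (assumption): the worst open in-scope issue that
# has outlived the grace period decides the star rating.
SEVERITY_STARS = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4}

def in_scope(issue: Issue, policy: Policy) -> bool:
    if issue.status != "Open":
        return False
    if policy.classifications is None:
        return True
    return bool(issue.classifications & policy.classifications)

def star_rating(issues: List[Issue], policy: Policy, today: date) -> int:
    stars = 5
    for issue in issues:
        if not in_scope(issue, policy):
            continue
        if today - issue.first_found <= timedelta(days=policy.grace_days):
            continue               # still within the remediation grace period
        stars = min(stars, SEVERITY_STARS.get(issue.severity, 5))
    return stars

def evaluate(app: Application, issues: List[Issue], scope: PolicyScope,
             today: date) -> dict:
    policy = scope.select(app)
    stars = star_rating(issues, policy, today)
    passed = stars >= policy.required_stars
    if policy.monitoring_required and not app.monitoring_enabled:
        passed = False             # production release without monitoring fails
    return {"policy": policy.name, "stars": stars, "passed": passed}

# Constructed tenant: high-criticality applications get a strict PCI policy.
PCI_POLICY = Policy("PCI strict", required_stars=4, grace_days=0,
                    classifications={"PCI"}, monitoring_required=True)
STANDARD_POLICY = Policy("Standard", required_stars=3, grace_days=30)
SCOPE = PolicyScope("criticality", {"High": PCI_POLICY}, STANDARD_POLICY)
APPS = [Application("payments", "High", "Web", monitoring_enabled=True),
        Application("intranet", "Low", "Web")]
ISSUES = [Issue("1", "Critical", {"OWASP", "CWE"}, date(2017, 9, 1)),
          Issue("2", "High", {"PCI", "OWASP"}, date(2017, 9, 5)),
          Issue("3", "Critical", {"PCI"}, date(2017, 9, 10), status="Fixed"),
          Issue("4", "Medium", {"CWE"}, date(2017, 9, 12))]

def demo(days_after_release: int = 0) -> Dict[str, dict]:
    """Evaluate every application under its scope-selected policy, as of
    the constructed release date plus the given number of days."""
    today = date(2017, 9, 16) + timedelta(days=days_after_release)
    return {app.name: evaluate(app, ISSUES, SCOPE, today) for app in APPS}
```

Running demo() shows the two effects of the policy settings: the payments application fails its PCI policy because of the one open PCI-classified issue even though the non-PCI Critical issue is ignored, while the intranet application passes on release day only because its issues are still inside the 30-day grace period; demo(30) shows it failing once that period has elapsed.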

Security Leads can also create and manage multiple custom security policies. In addition to the star rating and grace remediation period, a custom policy can now specify:
- Which vulnerabilities are included when determining the pass/fail status of an application, based on industry-standard classifications such as PCI, OWASP, DISA STIG, FISMA, or CWE
- Whether Application Monitoring is required for releases in production
- Which assessment types are available to applications that have the policy applied

For more information, see the Policy Management section in the Micro Focus Fortify on Demand User Guide.

Enhanced Issue Flow Diagram

The issue flow diagram has enhanced display and navigational functionalities for better usability, particularly around highlighting shared data flows to quickly identify optimal remediation strategies that fix multiple static issues at once. When a node is selected, the number of highlighted issues is displayed. Clicking the icon of the first node in a trace drills into issue details. Additional navigational buttons are available:
- Toggle Heat Map: enables/disables highlighting of data flows.

Note: The heat map highlights nodes in different colors based on the number of issues sharing each node: red (>50%), orange (>30%), and yellow (>10%).
- Prune (available when a node is selected): narrows the diagram to the combined data flow of the selected issues.
- Reset: removes pruning and resets the diagram to the default view of the selected issue category.
- Zoom To Fit: resizes the entire diagram to fit in the display without resetting or pruning.
- Full Screen: expands the diagram in full screen mode.

Redesigned Application and Release Overview Pages

The Application Overview and Release Overview pages have been redesigned to share a consistent look that offers a prominent view of critical information.

Application Overview:
- The Application Releases page is renamed to the Overview page.
- The Overview page displays the production risk and policy compliance that is shown on the Your Applications page's Managed grid, as well as the Application Monitoring and App Defender statuses.

Release Overview:
- The Release Overview page now displays static, dynamic or mobile, and network scan status.
- The Send to WAF/IPS button has been moved to the Application and Release Scans pages. Note: The WAF beta feature must be enabled for the tenant.
- The Enable Audit button has been removed and is only available on the Issues page.
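The heat map thresholds and the Prune behaviour described under Enhanced Issue Flow Diagram above, as an added example that is not part of the release notes or Fortify on Demand's code: each static issue is modelled as the ordered list of nodes its data flow passes through, a node's colour follows the stated red/orange/yellow thresholds, and the most-shared node is the single point where one fix closes the most findings. The traces and node names are constructed.

```python
"""Illustrative model of the issue flow diagram's heat map and pruning.

Added example, not Fortify on Demand's own code. Each static issue is
modelled as a trace: the ordered list of nodes its data flow passes
through. A node's colour follows the thresholds stated in the release
notes (red >50%, orange >30%, yellow >10% of the issues in the selected
category pass through the node). The traces below are constructed.
"""
from collections import Counter
from typing import Dict, List

# Constructed traces for one issue category (say, SQL Injection): each
# issue lists the nodes (file:line) its data flow passes through.
TRACES: Dict[str, List[str]] = {
    "issue-1": ["Login.java:12", "Util.java:40", "Dao.java:88"],
    "issue-2": ["Search.java:7", "Util.java:40", "Dao.java:88"],
    "issue-3": ["Admin.java:3", "Dao.java:88"],
    "issue-4": ["Report.java:21", "Dao.java:95"],
    "issue-5": ["Export.java:9", "Dao.java:101"],
}


def node_share(traces: Dict[str, List[str]]) -> Dict[str, float]:
    """Fraction of the category's issues whose flow passes each node."""
    counts: Counter = Counter()
    for nodes in traces.values():
        for node in set(nodes):      # an issue counts once per node
            counts[node] += 1
    total = len(traces)
    return {node: c / total for node, c in counts.items()}


def heat_colour(share: float) -> str:
    """Threshold mapping as stated in the release notes."""
    if share > 0.5:
        return "red"
    if share > 0.3:
        return "orange"
    if share > 0.1:
        return "yellow"
    return "none"


def heat_map(traces: Dict[str, List[str]]) -> Dict[str, str]:
    return {node: heat_colour(s) for node, s in node_share(traces).items()}


def issues_through(traces: Dict[str, List[str]], node: str) -> List[str]:
    """Issue ids highlighted when `node` is selected in the diagram."""
    return sorted(i for i, nodes in traces.items() if node in nodes)


def prune(traces: Dict[str, List[str]], selected: List[str]) -> Dict[str, List[str]]:
    """Prune: keep only the combined data flow of the selected issues."""
    return {i: traces[i] for i in selected if i in traces}


def best_fix_point(traces: Dict[str, List[str]]) -> str:
    """The node shared by the most issues: where one code fix closes the
    most findings (ties broken by name so the answer is deterministic)."""
    share = node_share(traces)
    return max(sorted(share), key=lambda n: share[n])


if __name__ == "__main__":
    print(heat_map(TRACES))
    print(issues_through(TRACES, "Util.java:40"))
    print(prune(TRACES, issues_through(TRACES, "Util.java:40")))
    print(best_fix_point(TRACES))
```

With the constructed traces, the shared sink Dao.java:88 is red (three of five issues), Util.java:40 is orange (two of five) and every entry point is yellow; selecting Util.java:40 and pruning leaves only issue-1 and issue-2, which is the diagram state the notes describe for evaluating a fix that covers several issues at once.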

Source Control Integration

Fortify on Demand offers source control integration for the following source control platforms: GitHub and Bitbucket. This enables Fortify on Demand to pull source code from repositories on those platforms for static assessments. The following languages are supported: Java, JavaScript, .NET, PHP, and Python. The requirements for preparing your code for upload to Fortify on Demand remain the same as described in the Micro Focus Fortify on Demand User Guide.

Source control integration is configured at the application level. Once it is configured, users can select a branch or release to upload when starting a static assessment. The GitHub integration uses the GitHub Marketplace application, which is unique to each data center.

The Bitbucket integration uses the OAuth consumer functionality in Bitbucket.

Additional updates include:
- The new Static Scan Setup page replaces the Static Scan wizard; static scan settings on this page are carried over to the next static scan.
- The Build Server Integration URL is now automatically generated once the assessment type, technology stack, and language level (if applicable) have been selected on the Static Scan Setup page.

For more information, see the Source Control Integration section in the Micro Focus Fortify on Demand User Guide.

Support for DISA STIG 4.1 and OWASP Mobile Top 10 Classifications

Fortify on Demand now supports the DISA STIG 4.1 and OWASP Mobile Top 10 classifications. The portal now includes the following additions:
- DISA STIG 4.1 report modules and report template have been added.
- DISA STIG 4.1 and OWASP 2014 Mobile Top 10 columns have been added to the issues data export.
- DISA STIG 4.1 and OWASP 2014 Mobile Top 10 options have been added to the Release Issue page's grid view.

Fortify Source Code Analyzer 16.20

Fortify on Demand has implemented the latest version of Micro Focus Fortify Security Source Code Analyzer (version 16.20) for scanning source code. Fortify Source Code Analyzer 16.20 offers the following features:
- Extended Swift support
  - Swift 2.2 support
  - Supported features include dataflow analysis, semantic analysis, control flow analysis, better object interoperability, and higher order analysis

- New .NET front end
  - Eliminates the need for the pre-compile step
  - Enables and expands new robust functionalities
- Objective-C for Xcode 8.0, 8.1 support
- Support for additional ABAP keywords and statements
- Improved TSQL support
- Quality improvements for the Java translator, JavaScript translator, and Dataflow Analyzer

User Experience Improvements

Show or Hide Fixed and Suppressed Issues Separately

Users can now show or hide fixed (Fixed / Fixed Validated) and suppressed (False Positive Confirmed, Suppressed) issues separately on the Application Monitoring, Release Overview, and Release Issues pages.

Improved Global Search

The Fortify on Demand portal's global search now provides filtering of search results by applications, releases, and/or reports. The number of results displayed is also increased.

Improved Navigation by Scan Status Icons

Users can now directly access details of the most recent scan status for a release by clicking the status icons displayed in the Your Applications, Your Releases, Application Overview, and Release Overview pages.
- Not Started (not applicable for the Your Applications page): you are redirected to the relevant Scan Setup page or to the Release Scans page for a network scan.
- Scheduled: you are redirected to the relevant Scan Setup page.
- In Progress: you are redirected to the Release Scans page.
- Paused: you are redirected to the Release Scans page and the Help Center Tickets modal window.
- Canceled: you are redirected to the relevant Scan Setup page or to the Release Scans page for a canceled network scan.
- Completed: you are redirected to the Release Issues page filtered by the relevant scan type.
- Monitoring: you are redirected to the application's Application Monitoring page.

Improved Display and Logging of Paused Scan Activity

The portal now has improved display and logging of paused scan activity:
- All release-level pages display a status bar notifying of the pause and the pause reason, along with a link to access associated Help Center tickets.
- The application's event log now records the paused date and time, pause reason, and associated Help Center tickets.
- Data exports include the Paused Count (number of times the scan was paused) and Pause Reasons (reasons for the scan pause) columns.
- The pause count and pause reasons have been added to the scan summary available on the Application Scans and Release Scans pages.
- The following API endpoints now return pause count and pause reasons:
  GET /api/v3/applications/{applicationid}/scans
  GET /api/v3/releases/{releaseid}/scans

Standardized False Positive Challenge Submission Process

The False Positive Challenge submission process has been standardized to support timely, accurate review of false positive challenges by the Fortify on Demand security experts. The False Positive Challenge form guides users through the supplemental information needed by the security experts. This must be completed to update the Developer Status and enable the challenge to be submitted.

Users can only flag issues during the remediation period of the last scan where the issues were found. After the remediation period has expired, security experts no longer have access to certain relevant scan details. If a user believes multiple issues are false positives due to a common mitigating control or similar reason, the user should mark one representative issue for the false positive challenge. Based on feedback from the Fortify on Demand experts, the user can then choose whether to suppress other potentially related issues.

Improved Reporting of Static Scan Files

The Static File Listing report module now lists all scanned files according to the FPR, including file size and last modified date. This helps users check which files were scanned as well as compare differences from previous scans. Note: The Static File Listing report module has been removed from the Static Summary and Hybrid Summary report templates.

Updated Software Security Center Link Utility

Software Security Center (SSC) Link Utility version 4.0.0 has been released. The SSC Link Utility now allows customization of the Fortify on Demand API URL through the user interface, along with several bug fixes.

API Improvements

The following improvements have been made to the Fortify on Demand API:
- The following endpoints have been added:
  POST /api/v3/releases/{releaseid}/static-scans/start-scan-with-defaults
  GET /api/v3/releases/{releaseid}/vulnerabilities/{vulnid}/traces/{traceindex}/{traceentryindex}/snippet
- The includefixed and includesuppressed optional parameters have been added to the following endpoints:
  GET /api/v3/releases/{releaseid}/vulnerabilities
  GET /api/v3/releases/{releaseid}/vulnerability-filters
- AnalyzerName has been added to GET /api/v3/releases/{releaseid}/vulnerabilities/{vulnid}/details.
- GET /api/v3/releases/{releaseid}/vulnerability-filter uses the text value for scantype.
- PrimaryLocationFull has been added to GET /api/v3/releases/{releaseid}/vulnerabilities/{vulnid}/summary.
- The keywordsearch optional parameter has been added to GET /api/v3/releases/{releaseid}/vulnerabilities.
- Support for filtering by package has been added to GET /api/v3/releases/{releaseid}/vulnerabilities.
- Support for filtering and sorting by parentassessmenttypename, parentassessmenttypescantype, and parentassessmenttypescantypeid has been added to GET /api/v3/releases/{releaseid}/assessment-types.
- The VulnerabilitySeverityTypes, TechnologyTypes, LanguageLevels, and AuditActionTypes optional parameters have been added to GET /api/v3/lookup-items.
- The emaillist parameter is optional on POST /api/v3/applications and PUT /api/v3/applications/{applicationid}.
- Case-insensitive filtering has been added to the releasename, releasedescription, and applicationname properties for the following endpoints:
  GET /api/v3/releases
  GET /api/v3/applications/{applicationid}/
- Case-insensitive filtering and string matching have been added to the applicationname and emaillist properties for GET /api/v3/applications.
- AuditPendingSuppression has been added to the following endpoints:
  GET /api/v3/releases/{releaseid}/vulnerabilities
  GET /api/v3/releases/{releaseid}/vulnerability-filters
  GET /api/v3/releases/{releaseid}/vulnerabilities/{vulnid}/all-data
  GET /api/v3/releases/{releaseid}/vulnerabilities/{vulnid}/summary

Performance Improvements

This release includes performance improvements for page loading times.
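The following added example shows how a pipeline script might use the API changes listed above and the pause count and pause reasons now returned by the scans endpoints (see Improved Display and Logging of Paused Scan Activity). It is not Fortify on Demand's own client code. The endpoint paths and the names includefixed, includesuppressed, keywordsearch, AnalyzerName and AuditPendingSuppression come from these release notes; the API base URL, the bearer-token Authorization header, the "items" list wrapper, the vulnId/scanId keys and the pauseCount/pauseReasons property names are assumptions, and both responses are constructed so the example runs offline.

```python
"""Using the Fortify on Demand v3 API additions described in this release.

Added example, not Fortify on Demand's own client code. Endpoint paths and
the names includefixed, includesuppressed, keywordsearch, AnalyzerName and
AuditPendingSuppression come from the release notes. The base URL, the
bearer-token header, the "items" wrapper, the vulnId/scanId keys and the
pauseCount/pauseReasons property names are assumptions; the two responses
below are constructed so the example runs offline.
"""
import json
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder: substitute the API URL of your data center (the SSC Link
# Utility in this release lets you set the same URL in its UI).
BASE_URL = "https://fod-api.example.invalid"


def vulnerabilities_url(release_id: int, include_fixed: bool = False,
                        include_suppressed: bool = False,
                        keyword: Optional[str] = None) -> str:
    """Build the release vulnerabilities query with the new optional
    parameters. Fixed and suppressed issues stay hidden unless asked for,
    mirroring the portal's separate show/hide controls."""
    params = {
        "includefixed": str(include_fixed).lower(),
        "includesuppressed": str(include_suppressed).lower(),
    }
    if keyword:
        params["keywordsearch"] = keyword
    return f"{BASE_URL}/api/v3/releases/{release_id}/vulnerabilities?{urlencode(params)}"


def scans_url(release_id: int) -> str:
    return f"{BASE_URL}/api/v3/releases/{release_id}/scans"


def fetch_json(url: str, token: str) -> dict:
    """GET a JSON document with a bearer token (assumed auth scheme)."""
    req = Request(url, headers={"Authorization": f"Bearer {token}",
                                "Accept": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)


# Constructed response for GET .../vulnerabilities?includesuppressed=true
SAMPLE_VULNS = {"items": [
    {"vulnId": 101, "category": "SQL Injection", "severity": "Critical",
     "AnalyzerName": "Dataflow", "AuditPendingSuppression": False},
    {"vulnId": 102, "category": "Path Manipulation", "severity": "High",
     "AnalyzerName": "Dataflow", "AuditPendingSuppression": True},
    {"vulnId": 103, "category": "Poor Error Handling", "severity": "Low",
     "AnalyzerName": "Semantic", "AuditPendingSuppression": False},
]}

# Constructed response for GET .../scans carrying the new pause fields
SAMPLE_SCANS = {"items": [
    {"scanId": 7, "scanType": "Static", "analysisStatusType": "Completed",
     "pauseCount": 0, "pauseReasons": []},
    {"scanId": 8, "scanType": "Dynamic", "analysisStatusType": "Paused",
     "pauseCount": 2, "pauseReasons": ["Site unreachable",
                                         "Credentials required"]},
]}


def pending_suppressions(vulns: List[dict]) -> List[int]:
    """Suppressions still awaiting audit: a release should not be treated
    as policy-compliant while these are unreviewed."""
    return [v["vulnId"] for v in vulns if v.get("AuditPendingSuppression")]


def issues_by_analyzer(vulns: List[dict]) -> Dict[str, int]:
    """Count issues per analyzer; Dataflow findings carry a trace to
    review in the issue flow diagram, Semantic ones do not."""
    return dict(Counter(v.get("AnalyzerName", "Unknown") for v in vulns))


def paused_scans(scans: List[dict]) -> List[dict]:
    """Scans paused at least once, with their reasons, so a build job can
    surface them instead of waiting on a scan that needs human input."""
    return [{"scanId": s["scanId"], "pauseCount": s["pauseCount"],
             "pauseReasons": s["pauseReasons"]}
            for s in scans if s.get("pauseCount", 0) > 0]


if __name__ == "__main__":
    print(vulnerabilities_url(42, include_suppressed=True, keyword="SQL"))
    print(pending_suppressions(SAMPLE_VULNS["items"]))
    print(issues_by_analyzer(SAMPLE_VULNS["items"]))
    print(paused_scans(SAMPLE_SCANS["items"]))
```

Against a live tenant, fetch_json(vulnerabilities_url(...), token)["items"] replaces SAMPLE_VULNS["items"]; the query deliberately includes suppressed issues so that pending_suppressions can catch suppressions that have not yet been audited, which a query with the default includesuppressed=false would never return.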

Legal Notices

Warranty
The only warranties for Micro Focus Development products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from Micro Focus required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned, and may not be used for any other purpose. You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third party.

Copyright Notice
Copyright 2010-2017 Micro Focus Plc

Trademark Notices
Adobe is a trademark of Adobe Systems Incorporated. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. UNIX is a registered trademark of The Open Group.

Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://community.saas.hpe.com/t5/fortify-product-documentation/ct-p/fortify-product-documentation

You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your Micro Focus sales representative for details.

Contacting Micro Focus Fortify on Demand Support
If you have questions or comments about using this product, contact Micro Focus Fortify on Demand Technical Support using one of the following options.
- Contact your Technical Account Manager (TAM).

For More Information
For more information about Micro Focus software products: https://software.microfocus.com/en-us/software/enterprise-security