FedRAMP Fortify on Demand Software Version: 17.1

Release Notes

Document Release Date: Sept. 2017 Software Release Date: Sept. 2017

Release Notes Fortify on Demand v17.1 Release Overview

Fortify on Demand (17.1) Page 2 of 11

Fortify on Demand v17.1 Release Overview

As organizations continue to embrace DevOps principles, the latest release of Fortify on Demand has continued its focus on enabling the integration and automation of application security into the software development lifecycle. Along with expanded, flexible security policy management, this release accelerates the adoption of software security assurance programs.

The version numbering scheme for Micro Focus Fortify on Demand has changed to align with the numbering scheme used by the rest of the Micro Focus Fortify portfolio. The new version number format is <year>.<release_number>, where <year> is the two-digit year of the release and <release_number> is the one-digit sequential number of the release within that year.

For more detailed information on Fortify on Demand, please refer to the Fortify on Demand User Guide located in the Fortify on Demand portal and the Fortify on Demand Help Center.

Release Schedule

The Fortify on Demand v17.1 release schedule is as follows.

Data Center Release Schedule

US FedRAMP September 16, 2017

The Fortify on Demand portal will be unavailable during the upgrade. Assessments that are in progress will continue to run; results of scans that complete during the upgrade will post when the upgrade is complete. If you have questions about the schedule, check with your Technical Account Manager (TAM).

Accessing Fortify on Demand Documentation

You can access the Fortify on Demand User Guide directly from the Documentation link located in the Fortify on Demand portal or from the Fortify on Demand Help Center along with additional support documents and FAQs.

In addition, the context sensitive link icon found in the portal opens a new window that displays the help topic for the feature.

Fortify on Demand Release Notes in English, Spanish, and Japanese are available in the Help Center upon the US release. The Fortify on Demand User Guide is available in English in the portal upon the US release, while the Spanish and Japanese versions are available upon the EMEA, APJ, and AUS release.

Fortify on Demand v17.1 Feature Summary

New Functionalities

Flexible Policy Management

Security leads now have additional control and flexibility in defining their security (pass/fail) policies and can configure how policies are applied to applications in a tenant with the following settings:

• Set the scope that is used to determine which security policy is applied to each application, based on business criticality, application type, or a specific application attribute.

• Assign a policy to each scope value.

Security leads can also create and manage multiple custom security policies. In addition to the star rating and grace remediation period, a custom policy can now specify:

• Which vulnerabilities are included when determining the pass/fail status of an application, based on industry-standard classifications such as PCI, OWASP, DISA STIG, FISMA, or CWE.

• Whether Application Monitoring is required for releases in production.

• Which assessment types are available to applications that have the policy applied.

For more information, see the “Policy Management” section in the Micro Focus Fortify on Demand User Guide.

Enhanced Issue Flow Diagram

The issue flow diagram has enhanced display and navigational functionalities for better usability, particularly around highlighting shared data flows to quickly identify optimal remediation strategies to fix multiple static issues at once.

When a node is selected, the number of highlighted issues is displayed.

Clicking the icon of the first node in a trace drills into issue details.

Additional navigational buttons are available:

• Toggle Heat Map - enables / disables highlighting of data flows.

• Prune - (available when a node is selected) narrows the diagram to the combined data flow of the selected issues.

• Reset - removes pruning and resets the diagram to the default view of the selected issue category.

• Zoom To Fit - resizes the entire diagram to fit in the display without resetting or pruning.

• Full Screen - expands the diagram in full screen mode.

Note: The heat map highlights nodes in different colors based on the number of issues sharing it: red (>50%), orange (>30%) and yellow (>10%).

Redesigned Application and Release Overview Pages

The Application Overview and Release Overview pages have been redesigned to share a consistent look that offers a prominent view of critical information.

Application Overview:

• The Application Releases page is renamed to the Overview page.

• The Overview page displays the production risk and policy compliance that is shown on the Your Applications page’s Managed grid, as well as the Application Monitoring and App Defender statuses.

Release Overview:

• The Release Overview page now displays static, dynamic or mobile, and network scan status.

• The Send to WAF/IPS button has been moved to the Application and Release Scans pages.

• The Enable Audit button has been removed and is only available on the Issues page.

Note: The WAF beta feature must be enabled for the tenant.

Source Control Integration

Fortify on Demand offers source control integration for the following source control platforms: GitHub and Bitbucket. This enables Fortify on Demand to pull source code from repositories on those platforms for static assessments.

The following languages are supported: Java, JavaScript, .NET, PHP, and Python. The requirements for preparing your code for upload to Fortify on Demand remain the same as described in the Micro Focus Fortify on Demand User Guide.

Source control integration is configured at the application level. Once it is configured, users can select a branch or release to upload when starting a static assessment.

The GitHub integration uses the GitHub marketplace application, which is unique to each datacenter.

The Bitbucket integration uses the OAuth consumer functionality in Bitbucket.

Additional updates include:

• The new Static Scan Setup page replaces the Static Scan wizard; static scan settings on this page are carried over to the next static scan.

• The Build Server Integration URL is now automatically generated once the assessment type, technology stack, and language level (if applicable) have been selected on the Static Scan Setup page.

For more information, see the “Source Control Integration” section in the Micro Focus Fortify on Demand User Guide.

Support for DISA STIG 4.1 and OWASP Mobile Top 10 Classifications

Fortify on Demand now supports the DISA STIG 4.1 and OWASP Mobile Top 10 classifications. The portal now includes the following additions:

• DISA STIG 4.1 report modules and report template have been added.

• DISA STIG 4.1 and OWASP 2014 Mobile Top 10 columns have been added to the issues data export.

• DISA STIG 4.1 and OWASP 2014 Mobile Top 10 options have been added to the Release Issues page’s grid view.

Fortify Source Code Analyzer 16.20

Fortify on Demand has implemented the latest version of Micro Focus Fortify Security Source Code Analyzer (version 16.20) for scanning source code. Fortify Source Code Analyzer 16.20 offers the following features:

• Extended Swift support
  - Swift 2.2 support
  - Supported features include dataflow analysis, semantic analysis, control flow analysis, better object interoperability, and higher order analysis

• New .NET front end
  - Eliminates the need for the pre-compile step
  - Enables and expands new robust functionalities

• Objective-C for Xcode 8.0, 8.1 support

• Support for additional ABAP keywords and statements

• Improved TSQL support

• Quality improvements for the Java translator, JavaScript translator, and Dataflow Analyzer

User Experience Improvements

Show or Hide Fixed and Suppressed Issues Separately

Users can now show or hide fixed (Fixed / Fixed Validated) and suppressed (False Positive Confirmed, Suppressed) issues separately on the Application Monitoring, Release Overview, and Release Issues pages.

Improved Global Search

The Fortify on Demand portal’s global search now supports filtering search results by applications, releases, and/or reports. The number of results displayed has also been increased.

Improved Navigation by Scan Status Icons

Users can now directly access details of the most recent scan status for a release by clicking the status icons displayed in the Your Applications, Your Releases, Application Overview, and Release Overview pages.

• Not Started (not applicable for the Your Applications page): you are redirected to the relevant Scan Setup page, or to the Release Scans page for a network scan.

• Scheduled: you are redirected to the relevant Scan Setup page.

• In Progress: you are redirected to the Release Scans page.

• Paused: you are redirected to the Release Scans page and the Help Center Tickets modal window.

• Canceled: you are redirected to the relevant Scan Setup page, or to the Release Scans page for a canceled network scan.

• Completed: you are redirected to the Release Issues page filtered by the relevant scan type.

• Monitoring: you are redirected to the application's Application Monitoring page.

Improved Display and Logging of Paused Scan Activity

The portal now has improved display and logging of paused scan activity.

• All release-level pages display a status bar notifying the pause and pause reason, along with a link to access associated Help Center tickets.

• The application’s event log now records the paused date and time, pause reason, and associated Help Center tickets.

• Data exports include the Paused Count (number of times the scan was paused) and Pause Reasons (reasons for the scan pause) columns.

• The pause count and pause reasons have been added to the scan summary available on the Application Scans and Release Scans pages.

• The following API endpoints now return pause count and pause reasons:
  - GET /api/v3/applications/{applicationId}/scans
  - GET /api/v3/releases/{releaseId}/scans

Standardized False Positive Challenge Submission Process

The False Positive Challenge submission process has been standardized to support timely, accurate review of false positive challenges by the Fortify on Demand security experts.

The False Positive Challenge form guides users through the supplemental information needed by the security experts. This must be completed to update the Developer Status and enable the challenge to be submitted.

Users can only flag issues during the remediation period of the last scan where the issues were found. After the remediation period has expired, security experts no longer have access to certain relevant scan details.

If a user believes multiple issues are false positives due to a common mitigating control or similar reason, users should mark one representative issue for the false positive challenge. Based on feedback from the Fortify on Demand experts, the user can then choose whether to suppress other potentially related issues.

Improved Reporting of Static Scan Files

The Static File Listing report module now lists all scanned files according to the FPR, including file size and last modified date. This helps users check which files were scanned as well as compare differences against previous scans.

Note: The Static File Listing report module has been removed from the Static Summary and Hybrid Summary report templates.

Updated Software Security Center Link Utility

Software Security Center (SSC) Link Utility version 4.0.0 has been released. The SSC Link Utility now allows customization of the Fortify on Demand API URL through the user interface, along with several bug fixes.

API Improvements

The following improvements have been made to the Fortify on Demand API:

• The following endpoints have been added:
  - POST /api/v3/releases/{releaseId}/static-scans/start-scan-with-defaults
  - GET /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/traces/{traceIndex}/{traceEntryIndex}/snippet

• The includeFixed and includeSuppressed optional parameters have been added to the following endpoints:
  - GET /api/v3/releases/{releaseId}/vulnerabilities
  - GET /api/v3/releases/{releaseId}/vulnerability-filters

• AnalyzerName has been added to GET /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/details.

• GET /api/v3/releases/{releaseId}/vulnerability-filter uses the text value for scanType.

• PrimaryLocationFull has been added to GET /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/summary.

• The keywordSearch optional parameter has been added to GET /api/v3/releases/{releaseId}/vulnerabilities.

• Support for filtering by package has been added to GET /api/v3/releases/{releaseId}/vulnerabilities.

• Support for filtering and sorting by parentAssessmentTypeName, parentAssessmentTypeScanType, and parentAssessmentTypeScanTypeId has been added to GET /api/v3/releases/{releaseId}/assessment-types.

• The VulnerabilitySeverityTypes, TechnologyTypes, LanguageLevels, and AuditActionTypes optional parameters have been added to GET /api/v3/lookup-items.

• The emailList parameter is optional on POST /api/v3/applications and PUT /api/v3/applications/{applicationId}.

• Case-insensitive filtering has been added to the releaseName, releaseDescription, and applicationName properties for the following endpoints:
  - GET /api/v3/releases
  - GET /api/v3/applications/{applicationId}/

• Case-insensitive filtering and string matching have been added to the applicationName and emailList properties for GET /api/v3/applications.

• AuditPendingSuppression has been added to the following endpoints:
  - GET /api/v3/releases/{releaseId}/vulnerabilities
  - GET /api/v3/releases/{releaseId}/vulnerability-filters
  - GET /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/all-data
  - GET /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/summary
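The following is an added example, not client code from Fortify on Demand or Micro Focus. It shows how a caller would assemble requests for two of the endpoints listed above (the vulnerabilities list with its new includeFixed, includeSuppressed and keywordSearch parameters, and the new trace snippet endpoint) while keeping caller-supplied identifiers out of the URL structure, and it mirrors the includeFixed / includeSuppressed semantics client-side using the Fixed, Fixed Validated, False Positive Confirmed and Suppressed statuses named in this release note. The base URL, the "true"/"false" encoding of the boolean parameters, the "status" field name and the sample issue records are assumptions made for the example; only the endpoint paths and parameter names come from the release notes.

```python
from urllib.parse import quote, urlencode

# Added example; not Fortify on Demand's own client code. Endpoint paths and
# parameter names come from the release notes. Assumptions: the base URL, the
# "true"/"false" encoding of boolean parameters, the "status" field name and
# the constructed records in SAMPLE_ISSUES.

FIXED_STATUSES = {"Fixed", "Fixed Validated"}
SUPPRESSED_STATUSES = {"False Positive Confirmed", "Suppressed"}


def _check_index(name, value):
    """Accept only non-negative integers, so a caller-supplied identifier can
    never splice extra path segments (e.g. "42/../x") into the request."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{name} must be a non-negative integer")
    return value


def release_vulnerabilities_url(base_url, release_id, *, include_fixed=None,
                                include_suppressed=None, keyword_search=None):
    """Build GET /api/v3/releases/{releaseId}/vulnerabilities.

    Parameters left as None are omitted from the query string so the server
    default applies; the keyword is URL-encoded rather than concatenated.
    """
    _check_index("release_id", release_id)
    params = {}
    if include_fixed is not None:
        params["includeFixed"] = "true" if include_fixed else "false"
    if include_suppressed is not None:
        params["includeSuppressed"] = "true" if include_suppressed else "false"
    if keyword_search:
        params["keywordSearch"] = keyword_search
    url = f"{base_url.rstrip('/')}/api/v3/releases/{release_id}/vulnerabilities"
    return f"{url}?{urlencode(params)}" if params else url


def trace_snippet_url(base_url, release_id, vuln_id, trace_index, trace_entry_index):
    """Build GET .../vulnerabilities/{vulnId}/traces/{traceIndex}/{traceEntryIndex}/snippet.

    vulnId is percent-encoded as one opaque path segment (its type is not
    stated in the release notes); the two trace indices must be integers.
    """
    _check_index("release_id", release_id)
    _check_index("trace_index", trace_index)
    _check_index("trace_entry_index", trace_entry_index)
    vuln_segment = quote(str(vuln_id), safe="")
    return (f"{base_url.rstrip('/')}/api/v3/releases/{release_id}/vulnerabilities/"
            f"{vuln_segment}/traces/{trace_index}/{trace_entry_index}/snippet")


def visible_issues(issues, *, include_fixed=False, include_suppressed=False):
    """Client-side mirror of the includeFixed / includeSuppressed switches:
    fixed and suppressed issues are hidden unless explicitly requested."""
    kept = []
    for issue in issues:
        status = issue.get("status")  # assumed field name
        if status in FIXED_STATUSES and not include_fixed:
            continue
        if status in SUPPRESSED_STATUSES and not include_suppressed:
            continue
        kept.append(issue)
    return kept


# Constructed sample records, not real scan output.
SAMPLE_ISSUES = [
    {"id": 1, "category": "SQL Injection", "status": "Open"},
    {"id": 2, "category": "Cross-Site Scripting", "status": "Fixed Validated"},
    {"id": 3, "category": "Path Manipulation", "status": "Suppressed"},
    {"id": 4, "category": "Password Management", "status": "False Positive Confirmed"},
]


if __name__ == "__main__":
    base = "https://fod.example.invalid"  # placeholder base URL
    print(release_vulnerabilities_url(base, 42, include_fixed=False,
                                      keyword_search="SQL Injection"))
    print(trace_snippet_url(base, 42, "abc-123", 0, 3))
    print([i["id"] for i in visible_issues(SAMPLE_ISSUES, include_fixed=True)])
```

Keeping the optional parameters out of the query unless the caller sets them means a script written against the previous API behaviour (fixed and suppressed issues hidden) keeps working; a reporting job that needs the full history opts in with both switches explicitly.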

Performance Improvements

This release includes performance improvement for page loading times.

Legal Notices

Warranty

The only warranties for Micro Focus Development products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from Micro Focus required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned, and may not be used for any other purpose.

You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third party.

Copyright Notice

© Copyright 2010-2017 Micro Focus Plc

Trademark Notices

Adobe® is a trademark of Adobe Systems Incorporated.

Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.

UNIX® is a registered trademark of The Open Group.

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number

• Document Release Date, which changes each time the document is updated

• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://community.saas.hpe.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation

You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your Micro Focus sales representative for details.

Contacting Micro Focus Fortify on Demand Support

If you have questions or comments about using this product, contact Micro Focus Fortify on Demand Technical Support using one of the following options.

• Contact your Technical Account Manager (TAM).

For More Information

For more information about Micro Focus software products:

https://software.microfocus.com/en-us/software/enterprise-security