Fortify Integration
The Fortify integration with Opsera automates application security testing within CI/CD pipelines to detect and remediate vulnerabilities early, ensuring continuous compliance and risk reduction.
Key Values
End-to-End Application Security Across the SDLC: Fortify provides comprehensive security coverage, including static and dynamic analysis, throughout the entire software development lifecycle, ensuring vulnerabilities are identified and addressed at every stage.
Automated Security Testing in CI/CD Pipelines: The integration allows you to automatically scan code for vulnerabilities as part of your continuous integration and delivery workflows, reducing manual effort and speeding up the feedback loop for developers.
Early Detection and Remediation of Vulnerabilities: By embedding Fortify scans into the development process, security issues are caught and remediated early, before code reaches production, minimizing risk and reducing remediation costs.
Enhanced Developer Awareness and Best Practices: Continuous security feedback helps developers learn about and avoid introducing vulnerabilities, fostering a culture of security within development teams.
Centralized Security Governance and Visibility: Opsera provides a unified interface to monitor, manage, and orchestrate Fortify scans alongside other DevSecOps tools, offering real-time visibility into security posture and actionable intelligence.
Example Use Case
Continuous Security Scanning in a Financial Services Application
Scenario: A team integrates Fortify into their Opsera pipeline to automate static and dynamic application security testing (SAST and DAST) at every code push. The Fortify integration is configured to scan the application’s source code and running environment for vulnerabilities.
How It Works:
Pipeline Setup: A Fortify step is added to the Opsera pipeline, configured with the application name, release version, and relevant technology stack.
Automated Scanning: Every time code is committed, Fortify automatically scans the codebase and running application for security vulnerabilities.
Threshold Enforcement: If vulnerabilities above a defined severity threshold (e.g., High or Critical) are detected, the pipeline can be configured to fail or trigger alerts, preventing insecure code from progressing to production.
Remediation and Reporting: Developers receive immediate feedback on vulnerabilities, including actionable remediation guidance. Security teams and compliance officers can access detailed reports and audit logs within Opsera for compliance and governance purposes.
Prerequisite
Fortify Tool Registration:
Ensure the Fortify tool is registered in Opsera. See the Fortify Tool Registration documentation.
Step-by-Step Procedure
Step 1: Fortify Platform Configuration
Gather Tenant Code
Log in to the Fortify platform.
Click the down arrow next to your username in the upper right corner.
Select Account Settings from the dropdown menu.
On the Account Settings page, locate the Tenant field.
Copy the code provided to use in Opsera Tool Configuration.
Obtain Access Key (API Key)
From the top banner, select Administration.
Click the gear icon on the left to access settings.
Select API from the top navigation.
In the NAME column, find StartScans.
Copy the API Key provided.
Generate Secret Key
In the StartScans row (from the previous step), click NEW SECRET.
Confirm by clicking YES on the pop-up.
Copy the Secret Key displayed.
Note: This will only be shown once.
Step 2: Fortify Pipeline Configuration
Navigate to Products > Pipelines.
Open the required pipeline.
Click Edit Workflow.
Add a new step by clicking the + icon.
Edit Step:
Click on the new step.
In Step Definition:
Enter a Step Name.
Select Fortify from the Tool dropdown.
Click Save and Close.
Configure Step:
Click the step to configure the Fortify step.
Provide the following:
Fortify Tool: The specific Fortify security tool that has been registered and configured in the Opsera Tool Registry.
Application: The name or identifier of the software application being scanned for security vulnerabilities.
Release/Version: The specific release or version number of the application under assessment.
Assessment Type: The type of security assessment to perform (e.g., static analysis, dynamic analysis, or a combination).
Entitlement: License or entitlement that authorizes the use of Fortify for scanning this application.
Technology Stack: The primary technology or framework used in the application.
Language ID: The programming language(s) of the codebase to be scanned.
Audit Preference: Settings that determine how audit data is handled or prioritized during the scan.
Enable Client Side Thresholds: Option to set and enforce custom thresholds for vulnerabilities at the client (pipeline) level.
Vulnerability Threshold: The threshold configuration for vulnerability severity that triggers alerts or pipeline failures.
Level: The severity level (e.g., Critical, High, Medium, Low) for which thresholds are applied.
Count: The maximum number of allowed vulnerabilities at the specified severity level before the threshold is breached.
SCM Type: The type of source code management system (e.g., GitHub, GitLab, Bitbucket) where the application code resides.
Select Account: The SCM account or organization under which the repository is managed.
Repository: The specific repository within the SCM account that contains the application code.
Branch: The branch within the repository to be scanned for vulnerabilities.
Click Save.
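To make the Level/Count threshold settings above concrete, here is an added illustration of how a client-side vulnerability threshold is evaluated against scan findings. This is example code written for this page, not Opsera's or Fortify's implementation; the finding records, the threshold list, and the function names (evaluate_thresholds, pipeline_decision) are constructed for the example, and the "fail" / "alert" outcomes mirror the two behaviours the Threshold Enforcement step describes.

```python
"""Model of the Level/Count vulnerability threshold configured in the Fortify step.

Added example, not Opsera's or Fortify's code. SAMPLE_FINDINGS is constructed
data; real scan output has a different shape. Each threshold entry pairs a
severity Level with the maximum Count of findings allowed at that level.
"""
from collections import Counter

# Constructed sample findings: one Critical, three High, five Medium.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "Critical"},
    {"id": "F-2", "severity": "High"},
    {"id": "F-3", "severity": "High"},
    {"id": "F-4", "severity": "High"},
    {"id": "F-5", "severity": "Medium"},
    {"id": "F-6", "severity": "Medium"},
    {"id": "F-7", "severity": "Medium"},
    {"id": "F-8", "severity": "Medium"},
    {"id": "F-9", "severity": "Medium"},
]

# Constructed threshold configuration: no Critical findings tolerated,
# at most two High findings.
SAMPLE_THRESHOLDS = [
    {"level": "Critical", "count": 0},
    {"level": "High", "count": 2},
]


def count_by_severity(findings):
    """Tally findings per severity label (Critical, High, Medium, Low)."""
    return Counter(f["severity"] for f in findings)


def evaluate_thresholds(findings, thresholds):
    """Compare observed counts against each configured Level/Count pair.

    A threshold is breached when the number of findings at its Level is
    greater than the allowed Count. Returns (passed, breaches), where
    breaches describes every exceeded threshold so the report can name
    which level tripped and by how much.
    """
    counts = count_by_severity(findings)
    breaches = []
    for threshold in thresholds:
        level = threshold["level"]
        observed = counts.get(level, 0)
        if observed > threshold["count"]:
            breaches.append(
                {"level": level, "allowed": threshold["count"], "observed": observed}
            )
    return (len(breaches) == 0, breaches)


def pipeline_decision(breaches, on_breach="fail"):
    """Map threshold breaches to the pipeline outcome.

    on_breach is an assumed knob for this example: "fail" stops the
    pipeline, "alert" lets it continue but raises a notification.
    """
    if not breaches:
        return "pass"
    if on_breach not in ("fail", "alert"):
        raise ValueError("on_breach must be 'fail' or 'alert'")
    return on_breach


if __name__ == "__main__":
    passed, breaches = evaluate_thresholds(SAMPLE_FINDINGS, SAMPLE_THRESHOLDS)
    for b in breaches:
        print(f"{b['level']}: {b['observed']} found, {b['allowed']} allowed")
    print("decision:", pipeline_decision(breaches, on_breach="fail"))
```

With the constructed data the Critical threshold (1 found, 0 allowed) and the High threshold (3 found, 2 allowed) are both breached, so the decision is to fail the pipeline; the same findings would pass a configuration that only capped Medium at five. The evaluation is per level, matching the Count definition above, so a Critical finding is not counted against a High threshold unless a Critical threshold is also configured.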
Step 3: View Pipeline Logs and Reports
Monitor Pipeline Execution:
After running the pipeline, open the pipeline.
Scroll down in the Summary tab to view Pipeline Logs.
View Reports:
Under the Action column for the Fortify scan step, click Reports to access scan results and detailed logs.
FAQs
Why should I use Fortify integration? Using Fortify integration helps organizations identify security risks in code, enforce security policies, and reduce the likelihood of vulnerabilities reaching production.
What information do I need from Fortify to set up the integration? You need:
Tenant code (from Fortify Account Settings)
API Key (from Fortify Administration, StartScans section)
Secret Key (generated once for StartScans)
How do I view Fortify scan results? After a pipeline run, you can view logs and detailed reports in the Opsera interface. Click Reports under the Fortify scan step for vulnerability details.
Who are the intended users of Fortify integration? DevSecOps engineers, security engineers, platform administrators, development team leads, and compliance officers.
Can I set thresholds for vulnerabilities? Yes, you can set vulnerability thresholds by severity level (e.g., Critical, High) and specify the maximum number of allowed findings before the pipeline fails or alerts are triggered.