What is Fortify?

Fortify is a comprehensive suite of application security solutions that helps organizations identify, prioritize, and remediate security vulnerabilities in their software. It provides static and dynamic application security testing (SAST and DAST) capabilities to detect vulnerabilities across the entire application stack.

Key Features

  • Static Application Security Testing (SAST): Analyzes source code, bytecode, and binaries to identify security vulnerabilities without executing the application.
  • Dynamic Application Security Testing (DAST): Tests running applications to identify vulnerabilities that might be exploited from the outside.
  • Software Security Center: Centralized management console for application security activities, including vulnerability tracking, remediation, and reporting.
  • Comprehensive Language Support: Supports over 25 programming languages and frameworks, including Java, .NET, PHP, Python, JavaScript, and more.
  • CI/CD Integration: Seamlessly integrates with popular CI/CD tools to automate security testing in your development pipeline.

Integration with DevOps Pipeline

Fortify can be integrated into your DevOps pipeline to automate security testing throughout the development lifecycle. Here's how you can integrate Fortify into your pipeline:

1. Static Analysis with Fortify SCA

Integrate Fortify Static Code Analyzer (SCA) into your build process to scan your code for vulnerabilities during development.

// Example Jenkins pipeline stage for Fortify SCA (Groovy comments use //, not #)
stage('Fortify SCA') {
  steps {
    // Discard any intermediate files left from a previous run of this build ID
    sh 'sourceanalyzer -b my-build-tag -clean'
    // Translate the sources into the SCA intermediate model (Java 8 source level, jars on the classpath)
    sh 'sourceanalyzer -b my-build-tag -source 1.8 -cp "lib/**/*.jar" "src/**/*.java"'
    // Run the analysis on the translated model and write the findings to an FPR file
    sh 'sourceanalyzer -b my-build-tag -scan -f results.fpr'
    // Optional: print project information from the FPR into the build log
    sh 'FPRUtility -information -project -f results.fpr'
    // Upload the FPR to SSC; keep the token in a Jenkins credential rather than in the Jenkinsfile
    sh 'fortifyclient -url https://fortify.example.com/ssc -authtoken my-ssc-token uploadFPR -file results.fpr -application MyApp -applicationVersion 1.0'
  }
}

2. Dynamic Analysis with Fortify WebInspect

Integrate Fortify WebInspect into your deployment pipeline to scan your running application for vulnerabilities.

// Example Jenkins pipeline stage for Fortify WebInspect
// WebInspect (wi.exe) is a Windows program, so this stage runs on a Windows agent and uses bat rather than sh
stage('Fortify WebInspect') {
  steps {
    // Scan the deployed application with the given settings and policy; export results as XML
    bat 'wi.exe -u https://myapp.example.com -s "Default Scan" -ep "MyScanPolicy" -rt xml -f scan_results.xml'
    // Upload the dynamic scan results to SSC
    bat 'fortifyclient -url https://fortify.example.com/ssc -authtoken my-ssc-token uploadDynamicScan -file scan_results.xml -application MyApp -applicationVersion 1.0'
  }
}

3. Integrate with Software Security Center

Use Fortify Software Security Center (SSC) to manage and track vulnerabilities across your applications.

// Example Jenkins pipeline stage for checking security policy compliance
stage('Security Policy Compliance') {
  steps {
    script {
      // returnStatus: true gives the command's exit code instead of failing the step;
      // exit code 0 means at least one matching issue exists
      def result = sh(script: 'fortifyclient -url https://fortify.example.com/ssc -authtoken my-ssc-token issueExists -application MyApp -applicationVersion 1.0 -query "status:New,Triaged category:SQL Injection"', returnStatus: true)
      if (result == 0) {
        error "Critical security issues found. Pipeline failed."
      }
    }
  }
}
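The gate in step 3 asks SSC whether blocked issues exist. As an added example (not code from the original article or from Fortify), the following Python script applies the same kind of gate directly to the FPR produced in step 1, so a build can fail before the upload. It assumes an .fpr is a zip archive containing audit.fvdl, with each finding's category in a ClassInfo/Type element under the FVDL namespace; the sample archive is constructed inline.

```python
"""Local security gate over a Fortify FPR (added example, not Fortify's own code)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace assumed for FVDL documents inside an .fpr archive.
FVDL_NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}

# Constructed sample audit.fvdl with three findings (real files carry far more detail).
SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
  <Vulnerabilities>
    <Vulnerability>
      <ClassInfo><Kingdom>Input Validation and Representation</Kingdom>
        <Type>SQL Injection</Type></ClassInfo>
      <InstanceInfo><InstanceSeverity>4.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><Kingdom>Input Validation and Representation</Kingdom>
        <Type>SQL Injection</Type></ClassInfo>
      <InstanceInfo><InstanceSeverity>4.0</InstanceSeverity><Confidence>4.0</Confidence></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><Kingdom>Input Validation and Representation</Kingdom>
        <Type>Cross-Site Scripting: Reflected</Type></ClassInfo>
      <InstanceInfo><InstanceSeverity>3.0</InstanceSeverity><Confidence>3.0</Confidence></InstanceInfo>
    </Vulnerability>
  </Vulnerabilities>
</FVDL>
"""

def build_sample_fpr() -> bytes:
    """Pack the constructed FVDL into an in-memory zip, mimicking an .fpr file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", SAMPLE_FVDL)
    return buf.getvalue()

def count_findings(fpr_bytes: bytes) -> dict:
    """Return {category: number of findings} read from audit.fvdl inside the archive."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        root = ET.fromstring(zf.read("audit.fvdl"))
    counts = {}
    for vuln in root.findall(".//f:Vulnerability", FVDL_NS):
        category = vuln.findtext("f:ClassInfo/f:Type", default="Unknown", namespaces=FVDL_NS)
        counts[category] = counts.get(category, 0) + 1
    return counts

def gate(fpr_bytes: bytes, blocked=("SQL Injection",)) -> tuple:
    """Return (passed, hits): passed is False when any blocked category has findings."""
    counts = count_findings(fpr_bytes)
    hits = {c: counts[c] for c in blocked if c in counts}
    return (len(hits) == 0, hits)
```

A pipeline step would call `gate(open("results.fpr", "rb").read())` and exit non-zero when `passed` is False, after which the same findings can still be uploaded to SSC for triage.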

Best Practices

  • Integrate Fortify SCA early in the development process to catch vulnerabilities as soon as possible.
  • Use Fortify WebInspect to test your application in a staging environment before deploying to production.
  • Implement security gates in your CI/CD pipeline to prevent code with critical vulnerabilities from being deployed.
  • Train developers on how to interpret and remediate Fortify findings to improve code quality over time.
  • Regularly update Fortify rules and policies to stay protected against the latest security threats.

Conclusion

Fortify is a powerful application security testing solution that can help you identify and remediate security vulnerabilities throughout your development lifecycle. By integrating Fortify into your DevOps pipeline, you can automate security testing and ensure that your applications are secure before they reach production.