In this article you will find:

  1. Pre-requisite

  2. How to configure Fortify DAST connector

  3. How to view data from Fortify in Vulcan

  4. FAQ

1. Pre-requisite

Start Scans application role with API authorization access. In order to create the application, follow the instructions:

  1. Log to Fortify account

  2. Navigate to Administration --> Settings --> API --> Add Key

  3. Add Application Name

  4. Choose Start Scans role

  5. Enable Authorize app to use API

  6. Click Save

  7. Copy the Secret Code and keep it somewhere safe.

  8. Copy the Api Key of the relevant application and keep it somewhere safe

2. Configuring Fortify On-Demand DAST

In the Connectors page, click on Add a Connector

Click on Fortify DAST connector

Fill in the relevant fields:
Data Center - Choose Data Center from list to determine the API Root URL

Client Api ID - Key to communicate with Fortify API. Instructions of how to get the API Id can be found under section 1 in this document.
Client Api Secret - Key to authenticate with Fortify API. Instructions of how to get the API Secret can be found under section 1 in this document.

Click on Create.

3. Viewing data from Fortify DAST in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angels:

  • Assets

  • Vulnerabilities

Assets
The data from Fortify On-Demand DAST will be displayed under Websites - This tab gathers all data that was pulled from dynamic scans. To filter only Fortify DAST data, simply use the Search Bar

The Site Name column will indicate the Applications that were scanned by dynamic assessment tool.

Last Scan column will indicate the last completed scan dynamic scan time in Fortify.

Scanned Pages column will indicate the number of unique pages scanned in this Application.
Top Risk column will indicate the highest risk-value from all risks that exists in a project.
Vulnerabilities column will indicate the number of issues instances. For example:
If Fortify indicates the following issues, Vulcan will display their total number under Vulnerabilities.

Tags column will indicate the following values from Fortify: 'Business Criticality' and 'Application Type'.

Clicking on each website will open its Asset Card where you can view in website's data, including - All related vulnerabilities, number of vulnerabilities associated with each page and correlated data from other sources.

Pages tab will indicate the exact location of the vulnerabilities:

Vulnerabilities
You can view all data from Fortify On-Demand DAST in Vulnerabilities. In order to filter only Fortify data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and view all details fetched from your Fortify account.
All the data from Fortify including the descriptions, the offered solutions, available fixes and more are in Vulcan.

Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.

4. FAQ

Which Fortify API version are you using?
We use API Version 3.

Can I pull also result from Static scans ?

Yes, by defining a dedicated Fortify SAST connector.

Did this answer your question?