Prerequisite
An application with the Start Scans role and API authorization access. To create the application, follow these instructions:
Log in to your Fortify account.
Navigate to Administration --> Settings --> API --> Add Key.
Enter an Application Name.
Choose the Start Scans role.
Enable Authorize app to use API.
Click Save.
Copy the Secret Code and keep it somewhere safe.
Copy the API Key of the relevant application and keep it somewhere safe.
Configuring Fortify On-Demand DAST
On the Connectors page, click Add a Connector.
Click the Fortify DAST connector.
Fill in the relevant fields:
Data Center - Choose the Data Center from the list; this determines the API Root URL.
Client Api ID - The key used to communicate with the Fortify API. Instructions for obtaining the API ID are in section 1 of this document.
Client Api Secret - The key used to authenticate with the Fortify API. Instructions for obtaining the API Secret are in section 1 of this document.
Click Create.
Viewing data from Fortify DAST in Vulcan
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
Assets
Vulnerabilities
Assets
The data from Fortify On-Demand DAST is displayed under Websites. This tab gathers all data pulled from dynamic scans. To filter only Fortify DAST data, use the Search Bar.
The Site Name column indicates the applications that were scanned by the dynamic assessment tool.
The Last Scan column indicates the completion time of the last dynamic scan in Fortify.
The Scanned Pages column indicates the number of unique pages scanned in this application.
The Top Risk column indicates the highest risk value among all risks that exist in a project.
The Vulnerabilities column indicates the number of issue instances. For example:
If Fortify indicates the following issues, Vulcan will display their total number under Vulnerabilities.
The Tags column shows the following values from Fortify: 'Business Criticality' and 'Application Type'.
Clicking on a website opens its Asset Card, where you can view the website's data, including all related vulnerabilities, the number of vulnerabilities associated with each page, and correlated data from other sources.
The Pages tab indicates the exact location of the vulnerabilities.
Vulnerabilities
You can view all data from Fortify On-Demand DAST under Vulnerabilities. To filter only Fortify data, use the Search Bar.
Start the remediation process by clicking a vulnerability to view all the details fetched from your Fortify account.
All the data from Fortify, including descriptions, offered solutions, available fixes and more, is available in Vulcan.
Click Take Action to open a ticket and assign it to a specific team, or to share your findings via Slack channels or email.
FAQ
Which Fortify API version are you using?
We use API Version 3.
Can I also pull results from Static scans?
Yes, by defining a dedicated Fortify SAST connector.