Overview
About Fortify Software Security Center
Fortify Software Security Center (Fortify SSC) enables management, development, and security teams to work together to triage, track, validate, automate, and manage software security activities.
Why integrate Fortify Software Security Center into the Vulcan platform?
The Fortify Software Security Center Connector by Vulcan integrates with the Fortify Software Security Center platform to pull and ingest assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Fortify Software Security Center Connector Details
Supported products
Category | Application Security (SAST + DAST)
Ingested asset type(s) | Code Projects, Websites
Integration type | Uni-directional (data is transferred from the Connector to the Vulcan Platform in one direction)
Supported version and type | Fortify SAST, Fortify DAST
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
A Fortify user with access to the Administration tab in Fortify.
The Fortify SSC Server URL, in the form https://<host>:<port>
Generating a Fortify SSC API key
Go to the Fortify SSC platform.
Navigate to Administration > Users > Token Management.
Click New.
Choose CIToken from the Token Type dropdown, enter a meaningful description, and click Save.
Copy the resulting token for later use, as it won’t be visible again.
Configuring the Fortify SSC Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Fortify SSC icon.
Set up the Connector as follows:
Enter the Server URL of your Fortify SSC instance.
Enter the API Key you generated earlier.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Fortify SSC instance, then click Create (or Save Changes).
The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Fortify SSC icon shows Connected, the sync is complete.
Fortify SSC in the Vulcan Platform
Viewing Fortify SSC vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Connector is Fortify SSC.
You can add more filters to narrow down your search further.
See the complete list of available vulnerability filters. Click on a vulnerability for more vulnerability details.
Viewing Fortify SSC assets in the Vulcan Platform
To view assets by Connector:
Go to the Assets page.
Click on Filter and set the condition to Assets > Connector is Fortify SSC.
You can add more filters to narrow down your search further.
See the complete list of available asset filters. Click on any asset for more asset details.
Taking Action on vulnerabilities and assets detected by Fortify SSC
To take remediation action on vulnerabilities and assets detected by Fortify SSC:
Go to the Vulnerabilities or Assets page.
Use the Filter to filter vulnerabilities by the Fortify SSC connector and display all synced vulnerabilities/assets along with their associated assets/vulnerabilities.
Select the relevant Vulnerabilities/assets out of the results list.
Click on Take Action to proceed with remediation or further actions.
Automating remediation actions on vulnerabilities detected by Fortify SSC
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
From Fortify SSC to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Fortify SSC through its API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.
Code Project field mapping
Fortify SSC field | Vulcan field | Value Example |
project_version_id | Asset Uniqueness criteria | |
project.name | Asset Name | |
Code Projects | Asset type | |
project.id, project.name, project.description, project.createdBy, project.creationDate, projectVersionId, project_version_name, project_version_description, project_version_created_by, project_version_createtion_date, attributes: BusinessRisk, InfoClassification, ProjectClassification, BusinessUnit, Industry, Region, Accessibility, Compliance, DevStrategy, Interfaces, ProjectType, RelatedHostNames, TargetPlatform, TechnologiesUsed, WebServicesUsed | Asset details | |
attributes: BusinessRisk, InfoClassification, ProjectClassification, BusinessUnit, Industry, Region, Accessibility | Asset Tags - Additional | |
attributes.Languages | Asset languages | |
attributes.DevPhase | Asset's Status | |
project.creationDate | Asset first seen | |
currentState.lastFprUploadDate | Asset Last report | |
asset id + issue_id + unique vulnerability id | Vulnerability instance uniqueness criteria | |
fullFileName OR shortFileName | Asset codebase - Source (SAST) | |
lineNumber | Asset codebase - Location (SAST) | |
foundDate | Vulnerability instance first seen | |
priority | Vulnerability instance score | |
file_name, file_location, issueStatus, packageName, revision, issueInstanceId, issue_id, Analysis, brief, tips, primaryLocation, impact, likelihood, severity, confidence, friority, accuracy, probability, className, sink, sinkContext | Vulnerability instance connection - additional information | |
issueName | Unique Vulnerability uniqueness criteria | |
issueName | Unique Vulnerability title | |
priority | Unique Vulnerability score | |
detail | Unique Vulnerability description | |
kingdom | Unique Vulnerability details | |
references | Unique Vulnerability CVE/s | |
references | Unique Vulnerability CWE | |
issueName | Solution uniqueness criteria | |
Recommendations from Fortify SSC | Solution Title | |
recommendation | Solution Description | |
appSecTrainingUrl | Solution References | |
Websites mapping
Fortify SSC field | Vulcan field | Value Example |
project_version_id | Asset Uniqueness criteria | |
project.name | Asset Name | |
Websites | Asset type | |
project.id, project.name, project.description, project.createdBy, project.creationDate, projectVersionId, project_version_name, project_version_description, project_version_created_by, project_version_createtion_date, attributes: BusinessRisk, InfoClassification, ProjectClassification, BusinessUnit, Industry, Region, Accessibility, Compliance, DevStrategy, Interfaces, ProjectType, RelatedHostNames, TargetPlatform, TechnologiesUsed, WebServicesUsed | Asset details | |
attributes: BusinessRisk, InfoClassification, ProjectClassification, BusinessUnit, Industry, Region, Accessibility | Asset Tags - Additional | |
currentState.lastFprUploadDate | Asset Last scan | |
attributes.DevPhase | Asset's Status | |
project.creationDate | Asset Creation date | |
asset id + issue_id + unique vulnerability id | Vulnerability instance uniqueness criteria | |
foundDate | Vulnerability instance first seen | |
url | Vulnerability instance url | |
issue_url, issueStatus, packageName, revision, issueInstanceId, issue_id, Analysis, brief, tips, primaryLocation, impact, likelihood, severity, confidence, friority, accuracy, probability, method, attack_payload, attack_type | Assets-Vulnerability instance connection (info tooltip) | |
priority | Vulnerability instance score | |
- | Vulnerability instance location path | |
issueName | Unique Vulnerability uniqueness criteria | |
issueName | Unique Vulnerability title | |
detail | Unique Vulnerability description | |
kingdom | Unique Vulnerability details | |
references | Unique Vulnerability CVE/s | |
references | Unique Vulnerability CWE | |
issueName | Solution uniqueness criteria | |
Recommendations from Fortify SSC | Solution Title | |
recommendation | Solution Description | |
appSecTrainingUrl | Solution References | |
Vulnerability status mapping
Fortify SSC Status | Vulcan Status |
issueState: Open Issue | Vulnerable |
(Fortify SSC has no Fixed status; once an issue no longer appears in Fortify SSC, Vulcan marks it Fixed) | Fixed |
issueState: Not an Issue | Ignored - false positive |
suppressed OR hidden (regardless of issueState) | Ignored - risk acknowledged |
Vulnerability score mapping
Fortify SSC score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
None | 0 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).
The table below lists how the status update mechanism works in the Fortify SSC connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not seen for X days according to "Last Seen" - Asset status on the Connector's side indicates irrelevancy ("Retired"). |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
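The following is an added example (not Vulcan's or Fortify's code) that applies the status and score mapping tables above to Fortify SSC issue records, and derives "Fixed" the way the status update table describes, by diffing against the previous sync rather than from any field. Field names follow the mapping tables; the sample records are constructed, and the assumption that the priority column carries the label text (Critical/High/Medium/Low/None) is noted in the code.

```python
SCORE_MAP = {"Critical": 10, "High": 7, "Medium": 5, "Low": 3, "None": 0}


def vulcan_status(issue: dict) -> str:
    """Map one Fortify SSC issue record to a Vulcan status.

    suppressed/hidden take precedence regardless of issueState, as the
    status table states. "Fixed" is never derived from a field.
    """
    if issue.get("suppressed") or issue.get("hidden"):
        return "Ignored - risk acknowledged"
    state = issue.get("issueState")
    if state == "Not an Issue":
        return "Ignored - false positive"
    if state == "Open Issue":
        return "Vulnerable"
    # Anything else is unmapped: fail loudly rather than guess a status.
    raise ValueError(f"unmapped issueState: {state!r}")


def vulcan_score(issue: dict) -> int:
    """Map the Fortify priority label to the Vulcan 0-10 score."""
    # Assumption: 'priority' carries the label text (Critical/High/...).
    priority = issue.get("priority")
    if priority not in SCORE_MAP:
        raise ValueError(f"unmapped priority: {priority!r}")
    return SCORE_MAP[priority]


def fixed_since_last_sync(previous_ids: set, current_issues: list) -> set:
    """issueInstanceIds seen on the previous sync but absent now become Fixed.

    This is the "no longer appears in the scan findings" mechanism from the
    status update table; nothing in the record itself says Fixed.
    """
    current = {i["issueInstanceId"] for i in current_issues}
    return previous_ids - current


# Constructed sample records (not real Fortify output).
SAMPLE = [
    {"issueInstanceId": "i1", "issueState": "Open Issue", "priority": "High"},
    {"issueInstanceId": "i2", "issueState": "Open Issue", "priority": "Low", "suppressed": True},
    {"issueInstanceId": "i3", "issueState": "Not an Issue", "priority": "Critical", "hidden": False},
]


def triage(issues: list) -> dict:
    """Return {issueInstanceId: (vulcan_status, vulcan_score)} for a batch."""
    return {i["issueInstanceId"]: (vulcan_status(i), vulcan_score(i)) for i in issues}
```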
Support and Expected Behaviour
Remarks on support and expected behavior for Fortify SSC fields that are and are not ingested:
Token Management:
Fortify SSC tokens remain valid for a maximum of 365 days. It's advisable to generate a new token annually to ensure uninterrupted access.
Assets (Fortify SSC Applications):
Only the most recent version of each application is ingested.
For ingestion to occur, an application version must be active (with the active field set to true).
Applications devoid of any issues are omitted from the ingestion process.
Asset Archiving:
Assets are archived based on attributes such as the DevPhase value and user input. The available options for DevPhase include New, Active, Maintenance, and Retired. By default, only the Retired option is selected.
Vulnerability Instances (Fortify SSC Issues):
Issues are fetched from either the latest application version exclusively or from all versions, depending on the configuration of the "Fetch only issues from the last version of each application" checkbox.
The ingestion status of issues that are hidden, removed, or suppressed is contingent upon the application version settings available in Fortify SSC under PROFILE → ADVANCED SETTINGS.
API Endpoints in Use
API version: V1
API | Use in Vulcan | Permissions required |
/ssc/api/v1/projects | Running the versions API | Token type - CIToken |
/ssc/api/v1/projects/{{project_id}}/versions | Running later APIs, asset enrichment | Token type - CIToken |
/ssc/api/v1/projectVersions/{{project_version_id}}/attributes | Asset enrichment | Token type - CIToken |
/ssc/api/v1/projectVersions/{{project_version_id}}/issues | Running the issue details API | Token type - CIToken |
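The following is an added example (not Vulcan's or Fortify's code) that walks the endpoints in the order the table lists them and applies the ingestion rules from the "Support and Expected Behaviour" section: only active versions, only the latest version per application (or all versions when the "last version" checkbox is off), applications without issues omitted, and the instance uniqueness key from the mapping table. The response shapes and the in-memory stub are constructed assumptions modelled on the field names in the mapping tables, and "latest version" is assumed to mean the newest creationDate; the attributes endpoint is left out since it only enriches assets.

```python
from typing import Callable, Dict, List

# Constructed sample responses keyed by endpoint path (not real SSC output).
STUB: Dict[str, list] = {
    "/ssc/api/v1/projects": [{"id": 1, "name": "shop"}, {"id": 2, "name": "cms"}],
    "/ssc/api/v1/projects/1/versions": [
        {"id": 10, "active": True, "creationDate": "2023-01-01"},
        {"id": 11, "active": True, "creationDate": "2024-01-01"},
        {"id": 12, "active": False, "creationDate": "2024-06-01"},  # inactive: never ingested
    ],
    "/ssc/api/v1/projects/2/versions": [{"id": 20, "active": True, "creationDate": "2024-03-01"}],
    "/ssc/api/v1/projectVersions/10/issues": [{"issueInstanceId": "A", "issueName": "SQL Injection"}],
    "/ssc/api/v1/projectVersions/11/issues": [
        {"issueInstanceId": "B", "issueName": "SQL Injection"},
        {"issueInstanceId": "C", "issueName": "Cross-Site Scripting"},
    ],
    "/ssc/api/v1/projectVersions/12/issues": [{"issueInstanceId": "D", "issueName": "Path Manipulation"}],
    "/ssc/api/v1/projectVersions/20/issues": [],  # no issues: application omitted
}


def stub_fetch(path: str) -> list:
    """Stand-in for an authenticated GET (CIToken) against the SSC v1 API."""
    return STUB.get(path, [])


def instance_key(asset_id: int, issue: dict) -> str:
    """Vulnerability instance uniqueness: asset id + issue id + unique vulnerability id."""
    return f"{asset_id}:{issue['issueInstanceId']}:{issue['issueName']}"


def select_ingestible(fetch: Callable[[str], list], last_version_only: bool = True) -> List[dict]:
    """Walk projects -> versions -> issues in the order the endpoint table lists."""
    assets = []
    for project in fetch("/ssc/api/v1/projects"):
        versions = fetch(f"/ssc/api/v1/projects/{project['id']}/versions")
        versions = [v for v in versions if v.get("active")]  # active must be true
        if not versions:
            continue
        # Assumption: "latest version" means the newest creationDate.
        latest = max(versions, key=lambda v: v["creationDate"])
        sources = [latest] if last_version_only else versions
        issues = [i for v in sources for i in fetch(f"/ssc/api/v1/projectVersions/{v['id']}/issues")]
        if not issues:
            continue  # applications devoid of issues are omitted
        assets.append({
            "project_version_id": latest["id"],
            "asset_name": project["name"],
            "instance_keys": sorted(instance_key(latest["id"], i) for i in issues),
        })
    return assets
```

Running it against the stub with the checkbox on yields one asset (the "shop" application at version 11 with two issues); with it off the same asset also carries the issue from version 10, while the inactive version 12 is excluded either way.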
Data Validation
This section outlines how to validate and match data between Fortify SSC and Vulcan.
Matching Assets
In Fortify SSC:
Navigate to the "DASHBOARD" tab and select "ISSUE STATS."
Set the "Aggregate by" filter to "Application" and note the total number of applications.
In Vulcan:
In Vulcan's sidebar, go to "Assets" and then click on both the "Websites" and "Code Projects" tabs.
Click on "Filter," choose "Asset > Connector," select "Fortify SSC" from the dropdown, and click "Apply."
Note the number of assets displayed for each tab.
Ensure that the total number of assets in Vulcan matches the count from Fortify SSC.
Matching Vulnerability Instances when the 'Last Version Issues' Checkbox is ON
In Fortify SSC:
Navigate to the "DASHBOARD" tab and select "ISSUE STATS."
Set the "Group by" filter to "Application."
For each application, find the latest version and note the count of Open Issues.
In Vulcan:
Go to Vulcan's "Vulnerabilities" section in the sidebar and click on the "All" tab.
Turn on the Vulnerability Instance Mode slider.
Click on "Filter," choose "Vulnerability > Connector," select "Fortify SSC" from the dropdown, and click "Apply."
Note the total number of results, including the count shown on the upper-left side, starting with "Showing."
Ensure that the counts match, considering any unique behavior and limitations.
Matching Vulnerability Instances when the 'Last Version Issues' Checkbox is OFF
In Fortify SSC:
Navigate to the "DASHBOARD" tab and select "ISSUE STATS."
Set the "Aggregate by" filter to "Application."
For each application, note the count of Open Issues.
In Vulcan:
Go to Vulcan's "Vulnerabilities" section in the sidebar and click on the "All" tab.
Turn on the Vulnerability Instance Mode slider.
Click on "Filter," choose "Vulnerability > Connector," select "Fortify SSC" from the dropdown, and click "Apply."
Optionally, add "Asset > Name" to the filter and input the asset name for specific asset filtering.
Note the total number of results, including the count shown on the upper-left side, starting with "Showing."
Ensure that the counts match, considering any unique behavior and limitations.