Integrate Fortify with Service Now Vulnerability Management module

Ruud3
Giga Contributor

I'm a Fortify Professional Services consultant, and a customer has asked me to develop an integration that allows for submitting Fortify vulnerability information (for both static source code scans and dynamic web application scans) to the Service Now Vulnerability Management module.

We have an existing utility for integrating with 3rd-party defect tracking/vulnerability management systems. In order to add support for Service Now, I would need REST API endpoints for the following:

  1. Phase 1: Create a new vulnerability record in Service Now
  2. Phase 1: Potentially query Service Now for mapping, for example, names to IDs (if needed for #1)
  3. Phase 2: Retrieve existing vulnerability record from Service Now
  4. Phase 2: Update existing vulnerability record in Service Now
  5. Phase 2: Mark vulnerability records as open/closed in Service Now

As an example, see JiraRestConnection.java for the REST API calls that the utility makes to JIRA.

I've had a look at the Service Now REST API documentation; for phase 1 it seems you can either directly push data into Service Now tables using the tables API, or post data to the /api/sn_vul/vulnerability_integration_svc endpoint. For the latter approach, you would need to configure a new vulnerability integration and corresponding integration script and report processor in Service Now.

Being completely new to Service Now, I have the following questions:

  1. Does it make sense/is it possible to submit Fortify vulnerability data to the vulnerability management module, or would we need to develop a completely new Service Now application/module?
  2. Also taking Phase 2 into account, and not seeing any endpoints in the vulnerability management module for querying data, what would be the preferred approach for Phase 1; using the tables API or the vulnerability_integration_svc endpoint?
  3. Would Fortify vulnerability data be inserted in an existing Service Now Vulnerability Management table, or would a Service Now administrator need to set up a new table?
  4. Are there any other tasks to be performed on the Service Now side in order to have it accept and process Fortify vulnerability data?
  5. Any other suggestions on how to implement this, based on the JIRA-based example listed above?

Thanks,

Ruud

4 REPLIES

Refocused Dad
Kilo Expert

Did you ever find an answer to your questions? I am looking into a similar integration in my organization. Thanks.

Ruud3
Giga Contributor

Unfortunately not; the only reactions to this post that I received were people asking the same as you. 

chris_bertelsen
Tera Contributor

Hi Ruud.

Did you ever get an answer on this?  And is this still a need for you?  3y ago, so you probably have moved on. 

We have this same need and are in a reverse position.  We know ServiceNow, but not Fortify.  If you would like to partner, reach out.

Chris.

Ruud3
Giga Contributor

Hi Chris,

I never got an answer, and indeed I'm no longer working on this.

Being in Fortify Professional Services, I (or one of my colleagues) can provide assistance on the Fortify side of this but it would be paid services.

Best regards,

Ruud