Has anyone completed a Fortify Application Scanner Integration?

Go to solution
jzayicek
Kilo Contributor

‎10-25-2018 05:36 AM

Customer is asking for a  Fortify Application Scanner Integration.  Has anyone completed this type of integration and if so any issues?

Labels:
0 Helpfuls
  • 1,781 Views
1 ACCEPTED SOLUTION

Go to solution
Alex Cox
ServiceNow Employee
ServiceNow Employee

‎06-03-2019 05:13 PM

Hi Refocused Dad,

We do not have an out of the box integration today, however I reached out to our Business Development group and they let me know that they are in initial conversations to understand customer requirements for an out of the box solution. They are in early stages and do not have an ETA at this time. Naturally I am obliged to make it clear that this is not a commitment to deliver this feature, but they are looking into it!

If you have any requirements I'd be happy to pass them along?

That said - implementing this today is possible using the technique described above, if needed!

View solution in original post

5 REPLIES 5

Go to solution
Alex Cox
ServiceNow Employee
ServiceNow Employee

‎10-25-2018 08:28 AM

Hey there JZ,

I haven't built a Fortify integration but I was able to create a WhiteHat integration, and I think the high level concepts would be the same:

  • Scheduled Job to populate "Third Party Vulnerability" table, if necessary (it looks like REST is an option with Fortify)
    • Note that with web application scanners like these, catching the CWE is usually important (where we normally look for CVE)
  • Scheduled Job to populate the "Vulnerable Item" table,  pairing hosts/apps with CWE's or Third Party Vulns.
    • Again the CWE will become important here
    • Note that CWEs can be imported out of box from the NVD, making your job a lot easier here.
    • See the Vulnerability > Libraries > CWE menu item
    • You may, or may not be able to map each vulnerable item to a CI (that's ok)
      • If you have an ip_address, dns, and/or netbios value on the vulnerable item:
      • Use the sn_vul.VulnerabilityUtils.findCIByNetworkDetails  function to apply a CI using that data, if possible
        • This can be found in the VulnerabilityUtils script include
        • It takes a single glide record of a vulnerable item as an argument and will populate the cmdb_ci field if it can find one.

Hopefully that should help get you started.

Best of luck!

Alex

 

Go to solution
jzayicek
Kilo Contributor
In response to Alex Cox

‎10-25-2018 10:17 AM

Hope you are doing well my friend.

 

Outstanding information.


Thanks

 

Go to solution
Refocused Dad
Kilo Expert

‎06-03-2019 03:51 PM

Hi JZ, Alex Cox,

I'm just beginning to look into this for my company and it appears that there are no integrations already available in the store. Do either of you have any additional insights on Fortify integration with ServiceNow? 

 

Thanks.

Go to solution
Alex Cox
ServiceNow Employee
ServiceNow Employee

‎06-03-2019 05:13 PM

Hi Refocused Dad,

We do not have an out of the box integration today, however I reached out to our Business Development group and they let me know that they are in initial conversations to understand customer requirements for an out of the box solution. They are in early stages and do not have an ETA at this time. Naturally I am obliged to make it clear that this is not a commitment to deliver this feature, but they are looking into it!

If you have any requirements I'd be happy to pass them along?

That said - implementing this today is possible using the technique described above, if needed!