Has anyone completed a Fortify Application Scanner Integration?

jzayicek
Kilo Contributor

Customer is asking for a  Fortify Application Scanner Integration.  Has anyone completed this type of integration and if so any issues?

1 ACCEPTED SOLUTION

Alex Cox
ServiceNow Employee
ServiceNow Employee

Hi Refocused Dad,

We do not have an out of the box integration today, however I reached out to our Business Development group and they let me know that they are in initial conversations to understand customer requirements for an out of the box solution. They are in early stages and do not have an ETA at this time. Naturally I am obliged to make it clear that this is not a commitment to deliver this feature, but they are looking into it!

If you have any requirements I'd be happy to pass them along?

That said - implementing this today is possible using the technique described above, if needed!

View solution in original post

5 REPLIES 5

Alex Cox
ServiceNow Employee
ServiceNow Employee

Hey there JZ,

I haven't built a Fortify integration but I was able to create a WhiteHat integration, and I think the high level concepts would be the same:

  • Scheduled Job to populate "Third Party Vulnerability" table, if necessary (it looks like REST is an option with Fortify)
    • Note that with web application scanners like these, catching the CWE is usually important (where we normally look for CVE)
  • Scheduled Job to populate the "Vulnerable Item" table,  pairing hosts/apps with CWE's or Third Party Vulns.
    • Again the CWE will become important here
    • Note that CWEs can be imported out of box from the NVD, making your job a lot easier here.
    • See the Vulnerability > Libraries > CWE menu item
    • You may, or may not be able to map each vulnerable item to a CI (that's ok)
      • If you have an ip_address, dns, and/or netbios value on the vulnerable item:
      • Use the sn_vul.VulnerabilityUtils.findCIByNetworkDetails  function to apply a CI using that data, if possible
        • This can be found in the VulnerabilityUtils script include
        • It takes a single glide record of a vulnerable item as an argument and will populate the cmdb_ci field if it can find one.

Hopefully that should help get you started.

Best of luck!

Alex

 

Hope you are doing well my friend.

 

Outstanding information.


Thanks

 

Refocused Dad
Kilo Expert

Hi JZ, Alex Cox,

I'm just beginning to look into this for my company and it appears that there are no integrations already available in the store. Do either of you have any additional insights on Fortify integration with ServiceNow? 

 

Thanks.

Alex Cox
ServiceNow Employee
ServiceNow Employee

Hi Refocused Dad,

We do not have an out of the box integration today, however I reached out to our Business Development group and they let me know that they are in initial conversations to understand customer requirements for an out of the box solution. They are in early stages and do not have an ETA at this time. Naturally I am obliged to make it clear that this is not a commitment to deliver this feature, but they are looking into it!

If you have any requirements I'd be happy to pass them along?

That said - implementing this today is possible using the technique described above, if needed!