Fortify Vulnerability Integration

  • Release version: Washingtondc
  • Updated July 26, 2024

    The Fortify Vulnerability Integration uses data imported from the Fortify product to help you determine the impact and priority of flaws in your code.

    Fortify Vulnerability Integration

    The Fortify product collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Every day, scheduled jobs invoke the integrations automatically. Once all the integrations are activated, they are chained to run in sequence. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version | Release Notes
    Fortify Vulnerability Integration | Fortify: v2.4, v2.3, v2.2

    Application Vulnerability Response release notes

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Fortify Vulnerability Integration

    To view the Fortify Vulnerability Integration, navigate to Fortify Vulnerability Integration > Integrations.

    The following integrations are included in the base system. These integrations are not all active by default.

    After the initial run, every day, scheduled jobs are chained to run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Table 1. Fortify Vulnerability Integrations
    Integration | Description
    Fortify on Demand Application List Integration | Retrieves Fortify application scanner data (vulnerabilities, metadata) and enriches your third-party application data. This integration is set to run daily at 00:00:00. It is active by default.
    Fortify on Demand Scan Summary Integration | Retrieves scan records from Fortify. This integration is chained to run following the Fortify on Demand Application List Integration when activated. It is inactive by default.
    Fortify on Demand Application Vulnerable Item Integration | Retrieves scan results from Fortify, inserts AVIs, and enriches your third-party vulnerability data. If the scanner record is in the Closed state, AVIs are not created. Existing AVIs are still updated. Starting with v2.3, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integration. This integration is chained to run following the Fortify on Demand Scan Summary Integration when activated. It is inactive by default.

    For integration run statuses, see View the Fortify Vulnerability Integration import run status.

    To view data in third-party vulnerabilities, see View vulnerability libraries.