Fortify On Demand Reporting

Fortify is a good security tool, but on its own it doesn't provide everything needed for a working DevSecOps pipeline. There are extensions for Fortify On Demand that start scans, but nothing that feeds the results back into the pipeline, and that feedback loop is the key to DevSecOps.

This Azure DevOps extension bridges that gap. There are a couple of catches you cannot avoid, but it works. The first is that the report it uses is the vulnerability details list, not the scan report. That means if your current scan has 50 critical issues, the report may not return all of them. This is actually the behaviour you want: the missing ones are issues you have already audited or suppressed, and you do not want them showing up again. If you reported on the scan instead, every issue, including the ones you have marked as not an issue, would be reported and validated against on every run.

The other catch is that if you trigger a scan, you have to wait for it to finish before you can report on it. The extension gets no feedback on whether or when the scan has finished, so you need to build in a delay. The approach I have implemented is to report into the development environment to give early feedback, but there only to warn rather than block the deployment, because if the scan that will clear the issues is still running you do not want to stop developers developing. A second report is then placed before pre-production, by which point all the scans and deployments for development should have finished; that report can block the release if new issues have been found.
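The two-stage policy above (warn in development, block before pre-production, and only on issues that are new and not already audited) can be expressed as a small gate script run after the report step. The following is an added example, not code from the extension or from Fortify On Demand: the record shape (`id`, `severity`, `status`, `category`), the status vocabulary, the baseline of known issue ids and the function names are all assumptions made for illustration. Only the `##vso[...]` lines are real Azure DevOps agent logging commands.

```python
"""Added example (not the extension's own code): a gate that applies the
two-stage policy described above to a Fortify On Demand vulnerability list.

Assumptions, not facts from the page: the shape of each vulnerability record
(id, severity, status, category), the status names and the function names are
made up for illustration; only the ##vso[...] logging commands are real
Azure DevOps agent commands.
"""
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Statuses treated as "already dealt with" in the audit; the exact status
# vocabulary is an assumption, not taken from the FoD API.
AUDITED_STATUSES = {"Suppressed", "Not an Issue", "Fixed"}

# Constructed sample input standing in for what the report step would return.
SAMPLE_VULNS = [
    {"id": "V-1", "severity": "Critical", "status": "Open", "category": "SQL Injection"},
    {"id": "V-2", "severity": "High", "status": "Open", "category": "Cross-Site Scripting"},
    {"id": "V-3", "severity": "Critical", "status": "Suppressed", "category": "Hardcoded Password"},
    {"id": "V-4", "severity": "Low", "status": "Open", "category": "Poor Logging Practice"},
]


@dataclass
class GateResult:
    action: str                      # "pass", "warn" or "fail"
    new_issue_ids: list = field(default_factory=list)


def actionable_issues(vulns, min_severity="High"):
    """Keep only open issues at or above the severity threshold.

    Audited/suppressed issues are dropped, which mirrors why the extension
    reads the vulnerability list rather than the raw scan report.
    """
    threshold = SEVERITY_RANK[min_severity]
    return [
        v for v in vulns
        if v["status"] not in AUDITED_STATUSES
        and SEVERITY_RANK.get(v["severity"], 0) >= threshold
    ]


def evaluate_gate(vulns, known_ids, environment, min_severity="High"):
    """Decide what the pipeline should do for this environment.

    known_ids: issue ids already seen in an earlier run (the baseline), so
    only genuinely new findings drive the decision.
    environment: "development" warns only; anything later (for example
    "pre-production") fails the stage.
    """
    new_ids = [v["id"] for v in actionable_issues(vulns, min_severity)
               if v["id"] not in known_ids]
    if not new_ids:
        return GateResult("pass")
    if environment == "development":
        return GateResult("warn", new_ids)
    return GateResult("fail", new_ids)


def vso_command(result):
    """Render the decision as an Azure DevOps logging command.

    The agent parses these lines from stdout: task.logissue adds a warning to
    the run summary without failing it; task.complete result=Failed fails the
    step, which is what blocks the release before pre-production.
    """
    summary = f"{len(result.new_issue_ids)} new issue(s): {', '.join(result.new_issue_ids)}"
    if result.action == "warn":
        return f"##vso[task.logissue type=warning;]Fortify: {summary}"
    if result.action == "fail":
        return f"##vso[task.complete result=Failed;]Fortify: {summary}"
    return "Fortify: no new issues above threshold"


if __name__ == "__main__":
    # Usage: python fod_gate.py <environment> [known-id ...]
    env = sys.argv[1] if len(sys.argv) > 1 else "development"
    baseline = set(sys.argv[2:])
    print(vso_command(evaluate_gate(SAMPLE_VULNS, baseline, env)))
```

The delay the text calls for sits outside this script: put a delay step in front of the report in the development stage, and rely on stage ordering for the pre-production gate, where the scans should already be complete. The baseline of known ids is what keeps the pre-production gate from failing on issues that were already open and accepted in the previous release; how you persist it (a pipeline artifact, a file in the repo) is a choice this example leaves open.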

With this tool you can build a good DevSecOps pipeline in Azure DevOps. Find out more about the tool on the Marketplace here >