Set up security testing integration (technical preview)

This topic explains how to set up integration with Fortify on Demand, bringing security testing into your development cycle.

DevOps admin permissions are required.

Overview of the ALM Octane integration with Fortify on Demand

What is Fortify on Demand?

Fortify on Demand is a cloud-based application security testing service. It performs static code analysis on your application's code, assessing it for potential security vulnerabilities.

Why integrate ALM Octane with Fortify on Demand?

Integrate ALM Octane with Fortify on Demand to bring security testing into your development cycle:

  • Identify security vulnerabilities soon after they are introduced into the code and correct them.
  • Raise developers' awareness, encouraging them developers to avoid introducing vulnerabilities.

How does the integration work?

Periodically, during the development cycle, run a pipeline on Jenkins that includes a Fortify on Demand Upload step. After this step uploads the application's code to Fortify on Demand, a security assessment of your code begins.

If the pipeline run is successful, ALM Octane polls the Fortify on Demand server. When the assessment is complete, ALM Octane retrieves the newly found vulnerabilities and displays them in the pipeline run.

After reviewing the vulnerabilities, you can create a relevant defect to fix in your code, or dismiss and close the issue. For details, see Track security vulnerabilities (technical preview).

Important privacy note: If your Fortify on Demand data contains personally identifiable information (PII), contact your system administrators to check the geographical locations of the Fortify on Demand data farm and the ALM Octane server. If the two are located in different geographical locations, verify with your chief information security officer or privacy office that this integration complies with your regional regulations.

Back to top

Prerequisite: Set up Fortify on Demand and ALM Octane to integrate with Jenkins

ALM Octane collects security assessment results after a pipeline runs a Jenkins job that uploads your application's code to Fortify on Demand.

Start by setting up Jenkins to integrate with Fortify on Demand and setting up ALM Octane to integrate with Jenkins:

  1. Set up your Fortify on Demand account. For details, see https://software.microfocus.com/en-us/software/fortify-on-demand.

    Define an application whose code you want Fortify on Demand to assess.

    We recommend that you run the first security assessment on your code manually and audit it with security experts, before integrating with ALM Octane.

    Obtain the URL and API keys required to access the Fortify on Demand server using API. The keys must permit reading vulnerabilities.

  2. Set up Jenkins to upload your code to Fortify on Demand.

    1. Install and configure the Fortify on Demand Uploader plugin on your Jenkins server.
    2. Create a Fortify on Demand Upload step on Jenkins to upload your application's code to Fortify on demand for assessment. In the build step information (BSI) fields, configure the application and release that you used to define your application in your Fortify on Demand account.

    For details, see https://wiki.jenkins.io/display/JENKINS/Fortify+On+Demand+Uploader+Plugin.

  3. Set up ALM Octane integration with your Jenkins server. For details, see Set up CI servers.

Back to top

Create a Fortify on Demand security tool connection in ALM Octane

Add Fortify on Demand as a security tool in the DevOps settings page, so ALM Octane can retrieve the assessment results from the Fortify on Demand server:

  1. In ALM Octane, click Settings , select Spaces and select a workspace.

  2. Select the DevOps > Security Tools tab.

  3. Click + Connection.

  4. Define a name for the connection and select the security tool (Fortify On Demand).

  5. Enter the URL for your Fortify on Demand server, and the API keys required to access it.

  6. Click Test Connection to make sure the configuration is correct.

  7. Click Add to add the security tool to the list.

    After a pipeline step uploads code to Fortify on Demand for assessment, ALM Octane will use this connection information to contact Fortify on Demand and retrieve the assessment results.

Back to top

Create a pipeline with a Fortify on Demand Upload step

In ALM Octane, create a pipeline that includes the Fortify on Demand Jenkins Upload step that you created earlier:

  1. In the Pipelines > Pipelines page, add a new pipeline.
  2. Select the Fortify on Demand Upload job or the root of a flow that includes it.
  3. In the Type field, select Security.
  4. Select the option This pipeline includes a Fortify on Demand job.
  5. Enter the Application and Release that you used when configuring the Jenkins Fortify on Demand Upload step. These details identify the application whose code Fortify on Demand is scanning.

After this pipeline runs successfully, ALM Octane polls the Fortify on Demand server, waiting to retrieve the assessment results.

Back to top

Configuration options

By default, ALM Octane checks Fortify on Demand every 2 minutes for 48 hours to see if the scan is finished. If there are more than 100 vulnerabilities, ALM Octane retrieves none.

All these limits can be configured using the following configuration parameters:

  • FORTIFY_POLLING_TIMEOUT_HOURS
  • FORTIFY_POLLING_DELAY_MINUTES
  • FORTIFY_UPPER_LIMIT_OF_ISSUES

For details, see Configuration parameters.

Back to top

See also: