Fortify on Demand Vulnerability Integration

  • Release version: Xanadu
  • Updated August 1, 2024

    The Fortify on Demand Vulnerability Integration uses data imported from the Fortify product to help you determine the impact and priority of flaws in your code.

    Fortify Vulnerability Integration

    The Fortify product collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Every day, scheduled jobs invoke the integrations automatically. Once all the integrations are activated, they are chained to run in sequence. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version | Release Notes
    Vulnerability Response integration with Fortify v2.4, Fortify v2.3, Fortify v2.2, Fortify v2.1 | Application Vulnerability Response release notes

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    Fortify Vulnerability Integration

    To view the Fortify Vulnerability Integration, navigate to Fortify Vulnerability Integration > Integrations.

    The following integrations are included in the base system. These integrations are not all active by default.

    After the initial run, every day, scheduled jobs are chained to run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Table 1. Fortify on Demand Vulnerability Integrations
    Integration | Description
    Fortify on Demand Application List Integration | Retrieves Fortify application scanner data (vulnerabilities, metadata) and enriches your third-party application data. This integration is set to run daily at 00:00:00. It is active by default.
    Fortify on Demand Scan Summary Integration | Retrieves scan records from Fortify. This integration is chained to run following the Fortify on Demand Application List Integration when activated. It is inactive by default.
    Fortify on Demand Application Vulnerable Item Integration | Retrieves scan results from Fortify, inserts application vulnerable items (AVITs), and enriches your third-party vulnerability data. If the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated. Starting with v2.3, you can view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integration. This integration is chained to run following the Fortify on Demand Scan Summary Integration when activated. It is inactive by default.

    For integration run statuses, see View the Fortify Vulnerability Integration import run status.

    To view data in third-party vulnerabilities, see View vulnerability libraries.