Fortify on Demand Vulnerability Integration

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Fortify on Demand Vulnerability Integration

    The Fortify on Demand Vulnerability Integration connects Fortify scanner data with ServiceNow’s Application Vulnerability Response feature, enhancing your vulnerability management by importing and enriching third-party vulnerability data within your ServiceNow instance. This integration helps you better assess the impact and prioritize flaws detected in your code by synchronizing vulnerability information automatically on a daily basis.

    Show full answer Show less

    Key Features

    • Data Import and Enrichment: Retrieves application scanner data, scan summaries, and scan results from Fortify, enriching your existing vulnerability records.
    • Automated Scheduled Jobs: Integrations run sequentially every day via scheduled jobs, ensuring continuous synchronization with Fortify data. You can also trigger these jobs manually.
    • Run-as User Configuration: Uses a dedicated run-as user (default VR.System) for integration processes; this should remain unchanged to ensure proper operation.
    • Integration Components:
      • Fortify on Demand Application List Integration: Active by default, runs daily to import application scanner data.
      • Fortify on Demand Scan Summary Integration: Retrieves scan records, runs after the application list integration, inactive by default.
      • Fortify on Demand Application Vulnerable Item Integration: Imports detailed scan results and updates vulnerability items; inactive by default and skips creating items for closed scans.
    • Integration Monitoring: Provides visibility into integration run statuses and processing times starting with version 2.3 for better tracking and troubleshooting.

    Practical Benefits for ServiceNow Customers

    • Streamlines vulnerability remediation by keeping your ServiceNow instance automatically updated with the latest Fortify scan data.
    • Enables comprehensive vulnerability analysis by combining Fortify data with ServiceNow’s native vulnerability response capabilities.
    • Reduces manual effort through automated scheduled synchronization while allowing manual control if needed.
    • Supports better prioritization and impact analysis of application vulnerabilities detected by Fortify, improving security posture management.

    The Fortify on Demand Vulnerability Integration uses data imported from the Fortify product to help you determine the impact and priority of flaws in your code.

    Fortify on Demand Vulnerability Integration

    The Fortify product collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities enriching the data in your instance.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Every day, scheduled jobs invoke the integrations automatically. Once all the integrations are activated, they are chained to run in sequence. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version Release Notes
    Vulnerability Response integration with

    Fortify v2.4

    Fortify v2.3

    Fortify v2.2

    Fortify v2.1

    		 Application Vulnerability Response release notes

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Fortify Vulnerability Integration

    To view the Fortify on Demand Vulnerability Integration, navigate to Fortify Vulnerability Integration > Integrations.

    The following integrations are included in the base system. These integrations are not all active by default.

    After the initial run, every day, scheduled jobs are chained to run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Table 1. Fortify Vulnerability Integrations
    Integration Description
    Fortify on Demand Application List Integration Retrieves Fortify application scanner data (vulnerabilities, metadata) and enriches your third-party application data. This integration is set to run daily at 00:00:00. It is active by default.
    Fortify on Demand Scan Summary Integration Retrieves scan records from Fortify. This integration is chained to run following the Fortify on Demand Application List Integration when activated. It is inactive, by default.
    Fortify on Demand Application Vulnerable Item Integration Retrieves scan results from Fortify, inserts AVITs, and enriches your third-party vulnerability data. If the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated.

    Starting with v2.3, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integration.

    This integration is chained to run following the Fortify on Demand Scan Summary Integration when activated. It is inactive, by default.

    For integration run statuses see, View the Fortify on Demand Vulnerability Integration import run status.

    To view data in third-party vulnerabilities, see View vulnerability libraries.