Fortify Justin Derry-Business Software Assurance-Protecting your Assets

Collection download

FortiCare Technical Support and RMA Services: Device-Level Technical Support Introduction


SERVICE BRIEF: FortiCare Technical Support and RMA Services, Device-Level Technical Support

Introduction

Organizations depend on Fortinet solutions to provide critical services. If any issues arise, they need to be addressed quickly to help ensure security and business continuity.

Adequate Support Is Key to Smooth Operations

Extended downtime due to choosing inadequate support can be costly for businesses of all sizes. Organizations need to be sure the support is readily available—when they need it—to provide committed service levels to their internal users or external customers. In addition to the right support level, the right return merchandise authorization (RMA) replacement contract should be in place to meet the committed service levels, even if the organization has a high availability (HA) architecture. Replacing the failed device in the HA architecture should be swift to maintain the desired level of redundancy.

Technical Support and RMA Overview

We provide FortiCare technical support and RMA services on a per-device basis for 24x7 support and timely issue resolution. FortiCare support services are available across the entire Fortinet Security Fabric, enabling a single source for support and troubleshooting. Flexible support options help organizations maximize uptime, security, and performance according to the unique needs of each business. Technical support is delivered through our Global Technical Assistance Centers. Each geographical region has a Center of Expertise that is supplemented by regional support centers. This enables us to provide regional and local language support.

Foundational FortiCare device-level support includes:
• Global toll-free numbers that are available 24x7, depending on the service option
• Web chat for quick answers
• A support portal for ticket creation or to manage assets and life cycles
• Access to software updates and next-business-day RMA service, depending on the service option

Feature Highlights: Technical Support

Flexible support options help organizations maximize uptime, security, and performance according to the individual needs of each business. Fortinet offers three different per-device support options to meet customer needs: FortiCare Essential, FortiCare Premium, and FortiCare Elite. Organizations have the flexibility to buy different levels of service for different devices based on their needs.

FortiCare Essential is the base-level service targeted toward devices that require a limited amount of support and can tolerate next-business-day, web-only response for critical as well as non-critical issues. This service is only offered to FortiGate models 9x and below and to low-end FortiWiFi devices. RMA is on a return-and-replace basis at this service level.

FortiCare Premium is targeted toward devices that require 24x7x365 support with one-hour response for critical issues and next-business-day response for non-critical issues. Standard next-business-day RMA services are included at this service level. Fortinet will ship a replacement device (Advanced Replacement) the next business day, before we receive the faulty device from the customer.

FortiCare Elite offers enhanced service-level agreements (SLAs) and accelerated issue resolution. This advanced support offering provides access to a dedicated support team. Single-touch ticket handling by the expert technical team streamlines resolution. FortiCare Elite services are available for FortiGate, FortiGate VM, FortiWiFi, FortiManager, FortiAnalyzer, FortiAP, and FortiSwitch appliances. This option also provides access to an intuitive portal with a single unified view of device and security health. Standard next-business-day RMA services are included at this service level. Fortinet will ship a replacement device (Advanced Replacement) the next business day, before we receive the faulty device from the customer.

Figure 1: FortiCare Elite Portal dashboard

The FortiCare Elite Portal provides a single unified view of device and security health. The dashboard is customizable, or customers can use the default views. In addition to alerting about device and security health, the portal also provides remediation recommendations. And since this is cloud-based, it is easy to scale.

In addition, FortiCare offers a subscription-based Best Practice Service (BPS) for specific products to guide customers on planning, deployment, improvement, upgrade, and migration.

Feature Highlights: Priority RMA Services

Standard next-business-day RMA services are included with both Premium and Elite per-device support contracts. Priority RMA (PRMA) add-on options are available across the product family for expedited replacement of defective hardware. Priority RMA options cover weekends and holidays. Only return-and-replace RMA is included with the Essential per-device support contract. Essential customers are not eligible for Priority RMA add-on options.

Priority RMA Options
• Next Calendar Day delivery. If the exchange is confirmed, a replacement part will be delivered by courier service and arrive the next calendar day in accordance with the applicable country cutoff time.
• Four-hour courier. A replacement part will be delivered on-site by a courier service.
• Four-hour courier with on-site engineer. A replacement part will be delivered on-site by a courier service. An engineer will arrive separately, rack and cable the appliance, and leave with the defective part if requested.
*Available for FortiGate only.

Secure RMA

The Secure RMA service is designed for customers with strict requirements for protection of data within their physical environment. In general, Fortinet products store configuration information on solid-state media that are not field-replaceable. As a result, it is not possible to remove these items without invalidating the warranty. For maximum security, the Secure RMA service allows for the nonreturn of the defective hardware and therefore the protection of data within the customer's premises. FortiCare RMA services are not available in all locations. Please check with your Fortinet sales representative for your location-specific availability.

Self-Service Resources

For expedited answers, Fortinet maintains ample self-service resources to get you the answers you need, fast. All the answers to your questions are now in one place. The Fortinet community is a knowledge-sharing hub for customers, partners, Fortinet experts, and colleagues. The community is a place to collaborate, share insights and experiences, and get answers to questions. FortiCare Technical Support and Priority RMA help maximize uptime, security, and performance.

Copyright © 2023 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Fortify Training 1


1. Source Code Analysis Engine
A compiled exe or sln file that builds successfully must be provided.
Open the project to be tested.
Press the Run button of the Fortify plugin to start the code scan.
The scan can also be started from the menu.
iTesting
Shanghai Software Testing Center
Professional testing, authoritative evaluation: the foundation of trust for tens of millions of users
Supported environments: Visual Studio 2005, Visual Studio 2003 (C/C++, C#, VB, etc.)
The Fortify test tools consist of:
1) Source Code Analysis Engine (white-box testing tool)
2) Audit Workbench (complements SCA, provides a graphical user interface)
3) Software Security Manager (software vulnerability management, generates various charts and reports)
4) Fortify Security Tester (black-box dynamic testing tool)
For Java:
sourceanalyzer -cp lib/j2ee.jar MyServlet.java
sourceanalyzer "src/**/*.java" -format fvdl -f myProject.fvdl
sourceanalyzer -extdirs /*.jar .
sourceanalyzer -b mybuild -c javac -classpath libs.jar MyCode.java
sourceanalyzer -b mybuild -scan -format fvdl -f myresults.fvdl
The last two commands show the two-phase workflow: the translate step records the sources under build ID mybuild, and the -scan step analyzes that build and writes the results to an FVDL file.

FortiADC and FortiGSLB Cloud Product Introduction


Product Offerings: FortiADC and FortiGSLB Cloud

Available in: Appliance, Virtual Machine, SaaS, Cloud

Application delivery without any limits

FortiADC is an advanced Application Delivery Controller (ADC) that ensures application availability, application security, and application optimization. FortiADC offers advanced security features (WAF, DDoS, and AV) and application connectors for easy deployment and full visibility to your networks and applications. You can deploy FortiADC as a physical or virtual machine (VM), or as a cloud solution.

FortiADC provides unmatched application acceleration, load balancing, and web security, regardless of whether it is used for applications within a single data center or serves multiple applications for millions of users around the globe. FortiADC includes application acceleration, WAF, IPS, SSLi, link load balancing, and user authentication in one solution to deliver availability, performance, and security in a single, all-inclusive license.

FortiADC also offers the FortiGSLB Cloud service that helps optimize end client requests for a specific domain by dynamically distributing workload across virtual servers, data centers, and locations. You can route traffic to your network resources based on geography, server performance (CPU/memory) and load, measured client and network performance, weighted distributions, consistent (sticky) routing, and more.

• VM Subscription (Public/Private Cloud): virtual solution supported across public and private clouds.
• Hardware appliance: on-premise FortiADC appliance providing multicore processor technology combined with hardware-based SSL offloading and server optimization to increase end-user QoE.
• FortiGSLB Cloud Service: DNS-based load balancing as a service, enabling you to deploy redundant resources around the globe without having to maintain and manage your own load-balancing infrastructure. Leverage FortiGSLB Cloud to keep your businesses online in the event of localized traffic spikes or outages.

ADVANCED APPLICATION DELIVERY CONTROLLER

Hardware Accelerated Appliances

| Model | 120F | 220F | 300F | 400F | 1200F | 2200F | 4200F | 5000F |
|---|---|---|---|---|---|---|---|---|
| Rated throughput | 3 Gbps | 5 Gbps | 8 Gbps | 12 Gbps | 40 Gbps | 60 Gbps | 100 Gbps | 250 Gbps |
| L4 Throughput | 3 Gbps | 5 Gbps | 8 Gbps | 15 Gbps | 40 Gbps | 60 Gbps | 100 Gbps | 250 Gbps |
| L7 Throughput | 1.8 Gbps | 4 Gbps | 8 Gbps | 12 Gbps | 30 Gbps | 35 Gbps | 80 Gbps | 220 Gbps |
| SSL Throughput | 500 Mbps (No ASIC) | 1.2 Gbps (No ASIC) | 3 Gbps (No ASIC) | 6 Gbps (SSL ASIC) | 20 Gbps (SSL ASIC) | 25 Gbps (SSL ASIC) | 50 Gbps (SSL ASIC) | 120 Gbps (SSL ASIC) |
| Form Factor | 1RU | 1RU | 1RU | 1RU | 1RU | 1RU | 2RU | 2RU |

Interfaces and power supplies, as listed in the source (in model order):
10/100/1000: 6xGE; 4xGE, 4xSFP; 4xGE, 4xSFP; 4xGE, 4xSFP; 8xGE, 8xSFP; 8xSFP
10G SFP+: 4xSFP+; 8xSFP+; 12xSFP+; 8xSFP+
40G QSFP: 4xQSFP; 8xQSFP
100G QSFP28: 4xQSFP28
Dual PS: Single (optional redundant PS); Dual; Dual; Dual; Dual

Included: Global Server Load Balancing (GSLB), Web Application Firewall

Security Services
| Service | Bundle |
|---|---|
| IP Reputation | Standard |
| WAF Signature | Standard |
| Credential Stuffing Defense Services | Advanced |
| AntiVirus | Advanced |
| IPS | Advanced |
| Cloud Sandbox | Advanced |
| Web Filtering | Add-on license |

Additional Services: 24x7 Support

Hardware Bundles
| Model | Standard Renewal Bundle | Advanced Renewal Bundle |
|---|---|---|
| 120F | FAD-120F-BDL-973-DD | FAD-120F-BDL-619-DD |
| 220F | FAD-220F-BDL-973-DD | FAD-220F-BDL-619-DD |
| 300F | FAD-300F-BDL-973-DD | FAD-300F-BDL-619-DD |
| 400F | FAD-400F-BDL-973-DD | FAD-400F-BDL-619-DD |
| 1200F | FAD-1200F-BDL-973-DD | FAD-1200F-BDL-619-DD |
| 2200F | FAD-2200F-BDL-973-DD | FAD-2200F-BDL-619-DD |
| 4200F | FAD-4200F-BDL-973-DD | FAD-4200F-BDL-619-DD |
| 5000F | FAD-5000F-BDL-973-DD | FAD-5000F-BDL-619-DD |

FortiADC application delivery controllers are available as hardware appliances, virtual machines, and public cloud VMs. FortiADC-HW provides multicore processor technology combined with hardware-based SSL offloading. FortiADC-VM S-series is a yearly subscription of our virtual ADC supported on all common hypervisors and public cloud providers. When choosing the virtual ADC (FortiADC-VM S series), remember this is a yearly subscription. Choose between the standard and advanced subscription bundles, which vary by the type of services included.

FORTIADC PRODUCT OFFERINGS: VIRTUAL MACHINE SUBSCRIPTIONS

| Model | VM01 | VM02 | VM04 | VM08 | VM16 | VM32 |
|---|---|---|---|---|---|---|
| Rated throughput | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps | 16 Gbps | 24 Gbps |
| L4 Throughput | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps | 16 Gbps | 24 Gbps |
| L7 Throughput | 500 Mbps | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps | 12 Gbps |
| SSL Throughput | 500 Mbps | 1 Gbps | 2 Gbps | 3 Gbps | 4.5 Gbps | 6 Gbps |

Included: Global Server Load Balancing (GSLB), Web Application Firewall. Security services and additional services are the same as for the hardware appliances (IP Reputation and WAF Signature: Standard; Credential Stuffing Defense Services, AntiVirus, IPS, Cloud Sandbox: Advanced; Web Filtering: add-on license; 24x7 Support).

VM Subscriptions
| Model | Standard Bandwidth Bundle | Advanced Bandwidth Bundle |
|---|---|---|
| VM01 | FC1-10-ADVMS-942-02-DD | FC1-10-ADVMS-635-02-DD |
| VM02 | FC2-10-ADVMS-942-02-DD | FC2-10-ADVMS-635-02-DD |
| VM04 | FC3-10-ADVMS-942-02-DD | FC3-10-ADVMS-635-02-DD |
| VM08 | FC4-10-ADVMS-942-02-DD | FC4-10-ADVMS-635-02-DD |
| VM16 | FC5-10-ADVMS-942-02-DD | FC5-10-ADVMS-635-02-DD |
| VM32 | FC6-10-ADVMS-942-02-DD | FC6-10-ADVMS-635-02-DD |

FORTIGSLB CLOUD PRODUCT OFFERINGS

FortiGSLB Cloud provides load balancing across multiple data centers and cloud applications based on GSLB Cloud policies, with site selection according to application/server availability (health checks) and client geolocation. FortiGSLB supports stackable licenses.

FortiGSLB Cloud licenses
| DNS Query Per Second | 100 QPS | 500 QPS | 1,000 QPS |
|---|---|---|---|
| DNS Subscription | FC2-10-CGSLB-330-02-DD | FC3-10-CGSLB-330-02-DD | FC4-10-CGSLB-330-02-DD |

| Advanced Health Check | 2 Advanced Health Checks | 10 Advanced Health Checks | 100 Advanced Health Checks |
|---|---|---|---|
| Health Check Subscription | FC1-10-CGSLB-332-02-DD | FC2-10-CGSLB-332-02-DD | FC4-10-CGSLB-332-02-DD |

Services: Global Application LB, DNS Services, Application Visibility. Additional services: 24x7 Support (included in all tiers).

FORTIADC CHEAT SHEET

The Space
The ADC market continues to evolve with application automation and software-centric use cases:
• Application automation and integration with microservices (CI/CD)
• Autoscaling and application security (WAF)
• "Over the top" ADC services (GSLB)
• Application visibility and ease-of-use focus

Product Lineup
The FortiADC product line includes various options:
• On-premise: any FortiADC can be purchased as HW, VM, and Cloud VM models. Models are from 1.5 Gbps and up to 300 Gbps throughput.
• Cloud VM: FortiADC also runs on public cloud (AWS, OCI, Azure, and GCP). We support perpetual licenses (BYOL and PAYG).

Ordering Guide
Product Offerings: OPEX and CAPEX options.
OPEX, one option available:
• FortiADC-VM: S-series provides a yearly subscription for IaaS/private cloud. All-inclusive standard/advanced bundle options.
CAPEX, two options available:
• HW appliances: selected by throughput (1.5 Gbps to 250 Gbps)
• FortiADC-VM: preferably choose S-series, though a perpetual license is available.

Where to Find More Info
• Demo: FortiADC automation, SAP security and availability, FortiADC SSL proxy and FW LB
• What's New: FortiADC new features
• Training: the most commonly used FortiADC features

Major Capabilities to Pitch
• Application connectors and automation for autoscaling and service availability.
• Advanced application LB with L7 routing, advanced health checks, and application optimization.
• Unleash the power of the script: with FortiADC Script, you can manage and control network/application traffic.
• SSL visibility and inspection: SSL-based attacks are rising. With FortiADC, you can monitor and block SSL attacks.
• Global LB: real-time traffic LB between multiple locations/data centers for best availability and quality of experience to reduce latency.
• Application security: the most secure ADC in the market with WAF (OWASP Top 10), antivirus, IPS, DDoS protection, and Sandbox integration.
• Ease of use: FortiView provides real-time data analytics and application visibility. FortiADC has integration with Splunk, FortiAnalyzer, and FortiSIEM.

Fortify Official Internal Materials


Key features of Fortify SCA:
• The largest package of secure coding rules
• Analyzes how vulnerabilities arise in code across layers and across languages: C, C++, .Net, Java, JSP, PL/SQL, T-SQL, XML, CFML, JavaScript, PHP, ASP, VB, VBScript
• Precisely locates the full path along which a vulnerability arises
• Supports different software development platforms. Platforms: Windows, Solaris, Red Hat Linux, Mac OS X, HP-UX, IBM AIX. IDEs: Visual Studio, Eclipse, RAD, WSAD
Leading market share
Nine of the ten largest banks in the world, large IT infrastructure vendors, and large independent software companies. Supports the most popular and most diverse programming languages on the market.
“Fortify is the clear winner for many reasons, including their superior analysis and reporting capabilities, and their understanding and support of how security fits into the software development lifecycle.”
CERT 2006 report: evolution of attacks
1994: Hackers, Worms & Viruses
1997: Increase in Internet protocol attacks, MailBomb, SPAM, etc.
2000: Internet Browsers & Social Engineering
Traditional software security defense approaches
Fortify's security solution: Fortify 360

Fortify User Manual


China Construction Bank Online Banking Investment Product Innovation Project: Fortify User Manual. Head Office Information Technology Management Department, Guangzhou Development Center, June 2008.
Revision record: No. | Date | Description | Version | Author | Reviewer | Release date
2008-6-2 | Online banking investment product innovation project document | 1.1 | 廖敏飞、羌雪
The information contained in this document is confidential. Without the written permission of China Construction Bank, no one may copy or use it.

© Copyright 2008 by China Construction Bank

Contents
1. Introduction
1.1 Purpose
1.2 Background
1.3 Definitions
1.4 Environment
1.5 Notes
1.6 Related requirements
2. Installing Fortify
2.1 Enter the Fortify installation directory
2.2 Enter the license key: BAHODPERE9I9
2.3 Select All Users
2.4 Select all of the options below
2.5 Select the No option
3. Using Fortify
3.1 Enter the source code directory and run sca commandline scan.bat
3.2 Contents of sca commandline scan.bat
4. Querying results
4. Possible problems
5. Results analysis
6.1 Race Condition
6.2 SQL Injection
6.3 Cross-Site Scripting
6.4 System Information Leak
6.5 HTTP Response Splitting

1. Introduction
1.1 Purpose: raise software security awareness in the center's projects; convey the Head Office requirements on secure software coding and testing; understand and learn how to use Fortify SCA.
1.2 Background: online banking investment product innovation project document.

1.3 Definitions: Fortify Source Code Analysis Suite is a tool from Fortify Software (USA) that lets software development enterprises scan, analyze and manage security vulnerabilities in software source code.

Latest Accenture Strategic Planning Training (96-page slide deck)

Diagnose
Document
Execute
Evaluate
© 2000 Arthur Andersen All rights reserved.
Business strategy
Sun Tzu said: know the enemy and know yourself, and in a hundred battles you will never be in peril.
1. Internal factor analysis
Examine the enterprise's internal factors (sales and distribution, research and development, production and operations management, enterprise resources and personnel, finance and accounting, etc.). Identify the enterprise's strengths and weaknesses. Strengthen strengths and develop opportunities. Respond to competitive threats. Correct the errors or weaknesses that put the enterprise at a competitive disadvantage. Establish correct market positioning.
Personnel rules and regulations, attendance, promotion, security, benefits, training and development systems. Reducing labor costs. Application of management information systems and computer systems.
Internal environment analysis: finance and accounting
Financial capability and support: asset liquidity, profitability, working capital, etc. Reducing capital: reducing inventory, improving the dividend policy. Use of funds. Relationship with shareholders. Use of tax and insurance policies. Financial planning. Accounting systems: cost budgeting, profit planning, audit procedures, etc.
Corporate strategy
Definition of corporate strategy; business strategy framework; internal factor analysis; external environment analysis; industry and market competition analysis; industry structure analysis and competitive strategy; market competition analysis; market research; strategy formulation; SWOT analysis; strategic positioning; formulation of specific strategies; business plan formulation; strategy evaluation and control / strategy improvement
Internal environment analysis: research and development
The enterprise's own basic research capability; capability to develop product manufacturing; product design; production process design and improvement; packaging techniques; application of new raw materials

Brief Overview of the Fortify Code Audit Process


Fortify code auditing is a static code analysis tool used to find and fix potential security vulnerabilities in software. It helps developers identify potential security problems and provides corresponding remediation advice. This article briefly introduces the Fortify code audit process and how to use it to improve software security.

The Fortify code audit process can be divided into the following steps:

1. Code collection: First, collect the code to be audited. This can be the source code, binary files or static libraries of one or more software projects. Fortify supports many programming languages and development environments, including Java, C/C++, C#, and others.

2. Code scanning: Next, scan the code with Fortify. Fortify performs static analysis of the code to identify potential security vulnerabilities and problems. It uses a set of predefined rules and patterns to detect common security problems such as buffer overflows, SQL injection, and cross-site scripting.

3. Vulnerability identification: After the scan completes, Fortify generates a report listing all the security vulnerabilities and problems it found. The report includes details such as the type, location and severity of each vulnerability. Developers can use the information in the report to locate and fix the problems.

4. Problem remediation: Following the guidance in the report, developers can begin fixing the vulnerabilities and problems. Fixes may include modifying code, refactoring logic, adding security controls, and so on. The fixed code should be scanned again to confirm that the problems have been resolved.

5. Report generation: Finally, a final audit report can be generated containing details of all vulnerabilities and problems together with a summary of the remediation status. This report can be used for internal audits, security assessments, or sharing with other teams.

Using Fortify code auditing offers benefits in the following areas:

1. Finding potential security problems: Fortify helps developers find potential security vulnerabilities and problems in their code. Finding these problems early avoids security threats that might otherwise appear later.

2. Providing remediation advice: Fortify provides detailed remediation advice for each vulnerability it finds. This advice helps developers understand the root cause of a problem and offers a corresponding fix.

3. Strengthening code quality: Fixing security vulnerabilities and problems improves the quality and reliability of the code. This reduces software failures and vulnerabilities and improves the stability and maintainability of the system.

CyberRes Static Code Analyzer (SCA) Application Security Testing Guide


Data Sheet: Fortify Static Code Analyzer (SCA), Static Application Security Testing

CyberRes Static Code Analyzer (SCA) pinpoints the root cause of security vulnerabilities in the source code, prioritises the most serious issues, and provides detailed guidance on how to fix them so developers can resolve issues in less time with centralised software security management.

Static Testing Helps Build Better Code

Static Application Security Testing (SAST) identifies security vulnerabilities during early stages of development when they are least expensive to fix. It reduces security risks in applications by providing immediate feedback to developers on issues introduced into code during development. Static Application Security Testing also helps educate developers about security while they work, enabling them to create more secure software. Fortify Static Code Analyzer (SCA) uses multiple algorithms and an expansive knowledge base of secure coding rules to analyse an application's source code for exploitable vulnerabilities. This technique analyses every feasible path that execution and data can follow to identify and remediate vulnerabilities.

Find Security Issues Early

To process code, Fortify SCA works much like a compiler—which reads source code files and converts them to an intermediate structure enhanced for security analysis. This intermediate format is used to locate security vulnerabilities. The analysis engine, which consists of multiple specialised analysers, uses secure coding rules to analyse the code base for violations of secure coding practices. Fortify SCA also provides a rules builder to extend and expand static analysis capabilities and be able to include custom rules. Results are viewed in a number of ways depending on the audience and task.

Manage Results with Fortify Software Security Center (SSC)

Fortify Software Security Center (SSC) is a centralised management repository providing visibility to an organisation's entire application security programme to help resolve security vulnerabilities across the software portfolio. Users can review, audit, prioritise, and manage remediation efforts, track software security testing activities, and measure improvements via the management dashboard and reports to optimise static and dynamic application security test results. Fortify SSC helps to provide an accurate picture and scope of the application security posture across the enterprise. The Fortify SSC server resides in a central location and receives results from different application security testing activities, such as static, dynamic, and real-time analysis. Fortify SSC correlates and tracks the scan results and assessment results over time, and makes the information available to developers through Fortify Audit Workbench, or through IDE plugins such as the Fortify Plugin for Eclipse, the Fortify Extension for Visual Studio, and others.

Integration Ecosystem Includes:
• Flexible Deployment Options: AppSec-as-a-Service, On Premise, or in the cloud
• Integrated Development Environments (IDE): Eclipse, Visual Studio, JetBrains (including IntelliJ)
• CI/CD Tools: Jenkins, Bamboo, Visual Studio, Gradle, Make, Azure DevOps, GitHub, GitLab, Maven, MSBuild
• Issue Trackers: Bugzilla, Jira, ALM Octane
• Open Source Security Management: Sonatype, Snyk, WhiteSource, BlackDuck
• Code Repositories: GitHub, Bitbucket
• Swaggerised API for unlimited customisation

Users can also manually or automatically push issues into defect tracking systems, including ALM Octane, Jira, Azure DevOps Server, and Bugzilla.

• Audit Workbench
− Smart View—Visualisation makes auditing and fixing easier:
• Quickly understand how multiple issues are related from a data flow perspective
• Apply Smart View filters to begin triaging or fixing issues at the most efficient point

Key Benefits

Fast and Accurate Scanning
• Static application security testing (SAST) captures the majority of code related issues early in development.
• Identify and eliminate vulnerabilities in source, binary, or byte code
• Fortify SCA detects 815 unique categories of vulnerabilities across 27 programming languages and spans over one million individual APIs
• Accuracy as demonstrated by a true positive rate of 100% in the OWASP 1.2b Benchmark

Automate Security in the CI/CD Pipeline
• Reduces risk by identifying and prioritising which vulnerabilities pose the greatest threat
• Fortify integrates with CI/CD tools including Jenkins, ALM Octane, Jira, Atlassian Bamboo, Azure DevOps, Eclipse and Microsoft Visual Studio. See Fortify Integrations.
• Review scan results in real-time with access to recommendations, line-of-code navigation to find vulnerabilities faster and collaborative auditing.

Reduce Development Time & Cost
• When embedded within the SDLC, development time and cost can be reduced by 25%. The production/post-release phase is 30 times more costly to fix than vulnerabilities found earlier in the lifecycle.
• 2X as many vulnerabilities found with up to 95% reduced false positives (reference: Mainstay, Continuous Delivery of Business Value with Micro Focus Fortify, 2017)
• Enables secure coding practices by educating developers about static application security testing while they work

Key Features
• Developer-friendly language coverage
− Support for ABAP/BSP, ActionScript, Apex, C# (.NET), C/C++, Classic ASP (with VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, MXML (Flex), Objective C/C++, PHP, PL/SQL, Python, Ruby, Swift, T-SQL, VBScript, Visual Basic, and XML
− Supported languages are detailed in the "Fortify Software System Requirements" documentation.
• Integration into CI/CD tools (IDEs, Bug Trackers, Open Source)
− Support for all major IDEs: Eclipse, Visual Studio, JetBrains, including IntelliJ
− Defect management integrations provide transparent remediation for security issues
− Open Source integration: Sonatype, WhiteSource, Snyk, BlackDuck
− The combination of Swagger-supported REST APIs, an open source GitHub repo, and plugins and extensions for Bamboo, Azure DevOps and Jenkins are the types of tools to leverage to automate the CI/CD pipeline.
• Flexible deployment options to suit the environment your team is developing in
− Fortify On Demand allows teams to work in a fully SaaS based environment
− Fortify Hosted gives you the best of both SaaS and On-prem by working in an isolated virtual environment with complete control of the user data.
− Fortify On-Prem allows a team to have absolute control over all aspects of the Fortify solution.
• Security Assistant provides real time, as-you-type code security analysis and results for developers.
− It provides structural and configuration analysers which are purpose built for speed and efficiency to power our most instantaneous security feedback tool.
− Security Assistant only finds high confidence (all true positives or with very low false positive rates) findings with immediate results in the IDE (Microsoft Visual Studio, Eclipse, and IntelliJ). Security Assistant is suggested to be used as an additional job aid for developers and used in conjunction with full static scans for a more comprehensive view of security issues. All current Fortify Static Code Analyzer and Fortify on Demand Static Assessments customers are entitled to use Security Assistant with no additional licences/cost.
• Audit Assistant saves manual audit time with machine learning to identify and prioritise the most relevant vulnerabilities to your organisation. Automation with applied machine learning reduces manual audit time to amplify ROI of your static application security testing initiative.
− Provides automated audit results in minutes
− Minimises auditor workload
− Prioritises issues with confidence level
− Creates accurate and consistent audit results throughout projects
− Audit results at the speed of DevOps; this makes it possible to integrate SCA to build servers, source code management servers and scan more often with immediate results.
− Reduces the number of issues needing deep manual examination
− Identifies relevant issues and removes false positives sooner
− Scales application security with existing resources
• ScanCentral enables lightweight packaging on the build server, and provides a scalable, centralised, Fortify scanning infrastructure to meet the growing demands of modern development needs from within Fortify Software Security Center.
• Flexibility to achieve desired coverage by adjusting scan.
− Improved scanning performance
− Tune for fast scans
− Tune for comprehensive, more accurate scans
− RESTful API / Swaggerised API
• Scalable with on-premise, on demand, or hybrid approaches

Accurately Assess the Security State of Your Applications

Fortify offers the broadest set of software security testing products spanning the software lifecycle:
• Fortify Static Code Analyzer (SCA) for Static Application Security Testing (SAST): Identifies vulnerabilities during development, and prioritises those critical issues when they are easiest and least expensive to fix. Scanned results are stored in Fortify SSC. Learn more about Fortify SCA at: /en-us/cyberres/application-security/static-code-analyzer .
• WebInspect for Dynamic Application Security Testing (DAST): Identifies and prioritises security vulnerabilities in running web applications and web services. Integrates Interactive Application Security Testing (IAST) to identify more vulnerabilities by expanding coverage of the attack surface. Scanned results can be stored in Fortify SSC.
• Fortify Software Security Center: An AppSec platform that enables organisations to automate an application security programme. It provides management, development, and security teams a way to work together to triage, track, validate, and manage software security activities.
• Fortify on Demand for Security as a Service: Easy and flexible way to test the security of your software quickly, accurately, and without dedicating additional resources, or having to install and manage any software.

System Requirements

For detailed product specifications and system requirements, visit: /documentation/fortify-static-code/.

Company Overview

At CyberRes we help you run your business and transform it. Our software provides the critical tools you need to build, operate, secure, and analyse your enterprise. By design, these tools bridge the gap between existing and emerging technologies—which means you can innovate faster, with less risk, in the race to digital transformation. Fortify offers the most comprehensive static and dynamic application security testing technologies, along with runtime application monitoring and protection, backed by industry-leading security research. Solutions can be deployed in-house or as a managed service to build a scalable, nimble Software Security Assurance programme that meets the evolving needs of today's IT organisation.

"We can identify, analyse, and resolve possible issues far more efficiently with Fortify Static Code Analyzer than we ever could before."
Brenton Witonski, Senior IT Security Engineer, Acxiom

23760-A40015-003 | M | 06/22 | © 2022 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.

E.F. Hutton & Company Audit Case

Summary

E.F. Hutton & Company was the second-largest securities brokerage in the United States.

Using its elaborate cash-management system, it defrauded banks, and the U.S. Department of Justice charged it with more than 2,000 counts of mail and wire fraud.

During the investigation, because of the company's unusual management structure, the Department of Justice was unable to charge any individual manager or department with responsibility for the fraud.

Instead, the authorities held that Arthur Andersen, the accounting firm that audited the company, bore an inescapable responsibility, and so the investigation and litigation over whether the certified public accountants were liable began...

I. The Rise of E.F. Hutton & Company

In 1876, Edward F. Hutton was born into a poor family in New York.

He lost his father at the age of 10, never attended high school, and after dropping out made his living on New York's financial street, taking all kinds of jobs.

Hutton's fortunes turned at 27, when he married the daughter of a successful broker.

In 1904, with financial backing from his father-in-law, Hutton founded a small brokerage, E.F. Hutton & Company.

A tireless opportunist, Hutton opened his own branch in San Francisco as soon as he recognized California's increasingly promising prospects.

His brokerage thereby became the first to operate on both the East and West Coasts, and the first to own a dedicated telegraph line linking New York and San Francisco.

With this line, Hutton could complete a securities transaction between the two coasts in about three minutes.

Ironically, much of E.F. Hutton's financial success can be attributed to the devastating 1906 San Francisco earthquake.

After the earthquake, the direct telegraph line between Hutton's San Francisco branch and New York immediately became one of the few communication links to the East Coast, and possibly the only one.

Because the other Wall Street brokerages did not learn of the earthquake until several hours later, Hutton was able to use that brief but precious window to earn large profits for its clients and itself.

In fact, E.F. Hutton & Company consistently cultivated and encouraged this kind of entrepreneurial initiative.

Top management believed that bureaucracy, centralized decision-making, and rigid organizational structures would stifle employee creativity, and dismissed such management styles.

FortiOS 7.4 Operating System User Manual

FortiOS Is the Foundation of the Fortinet Security Fabric

SOLUTION BRIEF

Executive Summary

FortiOS, Fortinet's operating system, is the foundation of the Fortinet Security Fabric. The Security Fabric is the industry's highest-performing and most expansive cybersecurity platform, organically built on a common management and security framework. FortiOS ties all of the Fabric's security and networking components together to ensure seamless integration. This enables the convergence of networking and security functions to deliver a consistent user experience and resilient security posture across all manner of environments. On-premises, cloud, hybrid, and converging IT/OT/IoT infrastructure are included.

"FortiOS … improves operational efficiency and provides consistent security no matter where users or applications are distributed."1

FortiOS 7.4 is packed with powerful new features that give IT leaders unprecedented visibility and enforcement across even the most complex hybrid environments. Updates include:

• Industry-first unified networking and security architecture for OT, IoT, and IT devices
• Industry-first unified management and analytics capabilities across Fortinet's entire secure networking portfolio through FortiAnalyzer
• Greater automation and real-time response capabilities for SOC teams to protect against and reduce time to resolution for sophisticated attacks such as weaponized AI attacks, targeted ransomware, and criminal-sponsored APTs
• Enhancements to reduce alert triage and incident investigation across early detection solutions including FortiEDR, FortiXDR, FortiRecon, and FortiDeceptor
• New features to reduce risk across converging OT/IT/IoT environments

FortiOS and the Fortinet Security Fabric Enable Broad, Integrated, and Automated Security

Figure 1: The Fortinet Security Fabric

Having one unifying operating system that spans the entire distributed Security Fabric ensures:

• Consistent, centralized management and orchestration of security policy and configurations
• Broad reach and control across the expanded attack surface and at every step of the attack cycle
• High-performance enforcement of context-aware security policy
• Artificial intelligence (AI)-based threat detection and recommendations
• AI-based data correlation for analysis and reporting across a unified Fabric-level dataset
• Automated, multipronged response in real time to cyberattacks across the attack surface and throughout the attack cycle
• Improved threat response and reduced risk through enhanced security orchestration, automation, and response (SOAR) capabilities

FortiOS 7.4 Delivers New Capabilities

FortiOS uniquely empowers organizations to run their businesses without compromising performance, protection, or putting the brakes on innovation. A few of the key FortiOS 7.4 and Security Fabric enhancements designed to address today's unique challenges are listed below.

Secure networking and management

New innovations to Fortinet's Secure Networking Portfolio and FortiOS 7.4 span FortiManager, hybrid mesh firewall, Secure SD-WAN, single-vendor SASE, Universal zero-trust network access (ZTNA), and secure WLAN/LAN.

Unified management and analytics across hybrid networks

FortiManager provides IT leaders with unprecedented visibility and enforcement across all secure networking elements, including hybrid mesh firewall, single-vendor SASE, Universal ZTNA, Secure SD-WAN, and secure WLAN/LAN.

Hybrid mesh firewall for data center and cloud

FortiGate 7080F is a new series of next-generation firewalls (NGFWs) that eliminates point products, reduces complexity, and delivers higher performance through purpose-built ASIC technology and AI/ML-powered advanced security.

FortiFlex is a points-based consumption program with support for hybrid mesh firewall deployments and a variety of products, such as virtual machines, FortiGate appliances, and SaaS-based services, among others.

Secure SD-WAN for branch offices

Fortinet Secure SD-WAN enables consistent security and superior user experience for business-critical applications, whether in the cloud or on-premises, and supports a seamless transition to single-vendor SASE. New enhancements include automation in overlay orchestration to accelerate site deployments and a redesign of the monitoring map view to provide global WAN status for each.

Single-vendor SASE for remote users and branch offices

FortiSASE converges cloud-delivered security and networking to simplify operations across hybrid networks. FortiSASE now integrates with FortiManager, allowing unified policy management for Secure SD-WAN and SASE along with unmatched visibility across on-premises and remote users.

Universal ZTNA for remote users and campus locations

Fortinet Universal ZTNA provides the industry's most flexible zero-trust application access control no matter where the user or application is located. Universal ZTNA now delivers user-based risk scoring as part of our continuous checks for ongoing application access.

"Via the power of the FortiOS operating system, FortiGate delivers one of the top secure SD-WAN solutions, includes a powerful LAN edge controller, enables the industry's only Universal ZTNA application gateway, and facilitates the convergence of NOC and SOC."2

WLAN/LAN for branch offices and campus locations

FortiAP secure WLAN access points now integrate with FortiSASE, marking the industry's first AP integration with SASE. This enables secure micro-branches where an AP is deployed to send traffic to a FortiSASE solution and ensure comprehensive security of all devices at the site.

Prevention, early detection, and real-time response

Fortinet has added new real-time response and automation capabilities across the Security Fabric to enable SOC teams to protect against and reduce time to resolution for sophisticated attacks such as weaponized AI attacks, targeted ransomware, and criminal-sponsored APTs. New solutions and enhancements across five key areas include:

Endpoint security and early response

FortiEDR and FortiXDR now provide additional interactive incident visualization with enriched contextual incident data using multiple threat intelligence feeds to enable customers to simplify and expedite investigations.

FortiNDR Cloud combines robust artificial intelligence, complemented by pragmatic analysis and breach protection technology. The solution provides 365-day retention and visibility into network data, built-in playbooks, and threat hunting capabilities to detect anomalous and malicious behavior on the network. Choose from a self-contained, on-premises deployment powered by the Fortinet Virtual Security Analyst, or a new guided SaaS offering maintained by advanced threat experts from FortiGuard Labs.

FortiRecon, supported by threat experts from FortiGuard Labs, now delivers enhanced proactive threat intelligence into critical risks associated with supply chain vendors and partners, including external exposed assets, leaked data, and ransomware attack intelligence.

FortiDeceptor now offers vulnerability outbreak defense. When a vulnerability is reported by FortiGuard Labs, it is automatically pushed as a feed to the outbreak decoy to redirect attackers to fake assets and quarantine the attack early in the kill chain. Further, a SOAR playbook can automatically initiate the creation of and strategically place deception assets to gather granular intel and stop suspicious activities.
FortiDeceptor also now offers a new attack exchange program that allows FortiDeceptor users to anonymously exchange valuable intel on the most current attacks and take proactive steps to avoid a breach.

SOC automation and augmentation

FortiAnalyzer enables more sophisticated event correlation across different types of log sources using a new intuitive rules editor that can be mapped to MITRE ATT&CK use cases.

FortiSOAR now offers a turnkey SaaS subscription option, inline playbook recommendations driven by machine learning, extensive OT security features and playbooks, and unique no/low-code playbook creation enhancements.

FortiSIEM now includes new link graph technology that allows for easy visualization of relationships between users, devices, and incidents. The solution is also now powered by an advanced machine learning framework, which enhances protection by detecting anomalies and outliers that may be missed by traditional methods.

FortiGuard SOC-as-a-Service now offers AI-assisted incident triage as well as new SOC operations readiness and compromise assessment services from FortiGuard Labs.

AI-powered threat intelligence

FortiGuard Industrial Security Service significantly reduces time to protection with enhanced automated virtual patching for both OT and IT devices based on global threat intelligence, zero-day research, and a Common Vulnerabilities and Exposures (CVE) query service.

FortiGuard IoT Service enhances granular OT security at the industry level with Industrial-Internet-of-Things (IIoT) and Internet-of-Medical-Things (IoMT) device convergence.

FortiSIEM unified security analytics dashboards now incorporate mapping of industrial devices and communication paths to the Purdue model hierarchy, include new OT-specific playbooks for threat remediation, and use the ICS MITRE ATT&CK matrix for OT threat analysis.

Identity and access

FortiPAM privileged account management provides remote access for IT and OT networks. It now includes ZTNA controls when users try to access critical assets. The ZTNA tags can be applied to check device posture continuously for vulnerabilities, updated AV signatures, location, and machine groups.

Application security

FortiDevSec provides comprehensive application security testing for application code and runtime applications. The solution incorporates SAST, DAST, and SCA for early detection of vulnerabilities and misconfigurations, and protection including secret discovery.

Risk reduction for cyber-physical and industrial control systems

Fortinet's portfolio of solutions and our Security Fabric for OT are designed specifically for cyber-physical security. New enhancements include:

• FortiGate 70F Rugged Next-Generation Firewall (NGFW) is the latest addition to Fortinet's rugged portfolio designed for harsh environments. It features a new compact design with converged networking and security capabilities on a single processor.
• FortiDeceptor Rugged 100G is now available as an industrially hardened rugged appliance, ideal for harsh industrial environments.
• FortiPAM offers enterprise-grade privileged access management for both IT and OT ecosystems.
• FortiSIEM unified security analytics dashboards now include event correlation and mapping of security events to the Purdue model.
• FortiSOAR now offers features to reduce alert fatigue and enable security automation and orchestration across IT and OT environments.
• FortiGuard Industrial Security Service now includes more than 2,000 application control signatures for OT applications and protocols that support deep packet inspection.
• Fortinet Cyber Threat Assessment Program (CTAP) for OT validates OT network security effectiveness and application flows, and includes expert guidance.
• OT tabletop exercises for OT security teams are led by FortiGuard Incident Response team facilitators with expertise in threat analysis, mitigation, and incident response.

FortiOS and the Fortinet Security Fabric Address Current and Emerging Security Challenges

FortiOS 7.4 provides features and enhancements to support today's fast-changing hybrid networking and security needs. FortiOS is continually updated to ensure organizations stay ahead of today's ever-evolving threat landscape. With an expansive Fortinet Security Fabric solution in place, organizations of any size can be assured that they have the tools they need to address all their security and networking challenges, no matter how broadly their users and networks are distributed, today and in the future.

1 "Ken Xie Q&A: Growth, Differentiators, and FortiSP5," Fortinet, February 13, 2023.
2 John Maddison, "Setting the Record Straight on Competitor Misinformation," Fortinet, November 11, 2022.

Copyright © 2023 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise

Microsoft Azure and Fortinet Enterprise-Class Security Solutions Partnership White Paper

SOLUTION BRIEF

Step Up Your Security on Microsoft Azure with Fortinet

Executive summary

Security today requires consistent tools and policies across data centers, branch offices, and clouds. The goal is to attain uniform policy enforcement, visibility, and orchestration wherever the compute occurs. The average security stack, which includes multiple, disparate tools, can lead to operational silos and security gaps that prevent organizations from achieving this goal. Organizations must realize the importance of converging and uniting security, network, and computing practices. An integrated suite of security products that provides protection, no matter where their applications and data live, is the answer.

The organizations that power the world run on Microsoft Azure and protect their clouds and data centers with Fortinet's enterprise-class security solutions. Because of the extensive partnership between Microsoft and Fortinet, Azure customers of any size can leverage jointly engineered solutions to migrate to, and grow in, the cloud with confidence.

Understanding the security challenges of cloud adoption

Moving to the cloud has many benefits, from the possibility of creating new revenue streams to a shortened time to market. But cloud migrations also raise particular security considerations. According to the Fortinet 2023 Cloud Security Report1, ninety-five percent of enterprises reported being "very" to "highly" concerned about cloud security. Several variables contribute to this feeling, including:

• Attack surfaces expand as organizations grow
• Increased complexity from hybrid and multi-cloud deployments
• Lack of visibility due to fragmented security solutions
• Ever-increasing number of networks, devices, and applications with remote work
• Shortage of skilled security professionals to tackle a rapidly evolving threat landscape

Fortinet offers trailblazing protection for Azure

Backed by the continuous research of FortiGuard Labs, the Fortinet Security Fabric is essential to reducing complexity and increasing overall security effectiveness across today's expanding networks. Azure customers can leverage solutions from Fortinet and Microsoft that are designed to work together to achieve comprehensive visibility and multi-layered security.

Why Fortinet

• More than 100 integrations between Fortinet and Microsoft.
• Recognized as winner of the Microsoft Partner of the Year Award.
• A Leader in the 2022 Gartner Magic Quadrant for Network Firewalls, SD-WAN, SIEM, and Enterprise Wired and Wireless LAN Infrastructure.
• Microsoft has been a Fortinet Fabric Ready Partner since 2017.

1 2023 Fortinet Cloud Security Report

Managing different Azure security use cases with Fortinet

Use case #1: Safely migrate and build on Azure

Whether you are a Fortinet customer migrating applications to Azure, or an Azure user seeking superior protection for your environment, pairing Fortinet and Microsoft is an effective joint approach for securing your cloud deployments. Fortinet protects Azure-based applications and workloads with solutions for network, cloud platform, and application defense. Fortinet offers a superior set of security solutions that are natively integrated into the Azure infrastructure and available on the Microsoft Commercial Marketplace.
Better still, Fortinet's security solutions are all part of a security fabric that extends across clouds and data centers. The Fortinet Security Fabric is backed by FortiGuard Labs, which gathers and analyzes over 14 billion security events per day. Utilizing artificial intelligence and machine learning, it continuously improves threat intelligence in real time. The Fortinet Security Fabric uses this data to identify and defend against the latest threats.

• Fortinet solutions integrate with numerous Azure services, including Azure Sentinel, Azure Active Directory, Azure Security Center, Microsoft Defender for Cloud, Azure Cloud Functions, Azure Application Gateway, and more.
• FortiGate Next-Generation Firewall (NGFW) for Azure secures native, hybrid, and multi-cloud environments. FortiGate NGFW can recognize and understand unique applications and make relevant security decisions around proprietary traffic, detect botnets, and segment traffic.
• FortiWeb web application firewall (WAF) protects business-critical web applications and their APIs from attacks. Advanced ML-powered features improve security and reduce administrative overhead.
• Integration with Azure Virtual Machine facilitates scale-up and scale-out security.

Use case #2: Defend web applications and their APIs built on Azure

According to Verizon's 2022 Data Breach Investigation Report, web applications are the top action vector in security incidents, and in 42 percent of breaches.2

FortiWeb Cloud can protect all of an organization's web applications and APIs in one solution that is simple to deploy and easy to manage. With FortiWeb Cloud, organizations benefit from enterprise-level features while saving time and budget. FortiWeb Cloud delivers advanced visual analytics and machine learning capabilities to defend against such threats as the OWASP Top 10 and zero-day attacks. It goes beyond traditional WAFs to offer advanced features, including:

• API discovery and protection to enable B2B communications and support your mobile applications.
• Bot management to take action on malicious bots, while welcoming good bots, with automated identification and mitigation.
• Threat analytics to reduce alert fatigue and ensure analysts can quickly focus on the most important threats.
• The latest threat intelligence with signature updates and analytics from FortiGuard Labs.

2 2022 Data Breach Investigations Report | Verizon

Use case #3: Build a global SD-WAN with Azure Virtual WAN integration

Azure Virtual WAN is a networking service that allows customers to leverage the Azure network backbone so they can build high-speed global transit network architectures. Fortinet FortiGate Secure SD-WAN for Microsoft Azure vWAN can be deployed directly into the Microsoft WAN hub, securing both north/south and east/west traffic and allowing organizations to utilize Microsoft Azure as a global backbone for their secure SD-WAN deployments.

This solution deploys a set of FortiGate NGFWs as a managed application in Azure vWAN to support a secure SD-WAN with layer 4-7 inspection. Fortinet Secure SD-WAN delivers enterprise-class security and branch networking between Azure VNETs, the internet, and corporate branches or datacenters. Organizations can easily integrate SD-WAN and NGFW into all traffic flows, and enforce layer 4-7 inspection and control powered by FortiGuard Labs. Cost-effective and offering fast connectivity, FortiGate for Azure vWAN delivers operational efficiencies through automation, deep analytics, and self-healing.
• Deploy the FortiGate NGFW within vWAN to secure intra-cloud connectivity, as well as site-to-site, remote user, and private connectivity.
• Centralize control with FortiManager, which offers a single-pane-of-glass view that reduces vulnerabilities from configuration errors.
• Remain compliant with FortiAnalyzer, which simplifies compliance management and reporting with customizable regulatory templates, audit logging, and role-based access control, eliminating the need for many manual processes related to auditing.

Use case #4: Improve protections for Microsoft Windows on Azure Virtual Desktops

A complete desktop and app virtualization solution, Windows Virtual Desktop (WVD) runs in the cloud. In order to facilitate remote work, more companies are turning to WVD. However, these installations need sophisticated routing and security in order to connect to data centers, branches, and client-to-site access to Azure services. By offering network inspection across all of these footprints with virtual private network (VPN) linkages from the endpoint into the cloud, FortiGate includes the ability to enforce advanced security policies such as zero trust and data leak prevention.

• FortiGate NGFW adds to the core capabilities of Azure by providing network inspection across data centers, branches, and client-to-site access to Azure resources via virtual private network (VPN). It interconnects from the endpoint, through the premises, and into the cloud.
• FortiGate's deep packet inspection capabilities, along with SSLi for inspecting encrypted traffic, ensure network security.
• FortiGate's support for secure SD-WAN allows for secure connectivity among branches and virtual desktops.
• FortiGate is ideal for enforcing zero trust policies, promoting rigorous validation before remote users and devices access their Microsoft environment.
• Secure RISE with SAP

Seek a security partner, not a product

Making a decision in cloud security should focus on seeking the best global security partner, not on tactical decisions about products.

Fortinet, a leading security provider and the worldwide leader of unified threat management solutions, keeps your workloads and applications safe on Microsoft Azure. Powered by comprehensive threat intelligence and more than 20 years of cybersecurity innovation and experience, the broad suite of Fortinet solutions protects any application on Azure.

To learn how to gain the most advanced protection on Azure, visit: /azure

Fortify 20.1.0 / Fortify SSC 20.x Deployment Guide

Deployment Guide

Installation and Configuration of ScanCentral on Fortify 20.1.0 / Fortify SSC 20.x

Author: Vikas Johari
Date: 17 March 2021
Document Version: v0.2

Contents

Installing ScanCentral Controller
Configuring ScanCentral in SSC
Configuring ScanCentral Sensor
Configuring the ScanCentral Client
Running a Simple Sample Scan using Build Tool
Running a Sample Scan from Visual Studio 2019
Configuring Jenkins Project to use ScanCentral
Running a Sample Scan and uploading to SSC

Installing ScanCentral Controller

In the Download folder, extract the ScanCentral Controller zip file: unzip Fortify_ScanCentral_Controller_20.1.0_x64.zip.
Move the "Fortify_ScanCentral_Controller_20.1.0_x64" folder to the C:\Program Files\Fortify folder and open it.
Open server.xml in the tomcat\conf folder in Notepad++.
Note: On this server, SSC and Jenkins are already running on port 8080, so we need to change the port of the ScanCentral components to 8280; otherwise there will be a port conflict.
Find the server port 8005 and change it to 8205.
Find the Connector port 8080 and change it to 8280.
Note: If you are planning to use the SSL port, make sure port 8443 is also changed to some other non-conflicting port.
Save the file.
Open the C:\Program Files\Fortify\Fortify_ScanCentral_Controller_20.1.0_x64\tomcat\webapps\scancentral-ctrl\WEB-INF\classes\config.properties file in Notepad++.
Locate and fix the URLs.
Save the file.
Open CMD in the ScanCentral Controller's tomcat\bin folder. Make sure CMD has Administrator privileges.
Run the command: service.bat install ScanCentralController
Open services.msc.
Find the new Apache Tomcat 9.0 ScanCentralController service.
Set this service to Automatic (Delayed Start).
In Log On, change to "Local System account" and enable "Allow service to interact with desktop".
Start the service.
Start the browser and connect to port 8280. The URL will be :8280/scancentral-ctrl
This message indicates that Fortify ScanCentral Controller is working.
Configuring ScanCentral in SSC

Now open SSC and log in as admin.
Open Administration -> Configuration -> ScanCentral.
Enable ScanCentral.
ScanCentral URL: :8280/scancentral-ctrl
Poll Period: 30 seconds
Shared Secret: changeme
Click Save.
Note: If you want to use a different Shared Secret, make the changes in the file below.
Restart SSC's Tomcat.
Log in to SSC and click SCANS -> Controller.
Validate that the information from the config file is displayed on the screen.

Configuring ScanCentral Sensor

Now configure the Sensor.
Create a file "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\Core\config\worker.properties" and enter the text as above.
Note: If you want to use a different token, you need to first change it in the controller's config.properties file, and then in worker.properties.
Go to the folder "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\bin\scancentral-worker-service" and open CMD as Administrator.
Create a folder named C:\ScanCentralWorkdir.
The command will be: setupworkerservice.bat 20.1.0 :8280/scancentral-ctrl CHANGEME123!
Type "Y" and hit the Enter key.
Open services.msc.
Open the Properties of the FortifyScancentralWorkerService.
Set the Startup type to "Automatic (Delayed Start)".
In Log On, select Local System account and Allow service to interact with desktop.
Click OK and start the service.
Open SSC and go to SCANS -> Sensors.
Check its State.
The Active state indicates that the sensor is running fine.

Configuring the ScanCentral Client

Open "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\Core\config\client.properties" and update the client_auth_token value to match the one in the C:\Program Files\Fortify\Fortify_ScanCentral_Controller_20.1.0_x64\tomcat\webapps\scancentral-ctrl\WEB-INF\classes\config.properties file.

Running a Simple Sample Scan using Build Tool

Change the folder to C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\plugins\maven\maven-plugin-src\samples\EightBall in CMD to test the ScanCentral client.
Run the command below to use maven as the build tool:
scancentral -url :8280/scancentral-ctrl start -bt mvn
Wait for the message "Submitted job and received token: .."
Go back to SSC -> SCANS -> Scan Requests.
Validate the Build ID, Job token and Status of the job. Wait a few minutes for it to complete.
The FPR can be downloaded from the EXPORT dropdown.
The FPR file can be opened in AWB.

Running a Sample Scan from Visual Studio 2019

Open the Riches DotNet solution in Visual Studio 2019 -> Extensions -> Fortify -> Options -> ScanCentral Settings.
Configure the ScanCentral Settings.
Open SSC -> Administration -> Users -> Token Management.
Click New.
Select ScanCentralCtrlToken, enter a description, and click Save.
Copy and save the tokens in a safe place. Click Close.
Create a new version "5.0" for Visual Studio of the Riches DotNet application. The FPR file from Visual Studio's ScanCentral will be uploaded to version 5.0.
Go back to Visual Studio.
Enable "Send Scan Results to SSC" and enter the Controller Token. Click OK.
Extensions -> Fortify -> Upload Solution to ScanCentral.
Enter the SSC credentials and click OK.
Select 5.0 and click OK.
The plugin will display the confirmation along with the Job token. Click OK to close the window.
Open SSC -> SCANS -> Scan Requests.
The RichesDotNet job will appear in a few seconds; hit Refresh if it is not visible.
Wait for it to complete.
ScanCentral will upload the FPR into the application version. Validate it in the application version -> Artifact. The FPR file will be uploaded there.

Configuring Jenkins Project to use ScanCentral

In SSC, create a new version "6.0" of the Riches DotNet application.
Open Jenkins -> Manage Jenkins -> Configure System and scroll down to the end of the page.
Validate that the SSC URL is configured and the Controller URL is blank and non-editable, because this plugin expects ScanCentral to be configured before the Jenkins plugin is configured.
Let's use the workaround:
Remove the SSC URL; the Controller URL will now be active. Enter the Controller URL and Controller Token, and then the SSC URL.
Test SSC Connection and Test Controller Connection.
Click Save.
Create a new Jenkins project named "Riches DotNet via ScanCentral", and select Copy from the "Riches DotNet via GitLab" project. This option is at the bottom of the screen.
In Post Build Action -> Fortify Assessment, select the options below.
Save and run the project.
If everything goes well, the scan job will be submitted to ScanCentral and the token will be received.
Note: The logic gate will not work with ScanCentral, which is why the Logic Gate option is missing at this point; you will need to create it later in the software lifecycle, since the goal with ScanCentral is to perform asynchronous scans so that the build pipeline does not have to wait for the scan to finish.
Now check the Scan Requests in SSC and the application version.

Running a Sample Scan and uploading to SSC

Create a new application named "WebGoat for ScanCentral", version "5.0".
Run the fortifyclient command to list the application versions:
fortifyclient -url :8080/ssc -authtoken db796568-9a96-4611-82d9-9a9954902087 listApplicationVersions
Note: The token generated in the section "Running a Sample Scan from Visual Studio 2019" should be used.
Create the build using:
cd "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\Samples\advanced\webgoat"
sourceanalyzer -b WebGoat_via_ScanCentral -clean
sourceanalyzer -b WebGoat_via_ScanCentral -source 1.5 -cp "WebGoat5.0/WebContent/WEB-INF/lib/*.jar" WebGoat5.0/JavaSource WebGoat5.0/WebContent
Submit the scan using:
scancentral -url :8280/scancentral-ctrl start -upload --application "WebGoat for ScanCentral" --application-version "5.0" -b WebGoat_via_ScanCentral -uptoken db796568-9a96-4611-82d9-9a9954902087 -scan -Xmx2G
The scan is submitted to ScanCentral.
Validate the scan in Scan Requests. When the status changes to "Upload Completed"
< !! End of the Document !! >
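The guide walks the controller, sensor and client through setup with placeholder secrets (changeme, CHANGEME123!) and relies on hand-copying the token from the controller's config.properties into client.properties, so a deployment can easily go live with a default or mismatched token. The following is an added example, not part of the guide or of Fortify ScanCentral: it parses the three .properties files (the sample file contents are constructed inline) and reports tokens that are placeholders, too short, missing, or different on the two ends. The client_auth_token property name is the one the guide refers to; worker_auth_token is an assumed name.

```python
"""Consistency check for ScanCentral authentication tokens.

Added example for this deployment guide; it is not part of Fortify ScanCentral
or of the guide itself. client_auth_token is the property the guide refers to;
worker_auth_token is an assumed name, and every sample file below is
constructed for this demonstration.
"""
import re

# Placeholder values the guide uses during setup; a finished deployment should
# not keep any of them (compared case-insensitively).
DEFAULT_SECRETS = {"changeme", "changeme123!"}
MIN_SECRET_LENGTH = 16

# Property each component must agree on with the controller
# (client_auth_token from the guide; worker_auth_token assumed).
TOKEN_KEYS = {"client": "client_auth_token", "worker": "worker_auth_token"}


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comment lines, 'key=value' or
    'key: value' pairs and backslash line continuations. Values are stripped
    of surrounding whitespace."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]  # logical line continues on the next line
            continue
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_tokens(controller, components):
    """controller: parsed controller config.properties.
    components: {"client": parsed client.properties, "worker": parsed worker.properties}.
    Returns a sorted list of findings; an empty list means every token is set,
    non-default, long enough and identical on both ends."""
    findings = []
    for role, key in TOKEN_KEYS.items():
        expected = controller.get(key)
        if expected is None:
            findings.append(f"controller: {key} is not set")
        elif expected.lower() in DEFAULT_SECRETS:
            findings.append(f"controller: {key} is a placeholder value")
        elif len(expected) < MIN_SECRET_LENGTH:
            findings.append(f"controller: {key} is shorter than {MIN_SECRET_LENGTH} characters")
        props = components.get(role)
        if props is None:
            continue
        actual = props.get(key)
        if actual is None:
            findings.append(f"{role}: {key} is not set")
        elif expected is not None and actual != expected:
            findings.append(f"{role}: {key} does not match the controller")
    return sorted(findings)


def audit(controller_text, client_text, worker_text):
    """Parse the three files' contents and run the check."""
    return check_tokens(
        parse_properties(controller_text),
        {"client": parse_properties(client_text), "worker": parse_properties(worker_text)},
    )


# Constructed samples (not taken from any real installation). The first set
# mirrors the values the guide uses while setting up; the second shows a
# hardened controller whose client file was not updated to match.
SETUP_CONTROLLER = "# controller config.properties (constructed)\nclient_auth_token=changeme\nworker_auth_token=CHANGEME123!\n"
SETUP_CLIENT = "client_auth_token: changeme\n"
SETUP_WORKER = "worker_auth_token=CHANGEME123!\n"

HARDENED_CONTROLLER = (
    "client_auth_token=6c0f1d9a4e2b8f73a1d5c9e0b4f7a2d8\n"
    "worker_auth_token=9e4b2a7c1f0d8e6b3a5c7d9f1e2b4a6c\n"
)
STALE_CLIENT = "client_auth_token=6c0f1d9a4e2b8f73a1d5c9e0b4f7a2d9\n"  # last digit differs
HARDENED_WORKER = "worker_auth_token=9e4b2a7c1f0d8e6b3a5c7d9f1e2b4a6c\n"

if __name__ == "__main__":
    for label, files in (("setup values", (SETUP_CONTROLLER, SETUP_CLIENT, SETUP_WORKER)),
                         ("hardened, stale client", (HARDENED_CONTROLLER, STALE_CLIENT, HARDENED_WORKER))):
        print(label + ":")
        for finding in audit(*files) or ["ok"]:
            print("  " + finding)
```

To run it against a real installation, read the three files named in the guide (the controller's config.properties under scancentral-ctrl\WEB-INF\classes, and client.properties and worker.properties under Core\config) and pass their contents to audit(); anything it reports should be fixed before SSC, the sensor and the build agents are pointed at the controller.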

Micro Focus Fortify Software 22.2.0 Release Notes


Micro Focus Fortify Software, Version 22.2.0
Release Notes
Document Release Date: November 2022, updated: 1/31/2023
Software Release Date: November 2022

IN THIS RELEASE

This document provides installation and upgrade notes, known issues, and workarounds that apply to release 22.2.0 of the Fortify product suite. This information is not available elsewhere in the product documentation. For information on new features in this release, see What's New in Micro Focus Fortify Software 22.2.0, which is available on the Micro Focus Product Documentation website: https:///support/documentation.

FORTIFY DOCUMENTATION UPDATES

Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In addition, you may find technical notes and release notes that describe forthcoming features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website: https:///support/documentation. If you have trouble accessing our documentation, please contact Fortify Customer Support.

• The Micro Focus Fortify Plugin for Eclipse User Guide now covers only the Fortify Eclipse Complete Plugin. The new document Micro Focus Fortify Remediation Plugin for Eclipse User Guide describes the Fortify Remediation plugin for Eclipse.
• The Micro Focus Fortify Plugins for JetBrains IDEs and Android Studio User Guide has been renamed to Micro Focus Fortify Analysis Plugin for IntelliJ IDEA and Android Studio User Guide and covers only the Fortify Analysis plugin. A new document, Micro Focus Fortify Remediation Plugin for IntelliJ IDEA and Android Studio User Guide, describes the Fortify Remediation plugin.
• Support for versions of the GNU gcc and GNU g++ compilers has been expanded to 6.x – 10.4 on Windows, Linux, and macOS operating systems. This change is documented in the Compiler section of the Micro Focus Fortify Software System Requirements.

INSTALLATION AND UPGRADE NOTES

Complete instructions for installing Fortify Software products are provided in the documentation for each product.

Fortify Static Code Analyzer

Migrating from a Patched Release of Fortify Static Code Analyzer: If your Fortify Static Code Analyzer installation has been patched, the last digit in the version number will be greater than zero. For instance, release 21.2.0 has a zero as the last digit, which identifies it as a major release that has not been patched. Versions 20.1.6, 20.2.4, 21.1.4, and 21.2.3 are examples of patched releases. When upgrading from a patched Fortify Static Code Analyzer release, your configuration files and properties (fortify-sca.properties) might not carry over to the new installation. If you would like to migrate your configuration and properties settings to the new installation, please contact Fortify Customer Support for assistance.

Fortify Audit Workbench, Secure Code Plugins, and Tools

• The Eclipse Remediation Plugin is not included in the Fortify_SCA_and_Apps_<version>_<OS>.zip in this release. It is available for download from the Eclipse Marketplace.
• The IntelliJ IDEA and Android Studio Remediation Plugin is not included in the Fortify_SCA_and_Apps_<version>_<OS>.zip in this release. It is available for download from the JetBrains Marketplace.

USAGE NOTES FOR THIS RELEASE

There is a landing page (https://fortify.github.io/) for our consolidated (Fortify on Demand + Fortify On-Premises) GitHub repository. It contains links to engineering documentation and the code of several projects, including a parser sample, our plugin framework, and our JavaScript Sandbox Project.

Fortify Static Code Analyzer

• The SCAState utility does not work in the 22.2.0 release. This functionality will be restored in the upcoming 22.2.1 patch. If you require the SCAState functionality in the 22.2.0 release, you can request a hotfix through Customer Support.
• For security reasons, Fortify Static Code Analyzer sample projects have been removed from the installer. These samples are now available as a separate ZIP package.

Fortify Software Security Center

• Recent Chrome or Chromium-based browsers default to the SameSite=Lax cookie policy, which means cookies are not sent with sub-requests to third-party sites. Therefore, SAML Single Logout will not work correctly when it is not initiated from Fortify Software Security Center. To make SAML Single Logout work in Chrome or Chromium-based browsers, the SameSite policy for session cookies must be changed to "None". Note that this is a less secure policy than the default, so changing it is left to your consideration. To change the policy for container deployments, use the HTTP_SERVER_SAME_SITE_COOKIES environment variable. For non-container deployments, add <CookieProcessor sameSiteCookies="none"/> to the context section of your Tomcat configuration. See https:///tomcat-9.0-doc/config/context.html#Nested_Components for details. Fortify Software Security Center must be restarted for the change to take effect.
• A major upgrade of the libraries providing SAML Single Sign-On and Single Logout functionality was delivered in this release. Fortify strongly recommends testing SAML SSO behavior after the upgrade on a non-production environment first. For a successful SAML SSO migration, follow the instructions below right after upgrading to 22.2.0.
  o HTTP Redirect and HTTP POST bindings are supported, but only one at a time for inbound SAML messages. The default binding is HTTP POST. If your IdP only supports HTTP Redirect (GET) for sending Single Logout messages (as is the case with, for example, Microsoft Azure AD), you must switch to the HTTP Redirect binding for inbound Single Logout messages: add the property sso.saml.logout.binding.consume=REDIRECT to app.properties. Fortify Software Security Center must be restarted for the change to take effect.
  o Navigate to <hostname>:<port>/<context>/saml/metadata/<SP_alias> to re-generate the Fortify Software Security Center SAML metadata and re-upload it to your IdP server. To make the transition as smooth as possible, an effort was made for SAML SSO to work correctly after the upgrade even with SAML metadata generated before the 22.2.0 release. However, it is necessary to update the metadata file in the IdP server at your earliest convenience.
  o Please also note that:
    ▪ HTTP Artifact binding is no longer supported.
    ▪ Logout responses and logout requests sent by the IdP must be signed; Fortify Software Security Center will refuse to process them otherwise.
• If the host.url property includes a default port (443 for https or 8080 for http), Fortify Software Security Center strips it as part of URL normalization. This behavior can be changed by adding the property host.url.normalization.forcePort=true to app.properties. When this property is used, host.url is normalized to always include a port, adding the default one if none is specified.
• The Velocity template engine libraries, which affect bug tracker filing templates, were upgraded in this release from version 1.7 to version 2.3. For a detailed list of changes in 2.3 since 1.7, see https:///engine/2.3/upgrading.html. Custom bug tracker filing templates, or custom changes to built-in bug tracker templates, might be affected by the listed changes; if so, the custom template content needs to be updated manually. If you wish to maximize backward compatibility instead, add the property templates.velocity.enhancedBackwardCompatibility=true to app.properties. Note that this is a best effort at maintaining backward compatibility and some manual changes might still be necessary.
• In previous releases, a PUT request to api/v1/issueTemplates/{id} returned 200 even when a non-existing Issue Template ID was used. Such a request now fails with 409.
• The Azure DevOps bug filing template was updated and now escapes HTML characters for issue deep links and bug attributes. If this template was customized (specifically, if the Description field was altered) in previous releases, the template update might not be applied in full, and manual changes might be necessary. For more details on how to apply HTML escaping, refer to the "Editing tips" available when editing the bug filing template's fields on the Administration page.

Fortify ScanCentral SAST

• Due to an issue where scans fail because of very long generated build IDs (multi-module projects), ScanCentral SAST now uses a hash string for the build ID.

KNOWN ISSUES

The following are known problems and limitations in Fortify Software 22.2.0. The problems are grouped according to the product area affected.

Fortify Software Security Center

• Enabling the "Enhanced Security" option for BIRT reports breaks report generation if Fortify Software Security Center is installed on a Windows system.
• For successful integration with Fortify WebInspect Enterprise, Fortify Software Security Center must be deployed to the /ssc context. In particular, the context must be changed for the Fortify Software Security Center Kubernetes deployment, which uses the root context by default.
• The migration script downloaded from the maintenance page is saved to a file with a PDF extension when using Firefox. The contents of the file are accurate, and it can be used for migration after changing the file extension to .sql.
• Fortify Software Security Center does not verify the optional signature on SAML identity provider metadata even if it is present. The recommended mitigation is to use a file:// or https:// URL to provide the identity provider's SAML metadata to Fortify Software Security Center (avoid using an http:// URL).
• When editing Issue Templates in the UI, it is not possible to replace the template file. As a workaround, the /upload/projectTemplateUpload.html API endpoint can be used to replace an existing template file.
• The Fortify Software Security Center API Swagger spec contains two definitions that differ only in case:
  o Custom Tag, used for assigning custom tag values to issues in an application version
  o Custom tag, used for managing custom tags
  Pay attention when using tools to auto-generate API clients from the Swagger spec. A case-insensitive generation process might run into conflicts, and the generated client might need manual modification.

Fortify Static Code Analyzer

• While scanning JSP projects, you might notice a considerable increase in vulnerability counts in JSP-related categories (for example, cross-site scripting) compared to versions of Fortify Static Code Analyzer prior to 22.1.0. To remove these spurious findings, specify the -legacy-jsp-dataflow option on the Fortify Static Code Analyzer command line during the analysis phase.
• In some circumstances, when upgrading Fortify Static Code Analyzer to a new version, the custom settings in the fortify-sca.properties configuration file might not get migrated. As a workaround, copy the custom settings from the fortify-sca.properties configuration file in the old installation location to the new one.
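One way to catch the Swagger case collision noted above before a generated client breaks, as an added check that is not part of the release notes or of any Fortify tool: scan the spec for schema names that become identical once case and whitespace are ignored, which is how most client generators derive class names. The spec embedded in the block is constructed for the example, and the check also covers OpenAPI 3 components.schemas, which goes beyond the Swagger 2.0 spec the note refers to.

```python
"""Flag Swagger/OpenAPI schema names that collide under case-insensitive
client generation, such as the "Custom Tag" / "Custom tag" pair in the SSC
API spec described in the known issue above.

Added example; it is not part of the release notes or of any Fortify tool.
The embedded spec is constructed and only mimics the shape of the problem.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed, minimal Swagger 2.0 document with two definitions that
# differ only in case, plus one that does not collide.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Example API", "version": "1.0"},
    "paths": {},
    "definitions": {
        "Custom Tag": {"type": "object",
                       "properties": {"customTagGuid": {"type": "string"},
                                      "textValue": {"type": "string"}}},
        "Custom tag": {"type": "object",
                       "properties": {"name": {"type": "string"},
                                      "valueType": {"type": "string"}}},
        "Project": {"type": "object",
                    "properties": {"name": {"type": "string"}}},
    },
})


def schema_names(spec: dict) -> List[str]:
    """Schema names for Swagger 2.0 (`definitions`) or OpenAPI 3
    (`components.schemas`); the same check applies to both."""
    if "definitions" in spec:
        return list(spec["definitions"])
    return list(spec.get("components", {}).get("schemas", {}))


def generator_key(name: str) -> str:
    """Normalise a schema name the way many client generators do before
    turning it into a class or file name: drop whitespace, ignore case."""
    return "".join(name.split()).casefold()


def find_case_collisions(spec_json: str) -> Dict[str, List[str]]:
    """Return {normalised_key: [original names]} for every group of schema
    names that would map to the same generated identifier."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in schema_names(json.loads(spec_json)):
        groups[generator_key(name)].append(name)
    return {key: sorted(names) for key, names in groups.items()
            if len(names) > 1}


if __name__ == "__main__":
    # Point json.loads at the spec downloaded from your SSC instance to run
    # the same check on the real document.
    for key, names in find_case_collisions(SAMPLE_SPEC).items():
        print(f"collision on '{key}': {names}")
```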
Fortify Audit Workbench, Secure Code Plugins, and Tools

• If you encounter crashes with Audit Workbench on an older version of Linux, make sure you have the required version 3.22 (or later) of the GTK3 library.
• Selecting File Bug for the first time on Linux produces an error, but it disappears if you click the button a second time.
• Authenticating with Azure DevOps from the Eclipse Complete plugin results in an error message on Linux.
• Clearing a date-typed custom tag's value does not work from the Fortify Remediation plugin for IntelliJ.
• BIRT reports no longer support generating the XLS file format.
• If you are not connected to the internet, you will get an "Updating Security Content" error when you first start Fortify Security Assistant for Eclipse. After importing the rules, you will no longer get this error on startup.

Fortify ScanCentral DAST

• Users who do not have permissions to create settings, and who click EDIT from the Settings List, cannot save the edited settings as a new template. As a workaround, these users can use the Settings Configuration wizard by clicking NEW SCAN or NEW SETTINGS.
• The Data Retention setting is not displayed in Base Settings. If Data Retention was set in Base Settings that were configured in ScanCentral DAST 22.1.0, those settings still apply but are not displayed in the UI. Also, if Data Retention is enabled at the Application level, the setting is applied to the Base Settings. The Data Retention setting is displayed in the scan Settings; if you create new templates or run scans using these settings, the Data Retention setting is applied.
• Container names for the DAST Sensor and Utility Service must not exceed 50 characters in Docker run commands or Docker Compose files.
• ScanCentral DAST uploads the scanner service logs to the database, but there is no UI option to download the logs. To get the logs, use the following API endpoint:

    GET /api/v2/scans/{scanId}/download-dast-service-logs

  A ZIP file that may contain multiple ZIP files is downloaded. This is because each time a scan is paused, interrupted, or completed, the logs are uploaded to the database. A scan may be resumed on a different scanner each time it is paused or interrupted, and the logs are saved each time.
• When importing an HTTP archive (.har) file to use as a workflow macro, the file size is limited to 4 MB. To increase the file size limit to 30 MB, run the following SQL command:

    IF NOT EXISTS (SELECT Id FROM ConfigurationSetting
                   WHERE SettingName = 'UtilityWorkerServiceSettings.MaxReceiveMessageSize')
        INSERT INTO ConfigurationSetting (SettingName, SettingValue, IsEncrypted)
        VALUES ('UtilityWorkerServiceSettings.MaxReceiveMessageSize', '31457280', 0)
    GO

• Global Restrictions and Application Settings Domain Restrictions are applied only for Standard Scans or API scans that use a start URL.
• The Fortify ScanCentral DAST download package that you obtain from the Software and License Download site includes the scancentral-dast-config-linux.tar file for the Alpine Linux distribution. The documentation does not describe how to use the Alpine Linux version, but instead describes the preferred scancentral-dast-config-ubi.tar file for the Red Hat Linux distribution. To obtain the Red Hat Linux version, contact Micro Focus Fortify Customer Support.

Fortify WebInspect Enterprise

• Completed scan request data presented in the WebInspect Enterprise Web Console - Scan Requests UI may be overwritten when a new scan request is submitted for the same application version in Fortify Software Security Center. This issue will be resolved in a hotfix to 22.2.0.
• When exporting a scan in XML format to import as an artifact to Fortify Software Security Center, fewer findings may be present in the imported file than were in the original scan.

NOTICES OF PLANNED CHANGES

This section includes product features that will be removed from a future release of the software. In some cases, the feature will be removed in the very next release. Features identified as deprecated are no longer recommended for use. In most cases, deprecated features will be completely removed from the product in a future release. Fortify recommends that you remove deprecated features from your workflow at your earliest convenience.

Note: For a list of technologies that will lose support in the next release, see the "Technologies to Lose Support in the Next Release" topic in the Micro Focus Fortify Software System Requirements document.

Fortify Static Code Analyzer

• Support for GOPATH will be removed in a future release to align with changes in the Go language.

Fortify Software Security Center

• The SOAP API is deprecated and is scheduled for removal, together with fortifyclient and the wsclient library. Use the REST API (/api/v1/*, /download/* and /transfer/*) endpoints instead of the SOAP API (/fm-ws/*) endpoints.
• The SOAP API is deprecated and is scheduled for complete removal as of the Fortify Software Security Center 24.1.0 release. The phased deprecation is scheduled as follows:
  - In SSC version 23.1.0, SOAP remains the default
  - In SSC version 23.2.0, SOAP is disabled by default, but is not removed
  - In SSC version 24.1.0, SOAP is removed entirely
  Use the REST API (/api/v1/*, /download/* and /transfer/*) endpoints instead of the SOAP API (/fm-ws/*) endpoints. A new sample command-line Fortify Software Security Center client (ssc-client) using the REST API is included in the Fortify Software Security Center distribution. The ssc-client sample serves as a starting point for using a REST API-based client as a replacement for the SOAP API-based fortifyclient.
  Note: It is always possible that, because of schedule delays, SOAP will be removed entirely in a release later than SSC 24.1.0.
• Starting with the 23.1.0 release, it will no longer be possible to suppress the Plugin Framework's validation of engineType using the system environment variable FORTIFY_PLUGINS_PARSER_VULN_ENGINETYPECHECK or the JVM system property fortify.plugins.parser.vuln.engineTypeCheck. Any third-party parsers failing the validation will cease to work. The engineType of the submitted vulnerabilities must be coherent with the engineType provided in the plugin metadata.
• The REST API endpoint api/v1/projectVersions/{parentId}/dynamicScanRequests/action/cancel was deprecated and is scheduled for removal.

Fortify WebInspect

• The Web Service Test Designer tool will be removed in a future release.

FEATURES NOT SUPPORTED IN THIS RELEASE

The following features are no longer supported.

• The Fortify Software Security Center REST API token endpoint /api/v1/auth/token has been removed. Use the /api/v1/tokens endpoint instead.
• Fortify Static Code Analyzer no longer supports Visual Studio Web Site projects. You must convert your Web Site projects to Web Application projects to ensure that Fortify Static Code Analyzer can scan them.
• Fortify WebInspect no longer supports Flash parsing.
• Fortify ScanCentral SAST: the allow_insecure_clients_with_empty_token property, used to configure the Controller, was removed from the config.properties file.

Note: For a list of technologies that are no longer supported in this release, see the "Technologies no Longer Supported in this Release" topic in the Micro Focus Fortify Software System Requirements document. This list only includes features that have lost support in this release.

SUPPORT

If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using the following option.

To manage your support cases, acquire licenses, and manage your account: https:///support.

LEGAL NOTICES

© Copyright 2022-2023 Micro Focus or one of its affiliates.

Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Location World Fortify Product Description


Case Study

At a Glance
Industry: Technology
Location: Quito, Ecuador
Challenge: Find a more efficient way to identify and remediate vulnerabilities across a growing portfolio of applications and microservices
Products and Services: Fortify on Demand, Fortify Static Code Analyzer

Success Highlights
• Saves time and money by detecting vulnerabilities earlier in the development lifecycle
• Enables delivery of higher-quality applications to clients
• Boosts developer efficiency, helping teams keep pace with rising workloads
• Strengthens Location World's global recognition as a trusted software provider using cutting-edge technologies based on best practices and world-class standards and frameworks

Location World
Fortify supports high-quality application release with less expense and effort.

Who is Location World?
Location World is the leader in providing telematic solutions, fleet management, and connected car technology for the automotive, security, logistics, and insurance industries. With clients in 10 countries across LATAM and Spain, the company works with more than 6,500 customers, including YPF, Entel, AVIS, AB InBev, and Prosegur. Its telematics solutions connect more than 75,000 vehicles, generating insights that empower companies to optimize their vehicle fleets and better understand driver behavior. The company aims to make a difference for its customers: it wants not only to track vehicles but also to create useful sources of information for users.

Securing a Growing Application Landscape
Location World has established strategic alliances in the region with big players in the market, with innovative and disruptive B2B and B2B2C business models connecting thousands of vehicles and Internet of Things (IoT) devices, with several use cases for different industry segments that help them in their day-to-day operations to maximize their efficiency and return on investment (ROI) in less time. In the words of CIO Jaime Baracaldo, the company generates and implements powerful "Telematics Mega Ecosystems" with the highest added value throughout digital transformation and the Internet of Things (IoT), with PaaS and SaaS solutions around the world generating high impact.

To develop and deploy its array of web and mobile applications and microservices, the company counts on an in-house development team that follows an agile, DevOps approach. As Wilson González, DevOps Manager at Location World, explains: "In total we have 789 microservices and 460 pipelines, so you can imagine the transaction volumes that we generate day by day."

"We received excellent sales and technical support from CyberRes (now OpenText Cybersecurity), which set the tone for a smooth and successful implementation. We decided to work with Telefónica on this project. Their specialists had great knowledge about the Fortify tools and how to best integrate them with our development process."
Jaime Baracaldo, CIO, Location World

Delivering applications and microservices with the highest levels of quality, stability, and security has always been a top priority for Location World. However, with the development workload continuously growing, the company was keen to adopt a more scalable and rigorous approach to managing application security.

González continues: "We've always been trying to innovate in terms of security. Our first beginnings were manual. Then, we introduced a cloud-based code quality and security tool. As our operations grew, we found ourselves reaching the limits of this tool. We needed something more, and that's why we decided to look for a solution that supported both static (SAST) and dynamic (DAST) analysis integrated with our DevOps pipelines."

Finding the Right Solution
Supported by longtime partner Telefónica, Location World launched the search for a solution, and soon homed in on Fortify by OpenText: a unified vulnerability management platform that integrates static, dynamic, and mobile application security testing with continuous application monitoring. Not only was Location World impressed by Fortify's comprehensive, enterprise-grade application security capabilities, OpenText Cybersecurity also offered strong local-language support, which proved to be a key differentiator.

Following a promising proof-of-concept, Location World moved ahead with an implementation of Fortify on Demand by OpenText, an application security-as-a-service solution running in the Cybersecurity cloud, and Fortify Static Code Analyzer by OpenText, deployed in the company's private Microsoft Azure and Google Cloud environment.

Throughout the implementation, Location World was able to count on strong support from both Telefónica and Cybersecurity. Baracaldo confirms: "We received effective sales and technical support from CyberRes (now OpenText Cybersecurity), which set the tone for a smooth and successful implementation. Telefónica specialists had great knowledge and gave us their guidance about the Fortify tools and how to best integrate them with our processes."

Integrated, Automated Application Security Testing
Today, Fortify Static Code Analyzer is integrated seamlessly with Location World's Integrated Development Environments (IDEs), Microsoft Visual Studio, Android Studio and Xcode, as well as its Azure DevOps integration platform, used to create build and deployment pipelines. Fortify Static Code Analyzer pinpoints the root causes of security vulnerabilities in source code, prioritizes results sorted by severity of risk, and provides detailed guidance on how to fix vulnerabilities. Alongside this, Location World uses Fortify on Demand to perform final checks on code before it is released.

Baracaldo explains how the Fortify solutions are used on a day-to-day basis: "When a developer launches an upload for DevOps to the pipeline, Fortify Static Code Analyzer automatically launches the vulnerability analysis and shares the results with our Security Operations Center (SOC) in real time. After that, the SOC then carries out the dynamic analysis process with the Fortify on Demand module to certify whether or not the code passes. If it does not pass, there is no approval to go to production and an analysis with the development team is required to fix the detected vulnerabilities before SOC can retest and approve publishing any code to the production environment."

Delivering Secure Software, Fast
With Fortify now integrated into its development cycle, Location World can scan for software vulnerabilities in parallel with development processes and fix any issues as they arise. The Cybersecurity solution is helping both development and security teams work more productively, and has steadily driven down the number of potential vulnerabilities identified during development.

"Fortify allows us to analyze a greater volume of code in a much more agile and rapid way," notes González. "Now, our pipelines usually reach me without vulnerability errors because they've already been detected up front in the development process."

Gabriel Ayala, SOC Manager at Location World, adds: "Fortify has helped our development team to substantially improve the way they identify and mitigate vulnerabilities in code. We can also replicate these improvements in other applications, which contributes to higher-quality code across the entire organization."

Comprehensive vulnerability management gives Location World the confidence that it is releasing highly secure and reliable applications. In turn, this is helping the company strengthen its global recognition as a trusted software provider.

Baracaldo concludes: "Many of our clients also have a control process where they perform their own vulnerability analysis, so they've been able to see first-hand the improvements that we've made since introducing Fortify. It's a very positive situation for everyone: our clients have greater peace of mind about the applications they're using, and we grow our recognition as a global provider of high-quality, secure software."

OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high efficacy products, a compliant experience and simplified security to help manage business risk.

768-000088-001 | M | 07/22 | © 2022 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.
768-000088-003 | O | 11/23 | © 2023 Open Text

Introduction and Usage Analysis of Fortify, a Commercial-Grade White-Box Tool


Reposted from: /sectool/95683.html

What is Fortify and what can it do?
Answer: Its full name is Fortify SCA. It is an HP product: a static, white-box software source code security testing tool.

Through its five built-in main analysis engines (data flow, semantic, structural, control flow, and configuration flow), it statically analyzes the application's source code; during the analysis it performs a thorough match and search against its proprietary set of software security vulnerability rules, so that the security vulnerabilities present in the source code are scanned out and compiled into a report.

How many languages can it scan?
Answer: Fortify SCA supports 21 languages:
1. (blank in the source)
2. (blank in the source)
3. C#.NET
4. ASP
5. VBScript
6. VB6
7. Java
8. JSP
9. JavaScript
10. HTML
11. XML
12. C/C++
13. PHP
14. T-SQL
15. PL/SQL
16. ActionScript
17. Objective-C (iPhone, 2012/5)
18. ColdFusion 5.0 (optional add-on)
19. Python (optional add-on)
20. COBOL (optional add-on)
21. SAP ABAP (optional add-on)

Is it free?
Answer: No, it is a paid product.

Of course, there is no cracked version online either.

It seems to cost 100,000 per month.

How to use it?
After installing Fortify, open the interface and choose Advanced Scan. It asks whether you want to update. I chose No, because this is my private copy; I bought it in July 2015 with a one-month trial period.

I was afraid that after updating it would no longer work.

If you have purchased it, you can choose Yes.

After making the selection, the following screen appears. Browse means: the path where the results are saved after scanning.

Then click Next.

Parameter descriptions:
enable clean: clears the results of the previous scan; unless you switch to a different build ID, the intermediate files may affect the next scan.

enable translation: translation, converts the source code into NST files.
-64: scans in 64-bit mode; SCA scans in 32-bit mode by default.

-Xmx4000m: 4000M is roughly 4G; specifies the amount of memory. -Xmx4G: the value can also be given in G. Adding this parameter is recommended.
-encoding: specifies the encoding. UTF-8 is the most complete; when the tool parses the code it is better to specify the character set conversion. Adding it is recommended; without it, Chinese comments will be garbled.

Fortify: Installation and Use


Preface: Fortify is an AST (Application Security Testing) product line whose portfolio includes Fortify Static Code Analyzer, a static code analyzer (SAST); Fortify WebInspect, dynamic application security testing software (DAST); Software Security Center (SSC); and Application Defender, runtime application self-protection (RASP).

Fortify provides static and dynamic testing technologies, as well as runtime application monitoring and protection.

To make security testing efficient, Fortify performs source code security analysis that can precisely locate the path through which a vulnerability arises, and scans at a speed of 10,000 lines per minute.

I. Download (Baidu Netdisk)
1. Extract the downloaded archive (the extracted contents are shown in the figure below).
2. Double-click Fortify_SCA_and_Apps_19.1.0_windows_x64.exe to start the installation.
3. The installation wizard appears; click Next.
4. Select "I accept the agreement" and click Next.
5. Choose an installation directory and click Next.
6. Select the modules to install and click Next.
7. Load the .license file from the Fortify package and click Next.
8. Set the update server and click Next.
9. On the SCA Migration page, select No and click Next.
10. On the Samples page, select Yes and click Next.
11. On the Ready to Install page, click Next.
12. Finish.

III. Use
1. Copy the rules from the installation package to the Core\config\rules folder under the installation directory.
2. Open Fortify in one of two ways:
   Method 1: go to the installation directory, open the bin folder, and double-click auditworkbench.cmd.
   Method 2: in the Windows Start menu, double-click Audit Workbench.
3. Select the directory containing the code to scan and run the scan.
4. Wait for the scan to complete.
5. Export the report.

Fortify on Demand 23.1 Product Description


Article: Fortify on Demand's Latest and Greatest
Fortify on Demand 23.1: Build Secure Software Fast

General Availability: Fortify on Demand 23.1 Release
We are excited to announce the general availability of our Fortify on Demand 23.1 by OpenText™ release! This new release showcases features that enhance the developer experience, automation processes, and reporting capabilities to allow our customers to reach increased productivity.

New Features and Improvements

Fortify Audit Assistant 2.0
Fortify on Demand has implemented Fortify Audit Assistant 2.0 (formerly Fortify Scan Analytics). Fortify Audit Assistant by OpenText™ predicts whether or not the issues returned in Fortify Static Code Analyzer by OpenText™ scan results represent true vulnerabilities. Fortify Audit Assistant 2.0 has improved prediction algorithms.
For 23.1, users have the option of enabling Fortify Audit Assistant 2.0 for existing releases. The setting cannot be reverted once it has been saved. Fortify Audit Assistant 2.0 is permanently enabled for new releases. For 23.2, Fortify Audit Assistant will be enabled for all releases.
Fortify Audit Assistant 2.0 is applied to both manual and automated audits. Issue suppressions by Fortify Audit Assistant 2.0 are logged to the issue history.

Debricked Integration Updates
The following updates have been made to the Debricked integration:
• The Vulnerability tab of the Issues page shows CVE published and updated dates. In addition, OWASP and PCI mappings have been updated to OWASP 2021 and PCI 4.0.
• The Open Source Components pages and the Recommendations tab on the Issues page show a link to a component's Open Source Select page. Open Source Select is Debricked's database of open source projects that are on GitHub.

Bulk Edit Issue Updates
The following updates have been made to improve bulk editing of issues with the same instance ID:
• On the Application Issues page, selecting an issue found in multiple releases now shows each issue as a separate item on the audit panel. Previously, the issues were shown as one group. Issues can be individually removed.
• On the Application Issues page, selecting a group now shows issues found in the same release as a separate group on the audit panel. Previously, issues from all releases were shown as one group. Release groups can be individually removed.
• Filtering by release has been added to the Application Issues page.
• Selecting issues on the Release Issues page now functions the same as selecting issues on the Application Issues page.
• Release, Attachment, and Scan Tool columns have been added to the Release Issues and Application Issues pages.
• The Issue ID column on the audit panel shows the link to the issue.

Comprehensive How-to Guides
The how-to link on the help menu now points to comprehensive how-to video guides. The how-to guides are part of the Fortify Digital Learning offerings and are publicly available.

Android 12 Support
Fortify on Demand now supports Android 12 for Mobile+ assessments.

Fortify on Demand Connect (Available Soon)
The Fortify on Demand Connect solution enables users to easily set up a site-to-site VPN for dynamic assessments of internally facing web applications. Mailing list subscribers will be notified once Fortify on Demand Connect is available. Upon availability, contact support if you are interested in trying out Fortify on Demand Connect.

API Updates
The following updates have been made to the Fortify on Demand API:
• The following endpoints have been added:
− GET /api/v3/tenant-open-source-entitlements (returns a list of active open source entitlements)
− GET /api/v3/releases/{releaseId}/dynamic-scans/scan-setup (returns a list of Fortify on Demand Connect networks)
• Fortify on Demand network detail has been added to GET /api/v3/releases/{releaseId}/dynamic-scans/scan-setup.
• The following endpoints have been updated in conjunction with the microservice attribute updates:
− GET /api/v3/attributes: returns microservice attributes
− GET /api/v3/applications/{applicationId}/microservices: returns microservice attribute values for each microservice
− POST /api/v3/applications/{applicationId}/microservices: specify microservice attribute values for a new microservice
− PUT /api/v3/applications/{applicationId}/microservices/{microserviceId}: update attribute values for the microservice
• The following endpoints have been updated in conjunction with adding user group descriptions:
− The description parameter has been added to POST /api/v3/user-management/user-groups for providing a description for a user group
− The user group description has been added to GET /api/v3/user-management/user-groups

Microservice Attribute Updates
Microservice attributes have been moved from the application level to the microservice level. In conjunction, the following updates have been made:
• Microservice attributes are associated with microservices in the application creation wizard and application settings.
• Reports display the microservice attribute values for the microservice associated with the release.
• Microservice name and microservice attributes have been added to the Executive Summary report module.
• Microservice attributes can be any data type.
• Users can filter applications by microservice attributes that are picklists.

Open Source Scan Portal Updates
The following updates have been made for viewing open source scans in the portal:
• The release Open Source Components page now shows only the vulnerabilities found in the release for a component. Previously, the page showed all vulnerabilities found for that component across all releases.
• Software Bills of Materials that contain components without a BOM-ref value can now be successfully imported and viewed in the portal.

Event Notifications Update
The following updates have been made to event notifications:
• Duplicate email notifications for certain events have been removed. Note: emails are always sent for scan canceled and scan paused events to the release owner and scan submitter.
• The Send Emails column has been added to the My Subscriptions and Global Subscription pages to show which triggers have email notifications enabled.
• Global and custom subscriptions are fully editable.
• Scan Canceled and Scan Paused triggers have the Send Emails option permanently enabled.

Add User Group Description
Descriptions can now be added to user groups.

Link to Copy State Source
Your Releases, Application Overview, and Release Overview pages now show a link to the source release for releases created using copy state.

Other Portal Updates
• Users can cancel long-running data exports.
• The Created By column on the Reports pages now shows the user who scheduled a report instead of the release owner.
• The Grouped By option has been removed from the Entitlements trending chart tile.
• Tenants that use Fortify Insight can contact support to have the Dashboard page include a link to their Fortify Insight instance.
• Your Applications, Your Releases, Application Overview, and Release Overview pages now show the open source scan status.

Engine and Rulepack Updates

Fortify Static Code Analyzer 22.2.x Support (February 2023)
Fortify on Demand has implemented Fortify Static Code Analyzer 22.2.0 and associated patches for scanning source code. Fortify Static Code Analyzer 22.2.x offers the following features:
Compiler updates:
• Clang 14.0.0
• Swiftc 5.7, 5.7.1
Language and framework updates:
• COBOL
− IBM Enterprise COBOL for z/OS 6.2 and 6.3
− Micro Focus Visual COBOL 7.0 and 8.0
• Apex 55
• Kotlin 1.6
• PHP 8.1
• TypeScript / JavaScript
− React 17.0
− React Native 0.68
− Vue 2

Fortify WebInspect 22.2.0 Support (February 2023)
Fortify on Demand has implemented Fortify WebInspect 22.2.0 for scanning web applications. Fortify WebInspect 22.2.0 offers the following features:
• GraphQL native support: Fortify WebInspect now supports scanning GraphQL natively. A Postman collection or workflow is no longer required to get a comprehensive GraphQL scan.
• Macro Engine 7.1: Fortify WebInspect provides a faster crawl and audit, and better application support from the Web Macro Recorder, with Macro Engine 7.1.

Fortify Software Security Content 2022 Update 4 Support (February 2023)
Fortify on Demand has implemented Fortify Software Security Content 2022 Update 4 from Fortify Software Security Research (SSR). For more information, see https:///cyberres/fortify/w/fortify-product-announcements/43722/cyberres-fortify-software-security-content-2022-update-4.

Learn more at /en-us/cyberres/application-security/fortify-on-demand

OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high-efficacy products, a compliant experience and simplified security to help manage business risk.
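The bulk-edit and copy-state changes above both key on the instance ID, the identifier Fortify assigns to a finding so that the same finding can be recognised from one scan to the next. As an added example (not Fortify on Demand code), the Python below reads the audit.fvdl inside two FPR archives, diffs the releases by InstanceID and carries the release 1.0 audit tags forward to the findings that persist, which is the operation a bulk edit by instance ID or a copy-state release performs server-side. The FPRs are built in memory from a minimal constructed FVDL whose element names (Vulnerability, ClassInfo/Type, InstanceInfo/InstanceID, SourceLocation) follow real audit.fvdl files; verify them against one of your own before relying on the parser.

```python
"""Diff two Fortify FPR archives by InstanceID and carry audit decisions forward.

Added example; not Fortify's own code. An FPR is a ZIP archive whose audit.fvdl
member lists every finding with a stable InstanceID. The FVDL below is a
constructed, minimal document modelled on that layout (element names assumed
from real audit.fvdl files; check them against your own FPR before relying on it).
"""
import io
import zipfile
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace so parsing does not depend on the exact xmlns."""
    return tag.rsplit("}", 1)[-1]


def load_issues(fpr_bytes: bytes) -> dict:
    """Return {instance_id: {type, severity, path, line}} from audit.fvdl in an FPR."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        root = ET.fromstring(zf.read("audit.fvdl"))
    issues = {}
    for vuln in root.iter():
        if _local(vuln.tag) != "Vulnerability":
            continue
        fields = {}
        for el in vuln.iter():           # first occurrence wins: the primary node
            fields.setdefault(_local(el.tag), el)
        loc = fields.get("SourceLocation")
        issues[fields["InstanceID"].text] = {
            "type": fields["Type"].text,
            "severity": float(fields["InstanceSeverity"].text),
            "path": loc.get("path") if loc is not None else None,
            "line": int(loc.get("line")) if loc is not None else None,
        }
    return issues


def diff_releases(old: dict, new: dict) -> dict:
    """Classify findings across two scans by InstanceID."""
    return {
        "new": sorted(set(new) - set(old)),
        "fixed": sorted(set(old) - set(new)),
        "persistent": sorted(set(old) & set(new)),
    }


def carry_forward(decisions: dict, new: dict) -> dict:
    """Reuse a prior tag wherever the InstanceID persists; anything without one
    is left unreviewed, which is exactly the set a bulk edit then deals with."""
    return {iid: decisions.get(iid, "Unreviewed") for iid in new}


_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
<Vulnerabilities>{vulns}</Vulnerabilities>
</FVDL>"""

_VULN = """<Vulnerability>
<ClassInfo><Kingdom>Input Validation and Representation</Kingdom>
<Type>{type}</Type><AnalyzerName>dataflow</AnalyzerName></ClassInfo>
<InstanceInfo><InstanceID>{iid}</InstanceID><InstanceSeverity>{sev}</InstanceSeverity>
<Confidence>5.0</Confidence></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">
<SourceLocation path="{path}" line="{line}" lineEnd="{line}" colStart="0" colEnd="0"/>
</Node></Entry></Primary></Trace></Unified></AnalysisInfo>
</Vulnerability>"""


def make_fpr(findings) -> bytes:
    """Build an in-memory FPR (constructed test data) from (iid, type, sev, path, line)."""
    vulns = "".join(_VULN.format(iid=i, type=t, sev=s, path=p, line=l)
                    for i, t, s, p, l in findings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", _FVDL.format(vulns=vulns))
    return buf.getvalue()


# Constructed sample: two releases of one application. Instance IDs are made up.
RELEASE_1_0 = make_fpr([
    ("AAA111", "SQL Injection", "4.0", "src/db.py", 42),
    ("BBB222", "Cross-Site Scripting: Reflected", "3.0", "src/views.py", 17),
    ("CCC333", "Password Management: Hardcoded Password", "2.0", "src/cfg.py", 3),
])
RELEASE_1_1 = make_fpr([
    ("AAA111", "SQL Injection", "4.0", "src/db.py", 42),
    ("CCC333", "Password Management: Hardcoded Password", "2.0", "src/cfg.py", 3),
    ("DDD444", "Path Manipulation", "3.0", "src/files.py", 88),
])
# Analysis tags recorded by auditors on release 1.0, keyed by InstanceID.
DECISIONS_1_0 = {"AAA111": "Exploitable", "BBB222": "Not an Issue", "CCC333": "Exploitable"}


def summarize() -> dict:
    old, new = load_issues(RELEASE_1_0), load_issues(RELEASE_1_1)
    return {"diff": diff_releases(old, new), "tags": carry_forward(DECISIONS_1_0, new)}


if __name__ == "__main__":
    print(summarize())
```

Running it reports BBB222 as fixed, DDD444 as new and AAA111/CCC333 as persistent with their 1.0 tags reapplied; DDD444 comes out Unreviewed, which is the state a human or Audit Assistant still has to resolve.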

Fortify Audit Assistant product overview and feature description

Data Sheet: Fortify Audit Assistant

Triaging and validating raw static analysis results is the most time-intensive process within application security testing. Fortify Audit Assistant leverages past audit decisions to power machine learning-assisted auditing, validating results immediately and dramatically reducing auditing effort.

Product Highlights

Current Challenges with Securing Applications
As the world becomes more connected than ever before, businesses rely heavily on applications to succeed. To meet business expectations, developers face tight deadlines and ambitious feature and functionality requirements. Software vulnerabilities are a serious problem, introduced by mistake, through poor software security practices, or intentionally by internal threat actors. One of the best methods to avoid negative impact is to develop code with quality and security in mind from the early phases of development.

Static Application Security Testing
Static application security testing (SAST) is a great method to ensure that code is being developed without security issues and that any such issues are fixed early in the development process. SAST provides the enterprise with the intelligence necessary to identify, monitor, and reduce the business risk from an application's source code, and provides recommendations to remediate issues. It has been widely recognised as a necessary component of securing the digital enterprise for nearly two decades.

Auditing SAST Results
SAST takes application source code or binaries and returns raw scan results (a set of potential issues), which are then audited by human auditors. Auditors validate and prioritise true positives, eliminate false positives (or "uninteresting findings", depending on context) and add additional insight to findings. Developers then receive the audited and validated list of issues to work on fixes.
Auditing raw static scan results is the most time-consuming and effort-intensive aspect of SAST and requires a skill set that is often difficult to find and keep. The results from a scan that takes minutes to run can take days or weeks for human auditors to review and validate. With traditional methods, auditing of raw scan results continues to be one of the significant bottlenecks for application security and makes it harder for security teams to deliver on the speed requirements of developers. Combined with the skills shortage in application security, auditing raw scan results can become a challenge for organisations, especially those running application security programmes at scale. Human auditors are typically a resource that is very difficult to scale, and Fortify Audit Assistant is ready for the challenge.

Leveraging Machine Learning for Auditing
Fortify has been the industry leader in static application security testing for over a decade and is no stranger to the problems above. In addition to continuous customer feedback, we operate our very own application-security-as-a-service offering (Fortify on Demand), running thousands of static, dynamic and mobile scans per week and scanning billions of lines of code. The static application security testing service of Fortify on Demand takes customer application source code or binaries and runs scans, then passes the raw scan results to a team of expert auditors who are subject matter experts. Auditors point out and prioritise the noteworthy findings while removing the noise from the results. Consequently, Fortify on Demand customers receive actionable results and can focus primarily on fixing these issues.
Over the years, Fortify developed machine learning algorithms which feed off the hundreds of millions of anonymised audit decisions from Fortify on Demand experts. These decision models have been tested and verified to provide up to 98% accuracy, in addition to being actively used and developed for Fortify on Demand. These expert decisions can now be automatically applied to Fortify Static Code Analyzer results by using Audit Assistant.

How Does Audit Assistant Work?
Audit Assistant leverages the knowledge and experience of these previous audit decisions and applies them to scan results with similar patterns. The audit decision model offers immediate value as shipped and can be customised for organisational preferences and context. Customers can also opt to create their own audit decision models and leverage their previous audit decisions to do so.
Audit Assistant integrates with Software Security Center (SSC), and customers can opt to auto-apply analysis tags or review the automated audit decisions before applying them in their environments. It is available as a cloud-hosted service offering or as an on-premise installation. Audit Assistant validates raw static scan results immediately and reduces manual audit effort.

Key Benefits
• Get immediate and actionable results to developers
• Reduce manual audit time and effort by up to 30%
• Identify and prioritise high-impact issues (with up to 98% accuracy)
• Remove up to 90% of false positives

Key Features
• Start getting audit results in minutes by using Fortify on Demand's dataset of subject matter experts' audit decisions
• Start as a service in minutes: with no local installation, configure SSC and get audit results
• Deploy on-premise for isolated networks
• Create and train your own classifiers and policies for your organisation's unique auditing context
• Benefit from up to 98% audit decision accuracy from the start, and continuously improve the accuracy through feedback

Learn more at /appsecurity
Whitepaper: Increase Efficiency with Automated Auditing of Static Scans with Fortify
Contact us at
760-A40029-001 | M | 07/21 | © 2021 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.
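The datasheet describes the workflow but not the model. As an added illustration (not Audit Assistant's algorithm, models or data), the Python below sketches that workflow end to end: prior audit decisions form the training set, each new finding is compared with them on a few structural features, a tag is applied automatically only at or above a confidence threshold, and every automated decision is written to an issue history so a reviewer can see what was done and why. The feature set, the weights, the past decisions and the new findings are all constructed for the example; the point is the decision policy, in particular that a finding with an unseen source or category gets low confidence and goes to a human rather than inheriting a tag from a near miss.

```python
"""Toy machine-learning-assisted triage of SAST findings from past audit decisions.

Added illustration; not Audit Assistant's algorithm, models or data. It shows
the shape of the approach: prior audit decisions are the training set, each new
finding is scored against them on a few structural features, a tag is applied
automatically only above a confidence threshold, and every automated action is
written to an issue history. Features, weights, decisions and findings below
are all constructed.
"""
from collections import Counter

FEATURES = ("category", "analyzer", "source", "sink", "sanitized")
# Heavier weight on the features that usually decide exploitability.
WEIGHTS = {"category": 3.0, "analyzer": 1.0, "source": 2.0, "sink": 2.0, "sanitized": 2.0}

# Constructed prior human decisions: (finding features, analysis tag).
PAST_DECISIONS = [
    ({"category": "SQL Injection", "analyzer": "dataflow", "source": "http.param",
      "sink": "db.execute", "sanitized": False}, "Exploitable"),
    ({"category": "SQL Injection", "analyzer": "dataflow", "source": "http.param",
      "sink": "db.execute", "sanitized": True}, "Not an Issue"),
    ({"category": "SQL Injection", "analyzer": "dataflow", "source": "config.file",
      "sink": "db.execute", "sanitized": False}, "Not an Issue"),
    ({"category": "Path Manipulation", "analyzer": "dataflow", "source": "http.param",
      "sink": "open", "sanitized": False}, "Exploitable"),
    ({"category": "Path Manipulation", "analyzer": "dataflow", "source": "http.param",
      "sink": "open", "sanitized": True}, "Not an Issue"),
    ({"category": "Dead Code", "analyzer": "structural", "source": None,
      "sink": None, "sanitized": False}, "Not an Issue"),
]


def similarity(a: dict, b: dict) -> float:
    """Weighted fraction of features on which two findings agree, in [0, 1]."""
    matched = sum(WEIGHTS[f] for f in FEATURES if a.get(f) == b.get(f))
    return matched / sum(WEIGHTS.values())


def predict(finding: dict, past=PAST_DECISIONS):
    """Tag from the closest prior decisions; confidence = closeness x agreement.

    Only the decisions tied at the highest similarity vote, so one exact match
    outranks several near misses, and a split vote among near misses (for
    example a source type never audited before) yields low confidence."""
    scored = [(similarity(finding, feats), tag) for feats, tag in past]
    best = max(sim for sim, _ in scored)
    votes = Counter(tag for sim, tag in scored if sim == best)
    tag, count = votes.most_common(1)[0]
    return tag, best * count / sum(votes.values())


def triage(findings: dict, threshold: float = 0.9):
    """Auto-apply a tag only at or above threshold; otherwise queue for a human.
    Returns (tags by finding id, issue-history lines)."""
    tags, history = {}, []
    for fid, feats in findings.items():
        tag, conf = predict(feats)
        if conf >= threshold:
            tags[fid] = tag
            history.append(f"{fid}: {tag} auto-applied (confidence {conf:.2f})")
        else:
            tags[fid] = "Needs Review"
            history.append(f"{fid}: queued for review (best guess {tag}, confidence {conf:.2f})")
    return tags, history


# Constructed findings from a new scan.
NEW_FINDINGS = {
    "F1": {"category": "SQL Injection", "analyzer": "dataflow", "source": "http.param",
           "sink": "db.execute", "sanitized": False},        # exact prior match
    "F2": {"category": "SQL Injection", "analyzer": "dataflow", "source": "http.param",
           "sink": "db.execute", "sanitized": True},         # exact prior match
    "F3": {"category": "SQL Injection", "analyzer": "dataflow", "source": "http.header",
           "sink": "db.execute", "sanitized": False},        # unseen source: split vote
    "F4": {"category": "Cross-Site Scripting", "analyzer": "dataflow", "source": "http.param",
           "sink": "response.write", "sanitized": False},    # unseen category
    "F5": {"category": "Dead Code", "analyzer": "structural", "source": None,
           "sink": None, "sanitized": False},                # exact prior match
}

if __name__ == "__main__":
    for line in triage(NEW_FINDINGS)[1]:
        print(line)
```

With the threshold at 0.9, F1, F2 and F5 are tagged automatically from exact prior matches, while F3 (a source never audited before, with prior decisions split between Exploitable and Not an Issue) and F4 (a category with no prior decisions) are queued for a reviewer. In a real deployment the threshold is the knob that trades auditor time against the risk of suppressing a true positive, and the history lines are what lets that trade-off be audited later.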

"Fortify Audit Assistant" (福斯特审计之友) risk assessment process
"Fortify Audit Assistant" (福斯特审计之友) risk assessment is a risk management method: it evaluates the organisation's internal and external environment in full to determine which risks exist and what their potential impact is, and then applies the corresponding management and control measures.

The assessment proceeds as follows:
1. Define the assessment objectives: make the purpose and scope of the assessment explicit, and decide which types of risk are in scope and how important each is.

2. Collect information: gather the relevant internal and external information, including the organisation's business model, strategic goals, organisational structure and operating processes.

3. Identify risks: through analysis and discussion, identify the risks that could have a negative effect on achieving the organisation's objectives.

4. Assess risks: rate each identified risk by its likelihood and the severity of its impact to establish how important it is to the organisation.

5. Prioritise: rank the risks by the assessment results to decide which need attention and management first.

6. Define a risk management strategy: based on risk priority and the organisation's resource constraints, choose a strategy for each risk, whether avoidance, mitigation, transfer or acceptance.

7. Implement controls: derive control measures from the strategy and make sure they are put into effect.

8. Monitor and reassess: track and evaluate the controls in place, adjusting and improving them promptly so that risk management stays effective.

Note that the exact process may differ with the organisation's characteristics and goals; the steps above are for reference only.

In practice, a "Fortify Audit Assistant" risk assessment usually combines several methods and tools to make sure risks are assessed and managed comprehensively and rigorously.


"Business Software Assurance": Protecting your Digital Assets!
Introducing Business Software Assurance
Presenter: Justin Derry (Practice Director, Asia Pacific, Fortify)

Who am I?
• Developing applications for 15+ years
• White-hat hacking of applications for 12+ years
• Spent time as an IT admin and in security
• OWASP Brisbane Chapter Leader
• OWASP XML Interceptor tool lead
• OWASP Asia Pacific Conference Chair 08/09

The "Case" for Application Security

Digital Assets & Network Protection
Customer data, intellectual property, corporate data, trade secrets, business processes

Exposing your Digital Assets
Firewall, web services, partners, outsourcers

Making the Case
• The risk of a major data breach has increased 146% since 2001
• The cost of a data breach could be $11 million US [1]
• A breach will cost more than protecting against the attack
• Attacks are focused at the application layer (>76%, Gartner)
• NIST: 92% of vulnerabilities are in application code
• It's not all about SQL injection and cross-site scripting
• False sense of security: existing security gates don't protect you
[1] Hertz, August 2008

Vulnerability Statistics
• 143,757,645: number of "records" reported compromised since Feb 2005
• +106%: reported breaches due to third parties such as outsourcers, contractors and consultants, since 2006
• 45%: infosec respondents that did not know what types of attacks had occurred on their systems (Source: CIO-PWC Survey 2007)
• 40%: infosec respondents that did not know the number of security incidents experienced in 2007 (Source: CIO-PWC Survey 2007)

The attacks have changed
Recently at BlackHat 2008 a presentation, "Get Rich or Die Trying" (Jeremiah Grossman, Trey Ford, WhiteHat Security Inc), disclosed:
• Cookie stuffing (online affiliate scams)
• Authorization exploits in applications
• Unauthorized disclosure of sensitive information (markets)
• "Buy" unlocking of online accounts/passwords (as low as $29 USD)
• Security controls that are built aren't secure (e.g. lost-password security question challenges)
Do you see SQL injection or cross-site scripting in this list?

Are you sure this is real?
Affiliate scams: they go undetected by the normal user, but behind the scenes hackers and companies collect thousands of dollars.
Hacking for a fee! Hacking for a (small) fee: online services provide a facility to request password recovery of accounts, or to gain access to services.

Lessons learnt from 2007-2008
• Lesson #1: Whatever we are doing now, it's not working, because the vulnerabilities aren't going away!
• Lesson #2: The landscape and attack vectors change very quickly; some defensive techniques can't keep up.
• Lesson #3: Percentage likelihood that a particular web site has a vulnerability (2008). [Chart: Jeremiah Grossman, Trey Ford, BlackHat 2008 presentation]
• Lesson #4: Business logic exploits and direct application attacks.

Attack History
• 2008: Network protocols (DNS/TCP-IP) attacked
• 2004: Increase in application-style attacks (SQL injection, XSS etc.)
• 2000: Internet browsers & social engineering
• 1997: Increase in Internet protocol attacks, mail bombs, SPAM etc.
• 1994

The "Business Software Assurance" Approach
What is Business Software Assurance? It's NOT just a tool to install and flick a switch!

Business Software Assurance: Importance
Four pillars: Industry Technical Guidance; Education, Training, Awareness; Security Testing, Assessment, Products & Automation; Business Threat-Risk & Process Policy

Business Software Assurance "Sources"
• Industry Technical Guidance: OWASP, WASC, NIST etc.
• Education, Training, Awareness: secure coding awareness
• Security Testing, Assessment, Products & Automation: static & dynamic analysis
• Business Threat-Risk & Process Policy: threat-risk policies, SAMM

Software Assurance Maturity Model (SAMM): "Business Strategy"
Goals and purpose of SAMM:
• To define building blocks for an assurance program
• To allow organizations to create customized roadmaps
• To provide sample roadmaps for common types of organizations
Simple, well-defined, measurable

Four high-level Disciplines
All security-related activities are mapped under 4 Disciplines, each representing a group of related business functions:
• Alignment & Governance: activities related to security program management and cross-cutting organizational concerns
• Requirements & Design: activities related to the product conception and software design processes
• Verification & Assessment: activities related to reviewing, testing, and validating software
• Deployment & Operations: activities related to knowledge transfer and maintenance of running software

What's under each Discipline?
• The 4 Disciplines are high-level categories for activities
• Three security Functions under each Discipline are the specific silos for improvement within an organization, with three levels associated with each

What's under each Function?
• Three successive Objectives under each Function define how that Function can be improved over time; this establishes the notion of a "level" at which an organization fulfils a given Function
• The three Objectives for a Function generally correspond to:
  0: Implicit starting point with the Function unfulfilled
  1: Initial understanding and ad hoc provision of the Function
  2: Increased efficiency and/or effectiveness of the Function
  3: Comprehensive mastery of the Function at scale
• Each Objective defines: activities that must be performed; success metrics; required personnel; associated costs; benefits for the organization

Download Online Today
You can download the Maturity Model online or find out more.

Making it work in my Organization!
Initial Steps
• Short-term strategy: identify your organization's maturity level (gap assessment); define business objectives; prepare a strategy for implementing application security
• Medium-term strategy: start the program with education & awareness; automation tools may help you get started with vulnerable code; consider this a long-term strategy (i.e. 12 months+)

Pulling it all together and making it work!
Automation products, industry guidance, policies & process, software development, SECURE software delivery, education & awareness, threat modelling

Final Thoughts
• Solving application security requires people, process & technology, not just a product
• Attack vectors are changing; your applications need to defend against these new types of exploits
• Use supporting business process to implement effective application security controls
• Visit:
• Email me: jderry@
