Fortify on Demand

Discover how Fortify on Demand enhances application security through efficient cloud-based testing.

Introduction

In an era where software development is rapid and continuous, ensuring the security of applications is more critical than ever. Fortify on Demand (FoD) is a cloud-based application security testing (AST) service that empowers organizations to identify and mitigate security vulnerabilities throughout the software development lifecycle. For sysadmins and developers, integrating security testing into the development process is essential to reduce risks and enhance the overall security posture of applications before they go live.

What Is Fortify on Demand?

Fortify on Demand is a comprehensive application security testing solution that helps organizations evaluate the security of their applications. It provides tools to analyze code, identify vulnerabilities, and ensure compliance with security standards. By leveraging FoD, teams can perform security assessments via various methodologies, including static and dynamic testing, as well as software composition analysis, all while integrating seamlessly into existing development workflows.

How It Works

FoD operates on the principle of "shifting left", which involves incorporating security testing early in the development cycle rather than waiting until the deployment phase. This proactive approach allows developers to identify and fix vulnerabilities sooner, reducing the likelihood of security issues in production. Key components of FoD include:

  • Static Application Security Testing (SAST): This method analyzes source code and binaries without executing the program, identifying vulnerabilities such as injection flaws and insecure coding practices.
  • Dynamic Application Security Testing (DAST): DAST tests applications in a running state, simulating real-world attacks to uncover vulnerabilities that may appear only during execution, such as cross-site scripting.
  • Software Composition Analysis (SCA): SCA scans third-party libraries and dependencies for known vulnerabilities and ensures compliance with licensing requirements.
  • Continuous Integration/Continuous Deployment (CI/CD) Integration: FoD can be integrated into CI/CD pipelines, allowing for automated security scans with each build or deployment, thus enhancing security without slowing down development.

Prerequisites

Before getting started with Fortify on Demand, ensure you have the following:

  • A valid Fortify on Demand account
  • An API key generated from your account settings
  • curl or another HTTP client installed on your Linux machine
  • Basic knowledge of API interactions

Installation & Setup

To set up Fortify on Demand, follow these steps:

  1. Create an Account:
    • Sign up for a Fortify on Demand account if you do not already have one (see Prerequisites).
  2. API Key Setup:
    • After logging in, navigate to the API settings in your account to generate an API key. This key is used to authenticate every API request you send.
  3. Install Required Tools:
    • Ensure you have curl installed. If not, install it with the command for your distribution:
    # For Debian/Ubuntu
    sudo apt-get install curl

    # For RHEL/CentOS
    sudo yum install curl

Step-by-Step Guide

  1. Prepare Your Application:
    • Ensure your application's source code is ready, packaged in either a zip or tar format.
  2. Upload Your Application for SAST:
    • Use the following command to upload your application. Replace your_api_key with your actual API key and path/to/your/app.zip with the path to your application:
    curl -X POST "https://api.fortify.com/on-demand/api/v1/analyze" \
      -H "Authorization: Bearer your_api_key" \
      -F "file=@path/to/your/app.zip"
  3. Check the Status of the Scan:
    • After uploading, check the status of your scan using the project ID returned during the upload (replace project_id; the Authorization header is required on this request too):
    curl -X GET "https://api.fortify.com/on-demand/api/v1/analyze/project_id" \
      -H "Authorization: Bearer your_api_key"
  4. Retrieve Scan Results:
    • Once the scan is complete, retrieve the results with the following command (replace project_id with your actual project ID):
    curl -X GET "https://api.fortify.com/on-demand/api/v1/analyze/project_id/results" \
      -H "Authorization: Bearer your_api_key"

Real-World Examples

Example 1: Scanning a Web Application

You have a web application that you want to secure. Package your source code into a zip file and upload it to FoD using the commands provided above. After the scan, analyze the results to identify vulnerabilities such as SQL injection or cross-site scripting.

Example 2: Continuous Integration Pipeline

Integrate FoD into your CI/CD pipeline by adding a step that triggers a security scan after each build. Use the API commands to upload the latest build and check results automatically, ensuring that vulnerabilities are addressed before deployment.
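The three API calls from the step-by-step guide, wired together into the build-gating step that Example 2 describes, as an added example and not Fortify's own client. The endpoint path is the one used on this page; the JSON field names (project_id, status, issues[].severity), the FOD_API_KEY environment variable and the sample reply are assumptions.

```python
import json
import os
import subprocess
import sys
import time

# Endpoint path as written on this page; the field names used below are assumptions.
BASE_URL = "https://api.fortify.com/on-demand/api/v1/analyze"
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed sample reply in the assumed shape, so the gating logic can be exercised offline.
SAMPLE_RESULTS = {"issues": [{"severity": "Critical", "category": "SQL Injection"}, {"severity": "high"},
                             {"severity": "medium"}, {"severity": "low"}, {"severity": "info"}]}

def fod_api(api_key, *curl_args):
    """Run curl as the guide does (Bearer token header on every call) and parse the JSON reply."""
    cmd = ["curl", "-sSf", "-H", f"Authorization: Bearer {api_key}", *curl_args]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def upload_for_sast(api_key, archive_path):
    """Step 2: POST the zip/tar archive and return the project ID from the reply (assumed field)."""
    return fod_api(api_key, "-X", "POST", BASE_URL, "-F", f"file=@{archive_path}")["project_id"]

def wait_for_scan(api_key, project_id, poll_seconds=60, timeout_seconds=3600):
    """Step 3: poll the status endpoint until the scan has finished (assumed status values) or we give up."""
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        status = str(fod_api(api_key, f"{BASE_URL}/{project_id}").get("status", "")).lower()
        if status in ("completed", "failed"):
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {project_id} still running after {timeout_seconds}s")

def findings_at_or_above(results, min_severity):
    """Keep only the issues at or above the severity that should block a deployment."""
    floor = SEVERITY_RANK[min_severity.lower()]
    return [i for i in results.get("issues", [])
            if SEVERITY_RANK.get(str(i.get("severity", "")).lower(), 0) >= floor]

def main(archive_path, min_severity="high"):
    """Upload, wait, fetch results (step 4) and return the CI exit code: 1 blocks the deploy."""
    api_key = os.environ["FOD_API_KEY"]  # keep the key in a CI secret, never in the pipeline file
    project_id = upload_for_sast(api_key, archive_path)
    if wait_for_scan(api_key, project_id) != "completed":
        sys.exit(f"scan {project_id} did not complete")
    results = fod_api(api_key, f"{BASE_URL}/{project_id}/results")
    return 1 if findings_at_or_above(results, min_severity) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1], *sys.argv[2:3]))
```

Run it as the post-build step with the archive path (and optionally the blocking severity) as arguments; a non-zero exit stops the pipeline before deployment.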

Best Practices

  • Integrate Early: Incorporate FoD into your development process as early as possible to catch vulnerabilities sooner.
  • Automate Scans: Use CI/CD pipelines to automate security scans with every build, ensuring continuous security assessment.
  • Review Results Regularly: Make it a practice to review scan results and address vulnerabilities promptly.
  • Educate Your Team: Provide training for developers on secure coding practices and how to interpret FoD results.
  • Prioritize Vulnerabilities: Focus on fixing high-risk vulnerabilities first to reduce the most significant threats.
  • Maintain Dependencies: Regularly update third-party libraries and dependencies to minimize exposure to known vulnerabilities.

Common Issues & Fixes

  • API Key Authentication Error. Cause: invalid or expired API key. Fix: regenerate your API key in the account settings.
  • Upload Failure. Cause: incorrect file path or format. Fix: verify the file path and that the archive is a zip or tar file.
  • Slow Scan Results. Cause: large application size or complex code. Fix: optimize the code or split the application into smaller parts.
  • Missing Dependencies. Cause: third-party libraries not included in the scan. Fix: ensure all dependencies are packaged with the upload.

Key Takeaways

  • Fortify on Demand is a cloud-based application security testing service that helps identify vulnerabilities early in the development lifecycle.
  • The service utilizes SAST, DAST, and SCA methodologies to provide comprehensive security assessments.
  • Integrating FoD into your CI/CD pipeline enables automated security testing with every build.
  • Regularly reviewing scan results and prioritizing vulnerabilities is essential for maintaining application security.
  • Following best practices and addressing common issues will enhance the effectiveness of your security testing efforts.
