Integrating Vulnerabilities into Fortify Software Security Center
Note: This topic applies only if Fortify WebInspect Enterprise is integrated with Fortify Software Security Center.
Fortify Software Security Center is a suite of tightly integrated solutions for identifying, prioritizing, and fixing security vulnerabilities in software. It uses Fortify Static Code Analyzer to conduct static analysis and Fortify WebInspect to conduct dynamic application security testing. Fortify WebInspect Enterprise provides a central location for managing multiple Fortify WebInspect scanners and correlating scan results that can be published directly to individual application versions within Fortify Software Security Center.
Fortify WebInspect Enterprise maintains a history of all vulnerabilities for a particular Fortify Software Security Center application version. After Fortify WebInspect conducts a scan, it synchronizes with Fortify WebInspect Enterprise to obtain that history, compares vulnerabilities in the scan with those in the history, and then assigns a status to each vulnerability. The statuses are described in the following table.
| Fortify Software Security Center Status | Description |
|---|---|
| New | A previously unreported issue. |
| Existing | A vulnerability in the scan that is already in the history. |
| Not Found | A vulnerability in the history that is not found in the scan. This can occur because (a) the vulnerability has been remediated and no longer exists, or (b) the latest scan used different settings, scanned a different portion of the site, or for some other reason did not discover the vulnerability. |
| Resolved | A vulnerability that has been fixed. |
| Reintroduced | A vulnerability that appears in a current scan but was previously reported as "Resolved." |
| Still an Issue | A vulnerability that was "Not Found" in the current scan but that, on retesting, does in fact still exist. |
To change the Fortify Software Security Center status for an individual vulnerability, right-click a vulnerability on the Findings tab and select Modify Pending Status. This option appears only after connecting to Fortify WebInspect Enterprise and is enabled only after you have synchronized Fortify WebInspect with Software Security Center.
The following example demonstrates a hypothetical series of scans for integrating vulnerabilities into Fortify Software Security Center.
First scan
- Scan the target site with Fortify WebInspect. In this example, assume that only one vulnerability (Vuln A) is discovered.
- Examine the results. You can add screenshots and comments to vulnerabilities or mark vulnerabilities as false positive or ignored. You can also review, retest, and delete vulnerabilities.
- Synchronize the scan with an application version in Fortify Software Security Center, then publish the scan.
Second scan
- The second scan again reveals Vuln A, but also discovers four more vulnerabilities (Vulns B, C, D, and E).
- Synchronize the scan with the application version in Fortify Software Security Center.
- Now examine the results. If you added audit data (such as comments and screenshots) to Vuln A when publishing the first scan, the data will be imported into the new scan.
- Publish the scan to Fortify Software Security Center. Vuln A will be marked "Existing," Vulns B-E will be marked "New," and five items will exist in the Fortify Software Security Center system.
Third scan
- The third scan discovers Vulns B, C, and D, but not Vuln A or Vuln E.
- Synchronize the scan with the application version in Fortify Software Security Center.
- After retesting Vuln A, you determine that it does, in fact, exist. You change its pending status to "Still an Issue."
- After retesting Vuln E, you determine that it does not exist. You change its pending status to "Resolved."
- Publish the scan to Fortify Software Security Center. Vulns B, C, and D will be marked "Existing." Five items will exist in the Fortify Software Security Center system.
Fourth scan
- The fourth scan does not find Vuln A or Vuln B. The scan does find Vulns C, D, E, and F.
- Synchronize the scan with the application version in Fortify Software Security Center.
- Vuln E was previously declared to be resolved, so its status is set to "Reintroduced."
- You examine the vulnerabilities that were not found (A and B, in this example). If you determine that the vulnerability still exists, update the pending status to "Still an Issue." If a retest verifies that the vulnerability does not exist, update the pending status to "Resolved."
- Publish the scan to Fortify Software Security Center. Vulns C and D remain marked "Existing."
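The following Python model replays the four hypothetical scans above and applies the status rules from the table. It is an added illustration, not Fortify's own code, and it assumes that a vulnerability recorded as "Resolved" and absent from the next scan simply stays "Resolved" (the text does not say what happens in that case).

```python
# Added example (not Fortify's own code): a model of the status assignment
# described above. Assumption: a vulnerability recorded as "Resolved" that is
# absent from the next scan stays "Resolved"; the text does not specify this.
from typing import Dict, Set

NEW, EXISTING, NOT_FOUND = "New", "Existing", "Not Found"
RESOLVED, REINTRODUCED, STILL_AN_ISSUE = "Resolved", "Reintroduced", "Still an Issue"

def synchronize(history: Dict[str, str], found: Set[str]) -> Dict[str, str]:
    """Compare a scan's findings with the application version's history and
    assign each vulnerability a status (the pending statuses before publishing)."""
    statuses: Dict[str, str] = {}
    for vuln in found:
        if vuln not in history:
            statuses[vuln] = NEW                      # previously unreported
        elif history[vuln] == RESOLVED:
            statuses[vuln] = REINTRODUCED             # fixed earlier, back again
        else:
            statuses[vuln] = EXISTING                 # already in the history
    for vuln, prior in history.items():
        if vuln not in found:
            # Assumption: resolved items stay resolved; everything else is Not Found
            statuses[vuln] = RESOLVED if prior == RESOLVED else NOT_FOUND
    return statuses

def set_pending_status(statuses: Dict[str, str], vuln: str, status: str) -> None:
    """Modify Pending Status: after retesting a Not Found item, the auditor
    marks it Still an Issue or Resolved. Other transitions are rejected."""
    if statuses.get(vuln) != NOT_FOUND or status not in (STILL_AN_ISSUE, RESOLVED):
        raise ValueError(f"cannot set {vuln!r} to {status!r}")
    statuses[vuln] = status

def publish(statuses: Dict[str, str]) -> Dict[str, str]:
    """Publishing records the assigned statuses as the new history."""
    return dict(statuses)

def run_walkthrough():
    """Replay the four hypothetical scans from the text (constructed input).
    Returns the history after the third scan and the statuses of the fourth."""
    history = publish(synchronize({}, {"A"}))                           # first scan
    history = publish(synchronize(history, {"A", "B", "C", "D", "E"}))  # second scan
    third = synchronize(history, {"B", "C", "D"})                       # third scan
    set_pending_status(third, "A", STILL_AN_ISSUE)
    set_pending_status(third, "E", RESOLVED)
    history = publish(third)
    fourth = synchronize(history, {"C", "D", "E", "F"})                 # fourth scan
    return history, fourth
```

Running `run_walkthrough()` reproduces the outcomes stated in the walkthrough: five items after the third scan, with Vuln E "Reintroduced", Vulns C and D "Existing", and Vuln F "New" in the fourth.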