Integrating vulnerabilities into Application Security
Note: This topic applies only if Fortify WebInspect Enterprise is integrated with Application Security.
OpenText Application Security Center (Software Security Center) is a suite of tightly integrated solutions for identifying, prioritizing, and fixing security vulnerabilities in software. It stores static analysis scans from OpenText™ Static Application Security Testing and dynamic application security scans from OpenText DAST. Fortify WebInspect Enterprise provides a central location for managing multiple OpenText DAST scanners and correlating scan results that can be published directly to individual application versions within Application Security.
Fortify WebInspect Enterprise maintains a history of all vulnerabilities for a particular Application Security application version. After OpenText DAST conducts a scan, it synchronizes with Fortify WebInspect Enterprise to obtain that history, compares vulnerabilities in the scan with those in the history, and then assigns a status to each vulnerability. The statuses are described in the following table.
| Application Security Center Status | Description |
|---|---|
| New | A previously unreported issue. |
| Existing | A vulnerability in the scan that is already in the history. |
| Not Found | A vulnerability in the history that is not found in the scan. This can occur because (a) the vulnerability has been remediated and no longer exists, or (b) the latest scan used different settings, scanned a different portion of the site, or for some other reason did not discover the vulnerability. |
| Resolved | A vulnerability that a retest has confirmed is fixed. |
| Reintroduced | A vulnerability that appears in the current scan but was previously reported as "Resolved." |
| Still an Issue | A vulnerability that was "Not Found" in the current scan but that a retest has confirmed does, in fact, still exist. |
To change the Application Security status for an individual vulnerability, right-click a vulnerability on the Findings tab and select Modify Pending Status. This option appears only after connecting to Fortify WebInspect Enterprise and is enabled only after you have synchronized OpenText DAST with Application Security.
The following example demonstrates a hypothetical series of scans for integrating vulnerabilities into Application Security.
First scan
- Scan the target site with OpenText DAST. In this example, assume that only one vulnerability (Vuln A) is discovered.
- Examine the results. You can add screenshots and comments to vulnerabilities or mark vulnerabilities as false positive or ignored. You can also review, retest, and delete vulnerabilities.
- Synchronize the scan with an application version in Application Security, then publish the scan. Vuln A is marked "New," and one item exists in the Application Security system.
Second scan
- The second scan again reveals Vuln A and also discovers four more vulnerabilities (Vulns B, C, D, and E).
- Synchronize the scan with the application version in Application Security.
- Examine the results. Any audit data (such as comments and screenshots) that you added to Vuln A before publishing the first scan is imported into the new scan.
- Publish the scan to Application Security. Vuln A is marked "Existing," Vulns B through E are marked "New," and five items exist in the Application Security system.
Third scan
- The third scan discovers Vulns B, C, and D, but not Vuln A or Vuln E.
- Synchronize the scan with the application version in Application Security. Vulns A and E receive the pending status "Not Found."
- After retesting Vuln A, you determine that it does, in fact, still exist. You change its pending status to "Still an Issue."
- After retesting Vuln E, you determine that it no longer exists. You change its pending status to "Resolved."
- Publish the scan to Application Security. Vulns B, C, and D are marked "Existing," Vuln A is marked "Still an Issue," and Vuln E is marked "Resolved." Five items exist in the Application Security system.
Fourth scan
- The fourth scan does not find Vuln A or Vuln B. It does find Vulns C, D, E, and F.
- Synchronize the scan with the application version in Application Security.
- Vuln E was previously declared "Resolved," so its pending status is set to "Reintroduced." Vuln F, which has no entry in the history, is "New."
- Examine the vulnerabilities that were not found (A and B, in this example). If a retest shows that a vulnerability still exists, change its pending status to "Still an Issue." If a retest verifies that it no longer exists, change its pending status to "Resolved."
- Publish the scan to Application Security. Vulns C and D remain marked "Existing," Vuln E is marked "Reintroduced," and Vuln F is marked "New." Six items exist in the Application Security system.