Cybersecurity
DevOps Cloud
IT Operations Cloud
What’s New in Micro Focus Fortify
Software 21.1.0
July 2021
We are excited to announce the general availability of our Micro Focus Fortify 21.1.0 release! With enhanced offerings to increase speed, accuracy, scalability, and ease of use, this marks an important chapter in Fortify’s elevation of application security. This release contains updates to Fortify Static Code Analyzer, Fortify WebInspect, Fortify Software Security Center, and Fortify Software Composition Analysis.
This release of Micro Focus Fortify Software includes the following new functions and features.
Micro Focus Fortify Software Security Center
The following features have been added to Fortify Software Security Center.
Oracle: JDBC Driver Requirement
If you use Oracle as your Fortify Software Security Center database, you no longer need to manually add the JDBC driver. The installer now includes the JDBC Thin Driver (ojdbc8.jar).
Autoconfigure Update
You no longer need to provide db.driver.class, db.dialect, or db.like.specialCharacters to deploy SSC using autoconfiguration (<app_context>.autoconfig file). Deployment works for all databases if you provide values for db.username, db.password, and jdbc.url only.
Required Attribute Alert
If an administrator creates a new required attribute, Fortify Software Security Center alerts you to the addition so that you can specify a value for it in an application version.
Export Open Source Results
You can now export your open source data to a comma-separated file.
DENY Button for Artifacts
There is now a DENY button for artifacts that require approval but were uploaded by mistake. The denied results will not be merged with the application version but can be retained as part of the record.
New Reports
The premium report bundle now includes three new issue reports:
StartTLS Support for LDAP
StartTLS is now supported as a connection method to LDAP servers.
Enhanced Issue Filtering
Issue filtering from the OVERVIEW and AUDIT pages now includes enhancements. You can now filter issues based on their category.
Kubernetes Support
Service Integrations Support
Micro Focus Fortify ScanCentral SAST
Improved Job Processing Messages
Previously, when a job was assigned to a sensor, the Controller sent the email message "ScanCentral job request accepted." After the job was completed, the Controller sent the email message "ScanCentral job completed."
Now, when the Controller accepts a job, it sends the email message "ScanCentral job request accepted." After the job is assigned to a sensor, the Controller sends the email message "ScanCentral job request assigned." Finally, after the job is completed, the Controller sends the email message "ScanCentral job completed."
New -debug Option
The -debug option, which enables debug logging on clients and sensors, was added in this release.
-upload Option Required for Scans When Fortify Software Security Center is in Lockdown Mode
Previously, if Fortify Software Security Center was in lockdown mode, you could run a scan even if you failed to specify the -upload option in the ScanCentral command. The results shown for the scan on the SCANCENTRAL > SAST tab in Fortify Software Security Center left out the application version and the scan was not uploaded. Now, if Fortify Software Security Center is in lockdown mode, and you try to start a scan without using the -upload option, client execution fails with an error.
Improved Sensor Cleanup
Now, the clean-up process on a sensor machine invokes the sourceanalyzer -clean command to remove Fortify Static Code Analyzer internal files related to the job.
Maven Remote Translation
You can now specify custom settings files for Maven remote translation.
New Email Properties
Two new properties in the config.properties file allow you to specify which outgoing email domains to use for outgoing emails and which domains are disallowed.
Micro Focus Fortify Static Code Analyzer
The following features have been added to Fortify Static Code Analyzer.
.NET
Added support for the following languages and frameworks:
To improve MSBuild integration, the custom msbuild executable and its assemblies were replaced by a Fortify-specific .targets file and task assemblies. These changes favorably impact translations under MSBuild Integration performed by the system’s MSBuild tool.
MSBuild Support Update
Added support for version 16.8 and 16.9.
Go
Java
JavaScript
Added support for the following languages and frameworks:
Kotlin
Added support for Kotlin 1.4.20.
PHP
Added support for PHP 7.2, 7.3, 7.4, and 8.0.
Python
Added support for the following languages and frameworks:
Swift/Obj-C
Added support for Xcode 12.4.
Operating Systems (Linux)
Added support for the following Linux servers:
Micro Focus Visual COBOL (Technology Preview)
Added support for Micro Focus Visual COBOL 6.0.
C/C++ (Technology Preview)
Improved support for constructs in C++11 using new Clang-based translation.
Speed Dial (Technology Preview)
Micro Focus Fortify Static Code Analyzer Tools
The following features have been added to Fortify Static Code Analyzer Tools.
ScanCentral SAST Support in Secure Code Plugins
Java 11 Runtime Support
Syntax Highlighting for Additional Languages in Audit Workbench
Improved Merge Behavior in Visual Studio Extension
New Versions of Reports
These can be generated from Fortify Audit Workbench, the secure code plugins, and the BIRTReportGenerator command-line interface.
Updated IDE Support
Service Integrations
Micro Focus Fortify ScanCentral DAST
The following features have been added to Fortify ScanCentral DAST.
Functional Application Security Testing (FAST)
FAST provides a CI/CD-friendly way to capture traffic from functional tests and send it to ScanCentral DAST for targeted DAST scanning.
API Scanning with Postman
In 21.1.0, ScanCentral DAST continues to simplify API scanning with its Postman integration. A new workflow in the WebInspect sensor automatically detects the authentication requests and excludes them from attack by default. There are also improvements to Oauth2.0 support.
Hacker Level Insights
Hacker Level Insights is a new framework that exposes those insights about an application that are interesting from a security perspective, but not necessarily a vulnerability. Detection of JavaScript client-side frameworks is included in 21.1.0.
Data Retention Policies
Configuring data retention policies at the application or scan level allows automatic purging of stale data to support ScanCentral DAST database maintenance and system performance in high usage environments.
Deny Intervals
ScanCentral DAST supports application and scan-level deny intervals when currently running scans are paused or forced to complete, and new scans do not start.
Base Settings
Base Settings provide ScanCentral DAST administrators the ability to apply scan setting templates across all applications or specific applications.
Policy Import
ScanCentral DAST supports using custom policies at both the application level and scan level.
Alerting
A messaging framework displays information about the quality and performance of scans in progress.
SiteExplorer Download
A link is provided in ScanCentral DAST to download SiteExplorer for visualization of a scan.
Horizontal Scaling (Technology Preview)
Horizontal scaling of sensor script engines provides dramatically faster scanning.
Micro Focus Fortify WebInspect
The following features have been added to Fortify WebInspect.
HTTP/2 Support
Modern applications have begun leveraging HTTP/2 to improve the user experience with improved speed and more efficient client/server communication. WebInspect now supports applications that use HTTP/2 technology.
API Scanning with Postman
WebInspect continues to simplify API scanning with its Postman integration. A new workflow in the sensor automatically detects the authentication requests and excludes them from attack by default. There are also improvements to Oauth2.0 support.
Hacker Level Insights
Hacker Level Insights is a new framework that exposes those insights about an application that are interesting from a security perspective but may not necessarily be a vulnerability. Detection of JavaScript client-side frameworks is included in 21.1.0.
Engine 6.0 Updates
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect 21.1.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.0.
Masked Parameters in TruClient
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password to be masked so they are hidden from view.
Simplified User Agent Selection
Selection of a User Agent in settings during scan configuration is now applied to both TruClient macros and the scan settings.
Alerting
Alert-level scan log messages provide information about the quality and performance of scans in progress.
OpenSSL
The OpenSSL technical preview is now the default SSL/TLS implementation in WebInspect. This integration provides support for TLS 1.3, and provides an option for customers whose system administrators may be restricting the Microsoft SCHANNEL stack.
Micro Focus Fortify WebInspect Enterprise
The following features have been added to Fortify WebInspect Enterprise.
Engine 6.0 Updates
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect 21.1.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.0.
Masked Parameter in TruClient
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password to be masked so they are hidden from view.
Simplified User Agent Selection
Selection of a User Agent in Advanced Settings during scan configuration are now applied to both TruClient macros and the scan settings.
Contact Micro Focus Fortify Customer Support
If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://www.microfocus.com/support
For More Information
For more information about Fortify software products: https://www.microfocus.com/solutions/application-security