HP Fortify Help


vadukunnantha_vaduko

@Spartan

There is a requirement: DevOps with Fortify. I need to have some knowledge about Fortify.

I watched videos on YouTube, but I could not understand whether the tool is used on its own or whether it has to be automated with something else.

Please share a bit of your experience, brother, and if there are any source videos, please share the links.

 

Thanks


Just now, vadukunnantha_vaduko said:


Fortify is used as a code scanner, mainly for C# projects.

I'll describe an example usage.

Let's say your source code is in Git.

And you need to scan the code and project for every check-in on the Git repo.

So you set up a Jenkins job to trigger the build and scan of that repo.

The scanner will be installed on the slave machines of the Jenkins cluster.

After the scan, the tool uploads the report to the Fortify site.

In Fortify you can view the latest report, with any security code threats categorised according to threat level.

Both the tool and the report show the code, the exact line, and how to remediate such threats.

Then you can alert the developer to fix the code, or close it if it is a false alarm.

Drawback: it checks only C# and .NET code.

If you want .NET Core, you need to use Checkmarx or some other scanner.

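The gating step of the Jenkins job described above, as an added example that is not from this post and not Fortify's own tooling: after the `sourceanalyzer -scan` step has written the .fpr and before it is uploaded, the job opens the .fpr (a zip), reads the audit.fvdl inside it, buckets each finding, skips instance IDs a human has already closed as false positives, and fails the build if anything serious remains. Assumptions: the FVDL element names and namespace used here are a simplified subset of what SCA writes, the sample findings are constructed, the severity/confidence bucketing is this example's own stand-in for Fortify's Priority Order, and the list of closed IDs is handed to the job rather than read from the audit data.

```python
"""Added example: gate a Jenkins job on a Fortify .fpr (not Fortify's code).

Reads audit.fvdl out of the .fpr zip, buckets findings, skips IDs already
closed as false positives, and reports whether the build should fail. The
FVDL layout is an assumed, simplified subset; the sample data is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import quoteattr

NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}  # assumed FVDL namespace

def _vuln(cid, vtype, iid, sev, conf, path, line, snippet):
    """One constructed <Vulnerability> element in the assumed FVDL shape."""
    return (f"<Vulnerability><ClassInfo><ClassID>{cid}</ClassID><Type>{vtype}</Type></ClassInfo>"
            f"<InstanceInfo><InstanceID>{iid}</InstanceID><InstanceSeverity>{sev}</InstanceSeverity>"
            f"<Confidence>{conf}</Confidence></InstanceInfo><AnalysisInfo><Unified><Trace><Primary>"
            f'<Entry><Node isDefault="true"><SourceLocation path="{path}" line="{line}" '
            f"snippet={quoteattr(snippet)}/></Node></Entry></Primary></Trace></Unified>"
            f"</AnalysisInfo></Vulnerability>\n")

SAMPLE_FVDL = (  # constructed sample, not real scanner output
    '<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"><Vulnerabilities>\n'
    + _vuln("C-SQLI", "SQL Injection", "INST-0001", 4.0, 5.0, "Web/UserController.cs", 42,
            "cmd.CommandText = \"SELECT * FROM Users WHERE Name='\" + name + \"'\";")
    + _vuln("C-PATH", "Path Manipulation", "INST-0002", 3.0, 2.5, "Web/FileController.cs", 17,
            "var full = Path.Combine(root, Request[\"name\"]);")
    + _vuln("C-LOG", "Log Forging", "INST-0003", 2.0, 5.0, "Web/Audit.cs", 9,
            "log.Info(\"login \" + user);")
    + "</Vulnerabilities>\n"
    '<Description classID="C-SQLI"><Recommendations>Use parameterized queries.</Recommendations></Description>\n'
    '<Description classID="C-PATH"><Recommendations>Canonicalize the path and check it stays under the root.</Recommendations></Description>\n'
    '<Description classID="C-LOG"><Recommendations>Strip CR and LF from user data before logging.</Recommendations></Description>\n'
    "</FVDL>\n"
)

@dataclass(frozen=True)
class Finding:
    instance_id: str
    category: str
    severity: float
    confidence: float
    path: str
    line: int
    snippet: str
    recommendation: str

def parse_fvdl(xml_text: str) -> list[Finding]:
    """Pull one Finding per <Vulnerability>, located at its default trace node (the sink)."""
    root = ET.fromstring(xml_text)
    advice = {d.get("classID"): d.findtext("f:Recommendations", "", NS).strip()
              for d in root.iterfind("f:Description", NS)}
    findings = []
    for v in root.iterfind("f:Vulnerabilities/f:Vulnerability", NS):
        nodes = list(v.iterfind(".//f:Node", NS))
        node = next((n for n in nodes if n.get("isDefault") == "true"), nodes[0])
        loc = node.find("f:SourceLocation", NS)
        findings.append(Finding(
            instance_id=v.findtext("f:InstanceInfo/f:InstanceID", "", NS),
            category=v.findtext("f:ClassInfo/f:Type", "", NS),
            severity=float(v.findtext("f:InstanceInfo/f:InstanceSeverity", "0", NS)),
            confidence=float(v.findtext("f:InstanceInfo/f:Confidence", "0", NS)),
            path=loc.get("path", ""), line=int(loc.get("line", "0")),
            snippet=loc.get("snippet", ""),
            recommendation=advice.get(v.findtext("f:ClassInfo/f:ClassID", "", NS), "")))
    return findings

def build_sample_fpr() -> bytes:
    """An .fpr is a zip; the scan results live in audit.fvdl inside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("audit.fvdl", SAMPLE_FVDL)
    return buf.getvalue()

def read_fpr(data: bytes) -> list[Finding]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return parse_fvdl(z.read("audit.fvdl").decode("utf-8"))

def priority(f: Finding) -> str:
    """This example's own bucketing of severity/confidence, a stand-in for
    Fortify's Priority Order rather than a reimplementation of it."""
    if f.severity >= 4.0 and f.confidence >= 3.0:
        return "Critical"
    if f.severity >= 4.0 or (f.severity >= 3.0 and f.confidence >= 4.0):
        return "High"
    return "Medium" if f.severity >= 3.0 else "Low"

def gate(findings, suppressed_ids=frozenset(), block_on=("Critical", "High")) -> dict:
    """Count findings per bucket; anything in block_on that a human has not
    closed as a false positive (suppressed_ids) fails the build."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    blocking, skipped = [], 0
    for f in findings:
        if f.instance_id in suppressed_ids:
            skipped += 1
            continue
        p = priority(f)
        counts[p] += 1
        if p in block_on:
            blocking.append(f)
    return {"blocking": blocking, "counts": counts, "suppressed": skipped, "fail": bool(blocking)}

def report_lines(result: dict) -> list[str]:
    """What the developer gets: file, exact line, category and the recommended fix."""
    lines = [f"{p}: {n}" for p, n in result["counts"].items()] + [f"suppressed: {result['suppressed']}"]
    for f in result["blocking"]:
        lines.append(f"{f.path}:{f.line} [{priority(f)}] {f.category} -> {f.recommendation}")
    return lines
```

In the job, `read_fpr` would be given the real results file and `gate` the set of instance IDs already closed as not-an-issue; printing `report_lines` and exiting non-zero when `result["fail"]` is true is what turns the scan into a build breaker. With the constructed sample and INST-0003 closed, the SQL Injection at Web/UserController.cs:42 is the one blocking finding.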

1 hour ago, Spartan said:


You're awesome, brother.

Do you work only on Microsoft technologies, or Java also?


2 hours ago, Spartan said:


Are you sure it only checks C# or .NET? Their website claims Fortify can scan 23 different languages, including Java.

We are also looking into some SAST tools, and Fortify is one of them; the other contenders for us are SonarQube and Veracode. Our developers use FindBugs, though not at their local level. We will be setting up Jenkins SAST tool scanning soon.


12 minutes ago, masakali said:


They do multiple languages,

but the issue with code on non-Microsoft platforms is that Fortify generates lots of false positive alarms, which is a pain to check through every time.

But for C# and .NET the percentage of false positives is very low.

That's why we moved to other sources for other platforms.


59 minutes ago, bhaigan said:


I don't know, man. Work has been like a mixed fruit juice for the last 2 years or so.


11 minutes ago, Spartan said:


OK, cool. We are a Java shop, so most likely we are signing with Veracode.
