What is FortiDevSec
FortiDevSec is a cloud-based automated application security tool that performs intensive and comprehensive scans for an accurate vulnerability assessment of your application. It integrates continuous application security testing into major DevOps Continuous Integration (CI)/Continuous Deployment (CD) environments, embedding itself into the process of developing and deploying applications to evaluate and detect security gaps that you can mitigate/remediate in the course of the Software Development Lifecycle (SDLC). The automated scanning process resides in your CI/CD pipeline and allows you to scan your applications without manual intervention and is completely non-intrusive with no disruptions to your setup. The easy-to-understand application security assessment approach of FortiDevSec allows you to build secure applications and involves a simple 3-step procedure that facilitates application scanning with minimal know-how of the application security domain.
FortiDevSec packages multiple security scanners into a single solution that includes source code scanners, run-time scanners, and open source component or third-party scanners. The FortiDevSec scanning process automatically determines the relevant scanner type(s) based on the application context and architecture. It uses Docker images with the latest version of those scanners and scans applications across multiple languages and frameworks. FortiDevSec provides zero effort deployment and saves you the overhead of installing and managing multiple scanners and plugging these into your setup individually.
The FortiDevSec application scanning is a simple procedure that includes creating a single unified configuration file and running the scan CLI. The fdevsec.yaml file integrates basic and advanced configurations for all security scanners and application languages avoiding fragmentation or multiple configuration steps.
The architecture of FortiDevSec integrates continuous application security testing into your DevOps CI/CD workflow and adopts a minimalistic approach towards the security testing procedure enabling DevOps personnel to integrate and run comprehensive application security scans without any domain expertise. It seamlessly integrates with all major devops CI/CD platforms to find security issues during the SDLC.
The scan result is aggregated and correlated for all applications across different scan types using advanced Artificial Intelligence (AI)/Machine Learning (ML) and uploaded in the FortiDevSec cloud providing a detailed insight into the scanned applications with a complete view of security risks. The applications are assigned standardized risk rating based on Open Web Application Security Project (OWASP) and SysAdmin, Audit, Network and Security (SANS) factors. FortiDevSec associates each vulnerability to an OWASP Top 10 category or a SANS Top 25 rank by assessing the CWE IDs. The AI driven scan results and risk rating methodology prioritize the detected vulnerabilities based on the assessed severity with minimum false positives and noise. The interactive and customizable dashboard user interface is organized to display scan statistics in a distinctive way with ease of accessibility, navigation, and data filtering.
FortiDevSec allows you to integrate Jira projects for unified bug management. Jira integration is optional and avoids the overhead of maintaining the detected vulnerabilities in multiple systems.
- Jira plugins are supported per FortiDevSec application.
- When vulnerability issues are reported in the FortiDevSec dashboard, the associated Jira project is also updated.
- The vulnerability updates in Jira are synchronized to FortiDevSec prior to scanning the application. You can also synchronize the Jira updates manually.
The high vulnerability detection rate and their intelligent prioritization in the FortiDevSec scan result offers robust risk determination capabilities that facilitate prompt response and appropriate remedial measures for the identified risks. You can configure the risk rating criteria for your application and based on the result analysis, you can manage the scan findings in the dashboard by assigning a suitable status to each vulnerability.