9

10

11

LIM on Docker Requirements

Fortify ScanCentral DAST Requirements

Architectural Best Practices

Fortify ScanCentral DAST Configuration Tool CLI

Fortify ScanCentral DAST Database Requirements

Database Recommendations

Important Recommendation About Disk I/O

Fortify ScanCentral DAST Core Components VM

Fortify ScanCentral DAST Sensor

Fortify WebInspect on Docker Option

Classic Fortify WebInspect Installation Option

Fortify Connect Client on Fortify ScanCentral DAST

Fortify ScanCentral DAST Ports and Protocols

DAST API Required Connections

DAST Global Service Required Connections

DAST Sensor Required Connections

DAST Utility Service Required Connections

Fortify Connect Server Required Connections

Fortify Software (24.4.0)

Page 3 of 73

System Requirements

Kafka Required Connections

17

18

19

Fortify ScanCentral DAST Browsers

Event-based Web Macro Recorder (Standalone)

Windows Version Software Requirements

Mac Version Software Requirements

Running as Administrator

Software Integrations for Fortify ScanCentral DAST

Fortify ScanCentral SAST Requirements

Fortify ScanCentral SAST Controller Requirements

Controller Hardware Requirements

Controller Platforms and Architectures

Controller Application Server

Interoperability with Fortify Software Security Center

Fortify ScanCentral SAST Client and Sensor Requirements

Client and Sensor Hardware Requirements

Sensor Disk Space Requirements

Client and Sensor Software Requirements

Client Languages and Build Tools

Languages

Build Tools

Fortify Software Security Center Server Requirements

Database Hardware Requirements

23

Database Performance Metrics for Minimum and Recommended Hardware

Fortify Software Security Center Database

Application Server

Deploying to a Kubernetes Cluster (Optional Deployment Strategy)

Kubernetes Cluster Requirements

Locally-Installed Tools Required

Additional Requirements

Browsers

Authentication Systems

Single Sign-On (SSO)

BIRT Reports

(Linux only) Installing Required Fonts

Fortify Software (24.4.0)

Page 4 of 73

System Requirements

(Non-GUI Linux only) Installing Required Libraries

28

29

Service Integrations for Fortify Software Security Center

Fortify Static Code Analyzer Requirements

Libraries, Frameworks, and Technologies

Build Tools

Compilers

Fortify Software Security Content

Fortify Static Code Analyzer Applications and Tools Requirements

Service Integrations for Fortify Applications and Tools

Secure Code Plugins

Authentication for Connecting to Fortify Software Security Center

BIRT Reports

Fortify WebInspect Requirements

WebInspect Hardware Requirements

WebInspect Software Requirements

Notes on SQL Server Editions

WebInspect on Docker

Notes on Image Databases

Fortify WebInspect Ports and Protocols

Required Connections

Optional Connections

Connections for Tools

WebInspect Software Development Kit (SDK)

Software Integrations for Fortify WebInspect

Fortify WebInspect Agent Requirements

Java Runtime Environments

Java Application Servers

54

55

.NET Framework

Fortify Software (24.4.0)

Page 5 of 73

System Requirements

IIS for Windows Server

55

Fortify WebInspect Enterprise Requirements

Important Information About This Release

Integrations for Fortify WebInspect Enterprise

Fortify WebInspect Enterprise Database

Fortify WebInspect Enterprise Hardware Requirements

Fortify WebInspect Enterprise Software Requirements

Administrative Console Requirements

Fortify WebInspect Enterprise Ports and Protocols

Required Connections

Optional Connections

Connections for Tools

Fortify WebInspect Enterprise Sensor

Fortify WebInspect Enterprise Notes and Limitations

Fortify Project Results (FPR) File Compatibility

Virtual Machine Support

63

64

65

Technologies no Longer Supported in this Release

Technologies to Lose Support in the Next Release

Acquiring Fortify Software

66

71

Verifying Software Downloads

Preparing Your System for Digital Signature Verification

Assistive Technologies (Section 508)

72

Send Documentation Feedback

73

Fortify Software (24.4.0)

Page 6 of 73

System Requirements

Preface

Contacting Customer Support

Visit the Support website to:

l

Manage licenses and entitlements

l

Create and manage technical assistance requests

l

Browse documentation and knowledge articles

l

Download software

l

Explore the Community

https://www.microfocus.com/support

For More Information

For more information about Fortify software products:

https://www.microfocus.com/cyberres/application-security

About the Documentation Set

The Fortify Software documentation set contains installation, user, and deployment guides for all

Fortify Software products and components. In addition, you will find technical notes and release notes

that describe new features, known issues, and last-minute updates. You can access the latest versions

of these documents from the following Product Documentation website:

https://www.microfocus.com/support/documentation

To be notified of documentation updates between releases, subscribe to Fortify Product

Announcements on the OpenText Fortify Community:

https://community.microfocus.com/cyberres/fortify/w/announcements

Fortify Product Feature Videos

You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube

channel:

https://www.youtube.com/c/FortifyUnplugged

Fortify Software (24.4.0)

Page 7 of 73

System Requirements

Change Log

The following table lists revisions made to this document.

Document Revision

Changes

Revision 2: January

16, 2025

Updated:

l

AIX version support (see "Platforms and Architectures" on page 30)

l

Xcode, Swift, and Clang support included in Fortify Static Code

Analyzer version 24.4.1 (see "Languages" on page 32, "Build Tools" on

page 40, "Compilers" on page 41 )

Incorporated changes available with Fortify Software Security Content

25.1 Update (see "Libraries, Frameworks, and Technologies" on

page 34)

Revision 1: November Updated:

12, 2024

l

Updated the supported cloud database support (see "Fortify Software

Security Center Database" on page 25)

l

Announced deprecation of SQL Server 2017 database for Fortify

Software Security Center (see "Technologies to Lose Support in the

Next Release" on page 65)

Added .NET version 9.x support for dotnet in Fortify Static Code

Analyzer and Fortify ScanCentral SAST (see "Build Tools" on page 40

and "Client Languages and Build Tools" on page 22 )

Fortify Software (24.4.0)

Page 8 of 73

System Requirements

Introduction

This document describes the environments and products that OpenText supports for this version of

Fortify Software, which includes:

l

OpenText™ Fortify License and Infrastructure Manager

l

OpenText™ Fortify ScanCentral DAST

l

OpenText™ Fortify ScanCentral SAST

l

OpenText™ Fortify Software Security Center Server

l

OpenText™ Fortify Static Code Analyzer

l

OpenText™ Fortify Static Code Analyzer Applications and Tools

l

OpenText™ Fortify WebInspect

l

OpenText™ Fortify WebInspect Agent

l

OpenText™ Fortify WebInspect Enterprise

Software Delivery

Fortify Software is delivered electronically. See "Acquiring Fortify Software" on page 66 for more

information.

Software Licenses

Fortify Software products require a license. For Fortify ScanCentral DAST, Fortify Static Code

Analyzer, Fortify WebInspect, and Fortify WebInspect Enterprise, you will receive an email with

instructions for how to activate your product.

For all other Fortify Software products described in this document (including Fortify Static Code

Analyzer and Secure Code Plugins), you must download the Fortify license file for your product from

the Software Licenses and Downloads (SLD) portal (https://sld.microfocus.com). Use the credentials

that Customer Support has provided for access.

Note: Using Fortify License and Infrastructure Manager (LIM) to manage concurrent licenses for

Fortify Static Code Analyzer requires LIM version 21.2.0 or later.

Fortify License and Infrastructure Manager

Requirements

This section describes the hardware and software requirements for Fortify License and Infrastructure

Manager (LIM).

Fortify Software (24.4.0)

Page 9 of 73

System Requirements

Hardware Requirements

OpenText recommends that you install the LIM on a system that conforms to the supported

components listed in following table.

Component

Requirement

Notes

Processor

2.5 GHz single-core or faster Recommended

1.5 GHz single-core

2+ GB

Minimum

RAM

Recommended

Minimum

1 GB

Hard disk

Display

50+ GB

Recommended

Minimum

20 GB

1280 x 1024

1024 x 768

Recommended

Minimum

Software Requirements

LIM runs on and works with the software packages listed in the following table. Beta or pre-release

versions of operating systems, service packs, and required third-party components are not supported.

Package

Versions

Notes

Microsoft Windows

Server®

Windows Server 2019

Windows Server 2022

IIS 8.5

Web Server

Recommended

IIS 7.5, 8.0, 10

.NET Platform

ASP.NET Core Runtime 8.0.10 Hosting Bundle or

later

.NET SDK Core Runtime 8.0.2 or later

All modern browsers and versions

Browser

Fortify Software (24.4.0)

Page 10 of 73

System Requirements

LIM on Docker Requirements

LIM on Docker has the requirements listed in the following table.

Software

Version

Red Hat Universal Base Image (UBI) 8.x x86_64

Fortify ScanCentral DAST Requirements

Before you install Fortify ScanCentral DAST, make sure that your system meets the requirements

described in this section. OpenText does not support beta or pre-release versions of operating

systems, service packs, or required third-party components.

Architectural Best Practices

The Fortify ScanCentral DAST core components are available as Docker images only. The Fortify

WebInspect sensor is either a Docker image or a Microsoft Windows® computer with both Fortify

WebInspect and the Fortify ScanCentral DAST sensor service installed.

Follow these best practice guidelines when you configure Fortify ScanCentral DAST:

l

Run the DAST API, DAST Global Service, DAST Utility Service, and Fortify License and

Infrastructure Manager (LIM) Docker containers on the same VM or on separate VMs.

l

Do not run the Fortify WebInspect sensor (container or classic installation) on the same VM as any

of the other DAST components.

For more information about the Fortify ScanCentral DAST components, see the OpenText™ Fortify

ScanCentral DAST Configuration and Usage Guide.

Fortify ScanCentral DAST Configuration Tool CLI

This topic describes the software and hardware requirements for the machine on which the

configuration tool CLI runs to configure settings for the Fortify ScanCentral DAST components.

Fortify Software (24.4.0)

Page 11 of 73

System Requirements

Software Requirements

The Fortify ScanCentral DAST Configuration Tool CLI runs on and works with the software packages

listed in the following table.

Package

Versions

Windows

Windows 10

Windows Server 2019

.NET SDK Core Runtime 8.0

.NET Platform

Red Hat® Enterprise Linux® (RHEL) 8.x x86_64

Hardware Requirements

OpenText recommends that you use the Fortify ScanCentral DAST Configuration Tool CLI on a

system that conforms to the supported components listed in the following table.

Component

Requirement

2+ GB

Notes

RAM

Recommended

Minimum

1 GB

Fortify ScanCentral DAST Database Requirements

Fortify ScanCentral DAST supports the databases listed in the following table.

Package

Versions

Notes

Microsoft®

SQL Server®

SQL Server

2022

Recommended

No scan database limit; SQL Server must use Mixed Mode.

(English-

language

version only)

SQL Server

2019

No scan database limit; SQL Server must use Mixed Mode.

Azure SQL

Server

Using Azure SQL Server outside the Azure infrastructure might

cause poor performance for Fortify ScanCentral DAST.

OpenText recommends using Azure SQL Server with Fortify

ScanCentral DAST inside the Azure infrastructure only.

Fortify Software (24.4.0)

Page 12 of 73

System Requirements

Package

Versions

Notes

Amazon RDS

for SQL

Server

PostgreSQL®

PostgreSQL

15 or later

Azure

PostgreSQL

Amazon RDS

for

PostgreSQL

Database Recommendations

OpenText recommends that you configure the database server on a separate machine from either

Fortify Software Security Center or any other Fortify ScanCentral DAST components.

The Fortify ScanCentral DAST SQL database requires case-insensitive collation.

Important! This is opposite the requirement for Fortify Software Security Center databases as

described in "Fortify Software Security Center Database" on page 25.

Important Recommendation About Disk I/O

Disk I/O encompasses the input/output operations on a physical disk. If you are reading data from a

file, the processor must wait for the file to be read (the same applies to writing data to a file). Fortify

ScanCentral DAST is a high I/O-intensive application, which affects performance. Make sure that your

disk subsystem provides low read/write latency. OpenText recommends that you monitor disk I/O as

the database grows.

Fortify ScanCentral DAST Core Components VM

This topic describes the hardware and software requirements to run the DAST API, DAST Global

Service, and DAST Utility Service containers.

Fortify Software (24.4.0)

Page 13 of 73

System Requirements

Software Requirements

The DAST API, DAST Global Service, and DAST Utility Service containers run on and work with the

software packages listed in the following table.

Software

Versions

Windows

Windows Server 2019

Red Hat Enterprise Linux (RHEL) 8.x x86_64

Follow Docker recommendations for the Docker engine version to use for these versions of Windows

and Red Hat images.

Hardware Requirements

OpenText recommends that you use the DAST API, DAST Global Service, and DAST Utility Service

containers on a system that conforms to the supported components listed in the following table.

Component

RAM

Requirement

32 GB

Processor

8 Core

Fortify ScanCentral DAST Sensor

The following options are available for a Fortify ScanCentral DAST sensor:

l

Use the Fortify WebInspect on Docker image in a container

l

Use a classic Fortify WebInspect installation with the Fortify ScanCentral DAST sensor service

Fortify WebInspect on Docker Option

For system requirements for this option, see "WebInspect on Docker" on page 48.

Classic Fortify WebInspect Installation Option

For hardware and software requirements for this option, see "WebInspect Hardware Requirements" on

page 45 and "WebInspect Software Requirements" on page 46 . Additionally, if you plan to conduct

Postman scans, see "Support for Postman" on page 47 .

Important! When running a Fortify ScanCentral DAST sensor outside of a container, such as a

sensor service on the same machine as a classic Fortify WebInspect installation, you must install

the .NET SDK Core Runtime 8.x.x.

Fortify Software (24.4.0)

Page 14 of 73

System Requirements

Fortify Connect Client on Fortify ScanCentral DAST

The Fortify Connect client executable runs on and works with the software packages listed in the

following table.

Software

Versions

ASP.NET Core Runtime 7.0

OpenSSH Client

7.6 or later

Fortify ScanCentral DAST Ports and Protocols

This section describes the ports and protocols that the Fortify ScanCentral DAST components use to

make required and optional connections.

DAST API Required Connections

The following table lists the ports and protocols that the DAST API container uses for required

connections.

Endpoint

Port

Protocol

Notes

Fortify Software 80

Security Center

HTTP

If SSL is not configured, the port on the host running

the container is forwarded to port 80 on the container.

DAST Global

Service

Host port mapping is customizable to the container

port.

DAST Sensor

Service

Fortify Software 443

Security Center

HTTPS

If SSL is configured, the port on the host running the

container is forwarded to port 443 on the container.

DAST Global

Service

Host port mapping is customizable to container port.

DAST Sensor

Service

SQL Server,

Azure SQL

Server, or

1433

TCP

This is the default SQL Server port.

Fortify Software (24.4.0)

Page 15 of 73

System Requirements

Endpoint

Port

Protocol

Notes

Amazon RDS for

SQL Server

PostgreSQL,

Azure

5432

TCP

This is the default PostgreSQL port.

PostgreSQL, or

Amazon RDS for

PostgreSQL

DAST Global Service Required Connections

The DAST Global Service does not expose any ports.

The following table lists the ports and protocols that the DAST Global Service container uses for

required connections.

Endpoint

Port

Protocol

Notes

SQL Server,

Azure SQL

1433

TCP

This is the default SQL Server port.

Server, or

Amazon RDS

for SQL Server

PostgreSQL,

Azure

5432

TCP

This is the default PostgreSQL port.

PostgreSQL, or

Amazon RDS

for PostgreSQL

DAST Sensor Required Connections

The DAST sensor does not expose any ports.

The DAST sensor communicates with the DAST API over the port that is exposed on the host running

the DAST API container.

Fortify Software (24.4.0)

Page 16 of 73

System Requirements

DAST Utility Service Required Connections

The following table lists the ports and protocols that the DAST Utility Service container uses for

required connections.

Endpoint

Port

Protocol

Notes

DAST API

5000

HTTP

If SSL is not configured, the port on the host running

the container is forwarded to port 5000 on the

container.

Host port mapping is customizable to the container

port.

DAST API

5001

1433

HTTPS

TCP

If SSL is configured, the port on the host running the

container is forwarded to port 5001 on the container.

Host port mapping is customizable to container port.

This is the default SQL Server port.

SQL Server,

Azure SQL

Server, or

Amazon RDS for

SQL Server

PostgreSQL,

Azure

5432

TCP

This is the default PostgreSQL port.

PostgreSQL, or

Amazon RDS for

PostgreSQL

Fortify Connect Server Required Connections

The DAST API, DAST Global Service, DAST Utility Service, and DAST Scanner Service (when running

in remote mode) access the internal host and internal port that are specified in the

"FortifyConnectServerSettings" when configuring your ScanCentral DAST environment.

Kafka Required Connections

If Apache® Kafka® is configured, Fortify Software Security Center publishes messages to Kafka using

the list of servers in the stream.kafka.bootstrapServersspecified in the app.propertiesfor

Fortify Software Security Center. Fortify ScanCentral DAST consumes messages from Kafka using the

list of servers listed in the SSCSettings.KafkaSettings.BootstrapServersin the settings file

used to configure Fortify ScanCentral DAST.

Fortify Software (24.4.0)

Page 17 of 73

System Requirements

Fortify ScanCentral DAST Browsers

For Fortify ScanCentral DAST browser requirements, see "Browsers" on page 27 for Fortify Software

Security Center.

Event-based Web Macro Recorder (Standalone)

By default, the Event-based Web Macro Recorder is installed as part of the Fortify WebInspect toolkit

when Fortify WebInspect is installed on Windows. However, Fortify ScanCentral DAST allows you to

download a Windows or Mac version of the Event-based Web Macro Recorder and install it as a

standalone tool.

Hardware Requirements

OpenText recommends that you install the standalone Event-based Web Macro Recorder on a system

that conforms to the supported components listed in the following table.

Component

Requirement

Intel x86

Apple® silicon

16 GB

Notes

Processor

Windows

macOS®

RAM

Hard disk

1 TB

Windows Version Software Requirements

The Windows version of the Event-based Web Macro Recorder tool runs on and works with the

software packages listed in the following table.

Package

Version

Windows

Windows 10

Windows Server 2019

Fortify Software (24.4.0)

Page 18 of 73

System Requirements

Mac Version Software Requirements

The Mac version of the Event-based Web Macro Recorder tool runs on and works with the software

packages listed in the following table.

Package

Versions

Operating System macOS 14

Running as Administrator

The standalone Web Macro Recorder tool requires administrative privileges for proper operation of all

features. Refer to the Windows or macOS documentation for instructions on changing the privilege

level to run the Web Macro Recorder tool as an administrator.

Software Integrations for Fortify ScanCentral DAST

The following table lists products that you can integrate with Fortify ScanCentral DAST.

Product

Versions

Fortify Software Security Center 24.4.0

Kubernetes on Azure

1.19 or later

Fortify ScanCentral SAST Requirements

Fortify ScanCentral SAST has three major components: a ScanCentral SAST Controller, ScanCentral

SAST clients, and ScanCentral SAST sensors.

Fortify ScanCentral SAST Controller Requirements

This section describes the hardware and platform requirements for the Fortify ScanCentral SAST

Controller.

Controller Hardware Requirements

OpenText recommends that you install the Fortify ScanCentral SAST Controller on a high-end 64-bit

processor running at 2 GHz with at least 8 GB of RAM.

Fortify Software (24.4.0)

Page 19 of 73

System Requirements

To estimate the amount of disk space required on the machine that runs the Fortify ScanCentral

SAST Controller, use one of the following equations:

Intended use Equation

Remote scan

only

<num_jobs_per_day> x (<size_avg_MBS> + <size_avg_FPR> + <size_avg_SCA_

log>) x <number_days_data_is_persisted>

Remote

translation

and scan

<num_jobs_per_day> x (<size_avg_archived_project_with_dependencies> + <size_

avg_FPR> + <size_avg_SCA_log>) x <num_days_data_is_persisted>

By default, data is persisted for seven days.

Controller Platforms and Architectures

The Fortify ScanCentral SAST Controller supports the platforms and architectures listed in the

following table.

Operating system

Versions

Windows

Server 2016

Server 2019

Server 2022

Linux

Red Hat Enterprise Linux 8, 9

SUSE Linux Enterprise Server 15

Controller Application Server

The Fortify ScanCentral SAST Controller installation includes the supported Apache® Tomcat™

version 10.1.x that runs on JRE 17.

Interoperability with Fortify Software Security Center

OpenText supports integrating the Fortify ScanCentral SAST Controller with a Fortify Software

Security Center version that is the same or one version earlier than the Controller version. For

example, the 24.4.0 version of the Controller works with the 24.2.0 or 24.4.0 versions of Fortify

Software Security Center

Fortify ScanCentral SAST Client and Sensor Requirements

This section describes the requirements for the Fortify ScanCentral SAST clients and sensors.

Fortify Software (24.4.0)

Page 20 of 73

System Requirements

Client and Sensor Hardware Requirements

Fortify ScanCentral SAST clients and sensors run on any Windows and Linux system that Fortify

Static Code Analyzer supports. Fortify ScanCentral SAST embedded clients and sensors are installed

on build machines that run Fortify Static Code Analyzer. See "Fortify Static Code Analyzer

Requirements" on page 29 for hardware, platform, and architecture requirements.

Sensor Disk Space Requirements

To estimate the amount of disk space required on the machine that runs a Fortify ScanCentral SAST

sensor, use one of the following equations:

Intended

use

Equation

Remote scan <num_of_scans> x (<size_avg_MBS> + <size_avg_FPR> + <size_avg_SCA_log>) x

only

<num_days_data_is_persisted>

Remote

translation

and scan

<num_jobs_per_day> x (<size_avg_archived_project_with_dependencies> + <size_

avg_project_with_dependencies> + <size_avg_FPR> + <size_avg_SCA_log>) x

<number_days_data_is_persisted>

By default, data is persisted for seven days.

Client and Sensor Software Requirements

Fortify ScanCentral SAST embedded clients and sensors are installed on build machines that run

Fortify Static Code Analyzer.

Clients

In addition to the requirements for specific project types listed in "Software Requirements" on

page 31 for Fortify Static Code Analyzer, the following requirements must be met for Fortify

ScanCentral SAST clients:

l

Standalone clients require Java 17 or later.

l

Packaging of .NET projects requires the software listed in the following table.

Operating system

Software

Windows

.NET Framework 4.8 or later

.NET SDK 8.0

Linux

.NET SDK 8.0

Fortify Software (24.4.0)

Page 21 of 73

System Requirements

Sensors

The following table lists sensor software requirements for remote translation of specific project types.

Language

Software

Operating systems

.NET applications

.NET SDK 8.0

Windows, Linux

.NET web applications .NET Framework 4.8 or later Windows

.NET SDK 8.0

COBOL

Not applicable

Windows

Client Languages and Build Tools

Fortify ScanCentral SAST supports remote translation and scan for the languages and build tools

described in this section.

Languages

Fortify ScanCentral SAST clients support generating packages with sources and dependencies for

remote translation on sensors for the following languages. See "Languages" on page 32 for specific

supported versions.

l

.NET applications in C# and Visual Basic (VB.NET) (.NET Core, .NET Standard, ASP.NET)

See "Software Requirements" on page 31 for the specific Fortify Static Code Analyzer requirements

for .NET applications.

l

ABAP®

l

Apex

l

Classic ASP

l

COBOL

l

ColdFusion

l

Dockerfiles

l

Go

l

Java

l

JavaScript

l

Kotlin

l

PHP

l

PL/SQL

l

Python

l

Ruby

l

T-SQL

Fortify Software (24.4.0)

Page 22 of 73

System Requirements

l

TypeScript

l

Visual Basic 6.0

Build Tools

Fortify ScanCentral SAST clients support the build tools listed in the following table.

Build tool

dotnet

Versions

6.0–8.0, 9.x

5.0–8.10

Gradle

Apache Maven™ Software 3.5.x, 3.6.x, 3.8.x, 3.9.x

MSBuild 14.0, 15.x, 16.x, 17.0–17.11

Fortify Software Security Center Server

Requirements

This section describes the system requirements for the Fortify Software Security Center server.

Hardware Requirements

Fortify Software Security Center requires the hardware specifications listed in the following table.

Minimum

required

Minimum

recommended

Server

Component

Java heap size

Processor

RAM

Application server

Database server

4 GB

24 GB

Quad-core

8 GB

Eight-core

64 GB

Database Hardware Requirements

OpenText recommends an eight-core processor with 64 GB of RAM for the Fortify Software Security

Center database. Using less than this recommendation can impact Fortify Software Security Center

performance.

Fortify Software (24.4.0)

Page 23 of 73

System Requirements

Use the following formula to estimate the size (in GB) of the Fortify Software Security Center

database disk space:

((<num_issues>*30 KB) + <size_of_artifacts>) ÷ 1,000,000

where:

l

<num_issues> represents the total number of issues in the system

l

<size_of_artifacts> represents the total size in KB of all uploaded artifacts and analysis results

Note: This formula produces only a rough estimate for database disk space allocation. Do not use

it to estimate disk space requirements for long-term projects. Disk requirements for Fortify

Software Security Center databases increases in proportion to the number of projects, scans, and

issues in the system.

Database Performance Metrics for Minimum and Recommended Hardware

Requirements

The following table shows performance metrics (number of issues discovered per hour) for Fortify

Software Security Center configured with the minimum and the recommended hardware

requirements.

Issues per hour

Database

Minimum configuration

Recommended configuration

MySQL

362,514

231,392

725,028

2,589,385

3,020,950

3,625,140

Oracle® Database

SQL Server

Platforms and Architectures

Fortify Software Security Center supports the platforms and architectures listed in the following table.

Operating system

Versions

Windows

Server 2016

Server 2019

Server 2022

Linux

Red Hat Enterprise Linux 8, 9

SUSE Linux Enterprise Server 15

Fortify Software (24.4.0)

Page 24 of 73

System Requirements

Note: Although Fortify Software Security Center is not tested on all Linux variants, most

distributions are not known to have issues.

Application Server

Fortify Software Security Center supports Apache Tomcat version 9.0.x for the following JDK

versions:

l

Oracle JDK 17

l

Red Hat OpenJDK 17

l

SUSE OpenJDK 17

l

Zulu OpenJDK 17 from Azul

OpenText only supports the deployment of a single Fortify Software Security Center instance. That

instance must not be behind a layer 7 load balancer of your own implementation. However, OpenText

does support a Fortify Software Security Center implementation behind a layer 4 load balancer in a

deployment to a Kubernetes cluster.

Important! OpenText does not support the installation of any third-party performance

monitoring agents on the Tomcat instance that is hosting Fortify Software Security Center.

Fortify Software Security Center Database

Fortify Software Security Center requires case-sensitive database schema collations.

Important! Fortify Software Security Center is a high I/O-intensive application, which affects

performance. Make sure that your disk subsystem provides low read/write latency. OpenText

recommends that you monitor disk I/O as the database grows.

All required database drivers are included in the WAR file. Fortify Software Security Center supports

the databases listed in the following table.

Database

Versions

Collation / character sets

MySQL

8.0 (Community Edition)

latin1_general_cs

Amazon RDS for MySQL (8.0)

utf8mb3_bin (if available, preferred over utf8_

bin)

utf8_bin (only if utf8 is a synonym for utf8mb3

character set)

Oracle

19c (19.3)

AL32UTF8 for all languages

WE8MSWIN1252 for US English

Fortify Software (24.4.0)

Page 25 of 73

System Requirements

Database

Versions

Collation / character sets

SQL Server

2017

2019

2022

SQL_Latin1_General_CP1_CS_AS

Amazon RDS for SQL Server

(2019, 2022)

Azure SQL Database (2019,

2022)

Note: Fortify Software Security Center does not support the following cloud managed database

platforms:

l

Azure Database for MySQL

l

Oracle in the cloud

l

SQL Server on Google Cloud

OpenText does not support the direct conversion from one database server type to another, such as

converting from MySQL to Oracle. To do this, you must use the Server API to move data from your

current Fortify Software Security Center instance to a new instance that uses the database server

type you want to use going forward. Professional Services can assist you with this process.

Deploying to a Kubernetes Cluster (Optional Deployment

Strategy)

To deploy Fortify Software Security Center to a Kubernetes cluster, make sure that the following

requirements are met.

Kubernetes Cluster Requirements

The following are the minimum requirements for the default installation:

l

Kubernetes versions 1.29, 1.30, or 1.31

l

Kubernetes persistent volumes with optional support for Pod security context fsGroup option

Using a non-default container user ID requires fsGroup support.

l

Kubernetes LoadBalancer Service type (recommended)

l

28 GB of available RAM and 8 CPUs on a single Kubernetes node

l

4 GiB of storage for persistent volume

Fortify Software (24.4.0)

Page 26 of 73

System Requirements

Locally-Installed Tools Required

l

A kubectl command-line tool

OpenText recommends that you use the same kubectl command-line tool version as the

Kubernetes cluster version or follow the Version Skew Policy on the Kubernetes website.

l

Helm command-line tool versions 3.14, 3.15, or 3.16

To determine which Helm command-line tool version matches your Kubernetes cluster version, see

the Helm Version Support Policy on the Helm website.

l

(Recommended) A Docker client and server installation (any version)

Additional Requirements

l

Kubeconfig file for the Kubernetes cluster

l

Docker Hub account with access to Fortify Software Security Center images

Note: If you need access to the Fortify Docker repository, contact mfi-

fortifydocker@opentext.com with your first name, your last name, and your Docker ID.

OpenText will then give you access to the Docker organization that contains the Fortify

Software Security Center images.

l

DNS name for the Fortify Software Security Center web application (address used to access the

service)

l

Java keystore for setting up HTTPS

For details, see the OpenText™ Fortify Software Security Center User Guide.

The keystore must contain a CA certificate and a server certificate for the Fortify Software Security

Center DNS name with an associated private key.

l

Keystore password

l

Private key password

l

Fortify license file

Browsers

OpenText recommends that you use one of the browsers listed in the following table and a screen

resolution of 1400 x 800.

Browser

Version

Google Chrome™ 116 or later

Microsoft® Edge 114 or later

Mozilla® Firefox® 116 or later

Fortify Software (24.4.0)

Page 27 of 73

System Requirements

Browser

Version

14 or later

Apple® Safari

Authentication Systems

Fortify Software Security Center supports the following directory services:

l

LDAP: LDAP 3 compatible

Important! Although Fortify Software Security Center supports the use of multiple LDAP

servers, it does not support the use of multiple LDAP servers behind a load balancer unless

they are exact copies.

l

Windows Active Directory service

Single Sign-On (SSO)

Fortify Software Security Center supports:

l

Central Authentication Service (CAS) SSO

l

HTTP Headers SSO (Oracle SSO, CA SSO)

l

SAML 2.0 SSO

l

SPNEGO/Kerberos SSO

l

X.509 SSO

BIRT Reports

Fortify Software Security Center custom reports support BIRT Report Designer version 4.16.0.

(Linux only) Installing Required Fonts

To generate BIRT reports on a Linux system from Fortify Software Security Center, you must install

the fontconfig library, DejaVu Sans fonts, and DejaVu Serif fonts on the server. If you need to, you can

download these fonts from the DejaVu Fonts website.

(Non-GUI Linux only) Installing Required Libraries

To generate reports on a non-GUI Linux system, you must install the GTK and X Window System

(X11) libraries.

Fortify Software (24.4.0)

Page 28 of 73

System Requirements

Service Integrations for Fortify Software Security Center

Fortify Software Security Center supports the service integrations listed in the following table.

Service

Application

Versions

Bug tracking

OpenText™ ALM Quality Center

Azure DevOps

12.50

Not

applicable

Note: Only basic user password authentication is

supported.

Azure DevOps Server

2019

2020

2022

Jira Software Server

Jira Software Cloud

8.13

9.10

Not

applicable

Dynamic assessments

Issue Auditing

Fortify ScanCentral DAST

24.4.0

23.2.x

Fortify WebInspect Enterprise

OpenText™ Fortify Audit Assistant

Not

applicable

OpenText™ Fortify Audit Assistant on Premises

23.2.0 or

later

Fortify Static Code Analyzer Requirements

This section describes the system requirements for Fortify Static Code Analyzer.

Fortify Software (24.4.0)

Page 29 of 73

System Requirements

Hardware Requirements

OpenText recommends that you install Fortify Static Code Analyzer on a high-end processor with the

hardware requirements described in the following table.

RAM

(GB)

CPU cores

Programming language to analyze

16

4

8

Non-dynamic languages

32

Dynamic languages such as JavaScript, TypeScript, Python, PHP, and

Ruby

Increasing the number of processor cores and RAM both result in faster processing. If your software is

complex, you might require more RAM or processors. See the information about improving

performance in the OpenText™ Fortify Static Code Analyzer User Guide for recommendations.

Platforms and Architectures

Fortify Static Code Analyzer supports the platforms and architectures listed in the following table.

Distributions

Operating system

Platforms

and versions

Notes

Windows

x64

Windows 10, 11

Windows Server

2019, 2022

Linux

x64

CentOS Linux

7.x (7.6 or later)

ARM

Red Hat

Enterprise

Linux 7.x (7.2

or later), 8.x

(8.2 or later),

9.x

SUSE® Linux®

Enterprise

Server 15

Ubuntu®

Fortify Software (24.4.0)

Page 30 of 73

System Requirements

Distributions

and versions

Operating system

Platforms

Notes

20.04.1 LTS,

22.04.1 LTS

macOS

x64

13, 14

The M series are Apple designed CPUs

based on the ARM architecture. Fortify

Static Code Analyzer can run on M series

processors through the Rosetta

emulation layer.

M series

IBM® AIX®

Power ISA

7.1, 7.2, 7.3

Important! You must have the

IBM XL C/C++ for AIX 16.1 Runtime

environment package installed.

Software Requirements

The Fortify Static Code Analyzer installation includes an embedded OpenJDK/JRE version 17.0.11,

which the software requires. You do not need to install Java 17.

To use Fortify Static Code Analyzer, you must have Read and Write permissions for the Fortify Static

Code Analyzer installation directory.

The following table lists software requirements for analysis of specific project types.

Language

Software

Operating systems

Visual Studio, MSBuild, or

.NET projects

.NET Framework 4.8 or later (MSBuild Windows

only)

.NET SDK 8.0

Windows, Linux

ABAP/BSP

Fortify ABAP Extractor is supported

on a system running SAP® release

7.02, SP level 0006.

All

Bicep

.NET SDK 8.0

Windows, Linux

Windows

COBOL

Microsoft Visual C++ 2017

Redistributable (x86)

Note: This is not a requirement

for legacy COBOL analysis.

Fortify Software (24.4.0)

Page 31 of 73

System Requirements

Language

Software

Operating systems

Scala

Scala Fortify compiler plugin is

available in the Maven Central

Repository

All

Languages

Fortify Static Code Analyzer supports the programming languages listed in the following table.

Language /

framework

.NET (Core)

.NET Framework

ABAP/BSP

ActionScript

Apex

Versions

2.0-9.x

2.0–4.8

6.x, 7.x

3.0

55–61

Bicep

0.12.x–0.15.31

C#

5–13

C

C11, C17, C23 (see "Compilers" on page 41)

C++11, C++14, C++17, C++20 (see "Compilers" on page 41)

2.0, 3.0

C++

Classic ASP

(with VBScript)

COBOL

IBM Enterprise COBOL for z/OS 6.1–6.3 (CICS, IMS, DB2, and IBM MQ)

Visual COBOL 6.0–8.0

ColdFusion

Dart

8–10

2.12-3.1

Docker (Dockerfiles) any

Flutter

2.0–3.13

Fortify Software (24.4.0)

Page 32 of 73

System Requirements

Language /

framework

Versions

1.12–1.23

2.0

Go

HCL

Note: HCL language support is specific to Terraform and supported

cloud provider Infrastructure as Code (IaC) configurations.

HTML

5 or earlier

7–21

Java

(including Android)

JavaScript

JSON

ECMAScript 2015–2023

ECMA-404

JSP

1.2–2.1

Kotlin

1.3–2.0

MXML (Flex)

Objective-C/C++

PHP

4

2.0 (see "Compilers" on page 41)

7.3–8.3

PL/SQL

Python

Ruby

8–23

2.6–2.7, 3.0–3.12

1.x

Scala

2.11–2.13, 3.3–3.4

Solidity

Swift

0.4.12–0.8.21

5.0–5.10, 6.0 (see "Compilers" on page 41 for supported swiftc versions)

T-SQL

SQL Server 2005, 2008, 2012

TypeScript

VBScript

3.6–5.4

2.0, 5.0

Fortify Software (24.4.0)

Page 33 of 73

System Requirements

Language /

framework

Versions

Visual Basic

(VB.NET)

15.0–16.9

Visual Basic

XML

6.0

1.0

1.2

YAML

Libraries, Frameworks, and Technologies

Fortify Static Code Analyzer supports the libraries, frameworks, and technologies listed in this section

with dedicated Fortify Secure Coding Rulepacks and vulnerability coverage beyond core supported

languages.

Java

Adobe Flex Blaze DS

Ajanta

Apache Slide

iBatis

Mozilla Rhino

MyBatis

Spring AI

Apache Spring

Security (Acegi)

IBM MQ

Spring MVC

Amazon Web Services

(AWS) SDK

IBM WebSphere

Jackson

MyBatis-Plus

Netscape LDAP API

OkHttp

Spring Boot

Apache Struts

Apache Tapestry

Apache Tomcat

Apache Torque

Apache Util

Spring Data Commons

Spring Data JPA

Spring Data MongoDB

Spring Data Redis

Spring HATEOAS

Spring JMS

Android

Jakarta Activation

Jakarta EE (Java EE)

Jasypt

Android Jetpack

Apache Axiom

Apache Axis

Apache Beam

OpenCSV

Oracle Application

Development

Framework (ADF)

Java Annotations

Java Excel API

JavaMail

Apache Velocity

Oracle BC4J

Apache Beehive NetUI Apache Wicket

Spring JMX

Oracle JDBC

Apache Catalina

Apache Cocoon

Apache Commons

Apache ECS

Apache Xalan

Apache Xerces

ATG Dynamo

Azure SDK

JAX-RS

Spring Messaging

Spring Security

Spring Webflow

Spring WebSockets

Spring WS

Oracle OA Framework

Oracle tcDataSet

JAXB

Jaxen

Oracle XML Developer

Kit (XDK)

JBoss

Apache Hadoop

Castor

JDesktop

JDOM

OWASP Enterprise

Security API (ESAPI)

Apache

HttpComponents

Display Tag

Dom4j

Stripes

OWASP HTML

Sanitizer

Jetty

Sun JavaServer Faces

(JSF)

Apache Jasper

Apache Log4j

Apache Lucene

GDS AntiXSS

Google Cloud

Google Dataflow

JGroups

OWASP Java Encoder

Plexus Archiver

Tungsten

Weblogic

json-simple

Fortify Software (24.4.0)

Page 34 of 73

System Requirements

Apache MyFaces

Apache OGNL

Apache ORO

Apache POI

Google Guava

JTidy Servlet

JXTA

Realm

WebSocket

XStream

Google Web Toolkit

gRPC

Restlet

JYaml

SAP Web Dynpro

Saxon

YamlBeans

ZeroTurnaround ZIP

Zip4J

Gson

Liferay Portal

MongoDB

Apache SLF4J

Hibernate

SnakeYAML

Spring

Kotlin

Kotlin support includes all libraries covered for Java and the following Kotlin libraries.

Kotlin standard library

Scala

Scala support includes all libraries covered for Java and the following Scala libraries.

Akka HTTP

Scala Play

Scala Slick

.NET

.NET Framework, .NET Azure SDK

Core, and .NET

Standard

Hot Chocolate

MongoDB

SharePoint Services

SharpCompress

SharpZipLib

Castle ActiveRecord

IBM Informix .NET

Provider

MySQL

Connector/NET

CsvHelper

.NET WebSockets

Json.NET Log4Net

NHibernate

NLog

Dapper

SQLite .NET Provider

SubSonic

ADO.NET Entity

Framework

Microsoft

ApplicationBlocks

DB2 .NET Provider

DotNetZip

Npgsql

Sybase ASE ADO.NET

Data Provider

ADODB

Microsoft My

Framework

Open XML SDK

Entity Framework

Entity Framework Core

fastJSON

Amazon Web Services

(AWS) SDK

Oracle Data Provider

for .NET

Xamarin

Microsoft Practices

Enterprise Library

Xamarin Forms

YamlDotNet

ASP.NET MVC

OWASP AntiSamy

Saxon

ASP.NET SignalR

ASP.NET Web API

Microsoft Web

Protection Library

gRPC

C

ActiveDirectory LDAP CURL Library

Apple System Logging GLib

MySQL

OpenSSL

Sun RPC

WinAPI

Netscape LDAP

ODBC

POSIX Threads

SQLite

(ASL)

JNI

Fortify Software (24.4.0)

Page 35 of 73

System Requirements

C++

Boost Smart Pointers

MFC

STL

WMI

SQL

Oracle ModPLSQL

PHP

ADOdb

PHP DOM

PHP Mhash

PHP Mysql

PHP Reflection

PHP Simdjson

PHP SimpleXML

PHP Smarty

PHP WordPress

PHP XML

Advanced PHP

Debugging

PHP Extension

PHP Hash

PHP OCI8

PHP XMLReader

PHP Zend

CakePHP

PHP JSON

PHP Mcrypt

PHP OpenSSL

PHP PostgreSQL

PHP Debug

PHP Sodium

PHP Zip

JavaScript/TypeScript/HTML5

Angular

Gemini API

GraphQL.js

Handlebars

Helmet

JS-YAML

React

Sequelize

Underscore.js

Vue

Anthropic Claude

Apollo Server

Bluebird

LangChain

React Native

Mustache

React Native Async

Storage

Node.js Azure Storage

React Router

child-process-promise iOS JavaScript Bridge Node.js Core

SAPUI5/OpenUI5

Express

jQuery

OpenAI

Python

aiopg

Graphene

_mysql

pycrypto

PyCryptodome

pycurl

requests

simplejson

six

Amazon Web Services gRPC

(AWS) Lambda

MySQL

Connector/Python

httplib2

Amazon SageMaker

Anthropic Claude

Azure Functions

Django

MySQLdb

OpenAI

Jinja2

pylibmc

TensorFlow

Twisted Mail

urllib3

LangChain

libxml2

PyMongo

PySpark

oslo.config

Paramiko

psycopg2

lxml

PyYAML

WebKit

Flask

memcache-client

Google Cloud

Ruby

MySQL

pg

Rack

Thor

SQLite

Fortify Software (24.4.0)

Page 36 of 73

System Requirements

Objective-C

AFNetworking

Apple CoreFoundation Apple

LocalAuthentication

Apple

WatchConnectivity

SBJson

Apple AddressBook

Apple AppKit

Apple CoreLocation

SFHFKeychainUtils

SSZipArchive

ZipArchive

ZipUtilities

ZipZap

Apple MessageUI

Apple Security

Apple Social

Apple WatchKit

Apple WebKit

Hpple

Apple CoreServices

Apple CoreTelephony

Apple Foundation

Apple CFNetwork

Apple ClockKit

Apple UIKit

Objective-Zip

Realm

Apple CommonCrypto Apple HealthKit

Apple CoreData

Swift

Alamofire

Apple CoreFoundation Apple MessageUI

Apple WatchKit

Apple WebKit

Hpple

Zip

Apple AddressBook

Apple CFNetwork

Apple ClockKit

Apple CoreLocation

Apple Foundation

Apple HealthKit

Apple Security

Apple Social

Apple SwiftUI

Apple UIKit

ZipArchive

ZIPFoundation

ZipUtilities

ZipZap

Realm

Apple CommonCrypto Apple

SQLite

LocalAuthentication

Apple CoreData

Apple

SSZipArchive

WatchConnectivity

COBOL

Auditor

CICS

Micro Focus

COBOL Run-time

System

POSIX

SQL

DLI

MQ

Go

GORM

logrus

gRPC

Fortify Software (24.4.0)

Page 37 of 73

System Requirements

Configuration

.NET Configuration

Docker Configuration Java Apache Struts

Java OWASP

AntiSamy

OpenAPI Specification

(Dockerfiles)

Adobe Flex

(ActionScript)

Configuration

Java Apache Tomcat

Oracle Application

Development

Framework (ADF)

GitHub Actions

Configuration

Java Spring and

Spring MVC

Google Android

Configuration

Java Blaze DS

Ajax Frameworks

Java Spring Boot

Java Spring Mail

Java Spring Security

Java Spring

PHP Configuration

PHP WordPress

Java Hibernate

Configuration

Amazon Web Service

(AWS)

iOS Property List

J2EE Configuration

Java Apache Axis

Java iBatis

Configuration

Silverlight

Configuration

Ansible

AWS CloudFormation

Java IBM WebSphere WebSockets

Terraform (AWS,

Azure, GCP)

Java Apache Log4j

Configuration

Azure Resource

Manager (ARM)

Java MyBatis

Configuration

Java Weblogic

Kubernetes

Mule

WS-SecurityPolicy

XML Schema

Java Apache Spring

Security (Acegi)

Build Management

Infrastructure as Code: Amazon Web Services

API Gateway

AppSync

Database Migration

Service (DMS)

ElastiCache

EMR

Lightsail

Rekognition

Route 53

Location Service

DocumentDB

DynamoDB

EC2

Athena

FinSpace

FSx

Mainframe

Modernization

SageMaker

Aurora

Secrets Manager

Managed Streaming

for Apache Kafka

(MSK)

Backup

Global Accelerator

Glue

Simple Notification

Service (SNS)

Elastic Block Store

(EBS)

Batch

Simple Queue Service

(SQS)

Certificate Manager

CloudFormation

CloudFront

CloudTrail

CloudWatch

CodeStar

Cognito

GuardDuty

MemoryDB for Redis

MQ

Elastic Container

Registry (ECR)

Identity and Access

Management (IAM)

Simple Storage Service

(S3)

Elastic Container

Service (ECS)

Neptune

Image Builder

OpenSearch Service

Timestream

Transfer Family

VPC

Key Management

Service (KMS)

Elastic File System

(EFS)

Quantum Ledger

Database (QLDB)

Kinesis

Elastic Kubernetes

Service (EKS)

RDS

WorkSpaces Family

Kinesis Video Streams

Redshift

Config

Elastic Load Balancing

(ELB)

Fortify Software (24.4.0)

Page 38 of 73

System Requirements

Infrastructure as Code: Microsoft Azure

App Service

Automation

Batch

Database for MySQL

IoT Hub

SignalR Service

Site Recovery

Spring Apps

SQL

Blob Storage

Database for

PostgreSQL

Key Vault

Logic Apps

Media Services

Monitor

Microsoft Entra

Domain Services

Cache for Redis

Cognitive Search

Container Registry

Cosmos DB

Databricks

Azure Health Data

Services

Defender for Cloud

Event Hubs

Front Door

Storage Accounts

NetApp Files

Policy

Virtual Machine Scale

Sets

Azure Kubernetes

Service (AKS)

Database for MariaDB

IoT Central

Virtual Machines

Web PubSub

Portal

Infrastructure as Code: Google Cloud

Apigee API

Management

Cloud DNS

Cloud Spanner

Cloud SQL

Filestore

Identity and Access

Management (IAM)

Cloud Functions

Google Cloud Platform

App Engine

BigQuery

Media CDN

Pub/Sub

Cloud Key

Management

Cloud Storage

Compute Engine

Google Kubernetes

Engine (GKE)

Cloud Bigtable

Cloud Load Balancing

Cloud Logging

Secret Manager

Secrets

.netrc

Defined

DES

HashiCorp (Terraform,

Vault)

New Relic

npm

Sendbird

SendGrid

Sentry

1Password

Heroku

Actually Good

Encryption (AGE)

DigitalOcean

Docker

NuGet

Okta

HexChat

SHA1

Adafruit

HubSpot

Doppler

Droneci

Dropbox

Duffel

OpenVPN

SHA256

SHA512

Shippo

Adobe

Intercom

Password in

comment

Airtable

Java

Algolia

JFrog (Artifactory)

JSON Web Token

KDE Wallet (Kwallet)

KeePass

Password in

connection string

Shopify

Sidekiq

Alibaba (Aliyun)

Amazon (AWS, MWS)

Apple (macOS)

Apache HTTP

Asana

Dynatrace

EasyPost

Encryption key

Etsy

Password in

PowerShell script

Slack

SonarQube

Square

Password in URI

Password Safe

PayPal (Braintree)

Pidgin

Kraken

Kucoin

Facebook

Fastly

Squarespace

StackHawk

Stripe

Atlassian

LaunchDarkly

Linear

Authress

Finicity

Plaid

Fortify Software (24.4.0)

Page 39 of 73

System Requirements

Basic access

authentication

Finnhub

Lob

Planetscale

PostgreSQL

Postman

Prefect

Sumologic

Travis

Flickr

bcrypt

Flutterwave

Frame.io

Freshbooks

Git

Mailchimp

Mailgun

Mapbox

Mattermost

MD5

Beamer

Trello

Bearer token

Bitbucket

Bittrex

Pulumi

Twilio

PuTTY

Twitch

GitHub

PyPI

Twitter

Typeform

Yandex

Zendesk

Brevo (Sendinblue)

Clojars

GitLab

MessageBird

RapidAPI

Readme

RSA Security

Gitter

Microsoft (Azure App

Storage, Cosmos DB,

Functions and Bitlocker,

PowerShell, RDP, VBScript)

Code Climate

Codecov

GNOME

GNU (Bash)

GoCardless

Ruby (Ruby on Rails,

RubyGems)

Coinbase

Confluent

Contentful

Databricks

Datadog

Microsoft (Outlook)

Mutt

Sauce Labs

Secret key

Google (API, Google

Cloud, OAuth)

MySQL

Grafana

Secure Shell Protocol

(SSH)

Netlify

Build Tools

Fortify Static Code Analyzer supports the build tools listed in the following table.

Build tool

Ant

Versions

Notes

1.9.x, 1.10.x

Bazel

6.x (6.4.0 or later), 7.x

6.0–8.0, 9.x

dotnet

Gradle

5.0–7.4.x, 7.6, 8.0.2, 8.1,

8.3, 8.5

Fortify Static Code Analyzer Gradle integration

supports the following language and operating

system combinations:

Language

Java

Operating Systems

Windows, Linux, macOS

Windows, Linux

Linux

Kotlin

C, C++

Fortify Software (24.4.0)

Page 40 of 73

System Requirements

Build tool

Versions

Notes

5.6.4 - 8.3.x, 8.5

Fortify Static Code Analyzer Gradle Plugin supports

the following language and operating system

combinations:

Language

Java

Operating Systems

Windows, Linux

Kotlin

Maven

3.0.5, 3.5.x, 3.6.x, 3.8.x,

3.9.x

MSBuild

xcodebuild

14.0, 15.x, 16.x, 17.0–

17.11

MSBuild integration is supported on Windows and

Linux

14.3, 14.3.1, 15, 15.0.1,

15.1, 15.2, 15.3, 15.4, 16,

16.1, 16.2

Compilers

Fortify Static Code Analyzer supports the compilers listed in the following table.

Compiler

Versions

Operating systems

Windows, Linux, macOS

Windows, Linux, macOS, AIX

Windows, Linux, macOS

Windows, Linux, macOS, AIX

Windows, Linux, macOS

Windows

gcc

GNU gcc 6.x–10.4, 11, 12, 13

GNU gcc 4.9, 5.x

g++

GNU g++ 6.x–10.4, 11, 12, 13

GNU g++ 4.9, 5.x

OpenJDK javac

Oracle javac

cl (MSVC)

Clang

9, 10, 11, 12, 13, 14, 17, 21

7, 8, 9

2015, 2017, 2019, 2022

14.0.3, 15.0.0, 16.0.0

5.8, 5.8.1, 5.9, 5.9.2, 5.10, 6.0, 6.0.2, 6.0.3

macOS

1

Swiftc

macOS

Fortify Software (24.4.0)

Page 41 of 73

System Requirements

1

Fortify Static Code Analyzer supports applications built in the following Xcode versions: 14.3, 14.3.1,

15, 15.0.1, 15.1, 15.2, 15.3, 15.4, 16, 16.1, 16.2.

Fortify Software Security Content

Fortify Secure Coding Rulepacks are backward compatible with all supported Fortify Software

versions. This ensures that Rulepack updates do not break any working Fortify Software installation.

Fortify Static Code Analyzer Applications and Tools

Requirements

This section describes the system requirements for Fortify Static Code Analyzer applications and

tools.

Hardware Requirements

Fortify Static Code Analyzer applications and tools require a system with at least 8 GB of RAM. In

addition, Fortify Static Code Analyzer applications used to perform code analysis have the same

hardware requirements as Fortify Static Code Analyzer (see "Hardware Requirements" on page 30).

Platforms and Architectures

Fortify Static Code Analyzer applications and tools support the platforms and architectures listed in

the following table.

Operating system

Windows

Platforms / versions

10, 11

Linux

Red Hat Enterprise Linux 7.x, 8, 9

SUSE Linux Enterprise Server 15

Important! Fortify Audit Workbench, Fortify Custom Rules Editor, and

Fortify Scan Wizard require GTK version 3.22 or later. Some platform

versions include this requirement such as Red Hat Enterprise Linux 7.4

and later.

macOS

13, 14

Fortify Software (24.4.0)

Page 42 of 73

System Requirements

Software Requirements

The Fortify Applications and Tools installation includes an embedded OpenJDK/JRE version 17.0.11,

which the applications and tools require. You do not need to install Java 17.

To use Fortify Static Code Analyzer applications and tools, you must have Read and Write

permissions for the Fortify Applications and Tools installation directory.

To run Fortify Audit Workbench, Fortify Custom Rules Editor, or Fortify Scan Wizard remotely from a

local server, you must use a remote desktop connection such as Virtual Network Computing (VNC) or

Windows Remote Desktop Connection. Do not use X Window System (X11) forwarding to access

these applications from a remote server.

Service Integrations for Fortify Applications and Tools

The following table lists the supported service integrations for Fortify Audit Workbench and the

Secure Code Plugins.

Service

Versions

Supported applications

ALM Quality Center

12.50

Fortify Audit Workbench

Fortify Plugin for Eclipse

Azure DevOps Server

2019

2020

2022

Fortify Audit Workbench

Fortify Plugin for Eclipse

Fortify Extension for Visual

Studio

Azure DevOps

Not applicable

Fortify Audit Workbench

Fortify Plugin for Eclipse

Note: Only basic user password

authentication is supported.

Jira Software Server

Jira Software Cloud

8.13

9.10

Fortify Audit Workbench

Fortify Plugin for Eclipse

Not applicable

Fortify Audit Workbench

Fortify Plugin for Eclipse

Fortify Software Security Center Bug 24.4.0

Tracker

Fortify Audit Workbench

Fortify Plugin for Eclipse

Fortify Software (24.4.0)

Page 43 of 73

System Requirements

Service

Versions

Supported applications

Fortify Extension for Visual

Studio

Secure Code Plugins

The following table lists the supported integrated development environments (IDE) for the Secure

Code Plugins.

Secure Code Plugin

IDE

Versions

Notes

Fortify Plugin for Eclipse

Eclipse

2023-x

2024-03

2024-06

Fortify Analysis Plugin for

IntelliJ IDEA and Android

Studio

IntelliJ IDEA

2023.x

2024.1

2024.2

IntelliJ IDEA Ultimate and

Community Edition are

supported.

Android Studio

2023.x

2024.1

Fortify Extension for Visual Visual Studio

Studio

2017

2019

2022

Visual Studio Community,

Professional, and Enterprise

editions for Windows are

supported. For supported

MSBuild versions, see "Build

Tools" on page 40.

Authentication for Connecting to Fortify Software Security

Center

In addition to user name and password authentication, Fortify Audit Workbench and all the Secure

Code Plugins can use token-based and SSO authentication with Fortify Software Security Center.

The following table lists the SSO methods that are supported for Fortify Static Code Analyzer

applications to connect to Fortify Software Security Center.

Application

SSO method

Fortify Audit Workbench

X.509

Fortify Software (24.4.0)

Page 44 of 73

System Requirements

Application

SSO method

Fortify Plugin for Eclipse

X.509

Fortify Extension for Visual Studio X.509

SPNEGO/Kerberos

BIRT Reports

To generate BIRT reports on a Linux system from the Secure Code Plugins or the

BIRTReportGenerator utility, you must install the fontconfig library, DejaVu Sans fonts, and DejaVu

Serif fonts on the server.

To run the BIRTReportGenerator utility in a Linux Docker container, you must have the X Window

System (X11) libraries installed in the image. The X11 libraries provide the graphical user interface

API that BIRT requires for data visualization.

Example for Red Hat Enterprise Linux and CentOS:

yum -y install xorg-x11-xauth xorg-x11-fonts-* xorg-x11-utils

Example for Ubuntu:

apt-get install x11-apps

Fortify WebInspect Requirements

Before you install Fortify WebInspect, make sure that your system meets the requirements described

in this section. OpenText does not support beta or pre-release versions of operating systems, service

packs, or required third-party components.

WebInspect Hardware Requirements

OpenText recommends that you install Fortify WebInspect on a system that conforms to the

supported components listed in the following table.

Component

Requirement

Notes

Processor

2.5 GHz quad-

core or faster

Complex applications might benefit from additional cores.

Fortify Software (24.4.0)

Page 45 of 73

System Requirements

Component

Requirement

Notes

RAM

16 GB

Complex applications might benefit from additional memory.

OpenText recommends 32 GB of memory to scan with

single-page application (SPA) support.

Hard disk

Display

40 GB

Using SQL Express and storing scans locally requires

additional disk space per scan.

1280 x 1024

WebInspect Software Requirements

Fortify WebInspect runs on and works with the software packages listed in the following table.

Package

Versions

Notes

Windows

Windows 10

Recommended

Important! Not all builds of Windows 10

support .NET Framework 4.8. Refer to

Microsoft’s website to identify Windows 10

builds that support .NET Framework 4.8.

Windows 11

This version is required for conducting scans of

gRPC APIs.

Windows Server 2019

Windows Server 2022

.NET Framework 4.8

SQL Server 2019

.NET Platform

SQL Server

Recommended

(English-language

versions only)

No scan database limit

SQL Server 2022

No scan database limit

Fortify Software (24.4.0)

Page 46 of 73

System Requirements

Package

Versions

Notes

Azure SQL Server

Using Azure SQL Server outside the Azure

infrastructure might cause poor performance for

Fortify WebInspect. OpenText recommends

using Azure SQL Server with Fortify WebInspect

inside the Azure infrastructure only.

SQL Server Express

SQL Server 2019

Express

Recommended

(English-language

versions only)

10 GB scan database limit

SQL Server 2022

Express

10 GB scan database limit

Portable Document

Format

Adobe Acrobat Reader Recommended

11

Adobe Acrobat Reader Minimum

8.1.2

Support for Postman

A Postman collection version 2.0 or 2.1 is required to conduct scans in Fortify WebInspect.

Additionally, you must install the following third-party software on the machine where Fortify

WebInspect is installed:

l

Newman command-line collection runner 4.5.1 or later

Important! You must install Newman globally rather than locally. You can do this by adding a

-goption to the installation command, as follows:

npm install -g newman

When you install Newman, a path variable for Newman is automatically added to the user

variables. The path variable is similar to the following:

<directory_path>\AppData\Roaming\npm

You must manually add the same Newman path variable to the system environment variables.

Ensure that the variable is in both the user variables and system environment variables before

proceeding.

System variables are read only when the machine boots, so after manually adding the path

variable, you must restart your machine. See your Windows documentation for specific

instructions on how to add a system environment variable.

Fortify Software (24.4.0)

Page 47 of 73

System Requirements

l

Node.js and the included Node Package Manager (NPM)

Note: Install the Node.js version that is required for the version of Newman that you install. For

more information, see https://www.npmjs.com/package/newman.

Notes on SQL Server Editions

When using the Express edition of SQL Server:

l

Scan data must not exceed the database size limit. If you require a larger database or need to share

your scan data, use the full version of SQL Server.

l

During the installation you might want to enable “Hide advanced installation options.” Accept all

default settings. Fortify WebInspect requires that the default instance is named SQLEXPRESS.

When using the full edition of SQL Server:

l

You can install the full version of SQL Server on the local host or nearby (co-located). You can

configure this option in Fortify WebInspect Application Settings (Edit > Application Settings >

Database).

l

The account specified for the database connection must also be a database owner (DBO) for the

named database. However, the account does not require sysadmin (SA) privileges for the database

server. If the database administrator (DBA) did not generate the database for the specified user,

then the account must also have the permission to create a database and to manipulate the

security permissions. The DBA can rescind these permissions after Fortify WebInspect sets up the

database, but the account must remain a DBO for that database.

WebInspect on Docker

Fortify WebInspect on Docker has the software requirements listed in the following table.

Package

Versions

Notes

Windows

Windows Server The Windows version supports the process

2019

isolation runtime mode.

Red Hat Universal Base

Image (UBI)

8.x x86_64

The Linux version supports conducting scans of

gRPC APIs.

Follow Docker recommendations for the Docker engine version to use for these versions of Windows

and Red Hat images.

Notes on Image Databases

SQL Server Express is the default database for the Fortify WebInspect images. There is a 10 GB scan

database limit.

Fortify Software (24.4.0)

Page 48 of 73

System Requirements

Hardware Requirements

OpenText recommends that you install Fortify WebInspect on Docker on a host that conforms to the

supported components listed in the following table and configure the container to use these

resources. OpenText does not support beta or pre-release versions of operating systems, service

packs, and required third-party components.

Component

Requirement

Notes

Processor

2.5 GHz quad-

core or faster

Complex applications might benefit from additional cores.

RAM

16 GB

Complex applications might benefit from additional memory.

OpenText recommends 32 GB of memory to scan with

single-page application (SPA) support.

Hard disk

40 GB

Using SQL Express and storing scans locally requires

additional disk space per scan.

Fortify WebInspect Ports and Protocols

This section describes the ports and protocols Fortify WebInspect uses to make required and optional

connections.

Required Connections

The following table lists the ports and protocols Fortify WebInspect uses to make required

connections.

Direction

Endpoint

URL or details

Port

Protocol

Notes

Fortify

Target host

Scan target host

Any

HTTP

Fortify

WebInspect

to target host

WebInspect must

connect to the

web application or

web service to be

scanned.

Fortify

WebInspect

to SQL

SQL Server Express,

SQL Server

Standard/Enterprise,

or Azure SQL Server

SQLEXPRESS service on localhost or

SQL TCP service locally installed or

remote host

1433

SQL TCP

Used to maintain

the scan data and

to generate

reports within the

Fortify

database

WebInspect

application.

Fortify Software (24.4.0)

Page 49 of 73

System Requirements

Direction

Endpoint

URL or details

Port

Protocol

Notes

Fortify

Sectigo CRL

http://crl.sectigo.com/

80

HTTP

Offline

WebInspect

to Certificate

Revocation

List (CRL)

SectigoPublicCodeSigningCAR36.crl

installations of

Fortify

WebInspect or

Fortify

WebInspect

Enterprise require

you to manually

download and

apply the CRL

from Verisign.

Fortify

WebInspect

products prompt

for these lists

from Windows

and their absence

can cause

problems with the

application. A

one-time

download is

sufficient,

however

OpenText

recommends that

you download the

CRL as part of

regular

maintenance.

Optional Connections

The following table lists the ports and protocols Fortify WebInspect uses to make optional

connections.

Direction

Endpoint

URL or details

Port

Protocol

Notes

Fortify

Remote Fortify https://licenseservice.

443

HTTPS

For one-time

WebInspect to Licensing

Fortify License Service

activation

over SSL

activation of a Fortify

WebInspect Named

User license. You

may optionally use

the following:

server

Fortify Software (24.4.0)

Page 50 of 73

System Requirements

Direction

Endpoint

URL or details

Port

Protocol

Notes

l

An offline

activation process

instead of using

this direct

connection

l

Upstream proxy

with

authentication

instead of a direct

connection

Fortify

Remote

https://smartupdate.

443

HTTPS

over SSL

Used to

automatically update

the Fortify

WebInspect product.

SmartUpdate is

automatic when

opening the product

UI, but can be

WebInspect to SmartUpdate

SmartUpdate

server

service

disabled and run

manually. Can

optionally use

upstream proxy with

authentication

instead of a direct

connection.

Fortify

Remote Fortify https://supportchannel.

443

HTTPS

over SSL

Used to retrieve

product marketing

messages and to

upload Fortify

WebInspect to Support

Fortify Support Channel

Channel server service

https://www.debricked.com/api/

WebInspect data or

product suggestions

to Customer Support.

Message check is

automatic when

opening the product

UI, but can be

disabled and run

manually. Can

optionally use

upstream proxy with

authentication

instead of a direct

connection.

Fortify

Lease Concurrent User license

443

Web

services

over SSL

Required for Fortify

WebInspect client to

lease and use a

WebInspect to WebInspect

Fortify License LIM

Fortify Software (24.4.0)

Page 51 of 73

System Requirements

Direction

Endpoint

URL or details

Port

Protocol

Notes

and

Infrastructure

Manager (LIM) Service)

(Local

Licensing

Concurrent User

license maintained in

a LIM license pool.

You can detach the

client license from

LIM after activation

to avoid a constant

connection.

Fortify

WebInspect API API, or network webinspect/api

listener IP address

Local machine http://localhost:8083/

8083 or

user-

specified

HTTP

Use to activate a

Fortify WebInspect

API Windows Service.

This opens a

listening port on your

machine, which you

can use locally or

remotely to generate

scans and retrieve

the results

programmatically.

This API can be SSL

enabled, and

supports Basic or

Windows

authentication.

Fortify

User-specified Fortify WebInspect

server

443 or

user-

HTTP or

HTTPS

The Enterprise

Server menu

WebInspect to WebInspect

Fortify

WebInspect

Enterprise

server

specified

over SSL

connects Fortify

WebInspect as a

client to the

enterprise security

solution to transfer

findings and user role

and permissions

management.

Fortify

WebInspect

sensor service Enterprise

to Fortify

WebInspect

Enterprise

Fortify

WebInspect

User-specified Fortify WebInspect

server

443 or

user-

specified

HTTP or

HTTPS

over SSL

Separate from the

Fortify WebInspect

UI, you can configure

the local installation

as a remote scan

engine for use by the

enterprise security

solution community.

This is done through

a Windows Service.

This constitutes a

different product

server

Fortify Software (24.4.0)

Page 52 of 73

System Requirements

Direction

Endpoint

URL or details

Port

Protocol

Notes

from Fortify

WebInspect desktop

and is recommended

to be run on its own,

non-user-focused

machine.

Browser to

Fortify

WebInspect

localhost

Manual Step-Mode Scan

Dynamic,

8081, or

user-

HTTP or

HTTPS

over SSL

Fortify WebInspect

serves as a web

proxy to the browser,

enabling manual

specified

testing of the target

web server through

Fortify WebInspect.

Fortify

ALM Quality

User-specified ALM Quality Center

server

Server-

specified

HTTP or

HTTPS

over SSL

Permits submission

of findings as defects

to the ALM Quality

Center bug tracker.

WebInspect to Center server

ALM Quality

Center

Fortify

WebInspect to service

Debricked API

Debricked

https://www.debricked.com/select/

443

HTTPS

over SSL

If enabled, provides

Debricked Health

Metrics and extends

the local NVD to

include the newest

CVEs.

Connections for Tools

The following table lists the ports and protocols that the Fortify WebInspect tools use to make

connections.

Tool

Direction

Endpoint

Port

Protocol

Notes

Web Proxy

To target host

localhost

8080 or

user-

HTTP or

HTTPS

Intercepts and displays web traffic

specified

over SSL

Web Form

Editor

To target host

localhost

Dynamic,

8100, or

user-

HTTP or

HTTPS

over SSL

Intercepts web traffic and captures

submitted forms

specified

Login or

Workflow

Macro

Dynamic,

8081, or

user-

HTTP or

HTTPS

over SSL

Records browser sessions for replay

during scan

Recorders

specified

Web

Discovery

Fortify WebInspect Target host User-

machine to network specified

HTTP and Scanner for identifying rogue web

HTTPS

applications hosted among the targeted

Fortify Software (24.4.0)

Page 53 of 73

System Requirements

Tool

Direction

Endpoint

Port

Protocol

Notes

targeted IP range

range

over SSL

scanned IP and port ranges

Use to provide targets to Fortify

WebInspect (manually)

WebInspect Software Development Kit (SDK)

The WebInspect SDK requires the following software:

l

Visual Studio 2019 (version 16.9.0)

l

.NET Framework 4.8

Important! Visual Studio Express versions do not support third-party extensions. Therefore,

these versions do not meet the software requirements to use the WebInspect SDK.

Software Integrations for Fortify WebInspect

The following table lists products that you can integrate with Fortify WebInspect.

Product

Versions

Fortify WebInspect Enterprise

OpenText™ ALM Quality Center

23.2.0

11.5, 12.01,

12.21, 12.53

Note: You must also install the ALM Quality Center Connectivity tool to

connect Fortify WebInspect to ALM Quality Center.

Fortify Software Security Center

24.4.0

11.5

OpenText™ Unified Functional Testing (UFT) One

Fortify WebInspect Agent Requirements

Fortify WebInspect Agent technology is delivered for production application logging and protection.

Platforms and Architectures

Fortify WebInspect Agent supports 32-bit and 64-bit applications written in Java 5, 6, 7, 8, and 10.

Fortify Software (24.4.0)

Page 54 of 73

System Requirements

Java Runtime Environments

Fortify WebInspect Agent supports the Java Runtime Environments listed in the following table.

JRE

Versions

IBM J9

5 (SR10 or later)

6 (SR6 or later)

Oracle HotSpot 5, 6, 7, 8

Oracle JRockit 5, 6 (R27.6 or later)

Note: The Java agent is supported on Windows, Linux, and UNIX®.

Java Application Servers

Fortify WebInspect Agent supports the Java application servers listed in the following table.

Application server

Apache Tomcat

Versions

6.0, 7.0, 8.0, 9.0

IBM® WebSphere®

Oracle® WebLogic®

7.0, 8.0, 8.5, 8.5.5

10.0, 10.3, 11g, 11gR1, 12c

Red Hat® JBoss® Application Server Enterprise Application Platform 7.3.0 or earlier

Eclipse® Jetty®

9.3

Red Hat® WildFly

20.0.1 or earlier

.NET Framework

Fortify WebInspect Agent supports .NET Framework versions 2.0, 3.0, 3.5, 4.0, and 4.5–4.8.

IIS for Windows Server

Fortify WebInspect Agent supports Internet Information Services (IIS) versions 6.0, 7.0, 7.5, 8, 8.5, and

10.0.

Fortify Software (24.4.0)

Page 55 of 73

System Requirements

Fortify WebInspect Enterprise Requirements

Before you install Fortify WebInspect Enterprise, make sure that your systems meet the requirements

described in this section. OpenText does not support beta or pre-release versions of operating

systems, service packs, or required third-party components.

Note: Product versions that are not specifically listed in this document are not supported.

Important Information About This Release

Fortify WebInspect Enterprise was not updated for the 24.4.0 release. However, Fortify WebInspect

Enterprise 23.2.0 is compatible with Fortify Software Security Center 24.4.0 and the Fortify

WebInspect 24.4.0 sensor.

Integrations for Fortify WebInspect Enterprise

You can integrate Fortify WebInspect Enterprise with the following components:

l

Fortify WebInspect sensors 24.4.0

l

Fortify WebInspect Agent 24.4.0

Fortify WebInspect Enterprise Database

OpenText recommends that you configure the database server on a separate machine from either

Fortify Software Security Center or Fortify WebInspect Enterprise.

The Fortify WebInspect Enterprise Server SQL database requires case-insensitive collation.

Important! This is opposite the requirement for Fortify Software Security Center databases as

described in "Fortify Software Security Center Database" on page 25.

Fortify WebInspect Enterprise Hardware Requirements

The following table lists the hardware requirements for the Fortify WebInspect Enterprise server.

Component

Processor

RAM

Requirement

3.0 GHz quad-core

16 GB

Hard disk

Display

100+ GB

1920 x 1080

Fortify Software (24.4.0)

Page 56 of 73

System Requirements

Fortify WebInspect Enterprise Software Requirements

Fortify WebInspect Enterprise server runs on and works with the software packages listed in the

following table.

Package

Versions

Notes

Windows

Windows Server 2016 Recommended

Windows Server 2019

.NET Platform

Web Server

.NET Framework 4.8

IIS 10

Recommended

IIS 7.5, 8.0, 8.5

SQL Server 2019

SQL Server

Recommended

(English-language

versions only)

No scan database limit

SQL Server 2017

No scan database limit

SQL Server 2016 SP2 No scan database limit

Browser

All modern browsers

and versions

Administrative Console Requirements

This section describes the hardware and software requirements for the Fortify WebInspect Enterprise

Administrative Console.

You do not need to install the Fortify WebInspect Enterprise Administrative Console on the same

machine as the Web Console of the Fortify WebInspect Enterprise server. The two consoles have

different system requirements. In addition, you can install multiple Administrative Consoles on

different machines connected to the same Fortify WebInspect Enterprise server.

Fortify Software (24.4.0)

Page 57 of 73

System Requirements

Hardware Requirements

The following table lists the hardware requirements for Fortify WebInspect Enterprise Administrative

Console.

Component

Processor

RAM

Requirement

Notes

2.5 GHz dual-core Minimum

4 GB

Minimum

Hard disk

Display

2 GB

1980 x 1080

1280 x 1024

Recommended

Minimum

Software Requirements

The Fortify WebInspect Enterprise Administrative Console runs on and works with the software

packages listed in the following table.

Package

Versions

Notes

Windows

Windows 10

Recommended

Windows 8.1

Windows Server 2016

Windows Server 2019

.NET Framework 4.8

.NET

Fortify WebInspect Enterprise Ports and Protocols

This section describes the ports and protocols Fortify WebInspect Enterprise uses to make required

and optional connections.

Fortify Software (24.4.0)

Page 58 of 73

System Requirements

Required Connections

The following table lists the ports and protocols Fortify WebInspect Enterprise uses to make required

connections.

URL or

Direction

Endpoint

details

Port

Protocol

Notes

Fortify WebInspect

Enterprise Manager

server to SQL

SQL Server

Standard/Enterprise

SQL TCP

service on

locally

1433 or

user-

specified

SQL TCP

Used to maintain the scan data

and full Enterprise environment.

Custom configurations of

database

installed or

remote host

SQL Server are permitted,

including port changes and

encrypted communication.

Fortify WebInspect

Enterprise Manager

machine to Fortify

Software Security

Center server

Fortify Software

Security Center server specified

User-

8180 or

user-

specified

HTTP or

HTTPS

over SSL

As a modular add-on, Fortify

WebInspect Enterprise requires

a connection to its core Fortify

Software Security Center

server.

Fortify

Software

Security

Center server

Note: This connection is

required only if you

integrate Fortify

WebInspect Enterprise

with Fortify Software

Security Center.

Sensor machines to

Fortify WebInspect

Enterprise Manager

server

Fortify WebInspect

Enterprise server

User-

specified

Fortify

WebInspect

Enterprise

server

443 or

user-

specified

HTTPS

over SSL

Communication is two-way

HTTP traffic, initiated in-bound

by the Fortify WebInspect

sensor machine.

Browser users to

Fortify WebInspect

Enterprise server UI

Fortify WebInspect

Enterprise server

User-

specified

Fortify

WebInspect

Enterprise

server

443 or

user-

specified

HTTPS

over SSL

You can configure Fortify

WebInspect Enterprise not to

use SSL, but tests indicate that

it might affect the product

usability.

Browser user to

Fortify Software

Security Center UI

Fortify Software

Security Center server specified

User-

8180 or

user-

specified

HTTP or

HTTPS

over SSL

You can configure the Fortify

Software Security Center server

on any available port during

installation.

Fortify

Software

Security

Center server

Fortify Software (24.4.0)

Page 59 of 73

System Requirements

Optional Connections

The following table lists the ports and protocols Fortify WebInspect Enterprise uses to make optional

connections.

Direction

Endpoint

URL or details

Port

Protocol

Notes

Fortify

WebInspect

desktop

machines to

Fortify

User-specified Fortify

WebInspect Enterprise user-

server

443 or

HTTPS

over SSL

Communication is two-way HTTP

traffic, initiated in-bound by the

Fortify WebInspect desktop

machine.

WebInspect

Enterprise

server

specified

WebInspect

Enterprise

Manager

server

Fortify

Licensing

Service

https://licenseservice.

443

HTTPS

over SSL

For one-time activation of the

Fortify WebInspect Enterprise

server license as well as periodic

checks during an update. You may

optionally use the following:

WebInspect

Enterprise

Manager

machine to

Fortify License

activation

server

l

An offline activation process

instead of using this direct

connection

l

Upstream proxy with

authentication instead of a

direct Internet connection

Important! If you use the

offline activation process,

then you must also use the

offline SmartUpdate process.

For more information, see the

OpenText™ Fortify

WebInspect Enterprise User

Guide or the WebInspect

Enterprise Administrative

Console help.

Fortify Software (24.4.0)

Page 60 of 73

System Requirements

Direction

Endpoint

URL or details

Port

Protocol

Notes

Fortify

SmartUpdate

https://smartupdate.