User Guide
Document Release Date: June 2013 Software Release Date: June 2013
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
Copyright 2013 Hewlett-Packard Development Company, L.P.
Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number, which indicates the software version
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to: http://h20230.www2.hp.com/selfsolve/manuals

This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: http://h20229.www2.hp.com/passport-registration.html

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-153-2013-06-390-01
Contents

Preface ... vii
  Contacting HP Fortify ... vii
    Technical Support ... vii
    Corporate Headquarters ... vii
    HP Corporate Website ... vii
  About the HP Fortify Software Security Center Documentation Set ... vii
  HP Fortify Assistive Technologies (Section 508) ... vii

Chapter 1: Introduction ... 8
  Intended Audience ... 8
  Related Documents ... 8

Chapter 2: Getting Started with Software Security Center ... 9
  About the Central Role of Software Security Center ... 9
    Security Management Workflow ... 10
  About User Accounts and Access ... 10
    About Active Directory/LDAP Integration ... 10
    Logging on to Software Security Center for the First Time ... 11
    Requesting Access to HP Fortify Software Security Center ... 12
  Accessing Process Guidance ... 13
  About the Software Security Center Dashboard ... 14
    Changing Your Account Information ... 15
    Configuring Dashboard Preferences ... 15
    Accessing HP Fortify Training Content ... 18
  About the Runtime Tab ... 19
    Runtime Events ... 19

Chapter 3: Managing User Accounts ... 20
  About Software Security Center User Account Management ... 20
    About Administrator Accounts ... 20
    About Security Lead Accounts ... 20
    Manager Accounts ... 21
    Developer Accounts ... 22
  Modifying Your Own User Account Information ... 23
    Customizing User Account Preferences ... 23
  Tracking Teams ... 23
  Roles ... 24
    Creating Custom Roles ... 25
  About Software Security Center Account Administration ... 29
    Creating Local User Accounts ... 29
    Registering LDAP Entities with Software Security Center ... 31

Chapter 4: Software Security Center Projects and Project Versions ... 32
  About Tracking Development Teams ... 32
    Projects and Project Versions ... 32
    About Strategies for Creating Project Versions ... 33
    About Annotating Project Versions for Reporting ... 33
  Displaying the Projects Page ... 34
    Project Icons ... 35
  About the Project Creation Process ... 36
    About Project Version Types ... 36
    About Project Dependencies ... 36
    About Project Version Attributes ... 36
    About Project Template Selection ... 37
    About Process Templates for SSA Projects ... 38
  About Creating Project Versions ... 39
    Adding Project Versions ... 39
  About Using Bug Tracking Systems to Help Manage Security Vulnerabilities ... 43
    Configuring Access to a Bug Tracker ... 43
    Configuring Bug Tracking for a Project Version ... 43
    About Using State Management to File Many Issues ... 44
  Changing the Project Template Associated with a Project Version ... 46
  Project On-Boarding ... 48
    Requesting Project Attribute Information ... 48
  Setting Analysis Result Processing Rules for Project Versions ... 53
  About Custom Tags ... 55
    Defining Custom Tags in Software Security Center ... 55
    Adding a Custom Tag ... 56
    Modifying Custom Tag Attributes ... 57
    Globally Hiding a Custom Tag ... 58
    Deleting Custom Tags ... 58
    Adding a Value for a Custom Tag ... 59
    Changing a Value for a Custom Tag ... 59
    Deleting a Value for a Custom Tag ... 60
    Associating a Custom Tag with a Project Template ... 60
    Viewing the Custom Tags Associated with a Project Template ... 61
    Disassociating a Custom Tag from a Project Template ... 62
    Associating a Custom Tag with a Project Version ... 63
    Disassociating a Custom Tag from a Project Version ... 64
    Adding a Custom Tag Value While Auditing an Issue ... 64
    Managing Custom Tags Through Project Templates ... 65
    Managing Custom Tags Through a Project Template in an FPR File ... 65
  About CloudScan in Software Security Center ... 66

Chapter 5: SSA Project Version Requirements ... 68
  About the Requirements Page ... 68
  Displaying the Requirements Detail Page ... 68
  About Process Requirements and Activities ... 69
  About Activities, Requirements, and Process Templates ... 70
    About SSA Project Sign Offs ... 70
    About Sign-Off Personas ... 70
    About Signing Off Activities ... 70
    About Multi-Persona Sign Offs ... 70
    About Signing Off Requirements ... 71
    Overview of Sign Off Process Templates ... 71
  Assigning User Accounts to Personas ... 71
    Assigning a Power User ... 72
  About Process Template Work Owners ... 72
    About Assignment of Work Owners to Personas ... 73
  About Software Security Center Persona Management ... 73
    Viewing and Editing Personas ... 74
    Deleting Personas ... 75
  Adding Tasks to Activities ... 75
  About Adding Status Alerts to Requirements and Activities ... 75
  About Working with Document Artifacts ... 76

Chapter 6: Variables, Performance Indicators, and Alerts ... 77
  About Working with Variables ... 77
    About Variable Syntax and Search Strings and Search String Modifiers ... 77
    Creating Variables ... 80
  About Performance Indicators ... 81
    Creating Performance Indicators ... 81
  About Alert Definitions ... 83
    Creating Alert Definitions ... 83
    Setting Alert Notification Preferences ... 84

Chapter 7: Collaborative Auditing ... 85
  About Auditing ... 85
    About Current Issues State ... 85
    About Audit Conflicts ... 85
  Starting the Collaboration Module ... 86
  About Collaboration Module Display Modes ... 87
  Auditing Issues with Collaboration Module ... 88
  About Searching Issues ... 89
    About Search Modifiers ... 90
    Search Query Examples ... 92
  About HP Fortify Software Security Center and WebInspect Enterprise Integration ... 93
    Viewing WebInspect Scan Results in Software Security Center ... 93
    About WebInspect Audit Data ... 96
    About False Positives ... 96
    Requesting Dynamic Scans ... 97
    Viewing the Status of the Last Dynamic Scan Request ... 98
  Mapping Scan Results to External Lists ... 101

Chapter 8: Software Security Center Reports ... 102
  Generating and Viewing Reports ... 102
  About Software Security Center Reports ... 103
  About Software Security Center Issue Reports ... 105
    OWASP 2004, 2007, 2010 Reports ... 105
    PCI Compliance: Application Security Report ... 105
    Penetration Testing Correlation ... 106
    Seven Pernicious Kingdoms Report ... 106
  Understanding Software Security Center Portfolio Reports ... 106
    Hierarchical Summary Report ... 106
    Hierarchical Trending Report ... 106
    Issue Trending Report ... 106
    Key Performance Indicators Report ... 106
    Security at a Glance Report ... 106
  About HP Fortify Software Security Center Project Reports ... 107
    Overview of the Project Summary Report ... 107
  About Software Security Center SSA Portfolio Reports ... 107
    About the SSA Progress Report ... 107
  About Software Security Center SSA Project Reports ... 107
    About the SSA Project Summary Report ... 107
  About BIRT Reports in Software Security Center ... 108
    About BIRT Libraries ... 108
    About BIRT Report Customization ... 108
    Acquiring the BIRT Report Designer ... 109
  Exporting Report Definitions from Software Security Center ... 109
  Importing Report Definitions into Software Security Center ... 109
  About Authorization Tokens ... 111
    Advanced Authorization Tokens ... 111
Preface
Contacting HP Fortify
If you have questions or comments about any part of this guide, use the HP Fortify contact information provided in the following sections.
Technical Support
650.735.2215
fortifytechsupport@hp.com
Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600
contact@fortify.com
HP Corporate Website
http://www.hpenterprisesecurity.com
Chapter 1: Introduction
This document contains information and procedures that enable you to install HP Fortify Software Security Center and perform the post-installation configuration tasks required to prepare the product for use.
Intended Audience
This guide is intended for use by enterprise security leads, development team managers, and developers.

Software Security Center provides security team leads with a high-level overview of the history and current status of a project. Your security team can then ensure that developers and auditors work together effectively to provide the best response to project issues.

Software Security Center provides auditors with a centralized facility for managing issues. If the manager needs to work offline or with the advanced tools that HP Fortify Audit Workbench offers, the current project state and up-to-date auditing information are available for download. Managers can use Software Security Center to prioritize issues to reflect the needs of the enterprise. That prioritization can then be used to prioritize the activities of the project development team.

Developers are responsible for creating and maintaining one or more code bases that conform to secure coding practices. Software Security Center provides a focal point for managing and transmitting information about specific issues received from analysis agents to supported Integrated Development Environments (IDEs), or to standalone clients such as HP Fortify Audit Workbench. Developers can then use the project snapshots produced by Software Security Center to measure their progress through the secure development life cycle.
Related Documents
The following documents provide additional information about Software Security Center:

HP Fortify Software Security Center Installation and Configuration Guide
This document provides system and database administrators with complete instructions on how to install and configure Software Security Center server software.

HP Fortify Software Security Center System Requirements
This document provides system and database administrators with the minimum and recommended requirements for installing and using Software Security Center server software.

Software Security Center online Process Guide
Software Security Center's online Process Guide provides information about how to use Software Security Center based on the role you play on your team. For information about how to access the Process Guide, see Accessing Process Guidance on page 13.
Software Security Center works within your organization to answer the following questions:
As scans are performed during development sprints, development teams submit periodic scan results from a continuous integration server into Software Security Center. Security teams submit periodic results of a dynamic assessment into Software Security Center. Software Security Center correlates and tracks the scan results and assessment results over time, and makes the information available to developers through the Audit Workbench web interface, or through IDE plug-ins such as the HP Fortify Plug-in for Eclipse, the HP Fortify Package for Microsoft Visual Studio, and others. Users can also push issues into defect tracking systems, including HP ALM, JIRA, and Bugzilla.
If Software Security Center is configured to use insecure HTTP protocol (not recommended), type the following URL:
http://[host_IP]:[port]/ssc/

where [port] represents the port number used by your application server.

The default logon credentials for a new Software Security Center installation are username admin and password admin. You must change your credentials at your first logon.

3. In both the Username and Password boxes, type admin.
4. Change your credentials when Software Security Center prompts you to do so.
2. Complete the required fields, and then click Send.
3. After you see the message indicating that your request was successfully sent, click OK.

The account creation request is sent to your Software Security Administrator.
The Software Security Center Process Guide opens in your browser. Review the steps detailed on the Process Guide pages.
By default, the Software Security Center Dashboard displays four panels, or pods, which summarize various aspects of the Software Security Center project versions and features that you can access. The available pods are described in the following table.

Pod: Description
Alert Notifications: A list of alert notifications that the user has chosen to receive.
Assigned Activities: Activities that the logged in user needs to perform.
Issues: A graph that depicts the status of issues in the system. The user can choose either Trend or Current Issues.
Audit Status: Shows the audit status, which includes a count of issues that have been audited and a measure of the activity level during the last seven days.
Project Inventory: Graphical display of project inventory grouped by specified attribute.
Project Security State: Graphical display of the state of projects (Not Started, In Progress, Awaiting Sign Off).
Requirement State: Graphical display of signed off project requirements.
Runtime Host Status: List of runtime hosts with their status.
Runtime Events: Graphical display of runtime events. The user can choose from Trend, Pie, and Column graphs.
2. To change your first name, your last name, or your email address, select the default value in the corresponding box, and then type a new value.
3. To change your password:
   a. Click Change Password. The Change Password dialog box opens.
   b. In the Password box, type your existing password.
   c. In the New Password box, type a new password.
   d. In the Confirm Password box, re-type the new password.
   e. Click Save.
4. To save all changes to your account, in the Modify Account dialog box, click Save.
The following limitations apply to the Software Security Center Dashboard paging configuration:
- If a page displays only one pod, and you move the pod off that page, the page is deleted.
- If a page displays only one pod, the create page option is not available. Simply rename the page.
- You cannot arbitrarily remove a page of pods.
- You can only maximize one pod across the entire set of pages.
- You cannot change the order of the pages.
2. Perform one or more of the tasks listed in the following table:

Specify the pods to display:
   1. On the Dashboard tab, click Pods.
   2. In the Pods Displayed section, select the check boxes for the pods to display in your Dashboard view.

Change the names of Dashboard pages:
   1. On the Dashboard tab, click Pods.
   2. In the Tab Names section of the Dashboard tab, select a page name, and then type a new page name to replace it.

Specify the project versions to display:
   1. On the Dashboard tab, click Project Versions.
   2. Under Project Versions Displayed, select one of the following options:
      - To display the last ten project versions, based on recent activity, leave Default selected.
      - To open a list of the project versions currently displayed so that you can then modify that list, select Custom.
      - Select All to display all project versions.

Remove a project version from the list of projects displayed:
   1. On the Dashboard tab, click Project Versions.
   2. Under Project Versions Displayed, select the Custom option.
   3. Select the project version name or names to remove, and then click Remove.

Add project versions to the list of projects displayed:
   1. On the Dashboard tab, click Project Versions.
   2. Under Project Versions Displayed, select the Custom option.
   3. Click Add. The Select Project Versions dialog box opens.
   4. To display all versions of a project, select the check box next to the project name. Alternatively, to display specific project versions, select the check boxes next to the project version names.
Enable or disable email alerts:
   1. Click the Alert Notifications tab.
   2. Select the Email Alert Notifications check box to send email alerts in addition to the alerts visible on the Dashboard.
   Alert notifications are visible (by default) on the Dashboard of all recipients.

Configure runtime notification options:
   If runtime is enabled on your Software Security Center installation, do the following: To receive runtime notifications of security events flagged by the runtime system as alerts, on the Alert Notifications tab, click Runtime Alerts, and then select the Receive Runtime Alert Notifications check box.

Specify date and time formats:
   1. Click the Display tab.
   2. From the Date Format list, select a format for dates displayed in Software Security Center.
   3. From the Time Format list, select the format for times displayed in Software Security Center.
3. Click Save. Software Security Center saves the settings and displays your customized Dashboard. Software Security Center Dashboard pods display the same information as that displayed on the Software Security Center Project details pages.
2. If you have an account for the eLearning site, submit your credentials and log on to the site. If you do not have logon credentials for the eLearning site, request access to the site, as follows:
   a. Under Is this your first time here?, click Fortify-Education@HP.com. An email template opens.
   b. Type a request for a new eLearning site account, and send the email. Although it might take a day or so, a Fortify Technical Support team member will send you account information.
   After you log on, the site lists the training modules available for products in the HP Fortify suite.
3. Select a training module to open and complete at your own pace.
For information about how to use the Runtime tab, see the HP Fortify Runtime Application Protection Operator Guide.
Runtime Events
Events are occurrences in the system that are of particular interest. As events are tracked, they are displayed on the Runtime tab in Software Security Center, which is automatically refreshed as events occur. You can view events in different ways in the several charts available in Software Security Center. You can search on any event attribute. For example, if you specify the search criterion Category Contains SQL, the Runtime tab lists all events in the SQL injection category. You can also export events resulting from a search as an event log in the same format that you would get from a stand-alone Runtime Application Protection instance. You could then import that event log into a project version where the events become Runtime Application Protection issues.
The following sections provide information about each of these account types. For information about managing Software Security Center personas, see About Software Security Center Persona Management on page 73. This section contains information about Software Security Center roles, user account administration, and how to register AD/LDAP entities with Software Security Center.
Table 1: Summary of Security Lead Account Read (R) and Write (W) Privileges

Functional Area | R | W | Comments
Access, to project versions | X | X | Project versions the Security Lead created or to which the Security Lead account is assigned
Alerts | X | X |
Artifact, Documents | X | X |
Artifact, FPR | X | X |
Event Log | X | | View all event logs
Performance Indicators | X | X | Create, update, and re-sort
Personas | X | X |
Process templates | X | X |
Project templates | X | X | Upload, download, and delete
Project versions | X | X | Create, manage assigned
Reports | X | X | Add, edit, or delete report definitions
Rulepacks | X | X | Import or delete
Template Assignment Policies | X | X |
Users: local and LDAP | X | | Only Administrator accounts can create or edit users
Variables | X | X |
Manager Accounts
With a Manager account, you can manage the secure development of the Software Security Center project versions to which you are assigned and perform tasks such as assigning one or more Developer accounts to the project version. Table 2 summarizes the read (view) and write (create or modify) privileges for a Manager account.
Table 2: Summary of Manager Account Read (R) and Write (W) Privileges

Functional Area | R | W | Comments
Access, to project versions | X | X | Project versions they are assigned
Alerts | X | X | Create for assigned project versions
Artifact, Documents | X | X |
Artifact, FPR | X | X |
Event Log | X | |
Performance Indicators | X | |
Personas | X | |
Process templates | X | |
Rulepacks | X | X | Export
Template Assignment Policies | X | |
Users, local and LDAP | X | |
Variables | X | |
Developer Accounts
With a Developer account, you can perform secure development tasks for the Software Security Center project versions to which you are assigned. Table 3 summarizes the read (view) and write (create or modify) privileges for a Developer account.
Table 3: Summary of Developer Account Read (R) and Write (W) Privileges

Functional Area | R | W | Comments
Access, to project versions | X | |
Alerts | X | X |
Artifact, Documents | X | X |
Artifact, FPR | X | X | View, comment, audit
Event Log | X | | View events associated with assigned project versions
Performance Indicators | X | |
Personas | X | |
Process templates | X | |
Project templates | X | |
Project versions | X | | View only assigned
Reports | X | | View or generate reports
Rulepacks | X | |
Template Assignment Policies | X | |
Users, local and LDAP | | | Administrator accounts only
Variables | X | | Validate variable search strings
Tracking Teams
As an administrator or security lead, you need access to information that enables you to track and monitor your team's progress and to ensure that good application security practices are in place and followed. Software Security Center provides a central point for guiding the adoption of good security practices. By understanding how information is tracked and reported, you can accurately measure development team progress against application security standards.
Roles
Roles determine the actions a user can perform in Software Security Center. Table 4 lists the pre-configured roles you can assign to users in Software Security Center.
Table 4: Software Security Center Roles

Role | Description
Administrator | Has full access to the system and all results.
Application Security Tester | Can perform tasks that pertain to executing dynamic scan requests, including: view project versions; view and generate reports; process dynamic scans; upload scan results; audit issues.
Developer | Developer responsible for producing security results and taking action to triage or remediate any security issues. For a complete list of Developer permissions, see Table 3.
Manager | Responsible for guiding developers to work on results. Managers cannot create projects but can grant or revoke access to members of their team. For a complete list of Manager permissions, see Table 2.
Security Lead | Security team member who can create project versions and users. For a complete list of Security Lead permissions, see Table 1.
View-Only | Can view results, but cannot interfere with the issue triage or remediation process. Example users: system automation account or temporary auditor.
WebInspect Enterprise System | Can connect a WebInspect Enterprise instance to Software Security Center and retrieve issue audit information. This role is intended for use only by a WebInspect Enterprise instance.
For more fine-grained control over user access to Software Security Center functionality, you can create custom roles and assign them permissions within the Software Security Center interface. For instructions on how to create a role, see Creating Custom Roles.
5. Provide the information described in the following table.

Field (*Required field) | Description
*Name | Role name
Description | Role description
Universal Access | To assign the new role access to all project versions and runtime applications, select this check box. Note: HP Fortify strongly recommends that you select universal access only for administrator-level users.
6. To add permissions, click Add. (Permissions determine the functional areas available to Software Security Center users.)
7. Select the check boxes that correspond to the permissions that you want to assign to the new role.
Note: The Add Permissions dialog box provides a search feature that you can use to search for permissions based on search conditions that you specify.
8. Click OK.
9. In the Create Role dialog box, click Save. If the role and permissions you selected do not conflict, you are returned to Software Security Center.
Software Security Center checks permissions to guard against states that are known to be incompatible.
The Role: <Role_Name> screen opens and displays detailed information about the new role.
5. Provide the information listed in the following table.

Field or Check Box | Description
Username | Username for Software Security Center logon.
First Name | First name of user.
Last Name | Last name of user.
Email | Email address of user.
Role(s) | To select the role or roles to assign to the user, click Add, and then select the check boxes that correspond to the roles you want to assign.
Suspended | User is not authorized to use Software Security Center.
Password | Default password for the new user.
Confirm Password | Default password for the new user.
User must change password at next login | Select this check box to require the user to change the password at the next log-on to Software Security Center.
Password never expires | Select this check box to allow the user to use the originally assigned password until he or she wants to change it. To require the user to change his or her password every thirty days, leave this check box cleared.
6. Do one of the following: To save your settings and exit the Create User panel, click Save. To save your settings and display a new instance of the Create User panel, click Save and Create Another.
Software Security Center adds the user account to the list of users.
4. In the Register LDAP Entity panel, in the LDAP Entity list, choose the type of LDAP entity to register.
5. In the Name box, type the Software Security Center account name, and then click the Search icon to validate that the entry exists on the LDAP server. To search for a name, in the Name box, type a search string, and then click the search tool.
6. In the Role(s) box, you can assign a role predefined by Software Security Center or a role you have already created for the selected LDAP entity.
7. Click Add.
8. Select the role or roles from the Select Role dialog box, and then click OK.
9. Click Save. Software Security Center adds the entity to its list of users.
To learn how to specify the LDAP server, see the HP Fortify Security Center Installation and Configuration Guide.
A project version is the base unit for team tracking. It provides a destination for security results that is useful for getting information in front of developers and producing reports and performance indicators. Code analysis results for a project version are tracked as follows:

  Existing analysis results: Results of any previous security analysis from HP Fortify Static Code Analyzer, WebInspect, or another analyzer
+ New scan results: Merged with the existing results (from the same analyzer used to perform this scan) to mark resolved issues, identify new issues, and keep unchanged issues. Software Security Center analysis processing rules verify that the new scan is comparable to the older scan.
= Trending results: Identify which security issues have been fixed, and which issues remain.
Project Icons
Table 5 lists the icons used to show project status on the Software Security Center Projects tab.
Table 5: List of Projects Type and Status Icons
Icon Category | Description
Project type | Project version is of type Basic Remediation
Project type | Project version is of type SSA
Project state | Project version not started: No activities completed
Project state | Project version in progress: At least one activity has been completed
Project state | Project version is unfinished
Project state | Project version requires attention: An activity must be performed
Sign-off state | Awaiting sign-off
Sign-off state | Signed off with exemption
Sign-off state | Signed off
For a conceptual orientation to the creation of a new Software Security Center project, proceed to About the Project Creation Process on page 36.
Each step presents the team members responsible for creating a Software Security Center project version with one or more strategic choices. After the team agrees upon and makes their selections, the security lead can click Finish to complete the project creation process. Typically, the security team evaluates and decides on all the project options before they actually start to create the project. The following sections describe the options displayed on the five project creation wizard screens.
When you create a new project version, the Create Project Version wizard guides you through the selection of required and optional business and technical project attributes. Neither the basic remediation nor the SSA project version type can be finished until you select values for all required attributes. For example, to create a project version, you must specify values for the following attributes:
- Business unit
- Development phase
- Development strategy
- Accessibility
Chapter 4: Software Security Center Projects and Project Versions 36
Table 6 lists the default set of Software Security Center project version attributes for basic remediation and SSA project version types. Note that this list does not include custom attributes that a Software Security Center administrator may have added to the system.
Table 6: Default Software Security Center Project Version Attributes (*Required)

Business Attributes: Business Risk; Known Compliance Obligations; Data Classification; Project Classification; *Business Unit
Technical Attributes: *Development Phase; *Development Strategy; *Accessibility; Project Type; Target Deployment Platform; Interfaces; Development Languages; Authentication System
3. On the Project Version page, provide the information listed in the following table.

Field | Description
Use Existing Project | Since you are working with a logical continuation of an existing code base, leave this option selected. From this list, select the name of an existing project.
Copy From | Select this check box to copy settings and data from the previous version of the selected project. In addition to the project version attributes, you can copy the custom tags, analysis processing rules, user assignment, bug tracker, or current-state HP Fortify project results. After you select the check box, this section expands to reveal a project version list and the categories of information to be copied. From the list to the right of the Copy From check box, select the project version that has the attributes you want to copy to the new project version. To exclude a category of information from being copied to the new version, clear its check box.
Name | In this box, type the version name. The wizard uses the project name and appends the version number to it automatically.
Description | (Optional) In this box, type a description of the new project version.
Basic Remediation Project | Select this option to create a Basic Remediation Project type project version. For information about how to select a project version type, see About Project Version Types on page 36.
SSA Project | Select this option to create an SSA type project version. For information about how to select a project version type, see About Project Version Types on page 36.
4. To finalize the project definition later, click Finish Later. To continue, click Next. The Dependencies page opens.
5. To specify optional dependent project versions for the new project version:
   a. Click Add. The Add Dependent Project Version dialog box lists all Software Security Center project versions.
b. Select one or more project versions that affect the secure development of the project, and then click Save. (Use the CTRL and SHIFT keys to select multiple versions.) 6. Click Next.
7. On the Business Attributes page, do the following:
   a. If email notification has been configured for your Software Security Center instance, and you want to request attribute information for the project from another team member, click Send Attribute Information Request. Software Security Center prompts you to supply the email address of the individual to whom the request is to be sent.
   b. Configure the business attributes for the project version.
   Note: Because default values are selected for each list on the Business Attributes page, make sure that you actively select the values for each field.
8. Click Next.
9. Configure the technical attributes for the project.
10. Click Next.
11. On the Project Template (or Process Template) page, do one of the following:
    - If you are creating a new basic remediation project version, from the Template list, select a project template.
    - If you are creating a new SSA project version, select a process template. Software Security Center uses the project attributes to recommend a process template, and then displays the recommended choice as the default selection in the list of process templates. Software Security Center assigns a project template to the new project version based on your choice of process template.
12. Click Finish.
If you created a new project, Software Security Center adds the new project to the list of projects; the new project contains its initial project version. If you created a new project version, Software Security Center adds the new project version to its parent project.
To display unfinished or inactive project versions, on the Projects tab, select the Show Inactive Versions check box. The default is to display all active project versions. To designate a project version as inactive, clear the Active check box in the Edit Project Versions dialog box.
6. From the Bug Tracker list, select the bug tracker to use to file bugs against the project version. 7. Complete any required fields. 8. To test the bug tracker connection to Software Security Center: a. Click Test. b. In the Test Bug Tracker Configuration dialog box, type your bug tracker authentication credentials, and then click Test. 9. If you do not want to enable batch bug submission and possibly bug state management for this project version, click Save. If you want to enable batch bug submission and possibly bug state management, see About Using State Management to File Many Issues.
If the scan results indicate that one or more security issues associated with the bug are still present (and match the selection criteria), Software Security Center checks the bug tracking system to ensure that the bug is in a valid open state and, if necessary, re-opens the bug. If all issues associated with a bug are removed (either because the issues were remediated or because they no longer match the selection criteria), Software Security Center updates the bug to indicate that stakeholders may resolve or close the ticket. To preserve auditing and traceability, Software Security Center never resolves or closes bugs automatically.
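The trending merge described under project version tracking (existing results + new scan results = trending results) and the bug-state rules in the paragraph above, as an added Python example; this is not Software Security Center code, and the Issue record layout, the VALID_OPEN_STATES set, and the action names are assumptions.

```python
"""Added example (not Software Security Center code): trending merge of scan
results by instance ID, followed by the bug-state rules described in the text.
Issue records, instance IDs and tracker states below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Issue:
    instance_id: str   # analyzer-assigned identifier, stable across scans
    analyzer: str      # which analyzer found it, e.g. "SCA" or "WebInspect"
    category: str      # e.g. "SQL Injection"


@dataclass
class Trend:
    new: Set[str]             # instance IDs seen for the first time
    resolved: Set[str]        # IDs present before but absent from the new scan
    unchanged: Set[str]       # IDs present in both scans
    open_issues: List[Issue]  # everything still open after the merge, all analyzers


def merge_scan(existing: Iterable[Issue], new_scan: Iterable[Issue],
               analyzer: str) -> Trend:
    """Merge a new scan from ONE analyzer into the existing results.

    Only results produced by the same analyzer take part in the comparison;
    results from other analyzers are carried over untouched, so a fresh SCA
    scan never marks WebInspect findings as resolved.
    """
    existing = list(existing)
    same = [i for i in new_scan if i.analyzer == analyzer]
    old_ids = {i.instance_id for i in existing if i.analyzer == analyzer}
    new_ids = {i.instance_id for i in same}
    carried = [i for i in existing if i.analyzer != analyzer]
    # Issues still reported are taken from the new scan so their data is current.
    return Trend(
        new=new_ids - old_ids,
        resolved=old_ids - new_ids,
        unchanged=old_ids & new_ids,
        open_issues=carried + same,
    )


# Tracker states treated as "valid open" (constructed; a real deployment maps
# these per bug tracker).
VALID_OPEN_STATES = {"Open", "Reopened", "In Progress"}


def bug_state_actions(bugs: Dict[str, Set[str]], bug_states: Dict[str, str],
                      open_issues: Iterable[Issue],
                      matches_criteria: Callable[[Issue], bool] = lambda i: True
                      ) -> Dict[str, str]:
    """Decide the state-management action for each filed bug.

    bugs maps bug ID -> instance IDs filed against it; bug_states maps bug ID
    -> its current tracker state. An issue counts as still present only if it
    survived the merge AND still matches the selection criteria used when the
    bug was filed. Nothing here closes a bug: once every issue is gone the bug
    is only marked so stakeholders can resolve it, which keeps the audit trail.
    """
    present = {i.instance_id for i in open_issues if matches_criteria(i)}
    actions = {}
    for bug_id, issue_ids in bugs.items():
        if issue_ids & present:
            if bug_states.get(bug_id) in VALID_OPEN_STATES:
                actions[bug_id] = "leave_open"
            else:
                actions[bug_id] = "reopen"        # closed while issues remain
        else:
            actions[bug_id] = "mark_resolvable"   # annotate only, never auto-close
    return actions
```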
5. From the Project Template list, select a different project template to apply to the project version.
Software Security Center displays a warning message to advise you that changing the template can alter the metrics calculated for the project, and that existing metrics will not be recalculated.
6. To continue with the change, click Yes. After you change the project template, Software Security Center invalidates any auditing session of the affected project version (for example, by a different user) and displays an error message to advise you that the project version audit session must be restarted.
Note: An HP Fortify Audit Workbench user auditing the affected project version does not see this information. 7. Click OK.
Project On-Boarding
A security team that creates a project version may not always know what the business and technical attributes of the project are. Software Security Center's project on-boarding feature provides the project version creator with a mechanism for requesting that information from the development team. It also provides the development team with a way to provide that information to the system. Typical scenarios for implementing the project on-boarding feature are:
- A development group new to the Software Security Assurance program can easily understand what is expected of them, and can identify and plan for key users to participate in the security effort.
- A development group new to the Software Security Assurance program can easily supply the information necessary to start a project version within Software Security Center.
2. In the Recipient Email box, type the email address of the person to whom you want to send this email. 3. Click Send. The form contains pre-populated fields and links to forms that external users can use to specify project attributes. To continue the project version creation process after you send the request, click the links provided on the Projects page.
Note: Typically, you wait for the development team to provide the technical and business attributes, and then return to finish creating the project version. The value in the State column on the Project list page indicates that the development team has provided the requested attributes.
The panel to the right of the Projects panel shows that the project version is unfinished and you can continue the project version creation process to create it using the links provided.
The email notification sent in response to your request for attribute information contains links to information request forms, which the recipient can use to provide the requested attribute information. Another link takes the recipient to the Software Security Center Process Guide, which presents an overview of the software security assurance process.
The last link takes the recipient to the Account Request form, in case the recipient does not yet have a Software Security Center user account and wants to request one.
The second link takes you to the Business Attributes step of the Create Project Version wizard, where you can configure the business attributes for your project. For descriptions of each business attribute, see Adding Project Versions on page 39.
The third link takes you to the Technical Attributes step of the Create Project Version wizard, where you can configure the technical attributes of your project.
The fourth link takes you to the Account Request step, from which you can request a Software Security Center account.
7. Select or clear the check boxes for the rules listed in the following table, and then click Save.

Require approval if the Build Project is different between scans
   Software Security Center compares the Build Project for the scan and the scan that preceded it. If the Build Projects differ, management approval is required.

Check external metadata file versions in scan against versions on server

Require approval if file count differs by more than 10%
   Software Security Center compares the file count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required.

Require approval if result has analysis warnings

Require approval if the Rulepacks used in the scan do not match the Rulepacks used in the previous scan
   Software Security Center checks to see whether you have added or removed a Rulepack, and whether a version of a Rulepack has changed. If it detects that a Rulepack has been added, removed, or updated, it flags the upload for management approval.

Require approval if the engine version of a scan is newer than the engine version of the previous scan
   Software Security Center checks to see whether any scan engine (SCA, WebInspect, SecurityScope) version is newer than the one already used in the project. If it detects newer versions, it flags the upload for management approval.

Automatically perform Instance ID migration on upload
   A newer version of SCA or a Rulepack can change an instance ID from the instance ID created in a previous scan by an older version of SCA or a Rulepack. In reality, both instance IDs identify the same issue. When enabled, this rule automatically migrates old instance IDs to the corresponding new instance IDs to preserve the history of the issues. It is sometimes useful to disable this rule as a troubleshooting measure for customer support.

Require approval if line count differs by more than 10%
   Software Security Center compares the line count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required.

Ignore SCA scans performed in Quick Scan mode
   Blocks the processing of SCA scans done in Quick Scan Mode, which searches for high-confidence, high-severity issues.

Require approval if SCA or SecurityScope scan does not have valid certification
   Software Security Center checks to see that an SCA or SecurityScope scan has valid certification. If the certification is not valid, then someone may have tampered with the results in the upload. If the certification is missing, it is not possible to detect tampering. If certification is missing or is not valid, the rule requires management approval.

Warn if audit information includes unknown custom tag
   If audit information includes an unknown custom tag, the rule requires management approval.

Disallow upload of analysis results if there is one pending approval
   If an analysis result still requires approval, this rule blocks its upload.
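An added Python example, not Software Security Center code, that applies the rules in the table above to the metadata of an incoming scan and separates the rules that block an upload from those that flag it for management approval; the ScanInfo fields, the rule keys, and the sample values are constructed. The two rules without a description on this page (external metadata versions, analysis warnings) and the instance ID migration rule, which rewrites IDs rather than gating the upload, are left out.

```python
"""Added example (not Software Security Center code): evaluate the analysis
processing rules described in the text against an incoming scan. ScanInfo
fields and rule keys are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class ScanInfo:
    """Metadata an upload pipeline would extract from an analysis result."""
    build_project: str
    engine: str                        # "SCA", "WebInspect" or "SecurityScope"
    engine_version: tuple              # comparable tuple, e.g. (6, 0, 0)
    rulepacks: dict                    # Rulepack name -> version string
    file_count: int
    line_count: int
    quick_scan: bool = False           # SCA Quick Scan Mode
    certified: Optional[bool] = None   # None = certification missing, False = invalid
    custom_tags: Set[str] = field(default_factory=set)  # tags found in audit data


def differs_by_more_than(old: int, new: int, fraction: float = 0.10) -> bool:
    """True when new deviates from old by MORE than the given fraction."""
    if old == 0:
        return new != 0
    return abs(new - old) / old > fraction


def evaluate_rules(previous: Optional[ScanInfo], current: ScanInfo,
                   known_tags: Set[str], pending_approval: bool,
                   enabled: Optional[dict] = None) -> Tuple[List[str], List[str]]:
    """Apply the enabled rules to an upload.

    Returns (blocked, needs_approval), each a list of rule keys. A blocking
    rule stops processing; an approval rule flags the upload for management
    approval. Rules that compare against the preceding scan are skipped for
    the first scan of a project version (previous is None). A rule key that is
    absent from `enabled` counts as enabled.
    """
    enabled = enabled or {}

    def on(rule: str) -> bool:
        return enabled.get(rule, True)

    blocked: List[str] = []
    approval: List[str] = []

    # Rules that block the upload outright.
    if on("pending_approval") and pending_approval:
        blocked.append("pending_approval")
    if on("quick_scan") and current.quick_scan:
        blocked.append("quick_scan")

    # Rules that compare the scan with the one that preceded it.
    if previous is not None:
        if on("build_project") and previous.build_project != current.build_project:
            approval.append("build_project")
        if on("file_count") and differs_by_more_than(previous.file_count, current.file_count):
            approval.append("file_count")
        if on("line_count") and differs_by_more_than(previous.line_count, current.line_count):
            approval.append("line_count")
        # An added, removed or re-versioned Rulepack all make the dicts differ.
        if on("rulepacks") and previous.rulepacks != current.rulepacks:
            approval.append("rulepacks")
        if on("engine_version") and current.engine_version > previous.engine_version:
            approval.append("engine_version")

    # Rules evaluated on the new scan alone.
    if (on("certification") and current.engine in ("SCA", "SecurityScope")
            and not current.certified):
        approval.append("certification")   # missing (None) or invalid (False)
    if on("unknown_tag") and (current.custom_tags - known_tags):
        approval.append("unknown_tag")

    return blocked, approval


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: an SCA upgrade with an extra Rulepack, a 15 percent
    jump in file count, no certification and one tag the server does not know."""
    previous = ScanInfo("sample-app", "SCA", (5, 16, 0), {"Core": "2013.1"},
                        1000, 50000, certified=True)
    current = ScanInfo("sample-app", "SCA", (6, 0, 0),
                       {"Core": "2013.2", "Extended": "2013.2"}, 1150, 51000,
                       certified=None, custom_tags={"Analysis", "Due Date"})
    return evaluate_rules(previous, current, known_tags={"Analysis"},
                          pending_approval=False)


if __name__ == "__main__":
    print(demo())
```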
2. Type the name (required) and a description (optional) of the new tag.
3. To specify a value for the new tag:
   a. Click Add.
   b. In the Name box, type a value. A value can be a discrete attribute for the issue that this tag addresses. For example, you might specify that this custom tag addresses a due date or a server quality issue.
   c. (Optional) In the Description box, type a description of what the value represents.
   d. To prevent the tag from being displayed in Collaboration Module or HP Fortify Audit Workbench (AWB), select the Hidden check box.
   e. Click Save.
4. From the Default Value list, select the default value for the tag. If the custom tag has a default value, then issues with no value set for the tag acquire that default value. If no default value is defined, then the tag value becomes Not Set.
5. Set the tag options as needed:
   - To allow only users with specific permission (managers, security leads, administrators) to modify the tag, select the Restricted check box.
   - To enable the addition of new values to the tag during audits, select the Extensible check box.
   - To prevent the display of the tag in Collaboration Module or HP Fortify Audit Workbench (AWB), select the Hidden check box.
6. Click Save.
5. Click Save.
4. Click Add. The Add Custom Tags To Project Template dialog box opens.
5. Select the check box for the custom tag to associate with the project template.
You can also edit or delete a custom tag from this project template from the Custom Tags tab.
4. Select the custom tag to disassociate from the project template, and then click Remove.
5. Click Add.
6. Select the check box for the custom tag to associate with the project version.
7. Click OK. 8. In the Edit Project Version dialog box, click Save.
4. On the left side of the Summary panel, expand the list for the custom tag to which you want to add a value, and select Create New.
5. Type a name and, optionally, a description for the new value. 6. Click Save.
You must update existing custom tags through the custom tag administration section of Software Security Center. From the Software Security Center Dashboard, select Administration Projects Custom Tags and complete the update. You can add a new custom tag through a project template upload. This could, for example, allow a member of a security team who is not part of a software audit to define the project template and the custom tags in the project template.
From the Jobs panel, you can view running scans and scans completed within the last seven days. CloudScan permissions determine which jobs you can see in the left panel, based on the project version associated with the job. CloudScan permissions are described in the following table.

Field | Description
Download CloudScan Artifacts | User can view and download CloudScan data
Manage CloudScan | User can view, download, and manage CloudScan data
View CloudScan | User can view CloudScan data
The right panel includes the General and Task Details tabs. The information on the General tab displays summary information about the scan such as when it started, when it was completed, and so on. The Task Details tab displays specific information about Static Code Analyzer and the status of the FPR upload to Software Security Center. You can download a log file or analysis results file from the Task Details tab.
With the Controller feature section selected, two tabs are provided for closer inspection of the CloudScan infrastructure in use and the current status of the CloudScan Controller. The information presented on the Statistics tab can help you determine why a job is not represented in the Jobs panel. The information displayed on the Settings tab reflects the content of two properties files. The information included under the General, Tasks Interval, and Email headings reflects config.properties file content. The information provided under the Cloud and Software Security Center headings reflects content in the hadoop.properties file. For more information about these files, see the HP Fortify CloudScan Installation, Configuration, and Usage Guide.
Icon: Description
Time lapse activity: Activities that must be performed within a specific time period. For example, uploading an SCA scan within the preceding 14 days.
Project state activity: Activities that ensure the project conforms to applicable measurement guidelines. For example, auditing 100 percent of all High Priority Issues.
Document activity: Activities that require the submission of an external process document. An example of a document activity is the completion and sign off of a peer review checklist.

Activity type: Description
Project state: Project version not started. No activities completed.
Project state: Project version in progress. At least one activity has been completed.
Sign Off state: Awaiting sign off
Sign Off state: Signed Off with exemption
Sign Off state: Signed Off
Sign Off state: Document rejected
3. From the User list, select a Software Security Center user account name.
4. Click Save. Software Security Center saves the change and then displays the list of personas. The list includes the Software Security Center user account assigned to the persona.
Table 8 provides descriptions of the default personas that you can add to your process template activities or requirements in Software Security Center. To add personas to process template activities or requirements, you must use the Software Security Center Process Designer client tool. For information about how to incorporate personas into your process templates, see the HP Fortify Software Security Center Process Designer User Guide.
Table 8: HP Fortify Software Security Center Personas
Persona Name: Example Responsibilities
Architect: High-level design and system engineering
Business Risk Owner: Sign off on the complete set of business and technological risks for an application
Developer: Design and implement code, scan the code for vulnerabilities, and address any security issues in the code
Operations and Build Teams: Deploy and maintain applications in production settings
Project Manager: Ensure that all project milestones are enumerated and completed
QA Tester: Test and verify software throughout the secure development process
Security Expert/Champion: Define and ensure compliance with the security strategy and delivery of an SSA project version
Support Operations: Internal and external customer support and technical operations support
Creating a Persona
To create a persona:
1. Log on to Software Security Center and click the Administration tab.
2. In the Administration panel on the left, under Process Management, click Personas.
3. Click Add. The Create Persona dialog box opens.
4. In the Name box, type a descriptive name for a job title that is to have responsibility for one or more portions of a Software Security Center SSA project version.
5. (Optional) In the Description box, type a description of the responsibilities or functions the persona is to assume.
6. Click Save. The Personas page lists the new persona.
For information about how to incorporate a persona into a Software Security Center process template, see the HP Fortify Software Security Center Process Designer User Guide.
Deleting Personas
If a persona listed on the Personas page has no user accounts assigned to it, you can delete that persona.
To delete a persona:
1. Log on to Software Security Center as an Administrator or Security Lead and click the Administration tab.
2. In the Administration panel on the left, under Process Management, click Personas.
3. In the Name column in the Personas panel, select the persona you want to delete.
4. Click Delete. A warning dialog box opens and prompts you to confirm that you want to delete the persona.
5. Click Yes.
About Variable Syntax and Search Strings and Search String Modifiers
The format of a Software Security Center variable is as follows:
modifier:searchstring
Table 9 lists the Software Security Center relational operators.
Table 9: HP Fortify Software Security Center Relational Operators
Relational Operator: Description. Example
Search String: Searches for the string without qualification. Example: Search String
"Search String": Searches for an exact match of the term enclosed in quotation marks (" "). Example: "Search String"
Number range: A comma-separated pair of numbers used to specify the beginning and end of a range of numbers. Use a left or right bracket ([ ]) to specify that the range includes the adjoining number. Use a begin or end parenthesis (( )) to specify that the range excludes (is greater than or less than) the adjoining number. Example: (2,4] indicates a range of greater than two, and less than or equal to four
! (not equal): Example: !file:Main.java
Chapter 6: Variables, Performance Indicators, and Alerts

Modifier: Description
[issue age]: Searches for the issue age, which is either removed, existing, or new.
<custom_tagname>: Searches the specified custom tag. Note that tag names that contain spaces must be delimited by square brackets. Example: [my tag]:value
analysis: Searches for issues that have the specified audit analysis value (such as exploitable, not an issue, and so on).
analyzer: Searches the issues for the specified analyzer.
audience: Searches for issues by intended audience. Valid values are targeted, medium, and broad.
audited: Searches the issues to find true if Primary Custom Tag is set and false if Primary Custom Tag is not set.
category: Searches for the given category or category substring.
comments: Searches the comments submitted on the issue.
(modifier name missing): Searches for issues with comments from a specified user.
confidence: Searches for issues that have the specified confidence value. Fortify Source Code Analyzer calculates the confidence value based on the number of assumptions made in code analysis. The more assumptions made, the lower the confidence value.
dynamic: Searches for issues with the specified dynamic hot spot ranking value.
file: Searches for issues where the primary location or sink node function call occurs in the specified file.
(modifier name missing): Searches for issues that have a priority level that matches the specified priority determined by the HP Fortify analyzers. Valid values are critical, high, medium, and low, based on the expected impact and likelihood of exploitation. The impact value indicates the potential damage that might result if an issue is successfully exploited. The likelihood value is a combination of confidence, accuracy of the rule, and probability that the issue can be exploited. Audit Workbench groups issues into folders based on the four priority values (critical, high, medium, and low) by default.
(modifier name missing): Searches for issues with audit data modified by the specified user.
(modifier name missing): Searches for all issues in the specified kingdom.
(modifier name missing): Searches for all issues that have a confidence value up to and including the number specified as the search term.
metagroup: Searches the specified metagroup. Metagroups include [OWASP Top 10 2010], [sans top 25 2010], and [pci 2.1], and others. Square braces delimit field names that include spaces.
minconf: Searches for all issues that have a confidence value equal to or lower than the number specified as the search term.
package: Searches for issues where the primary location occurs in the specified package or namespace. (For data flow issues, the primary location is the sink function.)
[primary context]: Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see sink, [source context].
(modifier name missing): Searches for all issues related to the specified sink rule.
(modifier name missing): Searches for all issues reported by the specified rule IDs used to generate the issue source, sink, and all passthroughs.
sink: Searches for issues with the specified sink function name. Also see [primary context].
source: Searches for data flow issues with the specified source function name. Also see [source context].
[source context]: Searches for data flow issues with the source function call contained in the specified code context. Also see source, [primary context].
(modifier name missing): Searches issues that have the status reviewed, not reviewed, or under review.
suppressed: Searches for suppressed issues.
(modifier name missing): Searches for issues that have the specified taint flag.
<no attribute>: Searches for issues that have any of the most common attributes that match the specified string.

Note: Software Security Center does not recognize the following Audit Workbench search modifiers:
ruleid
trace
tracenode
Software Security Center search-string syntax is identical to that used with HP Fortify Audit Workbench. Table 11 lists common Software Security Center variable search strings.
Table 11: Software Security Center Variables, Common Search Strings
Search String: Target
cleanse: All issues that contain cleanse as part of any modifier
category:!SQL Injection: Categories other than SQL injection
file:"com/fortify/awb": File names that contain the string com/fortify/awb
trace:cleanse: Paths that contain traces with cleanse as part of the name
trace:mydbcode.sqlcleanse: Paths that contain traces with mydbcode.sqlcleanse as part of the name
(search string missing): Privacy violations in filenames that contain jsp with getSSN() as a source
suppressed:true comments:asdf: Suppressed vulnerabilities with asdf in the comments
Creating Variables
To create a Software Security Center variable:
1. Log on as a Manager-level or higher user, and then click the Administration tab.
Note: Users who have Developer accounts cannot create Software Security Center variables.
2. In the Administration panel on the left, under Projects, click Variables.
3. In the Variables panel on the right, click Add. The Create Variable dialog box opens.
4. Provide the information described in the following table.
Field (*Required): Description
*Name: Type a variable name that begins with a letter (a-z, A-Z), and that contains only letters, numerals (0-9), and the underscore character (_).
Description: Type a variable description so that other users can understand what the variable is used for.
*Search String: Type a valid Software Security Center variable search string. (For information about how to construct search strings, see About Variable Syntax and Search Strings and Search String Modifiers on page 77.)
*Folder: From this list, select a folder from the default filter set to associate with the variable. The Folder list displays the unique folder names associated with all available project templates. (The folder names are configured in Software Security Center Process Designer.) The variable value is calculated if the folder name is associated with the project template for the project version.
5. Click Validate. Software Security Center displays the variable validation result.
6. After you configure and validate the Software Security Center variable, click Save. Software Security Center displays details about the new variable.
4. Provide the information described in the following table.
Field (*Required): Description
*Name: Type a performance indicator name.
Description: Type a description so that other users can understand what the performance indicator is used for.
*Equation: Type a valid Software Security Center performance indicator equation.
*Return Type: From this list, select the value type to return.
5. Click Validate. Software Security Center displays the performance indicator validation result.
6. After you configure and successfully validate the Software Security Center performance indicator, click Save. Software Security Center displays details about the new performance indicator.
5. In the Alert Definition section, next to Type, select the type of alert you want to create.
6. Provide the information for the alert type you selected, as shown in one of the following tables.
Process Alert
a. From the Alert When list on the left, select a process template, process requirement, or process activity for a Software Security Center SSA project version to which you have access.
b. From the Alert When list on the right, select a process state.
c. If the process state you selected enables the calendar box, specify a date.
Note: If you choose a process state of if not signed off by or if not ready to be signed off by, then Software Security Center enables both the date and Remind Every boxes.
d. To add a recurring email alert, select the Remind Every check box, and then in the Days box, specify the frequency for the alert by typing the number of days. Software Security Center continues to send recurring email alerts until the process state has been satisfied, or until you clear Remind Every.
e. To apply the alert to the children of the process entity, select the Include Children check box.
Performance Indicator Alert
a. From the Alert When list on the left, select a performance indicator.
b. From the list of operators, select an operator.
c. Type a numeric value. The type of performance indicator you selected determines whether the value represents an integer or a percentage.
Variable Alert
a. From the Alert When list on the left, select a variable.
b. From the list of operators, select the appropriate operator.
c. Type a numeric value. The type of performance indicator you selected determines whether the value represents an integer or a percentage.
System Event Alert
From the Alert When list on the left, select the Software Security Center system event to trigger the alert.
7. If you are creating a system event alert, click Save. Otherwise, proceed to the next step.
8. To specify the scope of the alert:
a. In the Scope section, click Add. The Select Project Versions dialog box opens.
b. Select the check boxes that correspond to the project versions to which your new alert applies, and then click OK.
9. In the Notification section, next to Recipient, select one of the following recipient preferences:
Note: Regardless of the option you select, you will receive the notification.
To have the notification sent only to you, select Me Only.
If you are creating a process alert, and you want the notification sent to the process entity work owner and the Software Security Center users who sign off on the project version, select Process Entity Stakeholders.
To have the notification sent to all Software Security Center users who have access to the project versions you specified (in the Scope section), select All Project Version Users.
10. Click Save. Software Security Center displays the details for your new alert.
About Auditing
Issue audits, whether performed in Software Security Center or Audit Workbench, accomplish the following:
Condense and focus project information
Enable the security team to collaboratively decide which issues represent real vulnerabilities
Enable the security team to collaboratively prioritize issues based on vulnerability
Software Security Center uses project templates to categorize and display issues.
Software Security Center loads the analysis results for the project version. In the panel on the left, Software Security Center displays the Issue List. The Issue List summarizes the current audited state of all issues associated with the project's current snapshot. By default, the Issue List displays summary information for critical issues. The Issues panel on the right lists all of the issues included in the category selected in the Issue List panel. By default, the panel displays all critical issues.
The Issues panel on the right lists issues based on your selections in the left panel. After you select a listed issue, the panel displays the Summary, Details, Recommendations, and History tabs under the issue list.
Use the Summary tab to audit the selected issue. The History tab displays a summary of the auditing activities performed on the selected issue. The Details tab presents the following information about the selected issue:
The Abstract section provides a summary description of the issue, which may include abstracts defined by your organization.
The Explanation section displays a description of the conditions under which this type of issue occurs. The description includes a discussion of the vulnerability, the constructs typically associated with it, how it can be exploited, and the potential impact of an attack. The Explanation section also includes any explanations defined by your organization.
The Instance ID section shows the unique identifier for the issue.
The Rule ID section displays the unique identifier for the rule that generated the issue.
The SCA Confidence section displays the SCA-calculated number (ranging from 0.1 to 5.0) that represents the estimated likelihood that an issue represents a real vulnerability. The higher the number, the greater the confidence that the issue is valid. The more assumptions SCA has to make, the lower the confidence score.
The Recommendation section provides recommendations on how you might fix the type of issue you selected. This section includes examples and any custom recommendations defined by your organization.
The Tips section provides tips for the type of issue selected, including any custom tips defined by your organization.
The References section lists the references on which the recommendations and tips are based. It includes custom references defined by your organization.
Software Security Center displays the Collaboration Module. By default, the left-side panel of the Collaboration Module contains the Issue List. The Issue List includes folder tabs, Filter Set and Group By lists, and at the bottom a View Options link. Use these tools to customize the list of issues displayed in the Collaboration Module.
3. In the Issue List, choose an issue, then in the central Issues panel click View Details. The Collaboration Module updates the upper-left panel with issue details. The lower right panel displays tools you can use to audit the issue, suppress the issue, or submit the issue to your secure deployment team's bug tracking server. If this is the first File Bug action for the current session and project, and if the bug tracker requires authentication, Software Security Center prompts you to provide log-on credentials.
If you log on successfully, Software Security Center maintains the connection state for the remainder of the current Software Security Center session. If you do not log on successfully, Software Security Center displays an error message and aborts the action.
Software Security Center displays a submit dialog box for the associated bug tracker. If default values are available, these are used in the dialog box. Required fields are marked as such. Software Security Center acquires the fields and corresponding values dynamically from the bug tracker associated with the selected Software Security Center project. Software Security Center submits the defect and logs the defect ID within the HP Fortify database. If the submission succeeds, Software Security Center displays a message that states that the defect was successfully submitted. Software Security Center also sets the value of the vulnerability attribute Defect Id to the defect ID returned by the bug tracker. If the submission fails, Software Security Center displays an error message. For information about configuring Software Security Center bug tracker integration, refer to the HP Fortify Software Security Center Installation and Configuration Guide.
4. To return to the Issue List page, click Issue List in the upper right part of the page.
Search terms take one of the following forms:
Plain term: Searches for a term without any qualifying delimiters.
Quoted term: Searches for an exact match if the term is wrapped in quotation marks ("").
Regular expression: Searches for values that match a Java-style regular expression delimited by a forward slash (/). Example: /eas.+?/
number range: Uses standard mathematical syntax, such as ( and ) for an exclusive range, and [ and ] for an inclusive range, where (2,4] represents the range of numbers greater than two, and less than or equal to four.
not equals: Excludes issues specified by the string by preceding the string with an exclamation character (!). For example, file:!Main.java returns all issues that are not in the Main.java file.
Search terms can be further qualified with modifiers. For more information, see About Search Modifiers on page 90. The basic syntax for using a modifier is modifier:<search term>. A search string can contain multiple modifiers and search terms. If you specify more than one modifier, the search returns only issues that match all the modified search terms. For example, file:ApplicationContext.java category:SQL Injection returns only SQL injection issues found in ApplicationContext.java. If you use the same modifier more than once in a search string, then the search terms qualified by those modifiers are treated as an OR comparison. So, for example, file:ApplicationContext.java category:SQL Injection category:Cross-Site Scripting returns SQL injection issues and cross-site scripting issues found in ApplicationContext.java.
For complex searches, you can also insert the AND or the OR keyword between your search queries. (Note that AND and OR operations have the same priority in searches.) To search issues, do one of the following:
Type a search string in the box and press ENTER.
Alternatively, to select a search term you used earlier during the current work session, click the arrow in the search box, and then select a search term from the list.
Note: After you log off of Software Security Center, all search terms are discarded.
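The search rules described above (term forms, modifier:term clauses, different modifiers ANDed, a repeated modifier ORed, and AND/OR keywords combined left to right with equal priority) and the relational operators in Table 9 of the Variables chapter, implemented as a small evaluator over constructed issue records. This is an added example written for this page; it is not part of Software Security Center or this guide. It assumes an issue is a dictionary whose keys are modifier names, that a multi-word term such as category:SQL Injection extends up to the next modifier token or keyword, and that both negation spellings shown on the page (!file:X and file:!X) mean the same thing; all three are assumptions, not documented product behaviour.

```python
import re

# Constructed sample issues (illustrative records, not real scan output).
# Keys mirror search modifiers discussed on the page.
SAMPLE_ISSUES = [
    {"file": "ApplicationContext.java", "category": "SQL Injection",
     "confidence": 4.0, "suppressed": False, "comments": "needs review"},
    {"file": "ApplicationContext.java", "category": "Cross-Site Scripting",
     "confidence": 2.5, "suppressed": True, "comments": "asdf false positive"},
    {"file": "Main.java", "category": "SQL Injection",
     "confidence": 3.0, "suppressed": False, "comments": ""},
    {"file": "Util.java", "category": "Path Manipulation",
     "confidence": 1.5, "suppressed": False, "comments": "easy fix"},
]

# Number range such as "(2,4]": ( or [ on the left, ) or ] on the right.
_RANGE = re.compile(r"^([\[(])\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*([\])])$")


def match_term(value, term):
    """Apply one search term to one field value: plain substring, "exact",
    /regex/, number range, or any of those negated with a leading !."""
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    hit = _match_positive(value, term)
    return (not hit) if negate else hit


def _match_positive(value, term):
    m = _RANGE.match(term)
    if m:  # (2,4] means greater than 2 and less than or equal to 4
        lo_incl, hi_incl = m.group(1) == "[", m.group(4) == "]"
        lo, hi = float(m.group(2)), float(m.group(3))
        try:
            v = float(value)
        except (TypeError, ValueError):
            return False
        lower_ok = lo <= v if lo_incl else lo < v
        upper_ok = v <= hi if hi_incl else v < hi
        return lower_ok and upper_ok
    if len(term) >= 2 and term[0] == term[-1] == '"':
        return str(value) == term[1:-1]                       # exact match
    if len(term) >= 2 and term[0] == term[-1] == "/":
        return re.search(term[1:-1], str(value)) is not None  # regex
    if isinstance(value, bool):
        return str(value).lower() == term.lower()             # suppressed:true
    return term.lower() in str(value).lower()                 # substring


def parse(query):
    """Tokenize a search string into (modifier, term) tuples and AND/OR keywords.
    Assumption: a term runs from its colon to the next modifier token or keyword.
    A term with no modifier gets modifier None (search all attributes)."""
    clauses = []
    for tok in query.split():
        if tok in ("AND", "OR"):
            clauses.append(tok)
        elif ":" in tok and tok[0] not in '"/':
            mod, term = tok.lstrip("!").split(":", 1)
            if tok.startswith("!"):          # !file:X is treated as file:!X
                term = "!" + term
            clauses.append((mod.lower(), term))
        elif clauses and isinstance(clauses[-1], tuple):
            mod, term = clauses[-1]          # continue a multi-word term
            clauses[-1] = (mod, term + " " + tok)
        else:
            clauses.append((None, tok))
    return clauses


def _group_matches(issue, group):
    """Page rule: different modifiers are ANDed; a repeated modifier is ORed."""
    by_mod = {}
    for mod, term in group:
        by_mod.setdefault(mod, []).append(term)
    for mod, terms in by_mod.items():
        if mod is None:
            values = list(issue.values())
        elif mod in issue:
            values = [issue[mod]]
        else:
            return False
        if not any(match_term(v, t) for t in terms for v in values):
            return False
    return True


def search(issues, query):
    """Return matching issues. AND/OR keywords join clause groups strictly
    left to right with equal priority, as the page states."""
    groups, ops, current = [], [], []
    for clause in parse(query):
        if clause in ("AND", "OR"):
            groups.append(current)
            ops.append(clause)
            current = []
        else:
            current.append(clause)
    groups.append(current)
    matches = []
    for issue in issues:
        result = _group_matches(issue, groups[0])
        for op, group in zip(ops, groups[1:]):
            rhs = _group_matches(issue, group)
            result = (result and rhs) if op == "AND" else (result or rhs)
        if result:
            matches.append(issue)
    return matches


if __name__ == "__main__":
    for q in ("file:ApplicationContext.java category:SQL Injection",
              "confidence:(2,4]", "suppressed:true comments:asdf"):
        print(q, "->", [i["file"] + " / " + i["category"] for i in search(SAMPLE_ISSUES, q)])
```

The left-to-right rule is worth testing explicitly: category:Path Manipulation OR category:SQL Injection AND file:Main.java yields one issue here (the OR is applied first), whereas AND-before-OR precedence would yield two. When writing variables or alerts against real search strings, that difference changes the counts an alert fires on.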
Chapter 7: Collaborative Auditing

Modifier: Description
[issue age]: Searches for the issue age, which is either removed, existing, or new.
<custom_tagname>: Searches the specified custom tag. Note that tag names that contain spaces must be delimited by square brackets. Example: [my tag]:value
analysis: Searches for issues that have the specified audit analysis value (such as exploitable, not an issue, and so on).
analyzer: Searches the issues for the specified analyzer.
audience: Searches for issues by intended audience. Valid values are targeted, medium, and broad.
audited: Searches the issues to find true if Primary Custom Tag is set and false if Primary Custom Tag is not set.
category: Searches for the given category or category substring.
comments: Searches the comments submitted on the issue.
(modifier name missing): Searches for issues with comments from a specified user.
confidence (con): Searches for issues that have the specified confidence value. Fortify Source Code Analyzer calculates the confidence value based on the number of assumptions made in code analysis. The more assumptions made, the lower the confidence value.
dynamic: Searches for issues that have the specified dynamic hot spot ranking value.
file: Searches for issues where the primary location or sink node function call occurs in the specified file.
(modifier name missing): Searches for issues that have a priority level that matches the specified priority determined by the HP Fortify analyzers. Valid values are critical, high, medium, and low, based on the expected impact and likelihood of exploitation. The impact value indicates the potential damage that might result if an issue is successfully exploited. The likelihood value is a combination of confidence, accuracy of the rule, and probability that the issue can be exploited. Software Security Center groups issues into folders based on the four priority values (critical, high, medium, and low) by default.
(modifier name missing): Searches for issues that have audit data modified by the specified user.
(modifier name missing): Searches for all issues in the specified kingdom.
(modifier name missing): Searches for all issues that have a confidence value up to and including the number specified as the search term.
<metagroup_name>: Searches the specified metagroup. Metagroups include [owasp top ten 2010], [sans top 25 2010], and [pci 2.1], and others. Square braces delimit field names that include spaces.
minconf: Searches for all issues that have a confidence greater than or equal to the specified value.
package: Searches for issues where the primary location occurs in the specified package or namespace. (For data flow issues, the primary location is the sink function.)
[primary context]: Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see sink, [source context].
(modifier name missing): Searches for all issues related to the specified sink rule.
(modifier name missing): Searches for all issues reported by the specified rule IDs used to generate the issue source, sink, and all passthroughs.
sink: Searches for issues that have the specified sink function name. Also see [primary context].
source: Searches for data flow issues that have the specified source function name. Also see [source context].
[source context]: Searches for data flow issues that have the source function call contained in the specified code context. Also see source, [primary context].
sourcefile: Searches for data flow issues with the source function call that the specified file contains. Also see: file
(modifier name missing): Searches issues that have the status reviewed, not reviewed, or under review.
suppressed: Searches for suppressed issues.
(modifier name missing): Searches for issues that have the specified taint flag.
trace: Searches for issues that have the specified string in the data flow trace.
tracenode: Enables you to search on the nodes within an issue's analysis trace. Each tracenode search value is a concatenation of the trace node's file path, line number, and additional information.
<no attribute>: Searches for issues that have any of the most common attributes that match the specified string.
To search for all file names that contain com/fortify/awb, type the following:
file:"com/fortify/awb"
To search for all paths that contain traces with mydbcode.sqlcleanse as part of the name, type the following:
trace:mydbcode.sqlcleanse
To search for all paths that contain traces with cleanse as part of the name, type the following:
trace:cleanse
To search for all issues that contain cleanse as part of any modifier, type the following:
cleanse
To search for all suppressed vulnerabilities with asdf in the comments, type the following:
suppressed:true comments:asdf
To search for all categories except for SQL Injection, type the following:
category:!SQL Injection
The top right panel includes the following tabs:
The Request tab displays the request of the issue highlighting the attack.
The Response tab displays the response of the issue highlighting the trigger.
The Stack Trace tab displays a SecurityScope stack trace.
The Steps tab (visible only if the steps are included in the WebInspect results file) displays the workflow that led to the discovery of an issue.
The top right panel includes the following two check boxes, which are selected by default:
Select the Auto-scroll check box to bypass any header information to automatically jump to the first highlighted section of the response or request.
Select the Wrap Text check box to format the text to fit within your current display area.
The Information icon is displayed to the right of the Auto-scroll and Wrap Text check boxes. If you want to leave your workspace layout as is, you can click this icon and view the information presented in the Request and Response tabs in a separate window with a larger viewing area.
The top left panel displays a summary of the data displayed on the Details tab on the bottom right panel. You can use the arrows in this summary panel to go forward or backward in the issue list. To return to the full issue list display, click the Issue List link.
The bottom right panel also includes the Details tab, which displays a summary of the type of potential vulnerability posed by the selected issue. To read more about the issue, scroll to the Reference Info section of the Details tab, and then click a link to open a separate browser window.
The Steps tab displays the workflow that led to the discovery of an issue. WebInspect captures the sequence of actions that occurred between a clean state of the scanned application up until the vulnerability was discovered. These steps are helpful if the workflow for a particular issue is difficult to reproduce. Note: The Steps tab is available only if the steps are included in the WebInspect results file.
The Screenshots tab, shown in the following screen capture, displays any screenshots transferred from WebInspect. You can add, edit, delete, and download screenshots from the Screenshots tab.
Note: If the selected value for Analysis has changed from Not an Issue or is missing, or if the Analysis list has been removed from your project version, then the false positive status of the issue is lost. The issue is marked as Suppressed.
3. From the Dynamic Scan Request list, select Create. The Dynamic Scan Request dialog box opens.
4. Provide values for the attributes listed in the following table.
Note: The following table does not list custom dynamic scan attributes that you or another Software Security Center administrator may have added to the system.
Dynamic Scan Attribute: Description
URL: URL of the site to scan
Site Login: Username required to log on to the site to scan
Site Passcode: Password to use to gain access to the site
Network Login: Username required for network authentication
Network Passcode: Password required for network authentication
Related Host Name(s): Allowable hosts for the application to scan
Web Services Used: Comma-delimited list of web services used by the application to scan
Technologies Used: Comma-delimited list of technologies used by the site to scan. Examples: SSO, WebSphere, SharePoint, Flash, Silverlight, Catalog Site, Shopping Cart
Compliance Implications: Provide information about any potential compliance implications
Allowable Scan Times: Dates and times during which the tester can perform the scan. Example: From 17:00 h to 06:00 h, Monday through Friday, from 09/03/12 to 11/30/12
Note: The dynamic tester who handles the scan request on WebInspect may be interested in additional project version attributes, such as business risk and compliance implications. The tester can use existing web services methods to retrieve those attributes for a project version.
5. Click Submit. Software Security Center displays a message to verify that the request submission was successful. Next, the WebInspect tester who monitors and responds to scan requests runs the scan during the hours you specified, and then uploads the results to Software Security Center.
2. From the Dynamic Scan Request list, select Last Scan Status.
Software Security Center displays the date and time the scan request was submitted, and request status information.
3. Edit the values for the dynamic scan attributes, and then click Submit.
To cancel a pending dynamic scan request, do the following:
Note: You can only cancel scan requests that you have submitted.
1. Navigate to the Issues tab on the details page for the project version for which you have requested a dynamic scan.
2. From the Dynamic Scan Request list, select Cancel. Software Security Center prompts you to confirm that you want to cancel the last dynamic scan request.
3. Click Yes.
Report types: Security at a Glance, Project Summary, Hierarchical Summary, Issue Trending, SSA Progress
Report sections (each report type includes a subset of these):
Summary
Glossary
Seven Pernicious Kingdoms Defs.
Instance Details, as Appendix
Category Descriptions, as Appendix
Security Issues
Projects in the System
Project Type Details
Enterprise Summary
Vulnerabilities Per Line of Code
Projects By Technical Risk
OWASP Top 10 2004 Definition
OWASP Top 10 2007 Definition
Project Description
Security Findings Summary
Security Findings Details
Instance Details (as Appendix)
Category Descriptions (as Appendix)
Technical Risk (as High, Medium, Low)
Requirement State
Requirement Progress
Activity State by Requirement
Project State, as icons
Contributing Users
Requirement Template Details (as Appendix)
Top 5 Risky Projects
Project Count By Technical Risk
Most Frequent Issues by Category
Top 10 Category Comparison
Overall Project Security By Technical Risk
Project Versions, list of
Issues by Project
Issues by Project, High Priority
Issues by Project, Critical Exposure
Issue Details
Issues by OWASP Top 10 2004
Issues by OWASP Top 10 2007
Issues by Kingdom
Issues by HP Fortify Priority Order
Overview (Projects, Scans, Lines of Code, Files)
Project Summary by Dev. Strategy
Reference (concise summary)
Overview (Process / Project T-plates, activity)
Details
Activity Summary
Issue Trending
Issue Breakdown, by categories
Audited Issue Details
Suppressed Issues
Removed Issue Details
Dependencies
Vulnerability Categories
Project Version State
Dependent Project Versions
Process Template Details
The following sections describe each type of report in greater detail.
You can choose to exclude the project summary and owner details categories from the report.
4. Use the Report Designer to add report design elements to the report definition, and add database queries to those design elements.
5. Use a local instance of Software Security Center to test the operation of the customized BIRT report before you import it into a production instance.
6. Import the customized report definition into Software Security Center. For information about importing report definitions into Software Security Center, see Importing Report Definitions into Software Security Center on page 109.
2. Download the Report Designer Full Eclipse Install for your operating system.
Software Security Center displays the Create Report Definition panel.
4. Configure the new report definition as follows:
   Type or choose the Name, Description, Report Engine, and Category settings.
   In the Template area, browse to the Software Security Center BIRT definition (with the rptdesign filename extension).
   In the Parameters area, click Add, and then type or choose the Name, Description, Identifier, and Data Type settings that correspond to those values in the BIRT template you are uploading.
5. Add one or more optional parameters to the new Software Security Center report definition.
6. To add the new report definition to the list of definitions, click Save.
Option                  Description
AnalysisUploadToken     Upload scan results to Software Security Center and list projects
AuditToken              Load details about current security issues and apply analysis tags
AnalysisDownloadToken   Download merged result files