SCA Tools & Advanced AWB Options, Static Training, October 2015
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The Static Suite (architecture diagram, reconstructed as a list)
• Static Analysis: SCA; source code management system; static analysis via build integration
• Dynamic Analysis: dynamic testing in QA or production
• Runtime Analysis: real-time protection of the running application
• Actual Attacks: hackers
• Vulnerability Management / Remediation: Audit Workbench, IDE plug-ins (Eclipse, Visual Studio, etc.) and secure coding plugins; developers (onshore or offshore)
• Application Lifecycle Normalization (scoring, guidance): correlate target vulnerabilities with common guidance and scoring
• Vulnerability Database: SSC Server; defects, metrics and KPIs used to measure risk; correlation (static, dynamic, runtime); threat intelligence; rules management
• Stakeholders: development, project and management
Software Scanning Process (flow diagram, reconstructed as steps)
1. Developers check in code to the code repository.
2. Scheduled check-out, build and scan: Static Code Analysis (SCA) runs as part of the build.
3. Scan results are uploaded to Fortify SSC.
4. An auditor (auditor / security) reviews the results.
5. Findings are submitted to the bug tracker.
6. The developer fixes the bug / security finding; repeat as necessary.
SCA Tools
Scan Wizard
• Step by step instructions
• Build integration support
• Generates a Windows or Unix script
• Perfect for running the same scan over and over
• Perfect for new users
FPRUtility

Merge 2 FPR files:
> FPRUtility -merge -project myAuditedProject.fpr -source myProject.fpr -f output.fpr

Extract FPR information:
> FPRUtility -information -signature -project myProject.fpr -f output.txt
> FPRUtility -information -errors -project myProject.fpr -f output.txt
> FPRUtility -information -categoryIssueCounts -project myProject.fpr -f output.txt
> FPRUtility -information -analyzerIssueCounts -project myProject.fpr -f output.txt
> FPRUtility -information -search -project myProject.fpr -query "file:foo.java" -f output.txt
ReportGenerator

Generating a command line report:
> ReportGenerator -format pdf -f outputFile.pdf -source myAuditedProject.fpr -template ScanReport.xml -filterSet HideXSS.xml -showHidden

fortifyclient & fortifyupdate

Manage FPRs on the SSC Server: upload FPRs / download FPRs / manage authentication tokens / list SSC projects / purge projects

Download rulepacks:
> fortifyupdate -acceptKey -coreDir <coreDir> -locale <locale> -url <url>
Advanced AWB Options
Filtering Results

Filter files: pass a filter file to the scan with -filter filter.txt. Each line of filter.txt is a category name, an issue instance ID (IID) or a rule ID to remove, for example:
#List of categories, IIDs and Rule IDs
Poor Logging Practice
60AC727CCEEDE041DE984E7CE6836177
823FE039-A7FE-4AAD-B976-9EC53FFE4A59

Scan time filters: -project-template ProjectTemplate.xml, or select a filter set from ProjectTemplate.xml with -Dcom.fortify.sca.FilterSet=OWASP_Filter_set
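As an added illustration (not part of the original slides or of the Fortify tools), the script below checks a filter file before it is handed to a scan and shows the effect such a file has on a set of issues. It classifies every line as a category name, a 32-hex-digit IID, a GUID-style rule ID, a comment, or an unrecognised line (a truncated ID, for instance, which would silently filter nothing), then removes matching issues from a constructed issue list. The sample filter file and the issue records are constructed for the example; the exact/case-insensitive matching rules are an assumption, not a statement of how sourceanalyzer matches.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample filter file in the shape the slide shows: one entry per
# line (a category name, a 32-hex-digit issue instance ID, or a GUID-style
# rule ID), '#' for comments. The last line is a deliberately truncated IID.
SAMPLE_FILTER = """\
#List of categories, IIDs and Rule IDs
Poor Logging Practice
60AC727CCEEDE041DE984E7CE6836177
823FE039-A7FE-4AAD-B976-9EC53FFE4A59
SQL Injection
60AC727CCEEDE041
"""

IID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
RULE_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# Category names start with a letter and may contain spaces, digits and a
# little punctuation, e.g. "Cross-Site Scripting: Reflected", "J2EE Bad Practices".
CATEGORY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ,:/()'\-]*$")

Issue = Dict[str, str]


def classify_line(line: str) -> str:
    """Return 'blank', 'comment', 'iid', 'rule_id', 'category' or 'unknown'."""
    s = line.strip()
    if not s:
        return "blank"
    if s.startswith("#"):
        return "comment"
    if IID_RE.match(s):
        return "iid"
    if RULE_ID_RE.match(s):
        return "rule_id"
    if CATEGORY_RE.match(s):
        return "category"
    return "unknown"


def parse_filter(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[int, str]]]:
    """Group valid entries by kind and report (line number, text) for every line
    that matches none of the expected shapes, so the file can be fixed first
    (assumption: an unrecognised line would otherwise match nothing)."""
    entries: Dict[str, List[str]] = {"category": [], "iid": [], "rule_id": []}
    problems: List[Tuple[int, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        kind = classify_line(line)
        if kind in ("blank", "comment"):
            continue
        if kind == "unknown":
            problems.append((number, line.strip()))
            continue
        entries[kind].append(line.strip())
    return entries, problems


def apply_filter(issues: List[Issue], entries: Dict[str, List[str]]) -> List[Issue]:
    """Drop every issue whose category, instance ID or rule ID is listed.
    Assumed semantics: exact match on category, case-insensitive on hex IDs."""
    categories = set(entries["category"])
    iids = {i.upper() for i in entries["iid"]}
    rule_ids = {r.upper() for r in entries["rule_id"]}
    return [
        issue for issue in issues
        if issue["category"] not in categories
        and issue["iid"].upper() not in iids
        and issue["rule_id"].upper() not in rule_ids
    ]


# Constructed issue records standing in for the contents of an FPR.
SAMPLE_ISSUES: List[Issue] = [
    {"category": "Poor Logging Practice", "iid": "0" * 32,
     "rule_id": "00000000-0000-0000-0000-000000000001"},   # removed by category
    {"category": "Cross-Site Scripting: Reflected", "iid": "60ac727cceede041de984e7ce6836177",
     "rule_id": "00000000-0000-0000-0000-000000000002"},   # removed by IID (case-insensitive)
    {"category": "Path Manipulation", "iid": "1" * 32,
     "rule_id": "823FE039-A7FE-4AAD-B976-9EC53FFE4A59"},   # removed by rule ID
    {"category": "Path Manipulation", "iid": "2" * 32,
     "rule_id": "00000000-0000-0000-0000-000000000003"},   # kept
]


if __name__ == "__main__":
    found, bad = parse_filter(SAMPLE_FILTER)
    for number, text in bad:
        print(f"line {number}: not a category, IID or rule ID: {text!r}")
    kept = apply_filter(SAMPLE_ISSUES, found)
    print(f"{len(SAMPLE_ISSUES) - len(kept)} issue(s) removed, {len(kept)} kept")
```

Running it flags line 6 of the sample file as unrecognised and removes three of the four constructed issues. Note that a category entry removes every issue of that category regardless of its audit status, so a filter file belongs under version control next to the scan script that uses it.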
Creating FPRs without Source Code

Bring down scan time and reduce the FPR size with:
-Dcom.fortify.sca.FPRDisableMetatable=true*
*Undocumented property

FPR contents by scan option:
• Normal scan, including both source and snippets
• Scan run with -disable-source-bundling
• Scan run with -disable-source-bundling and -Dcom.fortify.sca.FVDLDisableSnippets=true
Opening Large FPRs

Set in <SCA Install Directory>/Core/config/fortify.properties:

com.fortify.DisableProgramInfo=true
This disables use of the code navigation features within AWB.

com.fortify.model.IssueCutOffStartIndex=<number> (inclusive)
com.fortify.model.IssueCutOffEndIndex=<number> (exclusive)
The IssueCutOffStartIndex property is inclusive and IssueCutOffEndIndex is exclusive, so that you can specify a subset of issues you wish to see. E.g. to see the first 100 issues, you can specify:
com.fortify.model.IssueCutOffStartIndex=0
com.fortify.model.IssueCutOffEndIndex=101
However, because IssueCutOffStartIndex is 0 by default, it can be left out.

com.fortify.model.IssueCutOffByCategoryStartIndex=<number> (inclusive)
com.fortify.model.IssueCutOffByCategoryEndIndex=<number> (exclusive)
These are similar to the above properties, except that they apply to every category. E.g. if you wanted to see the first 5 issues for every category, you would specify:
com.fortify.model.IssueCutOffByCategoryEndIndex=6

com.fortify.RestrictIssueLoading=true
This restricts the data that is held in memory, but may cause poor performance.

com.fortify.model.MinimalLoad=true
This restricts a lot of data from being loaded from the FPR so that only the bare minimum information is loaded. This will also restrict usage of the Functions view and may prevent the source being loaded from within the FPR.

com.fortify.model.MaxEngineErrorCount=<number>
Available from v4.20. Limits the number of errors loaded with the FPR. For projects with a large number of scan warnings this can significantly reduce both load time in AWB and the amount of memory required to
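Because these properties live in a global fortify.properties, they affect every FPR opened in AWB until they are removed; a cut-off or MinimalLoad left behind means the next auditor silently sees only a subset of issues. The helper below is an added example (not part of the slides or of Fortify) that writes a chosen set of the properties above into a properties file while preserving its other lines and comments, and removes exactly those keys again afterwards. The file path, the sample file contents and the large_fpr_profile / set_properties / remove_properties helper names are all constructed for the example; the index values are passed through unchanged, in the inclusive-start / exclusive-end form the slide describes.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

# The properties from the slide, kept together for reference.
LARGE_FPR_KEYS = (
    "com.fortify.DisableProgramInfo",
    "com.fortify.model.IssueCutOffStartIndex",
    "com.fortify.model.IssueCutOffEndIndex",
    "com.fortify.model.IssueCutOffByCategoryStartIndex",
    "com.fortify.model.IssueCutOffByCategoryEndIndex",
    "com.fortify.RestrictIssueLoading",
    "com.fortify.model.MinimalLoad",
    "com.fortify.model.MaxEngineErrorCount",
)


def _is_setting(stripped: str) -> bool:
    """True for a key=value line; comments ('#' or '!') and blanks are not settings."""
    return bool(stripped) and not stripped.startswith(("#", "!")) and "=" in stripped


def read_properties(path) -> Dict[str, str]:
    """Minimal reader for the key=value lines of a Java-style properties file."""
    props: Dict[str, str] = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        stripped = raw.strip()
        if _is_setting(stripped):
            key, value = stripped.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def set_properties(path, updates: Dict[str, str]) -> Dict[str, str]:
    """Rewrite key=value lines for keys in `updates`, append keys not yet present,
    and leave every other line (comments, unrelated settings) untouched."""
    target = Path(path)
    lines = target.read_text(encoding="utf-8").splitlines() if target.exists() else []
    pending = dict(updates)
    out = []
    for raw in lines:
        stripped = raw.strip()
        if _is_setting(stripped):
            key = stripped.split("=", 1)[0].strip()
            if key in pending:
                out.append(f"{key}={pending.pop(key)}")
                continue
        out.append(raw)
    out.extend(f"{key}={value}" for key, value in pending.items())
    target.write_text("\n".join(out) + "\n", encoding="utf-8")
    return read_properties(target)


def remove_properties(path, keys: Iterable[str]) -> Dict[str, str]:
    """Delete the given keys; remaining lines keep their original order."""
    target = Path(path)
    drop = set(keys)
    out = []
    for raw in target.read_text(encoding="utf-8").splitlines():
        stripped = raw.strip()
        if _is_setting(stripped) and stripped.split("=", 1)[0].strip() in drop:
            continue
        out.append(raw)
    target.write_text("\n".join(out) + "\n", encoding="utf-8")
    return read_properties(target)


def large_fpr_profile(*, end_index: Optional[int] = None,
                      category_end_index: Optional[int] = None,
                      max_engine_errors: Optional[int] = None,
                      disable_program_info: bool = True,
                      minimal_load: bool = False) -> Dict[str, str]:
    """Build the property set for one viewing session (hypothetical helper).
    Indices are written exactly as given: start inclusive, end exclusive."""
    for name, value in (("end_index", end_index),
                        ("category_end_index", category_end_index),
                        ("max_engine_errors", max_engine_errors)):
        if value is not None and value <= 0:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    props: Dict[str, str] = {}
    if disable_program_info:
        props["com.fortify.DisableProgramInfo"] = "true"
    if end_index is not None:
        props["com.fortify.model.IssueCutOffStartIndex"] = "0"  # the default, written out for clarity
        props["com.fortify.model.IssueCutOffEndIndex"] = str(end_index)
    if category_end_index is not None:
        props["com.fortify.model.IssueCutOffByCategoryEndIndex"] = str(category_end_index)
    if max_engine_errors is not None:
        props["com.fortify.model.MaxEngineErrorCount"] = str(max_engine_errors)
    if minimal_load:
        props["com.fortify.model.MinimalLoad"] = "true"
    return props


def demo():
    """Apply a profile to a constructed fortify.properties in a temp directory,
    then clear only the keys that profile set; returns both property maps."""
    path = os.path.join(tempfile.mkdtemp(), "fortify.properties")
    Path(path).write_text("# constructed sample\ncom.fortify.model.MinimalLoad=false\n"
                          "some.other.setting=1\n", encoding="utf-8")
    profile = large_fpr_profile(category_end_index=6, max_engine_errors=500)
    after_set = set_properties(path, profile)
    after_clear = remove_properties(path, profile)  # a dict iterates its keys
    return after_set, after_clear


if __name__ == "__main__":
    applied, cleared = demo()
    print("applied:", applied)
    print("cleared:", cleared)
```

Point it at the real <SCA Install Directory>/Core/config/fortify.properties and wrap the two calls around the AWB session so that the cut-offs are in force only while the large FPR is being examined.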
Questions?
Follow up tasks…
• Review the SCA Utilities Guide: https://protect724.hp.com/docs/DOC-12311
• Use Scan Wizard to create a script to scan WebGoat. Once done, audit a selection of your results in AWB.
• Perform a fresh scan and use FPRUtility to merge your 2 sets of results.
• Use FPRUtility to list all of the .jsp files scanned in your WebGoat.fpr.
• Generate a Developer Workbook report using the ReportGenerator tool.
• Run a scan with a filter file to remove all SQL Injection issues.
• Create an FPR file without source code.