
HP Fortify Software Security Center

Software Version 3.90

User Guide

Document Release Date: June 2013
Software Release Date: June 2013

Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
Copyright 2013 Hewlett-Packard Development Company, L.P.

Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number, which indicates the software version
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to: http://h20230.www2.hp.com/selfsolve/manuals

This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: http://h20229.www2.hp.com/passport-registration.html

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-153-2013-06-390-01

Contents
Preface . . . vii
  Contacting HP Fortify . . . vii
    Technical Support . . . vii
    Corporate Headquarters . . . vii
    HP Corporate Website . . . vii
  About the HP Fortify Software Security Center Documentation Set . . . vii
  HP Fortify Assistive Technologies (Section 508) . . . vii
Chapter 1: Introduction . . . 8
  Intended Audience . . . 8
  Related Documents . . . 8
Chapter 2: Getting Started with Software Security Center . . . 9
  About the Central Role of Software Security Center . . . 9
    Security Management Workflow . . . 10
  About User Accounts and Access . . . 10
    About Active Directory/LDAP Integration . . . 10
    Logging on to Software Security Center for the First Time . . . 11
    Requesting Access to HP Fortify Software Security Center . . . 12
  Accessing Process Guidance . . . 13
  About the Software Security Center Dashboard . . . 14
    Changing Your Account Information . . . 15
    Configuring Dashboard Preferences . . . 15
    Accessing HP Fortify Training Content . . . 18
  About the Runtime Tab . . . 19
    Runtime Events . . . 19
Chapter 3: Managing User Accounts . . . 20
  About Software Security Center User Account Management . . . 20
    About Administrator Accounts . . . 20
    About Security Lead Accounts . . . 20
    Manager Accounts . . . 21
    Developer Accounts . . . 22
  Modifying Your Own User Account Information . . . 23
    Customizing User Account Preferences . . . 23
  Tracking Teams . . . 23
  Roles . . . 24
    Creating Custom Roles . . . 25


  About Software Security Center Account Administration . . . 29
    Creating Local User Accounts . . . 29
    Registering LDAP Entities with Software Security Center . . . 31
Chapter 4: Software Security Center Projects and Project Versions . . . 32
  About Tracking Development Teams . . . 32
    Projects and Project Versions . . . 32
    About Strategies for Creating Project Versions . . . 33
    About Annotating Project Versions for Reporting . . . 33
  Displaying the Projects Page . . . 34
    Project Icons . . . 35
  About the Project Creation Process . . . 36
    About Project Version Types . . . 36
    About Project Dependencies . . . 36
    About Project Version Attributes . . . 36
    About Project Template Selection . . . 37
    About Process Templates for SSA Projects . . . 38
  About Creating Project Versions . . . 39
    Adding Project Versions . . . 39
  About Using Bug Tracking Systems to Help Manage Security Vulnerabilities . . . 43
    Configuring Access to a Bug Tracker . . . 43
    Configuring Bug Tracking for a Project Version . . . 43
    About Using State Management to File Many Issues . . . 44
  Changing the Project Template Associated with a Project Version . . . 46
  Project On-Boarding . . . 48
    Requesting Project Attribute Information . . . 48
  Setting Analysis Result Processing Rules for Project Versions . . . 53
  About Custom Tags . . . 55
    Defining Custom Tags in Software Security Center . . . 55
    Adding a Custom Tag . . . 56
    Modifying Custom Tag Attributes . . . 57
    Globally Hiding a Custom Tag . . . 58
    Deleting Custom Tags . . . 58
    Adding a Value for a Custom Tag . . . 59
    Changing a Value for a Custom Tag . . . 59
    Deleting a Value for a Custom Tag . . . 60
    Associating a Custom Tag with a Project Template . . . 60
    Viewing the Custom Tags Associated with a Project Template . . . 61
    Disassociating a Custom Tag from a Project Template . . . 62
    Associating a Custom Tag with a Project Version . . . 63
    Disassociating a Custom Tag from a Project Version . . . 64
    Adding a Custom Tag Value While Auditing an Issue . . . 64


    Managing Custom Tags Through Project Templates . . . 65
    Managing Custom Tags Through a Project Template in an FPR File . . . 65
  About CloudScan in Software Security Center . . . 66
Chapter 5: SSA Project Version Requirements . . . 68
  About the Requirements Page . . . 68
  Displaying the Requirements Detail Page . . . 68
  About Process Requirements and Activities . . . 69
  About Activities, Requirements, and Process Templates . . . 70
    About SSA Project Sign Offs . . . 70
    About Sign-Off Personas . . . 70
    About Signing Off Activities . . . 70
    About Multi-Persona Sign Offs . . . 70
    About Signing Off Requirements . . . 71
    Overview of Sign Off Process Templates . . . 71
  Assigning User Accounts to Personas . . . 71
    Assigning a Power User . . . 72
  About Process Template Work Owners . . . 72
    About Assignment of Work Owners to Personas . . . 73
  About Software Security Center Persona Management . . . 73
    Viewing and Editing Personas . . . 74
    Deleting Personas . . . 75
  Adding Tasks to Activities . . . 75
  About Adding Status Alerts to Requirements and Activities . . . 75
  About Working with Document Artifacts . . . 76
Chapter 6: Variables, Performance Indicators, and Alerts . . . 77
  About Working with Variables . . . 77
    About Variable Syntax and Search Strings and Search String Modifiers . . . 77
    Creating Variables . . . 80
  About Performance Indicators . . . 81
    Creating Performance Indicators . . . 81
  About Alert Definitions . . . 83
    Creating Alert Definitions . . . 83
    Setting Alert Notification Preferences . . . 84
Chapter 7: Collaborative Auditing . . . 85
  About Auditing . . . 85
    About Current Issues State . . . 85
    About Audit Conflicts . . . 85
  Starting the Collaboration Module . . . 86
  About Collaboration Module Display Modes . . . 87

  Auditing Issues with Collaboration Module . . . 88
  About Searching Issues . . . 89
    About Search Modifiers . . . 90
    Search Query Examples . . . 92
  About HP Fortify Software Security Center and WebInspect Enterprise Integration . . . 93
    Viewing WebInspect Scan Results in Software Security Center . . . 93
    About WebInspect Audit Data . . . 96
    About False Positives . . . 96
    Requesting Dynamic Scans . . . 97
    Viewing the Status of the Last Dynamic Scan Request . . . 98
  Mapping Scan Results to External Lists . . . 101
Chapter 8: Software Security Center Reports . . . 102
  Generating and Viewing Reports . . . 102
  About Software Security Center Reports . . . 103
  About Software Security Center Issue Reports . . . 105
    OWASP 2004, 2007, 2010 Reports . . . 105
    PCI Compliance: Application Security Report . . . 105
    Penetration Testing Correlation . . . 106
    Seven Pernicious Kingdoms Report . . . 106
  Understanding Software Security Center Portfolio Reports . . . 106
    Hierarchical Summary Report . . . 106
    Hierarchical Trending Report . . . 106
    Issue Trending Report . . . 106
    Key Performance Indicators Report . . . 106
    Security at a Glance Report . . . 106
  About HP Fortify Software Security Center Project Reports . . . 107
    Overview of the Project Summary Report . . . 107
  About Software Security Center SSA Portfolio Reports . . . 107
    About the SSA Progress Report . . . 107
  About Software Security Center SSA Project Reports . . . 107
    About the SSA Project Summary Report . . . 107
  About BIRT Reports in Software Security Center . . . 108
    About BIRT Libraries . . . 108
    About BIRT Report Customization . . . 108
    Acquiring the BIRT Report Designer . . . 109
    Exporting Report Definitions from Software Security Center . . . 109
    Importing Report Definitions into Software Security Center . . . 109
  About Authorization Tokens . . . 111
    Advanced Authorization Tokens . . . 111


Preface
Contacting HP Fortify
If you have questions or comments about any part of this guide, use the HP Fortify contact information provided in the following sections.

Technical Support
650.735.2215
fortifytechsupport@hp.com

Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600
contact@fortify.com

HP Corporate Website
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set


The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. It also includes technical notes and release notes that describe new features, known issues, and last-minute updates. The latest versions of these documents are available on the HP Software Product Manuals site (http://h20230.www2.hp.com/selfsolve/manuals).

HP Fortify Assistive Technologies (Section 508)


In accordance with Section 508 of the U.S. Rehabilitation Act, HP Fortify Software Security Center, HP Fortify Audit Workbench, HP Fortify Plug-in for Eclipse, and HP Fortify Package for Microsoft Visual Studio have been engineered to work with the JAWS screen-reading software package from Freedom Scientific. JAWS provides text-to-speech support for use by the visually impaired. With JAWS, labels, text boxes, and other textual components can be read aloud, providing greater access to the information therein. For information about how to use JAWS, see the HP Fortify Software Security Center System Requirements document. For additional information or assistance, visit HP Accessibility at http://www.hp.com/accessibility.


Chapter 1: Introduction
This document contains information and procedures that enable you to install HP Fortify Software Security Center and perform the post-installation configuration tasks required to prepare the product for use.

Intended Audience
This guide is intended for use by enterprise security leads, development team managers, and developers.

Software Security Center provides security team leads with a high-level overview of the history and current status of a project. Your security team can then ensure that both developers and auditors work effectively together to provide the best response to project issues.

Software Security Center provides auditors with a centralized facility for managing issues. If the manager needs to work offline or with the advanced tools that HP Fortify Audit Workbench offers, current project state and up-to-date auditing information are made available for download.

Managers can use Software Security Center to prioritize issues to reflect the needs of the enterprise. That prioritization can then be used to prioritize the activities of the project development team.

Developers are responsible for creating and maintaining one or more code bases that conform to secure coding practices. Software Security Center provides a focal point for managing and transmitting information about specific issues received from analysis agents to supported Integrated Development Environments (IDEs), or to standalone clients such as HP Fortify Audit Workbench. Developers can then use the project snapshots produced by Software Security Center to measure their progress through the Secure Development life cycle.

Related Documents
The following documents provide additional information about Software Security Center:

HP Fortify Software Security Center Installation and Configuration Guide
This document provides system and database administrators with complete instructions on how to install and configure Software Security Center server software.

HP Fortify Software Security Center System Requirements
This document provides system and database administrators with the minimum and recommended requirements for installing and using Software Security Center server software.

Software Security Center online Process Guide
Software Security Center's online Process Guide provides information about how to use Software Security Center based on the role you play on your team. For information about how to access the Process Guide, see Accessing Process Guidance on page 13.


Chapter 2: Getting Started with Software Security Center


Software Security Center is a browser-based product that provides a set of capabilities across the software development lifecycle to automate detection of security vulnerabilities in applications. It helps your security and development teams work together to resolve security flaws quickly and accurately by making correlated data from HP Fortify Static Code Analyzer (SCA), HP WebInspect, and HP Fortify Runtime Application Protection available through its online collaboration environment.

About the Central Role of Software Security Center


Software Security Center provides a location for collecting, correlating, and exporting security analysis results. The Software Security Center server resides in a central location and receives results from different security activities, such as static, dynamic, and real-time analyses.

Software Security Center is designed to help you:
- Identify and prioritize a baseline of existing vulnerabilities
- Prevent new vulnerabilities from being introduced
- Remediate existing vulnerabilities and lower the baseline
- Ensure that your code is in compliance with internal and external security mandates

Software Security Center works within your organization to answer the following questions:
- How do we drive the adoption of good application security practices?
- How do we get actionable results to development teams?
- Do we measure application teams on a team-by-team basis or as a unit?
- How do we track results over time?


Security Management Workflow


The following figure illustrates the flow of security management processes within Software Security Center.
Figure 1: Security Management Workflow in Software Security Center

As scans are performed during development sprints, development teams submit periodic scan results from a continuous integration server into Software Security Center. Security teams submit periodic results of a dynamic assessment into Software Security Center. Software Security Center correlates and tracks the scan results and assessment results over time, and makes the information available to developers through the Audit Workbench web interface, or through IDE plug-ins such as the HP Fortify Plug-in for Eclipse, the HP Fortify Package for Microsoft Visual Studio, and others. Users can also push issues into defect tracking systems, including HP ALM, JIRA, and Bugzilla.

About User Accounts and Access


Software Security Center supports two methods of authentication:

Local user accounts created within the interface
Active Directory/LDAP accounts associated with standard corporate authentication (Active Directory/LDAP integration supports user assignment by group or organizational unit.)

About Active Directory/LDAP Integration


Active Directory/LDAP integration enables Software Security Center to authorize users based on their existing corporate credentials. In addition, assignment by group or organizational unit enables Software Security Center to take advantage of the existing joiners/leavers processes. A new person who joins a group automatically has access to Software Security Center. A person who leaves a group automatically loses access. The Software Security Center installer must configure the integration with the Active Directory/LDAP during Software Security Center installation. For detailed information, see the HP Fortify Software Security Center Installation and Configuration Guide.


Logging on to Software Security Center for the First Time


To log on to Software Security Center, your Software Security Center Administrator must provide you with the URL for Software Security Center, a username, and a password.

Note: If you do not yet have a Software Security Center user account, you can request one from the administrator. For information, see Requesting Access to HP Fortify Software Security Center.

To log on to Software Security Center for the first time:

1. To make sure that you access the newest version of the Software Security Center user interface, clear your web browser's cache.

2. In a web browser, type the URL for your Software Security Center instance, as follows:

   If Software Security Center is configured to use secure HTTP protocol, type the following URL:
   https://[host_IP]:[port]/ssc/
   where [port] represents the port number used by your application server.

   If Software Security Center is configured to use insecure HTTP protocol (not recommended), type the following URL:
   http://[host_IP]:[port]/ssc/
   where [port] represents the port number used by your application server.

   The default logon credentials for a new Software Security Center installation are username admin and password admin. You must change your credentials at your first logon.

3. In both the Username and Password boxes, type admin.

4. Change your credentials when Software Security Center prompts you to do so.


Requesting Access to HP Fortify Software Security Center


If you do not yet have a Software Security Center user account, you can request one from the administrator.

To request a Software Security Center user account:

1. At the bottom of the Software Security Center logon screen, click the Request Access link.
   Note: The Request Access link is available only if your Software Security Center administrator has enabled email notification.
   The Account Request screen opens.

2. Complete the required fields, and then click Send.

3. After you see the message indicating that your request was successfully sent, click OK.
   The account creation request is sent to your Software Security Center Administrator.


Accessing Process Guidance


Software Security Center's online Process Guide provides information about how you can most effectively use SSC based on the role you play on your team. You can access the Process Guide from the SSC logon screen.

To access the Process Guide:

Go to the HP Fortify Software Security Center logon screen, as described in Logging on to Software Security Center for the First Time on page 11, and then click the Learn About link.

The Software Security Center Process Guide opens in your browser. Review the steps detailed on the Process Guide pages.


About the Software Security Center Dashboard


After you log on to Software Security Center, the Dashboard is displayed.

By default, the Software Security Center Dashboard displays four panels or pods, which summarize various aspects of the Software Security Center project versions and features that you can access. The available pods are:

Pod                     Description
Alert Notifications     A list of alert notifications that the user has chosen to receive.
Assigned Activities     Activities that the logged-in user needs to perform.
Issues                  A graph that depicts the status of issues in the system. The user can choose either Trend or Current Issues.
Audit Status            Shows the audit status, which includes a count of issues that have been audited and a measure of the activity level during the last seven days.
Project Inventory       Graphical display of project inventory grouped by a specified attribute.
Project Security State  Graphical display of the state of projects (Not Started, In Progress, Awaiting Sign Off).
Requirement State       Graphical display of signed-off project requirements.
Runtime Host Status     List of runtime hosts with their status.
Runtime Events          Graphical display of runtime events. The user can choose from Trend, Pie, and Column graphs.


Changing Your Account Information


After you log on to Software Security Center, you can change your account information, including your password.

To change your account information:

1. On the right side of the Software Security Center banner, click the Account link.
   The Modify Account dialog box opens.

2. To change your first name, your last name, or your email address, select the default value in the corresponding box, and then type a new value.

3. To change your password:
   a. Click Change Password. The Change Password dialog box opens.
   b. In the Password box, type your existing password.
   c. In the New Password box, type a new password.
   d. In the Confirm Password box, re-type the new password.
   e. Click Save.

4. To save all changes to your account, in the Modify Account dialog box, click Save.

Configuring Dashboard Preferences


The Software Security Center Dashboard provides a paging configuration that allows a high degree of customizability. Methods of customizing the Dashboard include the following:

After Software Security Center starts, new pages are created for the pods. These are named Page 1 through Page n, where n is the number of pages required to hold all of the pods. To switch to a different page, click its page button.
To change the name of a page, double-click the page button.
To add new pods, use the preferences as before. These pods are allocated to the pages as space is available. So, if a slot is open on the first page, the pod is added to that page.
To move a pod to a specific page, click the down arrow button in the pod title bar. This presents a menu of the pages that have open slots for pods. In addition, a Create New Page option brings up a dialog box where you can specify the name of a new page for the pod.

The following limitations apply to the Software Security Center Dashboard paging configuration:

If a page displays only one pod, and you move the pod off that page, the page is deleted.
If a page displays only one pod, the create page option is not available. Simply rename the page.
You cannot arbitrarily remove a page of pods.
You can maximize only one pod across the entire set of pages.
You cannot change the order of the pages.

Customizing the Dashboard Appearance


To customize the appearance of the Software Security Center Dashboard: 1. In the top right of the Dashboard, click Preferences. The Modify Preferences dialog box opens to the Dashboard tab.


2. Perform one or more of the tasks listed in the following table:

   Customization: Specify the pods to display
   Steps:
   1. On the Dashboard tab, click Pods.
   2. In the Pods Displayed section, select the check boxes for the pods to display in your Dashboard view.

   Customization: Change the names of Dashboard pages
   Steps:
   1. On the Dashboard tab, click Pods.
   2. In the Tab Names section of the Dashboard tab, select a page name, and then type a new page name to replace it.

   Customization: Specify the project versions to display
   Steps:
   1. On the Dashboard tab, click Project Versions.
   2. Under Project Versions Displayed, select one of the following options:
      To display the last ten project versions, based on recent activity, leave Default selected.
      To open a list of the project versions currently displayed so that you can then modify that list, select Custom.
      Select All to display all project versions.

   Customization: Remove a project version from the list of projects displayed
   Steps:
   1. On the Dashboard tab, click Project Versions.
   2. Under Project Versions Displayed, select the Custom option.
   3. Select the project version name or names to remove, and then click Remove.

   Customization: Add a specific project version that is not displayed to the list
   Steps:
   1. On the Dashboard tab, click Project Versions.
   2. Under Project Versions Displayed, select the Custom option.
   3. Click Add. The Select Project Versions dialog box opens.
   4. To display all versions of a project, select the check box next to the project name. Alternatively, to display specific project versions, select the check boxes next to the project version names.

   Customization: Enable or disable email alerts (alert notifications are visible by default on the Dashboard of all recipients)
   Steps:
   1. Click the Alert Notifications tab.
   2. Select the Email Alert Notifications check box to send email alerts in addition to the alerts visible on the Dashboard.

   Customization: Configure runtime notification options
   Steps:
   If runtime is enabled on your Software Security Center installation, do the following: To receive runtime notifications of security events flagged by the runtime system as alerts, on the Alert Notifications tab, click Runtime Alerts, and then select the Receive Runtime Alert Notifications check box.

   Customization: Specify date and time formatting
   Steps:
   1. Click the Display tab.
   2. From the Date Format list, select a format for dates displayed in Software Security Center.
   3. From the Time Format list, select the format for times displayed in Software Security Center.


3. Click Save. Software Security Center saves the settings and displays your customized Dashboard. Software Security Center Dashboard pods display the same information as that displayed on the Software Security Center Project details pages.

Accessing HP Fortify Training Content


You can access HP Fortify's self-paced training modules from the Software Security Center Dashboard.

To go to the training site for HP Fortify products:

1. On the right side of the Software Security Center banner, click the eLearning link.
   The HP Fortify eLearning logon screen opens.

2. If you have an account for the eLearning site, submit your credentials and log on to the site. If you do not have logon credentials for the eLearning site, request access to the site, as follows:
   a. Under Is this your first time here?, click Fortify-Education@HP.com. An email template opens.
   b. Type a request for a new eLearning site account, and send the email. Although it might take a day or so, a Fortify Technical Support team member will send you account information.
   After you log on, the site lists the training modules available for products in the HP Fortify suite.

3. Select a training module to open and complete at your own pace.


About the Runtime Tab


HP Fortify Runtime Application Protection (Runtime Application Protection) is built on top of the HP Fortify runtime platform. Runtime Application Protection can run in either stand-alone or federated mode. In federated mode, multiple Runtime Application Protection hosts may be connected to Software Security Center, which acts as the runtime controller. The Runtime Application Protection hosts send runtime events and logs to Software Security Center, and Software Security Center sends configuration and Rulepacks to the Runtime Application Protection hosts. This facilitates central configuration management. It also enables you to conduct performance event analysis across multiple Runtime Application Protection hosts, which you cannot do in stand-alone mode. For example, say you have multiple hosts serving up a single application, and you want to set up an alert that gets triggered after a given number of invalid logins are detected across the Runtime Application Protection hosts. Because the events are all federated across Software Security Center, Software Security Center can track the invalid logins across all Runtime Application Protection hosts.

Users who focus on the Runtime tab differ from those concerned with the Projects tab. Typically, the Development and the Security teams focus on the Projects tab because they are concerned with a project during its development. Operations teams focus on the Runtime tab because they are concerned with a product in deployment.

If both of the following are true, then your installation of Software Security Center includes a Runtime tab:

Your HP Fortify license file enables you to run Runtime Application Protection.
The system administrator who installed Software Security Center explicitly enabled Software Security Center to communicate with Runtime Application Protection.

For information about how to use the Runtime tab, see the HP Fortify Runtime Application Protection Operator Guide.

Runtime Events
Events are occurrences in the system that are of particular interest. As events are tracked, they are displayed on the Runtime tab in Software Security Center, which is automatically refreshed as events occur. You can view events in different ways in the several charts available in Software Security Center. You can search on any event attribute. For example, if you specify the search criterion Category Contains SQL, the Runtime tab lists all events in the SQL injection category. You can also export events resulting from a search as an event log in the same format that you would get from a stand-alone Runtime Application Protection instance. You could then import that event log into a project version where the events become Runtime Application Protection issues.


Chapter 3: Managing User Accounts


About Software Security Center User Account Management
In accordance with secure deployment guidelines, the HP Fortify Software Security Center Installation and Configuration Guide directs the primary system administrator of a new installation of Software Security Center to create a non-default Administrator-level account, and then to delete the default admin account. The non-default Software Security Center Administrator account is used to create additional Software Security Center user accounts.

Software Security Center supports the following four default user accounts, in order of descending level of privilege:

Administrator
Security Lead
Manager
Developer

The following sections provide information about each of these account types. For information about managing Software Security Center personas, see About Software Security Center Persona Management on page 73. This section contains information about Software Security Center roles, user account administration, and how to register AD/LDAP entities with Software Security Center.

About Administrator Accounts


Users who have Administrator accounts have complete access to all Software Security Center user and project version data and can manage the entire Software Security Center system. Only users who have Administrator accounts can create, edit, or delete other user accounts. HP Fortify recommends that you create only the Administrator-level accounts necessary to create and edit local or LDAP Software Security Center user accounts. The Security Lead and lesser accounts can perform all other project-related activity. Software Security Center permits the explicit addition of Administrator-level accounts to project versions. This enables Administrator users to be assigned issues from the Software Security Center Collaboration Module.

About Security Lead Accounts


Use Security Lead accounts to perform overall administration of one or more project versions, including the Managers and Developers assigned to collaborate on those project versions. Table 1 summarizes the read (view) and write (create or modify) privileges available to a Security Lead account.

Table 1: Summary of Security Lead Account Read (R) and Write (W) Privileges

Functional Area                 R  W  Comments
Access, to project versions     X  X  Project versions the Security Lead created or to which the Security Lead account is assigned
Alerts                          X  X
Artifact, Documents             X  X
Artifact, FPR                   X  X
Event Log                       X     View all event logs
Performance Indicators          X  X
Personas                        X  X  Create, update, and re-sort
Process templates               X  X  Upload, download, and delete
Project templates               X  X
Project versions                X  X  Create, manage assigned
Reports                         X  X  Add, edit, or delete report definitions
Rulepacks                       X  X  Import or delete
Template Assignment Policies    X  X
Users: local and LDAP           X     Only Administrator accounts can create or edit users
Variables                       X  X

Manager Accounts

With a Manager account, you can manage the secure development of the Software Security Center project versions to which you are assigned and perform tasks such as assigning one or more Developer accounts to the project version. Table 2 summarizes the read (view) and write (create or modify) privileges for a Manager account.

Table 2: Summary of Manager Account Read (R) and Write (W) Privileges

Functional Area                 R  W  Comments
Access, to project versions     X  X  Project versions they are assigned
Alerts                          X  X  Create for assigned project versions
Artifact, Documents             X
Artifact, FPR                   X  X
Event Log                       X     View events for assigned project versions only
Performance Indicators          X
Personas                        X
Process templates               X  X  View all, update for assigned project versions
Project templates               X
Project versions                X  X  Delete or retire only assigned project versions
Reports                         X  X  View or generate reports
Rulepacks                       X     Export
Template Assignment Policies    X
Users, local and LDAP           X     Only Admin accounts can create or edit users
Variables                       X  X

Developer Accounts

With a Developer account, you can perform secure development tasks for the Software Security Center project versions to which you are assigned. Table 3 summarizes the read (view) and write (create or modify) privileges for a Developer account.

Table 3: Summary of Developer Account Read (R) and Write (W) Privileges

Functional Area                 R  W  Comments
Access, to project versions     X     For project versions they have been assigned
Alerts                          X  X  Create for assigned project versions
Artifact, Documents             X
Artifact, FPR                   X  X  View, comment, audit
Event Log                       X     View events associated with assigned project versions
Performance Indicators          X
Personas                        X
Process templates               X  X  View all, update for assigned project versions
Project templates               X
Project versions                X     View only assigned
Reports                         X     View or generate reports
Rulepacks                       X
Template Assignment Policies    X
Users, local and LDAP                 Administrator accounts only
Variables                       X     Validate variable search strings


Modifying Your Own User Account Information


Any Software Security Center user can modify all of his or her own account settings, except the assigned role.

To modify your Software Security Center account settings:

1. In the upper right of any Software Security Center window, click Account.
   The Modify Account dialog box opens.

2. Modify your account information, and then click Save.

Customizing User Account Preferences


You can use the Software Security Center Dashboard Preferences dialog box to customize some user account preferences, such as the format for displaying dates in Software Security Center. For more information about how to customize user preferences, see Configuring Dashboard Preferences on page 15.

Tracking Teams
As an administrator or security lead, you need access to information that enables you to track and monitor your teams progress and ensure that good application security practices are in place and followed. Software Security Center provides a central point for guiding the adoption of good security practices. By understanding how information is tracked and reported, you can accurately measure development team progress based on application security standards.


Roles
Roles determine the actions a user can perform in Software Security Center. Table 4 lists the pre-configured roles you can assign to users in Software Security Center.

Table 4: Software Security Center Roles

Role: Administrator
Description: Has full access to the system and all results.

Role: Application Security Tester
Description: Can perform tasks that pertain to executing dynamic scan requests, including:
   View project versions
   View and generate reports
   Process dynamic scans
   Upload scan results
   Audit issues

Role: Developer
Description: Developer responsible for producing security results and taking action to triage or remediate any security issues. For a complete list of Developer permissions, see Table 3.

Role: Manager
Description: Responsible for guiding developers to work on results. Managers cannot create projects but can grant or revoke access to members of their team. For a complete list of Manager permissions, see Table 2.

Role: Security Lead
Description: Security team member who can create project versions and users. For a complete list of Security Lead permissions, see Table 1.

Role: View Only
Description: Can view results, but cannot interfere with the issue triage or remediation process. Example users: system automation account or temporary auditor.

Role: WebInspect Enterprise System
Description: Can connect a WebInspect Enterprise instance to Software Security Center and retrieve issue audit information. This role is intended for use only by a WebInspect Enterprise instance.

For more fine-grained control over user access to Software Security Center functionality, you can create custom roles and assign them permissions within the Software Security Center interface. For instructions on how to create a role, see Creating Custom Roles.


Creating Custom Roles


Use the procedure in this section to define roles of your own and assign them permissions.

To define and configure permissions for a new role:

1. Log on to Software Security Center as an Administrator.
2. Click the Administration tab.
3. In the Administration panel on the left, under System, click Roles.
4. In the Roles panel on the right, click Add.
   The Create Role dialog box opens.
5. Provide the information described in the following table.

   Field (*Required field)   Description
   *Name                     Role name
   Description               Role description
   Universal Access          To assign the new role access to all project versions and runtime applications, select this check box.
                             Note: HP Fortify strongly recommends that you select universal access only for administrator-level users.

6. To add permissions, click Add. (Permissions determine the functional areas available to Software Security Center users.)
   The Add Permissions dialog box opens.
7. Select the check boxes that correspond to the permissions that you want to assign to the new role.
   Note: The Add Permissions dialog box provides a search feature that you can use to search for permissions based on search conditions that you specify.
8. Click OK.
9. In the Create Role dialog box, click Save. If the role and permissions you selected do not conflict, then you are returned to Software Security Center. Software Security Center checks permissions to guard against states that are known to be incompatible.
10. Click Save.
    The Role: <Role_Name> screen opens and displays detailed information about the new role.

About Software Security Center Account Administration


Users who have Administrator accounts are the only users who can create new user accounts and edit information for existing accounts. Use Administrator accounts to manage the Software Security Center system. HP Fortify recommends that you create only the Administrator-level accounts necessary to create and edit local or LDAP Software Security Center user accounts. The Security Lead and lesser accounts can perform all other project-related activity. Software Security Center permits the explicit addition of Administrator-level accounts to project versions. This enables Administrator users to be assigned issues from the Software Security Center Collaboration Module.

Creating Local User Accounts


Software Security Center Administrator-level accounts can add new local user accounts to the list of Software Security Center users.

To create a Software Security Center user account:

1. Log on to Software Security Center as an Administrator.
2. Click the Administration tab.
3. In the Administration panel on the left, under System, click Users.
4. In the Local Users panel on the right, click Add.
   Software Security Center displays the Create User panel.
5. Provide the information listed in the following table.

   Field or Check Box                          Description
   Username                                    Username for Software Security Center logon.
   First Name                                  First name of user.
   Last Name                                   Last name of user.
   Email                                       Email address of user.
   Role(s)                                     To select the role or roles to assign to the user, click Add, and then select the check boxes that correspond to the roles you want to assign.
   Suspended                                   User is not authorized to use Software Security Center.
   Password                                    Default password for the new user.
   Confirm Password                            Default password for the new user, typed again.
   User must change password at next login     Select this check box to require the user to change the password at the next log-on to Software Security Center.
   Password never expires                      Select this check box to allow the user to use the originally assigned password until he or she wants to change it. To require the user to change his or her password every thirty days, leave this check box cleared.

6. Do one of the following:
   To save your settings and exit the Create User panel, click Save.
   To save your settings and display a new instance of the Create User panel, click Save and Create Another.

Software Security Center adds the user account to the list of users.


Registering LDAP Entities with Software Security Center


Software Security Center Administrator-level accounts can add LDAP groups, organizational units, and users to Software Security Center's list of users. Software Security Center automatically updates access control as users join and leave groups.

To register an LDAP organizational unit, group, or user with Software Security Center:

1. Log on to Software Security Center as an Administrator, and then click the Administration tab.
2. In the Administration panel, under System, click LDAP.
3. In the LDAP Entities panel, click Add.
   Software Security Center displays the Register LDAP Entity panel.
4. In the Register LDAP Entity panel, in the LDAP Entity list, choose the type of LDAP entity to register.
5. In the Name box, type the Software Security Center account name, and then click the Search icon to validate that the entry exists in the LDAP server. To search for a name, in the Name box, type a search string, and then click the search tool.
6. In the Role(s) box, you can assign a role predefined by Software Security Center or a role you have already created for the selected LDAP entity.
7. Click Add.
8. Select the role or roles in the Select Role dialog box, and then click OK.
9. Click Save.
   Software Security Center adds the entity to its list of users.

To learn how to specify the LDAP server, see the HP Fortify Software Security Center Installation and Configuration Guide.


Chapter 4: Software Security Center Projects and Project Versions


This chapter provides information about projects and project versions. It contains instructions for viewing and creating projects, configuring project attributes, assigning project templates, and more.

About Tracking Development Teams


As an administrator or security lead, you need access to information that enables you to track and monitor your teams progress and ensure that good application security practices are in place and followed. Software Security Center provides a central point for guiding the adoption of good security practices. By understanding how information is tracked and reported through projects and project versions, you can accurately assess development team progress based on application security standards.

Projects and Project Versions


To obtain consistent measurement results in Software Security Center, you define a project for a single code base. Software Security Center organizes the iterative development and remediation of code bases into projects and project versions. A project is an application or code base that serves as a container for one or more project versions. If you are working with a new code base, you create a new Software Security Center project. Software Security Center automatically creates the first version of that project. A project version is an instance of the application or code base that will eventually be deployed. It contains the data, auditing, and project attributes for a particular version of the project code base. If you are working with an existing project code base, you create new project versions rather than new projects.

A project version is the base unit for team tracking. It provides a destination for security results that is useful for getting information in front of developers and producing reports and performance indicators. Code analysis results for a project version are tracked as follows:

Existing analysis results
   Results of any previous security analysis from HP Fortify Static Code Analyzer, WebInspect, or other analyzer

+ New scan results
   Merge with the existing results (from the same analyzer used to perform this scan):
   Mark resolved issues
   Identify new issues
   Keep unchanged issues
   Software Security Center analysis processing rules verify that the new scan is comparable to the older scan.

= Trending results
   Identify which security issues have been fixed, and which issues remain.
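The merge model above, as an added example that is not Software Security Center's own code: a small Python model with constructed findings that keys issues on an instance ID, refuses to compare a scan against results from a different analyzer, classifies each finding as new, resolved, unchanged or reintroduced, and records the open count after every merge so the trend can be read off.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Issue:
    """One finding as an analyzer would report it (constructed sample data)."""
    instance_id: str   # stable identifier the analyzer derives from the finding
    analyzer: str      # which tool reported it, e.g. "SCA" or "WebInspect"
    category: str


@dataclass
class ScanResult:
    analyzer: str
    label: str                 # build label or assessment name
    issues: frozenset


@dataclass
class ProjectVersion:
    name: str
    open_issues: dict = field(default_factory=dict)      # instance_id -> Issue
    resolved_issues: dict = field(default_factory=dict)  # instance_id -> Issue
    trend: list = field(default_factory=list)            # (label, open count) per merge


def merge_scan(pv: ProjectVersion, scan: ScanResult) -> dict:
    """Merge a scan into the project version and return the delta counts.

    Comparability check: every issue must come from the scan's analyzer, and
    only open issues from that same analyzer can be marked resolved. A dynamic
    scan that does not see a static finding says nothing about whether it was fixed.
    """
    foreign = sorted(i.instance_id for i in scan.issues if i.analyzer != scan.analyzer)
    if foreign:
        raise ValueError(f"scan {scan.label!r} is not comparable: foreign issues {foreign}")

    seen = {i.instance_id: i for i in scan.issues}
    seen_ids = set(seen)
    comparable_open = {iid for iid, i in pv.open_issues.items() if i.analyzer == scan.analyzer}

    unchanged = comparable_open & seen_ids                 # still reported: keep
    resolved = comparable_open - seen_ids                  # no longer reported: mark resolved
    reintroduced = seen_ids & set(pv.resolved_issues)      # came back after being fixed
    new = seen_ids - comparable_open - reintroduced        # never seen before

    for iid in resolved:
        pv.resolved_issues[iid] = pv.open_issues.pop(iid)
    for iid in reintroduced:
        pv.resolved_issues.pop(iid)
    for iid in new | reintroduced:
        pv.open_issues[iid] = seen[iid]

    pv.trend.append((scan.label, len(pv.open_issues)))
    return {"new": len(new), "resolved": len(resolved), "unchanged": len(unchanged),
            "reintroduced": len(reintroduced), "open": len(pv.open_issues)}


def demo() -> ProjectVersion:
    """Walk three scans through one project version (constructed sample findings)."""
    pv = ProjectVersion("WebApp 1.0")
    sca1 = ScanResult("SCA", "build-101", frozenset({
        Issue("sca-0001", "SCA", "SQL Injection"),
        Issue("sca-0002", "SCA", "Cross-Site Scripting"),
        Issue("sca-0003", "SCA", "Path Manipulation"),
    }))
    merge_scan(pv, sca1)        # baseline: 3 new, 3 open
    wi1 = ScanResult("WebInspect", "dyn-2013-06", frozenset({
        Issue("wi-0001", "WebInspect", "Cross-Site Scripting"),
    }))
    merge_scan(pv, wi1)         # 1 new; the SCA findings are not touched, 4 open
    sca2 = ScanResult("SCA", "build-102", frozenset({
        Issue("sca-0002", "SCA", "Cross-Site Scripting"),
        Issue("sca-0004", "SCA", "Hardcoded Password"),
    }))
    merge_scan(pv, sca2)        # 1 new, 2 resolved, 1 unchanged, 3 open
    return pv


if __name__ == "__main__":
    result = demo()
    for label, open_count in result.trend:
        print(f"{label}: {open_count} open")
```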


About Strategies for Creating Project Versions


As a Security Lead or Development Manager, you might choose to create a project version that allows you to track vulnerabilities within deployed applications. Security vulnerabilities often occur in areas of code where different components come together. Although teams may work on different components, it is a good practice to track the entire software component as one piece. As an example, suppose that a text manipulation library is safe on its own, and a file access library is safe on its own. The combination of the text manipulation library and file access library is not necessarily safe, because one may not know the origin of the text being processed.

About Strategies for Packaged Software


For software that ships or is deployed as a concrete version, you might use the following strategies:
• If you are creating a brand new application, start a new project. Create a single project version for each release. For example, the Security Lead or Development Manager may mark past versions as inactive within Software Security Center to archive results and remove them from the basic view.
• If you are working on an existing application with an evolving code base, create a project version based on an existing version. For example, Project A has several versions. Each new version is initiated based on the results of the previous version. Each successive version is just evolved code (versus a complete rewrite).

About Strategies for Continuous Deployment


For applications using continuous deployment, running HP Fortify scans with the -build-label xxxx flag enables you to identify which source control checkout was scanned (where xxxx represents the ID from your version control system). Relating scans to source control checkouts improves your ability to determine when individual issues were introduced and remediated.

About Annotating Project Versions for Reporting


Software Security Center provides a set of project attributes that you can apply to individual project versions. You can use these project attributes to group project versions for reporting, or to associate project versions with external systems. A base set of project attributes is provided within the Software Security Center system. Administrators can customize the attribute set for the organization. Sample customizations can help organizations track onboarding progress by application ID, line of business, business unit, or regulatory compliance obligations.


Displaying the Projects Page


Software Security Center projects are at the center of Software Security Center's powerful cross-project analysis and reporting capabilities. To view a list of all Software Security Center projects, from the Software Security Center dashboard, click the Projects tab.


Project Icons
Table 5 lists the icons used to show project status on the Software Security Center Projects tab.

Table 5: List of Projects Type and Status Icons (the icon images themselves are not reproduced in this text)

Icon Category    Description
Project type     Project version is of type Basic Remediation
Project type     Project version is of type SSA
Project state    Project version not started: No activities completed
Project state    Project version in progress: At least one activity has been completed
Project state    Project version is unfinished
Project state    Project version requires attention: An activity must be performed
Sign-off state   Awaiting sign-off
Sign-off state   Signed off with exemption
Sign-off state   Signed off

For a conceptual orientation to the creation of a new Software Security Center project, proceed to About the Project Creation Process on page 36.


About the Project Creation Process


After you log on to Software Security Center and start to add a new project (see About Creating Project Versions on page 39), the Create Project Version wizard displays the following sequence of steps:
• Project Version page
• Dependencies page
• Business Attributes page (customizable)
• Technical Attributes page (customizable)
• Project Template page (or Process Template, depending on the type of project version you create)

Each step presents the team members responsible for creating a Software Security Center project version with one or more strategic choices. After the team agrees upon and makes their selections, the security lead can click Finish to complete the project creation process. Typically, the security team evaluates and decides on all the project options before they actually start to create the project. The following sections describe the options displayed on the five project creation wizard screens.

About Project Version Types


Software Security Center supports the following two types of project versions:
• Basic remediation project versions require you to select a project template but do not support process templates. Process templates are hierarchical constructions of requirements and activities that help you to manage and track risk mitigation activities performed during project development.
• SSA project versions differ from basic remediation project versions in that they support process templates. (When you create a new SSA project version, Software Security Center suggests a process template.)

About Project Dependencies


Project dependencies are optional project attributes that you can edit after a project version is finished. Use the Project Dependencies panel to do the following:
• Identify previously created project versions that affect the completion or status of this project
• Enable interdependent projects to be grouped, managed, and reported across project boundaries on the basis of dependencies

About Project Version Attributes


Basic remediation and SSA project version types have both business attributes and technical attributes. The business and technical project attributes are metadata that Software Security Center uses to:
• Perform cross-project comparisons and reporting
• Assign process templates to SSA projects

When you create a new project version, the Create Project Version wizard guides you through the selection of required and optional business and technical project attributes. Neither the basic remediation nor the SSA project version type can be finished until you select values for all required attributes. For example, to create a project version, you must specify values for the following attributes:
• Business unit
• Development phase
• Development strategy
• Accessibility

Table 6 lists the default set of Software Security Center project version attributes for basic remediation and SSA project version types. Note that this list does not include custom attributes that a Software Security Center administrator may have added to the system.

Table 6: Default Software Security Center Project Version Attributes (* = required)

Attribute Category and Attributes (default set)   Basic Remediation                              SSA
Business Attributes
  Business Risk                                   X                                              X
  Known Compliance Obligations                    X                                              X
  Data Classification                             X                                              X
  Project Classification                          X                                              X
  *Business Unit                                  X                                              X
Technical Attributes
  *Development Phase                              X                                              X
  *Development Strategy                           X                                              X
  *Accessibility                                  X                                              X
  Project Type                                    X                                              X
  Target Deployment Platform                      X                                              X
  Interfaces                                      X                                              X
  Development Languages                           X                                              X
  Authentication System                           X                                              X

  *Project template                               X                                              Assigned by the process template
  Process template                                Not available in basic remediation projects    X

About Project Template Selection


Software Security Center project templates provide HP Fortify client and server products an optimal means of categorizing, summarizing, and reporting project data. Project templates also enable the application of customized project settings at the enterprise level and not just at the project level. Both basic remediation and SSA project versions support project templates, but they differ in their support of process templates. Basic remediation projects require that you choose a project template, but do not support process templates. SSA projects require that you select a process template. Based on the process template you select, Software Security Center then assigns the optimal project template to the SSA project. Although you can change the project template for a basic remediation project after you finish creating the project, your security team must carefully consider its choice of project template before completing the project creation process. For SSA projects, there is a direct connection between the process template selected and the project template Software Security Center assigns to the project. You can only modify that process-project template relationship using the HP Fortify Software Security Center Process Designer. For information about how to use the Process Designer, see the HP Fortify Software Security Center Process Designer User Guide.


About Process Templates for SSA Projects


One of the most important steps in the creation of an SSA project version is the choice of a process template. Only Software Security Center SSA projects support process templates. Process templates guide the Secure Development team through the various requirements and activities needed to fulfill the enterprise's secure development standards. The requirements and activities must be completed, or exempted from completion, in order to fulfill the secure development process. If you prefer to use a non-default process template, a good strategy is to choose a template that has stricter requirements than are actually required, then exempt those activities that are not applicable to that project's security requirements. Software Security Center uses the choice of process template to determine the best project template to assign to the project version. The project template optimizes the categorization, summarization, and reporting of the project version's data. Regardless of which process template you choose, you cannot change that choice after the project creation process is completed. For that reason, the security team should carefully consider its choice of process template before finishing the project creation process. The following sections provide instructions for performing the following tasks:
• Creating projects and project versions
• Specifying dependent project versions
• Selecting a project version type
• Configuring project version attributes
• Assigning project and process templates to a project version


About Creating Project Versions


You can create a new Software Security Center project version that is based on an existing project or on a new project. This section provides instructions for each method. Before you start to create the Software Security Center project version, review the information under About the Project Creation Process on page 36.

Adding Project Versions


To create a project version based on an existing project:
1. Log on to Software Security Center as either an Administrator or Security Lead.
2. To open the Create Project Version wizard, click the Projects tab, and then click Add.
3. On the Project Version page, provide the information listed in the following table.

Field                       Description
Use Existing Project        Since you are working with a logical continuation of an existing code base, leave this option selected. From this list, select the name of an existing project.
Copy From                   Select this check box to copy settings and data from the previous version of the selected project. In addition to the project version attributes, you can copy the custom tags, analysis processing rules, user assignment, bug tracker, or current state HP Fortify project results.
                            After you select the check box, this section expands to reveal a project version list and the categories of information to be copied. From the list to the right of the Copy From check box, select the project version that has the attributes you want to copy to the new project version. To exclude a category of information from being copied to the new version, clear its check box.
Name                        In this box, type the version name. The wizard uses the project name and appends the version number to it automatically.
Description                 (Optional) In this box, type a description of the new project version.
Basic Remediation Project   Select this option to create a Basic Remediation Project type project version. For information about how to select a project version type, see About Project Version Types on page 36.
SSA Project                 Select this option to create an SSA type project version. For information about how to select a project version type, see About Project Version Types on page 36.

4. To finalize the project definition later, click Finish Later. To continue, click Next. The Dependencies page opens.
5. To specify optional dependent project versions for the new project version:
   a. Click Add. The Add Dependent Project Version dialog box lists all Software Security Center project versions.
   b. Select one or more project versions that affect the secure development of the project, and then click Save. (Use the CTRL and SHIFT keys to select multiple versions.)
6. Click Next.
7. On the Business Attributes page, do the following:
   a. If email notification has been configured for your Software Security Center instance, and you want to request attribute information for the project from another team member, click Send Attribute Information Request. Software Security Center prompts you to supply the email address for the individual to whom the request is to be sent.
   b. Configure the business attributes for the project version.
   Note: Because default values are selected for each list on the Business Attributes page, make sure that you actively select the values for each field.
8. Click Next. The Technical Attributes panel opens.
9. Configure the technical attributes for the project.
10. Click Next.
11. On the Project Template (or Process Template) page, do one of the following:
   • If you are creating a new basic remediation project version, from the Template list, select a project template.
   • If you are creating a new SSA project version, select a process template. Software Security Center uses the project attributes to recommend a process template, and then displays the recommended choice as the default selection in the list of process templates. Software Security Center assigns a project template to the new project version based on your choice of process template.
12. Click Finish. If you created a new project, Software Security Center adds the new project to the list of projects; the new project contains its initial project version. If you created a new project version, Software Security Center adds the new project version to its parent project.

To display unfinished or inactive project versions, on the Projects tab, select the Show Inactive Versions check box. The default is to display all active project versions. To designate a project version as inactive, clear the Active check box in the Edit Project Versions dialog box.


About Using Bug Tracking Systems to Help Manage Security Vulnerabilities


Developers fixing software defects often use a bug tracking system to help manage their workload. Security vulnerabilities are a type of bug, and getting vulnerability information into the bug tracking system helps developers take appropriate remediation measures, in line with other development activities. The result is more security awareness and faster remediation of security issues. From Software Security Center, you can map to several bug tracking systems, so that your development team can file bugs into the bug tracking system already in use. When a developer files a bug, Software Security Center populates bug tickets with the following basic vulnerability information:
• Details that describe the type of issue uncovered
• Remediation guidance, with instructions on the action to take
• A link back to Software Security Center for complete issue details

Configuring Access to a Bug Tracker


To enable a team to access and use a bug tracking system from Software Security Center, a security lead or development manager must configure Software Security Center to connect to a bug tracker instance. Either the developer or security lead can then submit tickets to address important security issues. To enable team access to a bug tracking system, a security lead or development manager does the following:
• Edit the project version details
• Configure the bug tracker

Configuring Bug Tracking for a Project Version


For a given project version, you can specify a bug tracker to use to submit bugs against the version and, optionally, enable batch bug submission and bug state management. The batch bug submission feature allows you to filter issues for a given project version based on selection criteria and attribute groupings, and then file a bug for the entire group of issues instead of filing a bug for each individual issue. If batch bug submission is enabled for a project version, you can also enable bug state management. Bug state management allows Software Security Center to make specific updates to bugs as the states of the issues within those bugs change. (For information about batch bug submission, see About Using State Management to File Many Issues.)

To configure bug tracking for a project version:
1. Log on to Software Security Center as an administrator, a security lead, manager, or a developer.
2. Click the Projects tab.
3. From the list of project versions on the left, select the project version for which you want to configure bug tracking.
4. Click Edit. The Edit Project Version dialog box opens.
5. Click the Bug Tracker tab.
6. From the Bug Tracker list, select the bug tracker to use to file bugs against the project version.
7. Complete any required fields.
8. To test the bug tracker connection to Software Security Center:
   a. Click Test.
   b. In the Test Bug Tracker Configuration dialog box, type your bug tracker authentication credentials, and then click Test.
9. If you do not want to enable batch bug submission and possibly bug state management for this project version, click Save. If you want to enable batch bug submission and possibly bug state management, see About Using State Management to File Many Issues.

About Using State Management to File Many Issues


The combined analysis techniques of HP Fortify Static Code Analyzer and HP WebInspect can produce a high volume of issues that can be assigned and tracked in aggregate. Filing issues in bulk enables developers or security leads to group issues into closeable units to avoid overloading the bug tracking system.

1. Decide upon selection criteria. Your selection criteria for batch bug tracking specify how the system determines which security issues to file and manage as bugs. The default selection criterion is Analysis: Exploitable (issues with the custom tag Analysis value set to Exploitable), to focus on issues that have been manually reviewed and prioritized.
2. Decide upon a grouping strategy. For all issues matching your selection criteria, decide how issues are to be grouped together to prevent a potentially large number of issues becoming individual (granular) bugs. The default grouping strategy of Category, File enables teams to assign and track bugs such as "Fix all <vulnerability_name> in <file_name>" instead of tracking groups that are too general (such as "Fix all security issues") or too granular ("Fix the line of code at ##").

After filing the issues, development teams typically run scans through Static Code Analyzer and WebInspect. Software Security Center merges the scan results (as described in Projects and Project Versions on page 32) and updates the bug, as follows:
• If the scan results indicate that one or more security issues associated with the bug are still present (and match the selection criteria), Software Security Center checks the bug tracking system to ensure that the bug is in a valid open state and, if necessary, re-opens the bug.
• If all issues associated with a bug are removed (either because the issues were remediated or no longer match the selection criteria), Software Security Center updates the bug to indicate that stakeholders may resolve or close this ticket. To enable auditing and traceability, Software Security Center does not automatically resolve or close bugs.
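The selection criterion, the grouping strategy and the post-rescan bug update rules just described, as an added example (not code from the HP Fortify documentation or product; the issue dictionaries, the bug title format and the action names are this example's own constructions, and issues are matched across scans by instance ID):

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Defaults taken from the page: selection criterion Analysis = Exploitable,
# grouping strategy Category, File.
DEFAULT_CRITERIA = {"Analysis": "Exploitable"}
DEFAULT_GROUPING = ("category", "file")


def matches(issue: dict, criteria: Dict[str, str]) -> bool:
    """True when every tag in the selection criteria has the required value."""
    tags = issue.get("tags", {})
    return all(tags.get(tag) == value for tag, value in criteria.items())


def bug_title(key: Tuple[str, ...]) -> str:
    # With the default grouping this reads "Fix all <category> in <file>".
    if len(key) == 1:
        return "Fix all %s" % key[0]
    return "Fix all %s in %s" % (key[0], ", ".join(key[1:]))


def group_for_batch_bugs(issues: Iterable[dict],
                         criteria: Dict[str, str] = DEFAULT_CRITERIA,
                         grouping: Tuple[str, ...] = DEFAULT_GROUPING) -> Dict[str, List[str]]:
    """Return {bug title: [instance ids]} for the issues that match the criteria."""
    groups: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for issue in issues:
        if matches(issue, criteria):
            groups[tuple(issue[attr] for attr in grouping)].append(issue["instance_id"])
    return {bug_title(key): ids for key, ids in groups.items()}


def update_bug_states(bugs: Dict[str, dict], current_issues: Iterable[dict],
                      criteria: Dict[str, str] = DEFAULT_CRITERIA) -> Dict[str, str]:
    """Decide what to do with each filed bug after a rescan.

    bugs maps a title to {"instance_ids": [...], "state": "open" | "closed"}.
    Returns one action per bug: 'keep_open', 'reopen' or 'flag_may_resolve'.
    Nothing is ever closed here, matching the page's traceability rule.
    """
    live = {i["instance_id"] for i in current_issues if matches(i, criteria)}
    actions = {}
    for title, bug in bugs.items():
        if any(iid in live for iid in bug["instance_ids"]):
            actions[title] = "keep_open" if bug["state"] == "open" else "reopen"
        else:
            actions[title] = "flag_may_resolve"
    return actions


def _issue(iid, category, file, analysis):
    return {"instance_id": iid, "category": category, "file": file,
            "tags": {"Analysis": analysis}}


# Constructed sample data.
FIRST_SCAN = [
    _issue("a1", "SQL Injection", "Login.java", "Exploitable"),
    _issue("a2", "SQL Injection", "Login.java", "Exploitable"),
    _issue("b1", "Cross-Site Scripting", "Search.jsp", "Exploitable"),
    _issue("c1", "Cross-Site Scripting", "Search.jsp", "Not an Issue"),  # not selected
]
# After remediation: a1 fixed, a2 remains, b1 re-audited as Not an Issue.
SECOND_SCAN = [
    _issue("a2", "SQL Injection", "Login.java", "Exploitable"),
    _issue("b1", "Cross-Site Scripting", "Search.jsp", "Not an Issue"),
]

if __name__ == "__main__":
    filed = group_for_batch_bugs(FIRST_SCAN)
    print(filed)
    # Suppose the SQL Injection bug was closed in the tracker although a2 remains.
    bugs = {t: {"instance_ids": ids, "state": "open"} for t, ids in filed.items()}
    bugs["Fix all SQL Injection in Login.java"]["state"] = "closed"
    print(update_bug_states(bugs, SECOND_SCAN))
```

Note that b1 drops out of the bug's scope not because it was fixed but because it no longer matches the selection criterion, and the bug is only flagged for the stakeholders, not closed.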

Enabling Batch Bug Submission


After you specify the bug tracker to use to submit bugs against a project version, you can enable batch bug submission for the project version.

To enable batch bug submission for a project version:
1. After you specify the bug tracker to use to submit bugs against a project version (see Configuring Bug Tracking for a Project Version), on the Bug Tracker tab, select the Enable Batch Bug Submission check box. The Selection Criteria box displays the default value [Analysis]:exploitable. Issues that match this criterion are selected for batch bug submission. The Grouping Strategy box lists the attributes used to group selected issues together before they are submitted as a batch. The default attributes listed are Category and File Name.
2. To include additional attributes on which to base issue groups:
   a. Click Add. The Add Attribute dialog box opens.
   b. From the Name list, select an attribute to add to the Grouping Strategy list. (Although you can only select one attribute at a time, you can repeat Step 2 multiple times to add more attributes.)
   c. Click Save.
   d. To validate your selection criteria, click Validate.
3. If you want to enable bug state management, follow the procedure described in Enabling Bug State Management. Otherwise, to save your current bug tracker settings, click Save.

Enabling Bug State Management


If batch bug submission is enabled for a project version, you can enable bug state management. Bug state management enables Software Security Center to make specific updates to bugs as the states of the issues within those bugs change. Software Security Center checks new security scans to determine whether filed bugs are to remain open, or can be closed.

To enable bug state management for a project version:
1. After you enable batch bug submission for a project version, on the Bug Tracker tab, select the Enable Bug State Management check box.
2. Scroll down so that you can see the Username and Password boxes.
3. In the Username and Password boxes, type your username and password for the bug tracking application specified for the project version.
4. Click Test.
5. After Software Security Center displays the Connection Successful message, click OK.
6. Click Save.


Changing the Project Template Associated with a Project Version


You can modify many settings for an existing project version, including its project template. However, keep in mind that assigning a different project template to a project version or updating a project template on the Software Security Center server results in loss of synchronization between the database cache and existing audit sessions. After you assign a project version a different template, Software Security Center calculates metrics based on the new project template. Any in-progress audits are saved and then restarted with the new project template.

To edit a project version:
1. Log on to Software Security Center as either an Administrator or Security Lead.
2. Click the Projects tab.
3. From the list of project versions on the left, select the project version you want to modify.
4. Click Edit. The Edit Project Version dialog box opens.
5. From the Project Template list, select a different project template to apply to the project version. Software Security Center displays a warning message to advise you that changing the template can alter the metrics calculated for the project, and that existing metrics will not be recalculated.
6. To continue with the change, click Yes. After you change the project template, Software Security Center invalidates any auditing session of the affected project version (for example, by a different user) and displays an error message to advise you that the project version audit session must be restarted.
   Note: An HP Fortify Audit Workbench user auditing the affected project version does not see this information.
7. Click OK.


Project On-Boarding
A security team that creates a project version may not always know what the business and technical attributes of the project are. Software Security Center's project on-boarding feature provides the project version creator a mechanism for requesting that information from the development team. It also provides the development team a way to provide that information to the system. Typical scenarios for implementing the project on-boarding feature are:
• A development group new to the Software Security Assurance program can easily understand what is expected of them. They may identify and plan for key users to participate in the security effort.
• A development group new to the Software Security Assurance program can easily supply the information necessary to start a project version within Software Security Center.

Requesting Project Attribute Information


As you create a new project version, you can request information about the project attributes from others working on the project.

To submit a request for business attribute information:
1. In the process of creating a project version (see About Creating Project Versions on page 39), after you reach the Business Attributes panel, click Send Attribute Information Request. The Send Attribute Information Request dialog box opens.
2. In the Recipient Email box, type the email address of the person to whom you want to send this email.
3. Click Send. The form contains pre-populated fields and links to forms that external users can use to specify project attributes. To continue the project version creation process after you send the request, click the links provided on the Projects page.

Note: Typically, you wait for the development team to provide the technical and business attributes, and then return to finish creating the project version. The value in the State column on the Project list page indicates that the development team has provided the requested attributes.

The panel to the right of the Projects panel shows that the project version is unfinished and you can continue the project version creation process to create it using the links provided.

The email notification sent in response to your request for attribute information contains links to information request forms, which the recipient can use to provide the requested attribute information. Another link takes the recipient to the Software Security Center Process Guide, which presents an overview of the software security assurance process.

The last link takes the recipient to the Account Request form, in case the recipient does not yet have a Software Security Center user account and wants to request one.


The second link takes you to the Business Attributes step of the Create Project Version wizard, where you can configure the business attributes for your project. For descriptions of each business attribute, see Adding Project Versions on page 39.


The third link takes you to the Technical Attributes step of the Create Project Version wizard, where you can configure the technical attributes of your project.

The fourth link takes you to the Account Request step, from which you can request a Software Security Center account.


Setting Analysis Result Processing Rules for Project Versions


Analysis results processing rules allow for management approval and oversight of code scans. You can configure the rules to be followed when analysis results for a project version are processed.

To configure the analysis results processing rules for a project version:
1. Log on to Software Security Center as an administrator and click the Projects tab.
2. Click the project version for which you want to configure the analysis results processing rules.
3. Click View Details.
4. Click the General tab.
5. Click the Analysis Result Processing Rules sub-tab, which shows the default processing rules for the project version.
6. In the upper right corner of the sub-tab, click Edit. The Edit Project Version dialog box opens.
7. Select or clear the check boxes for the rules listed in the following table, and then click Save.

Rule: Require approval if the Build Project is different between scans
  Software Security Center compares the Build Project for the scan and the scan that preceded it. If the Build Projects differ, management approval is required.

Rule: Check external metadata file versions in scan against versions on server

Rule: Require approval if file count differs by more than 10%
  Software Security Center compares the file count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required.

Rule: Require approval if result has analysis warnings

Rule: Require approval if the Rulepacks used in the scan do not match the Rulepacks used in the previous scan
  Software Security Center checks to see whether you have added or removed a Rulepack, and whether a version of a Rulepack has changed. If it detects that a Rulepack has been added, removed, or updated, it flags the upload for management approval.

Rule: Require approval if the engine version of a scan is newer than the engine version of the previous scan
  Software Security Center checks to see whether any scan engine (SCA, WebInspect, SecurityScope) version is newer than the one already used in the project. If it detects newer versions, it flags the upload for management approval.

Rule: Automatically perform Instance ID migration on upload
  A newer version of SCA or a Rulepack can change an instance ID from an instance ID created in a previous scan by an older version of SCA or a Rulepack. In reality, both instance IDs identify the same issue. When enabled, this rule automatically migrates old instance IDs to the corresponding new instance IDs to preserve the history of the issues. It is sometimes useful to disable this rule as a troubleshooting measure for customer support.

Rule: Require approval if line count differs by more than 10%
  Software Security Center compares the line count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required.

Rule: Ignore SCA scans performed in Quick Scan mode
  Blocks the processing of SCA scans done in Quick Scan Mode, which searches for high-confidence, high-severity issues.

Rule: Require approval if SCA or SecurityScope scan does not have valid certification
  Software Security Center checks to see that an SCA or SecurityScope scan has valid certification. If the certification is not valid, then someone may have tampered with the results in the upload. If the certification is missing, it is not possible to detect tampering. If certification is missing or is not valid, the rule requires management approval.

Rule: Warn if audit information includes unknown custom tag
  If audit information includes an unknown custom tag, the rule requires management approval.

Rule: Disallow upload of analysis results if there is one pending approval
  If an analysis result still requires approval, this rule blocks its upload.
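The rules in the table, evaluated against two consecutive scans of one project version, as an added example (this is not HP Fortify code; the scan metadata field names, the short rule keys and the sample values are constructed for this illustration, and the two rules whose descriptions are not given in the table are left out):

```python
from typing import Dict, List


def _differs_by_more_than(prev: int, cur: int, fraction: float = 0.10) -> bool:
    """True when cur is more than `fraction` away from prev, relative to prev."""
    if prev == 0:
        return cur != 0
    return abs(cur - prev) / prev > fraction


# Every rule enabled; the keys are this example's short names for the table's rules.
DEFAULT_RULES = {
    "build_project_differs": True,
    "file_count_differs_10pct": True,
    "analysis_warnings": True,
    "rulepacks_differ": True,
    "engine_version_newer": True,
    "line_count_differs_10pct": True,
    "ignore_quick_scan": True,
    "certification_required": True,
    "unknown_custom_tag": True,
    "pending_approval_blocks_upload": True,
}


def evaluate_processing_rules(previous: dict, current: dict,
                              rules: Dict[str, bool] = DEFAULT_RULES,
                              pending_approval: bool = False) -> Dict[str, List[str]]:
    """Return which rules block the upload and which require management approval.

    previous/current are scan metadata dicts using the constructed field names
    shown in the sample data below.
    """
    blocked: List[str] = []
    approval: List[str] = []

    # Rules that stop processing outright.
    if rules.get("pending_approval_blocks_upload") and pending_approval:
        blocked.append("pending_approval_blocks_upload")
    if rules.get("ignore_quick_scan") and current["quick_scan"]:
        blocked.append("ignore_quick_scan")

    # Rules that flag the upload for management approval.
    if rules.get("build_project_differs") and current["build_project"] != previous["build_project"]:
        approval.append("build_project_differs")
    if rules.get("file_count_differs_10pct") and _differs_by_more_than(previous["file_count"], current["file_count"]):
        approval.append("file_count_differs_10pct")
    if rules.get("analysis_warnings") and current["analysis_warnings"]:
        approval.append("analysis_warnings")
    # An added, removed or re-versioned Rulepack all count as a mismatch.
    if rules.get("rulepacks_differ") and current["rulepacks"] != previous["rulepacks"]:
        approval.append("rulepacks_differ")
    if rules.get("engine_version_newer") and current["engine_version"] > previous["engine_version"]:
        approval.append("engine_version_newer")
    if rules.get("line_count_differs_10pct") and _differs_by_more_than(previous["line_count"], current["line_count"]):
        approval.append("line_count_differs_10pct")
    # Missing certification cannot prove tampering, so it is treated like invalid.
    if rules.get("certification_required") and current["certification"] != "valid":
        approval.append("certification_required")
    if rules.get("unknown_custom_tag") and current["unknown_custom_tags"]:
        approval.append("unknown_custom_tag")

    return {"blocked": blocked, "approval_required": approval}


# Constructed sample metadata: the rescan touched 15% more files, moved to a
# newer Rulepack and arrived without a certification.
PREVIOUS_SCAN = {
    "build_project": "webapp", "file_count": 200, "line_count": 50000,
    "rulepacks": {"core": "2013.1"}, "engine_version": (5, 16, 0),
    "quick_scan": False, "certification": "valid",
    "analysis_warnings": False, "unknown_custom_tags": [],
}
CURRENT_SCAN = {
    "build_project": "webapp", "file_count": 230, "line_count": 52000,
    "rulepacks": {"core": "2013.2"}, "engine_version": (5, 16, 0),
    "quick_scan": False, "certification": "missing",
    "analysis_warnings": False, "unknown_custom_tags": [],
}

if __name__ == "__main__":
    print(evaluate_processing_rules(PREVIOUS_SCAN, CURRENT_SCAN))
```

The line count grew by only 4%, so that rule stays quiet while the file count, Rulepack and certification rules each ask for approval; a Quick Scan or a still-pending earlier result would instead stop the upload before any of the approval rules are considered.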


About Custom Tags


In Software Security Center, code auditing involves the security team examining HP Fortify project results (FPR) and assigning values to tags that are associated with project issues. The development team can then use these tag values to determine which issues they must address and in what order. Software Security Center provides a single default tag named Analysis to enable project auditing out of the box. Valid values for the Analysis tag are Exploitable, Not an Issue, Suspicious, Reliability Issue, and Bad Practice. You can modify the Analysis tag attributes, revise the tag values, or add new tag values based on your auditing needs. To refine your auditing process, you can define your own custom tags. Like the Analysis tag, your custom tag definitions are stored in a project template that can be associated with a project version in Software Security Center. For example, you could create a custom tag that can be used to track the sign-off process for an issue. After a developer audits his own issues, a security expert can review those same issues and mark each as approved or not approved. You can define custom tags in real time in Software Security Center, directly with project template uploads through Software Security Center, or through project templates in FPR files.

Note: You can use the client tool HP Fortify Audit Workbench (AWB) to add custom tags to a project while you are auditing it. However, if you have not defined these custom tags in Software Security Center for the project template associated with the project version, then the new custom tags are lost when you upload the FPR file back to Software Security Center.

Defining Custom Tags in Software Security Center


You manage custom tags in Software Security Center from the Custom Tags panel.

To view the Custom Tags panel:

1. Click the Administration tab.
2. In the Administration panel, under Projects, click Custom Tags.


Adding a Custom Tag


To add a custom tag:

1. In the Custom Tags panel, click Add.
2. Type the name (required) and a description (optional) of the new tag.
3. To specify a value for the new tag:
   a. Click Add.
   b. In the Name box, type a value. A value can be a discrete attribute for the issue that this tag addresses. For example, you might specify that this custom tag addresses a due date or server quality issue.
   c. (Optional) In the Description box, type a description of what the value represents.
   d. To prevent the tag from being displayed in Collaboration Module or HP Fortify Audit Workbench (AWB), select the Hidden check box.
   e. Click Save.
4. From the Default Value list, select the default value for the tag. If the custom tag has a default value, then issues with no value set for the tag acquire that default value. If no default value is defined, then the tag value becomes Not Set.
5. Select any or all of the following optional tag features:
   - To allow only users with specific permission (managers, security leads, administrators) to modify the tag, select the Restricted check box.
   - To enable the addition of new values to the tag during audits, select the Extensible check box.
   - To prevent the display of the tag in Collaboration Module or HP Fortify Audit Workbench (AWB), select the Hidden check box.
6. Click Save.

Modifying Custom Tag Attributes


To modify the attributes of a custom tag:

1. Select Administration > Projects > Custom Tags.
2. Select the custom tag to modify.
3. Click Edit.
4. Modify the tag attributes and save your changes.


Globally Hiding a Custom Tag


To globally hide a custom tag:

1. Navigate to Administration > Projects > Custom Tags.
2. Select the custom tag to modify.
3. Click Edit.
4. Select the Hidden check box.
5. Click Save.

Deleting Custom Tags


To delete a custom tag, use the following procedure.

Note: You cannot delete a custom tag if the tag is associated with a project version or project template, or if an issue is audited with the custom tag.

1. Navigate to Administration > Projects > Custom Tags.
2. In the Name column, select the custom tag to delete.
3. Click Delete.


Adding a Value for a Custom Tag


To add a value to a custom tag:

1. Navigate to Administration > Projects > Custom Tags.
2. Select the custom tag to which you want to add a value.
3. Click Edit.
4. In the Update Custom Tag dialog box, click Add.
5. Type a name and, optionally, a description for the new value.
6. To hide the value, select the Hidden check box.
7. Click Save.
8. In the Update Custom Tag dialog box, click Save.

Changing a Value for a Custom Tag


To change a value for a custom tag, use the following procedure.

1. Navigate to Administration > Projects > Custom Tags.
2. Select the custom tag whose value you want to change.
3. Click Edit.
4. In the Update Custom Tag dialog box, select the value to change.
5. Click Edit.
6. Change the name or description, and then click Save.
7. In the Update Custom Tag dialog box, click Save.


Deleting a Value for a Custom Tag


To delete a value for a custom tag, use the following procedure.

1. From the Software Security Center Dashboard page, select Administration > Projects > Custom Tags.
2. Select the custom tag.
3. Click Edit.
4. In the Update Custom Tag dialog box, select the value to delete, and then click Delete.
5. Click Save.

Associating a Custom Tag with a Project Template


When you first create a project template and upload a project template file, the custom tags defined in that file are the custom tags initially associated with the project template. Updates to existing custom tags in the file are ignored, because existing tags are meant to be updated using the procedures described in the previous sections; newly defined custom tags in the file, however, are added to the system and associated with the project template.

Note: The custom tags associated with a project template are the default tag set assigned to a project version when it is first created using that project template.

To associate a custom tag with a project template:

1. Navigate to Administration > Projects > Project Templates.
2. Select the project template to associate with the custom tag.
3. Click Edit. The Edit Project Template dialog box opens.
4. Click Add. The Add Custom Tags To Project Template dialog box opens.
5. Select the check box for the custom tag to associate with the project template.

Viewing the Custom Tags Associated with a Project Template


To see which custom tags are associated with a project template:

1. Navigate to Administration > Projects > Project Templates.
2. Select the project template.
3. Click View Details.
4. Click the Custom Tags tab.

You can also edit or delete a custom tag from this project template from the Custom Tags tab.


Disassociating a Custom Tag from a Project Template


To disassociate a custom tag from a project template:

1. Navigate to Administration > Projects > Project Templates.
2. Select the project template.
3. Click Edit. The Edit Project Template dialog box opens.
4. Select the custom tag to disassociate from the project template, and then click Remove.


Associating a Custom Tag with a Project Version


When you create a project version, the custom tags associated with that project template are initially associated with the project version. You can go back and change these associations after you create the project version. For more information, see Managing Custom Tags Through Project Templates on page 65.

To associate a custom tag with a project version:

1. From the Software Security Center Dashboard, click the Projects tab.
2. Select the project version with which you want to associate a custom tag.
3. Click Edit. The Edit Project Version dialog box opens.
4. Click the Custom Tags tab.
5. Click Add.
6. Select the check box for the custom tag to associate with the project version.
7. Click OK.
8. In the Edit Project Version dialog box, click Save.

Disassociating a Custom Tag from a Project Version


To disassociate a custom tag from a project version:

1. From the Software Security Center Dashboard, click the Projects tab.
2. Select the project version associated with the custom tag.
3. Click Edit.
4. In the Edit Project Version dialog box, click the Custom Tags tab.
5. Select the custom tag to disassociate from the project version.
6. Click Remove.
7. Click Save.

Adding a Custom Tag Value While Auditing an Issue


To add a value for a custom tag while auditing an issue, use the following procedure.

Note: The custom tag to which you add a value in the following procedure must be assigned the Extensible attribute. Otherwise, you cannot add a value while auditing an issue in Collaboration Module.

1. From the Software Security Center Dashboard, click the Projects tab.
2. Select the project version to audit.
3. Click Audit Issues.
4. On the left side of the Summary panel, expand the list for the custom tag to which you want to add a value, and select Create New.
5. Type a name and, optionally, a description for the new value.
6. Click Save.

Managing Custom Tags Through Project Templates


Custom tags defined in a project template file are assigned to that specific project template. You cannot update existing custom tags through direct project template upload. If Software Security Center detects an updated custom tag, it displays a warning and prompts you to confirm that you want to continue.

You must update existing custom tags through the custom tag administration section of Software Security Center. From the Software Security Center Dashboard, select Administration Projects Custom Tags and complete the update. You can add a new custom tag through a project template upload. This could, for example, allow a member of a security team who is not part of a software audit to define the project template and the custom tags in the project template.

Managing Custom Tags Through a Project Template in an FPR File


FPR files typically contain a project template. If an FPR file uploaded to Software Security Center contains a project template with a custom tag that has been set as editable, you can add a value to the tag.


About CloudScan in Software Security Center


HP Fortify CloudScan (CloudScan) software enables HP Fortify Static Code Analysis users to better manage their resources by offloading the processor-intensive scanning phase of analysis from their build machines to a cloud of machines provided for this purpose.

If your administrator has set up CloudScan, you can use Software Security Center to monitor or troubleshoot the CloudScan Controller component of CloudScan or to view scan results. (The CloudScan Controller is the server that receives the SCA mobile build session and scan instructions from the CloudScan CLI and routes the information to the CloudScan Cloud.)

Note: Enabling this functionality involves configuration of both Software Security Center and HP Fortify CloudScan. For instructions on how to configure Software Security Center for this, see the HP Fortify Software Security Center Installation and Configuration Guide. For information about the configuration steps required in HP Fortify CloudScan, see the HP Fortify CloudScan Installation, Configuration, and Usage Guide.

To monitor or troubleshoot the CloudScan Controller, or to view the results of a scan, navigate to the CloudScan tab in Software Security Center.

From the Jobs panel, you can view running scans and scans completed within the last seven days. CloudScan permissions determine what jobs you can see in the left panel based on the project version associated with the job. CloudScan permissions are described in the following table.

Field                         Description
Download CloudScan Artifacts  User can view and download CloudScan data
Manage CloudScan              User can view, download, and manage CloudScan data
View CloudScan                User can view CloudScan data

The right panel includes the General and Task Details tabs. The information on the General tab displays summary information about the scan such as when it started, when it was completed, and so on. The Task Details tab displays specific information about Static Code Analyzer and the status of the FPR upload to Software Security Center. You can download a log file or analysis results file from the Task Details tab.

With the Controller feature section selected, two tabs are provided for closer inspection of the CloudScan infrastructure in use and the current status of the CloudScan Controller. The information presented on the Statistics tab can be useful in determining why you do not see a job represented in the Jobs panel. The information displayed on the Settings tab reflects the content of two properties files: the information under the General, Tasks Interval, and Email headings reflects config.properties file content, and the information under the Cloud and Software Security Center headings reflects content in the hadoop.properties file. For more information about these files, see the HP Fortify CloudScan Installation, Configuration, and Usage Guide.


Chapter 5: SSA Project Version Requirements


The following sections provide information about the Requirements page for SSA project versions and instructions on how to use the page.

About the Requirements Page


Use the Requirements page to manage the requirements, activities, personas, and work owners for an SSA project version. The information in this chapter is provided on the assumption that you have already created a Software Security Center SSA project version. To learn more about creating project versions, see Chapter 4, Software Security Center Projects and Project Versions on page 32.

Displaying the Requirements Detail Page


Software Security Center project details pages provide access to various types of project information or utilities.

To display the Requirements details page:

1. Log on to Software Security Center with sufficient privileges to perform the task you want to perform. For more information about Software Security Center account privileges, see Chapter 3, Managing User Accounts on page 20 and About Software Security Center Persona Management on page 73.
2. Click the Projects tab. Software Security Center displays a list of projects and project versions.
3. From the list of projects, select the project version of interest, and then click View Details.
4. Click the Requirements tab. Software Security Center displays the Requirements details page.

Chapter 5: Using the Requirements Page

68

About Process Requirements and Activities


When you create a new SSA project version, Software Security Center uses the project version attributes to recommend the optimal process template. You can override that recommendation, but you must choose a process template before you can finish the project creation process and put a new SSA project version into service.

Software Security Center process templates are hierarchical constructions of requirements and activities. The requirements and activities define a hierarchy of primary and constituent tasks that must be signed off to complete the secure development of a particular project version. Table 7 summarizes the Software Security Center icons used to designate activity type, project version state, and sign-off status.
Table 7: Activity Type, State, and Sign-off Icons

Icon category   Description
Activity type   Time lapse activity: Activities that must be performed within a specific time period. For example, uploading an SCA scan within the preceding 14 days.
Activity type   Project state activity: Activities that ensure the project conforms to applicable measurement guidelines. For example, auditing 100 percent of all High Priority Issues.
Activity type   Document activity: Activities that require the submission of an external process document. An example of a document activity is the completion and sign off of a peer review checklist.
Project state   Project version not started: No activities completed.
Project state   Project version in progress: At least one activity has been completed.
Sign Off state  Awaiting sign off
Sign Off state  Signed Off with exemption
Sign Off state  Signed Off
Sign Off state  Document rejected


About Activities, Requirements, and Process Templates


This section contains information about SSA project sign-offs, including sign-off activities, multi-persona sign-offs, sign-off requirements, and sign-off templates.

About SSA Project Sign Offs


Software Security Center SSA process templates contain multiple requirements, which in turn contain multiple activities. In general, the secure development team completes and signs off on all of a given requirement's constituent activities before signing off on the requirement. In some cases, however, the security team may permit a requirement to be signed off on before all of that requirement's activities have been completed. When this occurs, Software Security Center permits activities and requirements to be signed off with exemption.

In Software Security Center, the work owner assigned to an activity can use tasks to help manage that activity. For more information about Software Security Center tasks, including the sign-off of those tasks, see Adding Tasks to Activities on page 75.

About Sign-Off Personas


In Software Security Center, personas have sign-off responsibility for requirements and activities. For more information about Software Security Center personas, see Chapter 3, Managing User Accounts on page 20, and About Software Security Center Persona Management on page 73. If a persona has no user account assigned to it, and that persona is assigned to a particular process template activity or requirement, then in the Sign Off panel, in the User column, Software Security Center displays the value Not Assigned. For information about how to assign a Software Security Center user account to a persona, see Assigning User Accounts to Personas on page 71.

About Signing Off Activities


As the security team progresses through the secure development process, the Software Security Center persona or personas assigned to an activity must sign off that activity. If multiple personas are assigned to a requirement or activity, then all personas must sign off on the activity, in one of the following two ways:

- If an activity has been completed successfully, then the persona signs off on the activity without an exemption.
- If an activity was not completed or does not apply to the SSA project version, then the persona signs off on the activity with an exemption.

About Multi-Persona Sign Offs


If multiple personas are assigned to an activity, and one of those personas signs off on the activity with an exemption, then Software Security Center marks the activity as signed off with an exemption. If the Software Security Center Power User signs off on an activity, then the Power User's sign-off overrides the sign-offs (or absence thereof) of any other personas assigned to that activity.


About Signing Off Requirements


Typically, a security team prefers to sign off on all of a given requirement's activities before signing off on the requirement. Software Security Center processes the sign-off of complete and incomplete requirements as follows:

- Signing off a completed requirement (all activities in the requirement have been signed off or signed off with exemption): Software Security Center allows the requirement to be signed off or signed off with exemption. When signing off on a completed requirement, Software Security Center does not modify any activity's sign-off state.
- Signing off an incomplete requirement (one or more activities in the requirement have neither been signed off nor signed off with exemption): Software Security Center only permits the requirement to be signed off with exemption. When signing off an incomplete requirement, Software Security Center sets the sign-off state of activities that have no sign-off status (indicated by a Status value of In Progress) to Signed Off With Exemption.
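The activity, multi-persona, and requirement sign-off rules from the three preceding sections, expressed as a small Python model so that the interaction between exemptions, multiple personas, the Power User override, and incomplete-requirement sign-off can be traced in one place. This is an added example, not code from HP Fortify or from this guide; the names Activity, Requirement, sign_off_activity and sign_off_requirement, the Power User persona string, and the sample activities are assumptions made for the illustration.

```python
"""Model of the SSA sign-off rules for activities and requirements.

Added example, not code from HP Fortify or from this guide. The class
and function names (Activity, Requirement, sign_off_activity,
sign_off_requirement) are assumptions; the product applies these rules
through its web interface, not through an API shown here.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set

# Assumed persona name; a Power User sign-off overrides every other persona's.
POWER_USER = "Power User"


class State(Enum):
    IN_PROGRESS = "In Progress"              # no effective sign-off yet
    SIGNED_OFF = "Signed Off"
    SIGNED_OFF_WITH_EXEMPTION = "Signed Off With Exemption"


def _state_for(exempt: bool) -> State:
    return State.SIGNED_OFF_WITH_EXEMPTION if exempt else State.SIGNED_OFF


@dataclass
class Activity:
    name: str
    personas: Set[str]                                       # all must sign off
    signoffs: Dict[str, bool] = field(default_factory=dict)  # persona -> exempt?
    state: State = State.IN_PROGRESS


@dataclass
class Requirement:
    name: str
    activities: List[Activity]
    state: State = State.IN_PROGRESS

    def is_complete(self) -> bool:
        """Complete when every activity is signed off, with or without exemption."""
        return all(a.state is not State.IN_PROGRESS for a in self.activities)


def sign_off_activity(activity: Activity, persona: str, exempt: bool = False) -> State:
    """Record one persona's sign-off and recompute the activity state.

    - Only an assigned persona (or the Power User) may sign off.
    - With several personas, the activity stays In Progress until all have
      signed; one exemption among them makes the whole activity exempt.
    - A Power User sign-off overrides the other personas' sign-offs.
    """
    if persona != POWER_USER and persona not in activity.personas:
        raise PermissionError(f"{persona!r} is not assigned to {activity.name!r}")
    activity.signoffs[persona] = exempt
    if POWER_USER in activity.signoffs:
        activity.state = _state_for(activity.signoffs[POWER_USER])
    elif activity.personas.issubset(activity.signoffs):
        activity.state = _state_for(any(activity.signoffs[p] for p in activity.personas))
    else:
        activity.state = State.IN_PROGRESS
    return activity.state


def sign_off_requirement(req: Requirement, exempt: bool = False) -> State:
    """Sign off a requirement.

    - Complete requirement: may be signed off with or without exemption;
      activity states are left untouched.
    - Incomplete requirement: only sign-off with exemption is allowed, and
      every activity still In Progress is set to Signed Off With Exemption.
    """
    if not req.is_complete():
        if not exempt:
            raise ValueError(f"{req.name!r} has unfinished activities; "
                             "only sign-off with exemption is permitted")
        for activity in req.activities:
            if activity.state is State.IN_PROGRESS:
                activity.state = State.SIGNED_OFF_WITH_EXEMPTION
    req.state = _state_for(exempt)
    return req.state


if __name__ == "__main__":
    # Constructed sample: one requirement with two activities.
    threat_model = Activity("Threat model", {"Architect", "Security Expert/Champion"})
    checklist = Activity("Peer review checklist", {"Developer"})
    design_review = Requirement("Design review", [threat_model, checklist])

    sign_off_activity(threat_model, "Architect")                      # still In Progress
    sign_off_activity(threat_model, "Security Expert/Champion", exempt=True)
    print(threat_model.name, "->", threat_model.state.value)          # with exemption
    sign_off_requirement(design_review, exempt=True)                  # checklist forced exempt
    print(checklist.name, "->", checklist.state.value)
```

The point worth checking in the model is the audit trail it leaves: an incomplete requirement signed off with exemption silently converts every In Progress activity to Signed Off With Exemption, so reviewers should look at the activity states rather than only the requirement state to see what work was actually done.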

About Due Dates


In the process template definition, you can specify due dates for process templates, requirements, and activities in units of days or weeks. When the project version is created, those days or weeks are added to the current day to calculate an absolute due date, which you can see on the Requirements tab in the Project Version details. Tasks do not have a due date by default, but you can set one after the task is created. Due dates can be changed after the project version is created; only a user who can sign off on the process template, requirement, activity, or task can change its due date. If a due date passes and the item has not been signed off, a system event is created, which you can examine in the event log.

Overview of Sign Off Process Templates


Software Security Center process templates can be signed off normally or with exemption. In this regard, the sign-off behavior for Software Security Center process templates is identical to the sign-off behavior for requirements.

Assigning User Accounts to Personas


Personas provide the core functionality of Software Security Center's Governance features. In Software Security Center, personas have sign-off responsibilities for process template requirements and activities. For more information about managing Software Security Center personas, see Chapter 3, Managing User Accounts on page 20.

Before a persona can sign off a process template requirement or activity, you must use the Personas tab on the Requirements page to assign a Software Security Center user account to that persona.

To assign a Software Security Center user account to a persona:

1. On the Requirements details page, click Personas. Software Security Center displays the Personas page. The page lists the personas defined in the selected SSA project version's process template. For information about listing all personas defined to Software Security Center, see Viewing and Editing Personas on page 74.
2. On the Personas page, in the list of personas, choose a persona, and then click Assign User. Software Security Center displays the Assign User to Persona dialog box.
3. From the User list, select a Software Security Center user account name.
4. Click Save. Software Security Center saves the change and then displays the list of personas. The list includes the Software Security Center user account assigned to the persona.

Assigning a Power User


The Power User persona provides a way to sign off on a process template requirement or activity if the assigned persona cannot do it.

To assign the Power User persona to a Software Security Center user:

1. On the Requirements details page, click Personas. Software Security Center displays the Personas panel, which lists the personas defined in the process template for the selected SSA project version. For information about listing all personas defined throughout the complete set of Software Security Center process templates, see Viewing and Editing Personas on page 74.
2. On the Personas page, click Advanced. Software Security Center displays the Assign User to Persona dialog box.
3. From the User list, choose a Software Security Center user account name.
4. Click Save. Software Security Center saves the change and displays the list of personas. The list includes the Software Security Center user account assigned to the persona.

About Process Template Work Owners


In Software Security Center, work owners are individual Software Security Center user accounts tasked with performing a given SSA project version's activities and requirements. You can assign work owners to either requirements or activities. If you assign a work owner to a process template requirement, Software Security Center does not automatically assign that work owner to any of the activities contained within that requirement.

To assign a work owner to a process template requirement or activity:

1. On the Requirements page, on the Requirements sub-tab, select a requirement or activity. Software Security Center updates the right-side information panel with details about the selected activity or requirement.
2. Assign a work owner to the selected activity or requirement:
   a. In the right-side information panel, select the General tab.
   b. In the Work Owner row, click the assignment icon. Software Security Center displays the Work Owner Assign dialog box.
   c. In the User list, choose a Software Security Center user account, and then click Save. Software Security Center adds the assigned work owner to the requirement's or activity's information panel.

To specify default work owners in a customized process template, you must use the external Process Designer client tool.


About Assignment of Work Owners to Personas


The Process Designer client tool permits default work owners to be assigned to process template requirements and activities. Because there is no way to predict what Software Security Center user account names may be assigned as work owners, Process Designer assigns work owners to requirements and activities by persona. If you use the Requirements page to view a process template that includes default work owner definitions, and you have not yet performed the procedure in Assigning User Accounts to Personas on page 71 to assign a Software Security Center user account to the default work owner persona, then Software Security Center reports the work owner status as unassigned. The first time you assign a user account to a persona specified as a default work owner, Software Security Center updates all work owner fields with the user account name assigned to that persona.

About Software Security Center Persona Management


In the Software Security Center governance module, personas provide enhanced management of the requirements and activities defined in the process templates for SSA project versions. Personas enable a security manager to:

- Assign sign-off responsibility for process template requirements and activities to organizational units or job titles
- Require that more than one persona sign off on a particular process template requirement or activity
- Achieve a high level of accountability on task assignment and completion
- Efficiently manage changing personnel resources throughout the entire development life cycle of a Software Security Center SSA project version

Table 8 provides descriptions of the default personas that you can add to your process template activities or requirements in Software Security Center. To add personas to process template activities or requirements, you must use the Software Security Center Process Designer client tool. For information about how to incorporate personas into your process templates, see the HP Fortify Software Security Center Process Designer User Guide.
Table 8: HP Fortify Software Security Center Personas

Persona Name                Example Responsibilities
Architect                   High-level design and system engineering
Business Risk Owner         Sign off on the complete set of business and technological risks for an application
Developer                   Design and implement code, scan the code for vulnerabilities, and address any security issues in the code
Operations and Build Teams  Deploy and maintain applications in production settings
Project Manager             Ensure that all project milestones are enumerated and completed
QA Tester                   Test and verify software throughout the secure development process
Security Expert/Champion    Define and ensure compliance with the security strategy and delivery of an SSA project version
Support Operations          Internal and external customer support and technical operations support


Viewing and Editing Personas


All Software Security Center account levels can view personas, but you must log on as an Administrator or Security Lead to edit or create personas.

To view and edit a Software Security Center persona:

1. Log on to Software Security Center and click the Administration tab.
2. In the left panel, under Process Management, click Personas. The Personas page in the right panel lists all personas in the system.
3. From the list, select a persona, and then click View Details. The details panel for the persona opens in the right pane. The panel includes the Is Power User check box, which is a status indicator. For information about the Power User persona, see Assigning a Power User on page 72.
4. If you are an Administrator or Security Lead, click Edit. The Edit Persona dialog box opens.
5. Modify the persona name or description, and then click Save.

Creating a Persona
To create a persona:

1. Log on to Software Security Center and click the Administration tab.
2. In the Administration panel on the left, under Process Management, click Personas.
3. Click Add. The Create Persona dialog box opens.
4. In the Name box, type a descriptive name for a job title that is to have responsibility for one or more portions of a Software Security Center SSA project version.
5. (Optional) In the Description box, type a description of the responsibilities or functions the persona is to assume.
6. Click Save. The Personas page lists the new persona.

For information about how to incorporate a persona into a Software Security Center process template, see the HP Fortify Software Security Center Process Designer User Guide.


Deleting Personas
If a persona listed on the Personas page has no user accounts assigned to it, you can delete that persona.

To delete a persona:

1. Log on to Software Security Center as an Administrator or Security Lead and click the Administration tab.
2. In the Administration panel on the left, under Process Management, click Personas.
3. In the Name column in the Personas panel, select the persona you want to delete.
4. Click Delete. A warning dialog box opens and prompts you to confirm that you want to delete the persona.
5. Click Yes.

Adding Tasks to Activities


The work owner assigned to a process template activity can add tasks to that activity. Tasks enable the work owner to enumerate and manage the individual work items that must be performed to complete a given activity. Only the work owner assigned to an activity can sign off the tasks associated with that activity. The work owner who creates a task can also assign that task to a different work owner. After the work owner assigned to the task completes that task, only the work owner who created the task can sign off on that task.

To add a task to an assigned activity:

1. On the Requirements page, on the Requirements sub-tab, select an activity for which you are the assigned Software Security Center work owner. Software Security Center updates the right-side information panel with details about the selected activity. If you are the work owner assigned to the selected activity, Software Security Center enables the Add Task button on the General tab.
2. To add a task to the selected activity:
   a. In the right-side information panel, click Add Task. The Create Task dialog box opens.
   b. Type the name and description of the new task, and then click Save. Software Security Center adds the task to the activity.

About Adding Status Alerts to Requirements and Activities


Software Security Center can use changes in requirement and activity status to send email notifications to team members. For information about how to configure alerts, see About Alert Definitions and Creating Alert Definitions on page 83.


About Working with Document Artifacts


Use the Requirements page to view, upload, and manage the document artifacts for an SSA project version. (Although you can use the Documents tab on the Artifacts page to work with document artifacts, the Requirements page provides a better contextual framework for working with Software Security Center process documents.)

HP Fortify provides a default set of document artifact templates with Software Security Center. Most of these templates are Microsoft Word documents, although you can incorporate any type of file, including user-created files, into an SSA project version as a document artifact.

Document artifact workflow is as follows:

1. Log on as a user who has access to the selected SSA project version.
2. Use the procedure described in Displaying the Requirements Detail Page on page 68 to display the Requirements page for the SSA project.
3. On the Requirements page, locate an activity that includes a documentation artifact. While browsing the list of activities, look in the right-side details area for a downloadable documentation artifact template. Software Security Center supports the use of any type of file as a document artifact. In some cases the security team may choose to use the document artifact templates included in Software Security Center's default set. In other cases, the security team may prefer to develop and submit customized, project-specific process documents.
4. Place a working copy of a document artifact template where the appropriate members of the security team can access it as a working process document. Only after a process document is completed should a document artifact be submitted for review: Software Security Center does not perform version control or release management of incomplete document artifacts.
5. Click Submit For Review. The Submit Document For Review dialog box opens. When using the Requirements page to submit a document artifact, Software Security Center uses the activity type to automatically identify the type of process document being submitted. To specify additional process document types (for example, for process documents that contain multiple chapters that correspond to other SSA project version activities), in the Additional Document Types area choose one or more document types. (To submit a document artifact, you must select at least one document type when using the Artifacts page.)
6. To approve the submitted document artifact:
   a. Log on as an Administrator, as the Security Lead account that created the project, or as a Security Lead, Manager, or Developer with access to the selected SSA project version.
   b. Select the activity that contains the completed document artifact, and then click Sign Off.


Chapter 6: Variables, Performance Indicators, and Alerts


Software Security Center lets you store measured values and event conditions for project versions as variables. A Software Security Center variable is a definition of a metric that is to be evaluated periodically for each project version. Variables count issues, conditions, and other categories of numeric data. Performance indicators combine variables into metrics that are normalized across project version boundaries, and that can represent complex higher-level abstractions such as monetary costs. Software Security Center variables and performance indicators provide the building blocks that you can use to create customized metrics, which you can then incorporate into customized alert definitions. You can use the values of variables to trigger alerts, which Software Security Center then displays on the dashboard of recipients specified in the alert definitions. Software Security Center can also email alert notifications to members of a project version team.

About Working with Variables


If you have a Manager-level or higher user account, you can define variables for your projects. This section provides information about Software Security Center variable syntax and search strings, and includes instructions on how to create variables.

About Variable Syntax and Search Strings and Search String Modifiers
The format of a Software Security Center variable is as follows:

modifier:searchstring

Table 9 lists the Software Security Center relational operators.

Table 9: HP Fortify Software Security Center Relational Operators

Search String
    Searches for the string without qualification.

"Search String"
    Searches for an exact match of the term enclosed in quotation marks (" ").

Number range
    A comma-separated pair of numbers used to specify the beginning and end of a range of numbers. Use a left or right bracket ([ ]) to specify that the range includes the adjoining number. Use a begin or end parenthesis (( )) to specify that the range excludes (is greater than or less than) the adjoining number. Example: (2,4] indicates a range of greater than two, and less than or equal to four.

! (not equal)
    Negate a modifier with an exclamation character (!). Example: !file:Main.java returns all issues that are not in Main.java.


Variable Search Targets


Table 10 lists the Software Security Center search string modifiers.

Table 10: Search String Modifiers

[issue age]
    Searches for the issue age, which is either removed, existing, or new.

<custom_tagname>
    Searches the specified custom tag. Note that tag names that contain spaces must be delimited by square brackets. Example: [my tag]:value

analysis
    Searches for issues that have the specified audit analysis value (such as exploitable, not an issue, and so on).

analyzer
    Searches the issues for the specified analyzer.

audience
    Searches for issues by intended audience. Valid values are targeted, medium, and broad.

audited
    Searches the issues to find true if Primary Custom Tag is set and false if Primary Custom Tag is not set.

category (cat)
    Searches for the given category or category substring.

comments (comment, com)
    Searches the comments submitted on the issue.

commentuser
    Searches for issues with comments from a specified user.

confidence (con)
    Searches for issues that have the specified confidence value. Fortify Source Code Analyzer calculates the confidence value based on the number of assumptions made in code analysis. The more assumptions made, the lower the confidence value.

dynamic
    Searches for issues with the specified dynamic hot spot ranking value.

file
    Searches for issues where the primary location or sink node function call occurs in the specified file.

[fortify priority order]
    Searches for issues that have a priority level that matches the specified priority determined by the HP Fortify analyzers. Valid values are critical, high, medium, and low, based on the expected impact and likelihood of exploitation. The impact value indicates the potential damage that might result if an issue is successfully exploited. The likelihood value is a combination of confidence, accuracy of the rule, and probability that the issue can be exploited. Audit Workbench groups issues into folders based on the four priority values (critical, high, medium, and low) by default.

historyuser
    Searches for issues with audit data modified by the specified user.

kingdom
    Searches for all issues in the specified kingdom.

maxconf
    Searches for all issues that have a confidence value up to and including the number specified as the search term.

metagroup
    Searches the specified metagroup. Metagroups include [OWASP Top 10 2010], [sans top 25 2010], [pci 2.1], and others. Square brackets delimit field names that include spaces.

minconf
    Searches for all issues that have a confidence value equal to or greater than the number specified as the search term.

package
    Searches for issues where the primary location occurs in the specified package or namespace. (For data flow issues, the primary location is the sink function.)

[primary context]
    Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see sink and [source context].

primaryrule (rule)
    Searches for all issues related to the specified sink rule.

ruleid
    Searches for all issues reported by the specified rule IDs used to generate the issue source, sink, and all passthroughs.

sink
    Searches for issues with the specified sink function name. Also see [primary context].

source
    Searches for data flow issues with the specified source function name. Also see [source context].

[source context]
    Searches for data flow issues with the source function call contained in the specified code context. Also see source and [primary context].

status
    Searches issues that have the status reviewed, not reviewed, or under review.

suppressed
    Searches for suppressed issues.

taint
    Searches for issues that have the specified taint flag.

[no attribute]
    Searches for issues that have any of the most common attributes that match the specified string.

Note: Software Security Center does not recognize the following Audit Workbench search modifiers in variables: ruleid, trace, and tracenode. Because Table 10 and Table 11 in this chapter also mention these modifiers, check any variable search string that uses them with the Validate button described in Creating Variables before you rely on the variable's value.

Apart from the modifiers listed in the note above, Software Security Center search-string syntax is identical to that used with HP Fortify Audit Workbench. Table 11 lists common Software Security Center variable search strings.

Table 11: Software Security Center Variables, Common Search Strings

All issues that contain cleanse as part of any modifier
    cleanse

Categories other than SQL injection
    category:!SQL Injection

File names that contain the string com/fortify/awb
    file:"com/fortify/awb"

Paths that contain traces with cleanse as part of the name
    trace:cleanse

Paths that contain traces with mydbcode.sqlcleanse as part of the name
    trace:mydbcode.sqlcleanse

Privacy violations in file names that contain jsp with getSSN() as a source
    category:"privacy violation" source:getssn file:jsp

Suppressed vulnerabilities with asdf in the comments
    suppressed:true comments:asdf

Creating Variables
To create a Software Security Center variable:

1. Log on as a Manager-level or higher user, and then click the Administration tab.
   Note: Users who have Developer accounts cannot create Software Security Center variables.

2. In the Administration panel on the left, under Projects, click Variables.

3. In the Variables panel on the right, click Add. The Create Variable dialog box opens.

4. Provide the information described in the following table (* marks a required field).

   *Name
       Type a variable name that begins with a letter (a-z, A-Z), and that contains only letters, numerals (0-9), and the underscore character (_).

   Description
       Type a variable description so that other users can understand what the variable is used for.

   *Search String
       Type a valid Software Security Center variable search string. (For information about how to construct search strings, see About Variable Syntax and Search Strings and Search String Modifiers on page 77.)

   *Folder
       From this list, select a folder from the default filter set to associate with the variable. The Folder list displays the unique folder names associated with all available project templates. (The folder names are configured in Software Security Center Process Designer.) The variable value is calculated if the folder name is associated with the project template for the project version.

5. Click Validate. Software Security Center displays the variable validation result.

6. After you configure and validate the Software Security Center variable, click Save. Software Security Center displays details about the new variable.

About Performance Indicators


Software Security Center performance indicators enable you to combine variables into metrics that are normalized across project version boundaries, and that can represent complex, high-level abstractions such as monetary costs. This section provides information about performance indicator syntax and instructions on how to create performance indicators. The general format of a Software Security Center performance indicator is as follows:
Variable[operator]Variable

where operator is a standard mathematical operator (+, -, *, /)

Creating Performance Indicators


To create a Software Security Center performance indicator:

1. Log on to Software Security Center as a Security Lead, and then click the Administration tab.
   Note: Users who have Manager and Developer accounts cannot create Software Security Center performance indicators.

2. In the Administration panel on the left, under Process Management, click Performance Indicators. The Performance Indicators panel opens on the right.

3. Click Add. The Create Performance Indicator dialog box opens.

4. Provide the information described in the following table (* marks a required field).

   *Name
       Type a performance indicator name.

   Description
       Type a description so that other users can understand what the performance indicator is used for.

   *Equation
       Type a valid Software Security Center performance indicator equation.

   *Return Type
       From this list, select the value type to return.

5. Click Validate. Software Security Center displays the performance indicator validation result.

6. After you configure and successfully validate the Software Security Center performance indicator, click Save. Software Security Center displays details about the new performance indicator.


About Alert Definitions


Alert definitions can include variable, performance indicator, or SSA process conditions that determine when Software Security Center generates an alert notification in the Dashboard's Alert Notifications pod. You can also configure alert notifications to send email messages about one or more alerts to members of a given Software Security Center project version.

Creating Alert Definitions


You can create alert definitions for any project versions to which you have been granted access. To create a Software Security Center alert definition:

1. Log on to Software Security Center, and then click the Administration tab.

2. In the Administration panel on the left, under General, select Alert Definitions.

3. In the Alert Definitions panel on the right, click Add. The Create Alert Definition dialog box opens.

4. In the General section, do the following:
   In the Name box, type a name for the alert.
   (Optional) In the Description box, type text that describes what the alert is for.
   To enable this alert definition, select the Enable check box.

5. In the Alert Definition section, next to Type, select the type of alert you want to create.

6. Provide the information for the alert type you selected, as described below.

   Process Alert
   a. From the Alert When list on the left, select a process template, process requirement, or process activity for a Software Security Center SSA project version to which you have access.
   b. From the Alert When list on the right, select a process state.
   c. If the process state you selected enables the calendar box, specify a date.
      Note: If you choose a process state of "if not signed off by" or "if not ready to be signed off by", Software Security Center enables both the date and Remind Every boxes.
   d. To add a recurring email alert, select the Remind Every check box, and then in the Days box, specify the frequency for the alert by typing the number of days. Software Security Center continues to send recurring email alerts until the process state has been satisfied, or until you clear Remind Every.
   e. To apply the alert to the children of the process entity, select the Include Children check box.

   Performance Indicator Alert
   a. From the Alert When list on the left, select a performance indicator.
   b. From the list of operators, select an operator.
   c. Type a numeric value. The return type of the performance indicator you selected determines whether the value represents an integer or a percentage.

   Variable Alert
   a. From the Alert When list on the left, select a variable.
   b. From the list of operators, select the appropriate operator.
   c. Type a numeric value. The type of variable you selected determines whether the value represents an integer or a percentage.

   System Event Alert
   From the Alert When list on the left, select the Software Security Center system event to trigger the alert.

7. If you are creating a system event alert, click Save. Otherwise, proceed to the next step.

8. To specify the scope of the alert:
   a. In the Scope section, click Add. The Select Project Versions dialog box opens.
   b. Select the check boxes that correspond to the project versions to which your new alert applies, and then click OK.

9. In the Notification section, next to Recipient, select one of the following recipient preferences. (Regardless of the option you select, you receive the notification.)
   To have the notification sent only to you, select Me Only.
   If you are creating a process alert, and you want the notification sent to the process entity work owner and the Software Security Center users who sign off on the project version, select Process Entity Stakeholders.
   To have the notification sent to all Software Security Center users who have access to the project versions you specified in the Scope section, select All Project Version Users.

10. Click Save. Software Security Center displays the details for your new alert.

Setting Alert Notification Preferences


By default, alerts are displayed on the Software Security Center dashboard of all specified recipients. You can configure Software Security Center to send email notifications of alerts (in addition to displaying alerts on the dashboard) and to send you runtime alert notifications of the security events that the runtime system has flagged. To configure these settings, on the Alert Definitions panel, click Preferences, and then make changes on the Alert Notifications tab of the Modify Preferences dialog box.


Chapter 7: Collaborative Auditing


Software Security Center's Collaboration Module is a web-based collaborative environment for auditing issues associated with Software Security Center projects. This chapter provides an overview of the auditing process and instructions on how to display and use the auditing interface that is the Collaboration Module. The information in this chapter is presented based on the assumption that you know how to create and configure Software Security Center project versions. (For information about Software Security Center projects and project versions, see Chapter 4, Software Security Center Projects and Project Versions on page 32.)

About Auditing
Issue audits, whether performed in Software Security Center or Audit Workbench, accomplish the following:
Condense and focus project information
Enable the security team to collaboratively decide which issues represent real vulnerabilities
Enable the security team to collaboratively prioritize issues based on vulnerability

Software Security Center uses project templates to categorize and display issues.

About Current Issues State


Software Security Center keeps track of which analysis engine uncovers each issue in a project version and merges any new information into the existing body of results for the project version. After new audit information is uploaded to the server or entered through the Collaboration Module, Software Security Center merges that information into any existing audit information for a given issue. Software Security Center also marks an issue as removed after the analysis engine no longer finds the issue.

About Audit Conflicts


If, as you audit an issue from the Collaboration Module, another user updates that issue before you submit your audit information, Software Security Center notifies you and prompts you to re-submit your audit.


Starting the Collaboration Module


To start the Software Security Center Collaboration Module:

1. Log on to Software Security Center as an Administrator, Manager, Auditor, or Developer, and then click Projects. Software Security Center displays a list of all projects and project versions.

2. From the list, select a project version, and then click Audit Issues.
   Note: If a project contains at least one artifact, and you do not see the Audit Issues button, you lack sufficient user privileges to perform an audit.

Software Security Center loads the analysis results for the project version. In the panel on the left, Software Security Center displays the Issue List. The Issue List summarizes the current audited state of all issues associated with the project's current snapshot. By default, the Issue List displays summary information for critical issues. The Issues panel on the right lists all of the issues included in the category selected in the Issue List panel. By default, the panel displays all critical issues.


About Collaboration Module Display Modes


As you audit issues, Software Security Center dynamically optimizes the screen area allocated to the tools and features you select. The following table lists the components displayed after you start the Collaboration Module for the first time during a Software Security Center session.

Filter Set list
    From this list, select the view (PCI Auditor View, Security Auditor View, Developer View, or Critical Exposure) that fits your auditing objectives.

Issues for check box
    Select this check box to display only those issues that are assigned to you.

Group by list
    From this list, select the grouping for the issues to audit. (The default selection is Category.)

Fortify priority tabs
    Tabs for issues that have a specific HP Fortify priority level (Critical, High, Medium, Low) or all priority levels (All). The tab name is followed by a number that indicates the number of issues of that priority level. For example, Critical (110) indicates that 110 critical issues were uncovered in the selected project version.

Issue groups
    Clear the check boxes for the groups of issues you do not want to audit. (By default, the check boxes for all issue groups are selected.)

View Options link
    Click this link to select your options for viewing issues.

The Issues panel on the right lists issues based on your selections in the left panel. After you select a listed issue, the panel displays the Summary, Details, Recommendations, and History tabs under the issue list.


Use the Summary tab to audit the selected issue. The History tab displays a summary of the auditing activities performed on the selected issue.

The Details tab presents the following information about the selected issue:

The Abstract section provides a summary description of the issue, which may include abstracts defined by your organization.

The Explanation section displays a description of the conditions under which this type of issue occurs. The description includes a discussion of the vulnerability, the constructs typically associated with it, how it can be exploited, and the potential impact of an attack. The Explanation section also includes any explanations defined by your organization.

The Instance ID section shows the unique identifier for the issue.

The Rule ID section displays the unique identifier for the rule that generated the issue.

The SCA Confidence section displays the SCA-calculated number (ranging from 0.1 to 5.0) that represents the estimated likelihood that an issue represents a real vulnerability. The higher the number, the greater the confidence that the issue is valid. The more assumptions SCA has to make, the lower the confidence score.

The Recommendations tab displays the following sections:

The Recommendation section provides recommendations on how you might fix the type of issue you selected. This section includes examples and any custom recommendations defined by your organization.

The Tips section provides tips for the type of issue selected, including any custom tips defined by your organization.

The References section lists the references on which the recommendations and tips are based. It includes custom references defined by your organization.

Auditing Issues with Collaboration Module


This section provides information about how to audit Software Security Center project issues. To audit project issues:

1. From the HP Fortify Software Security Center Dashboard, click the Projects tab.

2. In the Projects panel on the left, click the project version of interest, and then click Audit Issues.
   Note: You can also reach the Audit Issues button from both the Current State and Trending panels on the Issues tab for a selected project version.

   Software Security Center displays the Collaboration Module. By default, the left-side panel of the Collaboration Module contains the Issue List. The Issue List includes folder tabs, Filter Set and Group By lists, and, at the bottom, a View Options link. Use these tools to customize the list of issues displayed in the Collaboration Module.

3. In the Issue List, choose an issue, and then in the central Issues panel click View Details. The Collaboration Module updates the upper-left panel with issue details. The lower-right panel displays tools you can use to audit the issue, suppress the issue, or submit the issue to your secure deployment team's bug tracking server. If this is the first File Bug action for the current session and project, and if the bug tracker requires authentication, Software Security Center prompts you for logon credentials.

   If you log on successfully, Software Security Center maintains the connection state for the remainder of the current Software Security Center session. If the logon fails, Software Security Center displays an error message and aborts the action.


   Software Security Center then displays a submit dialog box for the associated bug tracker. If default values are available, they are filled in, and required fields are marked as such. Software Security Center acquires the fields and their values dynamically from the bug tracker associated with the selected Software Security Center project. Software Security Center submits the defect and logs the defect ID in the HP Fortify database. If the submission succeeds, Software Security Center displays a message stating that the defect was submitted successfully, and sets the vulnerability attribute Defect Id to the defect ID returned by the bug tracker. If the submission fails, Software Security Center displays an error message. For information about configuring Software Security Center bug tracker integration, see the HP Fortify Software Security Center Installation and Configuration Guide.

4. To return to the Issue List page, click Issue List in the upper right part of the page.

About Searching Issues


You can selectively locate issues using the search box under the issues list. When you enter a search term, the label next to the folder name changes to indicate the number of issues that match the search as a subset of the total. You can wrap search terms with delimiters to indicate the type of comparison to be performed. Table 12 shows the syntax to use in the search string field.

Table 12: Search Comparison Syntax

contains
    Searches for a term without any qualifying delimiters.

equals
    Searches for an exact match if the term is wrapped in quotation marks ("").

regex
    Searches for values that match a Java-style regular expression delimited by a forward slash (/). Example: /eas.+?/

number range
    Uses standard mathematical syntax, such as ( and ) for an exclusive range, and [ and ] for an inclusive range, where (2,4] represents the range of numbers greater than two, and less than or equal to four.

not equals
    Excludes issues specified by the string by preceding the string with an exclamation character (!). For example, file:!Main.java returns all issues that are not in the Main.java file.

Search terms can be further qualified with modifiers. For more information, see About Search Modifiers on page 90. The basic syntax for using a modifier is modifier:<search term>. A search string can contain multiple modifiers and search terms. If you specify more than one modifier, the search returns only issues that match all the modified search terms. For example, file:ApplicationContext.java category:SQL Injection returns only SQL injection issues found in ApplicationContext.java. If you use the same modifier more than once in a search string, then the search terms qualified by those modifiers are treated as an OR comparison. So, for example, file:ApplicationContext.java category:SQL Injection category:Cross-Site Scripting returns SQL injection issues and cross-site scripting issues found in ApplicationContext.java.


For complex searches, you can also insert the AND or the OR keyword between your search queries. Note that AND and OR have the same priority in searches, so a search string that mixes the two keywords is not evaluated with the usual AND-before-OR precedence; check the match count shown next to the folder name after you add a keyword.

To search issues, do one of the following:
Type a search string in the box and press ENTER.
To reuse a search term from earlier in the current work session, click the arrow in the search box, and then select the search term from the list.

Note: After you log off of Software Security Center, all search terms are discarded.

About Search Modifiers


You can use a search modifier to specify which issue attribute the search term should apply to. To use a modifier that contains a space in its name, such as the name of a custom tag, you must delimit the modifier with brackets. For example, to search for issues that are new, type [issue age]:new. A search that is not qualified by a modifier matches the search string on the following attributes: kingdom, primary rule id, analyzer, filename, severity, class name, function name, instance id, package, confidence, type, subtype, taint flags, category, sink, and source. To apply the search to all of these attributes, enter a plain string, such as control flow. This searches all of the attributes and returns any results that contain the string control flow. To apply the search to a specific modifier, type the modifier name and the string as follows: analyzer:control flow. This returns all results with the analyzer control flow.

Table 13 describes the search modifiers.

Table 13: Search Modifiers

[issue age]
    Searches for the issue age, which is either removed, existing, or new.

<custom_tagname>
    Searches the specified custom tag. Note that tag names that contain spaces must be delimited by square brackets. Example: [my tag]:value

analysis
    Searches for issues that have the specified audit analysis value (such as exploitable, not an issue, and so on).

analyzer
    Searches the issues for the specified analyzer.

audience
    Searches for issues by intended audience. Valid values are targeted, medium, and broad.

audited
    Searches the issues to find true if Primary Custom Tag is set and false if Primary Custom Tag is not set.

category (cat)
    Searches for the given category or category substring.

comments (comment, com)
    Searches the comments submitted on the issue.

commentuser
    Searches for issues with comments from a specified user.

confidence (con)
    Searches for issues that have the specified confidence value. Fortify Source Code Analyzer calculates the confidence value based on the number of assumptions made in code analysis. The more assumptions made, the lower the confidence value.

dynamic
    Searches for issues that have the specified dynamic hot spot ranking value.

file
    Searches for issues where the primary location or sink node function call occurs in the specified file.

[fortify priority order]
    Searches for issues that have a priority level that matches the specified priority determined by the HP Fortify analyzers. Valid values are critical, high, medium, and low, based on the expected impact and likelihood of exploitation. The impact value indicates the potential damage that might result if an issue is successfully exploited. The likelihood value is a combination of confidence, accuracy of the rule, and probability that the issue can be exploited. Software Security Center groups issues into folders based on the four priority values (critical, high, medium, and low) by default.

historyuser
    Searches for issues that have audit data modified by the specified user.

kingdom
    Searches for all issues in the specified kingdom.

maxconf
    Searches for all issues that have a confidence value up to and including the number specified as the search term.

<metagroup_name>
    Searches the specified metagroup. Metagroups include [owasp top ten 2010], [sans top 25 2010], [pci 2.1], and others. Square brackets delimit field names that include spaces.

minconf
    Searches for all issues that have a confidence value greater than or equal to the specified value.

package
    Searches for issues where the primary location occurs in the specified package or namespace. (For data flow issues, the primary location is the sink function.)

[primary context]
    Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see sink and [source context].

primaryrule (rule)
    Searches for all issues related to the specified sink rule.

ruleid
    Searches for all issues reported by the specified rule IDs used to generate the issue source, sink, and all passthroughs.

sink
    Searches for issues that have the specified sink function name. Also see [primary context].

source
    Searches for data flow issues that have the specified source function name. Also see [source context].

[source context]
    Searches for data flow issues that have the source function call contained in the specified code context. Also see source and [primary context].

sourcefile
    Searches for data flow issues whose source function call is contained in the specified file. Also see file.

status
    Searches issues that have the status reviewed, not reviewed, or under review.

suppressed
    Searches for suppressed issues.

taint
    Searches for issues that have the specified taint flag.

trace
    Searches for issues that have the specified string in the data flow trace.

tracenode
    Enables you to search on the nodes within an issue's analysis trace. Each tracenode search value is a concatenation of the trace node's file path, line number, and additional information.

<no attribute>
    Searches for issues that have any of the most common attributes that match the specified string.

Search Query Examples


Consider the following examples:

To search for all privacy violations in file names that contain jsp with getSSN() as a source, type the following:
category:"privacy violation" source:getssn file:jsp

To search for all file names that contain com/fortify/awb, type the following:
file:"com/fortify/awb"

To search for all paths that contain traces with mydbcode.sqlcleanse as part of the name, type the following:
trace:mydbcode.sqlcleanse

To search for all paths that contain traces with cleanse as part of the name, type the following:
trace:cleanse

To search for all issues that contain cleanse as part of any modifier, type the following:
cleanse

To search for all suppressed vulnerabilities with asdf in the comments, type the following:
suppressed:true comments:asdf

To search for all categories except for SQL Injection, type the following:
category:!SQL Injection
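As an added example that is not part of the HP Fortify documentation, the following Python script implements a small evaluator for the query syntax illustrated by the examples above and by the modifiers in Table 13: modifier:value terms, quoted multi-word values, ! for negation, bracketed multi-word modifier names such as [fortify priority order], and bare terms with no modifier. The issue records are constructed for the example, the set of attributes a bare term is matched against is an assumption (the page only says "the most common attributes"), and the case-insensitive substring matching is likewise an assumption about behaviour the examples suggest, not a description of how Software Security Center implements its search.

```python
import re

# Constructed sample issue records for the example (not real scan output).
# Attribute names follow the search modifiers in Table 13.
ISSUES = [
    {"id": 1, "category": "Privacy Violation", "file": "login.jsp",
     "source": "getSSN()", "sink": "println",
     "trace": "login.jsp:12 -> util/MyDbCode.sqlcleanse",
     "comments": "", "suppressed": False, "[fortify priority order]": "High"},
    {"id": 2, "category": "SQL Injection", "file": "com/fortify/awb/Dao.java",
     "source": "getParameter", "sink": "executeQuery",
     "trace": "Dao.java:40 -> mydbcode.sqlcleanse",
     "comments": "asdf reviewed", "suppressed": True,
     "[fortify priority order]": "Critical"},
    {"id": 3, "category": "Cross-Site Scripting",
     "file": "com/fortify/awb/View.jsp", "source": "getParameter",
     "sink": "out.print", "trace": "View.jsp:8",
     "comments": "", "suppressed": False, "[fortify priority order]": "High"},
    {"id": 4, "category": "Privacy Violation", "file": "Report.java",
     "source": "getSSN()", "sink": "log", "trace": "Report.java:3 -> cleanseInput",
     "comments": "asdf", "suppressed": True, "[fortify priority order]": "Low"},
]

# Attributes consulted by a term with no modifier (<no attribute>). The guide
# says "the most common attributes" without listing them; this set is an
# assumption made for the example.
COMMON_ATTRIBUTES = ("category", "file", "source", "sink", "trace", "comments")

# A modifier is a bare word or a bracketed multi-word name ([fortify priority
# order]) followed by ':' at the start of the query or after whitespace.
MODIFIER_RE = re.compile(r'(?:^|\s)(\[[^\]]+\]|[A-Za-z_]+):')


def parse_query(query):
    """Split a query into (modifier, value, negated) terms.

    Everything between one modifier and the next is that modifier's value, so
    an unquoted multi-word value such as category:!SQL Injection stays whole.
    Text before the first modifier is a free-text (<no attribute>) term.
    """
    terms = []
    matches = list(MODIFIER_RE.finditer(query))
    free_text = query[:matches[0].start()] if matches else query
    if free_text.strip():
        terms.append((None, free_text.strip(), False))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(query)
        value = query[m.end():end].strip()
        negated = value.startswith("!")     # category:!SQL Injection
        if negated:
            value = value[1:].strip()
        value = value.strip('"')            # category:"privacy violation"
        terms.append((m.group(1).lower(), value, negated))
    return terms


def _attr_text(issue, name):
    """Render an attribute as text so that booleans match true/false."""
    value = issue.get(name, "")
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def term_matches(issue, modifier, value, negated):
    """Case-insensitive substring match, inverted when the term is negated."""
    needle = value.lower()
    if modifier is None:
        hit = any(needle in _attr_text(issue, a).lower() for a in COMMON_ATTRIBUTES)
    else:
        hit = needle in _attr_text(issue, modifier).lower()
    return hit != negated


def search(issues, query):
    """Return the ids of issues that satisfy every term of the query (terms are ANDed)."""
    terms = parse_query(query)
    return [i["id"] for i in issues if all(term_matches(i, *t) for t in terms)]


if __name__ == "__main__":
    for q in ('category:"privacy violation" source:getssn file:jsp',
              'file:"com/fortify/awb"', 'trace:cleanse', 'cleanse',
              'suppressed:true comments:asdf', 'category:!SQL Injection',
              '[fortify priority order]:critical'):
        print(f"{q:55} -> {search(ISSUES, q)}")
```

Because the value of a modifier extends to the next modifier, a free-text term placed after a modifier term would be absorbed into that modifier's value; put bare terms first when combining them with modifiers in this evaluator.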


About HP Fortify Software Security Center and WebInspect Enterprise Integration


Software Security Center and HP WebInspect are closely integrated and can share scan results. Administrators can also submit requests for WebInspect dynamic scans from the Software Security Center interface. This section describes how to view WebInspect results in Software Security Center and provides instructions for Software Security Center users on how to request scans.

Viewing WebInspect Scan Results in Software Security Center


WebInspect saves scan results (results data and audit data) in FPR format, which can be imported into Software Security Center. After you upload the WebInspect FPR to Software Security Center, you can display the data in Software Security Center by navigating to the issue list for a selected project version. The following screen capture shows WebInspect results and audit data displayed for an issue in Software Security Center.

The top right panel includes the following tabs:

The Request tab displays the request of the issue, highlighting the attack.
The Response tab displays the response of the issue, highlighting the trigger.
The Stack Trace tab displays a SecurityScope stack trace.
The Steps tab (visible only if the steps are included in the WebInspect results file) displays the workflow that led to the discovery of an issue.

The top right panel also includes the following two check boxes, which are selected by default:

Select the Auto-scroll check box to bypass any header information and jump automatically to the first highlighted section of the response or request.
Select the Wrap Text check box to format the text to fit within your current display area.


The Information icon is displayed to the right of the Auto-scroll and Wrap Text check boxes. If you want to leave your workspace layout as is, you can click this icon and view the information presented in the Request and Response tabs in a separate window with a larger viewing area.

The top left panel displays a summary of the data displayed on the Details tab on the bottom right panel. You can use the arrows in this summary panel to go forward or backward in the issue list. To return to the full issue list display, click the Issue List link.


The bottom right panel also includes the Details tab, which displays a summary of the type of potential vulnerability posed by the selected issue. To read more about the issue, scroll to the Reference Info section of the Details tab, and then click a link to open a separate browser window.

The Steps tab displays the workflow that led to the discovery of an issue. WebInspect captures the sequence of actions that occurred between a clean state of the scanned application up until the vulnerability was discovered. These steps are helpful if the workflow for a particular issue is difficult to reproduce. Note: The Steps tab is available only if the steps are included in the WebInspect results file.

The Screenshots tab, shown in the following screen capture, displays any screenshots transferred from WebInspect. You can add, edit, delete, and download screenshots from the Screenshots tab.


About WebInspect Audit Data


In addition to screenshots, the following types of audit data are transferred from WebInspect to Software Security Center:

Vulnerability Notes. Vulnerability notes in WebInspect are transferred to Software Security Center as issue comments.
Ignored Vulnerabilities. Vulnerabilities marked as Ignored in WebInspect are marked Suppressed upon transfer to Software Security Center.
False Positives. See About False Positives.

About False Positives


Software Security Center does not have a direct equivalent of the WebInspect false positive status. If a WebInspect user marks a vulnerability as a false positive, the vulnerability is hidden from the vulnerability lists and is removed from the vulnerability counts. To emulate the false positive status in Software Security Center, you can use the default Analysis custom tag. A WebInspect false positive is assigned the Analysis value Not an Issue in Software Security Center. To emulate the WebInspect behavior of hiding the issue from lists and counts, the issue is marked as Suppressed.

Note: If the selected value for Analysis has changed from Not an Issue or is missing, or if the Analysis list has been removed from your project version, then the false positive status of the issue is lost. The issue is marked as Suppressed.


Requesting Dynamic Scans


You can request WebInspect scans from Software Security Center if WebInspect is installed in your environment. To create a scan request for a project version:

1. Log on to Software Security Center.
2. Navigate to the Issues tab on the details page for the project version you want to have scanned.
3. From the Dynamic Scan Request list, select Create. The Dynamic Scan Request dialog box opens.


4. Provide values for the attributes listed in the following table.

Note: The following table does not list custom dynamic scan attributes that you or another Software Security Center administrator may have added to the system.

Dynamic Scan Attribute  Description

URL - URL of the site to scan
Site Login - Username required to log on to the site to scan
Site Passcode - Password to use to gain access to the site
Network Login - Username required for network authentication
Network Passcode - Password required for network authentication
Related Host Name(s) - Allowable hosts for the application to scan
Web Services Used - Comma-delimited list of web services used by the application to scan
Technologies Used - Comma-delimited list of technologies used by the site to scan. Examples: SSO, WebSphere, SharePoint, Flash, Silverlight, Catalog Site, Shopping Cart
Compliance Implications - Provide information about any potential compliance implications
Allowable Scan Times - Dates and times during which the tester can perform the scan. Example: From 17:00 h to 06:00 h, Monday through Friday, from 09/03/12 to 11/30/12

Note: The dynamic tester who handles the scan request on WebInspect may be interested in additional project version attributes, such as business risk and compliance implications. The tester can use existing web services methods to retrieve those attributes for a project version.

5. Click Submit. Software Security Center displays a message to verify that the request submission was successful. Next, the WebInspect tester who monitors and responds to scan requests runs the scan during the hours you specified, and then uploads the results to Software Security Center.

Viewing the Status of the Last Dynamic Scan Request


To view the current status of the last dynamic scan request submitted for a project version: 1. Navigate to the Issues tab on the details page for the project version for which you submitted a scan request.

2. From the Dynamic Scan Request list, select Last Scan Status.


Software Security Center displays the date and time the scan request was submitted, and request status information.

Dynamic Scan Request States


After you submit a dynamic scan request, the request enters the PENDING state. As soon as the tester starts the scan from WebInspect, the request enters the IN_PROGRESS state. After the WebInspect tester completes the scan, the scan request enters the COMPLETED state. As long as a dynamic scan request is pending, you can edit or cancel it. As soon as the scan is started, however, you can no longer edit or cancel it.

Editing and Cancelling Scan Requests


To edit a dynamic scan request, do the following:

Note: You can only edit scan requests that you have submitted.

1. Navigate to the Issues tab on the details page for the project version for which you have requested a dynamic scan.
2. From the Dynamic Scan Request list, select Edit. The Dynamic Scan Request dialog box opens.
3. Edit the values for the dynamic scan attributes, and then click Submit.

To cancel a pending dynamic scan request, do the following:

Note: You can only cancel scan requests that you have submitted.

1. Navigate to the Issues tab on the details page for the project version for which you have requested a dynamic scan.
2. From the Dynamic Scan Request list, select Cancel. Software Security Center prompts you to confirm that you want to cancel the last dynamic scan request.
3. Click Yes.


Mapping Scan Results to External Lists


HP Fortify distributes an external metadata document with Rulepacks that includes mappings from the HP Fortify categories to alternative categories (such as OWASP 2010, PCI 1.2, or CWE). Security leads can customize this mapping or create their own files to map HP Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations.

You can either modify the existing external metadata document (externalmetadata.xml), or create your own document (recommended). The existing mapping file is located in the \Core\config\ExternalMetadata directory of Audit Workbench. Use any XML editor to make your changes or create a new document. HP Fortify recommends that you save your new or modified document to the \Core\config\ExternalMetadata directory with a new name so that your changes are not lost during Rulepack updates. To validate your modified or new mapping, use the externalmetadata.xsd file, which is located in the Core\config\schemas directory.

To apply the modified or new external metadata document across all projects, you must first import it into Software Security Center. To import a new or modified external metadata document into Software Security Center:

1. Log on as Administrator, and then click the Administration tab.
2. In the Administration panel, under General, click Rulepacks.
3. In the Rulepacks panel on the right, click Import. The Import Rulepack dialog box opens.
4. Click Browse.
5. Navigate to and select your document, and then click Import.

After you change your mapping document and import it into Software Security Center, you might want to open the FPR file in Audit Workbench to see how the mapping works with the scan results.


Chapter 8: Software Security Center Reports


This chapter contains information about Software Security Center reports, including descriptions of the project reports you can create, as well as instructions on how to generate, import and export, and customize reports.

Generating and Viewing Reports


To generate and view a Software Security Center report:

1. Log on to Software Security Center and click the Reports tab. The Saved Reports panel opens on the left and displays any saved reports.
2. Click Generate. The Generate Report dialog box opens and lists available report types.
3. From the list of reports, select the type of report that you want to create. The right panel displays the configuration fields for the report type you selected.
4. Specify the required report settings, including the report name, output format, and project versions to include in the report. Depending on the report type, additional settings may be required or available.
5. Click Generate. Software Security Center adds the report to the Saved Reports list. After the report generation is completed, the Status field displays the value Processing Complete.
6. To view the report, select it from the reports list, and then click Download.
7. Save the report file.

The following sections provide more information about available Software Security Center report categories and types.

Chapter 8: Software Security Center Reports

102

About Software Security Center Reports


Table 14 summarizes the information that all Software Security Center report types contain.

Table 14: Overview of Software Security Center Reports

Software Security Center Report Name (table columns): Seven Pernicious Kingdoms; PCI Compliance, App. Sec.; OWASP 2004, 2007, 2010; Hierarchical Summary; Issue Trending; SSA Progress; SSA Project Summary; Security at a Glance; Key Perf. Indicators; Project Summary.

Report Section Headings (table rows):

Summary
Glossary
Seven Pernicious Kingdoms Defs.
Instance Details, as Appendix
Category Descriptions, as Appendix
Security Issues
Projects in the System
Project Type Details
Enterprise Summary
Vulnerabilities Per Line of Code
Projects By Technical Risk
OWASP Top 10 2004 Definition
OWASP Top 10 2007 Definition
Project Description
Security Findings Summary
Security Findings Details
Instance Details (as Appendix)
Category Descriptions (as Appendix)
Technical Risk (as High, Medium, Low)
Requirement State
Requirement Progress
Activity State by Requirement
Project State, as icons
Contributing Users
Requirement Template Details (as Appendix)
Top 5 Risky Projects
Project Count By Technical Risk
Most Frequent Issues by Category
Top 10 Category Comparison
Overall Project Security By Technical Risk
Project Versions, list of
Issues by Project
Issues by Project, High Priority
Issues by Project, Critical Exposure
Issue Details
Issues by OWASP Top 10 2004
Issues by OWASP Top 10 2007
Issues by Kingdom
Issues by HP Fortify Priority Order
Overview (Projects, Scans, Lines of Code, Files)
Project Summary by Dev. Strategy
Reference (concise summary)
Overview (Process / Project T-plates, activity)
Details
Activity Summary
Issue Trending
Issue Breakdown, by categories
Audited Issue Details
Suppressed Issues
Removed Issue Details
Dependencies
Vulnerability Categories
Requirement Progress
Requirement State
Activity State by Requirement
Project Version State
Contributing Users
Dependent Project Versions
Process Template Details

The following sections describe each type of report in greater detail.

About Software Security Center Issue Reports


The Issue report group summarizes the presence of specific categories of vulnerabilities in a single Software Security Center project version.

OWASP 2004, 2007, 2010 Reports


Use the OWASP 2004, 2007, 2010 Reports to summarize the Top Ten OWASP issues for a single Software Security Center project version.

PCI Compliance: Application Security Report


Use the PCI Compliance: Application Security Report to provide detailed information about the completion status of the security requirements issues for a single Software Security Center project version.


Penetration Testing Correlation


Use the Penetration Testing Correlation Report to correlate results from third-party penetration testing tools with issues detected by PTA, Runtime Application Protection, and SCA for a single Software Security Center project version.

Seven Pernicious Kingdoms Report


Use the Seven Pernicious Kingdoms Report to summarize the presence of several HP Fortify-defined issues for a single Software Security Center project version.

Understanding Software Security Center Portfolio Reports


The Portfolio report group contains reports that enable you to compare issues trends and indicators across multiple Software Security Center project versions.

Hierarchical Summary Report


Use the Hierarchical Summary report to create a three-level summarization of the selected project versions as:

Overview statistics for all projects
A selected project attribute
Projects grouped by project owner

You can choose to exclude the project summary and owner details categories from the report.

Hierarchical Trending Report


Use the Hierarchical Trending report to create an historical summary of issues by:

Software Security Center project version
Issue categorization (HP Fortify Priority Order, Kingdom, or OWASP 2004 or 2007)

Issue Trending Report


Use the Issue Trending report to create an historical summary of issues by:

Software Security Center project version
Issue categorization (HP Fortify Priority Order, Kingdom, or OWASP 2004 or 2007)

Key Performance Indicators Report


Use the Key Performance Indicators report to summarize the current state and progress by project type. The Key Performance Indicators report permits indicators to be grouped by project type or other cross-project categories.

Security at a Glance Report


Use the Security at a Glance report to produce a high-level overview of the potential security risk and current security findings across the top five Software Security Center project versions.


About HP Fortify Software Security Center Project Reports


The project report group contains reports that enable you to summarize the following user-selectable categories of information for a single Software Security Center project version:

OWASP 2007 Top Ten
PCI DSS 1.2
Common Weakness Enumeration (CWE)
Web Application Security Consortium (WASC) 24
Department of Defense - Security Technical Implementation Guides (DOD STIG) 2ri
Audited issues details as a report appendix
Suppressed issues summary as a report appendix
Removed issues details as a report appendix
High-level summary of dependent projects as a report appendix
Descriptions of all pertinent vulnerability categories as a report appendix

Overview of the Project Summary Report


The project report group contains reports that enable you to summarize all aspects of a single Software Security Center project version.

About Software Security Center SSA Portfolio Reports


The SSA Portfolio report group contains one report that enables you to summarize the completion of Secure Software Assurance requirements and activities across one or more Software Security Center project versions.

About the SSA Progress Report


Use the SSA Progress report to summarize the Secure Software state of one or more projects' requirements and activities.

About Software Security Center SSA Project Reports


The SSA Project report group contains one report that enables you to summarize the completion of Secure Software Assurance requirements and activities across one or more Software Security Center project versions.

About the SSA Project Summary Report


Use the SSA Project Summary report to summarize the Secure Software state of one or more projects' requirements and activities.


About BIRT Reports in Software Security Center


Software Security Center reports are based on the Business Intelligence and Reporting Technology (BIRT) system. BIRT is an open source reporting system based on Eclipse. For information about BIRT, see the following page on the Eclipse website:
http://www.eclipse.org/birt/phoenix/intro

About BIRT Libraries


BIRT libraries encapsulate commonly required functions and report items. These libraries can then be imported into any number of BIRT reports for reuse. In addition, the concept of libraries helps segment report development tasks, as opposed to requiring a single report developer to create all components for each report.

Note: Before you use the BIRT report libraries, you must acquire the BIRT Report Designer. For instructions, see Acquiring the BIRT Report Designer on page 109.

Reports that reference libraries are automatically updated when the report is executed. This is useful in cases where business or technical changes would otherwise require report rework. For example, if a library component such as a corporate logo is used in a large number of report designs, then a change to the logo would only require a change to the library. All referencing reports would reflect the change automatically.

To add resources to a report library:

1. Log on to Software Security Center and then click the Reports tab.
2. Click Report Libraries.
3. Click Add. The Create Report Library dialog box opens.
4. Click Browse, and then navigate to and select the report library resource.
5. (Optional) Type a resource description.
6. Click Save.

The Download All link creates a zip file of multiple library resources on your local machine.

About BIRT Report Customization


Customizing BIRT reports is not a beginner-level activity. Customizing Software Security Center reports requires an understanding of database operation and design, SQL syntax, and report design. To customize a Software Security Center BIRT report, do the following:

1. Acquire the Eclipse BIRT Report Designer version 2.6.2 (Report Designer). Other versions of BIRT Report Designer, including newer versions, are not compatible with Software Security Center reports. For information about downloading Eclipse BIRT Report Designer version 2.6.2, see Acquiring the BIRT Report Designer.
2. Load a Software Security Center report definition into Report Designer. You typically first export a report definition from Software Security Center, and then upload that report definition into Report Designer. For information about exporting a Software Security Center report definition, see Exporting Report Definitions from Software Security Center on page 109.
3. Connect Report Designer to a running instance of the Software Security Center database. Connecting Report Designer to the Software Security Center database enables you to load and verify the database queries you add to a BIRT report.
4. Use the Report Designer to add report design elements to the report definition, and add database queries to those design elements.
5. Use a local instance of Software Security Center to test the operation of a customized BIRT report.
6. Import the customized report definition into Software Security Center. For information about importing report definitions into Software Security Center, see Importing Report Definitions into Software Security Center on page 109.

Acquiring the BIRT Report Designer


To customize Software Security Center reports, you must use Eclipse BIRT Report Designer version 2.6.2 (Report Designer). Other versions of BIRT Report Designer are not compatible with Software Security Center reports. To download the Report Designer:

1. Open a web browser window and go to the following downloads page:
http://download.eclipse.org/birt/downloads/index2.6.2.php
2. Download the Report Designer Full Eclipse Install for your operating system.

Exporting Report Definitions from Software Security Center


Perform the procedure in this section to export an existing Software Security Center report definition. To export a Software Security Center report definition:

1. Click Reports.
2. Click Report Definitions. Software Security Center displays the Report Definitions page, which lists all defined reports.
3. To export a report definition:
   a. On the Report Definitions page, select a report definition. In the right-side details panel, Software Security Center displays details about the selected report. The details include a link to the selected report's definition (rptdesign filename extension).
   b. In the right-side report details panel, click the selected report's download link to export the report's definition file. Software Security Center exports the report to the selected location.

Importing Report Definitions into Software Security Center


Software Security Center reports are based on the open-source Business Intelligence and Reporting Tools (BIRT) system. BIRT enables you to import report definition files into Software Security Center. To complete the procedure in this section, you will need a Software Security Center BIRT definition (with the rptdesign filename extension). To create a Software Security Center report definition:

1. Click Reports.
2. Click Report Definitions. Software Security Center displays the Report Definitions page.
3. Click Add. Software Security Center displays the Create Report Definition panel.
4. Configure the new report definition as follows:
   Type or choose the Name, Description, Report Engine, and Category settings.
   In the Template area, browse to the Software Security Center BIRT definition (with the rptdesign filename extension).
   In the Parameters area, click Add. Type or choose the Name, Description, Identifier, and Data Type settings that correspond to those values in the BIRT template you are uploading.
5. Add one or more optional parameters to the new Software Security Center report definition.
6. To add the new report definition to the list of definitions, click Save.


Appendix: Authorization Tokens


About Authorization Tokens
Authorization tokens are unique keys that enable users to automate actions within Software Security Center without using passwords. The user requests a token, authenticates to the Software Security Center, and receives back a string that is permissioned for a small set of time-limited actions. For example, the AnalysisUploadToken token does not allow the user to log on to the interface or view results. Common actions include uploading scan results and downloading reports. To generate a token, execute the following HP Fortify Static Code Analyzer command:
fortifyclient token -gettoken <TOKEN_NAME> -url SSC_URL -user USERNAME -password

Table 15 lists the TOKEN_NAME options available.


Table 15: TOKEN_NAME Options

Option  Description

AnalysisUploadToken - Upload scan results to Software Security Center and list projects
AuditToken - Load details about current security issues and apply analysis tags
AnalysisDownloadToken - Download merged result files

Authorization tokens are defined at runtime within WEB-INF/internal/serviceContext.xml.

Advanced Authorization Tokens


Advanced administrators can customize authorization tokens to extend the maximum token lifetime (set it and forget it) or create new tokens that work with Software Security Center's remoting API (integrating between two systems). Modifying maxDaysToLive affects only newly created tokens.

Appendix: Authorization Tokens

111
