HPE Product Overview and Workflow


Transcript of HPE Product Overview and Workflow

Page 1: HPE Product Overview and Workflow

HPE Product Overview and Workflow

Table of Contents

AppSec with HPE Fortify SCA .......................................................................................................... 2

Agenda ............................................................................................................................................ 3

HPE Security Fortify Application Security Solutions ....................................................................... 5

HPE Fortify Suite ............................................................................................................................. 6

HPE Fortify SCA and Applications ................................................................................................... 9

Support.......................................................................................................................................... 11

User Community ........................................................................................................................... 12

Static Software Scanning Process ................................................................................................. 13

Static Analysis Program (Use Case #1) .......................................................................................... 16

Static Analysis Program (Use Case #3) .......................................................................................... 17

Page 1 of 18


AppSec with HPE Fortify SCA

James Rabon, Fortify Services, [email protected], +1 334 730 5337

HPE Fortify SCA Training

**001 James Rabon: Welcome to Application Security with HPE Fortify SCA. That stands for Static Code Analyzer. My name is James Rabon. Everybody calls me Jimmy, and I run the Fortify Professional Services team. We do both long-term and short-term application security engagements.


Agenda

© Copyright 2015 HPE Development Company, L.P. The information contained herein is subject to change without notice. HPE Sales Compensation Operations Policy and legal disclaimer apply. HPE Confidential.


• HPE Fortify Product Overview and Workflow
• HPE Fortify Static Code Analyzer Suite Overview
• Using HPE Fortify Static Code Analyzer Suite
  – Sourceanalyzer
  – AuditWorkBench
  – Secure Coding Plugins
  – Software Security Center

**002 So, the agenda for today. I thought I'd start with a quick Fortify product overview. So there's really a process behind integrating static analysis into the development process, much more so, probably, than WebInspect, which is primarily a testing tool that's later in the software development lifecycle. As you'll see in the workflow examples, Fortify can be used much earlier in the software development lifecycle by both developers and security professionals. We'll go through a detailed dive of the Static Code Analyzer suite and all the tools that come with that, including Source Analyzer, Audit Workbench, the secure coding plugins, which include plugins for popular integrated development environments, like Eclipse or Visual Studio, Android Studio, IntelliJ, and Software Security Center, which is the web application that consumes all of these scanned files and provides an aggregation and a place to do enterprise-wide reporting as well as governance, and I'll show you that as well. And we'll be very hands-on. We're going to pop back and forth from the slides to show you the tool, and please ask any questions as we go along.


HPE Security Fortify Application Security Solutions

On premise and on demand

Slide diagram (Fortify application security solutions), recovered labels:

• Static Analysis – SCA: Source Code Mgt. System; Static Analysis via Build Integration
• Dynamic Analysis – WebInspect: Dynamic Testing in QA or Production
• Application Protection – App Defender: Real-time Protection of Running Application
• Vulnerability Management: Normalization (Scoring, Guidance); Vulnerability Database; Correlation (Static, Dynamic, Runtime); Threat Intelligence Rules Management
• Remediation: IDE Plug-ins (Eclipse, Visual Studio, etc.); Developers (onshore or offshore); Correlate Target Vulnerabilities with Common Guidance and Scoring
• Application Lifecycle: Development, Project and Management Stakeholders; Defects, Metrics and KPIs Used to Measure Risk
• Software Security Center / Fortify on Demand
• Hackers & Actual Attacks

**003 So here's the overall tool suite that you saw earlier. I'm not going to go through all of this because we saw it before, but we are focused on the top left with the static analysis suite. So we are dealing with source code. Down there in the middle is the Vulnerability Management. That's where Software Security Center fits. So Static Code Analyzer does all the scanning, the Software Security Center does the consuming of those results and provides a centralized portal where you can access the results and run reports, as well as the IDE plugins that I mentioned here, which would allow a developer to use our static analysis tool inside of their IDE, which is very important, because when you're looking at software vulnerabilities, they're going to have to fix those issues in code, so we might as well show them the vulnerabilities where they will have to fix. So most developers who use our product, when they think of Fortify, they think of the IDE plugins, and we'll go through all of those in depth.

HPE Fortify Suite


Threat Intelligence
– Knowledge of Secure Software

Vulnerability Identification
– Static Code Analyzer (SCA)
– WebInspect
– Application Defender

Remediation
– Audit Workbench – Standalone or Collaborative
– IDE Plugins for Visual Studio, Eclipse, … – Standalone or Collaborative
– Web Interface – accessing SSC

Governance
– Software Security Center (SSC)

**004 So the Fortify suite is all about threat intelligence. So we want to have knowledge of secure software. We want to find vulnerabilities-- that's the Static Code Analyzer in development. WebInspect would be in the test/QA phase of the software development lifecycle. Application Defender, which we're not covering, would be in production. Remediation-- right? So the fixing of those vulnerabilities, we would use a tool called Audit Workbench that we'll take you through. That is a graphical user interface that Fortify provides you that allows you to either run an SCA scan or view results locally on your desktop. For any security professional who uses Fortify, they would typically use Audit Workbench, and we'll show you guys how to use that tool. The IDE plugins can also be used for remediation. Myself, as a developer, I often prefer to audit code in the secure coding plugin because of all the additional features an integrated development environment gives you in terms of being able to explore code and triage complicated static analysis findings. You'll find kind of-- when you're comparing the difference between dynamic and static-- that static, being a white box test, there's a lot more findings, and they require more skill to triage those findings and assign a priority. So it is a noisier scan. There is going to be more to suppress, but it is much more in depth and nothing is left out. We don't have to crawl a website, we don't have to discover it, we don't have to see a response come back. We build an entire model of your source code and so we know everything about the application. Governance would be handled in Software Security Center. That's keeping track of project milestones, allowing people to log in and view their results, as well as serving as a place to merge all of these scans. And over the life of a project, you're going to see 10, 20, 30, 40, 50 different scan files generated over the life of a software development project. Those need to be merged, and the audit comments and triage that you've done before need to be remembered, and we do that through Software Security Center. And that's for all software, whether it's outsourced, open source, commercial off-the-shelf, developed in house-- all types of software. The only requirement to use the Fortify SCA suite is that we have source code. We're not scanning compiled binaries. We need source code. So if you're familiar with Java, we need .java files, not .class files. Right? We're not going to be decompiling your binaries; we are going to be building a model from source along with the libraries or dependencies that you provide.


HPE Fortify SCA and Applications

What's Installed?

• Static Code Analyzer (SCA): Analyzes the source code
• Audit Workbench (AWB): Visual interface for analysis of software vulnerabilities
• IDE Plugins: Integrated analysis of software vulnerabilities into IDEs
• Scan Wizard: Uses the information you provide to create a script that translates and analyzes source code using SCA
• Custom Rules Editor: Used to simplify the process of creating custom rules

**005 So let's look through Fortify SCA and the applications that it includes. At the root of all this is the Static Code Analyzer. It lives in the bin directory where Fortify is installed. It's called Source Analyzer. It does all of the scanning. Regardless of whatever GUI tool you use to kick off a scan, in the background, Static Code Analyzer or Source Analyzer is running. That's what does the scan. Audit Workbench is the graphical user interface for looking at results, or kicking off a Static Code Analyzer scan. You'll see that Audit Workbench is kind of like the autofocus camera of scanning source code. You can point it at a folder of source code and libraries and it will attempt to generate a static analysis scan for you. There are many ways to generate a static analysis scan, because the idea is to integrate it into the software build of a regularly developed application. So Audit Workbench is a great way of scanning an application once, but if you're building static analysis into the software development lifecycle, we would probably want to integrate that into the build process of the software, and I'll show you an example of how we do that. The IDE plugins are basically Audit Workbench but for Eclipse and Visual Studio-- I'll show you those-- but they have almost the exact same functionality as Audit Workbench. You do have to provide your own IDE. So in order to use the IDE plugin, you have to download Eclipse, or you have to buy Visual Studio from Microsoft. The Scan Wizard is a utility that will help you create a script that would enable you to automate a static analysis scan. I'm going to show you the building blocks of how to generate a static analysis scan, but the Scan Wizard utility will allow you to point at a folder of source code and it will automatically generate either a Windows or a Linux shell script to allow you to automate the scan. I typically use it kind of as a learning tool. I personally would rather create a lighter-weight script to automate the build and scan, but Scan Wizard, if you don't know all of our command-line interfaces, is a great first tool to use and see how we're actually automating the scan. And the Custom Rules Editor is a utility which we use to create custom static analysis rules, and we'll talk about the rules more in depth later. Custom rules are a little outside of the scope of what we can cover in two hours, but we'll touch on them, what they're used for and how you would go about writing them.

Support


– E-Mail (Preferred Method): Send an e-mail to [email protected] describing your issue. Be sure to include the product name. A customer support representative will contact you.

– Telephone: Call our automated case processing service at (650) 735-2215. Please clearly provide your product name and phone number, along with a brief description of your problem. A customer support representative will contact you.

– Online: Access your account at the HPE Fortify Support Portal (https://support.fortify.com). If you do not yet have an account, have forgotten your username, or need any assistance regarding your account information, please contact us at [email protected] or (650) 735-2215.

– Three things to remember: Email: [email protected]; Telephone: (650) 735-2215; Online: https://support.fortify.com

– Supplemental Document: HPE-Fortify-Support-Playbook.pdf

Details about communicating with HPE Fortify Technical Support

**006 And these are a few informational slides I threw in there so we can have them. These are ways in which to contact our technical support team.

User Community


Protect724: Good resource for HPE Fortify information.

http://www.protect724.hpe.com

You will see posts from HPE Fortify about things such as announcements when new versions of the tools are released and when new security content is released.

**007 Our user community.


Static Software Scanning Process


**008 Okay. So let's look at a typical recommended static analysis scanning process. So you have a code repository in the top, and at some point-- in any kind of software development program, they are going to check code out of that code repository in order to compile it. So when that compilation happens on the build server, that's where we want to do our SCA scan. Why do you think we want to do it on the build server as opposed to relying upon a scan in the IDE or something else?

Student: It can be built faster, I guess.

James Rabon: And everything's there. So think about the modern-day web applications and embedded systems. These are very complicated pieces of software. You have multiple developers working on one project, and oftentimes teams of developers who only work on one part of the software. They may work on the user interface but they don't work on the backend. Or they may work on the database tier but they don't work on the business logic tier. So by getting in at the build server, we know the entire application. Because in order to deploy it, they have to compile the whole project. So when I'm building a static analysis scan into any program, I want to understand how they compile that project. If I can understand that, then I can recommend where we can get one complete scan and automate that so they can run that scan whenever they'd like. Once we run the scan on the build server, we would upload the results to Software Security Center, which I'll show you. So we're going to move a Fortify project report scan file to Software Security Center at this point, and we're going to notify the auditor, or the person in information assurance or a lead developer, that there are new results to be reviewed, and then because we put the issues in the Software Security Center, we have the ability to move all those defects to a bug-tracking solution, if they have one, or we can have them manually log into Software Security Center to view the results, and at that point the developers can either go to their bug-tracking solution to find their issues, or they could download the scan file directly from Software Security Center and open it up in their IDE plugin. They're going to have to scan and fix, scan and fix. So even while we're doing a scan here on the build server, the developers also have the IDE plugin, and the reason why they have it, so they could view the results in their IDE, but also so when you make a change to a piece of code, you want to see if what you did actually fixed it, and there's no guarantee that the entire application will be built and this whole process will repeat while you're immediately fixing those issues. So being able to scan the code in a microcosm on your own IDE is a really effective way to run through system defects. The goal is to just create something that is repeatable and takes the burden off of the software developer and allows them to focus on audited issues that they can fix. If you can implement this, you can use static analysis effectively early in the development lifecycle all through the lifecycle of the software.


Static Analysis Program (Use Case #1)

**009 So here's an example of one of my actual static analysis programs I assisted in setting up. Number one, they have a source code management system. Number two-- how many of you are familiar with continuous integration? So in terms of CI systems, have you guys heard of Jenkins or these types of products? The whole goal is to continuously build software. We have a Jenkins plugin that makes it very easy to add a Fortify scan to a software build. So they had a large Jenkins instance that had 50 applications. So I said, "Okay, that's great. We can install the Fortify plugin there, and now we have access to scan any of their 50 applications whenever we choose from the Jenkins console."

James Rabon: Once we generate the scan, we move it to Software Security Center. We send out a critical alert to the application security team to triage or audit those issues, and then we move the issues down to the developer in the IDE.

Static Analysis Program (Use Case #3)

Slide diagram (Use Case #3), recovered labels:

• Developer
• Source Code Mgmt System
• CI / Automated Build / Fortify Scan / Upload
• HP Fortify Software Security Center
• Application Security Team: Triage Baseline Scan; Issue Prioritization; Audit Filters Created
• HP Fortify SCA IDE Plug-in: Repair MY Issues
• Place secure code in SCM; Build, Scan; Code
• Fortify Project Report; Baseline Audited Scan
• Fortify Plugin for Developers
• Internal or Network Accessible Build Servers
• External Software Factories: Source Code, Libraries
• Internal Scan Servers: Fortify Scan

Notes:
1) Applications need to compile
2) Build System Access Required for Automation
3) Source Code and Libraries can be delivered in VMs (preferred)
4) App Sec SME audits baseline application
5) Filters created in project templates to be applied for future audits (applied by SSC)
6) App Sec Team audits future scans as per policy but the dev team continues to scan in between

**010 Use case number three is similar, except for it has one twist, which is often the case in the federal world or Department of Defense world, and I wanted to bring it to your attention. Can anybody spot the difference between the use case we just showed you and this use case? It's almost identical.

Student: I'm not sure it has internal--

James Rabon: Yeah, external software factories are the difference between this one and the other one. So we're still doing the scan at the continuous integration layer there where the build servers are, but look at those external software factories. Think of federal or system integrators who develop software for you that may be outside of your network. We had to come up with a process for them to move source code from their external network into our internal network and run the scan outside of the build process. So we created both an internal scanning process and an external software development factory process so that we could scan all code throughout their enterprise. This is pretty much the most common method for static analysis programs in the federal government that I've seen, because you have multiple contractors with multiple networks that may or may not be on the same network where we can install Software Security Center.
