hp fortify process designer user guide 3.70
DESCRIPTION
HP Fortify Process Designer User Guide 3.70TRANSCRIPT
HP Fortify Software Security CenterSoftware Version 3.70
HP Fortify Software Security Center Process Designer User Guide
Document Release Date: November 2012Software Release Date: November 2012
Legal Notices
WarrantyThe only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.The information contained herein is subject to change without notice.Restricted Rights LegendConfidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.Copyright Notice© Copyright 2012 Hewlett-Packard Development Company, L.P.Documentation UpdatesThe title page of this document contains the following identifying information:• Software version number
• Document release date, which changes each time the document is updated
• Software release date, which indicates the release date of this version of the softwareTo check for recent updates or to verify that you are using the most recent edition of a document, go to:http://h20230.www2.hp.com/selfsolve/manualsThis site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:http://h20229.www2.hp.com/passport-registration.htmlYou will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.Part Number: 1-1b3-2012-11-370-01
HP Fortify Software Security Center Process Designer User Guide iii
ContentsPreface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viContacting HP Fortify. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viTechnical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viCorporate Headquarters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viWebsite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viAbout the Software Security Center Documentation Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viChapter 1: Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Typographic Conventions Used in This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Chapter 2: Getting Started with Software Security Center Process Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . 9About This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Starting Process Designer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Process Designer Account Permission Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Permissions for Template Assignment Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Configuring the Connection to Software Security Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Creating and Editing Software Security Center Process Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Downloading Software Security Center Process Templates from Software Security Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Loading a Process Template from Disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Committing and Saving Edited Process Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Committing a Process Template to Software Security Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Saving Process Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Process Template Display Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Changing the Display Name of a Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Customizing the Process Designer View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Restoring the Default Process Designer View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Basic Software Security Center Process Designer Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Summary of Requirements and Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Demonstration Work Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Chapter 3: Customizing Software Security Center Process Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26About This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Overview of Customizing a New Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Using Global Design Elements in New Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Choosing a Baseline Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Process Template Assessment Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Selecting a Baseline Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Global Design Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
HP Fortify Software Security Center Process Designer User Guide iv
Managing Global Design Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Synchronizing Global Design Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Process Template Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Defining New Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Process Template Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Process Template Activity Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Time Lapse Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Creating a Time Lapse Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Document Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Constructing Document Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Creating a Document Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Creating a Document Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Project State Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Overview of Constructing a Project State Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Software Security Center Equation Variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Creating an Equation Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Creating Performance Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Creating a Project State Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Adding an Activity to a Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Creating and Managing Sign-Off Personas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Default Personas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Creating a Persona . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Adding a Persona to a Requirement or Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Default Work Owners. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Adding a Default Work Owner to a Requirement or Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Software Security Center Project Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Assigning a Project Template to a Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Chapter 4: Working with Software Security Center Template Assignment Policies . . . . . . . . . . . . . . . . . . . . 43About This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Overview of the Software Security Center Center Template Assignment Policy Operation . . . . . . . . . . . . . . 43Getting Started with Software Security Center Template Assignment Policy Editor. . . . . . . . . . . . . . . . . . . . . 43Downloading Software Security Center Template Assignment Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Uploading Edited Template Assignment Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Saving Software Security Center Template Assignment Policies to Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Working With Template Assignment Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Overview of Template Assignment Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Overview of Assignment Rule Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Overview of Constructing Template Assignment Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45An Example Software Security Center Template Assignment Policy Editing Session . . . . . . . . . . . . . . . . . . . . 46Overview of Example Editing Session Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
HP Fortify Software Security Center Process Designer User Guide v
Creating a New Template Assignment Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Specifying a Policy’s Assignment Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Raising or Lowering the Runtime Order of a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Removing a Software Security CenterTemplate Assignment Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
HP Fortify Software Security Center Process Designer User Guide vi
Preface
Contacting HP FortifyIf you have questions or comments about any part of this guide, contact one of the HP Fortify resources listed in this section.Technical [email protected] HeadquartersMoffett Towers 1140 Enterprise Way Sunnyvale, CA [email protected]://www.hpenterprisesecurity.com
About the Software Security Center Documentation SetThe HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. It also includes technical notes and release notes that describe new features, known issues, and last-minute updates. The latest versions of these documents are available on the HP Software Product Manuals site:http://h20230.www2.hp.com/selfsolve/manuals
HP Fortify Software Security Center Process Designer User Guide 7
Chapter 1: IntroductionThis document contains information about how to use Process Designer to create and edit process templates for your HP Fortify Software Security Center projects.Note: Process Designer is installed by default during HP Fortify Source Code Analyzer installation. To use it, you need only configure the connection to Software Security Center.Typographic Conventions Used in This DocumentThis document contains three categories of typographic conventions:• Conventions used to describe graphical user interface (GUI) elements• Conventions used to describe command line syntax• Conventions used in samples of program code, configuration files, XML, SQL, and all other text-based examplesTable 1 lists the typographic conventions used in this document.Table 1: Typographic conventions used in this document
Convention Description On the File menu, click Open. In procedure steps, bold indicates items that appear in the user interface.expr, path • In command lines, italics indicate placeholders for information you supply. • In documentation, italic letters indicate terms that the document uses in specific ways, usually the first time a term occurs in a topic.• Italics also denote emphasis.ReadOnly, FileName In text and command lines, the use of bold and italic together indicates named arguments.[ expressionlist ]HP Fortify Real-Time Analyzer: Microsoft .NET Edition In command lines, square brackets contain optional choices.{ While | Until} In command lines, terms enclosed in braces and separate by a vertical bar indicate a choice between two or more items. You must choose one of the items unless all of the items are enclosed in square brackets.Dim rstCust As ADODB.Recordset In command lines, monospace font indicates code.Copy Code Sub StockSale() . . . End Sub
In code examples, a column of three periods indicates that part of an example has been omitted intentionally.
HP Fortify Software Security Center Process Designer User Guide 8
backslash \ In code examples, the backslash character is used to continue command examples that are too long to fit on a single line.For example:dd if=/dev/rdsk/c0t1d0s6 \
of=/dev/rst0 bs=10b count=10000In Unix-like systems, you can type command lines that contain the line continuation character:• As displayed (with a backslash) • On a single line without a backslashbraces { } In code examples, braces indicate required items:.DEFINE {macro1}ellipses … In code examples, ellipses indicate an arbitrary number of similar items:CHKVAL fieldname val1 val2 … valN
Table 1: Typographic conventions used in this document (Continued)
Convention Description
HP Fortify Software Security Center Installation and Configuration Guide 9
Chapter 2: Getting Started with Software Security Center Process Designer
About This ChapterUse this chapter to learn how to start the Process Designer, configure its connection to your Software Security Center instance, and then use Process Designer to work with Software Security Center process templates.This chapter contains the following topics:• Starting Process Designer• Configuring the Connection to Software Security Center• Creating and Editing Software Security Center Process Templates• Committing and Saving Edited Process Templates• Changing the Display Name of a Process Template• Customizing the Process Designer View• Basic Software Security Center Process Designer Workflow
HP Fortify Software Security Center Installation and Configuration Guide 10
Starting Process DesignerTo start Process Designer, do one of the following:• If you are running Process Designer on a UNIX-based system, open a command prompt, change to the <install_dir>/bin directory, and then run ProcessDesigner.• If you are running Process Designer on a Windows system, select Start → All Programs → HP Fortify Software → HP Fortify <Version_Number> → Process Designer.
Process Designer Account Permission RequirementsTo work with Software Security Center process templates from Process Designer, you must have a Software Security Center user account. Table 1 lists the Software Security Center account types and shows which of these have permission to download process templates from or upload templates to Software Security Center.
Permissions for Template Assignment PoliciesTo view and download template assignment policies in Template Assignment Policies (TAP), you must have the following permissions:• View project templates, process templates, and template assignment policies• View attribute definitionsTo upload assignment rules via TAP to Software Security Center you must have the following permissions:• Manage project templates, process templates, and template assignment policies• View attribute definitions
Table 2: Process template permissions for Software Security Center accounts
Software Security Center Account Type
Download Process Templates from Software Security Center
Upload Process Templates to Software Security CenterAdministrator X XSecurity Lead X XManager XDeveloper X
HP Fortify Software Security Center Installation and Configuration Guide 11
Configuring the Connection to Software Security CenterTo enable Process Designer to download working copies of Software Security Center process templates from a running instance of Software Security Center, you must specify the network location of that server instance.Note: To perform the procedure in this section, you must have the URL for a running instance of Software Security Center, and information about any proxy server used to connect to that server instance.To configure the connection between Process Designer and Software Security Center:1. In Process Designer, select Options → Options.The Options dialog box opens.
2. In the Server URL box, type the network location for your Software Security Center instance.3. In the Proxy Server and Port boxes, type any proxy information required to connect to your Software Security Center server.4. Click OK.
HP Fortify Software Security Center Installation and Configuration Guide 12
Creating and Editing Software Security Center Process TemplatesBefore you can use Process Designer edit a Software Security Center process template, you must download a working copy of that template. Process Designer can download copies of process templates from either a running instance of Software Security Center or from disk (as an FPD file).Downloading Software Security Center Process Templates from Software Security CenterThis section provides instructions on how to download a process template from Software Security Center.Note: To download a working copy of a process template from Software Security Center, you must have a user account for the Software Security Center instance associated with Process Designer (see Configuring the Connection to Software Security Center on page 11).Choosing to Create a New, or Edit an Existing, Process TemplateWhen you use Process Designer to download a working copy of a process template from Software Security Center, you can choose to do one of the following:• Edit the copy of the template under a new name (Create New).If you modify a working copy of a process template under a new name, when you upload that template to Software Security Center, the server leaves the original template unchanged.• Edit the copy of the template under its existing name (Edit Existing).If you modify a working copy of a process template under its existing name, when you upload that template to Software Security Center, the server overwrites the original template with the modified version.If you decide to edit a working copy of an existing process template from Software Security Center, and you then decide to instead create a new template with a different name, you can rename that working copy.Table 3 lists descriptions of all of the Software Security Center process templates. Table 3: Process templates available in Software Security Center
Template Name DescriptionCommercial Off the Shelf Prescribes the minimal risk mitigation activities for an external component that your organization cannot directly control. Use only for projects that have limited exposure to external systems and not for projects that interact with sensitive data or high-risk applications.Fortify Basic Template Prescribes the minimal risk mitigation activities for an application. Use only for projects that have limited exposure to external systems and not for projects that interact with sensitive data or high-risk applications.High Risk 3rd Party Development Prescribes the minimal risk mitigation activities for high-risk applications that your organization cannot directly control (for example, provider-supplied software, open source software, and so on). Use this template for an externally-developed application that is to be used with other high-risk applications or that is to interact with sensitive information. High Risk Active Development Prescribes risk mitigation activities for high-risk applications that have already undergone (or are well into) one production release. Use this for projects that, if compromised, would result in significant business exposure.High Risk New Development The most comprehensive prescription of risk mitigation activities for a high-risk application that is still in the project planning phase. Use this for projects that, if compromised, would result in significant business exposure.
HP Fortify Software Security Center Installation and Configuration Guide 13
Low Risk 3rd Party Development Prescribes the minimal risk mitigation activities for low-risk applications that your organization cannot directly control (for example, provider-supplied software, open-source software, commercial off-the-shelf software, and so on). Use only for projects that have minimum exposure to external systems and not for projects that interact with sensitive data or high-risk applications.Low Risk Active Development Prescribes risk mitigation activities for low-risk applications that have already undergone (or are well into) one production release. Use this for projects that have limited exposure to external systems. Do not use for projects that interact with sensitive data or high-risk applications.Low Risk New Development Prescribes the minimal risk mitigation activities for low risk applications that is still in the project planning phase. Use this for projects that have limited exposure to external systems. Do not use for projects (can't display the rest in the UI) that interact with sensitive data or high-risk applications.Open Source Prescribes the minimal risk mitigation activities for an externally-developed open-source component that your organization does not directly control. Use this for projects that have limited exposure to external systems. Do not use this for projects that interact with sensitive data or high-risk applications.PCI-DSS v2.0 Application Security Requirements Template Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. This template provides guidance on the application secretaryships activities that must be completed in order to comply with the PCI-DSS v2.0 standard as of June 2012.
Table 3: Process templates available in Software Security Center
Template Name Description
HP Fortify Software Security Center Installation and Configuration Guide 14
Creating Process Templates (Based on Existing Templates)To create a process template based on a working copy from Software Security Center:1. Log on to Process Designer, and then select Server → Create New Template.The Software Security Center Login dialog box opens.2. Enter your Software Security Center user name and password, and then click OK.Process Designer downloads the current set of process templates from Software Security Center.Note: If Process Designer displays an error message during the templates download, verify the Process Designer connection settings using the procedure in Configuring the Connection to Software Security Center on page 11.The Create Template dialog box opens and lists the available Software Security Center process templates.
Note: By default, the dialog box displays the message “2 errors detected.” After you specify the template name and select an existing process template to copy, Process Designer no longer displays this message.3. In the Template name box, type a name for the template.4. In the Template column, select a process template.5. Click OK.
HP Fortify Software Security Center Installation and Configuration Guide 15
Process Designer downloads the data for the process template you selected and displays it in a new <Template_Name> page.
For information about how to customize your Process Designer view, see Customizing the Process Designer View on page 21.6. To save the new process template, select File → Save, and then browse to the directory in which you want to save it.Process Designer saves the template as an FPD file (with the fpd file extension) in the specified directory.7. To close the process template, select File → Close.
HP Fortify Software Security Center Installation and Configuration Guide 16
Editing Software Security Center Process Templates To edit a working copy of a process template in Software Security Center:1. Log on to Process Designer, and then select Server → Edit Existing Template.The Software Security Center Login dialog box opens.2. Enter your Software Security Center user name and password, and then click OK.Process Designer downloads the current set of process templates from Software Security Center.Note: If Process Designer displays an error message during the templates download, verify the Process Designer connection settings using the procedure in Configuring the Connection to Software Security Center on page 11.The Edit Template dialog box lists all of the process templates in the Software Security Center system.
3. In the Template column, select the process template to edit.4. Click OK.
HP Fortify Software Security Center Installation and Configuration Guide 17
Process Designer downloads the data for the process template you selected and displays it on a new <Template_Name> page.
For information about how to customize your Process Designer view, see Customizing the Process Designer View on page 21.5. Make any necessary changes to the template.For information about what you can modify and how to modify it, see Chapter 3: Customizing Software Security Center Process Templates on page 26.6. To save the modified process template, select File → Save.Process Designer saves the template as an FPD file (with the fpd file extension) in the directory you specify.7. To close the template, select File → Close.
HP Fortify Software Security Center Installation and Configuration Guide 18
Loading a Process Template from DiskTo load a process template file into Process Designer:1. In Process Designer, select File → Open.The File Open dialog box opens.2. Browse to and select the process template file (with the fpd file extension) to open in Process Designer.Process Designer loads a working copy of the process template.Committing and Saving Edited Process TemplatesThis section provides information about how to commit process templates to Software Security Center and how the save your edited process templates.Committing a Process Template to Software Security CenterWhen you use Process Designer to commit a process template to Software Security Center, you upload the template from the active Process Designer page to the server.Because Software Security Center permits you to hide, but not delete, process templates, it is important that you carefully review each process template you modify for completeness and accuracy before you commit it to Software Security Center.If you try to commit a process template, and a process template with the same name already exists on Software Security Center, then you must either add the process template under a new name, or overwrite the existing instance of the process template.Committing Process Templates to Software Security CenterThe procedure in this section assumes that you have used Process Designer to modify a process template.To commit the edited process template currently displayed in Process Designer to Software Security Center:1. If more than one process template page is open, check to make sure that you have selected the page tab for the template you want to commit.2. Select Server → Commit Changes.If you try to commit a process template that has the same name as a template that already exists in Software Security Center, Process Designer displays a warning and prompts you to indicate whether you want to overwrite the existing template or commit your template as a new template.
If you choose to create a new process template, Process Designer prompts you to type a name for the new template instance. Process Designer uploads the process template to Software Security Center, which now displays the template name in its Process Templates list.
HP Fortify Software Security Center Installation and Configuration Guide 19
Viewing Committed Process Templates in Software Security CenterTo check the Process Templates list in Software Security Center for templates you have committed:1. Log on to Software Security Center, and then click the Administration tab.2. In the Process Management section of the Administration panel (on the left), click Process Templates.Software Security Center lists all of the committed process templates in the system in the right pane.Saving Process TemplatesProcess Designer enables you to save a process template to disk as a Fortify Process Designer file (FPD) file. This means that you can save copies of incompletely customized process templates that you or another team member can complete later.• Package completely customized process templates to share with other security teams or to archive.A process template’s FPD file name may or may not correspond to the display name for the process template, which HP Fortify products use to manage templates. For information about how to change the display name of a process template, see Changing the Display Name of a Process Template on page 20.Saving an FPD FileTo save an open process template as an FPD file:1. Process Designer saves the contents of the selected template. If you have more than one template open, verify that the one you want to save is selected.2. Save the process template either under its current name (select File → Save), or under a new name (select
File → Save As).If you use Save As to save an FPD file with a new name, Process Designer does not change the display name of the process template. For information about display names, see Process Template Display Names on page 20.
HP Fortify Software Security Center Installation and Configuration Guide 20
Process Template Display NamesProcess templates have a display name, which may or may not match the name of the corresponding FPD file that contains the template. HP Fortify products use display names to manage templates. For example, Process Designer lists template display names in its Create Template and Edit Template dialog boxes.To change the display name of a process template, you must use Process Designer. After you change a process template display name, Process Designer uploads the new display name to Software Security Center.Changing the Display Name of a Process TemplateTo rename a process template:1. From Process Designer, open the FPD or TAP file for the process template for which you want to specify a new display name.2. Select File → Rename.The Rename Template dialog box opens.
3. In the Template name box, type the new display name.Note: If you type a template name that already exists on Software Security Center, the Rename Template dialog box displays an error message.4. Click OK.
HP Fortify Software Security Center Installation and Configuration Guide 21
Customizing the Process Designer ViewThe default Process Designer view, which is shown in Figure 1, consists of an upper, requirements panel and a lower, global elements panel. The requirements panel displays the requirements and requirement details of the open process template, as well as the process template description, owner, assigned personas, and due date. The global elements panel displays several tabs that you can use to view and configure the global design elements of the process template. For information about the categories of global design elements, see Global Design Elements on page 31.Figure 1: Default Process Designer view
You can change the Process Designer view in the following ways:• To toggle between a horizontal (default) and a vertical orientation of fields in the upper panel use the Horizontal orientation ( ) and Vertical orientation ( ) buttons.• In the lower panel, drag a tab up to display it in its own panel.
HP Fortify Software Security Center Installation and Configuration Guide 22
Restoring the Default Process Designer ViewTo restore the default Process Designer view:1. Select View → Reset.Process Designer prompts you to confirm that you wan to restore the default view.2. Click OK.Basic Software Security Center Process Designer WorkflowThis section describes how Process Designer is typically used and provides an example exercise that takes you through the steps of the workflow that results in a new process template.Use this section to edit a temporary copy of a Software Security Center process template.The procedure in this section does not direct you to commit (upload) the edited template to Software Security Center. This enables you to perform the editing tasks without modifying an existing process template or adding the modified template to Software Security Center’s list of templates.Summary of Requirements and ActivitiesThe essential elements of a process template are its requirements and activities.• Requirements comprise the set of high-level objectives that a Software Security Analysis (SSA) project version must meet in order to achieve secure development.• Activities are the individual tasks that must be performed in order to fulfill the SSA project version’s requirements. Each requirement must have at least one associated activity.The demonstration workflow illustrates the creation and relationship of the requirements and activities process template design elements.
HP Fortify Software Security Center Installation and Configuration Guide 23
Demonstration Work FlowPerform the procedure in this section to demonstrate process template customization.The procedure in this section does not direct you to commit or save the modified template. This enables you to perform a demonstration customization without overwriting an existing process template or adding the modified template to Software Security Center’s list of templates.Before you BeginThe procedure in this section assumes that you have used the information in this chapter to:• Start Process Designer• Connect Process Designer to a running instance of Software Security Center• Familiarize yourself with the essential process template editing toolsTo perform a simple Process Designer customization workflow:1. Create a new process template. (See Creating Process Templates (Based on Existing Templates) on page 14.) Name the template “EXAMPLE High Risk 3rd Party Development” and select the High Risk 3rd Party Development template to base it on.
Note: Do not commit the template to Software Security Center. Committing a template adds the modified copy of the template you created for this demonstration to Software Security Center.
HP Fortify Software Security Center Installation and Configuration Guide 24
2. Add a new requirement to the working copy of the EXAMPLE High Risk 3rd Party Development Software Security Center process template.a. In the Requirements section, click Add.The Add Requirement dialog box opens.
Process Designer displays an error message next to the Name box to remind you to type a name for the new activity.b. In the Name box, type EXAMPLE REQUIREMENT.c. (Optional) From the Default Work Owner list, select the persona to which you want to assign responsibility for the requirement.d. From the Persona list, select the persona for the user who is to sign off on the completed requirement.e. In the Description box, type Example requirement.f. (Optional) In the Due Date box, specify the number of days or weeks after which the requirement must be signed off on, and then select Days or Weeks from the list on the right.g. Click OK.3. Create a new activity in the working copy of the EXAMPLE High Risk 3rd Party Development Software Security Center process template.a. In the global elements area (lower pane), select the Activities tab, and then click Add.The Add Activity dialog box opens.b. In the Name box, type EXAMPLE PROJECT STATE ACTIVITY.c. From the Type list, select Project State.For more information about activity types, see Process Template Activity Types on page 32.d. From the Default Work Owner list, select the persona to which you want to assign responsibility for the activity.e. From the Persona list, select the persona for the user who is to sign off on the completed activity.f. In the Description box, type Example project state activity.g. Click OK.Process Designer adds EXAMPLE PROJECT STATE ACTIVITY to the Activities list. To the right, in the activities detail area for the new activity, Process Designer displays a red x next to the Indicator list. The x reminds you that you must choose an indicator type.
HP Fortify Software Security Center Installation and Configuration Guide 25
h. From the Indicator list, select Total Issues.You can now add the new activity to the EXAMPLE REQUIREMENT requirement.4. In the Requirements list, select EXAMPLE REQUIREMENT.5. To the right of the Activities box, click Add.The Add Activity dialog box opens.
Because an activity can be used only once in a process template, Process Designer lists activities that have not been added to any other requirement in this process template.a. From the list of activities, select EXAMPLE PROJECT STATE ACTIVITY.b. Click OK.6. Delete EXAMPLE PROJECT STATE ACTIVITY.a. In the global elements area, select Abuse Case Creation.Process Designer does not enable the Remove button. Because global element definitions downloaded from Software Security Center exist outside of a process template, the activity cannot be deleted.b. Select EXAMPLE PROJECT STATE ACTIVITY.Process Designer enables the Remove button. Because global element definitions that have not been uploaded to Software Security Center exist only within the working copy of the process template being edited, the activity can be deleted.c. Click Remove.Process Designer deletes EXAMPLE PROJECT STATE ACTIVITY.7. Delete EXAMPLE REQUIREMENT.a. In the Requirements area, select Threat Model.b. Select EXAMPLE REQUIREMENT, and then click Remove.Process Designer removes EXAMPLE REQUIREMENT.8. Discard the High Risk 3rd Party Development template created for this demonstration.On the High Risk 3rd Party Development Edit tab, click the X to close the tab, and then click No to discard the modified template.
HP Fortify Software Security Center Process Designer User Guide 26
Chapter 3: Customizing Software Security Center Process Templates
About This ChapterThis chapter provides information about how to customize process templates. It begins with an overview and then presents a strategy for choosing a template to serve as the starting point for a new process template. Subsequent sections describe process template activities, which determine the tasks the project team must complete in order to fulfill the Secure Software Assurance (SSA) requirements for a project version. The final sections of this chapter describe how to create and manage the personas and work owners that you assign to requirements and their associated activities.This chapter covers the following topics:• Overview of Customizing a New Process Template• Using Global Design Elements in New Requirements• Choosing a Baseline Process Template• Global Design Elements• Process Template Requirements• Process Template Activities• Time Lapse Activities• Document Activities• Project State Activities• Adding an Activity to a Requirement• Creating and Managing Sign-Off Personas• Default Work Owners• Software Security Center Project Templates
HP Fortify Software Security Center Process Designer User Guide 27
Overview of Customizing a New Process TemplateA process template contains multiple template design elements. As a process template designer, you must have both a “top down” and a “bottom up” overview of template design elements. As you acquire more experience with process templates and Process Designer, you can develop your own refinements to template design.Using Global Design Elements in New RequirementsBefore you can add activities to a requirement, you must first determine whether the hierarchy of global design element definitions that the activity requires already exist. If the elements do not exist, you must define those global elements from the “bottom up.”Choosing a Baseline Process TemplateThis section presents an overview of process template assessment criteria and then provides guidance on how to select the process template on which to base a new template.Process Template Assessment CriteriaA process template contains a set of risk mitigation activities for a project. A process template’s activities define the complete set of tasks that must be performed in order to minimize the risks the project introduces.When you customize a project template, you use a given project version’s risk profile to determine that project’s risk mitigation activities. Table 4 lists the criteria you can use to determine a project version’s risk profile. Use these criteria to guide your selection of a baseline process template.Table 4: Template assessment criteria
Criteria Description
Data Sensitivity of the data processed by the applicationBusiness Risk Aggregate risk to the business, including, but not limited to, disruption of activity, property loss, and damage to reputationAccess Security risks presented by external entities’ malicious interactions with any portion of the applicationAccess can be broadly categorized as follows: • Human interactions via input devices• Network interactions with network systems of variable trustworthiness (external internet being least trustworthy and internal corporate network being the most trustworthy)• External program or application program interface (API) interactionsOrigin Source of program componentsIf an SSA project version incorporates any components provided by a third party, then use a process template that includes risk mitigation activities for outsourced components.
HP Fortify Software Security Center Process Designer User Guide 28
Selecting a Baseline Process TemplateWhen you use Process Designer to customize a process template, you begin by selecting a working copy of an existing process template to use as the baseline for a customized instance of that template. HP Fortify’s has designed a default set of process templates for the most common varieties of secure development objectives. Table 5 summarizes the key characteristics of these process templates.Table 5: Default process template set
Process Template Name SSA Project Version Characteristics
Third-Party Development: Low Risk, High Risk Defines risk mitigation activities for projects that contain at least one component supplied by an external third party operating under the control of the enterpriseData: • For projects that do not interact with sensitive data, select Low Risk.• For projects that interact with sensitive data, select High Risk.Business Risk: • For projects with low business risk, select Low Risk.• For projects with high business risk, select High Risk.Access: • For projects that do not interact with other high-risk, applications, select
Low Risk.• For projects that interact with other high-risk, applications, select High Risk.Origin:For either high or low risk, contains one or more components developed by third parties operating under the direction of the enterpriseActive Development:Low Risk, High Risk Defines risk mitigation activities for projects that have undergone at least one production releaseData:• For projects that do not interact with sensitive data, select Low Risk.• For projects that interact with sensitive data, select High Risk.Business Risk:• For projects with low business risk, select Low Risk.• For projects with high business risk, select High Risk.Access: • For projects that do not interact with other high-risk, applications, select
Low Risk.• For projects that interact with other high-risk, applications, select High Risk.Origin: For either high or low risk, contains no components developed by third parties
HP Fortify Software Security Center Process Designer User Guide 29
Commercial Off The Shelf Defines risk mitigation activities for projects that contain at least one component supplied by a third party operating outside the control of the enterpriseData:For projects that do not interact with sensitive dataBusiness Risk:Projects that present low riskAccess:Projects that do not interact with other high-risk applicationsOrigin:For either high or low risk, contains one or more components developed by third parties operating outside of the control of the enterpriseHP Fortify Basic Template Defines risk mitigation activities for projects that present only minimal riskData:For projects that do not interact with sensitive dataBusiness Risk:Projects that present low riskAccess:For projects that do not interact with other high-risk applicationsOrigin:Contains no components developed by third partiesNew Development: Low Risk, High Risk Defines risk mitigation activities for projects in the design phase, or that have yet to undergo a production releaseData: • For projects that do not interact with sensitive data, select Low Risk.• For projects that interact with sensitive data, select High Risk.Business Risk: • For projects with low business risk, select Low Risk.• For projects with high business risk, select High Risk.
Access:• For projects that do not interact with other high-risk, applications, select Low Risk.• For projects that interact with other high-risk, applications, select High Risk
Origin:Project does not contain any components developed by a third party
Table 5: Default process template set (Continued)
Process Template Name SSA Project Version Characteristics
HP Fortify Software Security Center Process Designer User Guide 30
Open Source Defines risk mitigation activities for projects developed by third parties operating outside the control of the enterpriseData: Project does not interact with sensitive data, choose Low Risk.Business Risk: • For projects with low business risk, select Low Risk.• For projects with high business risk, select High Risk.Access:Project does not interact with other high-risk applicationsOrigin:For either high or low risk, contains one or more components developed by third partiesPCI-DSS Application Security Requirements Defines risk mitigation activities for projects that must perform the activities specific to Payment Card Industry-Data Security Standard (PCI-DSS v2.0 standard as of June 2012)Data:For projects that interact with sensitive dataBusiness Risk:Specific to PCI-DSSAccess:For projects that interact with applications as defined by the applicable PCI-DSS standardsOrigin:Contains no components developed by third parties
Table 5: Default process template set (Continued)
Process Template Name SSA Project Version Characteristics
HP Fortify Software Security Center Process Designer User Guide 31
Global Design ElementsGlobal design elements form an essential part of all Software Security Center process templates and exist outside the boundaries of any given process template. Process Designer can access all the global elements defined in Software Security Center, regardless of which process template or templates you download to edit. Table 6 lists the six default global design elements represented in the global elements (lower) panel of the Process Designer view.
For a seventh type of global entity, “HP Fortify Software Security Center template assignment policies,” Process Designer provides a separate editing environment.Managing Global Design ElementsIf you add a new design element to a working copy of a process template, and do not use Commit to Server to upload the process template that contains that element to Software Security Center, then the design element exists only in Process Designer and is not global. Process Designer lists the names of these new elements in italic font. After you use Commit to Server to upload the process template that contains the new element, Software Security Center adds that element to its list of global design elements. The next time a Process Designer user downloads process templates from Software Security Center, the new element is listed on the Global Elements tab.Note: You can delete new design elements that have not been committed in Software Security Center. However, after a design element has become global, you cannot delete it.Synchronizing Global Design ElementsIf you use Process Designer to load an FPD file that contains a template, the template may not include the latest set of global design elements. To acquire the current set of global design elements, use Process Designer’s synchronization feature.To acquire the current set of global design elements:• After you open a process template in Process Designer, select Server → Synchronize.
Table 6: Global process template design elements
Global Design Element DescriptionActivities Tasks that must be performed to fulfill a process template requirementDocument definitions External process documents required to define a document activityPersonas Specify the default work owner and sign-off responsibilities for process template activities and requirementsFor information about work owners, see Default Work Owners on page 41.Performance indicators Performance indicators use formulas constructed from equation variables to provide project state activities a numeric or percentage metric for a specific aspect of a Secure Software Assurance project versionEquation variables Equation variables use formulas constructed from search strings and search targets to provide performance indicators with the formulas used to calculate a numeric or percentage metricProject templates Determine how HP Fortify products prioritize issues
HP Fortify Software Security Center Process Designer User Guide 32
Process Template RequirementsThe design of a process template begins with the template’s requirements and activities.Process template requirements:• Specify the set of high-level secure development objectives of a particular SSA project version.• Contain one or more activitiesTypically, most process template contain a similar set of requirements. It is the activities contained within those broadly similar requirements sets that determine the shape and texture of a given process template.Defining New RequirementsThe default set of Process Designer process template contain similar sets of requirements. The number and type of activities those requirements contain characterize a given type of process template.Before you create a new process template requirement, consider whether an existing requirement can simply be supplemented with one or more new activities. If you decide to create a new process template requirement, define the requirement in strategic terms. You can then populate that requirement with the activities necessary to coordinate your security team’s fulfillment of that strategic security objective.Process Template ActivitiesProcess template activities define the tasks the security team must perform to fulfill an SSA project version’s requirements. All other process template design elements serve to add management and collaboration capabilities to these activities.Process Template Activity TypesSoftware Security Center supports the three process template activity types listed in Table 7.
Time Lapse ActivitiesTime lapse activities reference a system-defined event that determines how often (in days) the activity must be performed.The two categories of system-defined time lapse activity events are:• Collaboration module (CM) audit events• Upload events for files from a particular HP Fortify client product, a source code upload, or the upload of some other type of external fileYou cannot use Process Designer or Software Security Center to create or modify time lapse activity events.
Table 7: Software Security Center activity types
Icon Type DescriptionTime Lapse Defines an operation, such as the upload of a measurement file, that must occur at certain times during the SSA project version’s lifecycleDocument References an external document that must be completed by one or more members of the SSA secure development teamProject State Specifies the value of a process template performance indicator
HP Fortify Software Security Center Process Designer User Guide 33
Creating a Time Lapse ActivityTo define a new time lapse activity:1. On the Activities tab in the global elements panel, click Add.The Add Activity dialog box opens.2. In the Name box, type the name for the new activity.3. From the Type list, select Time Lapse.4. (Optional) Provide a description of the activity.5. (Optional) Assign a default work owner.6. (Optional) In the Due Date box, specify the frequency (type the number of days or weeks) with which the activity is to be performed. 7. From the Sign Off Personas list, select one or more personas to be responsible for signing off on this activity.8. Click OK.Process Designer adds the new activity to the Activities list and displays the details of the activity on the right side of the Activities tab.9. On the Activities tab, in the Event Type list, select an event type.For more information about personas, see Creating and Managing Sign-Off Personas on page 40.For more information about default work owners, see Default Work Owners on page 41.For instructions on how to add an activity to a process template requirement, see Adding an Activity to a Requirement on page 39.Document ActivitiesA a document activity in a Software Security Center SSA project version references an external document that must be exported from Software Security Center for completion by one or more members of the project team. In Process Designer, you can choose to reference an existing document, or you can reference a placeholder for a document that the project team is to add to the activity sometime later in the project.Regardless of how the document activity references its external document, in Software Security Center the project team must access the document from a centrally accessible external location; Software Security Center does not provide version control or document management capabilities.After the project team has completed the external process document, the activity’s work owner imports the completed document back into the Software Security Center document activity. The sign-off persona or personas assigned to the activity then review the completed document, and either sign off on the document activity, or sign off on it with exception.Constructing Document ActivitiesAdding a document activity to a process template requirement requires that the template designer think from the “bottom up.” When you add a document activity to a requirement, you use Process Designer to select an existing document activity definition, or more specifically, a global activities definition of type document. A document activity, in turn, references a global document definition. A document definition references an external process document or document placeholder for the document that must be completed to fulfill the document activity.This means that before you can add a document activity to a requirement, you must determine whether the hierarchy of global design element definitions required by that activity already exist. If the elements do not exist, you must create those global element definitions before you add the activity to a requirement.
HP Fortify Software Security Center Process Designer User Guide 34
Creating a Document DefinitionProcess template document definitions reference an external an external process document or document placeholder. The referenced document must be completed to fulfill the document activity.Perform the procedure in this section to create a new global document definition.Understanding Document Location SpecifiersDocument definitions reference an external process document. • If the document already exists, you can choose to import the document from disk into the document definition or reference the document by its URL.• If the document does not yet exist, you can configure the document definition to provide a placeholder for an external document that is to be created and referenced later during the secure development lifecycle.Whenever possible, reference external documents by URL. Documents referenced by URL helps ensure that the project team accesses the current version of the process document from its shared network location.To create a new document definition:1. In the global elements panel, click the Document Definitions tab, and then click Add.The Add Document Definition dialog box opens.2. Specify the new document definition details:• In the Name box, type a name for the new document definition.• If the document referenced by this definition already exists, select either File or URL to specify whether the document is to be imported from disk or referenced by a URL.• (Optional) If the existing document referenced by this definition is to be imported from disk, click
Import, and then browse to and select the referenced file. If the document is to reference a URL, then type the URL in the text box.• (Optional) Type a description of the document.3. Click OK.Process Designer adds the new document definition to the list of definitions.Creating a Document ActivityTo define a new document activity:1. On the Activities tab in the global elements panel, click Add.The Add Activity dialog box opens.2. In the Name box, type a name for the new document activity3. Click OK.Process Designer adds the new document activity to the Activities list. To the right, Process Designer displays the details about the activity.4. On the Activities tab, from the Document Definition list, select a document definition.For information about how to create document definitions, see Creating a Document Definition on page 34.5. Assign an optional sign-off persona or default work owner to the new document activity.For more information about personas, see Creating and Managing Sign-Off Personas on page 40.For more information about default work owners, see Default Work Owners on page 41.6. To add the new document activity to a requirement, see Adding an Activity to a Requirement on page 39.
HP Fortify Software Security Center Process Designer User Guide 35
Project State ActivitiesProject State activities provide a way to quantify some aspect of an SSA project version’s completion status. The quantitative value of that activity can then be viewed in one or more Software Security Center summary displays and used to generate email alerts to one or more members of the project team.Overview of Constructing a Project State ActivityAdding a project state activity to a process template requirement requires the template designer to think “bottom up.”A Project State activity references a global Performance Indicator definition.The Performance Indicator in turn references a global Equation Variable definition. An Equation Variable returns either an integer or percentage measurement of some aspect of an SSA project version.When you add a project state activity to a requirement, you use Process Designer to select an existing project state activity definition, or more specifically, a global activities definition of type Project State.This means that before you can add a project state activity to a requirement, you will need to determine whether the hierarchy of global design element definitions required by that activity already exist. If the elements do not exist, you will need to create those global element definitions from the “bottom up” before adding the activity to a requirement.Software Security Center Equation VariablesThis section provides an overview of Software Security Center equation variables.Variable Syntactic ElementsSoftware Security Center variables have the following format:modifier:searchstring
Variable Search Strings
Table 8 lists the Software Security Center variable search strings.Table 8: Software Security Center variables, relational operators
Relational operator Description
Search String Searches for the specified search string without qualification"Search_String" Searches for an exact match of the term wrapped in quotation marks (" ")Regex Searches for values that match a Java-style regular expression delimited by slash marks (“/”)For example, /eas.+?/Number range Comma-separated pair of numbers that specifies the beginning and end of the number range• Use a left or right bracket (“[ ]”) to specify that the range includes the adjoining number• Use a left or right parentheses (“( )”) to specify that the range excludes (is greater than or less than) the adjoining numberFor example, (2,4] means greater than two, less than or equal to 4.! (not equal) Negate a statement with an exclamation character (“!”)For example, !file:Main.java returns all issues that are not in Main.java
HP Fortify Software Security Center Process Designer User Guide 36
Variable Search Targets
Table 9 lists some commonly used Software Security Center search-string targets.Table 9: Software Security Center variables, search-string targets
Search-string modifier Description
[issue age] Searches for the issue age, which is either removed, existing, or new<custom_tagname> Searches the specified custom tag analysis is the default name for Primary Custom Tag which searches the issue analysis field<metagroupings> Searches the issues metagrouping field. The default metagroups are:• [OWASP Top Ten 2004]• [OWASP Top Ten 2007]analyzer Searches the issues for the specified analyzerAnalysis Type Searches the issues for type of analysis (runtime, configuration, data flow)Any Attribute Searches the issue attributes using the specified stringaudience Searches the issues for the specified audienceaudited Searches the issues to find true if Primary Custom Tag is set and false if not setcategory (cat) Searches for the given category or substring of a categorycomments (comment, com) Searches in the comments entered on the issuecomment user Searches for issues with comments from user
confidence (con) Searches for issues with the specified confidence valuefile Searches for the file the issue is inHP Fortify Priority Order
High, Medium, and Low issues based on the combined values of HP Fortify SCA confidence and severityhistoryuser Searches the issues for a user name in the historykingdom Searches for all issues in the specified kingdommaxconf Searches for all issues with confidence up to and including the number specified as the search termminconf Searches for all issues with confidence lower than and including the number specified as the search termpackage Searches for issues in the specified packageprimary context Returns the issues containing the context of the sink nodeprimaryrule (rule) Searches for all issues related to the specified sink ruleseverity (sev) Searches for all issues with the specified severity ratingsink Returns the issues that have the specified string in the sink functionsource Returns the issues that have the specified string in the source function
HP Fortify Software Security Center Process Designer User Guide 37
Variable ExamplesSoftware Security Center search-string syntax is similar to that of the Google search engine. Table 10 illustrates some common Software Security Center variable search strings.
Creating an Equation VariableTo create an equation variable:1. In the global elements panel, click the Equation Variable tab, and then click Add.The Add Equation Variable dialog box opens.2. In the Name box, type a name for the variable.Note: The first character in the variable name must not be a numeric character (0-9 ). The rest of the name can consist of alphanumeric characters and the underscore character.
source context Returns the issues containing the context of the source nodesourcefile Returns the issues containing the file the source node is in.status Searches the “status” of issues reviewed, not reviewed, or under reviewsuppressed Searches for issues that have been suppressedtaint Searches for issues that have the specified taint flag
Table 10: Software Security Center variables, common search strings
Search-string target Example search stringAll issues that contain cleanse as part of any modifier cleanse
Categories except for SQL Injection category:!SQL Injection injection
Filenames containing com/fortify/awb
file:"com/fortify/awb"
Paths that contain traces with cleanse as part of the name trace:cleanse
Paths that contain traces with mydbcode.sqlcleanse as part of the name trace:mydbcode.sqlcleanse
Privacy violations in filenames that contain jsp with getSSN() as a source. category:"privacy violation" source:getssn file:jsp
Suppressed vulnerabilities with asdf in the comments suppressed:true comments:asdf
Two (or more) queries use the same modifier to create a logical OR category:sql injection category:privacy violation(Category equals sql injection OR privacy violation)
Table 9: Software Security Center variables, search-string targets (Continued)
Search-string modifier Description
HP Fortify Software Security Center Process Designer User Guide 38
3. Click Advanced.The Search Query dialog box opens.
4. Define the equation variable, as follows:a. From the list on the left, select a modifier.b. From the center list, select an operator.c. In the box on the right, type a search string.d. Click OK.The Add Equation Variable dialog box opens. The Search string box displays the search string you specified.5. Click OK.Process Designer adds the new equation variable to the Equation Variables list and displays the details of the activity on the right side of the Activities tab.Creating Performance IndicatorsProject state activities define an equation constructed from global equation variable definitions. That equation returns an integer or percentage result about some aspect of project status. You can then use that status metric in Software Security Center Dashboard or project version displays, or to send an email alert to members of the project team.To create a performance indicator:1. In the global elements panel, click the Performance Indicator tab, and then click Add.The Add Performance Indicator dialog box opens.2. In the text box, type a name for the performance indicator.3. Click OK.Process Designer adds the new performance indicator to the Performance Indicators list and displays the details about the performance indicator on the right side of the tab. 4. In the Equation box, construct a valid equation using global equation variables.5. Click OK.
HP Fortify Software Security Center Process Designer User Guide 39
Creating a Project State ActivityTo define a new project state activity:1. In the global elements panel, click the Activities tab, and then click Add.The Add Activities dialog box opens.2. Specify the details for the activity as follows:a. In the Name box, type the name for the project state activity.b. In the Type list, choose Project State.c. (Optional) Type a description of the activity.d. (Optional) Assign a default work owner.e. (Optional) In the Due Date box, specify the frequency (type the number of days or weeks) with which the activity is to be performed. f. From the Sign Off Personas list, select one or more personas to be responsible for signing off on this activity.g. Click OK.Process Designer adds the new project state activity to the Activities list and displays its details to the right of the list.3. Select and configure the indicator for the project state activity as follows: a. From the Indicator list, select a performance indicator.For information about how to create performance indicators, see Creating Performance Indicators on page 38.b. From the list of operators, select an operator.c. In the text box to the right of the operators list, type a value that corresponds to the integer or percentage value returned by the selected performance indicator.For more information about personas, see Creating and Managing Sign-Off Personas on page 40.For more information about default work owners, see Default Work Owners on page 41.For instructions on how to add an activity to a requirement, see Adding an Activity to a Requirement on page 39.Adding an Activity to a RequirementThe procedure in this section describes how to add a new activity to an existing process template requirement.To add an activity to a process template requirement:1. In the requirements panel of Process Designer, from the Requirements list, select a requirement.The Activities box on the right lists the activities defined for the selected requirement.2. To add the new activity to the selected requirement:a. To the right of the Activities box, click Add.The Add Activity dialog box opens.b. From the list of activities, select an activity.c. Click OK.Process Designer adds the activity to the requirement.
HP Fortify Software Security Center Process Designer User Guide 40
Creating and Managing Sign-Off PersonasIn Software Security Center, one or more personas have sign-off responsibility for process template requirements and activities.Personas enable the process template designer to:• Assign sign-off responsibility for process template requirements and activities to organizational units or job titles (rather than Software Security Center user account privilege levels)• Require that more than one persona sign off a particular process template requirement or activity• Achieve a high level of accountability with regard to task assignments and completion• Efficiently manage changing personnel resources throughout a Software Security Center SSA project version’s complete development lifecycleFor more information about working with personas in Software Security Center, see the HP Fortify Software Security Center User Guide.
Default PersonasSoftware Security Center includes a default set of global persona definitions, which are listed in Table 11.
Creating a PersonaThe procedure in this section describes how to define a new persona. More specifically, the procedure describes how to create a new global activity definition of type Document.To define a new persona:1. In the global elements panel, click the Personas tab, and then click Add.The Add Persona Definition dialog box opens.2. Supply the persona details as follows:a. In the Name box, type a name for the persona.b. (Optional) Type a description of the persona.
Table 11: Software Security Center default personas
Default Persona Example responsibilitiesArchitect High-level design and system engineeringBusiness Risk Owner Sign off on the complete set of business and technological risks for the applicationDeveloper Design and implement code, scan that code for vulnerabilities, and address security issues contained in that codeOperations and Build Teams Deploy and maintain applications in production settings.Project Manager Ensure that all project milestones are enumerated and completedQA Testers Test and verify software throughout the secure development processSecurity Expert/Champion Define and ensure compliance with the SSA project version’s security strategy and deliverySupport Operations Internal and external customer support and technical operations support
HP Fortify Software Security Center Process Designer User Guide 41
c. Click OK.Process Designer adds the persona to the Personas list.For instructions on how to add a persona to a process template requirement or activity, see Adding a Persona to a Requirement or Activity.Adding a Persona to a Requirement or ActivityThe procedure in this section describes how to add a new persona to an existing process template requirement or activity.1. To add a persona to a requirement:a. From the Requirements list in the Requirements panel, select a requirement.b. On the right side of the Requirements panel, from the Requirement Sign Off Personas list, select one or more sign-off personas.2. To add a persona to an activity:a. On the Activities tab in the global elements panel, select a listed activity.b. On the right side of the Activities tab, from the Activity Sign Off Personas list, select one or more sign-off personas.Default Work OwnersIn Software Security Center, work owners are users whose Software Security Center accounts have permission to perform certain activities and requirements in a given SSA project version. You can assign work owners to activities and requirements. If you assign a work owner to a process template requirement, neither Process Designer nor Software Security Center automatically assigns that work owners to any requirement activities.Software Security Center assigns work owners on the basis of server account name. But when you use Process Designer to customize a process template, you may not be able to compile—or maintain—a complete and accurate list of the server account names for all Software Security Center instances that will use the process template. Therefore, Process Designer allows you to assign personas as a requirement or activity’s default work owner. When a member of the project team assigns a Software Security Center user account name to that persona, Software Security Center replaces the persona name with the user account name.Adding a Default Work Owner to a Requirement or ActivityTo add a new persona to an existing process template requirement or activity:1. To add a persona to a requirement:a. From the Requirements list in the Requirements panel, select a requirement.b. On the right side of the Requirements panel, from the Requirement Default Work Owner list, select a work owner.2. To add a persona to an activity.a. On the Activities tab, from the Activities list, select an activity.b. To the right side of the Activities list, from the Default Work Owner list, select a work owner.
HP Fortify Software Security Center Process Designer User Guide 42
Software Security Center Project TemplatesProject templates determine how HP Fortify products prioritize issues. When you create an SSA project version, Software Security Center uses the new project version’s attributes to recommend a process template. Each Software Security Center process template includes a project template that corresponds to the project version’s SSA and security requirements.In addition to its default set of project templates, Software Security Center enables customized project templates to be imported into the server. An imported project template then becomes an additional global design element. To learn more about importing project templates into Software Security Center, see the HP Fortify Software Security Center User Guide.Assigning a Project Template to a Process TemplateThe procedure in this section describes how to use Process Designer to assign a globally-defined project template definition to a process template.To assign a project template to a process template:• In the Requirements panel, from the Project Template list, select a project template to assign to the open process template.
HP Fortify Software Security Center Process Designer User Guide 43
Chapter 4: Working with Software Security Center Template Assignment Policies
About This ChapterThis chapter provides details about the Process Designer’s Template Assignment Editor. This chapter contains the following topics:• Overview of the Software Security Center Center Template Assignment Policy Operation• Getting Started with Software Security Center Template Assignment Policy Editor• Working With Template Assignment Policies• An Example Software Security Center Template Assignment Policy Editing Session
Overview of the Software Security Center Center Template Assignment Policy OperationIn Software Security Center, you must select a process template before you can finish creating a new SSA project version. When you select a process template, Software Security Center uses the server’s template assignment policies to recommend a process template that corresponds to the project version’s attributes.To determine which process template to recommend, Software Security Center sequentially evaluates its list of template assignment policies until it finds the first policy with assignment rules that matches the SSA project version’s attributes. Software Security Center then stops scanning the list of Template Assignment Policies and places the process template specified by the matching policy in the process template panel’s Template list. (Software Security Center permits you to override that recommendation and choose another process template if desired.)Getting Started with Software Security Center Template Assignment Policy EditorThis section contains the following topics:• Downloading Software Security Center Template Assignment Policies• Uploading Edited Template Assignment Policies• Saving Software Security Center Template Assignment Policies to Disk
Downloading Software Security Center Template Assignment PoliciesBefore you can perform the procedure described in this section, you must first start Software Security Center Process Designer and configure the connection between Process Designer and a running instance of Software Security Center (see Chapter 4, Getting Started with Software Security Center Process Designer on page 9). To download template assignment policies from Software Security Center:1. In Process Designer, select Server → Edit Template Assignment Policies.Process Designer downloads the template assignment policy definitions from Software Security Center.(Process Designer also acquires the current values for the process template project attributes and project attribute values).2. From the Template Assignment Policies list, select a template assignment policy.
HP Fortify Software Security Center Process Designer User Guide 44
Process Designer updates the right-side details pane with the template assignment policy rules.
For more information about template assignment policy rules, see Overview of Assignment Rule Elements on page 45.Uploading Edited Template Assignment PoliciesTo upload new or edited template assignment policies to Software Security Center, perform the procedure in this section.To upload modified template assignment policies to Software Security Center:1. In Server, choose Upload Template Assignment Policies.Process Designer displays the Upload Template Assignment Policies confirmation dialog box.2. Click Yes.Process Designer uploads the template assignment policies to Software Security Center.Saving Software Security Center Template Assignment Policies to DiskPerform the procedure in this section to save the current Template Assignment Policies editing tab to disk as a template assignment policy file (.tap filename extension).To save the Template Assignment Policies editing tab to disk as a TAP file:1. Select File → Save.The Template Assignment Policies editor does not enable the File → Save option if the policies set is unchanged. To save an unmodified template assignment policy, choose Save As.Process Designer prompts you for the location of the template assignment policy file.2. Choose the location to save the TAP file, and then click Save.
HP Fortify Software Security Center Process Designer User Guide 45
Working With Template Assignment PoliciesThis section contains the following topics:• Overview of Template Assignment Rules• Overview of Assignment Rule Elements• Overview of Constructing Template Assignment Rules
Overview of Template Assignment RulesThe following two criteria determine which template assignment policy Software Security Center uses to recommend a new SSA project version process template:• The template assignment policy’s position in the list of policy definitions• The template assignment policy’s assignment rulesOverview of Assignment Rule ElementsThe template assignment policy editor supports three types of rule element: Type, Project Attribute, and Project Attribute Value. The Type rules in turn consists of two categories: Logical operators or Project Attribute Definitions.Table 12 lists the three categories of template assignment policy assignment rules.
Overview of Constructing Template Assignment RulesWhen you specify a template assignment policy’s rules, Process Designer guides you through the rules-creation process by enabling and disabling certain selections in the Add Child dialog box.The following rules govern the creation of nodes in an assignment policy’s rule definition:• No node can be changed to a project attribute node if it contains any children• No node can be changed to a NOT if it contains more than one childAdditionally, the following governs how you can add a child to a node:• You cannot add a child to a Project Attribute type• You cannot add a NOT as a child to a parent NOT
Table 12: Template assignment policy assignment rules
Assignment criterion Description
Type, logical operator Use the And, Or, and Not logical operators to create Boolean expressions that provide container elements for Project Attribute elementsType, Project Attribute Definition Select Project Attribute Definition to enable the Project Attribute and Project
Attribute Value lists, described later in this tableProject Attribute When Type equals Project Attribute Definition, use the Project Attribute list to choose an existing global project attribute definitionThe choice of project attribute determines the values listed in the Project
Attribute Value list, described next Project Attribute Value When Type equals Project Attribute Definition, use the Project Attribute Value list to choose the value of the project attribute selected in the Project Attribute list
HP Fortify Software Security Center Process Designer User Guide 46
An Example Software Security Center Template Assignment Policy Editing SessionThis section contains the following topics:• Overview of Example Editing Session Tasks• Creating a New Template Assignment Policy• Specifying a Policy’s Assignment Rules• Raising or Lowering the Runtime Order of a Policy• Removing a Software Security CenterTemplate Assignment Policy
Overview of Example Editing Session TasksThe procedures in this section illustrate how to create and configure a new template assignment policy.To create and configure a new template assignment policy, you must first create the policy definition. You must then define the new policy’s assignment rules. Finally, you can increase or decrease the policy’s likelihood of being selected for a given SSA project version by moving the policy up or down in the list of policies.The procedures in this section assumes you have performed the procedure in Downloading Software Security Center Template Assignment Policies on page 43.Creating a New Template Assignment PolicyTo perform an example template assignment policy editing session:1. On the Process Designer Template Assignment Policies tab, in the list of template assignment policies, click
Add.The Add Template Assignment Policy dialog box opens.
2. In the Name text entry area, type EXAMPLE Template Assignment Policy.3. From the Process Template list, select Low Risk 3rd Party Development.If Software Security Center selects EXAMPLE Template Assignment Policy during the creation of a new SSA project version, the policy will recommend the Low Risk 3rd Party Development process template.4. In the Description box, type Example of a new template assignment policy.5. Click OK.Process Designer adds the new definition to the list of definitions.
HP Fortify Software Security Center Process Designer User Guide 47
Specifying a Policy’s Assignment RulesPerform the procedure in this section to configure EXAMPLE Template Assignment Policy to apply to any SSA project version where Project Attribute Value specifies that some portion of the project includes code developed by a third party.To add assignment rules to EXAMPLE Template Assignment Policy:1. Define a logical Or to contain multiple project attribute specifiers.a. In the left-side list of policy definitions, select EXAMPLE Template Assignment Policy, from the list of assignment rules on the right, select EXAMPLE Template Assignment Policy.b. Click Add Child.The Add Child dialog box opens.
c. From the Type list, select Or.d. Click OK.Process Designer displays the Or operator as a child of the EXAMPLE template assignment policy.2. Add the first Project Attribute specifier to EXAMPLE Template Assignment Policy.a. From the list of assignment rules on the right, select the Or operator you created in the preceding step, b. Click Add Child.The Add Child dialog box opens.c. Select the Or.Note: If you select an element that cannot support a child element, Process Designer does not enable the Add Child button. This Process Designer feature helps you construct well-formed template assignment rules.d. From the Project Attribute list, select Development Strategy.Process Designer updates the Project Attribute Value List with the valid values for the Development Strategy attribute.e. From the Project Attribute Value list, select Fully Outsourced.f. Click OK.Process Designer adds the new Project Attribute child to the Or logical operator.3. Repeat step 2, but this time, from the Project Attribute Value list, select Partially Outsourced.4. Repeat step 2, but this time, from the Project Attribute Value list, select Open Source.The policy now specifies assignment rules for any SSA project version that contains any code developed by a third party.
HP Fortify Software Security Center Process Designer User Guide 48
Raising or Lowering the Runtime Order of a PolicyYou can raise or lower a given template assignment policy’s likelihood of being selected by moving the policy’s position upward or downward in the list of policies.In Software Security Center, when you create a new SSA project version, the final step in the project creation process is to select the process template used by the new project version: You cannot complete the project creation process until you select a process template.To recommend a process template, Software Security Center sequentially evaluates its list of template assignment policies until it finds the first template assignment policy with assignment rules that match the new project version’s attributes; Software Security Center then stops evaluating policies and recommends the process template specified by the matching policy.Because Software Security Center stops evaluating the list of policies after it detects a match, the position of a given template assignment policy in the list of policies affects the likelihood of that policy, and the process template specified by that policy, becoming the recommended process template for a new SSA project version.To position a template assignment policy in the list of policies:1. From the Template Assignment Policies list, select EXAMPLE Template Assignment Policy.2. To change the position of in the list of policies, use the Up and Down buttons to the right of the list.Removing a Software Security CenterTemplate Assignment PolicyPerform the procedure in this section to remove (delete) EXAMPLE Template Assignment Policy.You can also use the template assignment policy editor to remove assignment policies that were previously uploaded to Software Security Center. To completely remove a template assignment policy, you must use the Process Designer Template Assignment Editor to remove the policy from the list, then upload the revised list of policies to Software Security Center.To delete a template assignment policy from the list of policies:1. From the Template Assignment Policies list, select EXAMPLE Template Assignment Policy.2. Click Remove.If you had deleted a non-demonstration template assignment policy, in Save you would use Upload to upload the revised list of policies to Software Security Center.In Software Security Center, the list of template assignment policies no longer includes the abridged list.