prep work exercises - carahsoft...how do i fix sql injection? input validation –yes detect...
TRANSCRIPT
Prep Work Exercises
▪ Open Your VM c:\VM Images\2017\windows 10 x64 (2).vmx
▪ UID: Admin
▪ PWD: P@ssword1
▪ Check Access to http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/
▪ UID: Admin
▪ PWD: Fortify@01
▪ Command Line Scan – open a dos prompt
▪ cd c:\share\Trainer Material\Code\Java\riches_java_src
▪ sourceanalyzer -b riches-class –clean
▪ sourceanalyzer -b riches-class -sql-language PL/SQL -source 1.6 -cp ./WEB-INF/lib/*.jar;./lib/*.jar ./**/*java ./**/*jsp ./**/*sql ./**/*xml ./**/*js./**/*html
▪ sourceanalyzer -b riches-class -source 1.6 -Xmx3200M -64 –scan –f richesresults.fpr
Application SecurityFortify-On-Demand | Application Defender | Fortify | WebInspect
Sameer Kamani
Security Solutions Architect
Jeffrey Hsiao
Security Solutions Architect
Agenda
▪ Prep Work Exercises
▪ Introductions
▪ Application Security Overview
▪ Fortify SCA Overview and Exercises
▪ Fortify SSC Overview and Exercises
▪ DevOps and Solution Architecture
▪ Putting It All Together – Team Exercise
▪ Wrap-Up
LaptopsPrinters
EnterpriseServices
ServersNetworkStorage
HPE Software is now Micro Focus!
EnterpriseSoftware
1 2 3 4 5 6 7 8
Existing network and perimeter based security is insufficient
84% of breaches exploit vulnerabilities in the application layerYet the ratio of spending between perimeter security and application security is 23-to-1
- Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)
Vulnerabilities in SoftwareWhat is a software or application vulnerability?
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.
Vulnerabilities in SoftwareOWASP
▪ The Open Web Application Security Project is a worldwide free and open community focused on improving the security of application software.
www.owasp.org
▪ This community routinely publishes a list of the top-10 application security vulnerabilities.
▪ New list published in 2017.
▪ Previous list was published in 2013.
OWASP Top 10As of 2017, OWASP lists the following top-10 categories:
1) Injection2) Broken Authentication3) Sensitive Data Exposure4) XML External Entities (XXE) 5) Broken Access Control 6) Security Misconfiguration7) Cross-Site Scripting (XSS)8) Insecure Deserialization 9) Using Components with Known Vulnerabilities10) Insufficient Logging & Monitoring
OWASP A1 – Injection Flaws
• Multiple Types of Vulnerabilities
• SQL Injection
• LDAP Injection
• XPath Injection
• XSLT Injection
• HTML Injection
• OS Command Injection
• Basic Definition: Interpreters execute unintended commands on a server
OWASP A1 – Injection Flaws
• SQL Injection – The Worst of the Worst
• Has been on the top of the OWASP Top 10 since the beginning
• The favorite vulnerability of Anonymous, LulzSec, and Black Hats
• Pretty easy to detect and exploit
• Easy access to your data
• What is it?
• Data from an untrusted source is mixed into a SQL query allowing an attacker to change the query.
Injection AttackGeneral Algorithm
1. Generate dynamic string to be used by an interpreter
– Append raw data to string
– Raw data is unexpected
2. Pass string to interpreter to be executed
3. Interpreter performs some other operation as a result of unexpected data
SQL Injection AttackConceptual Example and Flow
1. dynamic query against a SQL database such as:
Select * from USERS where name = ‘+userName+’
2. User sets userName = x'; drop table members; --
3. SQL database query has now changed meaning:
Select * from USERS where name = ‘x'; drop table members; --’
4. Database will now delete the members table instead of querying user table
Perform a
Preventing SQL InjectionsAnother Exploit - incorrect filtered escape character
String query = "SELECT * FROM acct_trans WHERE acct_num = ‘" +
request.getParameter(“AcctNum") + “’";
…
1) SQL Statement intended to retrieve the user’s account transactions:
2) Exploit: AcctNum = ‘12345’ or ‘1’ = ‘1’ --
3) Result: SELECT * FROM acct_trans
WHERE acct_num = ‘12345’ or ‘1’ = ‘1’ --
How Do I Fix SQL Injection?
▪ Input Validation – Yes
▪ Detect unauthorized input before processed by application
▪ Parameterized Queries (prepared stmt) – Even Better
▪ Define SQL code and then pass in each parameter to the query later
▪ Parameters are placeholders for values
Injection Attack Costly ExampleHeartland Payment Systems – Jan, 2009
HRMAC III(cmd_procEnabled)
PaymentProcessingMAC I
Jan. 200994M records stolen$130M +
SQL Injection
One Vulnerability To Rule Them AllHeartland Payment Systems
The method used to compromise Heartland’s network was ultimately determined to be SQL injection. Code written eight years ago for a web form allowed access to Heartland’s corporate network. This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland’s systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network. Although the vulnerability existed for several years, SQL injection didn’t occur until late 2007…. the intruders spent almost six months and many hours hiding their activities while attempting to access the processing network, bypassing different anti-virus packages used by Heartland. After accessing the corporate network, the fraudsters installed sniffer software that was able to capture payment card data, including card numbers, card expiration dates, and, in some cases, cardholder names as the data moved within Heartland’s processing system.
Heartland Payment Systems: Lessons Learned from a Data Breach Julia S. Cheney, January 2010 Federal Reserve Bank of Philadelphia
Injection Attack – Government ExampleIllinois State Election Board
“The successful hack of the Illinois system began with a scan of the state election board's site with Acunetix, a commercial vulnerability scanning tool used to discover SQL injection vulnerabilities and other site weaknesses. The attacker used information on an SQL injection bug to then use SqlMap, an open source tool, to access user credentials and data, and the DirBuster tool to discover hidden files and directories on the Web server. Yahoo reports that officials suspected "foreign hackers" for the attack.”
After Illinois hack, FBI warns of more attacks on state election board systems
ARS Technica
Reported on 8/29/2016
https://arstechnica.com/security/2016/08/after-illinois-hack-fbi-warns-of-more-attacks-on-state-election-board-systems/
21
Exercise 1: Start the Fortify DemoEnvironment Setup
▪ Start the Fortify Demo Server
▪ There’s a “Launch the Riches Demo App” Shortcut on your desktop
▪ **It should already be started. You Should see some Command Prompt Windows.
Demo: SQL Injection
▪ Open Internet Explorer and browse to http://localhost:8080/riches(there should also be a shortcut)
▪ Click the Locations Button at the top.
▪ There is SQL Injection in this form. See if you can find it!
▪ Valid Zip Codes (94404, 10005, 94123)
Demo: SQL Injection
▪ Open Internet Explorer and browse to http://localhost:8080/riches(there should also be a shortcut)
▪ Click the Locations Button at the top.
▪ There is SQL Injection in this form. See if you can find it!
▪ Valid Zip Codes (94404, 10005, 94123)
Try entering
' or '1'='1in the Find ATMs/Locations field
OWASP A7 – Cross Site Scripting (XSS)
• The Most Prevalent Vulnerability on the OWASP Top 10
• Was at the top until the ranking methodology changed
• Very easy to detect and exploit
• What is it?
• Your application is used as a platform to attack your users.
• Allows an attacker to insert malicious code into the user’s session
• Used to deface web sites, hijack sessions, steal credentials, and install malware
OWASP A7 – Cross Site Scripting (XSS)
• Reflected XSS
• Requires a user to execute an action that contains the attack payload. (Such as clicking a link in a phishing email)
• The attack only affects the user that executes the action
• Persistent XSS
• Attack payload is injected into a data store, such as a database.
• The attack affects every user that uses the application.
• The most impactful variant of XSS
Preventing XSS – Input/Output Validation
• Blacklisting – Developing a naughty list of characters/tags
• Nearly impossible to write black lists that cover all attack vectors
• Many ways to obfuscate attack payloads
• Using case, null characters, and flaws in browser rendering
• Using alternate tags, such as IMG, IFRAME, links, body, etc
• Using alternate encodings and languages
• Check out: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Whitelisting – Using regular expressions
• [A-Za-z0-9]{5,25} – Possible regex for a username
Preventing XSS – Output Encoding
• Encoding – Making Malicious Code Unexecutable
• <script> becomes <script>
• HTML Encoding for all data rendered in plain HTML
• Special care should be taken for data inserted into JavaScript and as tag attributes
• Many Standard Encoding Libraries are not sufficient
• Use the AntiXSS Library from Microsoft for .NET (now included in 4.5)
• OWASP Enterprise Security API (ESAPI)
Cross Site Scripting Famous ExamplePayPal, circa 2004 - 2006
▪ Steal credit card numbers
1. Users access URL on genuine PayPal site
2. Page modified via XSS attack to silently redirect user to external server
3. Fake PayPal Member log-in page
4. User supplies login credentials to fake site
▪ Exploitable for two years
Exercise 2: XSS Injection
▪ Click the submit button on the login form.
▪ Open Internet Explorer and browse to http://localhost:8080/riches(there should also be a shortcut)
▪ There is Cross Site Scripting in the login page. See it?
▪ Valid Login (eddie/eddie)
Exercise 2: XSS Injection
▪ Click the submit button on the login form.
▪ Open Internet Explorer and browse to http://localhost:8080/riches(there should also be a shortcut)
▪ There is Cross Site Scripting in the login page. See it?
▪ Valid Login (eddie/eddie)
Try entering
';</script><script>alert('XSS');</script>In the login field
Software Security Assurance (SSA & SDLC)
Design Code TestIntegration
- StagingOperate
Security
ProductionSystem
Testing
Integration/ Component
Testing
CodingRequirements
30X
15X
10X
5X
1X
Co
st
30x more costly to secure in Production
Source: NIST
Security Gate
Remediation +
Secure SDLC
Monitoring + Protection
Secure DevelopmentContinuous feedback on the developer’s desktop at DevOps speed
1
Security TestingEmbed scalable security into the development tool chain
2
Continuous Monitoring and ProtectionMonitor and protect software running in Production
3
Improve SDLC Policies
The right approach for the new SDLC – Build it in
This is application security for the new SDLC
Software Security Analysis and Defense• Static Analysis (Fortify): analysis of computer software that is performed without actually executing programs
(i.e. run on source code)
• Dynamic Analysis (WebInspect): analysis of computer software that is performed by executing programs on a real or virtual processor (Pentesting against a running web application)
• RASP (Application Defender): software agent protects and monitors production systems.
Static Dynamic RASP
Requires source code Only Web Applications and services
Only Web Applications and services
Finds most issues Finds fewer issues Protects and monitors applications
Provides line of code level detail
Provides request and response
Requires a software agent to be installed
Preferred by developers Preferred by security and SOC Can protects against zero days
Secure DevelopmentContinuous feedback on the developer’s desktop at DevOps speed
1
Security TestingEmbed scalable security into the development tool chain
2
Continuous Monitoring and ProtectionMonitor and protect software running in Production
3
Improve SDLC Policies
The right approach for the new SDLC – Build it in
This is application security for the new SDLC
Fortify SCASAST
WebInspectDAST
App DefenderRASP
WI AgentIAST
Security solutions backed by MF Security Research
Ecosystem Partner
FSRG ESS
• SANS, CERT, NIST, OSVDB, software & reputation vendors
• 3000+ Researchers
• 2000+ Customers sharing data
• Largest commercial IT security research group
• Continuously finds more vulnerabilities than the rest of the market combined (50-75% of publicly reported critical vulnerabilities)
• Frost & Sullivan winner for vulnerability research last four years
• Collaborative effort of market leading teams: ArcSight, Fortify, MF Labs, Application Security Center
• Collect network and security data from around the globe
MF Security Research
Fortify On Demand (FOD) / Vendor Management Application Defender
Software Security Assurance (SSA & SDLC)
Design Code TestIntegration
- StagingOperate
Security
Development
Static Code Analyzer (SCA)
Fortify Static Suite
Audit Workbench (AWB)
IDE Plugin
Software Security Center (SSC)
Testing
Web Inspect (WI)
Fortify Dynamic Suite
WebInspect Enterprise (WIE)Continuous Web Monitoring (CM)
On-demand Web Scans
Software Security Center (SSC)
Application Defender
Visibility & Defense
/ Operations
Hybrid
Software Security Assurance – Top 2 for WebInspect
Secure Development
Continuous Integration
Assessment
Security Acceptance
Testing
Monitoring
Continuous Monitoring
Protection
Realtime Application Self
Protection
Remediation
Process Driven Triage
MF Fortify Static Code Analyzer (SCA)
Features:
• Automate static application security testing to identify security vulnerabilities in application source code during development
• Pinpoint the root cause of vulnerabilities with line of code details and remediation guidance
• Prioritize all application vulnerabilities by severity and importance
• Supports 24 languages, > 750 vulnerability categories, 840,000 APIs
Benefits:
• Reduces the cost of identifying and fixing vulnerabilities
• Reduces risk that a vulnerability will slip by and cause a
problem later
• Saves valuable development time and effort
Problem it solves:
• Identifies all risks in the source code for applications in development
Securing your application code in development
MF Fortify SCA Process Flow
Translation
Source Code
to
Fortify
Intermediate
Model
Analysis
Fortify Intermediate Model to List of
Possible Vulnerabilities
Audit
Vulnerability
Verification,
Triage
and
Remediation
▪ All Languages
▪ Source code needs to be in a buildable state
▪ C, C++, Objective C
▪ compiler is required to run SCA translator
▪ C#, VB.Net
▪ solutions must be compiled to create pdb files
▪ Java, JavaScript, SQL, PHP, ColdFusion, APEX, . . .
▪ translated directly by the SCA translator
MF Fortify SCA Process FlowTranslation requirements
Analysis
MF Fortify SCA Process Flow
Translation Audit
Source Code to
MF Fortify Intermediate
Model
MF Fortify Intermediate
Model toList of
PossibleVulnerabilities
VulnerabilityVerification,
Triageand
Remediation
Each analyzer has corresponding rule types. MF Security Fortify SCA – Analysis
ScanData flow
Control flow
Structural
Semantic
Configuration
Buffer
ContentNon-trusted input can potentially
control application operation.
Detects potentially dangerous execution sequences
Detects potentially dangerous flaws in the structure or definition of a program
Looks for unsafe function calls
based on their signature
Uses XPath queries and name-
value matching to identify issues
in application’s configuration files
Buffer analyzer detect access to
buffer beyond its boundaries
Searches for security issues
and policy violations in HTML
SCA Analysis
Static Application Security TestingAccurately identify root cause and remediate underlying security flaw
XML
Java
JSP
T-SQL
Results
T-SQL
Java
XML
JSP
User Input
SQL Injection22+ Languages
VBScript
HTML ASP
XMLPL/SQL
Java
C#.NETCOBOL
PHP
PythonVisual Basic
ABAP
T-SQL
C/C++
Classic ASP
CFML
VB.NET
JavaScript/AJAX
SCA Frontend
MF Fortify SCA Process Flow
Translation Analysis Audit
Source Code to
MF Fortify Intermediate
Model
VulnerabilityVerification,
Triage,and
Remediation
MF Fortify Intermediate
Model toList of
PossibleVulnerabilities
MF Fortify SCA Process Flow
MF Fortify Utilities
Audit Workbench (AWB)
An MF Fortify Graphical User Interface (GUI) utility
Rich features to review results from MF Fortify SCA analysis
Secure Coding Plug-ins
Very similar functionalities to AWB
Eclipse, Visual Studio
Software Security Center (SSC)
Contains a collaboration module with similar functionalities to AWB
Has a rich reporting interface and stores all findings in the DB
You
Verify and remediate issues found by MF Fortify SCA
Secure Coding PluginsVisual Studio, Eclipse, …
Audit Workbench(AWB)
Software Security Center (SSC)
FPR
Audit Phase = MF Fortify Utilities + You
Audit Phase = MF Fortify Utilities + You
▪ MF Fortify Utilities▪ Audit Workbench (AWB)
▪ An MF Fortify Graphical User Interface (GUI) utility
▪ Rich features to review results from MF Fortify SCA analysis
▪ Secure Coding Plug-ins
▪ Very similar functionalities to AWB
▪ Eclipse, Visual Studio
▪ Software Security Center (SSC)
▪ Contains a collaboration module with similar functionalities to AWB
▪ Has a rich reporting interface and stores all findings in the DB
▪ You▪ Verify and remediate issues found by MF Fortify SCA
MF Fortify Software Security Center
Features:
▪ Specify, communicate and track security activities performed on projects
▪ Role-based, process-driven management of software security program
▪ Flexible repository and exporting platform for security status, trending and compliance
▪ Integrates with Audit Assistant
Benefits:
• Provides a clear, accurate picture of software risk across the
enterprise
• Lowers cost of resolving vulnerabilities
• Identify areas of improvement for accelerated reduction of risk
and costs
Problem it solves:
• Provides visibility into security activities within development
Management, tracking and remediation of enterprise software risk
Static Software Scanning Process
Developers
Security/Tech Lead
Continuous
Integration
Jenkins, TFS,
etc.
Code Repository
Issue Tracking
Check in Code
Scheduled or Triggered
Check-out and Build
(Auto) Deliver
for Analysis
Submit Findings
to Bug Tracker
Developer Fixes
Bug / Finding
REPEAT
AS NECESSARY
Vulnerability
Findings
Integrations
SonarQube, Archer, etc.
Mgmt Portal
(SSC)
Scanning Engine
(SCA)
Scrum
Fortify SCA Suite
• Static source code analysis.Fortify SCA
• Visual interface for analysis of software vulnerabilities.Audit WorkBench (AWB)
• Integrated vulnerability detection into Integrated Development Environments (IDEs).
Secure Coding Plug-ins
• Management for multiple audit projects from a single centralized console.Fortify SSC Server
Fortify scanningMultiple ways to scan a project
• IDE Plug-ins
• Build integration (Ant, maven, make, Jenkins,…)
• Command Line
• Audit WorkBench (AWB)
• Scan Wizard
SCA Command Line Interface
▪ Command Line Interface Help
sourceanalyzer -h
▪ Java Command Line Syntax
sourceanalyzer -b <build_id> -cp <classpath> <file_list>
▪ .NET Command Line Syntax
sourceanalyzer -vsversion 9.0 -b MyBuild -libdirs
ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug
▪ C/C++ Command Line Syntax
sourceanalyzer -b <build_id> <compiler> [<compiler options>]
Java Source CodeCD C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_17.10\Samples\basic\eightball
Commands
sourceanalyzer -b EightBall -clean
sourceanalyzer -b EightBall –source 1.6 EightBall.java
sourceanalyzer -b EightBall -source 1.6 -Xmx3200M –scan –f EightBall.fpr
sourceanalyzer -b EightBall -show-files
sourceanalyzer -b EightBall -show-build-warnings
Translation Exercise
Exercise 3: Command-Line Scan
Exercise 4: Audit Workbench Scan Exercise
▪ Start Audit Workbench
▪ Select “Advanced Scan…”
▪ Navigate toC:\Users\Workshop\Desktop\Trainer_Materials\ri
ches_wealth_src
▪ Click OK
▪ Specify Java Version 1.6
▪ Click Next >
▪ Add ”-Xmx2700M” to translation and scan command line options
▪ Click Next > then click Scan
If you have an SSC instance then rulepacks
can be downloaded from it.
Can automatically check for rulepack updates.
Server Configuration
Typical Configuration – download rulepack
Corporate Network
Software Security CenterInternet
FromUpdate.fortify.com
FromSSC
Typical Configuration – upload scan results
Corporate Network
Software Security Center
Upload scan results to SSC
instance
Security Content Version
Click to manually check for new
security content
Click to import security content (custom rules)
Security Content Management
Control Issue Display
Tweak Issue Summary Display
Merge comments with analysis tag
changes
Audit Configuration - Appearance
Override default Filter Set
Set attribute to use for quick audit
feature
Configure how issues are copied
Audit Configuration - Configuration
Project Save Options
Memory Considerations
▪ SCA is a java application
Can be set using the –Xmx command line option-Xmx10800M
-Xmx8G
▪ You can set the maximum java heap space via environment variableSCA_VM_OPTS=-Xmx4G –used for SCAAWB_VM_OPTS=-Xmx2G –used for Audit Workbench
▪ Value should not be greater that two thirds of total system memory
Fortify SCA – Eclipse IDE Plug-in
Noted: you should make sure all libraries are included, and source codes are compliable before you scan.
MF Fortify SCA – Eclipse IDE Plug-in
AnalysisResult
AnalysisTrace
Source Code
Summary and details
Package Explorer
Exercise 5: Eclipse IDE Plugin Scan
▪ In Package Explorer Open Project Riches
▪ Fortify Analyze Project
▪ Start Scan
Exercise 6: Remediate SQLI and Rescan
▪ SCA Analysis Result Find SQL Injection
▪ Expand SQL Injection Choose
LocationService.Java:121
▪ Determine if the SQLI is exploitable or not
▪ Make change to the code
▪ Rescan
Exercise 6: Remediate SQLI
// String queryStr = "SELECT * FROM location WHERE zip = '" + zip + "'";String queryStr = "SELECT * FROM location WHERE zip = ?";statement = conn.prepareStatement(queryStr);
statement.setString(1, zip);
Exercise 7: Visual Studio IDE Plugin Scan
▪ In Solution Explorer Open Project Riches
▪ Fortify Analyze Project
▪ Start Scan
Exercise 8: Remediate SQLI and Rescan
▪ SCA Analysis Result Find SQL Injection
▪ Expand SQL Injection Choose LocationDB.cs:30
▪ Determine if the SQLI is exploitable or not
▪ Make change to the code
▪ Rescan
Exercise 8: Remediate SQLI
//SqlCeCommand query = new SqlCeCommand("SELECT * FROM [location] where atm = 'Yes' and zip = '" + zip + "'", connection);SqlCeCommand query = new SqlCeCommand("SELECT * FROM [location] where atm = 'Yes' and zip = @postalcode", connection);//query.Parameters.AddWithValue("@postalcode", zip);
Issues Panel
Folders: One tab for each folder. The default folders are one for each Fortify Priority and one for all issues.
Critical, High, Medium, Low, ALL
Group By: How the issues are grouped together. The default grouping is by Category.
Group Counts: This shows how many issues have been audited and how many total issues for the group. 0/5 means a total of 5 issues with 0 (zero) issues audited.
My Issues: Filter issues to only display issues assigned to current user.
Filter Set: Current Filter being used to display issues.
Issues Panel
Folder Name: Name of the currently selected folder.
Group Icon: A folder graphic is used as the group icon. This should not be confused with the Folders that are represented by the tabs.
Search: Used to search issues. Advanced searching capabilities are available.
Issue Icon: Represents the auditing that has been done for the issue.
Folder Dialog Shortcut: Clicking the … will open the dialog to edit folders.
Issues Panel – analysis tag icons
Not an Issue
Reliability Issue
Bad Practice
Suspicious
Exploitable
Not Audited
Previously Audited
Trace of analysis evidence usedin identifying the issue.
From source to sink.
Icons are meaningful and documented in the “About the Analysis Evidence Panel”
section of theAudit Workbench User Guide.
Analysis Evidence Panel
source
sink
Analysis Evidence PanelShared Sink
Sub-group title is the first lineof the Analysis Evidence (source)
Submit to bug tracking system
Set the analysis tagShort description ofthe selected issue
Commit or cancelcurrent commentSuppress the issue
List of saved comments
Enter comments here
Issue Auditing Panel - Summary
Edit tags
Code specific abstract of selected issue.
Detailed description ofthe selected issue.
Issue Auditing Panel - Details
Suggestions and examples of how to secure the vulnerability or remedy the bad practice.
Issue Auditing Panel - Recommendations
Scroll down to see mappings and external research references.
Issue Auditing Panel - Recommendations
Activities such as changing the analysis tag and suppressing an issue are logged.
Comment history.
Issue Auditing Panel - History
Standard UML call graph of the
Analysis Evidence
Red lines in the diagram are the flow of tainted data
Issue Auditing Panel - Diagram
Displays warnings/errors that occurred during the scan.
Issue Auditing Panel - Warnings
Can export individual entries or all entries to a text file.
Source Code Panel Clicking an issue syncs the source code panel to the file and line
number of the sink.
Source Code Panel
Clicking on a trace node syncs the
source code panel to node’s file and
line number.
If someone tries to tamper with the FPR file directly,
result certification will become invalid
Source Code Panel - Project Summary
Source Code Panel - Project Summary
The list of all scanned files. Same as # sourceanalyzer -b build_id -show-files
Executable LOC: SCA doesn’t count blank lines and comments
Total LOC: SCA doesn’t include HTML, XML and properties files
Package
Class
Search packages, classes and functions
Lists all functions that were declared or called in the source
code scanned.
Function Name
Show all functions or only those not covered by rules.
Group by package, class or just list functions.
Include internal, external, and/or superclass API’s used in the source
code scanned.
Functions Panel
Legend…
Suppression
A way to hide an issue from view and consider it audited.
What might be suppressed?
▪ Issues that you are certain will not be of concern.
▪ Issues that you plan to never fix.
▪ Issues that are warnings concerning code quality or correctness (lower priority).
Suppression
Right clickon an issue
Right clickon a group of issues
Suppress the currentlyselected issue
Three ways to suppress
Suppression
Toggles showing suppressed issues
How to view suppressed issues
Interface will display suppressed issues by default when set.
Suppression
Viewing suppressed issues
The icon for suppressed issue
Total suppressed issues in current folder
Exercise 10: Audit and Suppress
▪ Audit all insecure randomness issues
▪ Add a comment to all issues related to:
▪ Suppress all Dead Code
MF Fortify Software Security CenterManagement, tracking and remediation of enterprise software risk
Problem it solves:
Provides visibility into security activities within development
Features:
▪ Specify, communicate and track security activities performed on projects
▪ Role-based, process-driven management of software security program
▪ Flexible repository and exporting platform for security status, trending and compliance
Benefits:
• Provides a clear, accurate picture of software risk
across the enterprise
• Lowers cost of resolving vulnerabilities
• Identify areas of improvement for accelerated
reduction of risk and costs
MF Security Fortify Software Security CenterVulnerability detail
Remediation explanation and advice
Line of code vulnerability detail
Vulnerabilities identified
in the scan
SSC Functional Areas
▪ SSC Administration
▪ User Access
▪ System Configuration
▪ Issue Template (Project Template)
▪ Application (Project) Administration
▪ Application Management
▪ Attributes Assignment
▪ Program Management
▪ Audit Page (Collaboration Module)
▪ Reporting
Exercise 11: Software Security Center Walk Through
1. Click on “Launch the Fortify SSC Server”
2. Open a web browser
3. Navigate to http://localhost:8180/ssc
4. Login information is in student_logins.txt on your Desktop. Log in as admin.
5. Password is Workshop2017!
Exercise 12: Create a New Application
Create a New Application
▪ Click on “Launch the Fortify SSC Server”
▪ Open a web browser
▪ Navigate to http://localhost:8180/ssc
▪ Login information is in student_logins.txt on your Desktop. Log in as admin.
▪ Password is Workshop2017!
▪ Click Application
▪ Click New Application
New Application
▪ Name: Riches2
▪ Version: v9
▪ Development Phase: New
Exercise 13: Upload FPR
Upload FPR
▪ Launch AWB
▪ Click Tools
▪ Click Configure Upload
▪ Enter SSC Login Credentials
▪ Click Upload Audit Project
Login
▪ SSC URL: http://localhost:8180/ssc
▪ Username: admin
▪ Password: Workshop2017!
▪ Application: Riches2, V9
Upload FPR
▪ You need to setup Server Configuration Upload FPR Configurationbefore you can upload FPR
Select the appropriate project and version
Click Tools then Upload Audit Project.
Enter SSC user and password.
Scan analyticsMachine learning to make AppSec more efficient
152
• Identify true vulnerabilities and prioritize them for remediation faster
• Focus on triaging and investigating high priority vulnerabilities.
• Return value-added time to your developers and auditors
Fortify Scan Analytics
Potent ial
Vulns.
Not an Issue
Exploitable
Indeterminate
Return value-added time to auditors and developersWithout sacrificing scan integrity
False negative
<1%
Non-issue reduction
25% – 90% 80%-98%
Accuracy
Results obtained are based on real world applications and scenarios. Results vary based on training and customization. They are not guarantees of future performance.
Data VisualizationDashboards and Reports
Vulnerability status by application
Global dashboard highlights risk across
software portfolio
Reporting Features
AWB/Plugins SSC
BIRT Reporting X X
BIRT Customization X
Simple Layout Configuration X X
PDF X X
HTML X X
DOC X
XLS X
Asynchronous X
Synchronous X
Issues Reports X X
Portfolio Reports X
Application Reports X
Dashboards X
Report Type
▪ CWE/SANS Top 25
▪ DISA STIG
▪ Developer Workbook
▪ FISMA Compliance: FIPS-200
▪ OWASP Mobile Top 10
▪ OWASP Top 10
▪ PCI DSS Compliance Application Security Requirements
Layout
▪ Default Report Layout
▪ Title Page
▪ Table Of Contents
▪ Executive Summary
▪ Project Description
▪ Issue Breakdown
▪ Issue Detail/Summary
Exercise 14: Generate AWB Reports
Generate AWB Reports
▪ Launch AWB
▪ Click Reports
▪ Generate BIRT Report - Security Auditor View
▪ Click Reports
▪ Generate BIRT Report – Quick View
▪ Click Reports
▪ Click Tools->Generate Legacy Report
Features
▪ New BIRT Reporting Engine
▪ Simple Layout Configuration
▪ Saves as DOC,HTML, PDF
▪ Synchronous
Exercise 15: Generate SSC Reports
Generate SSC Reports
▪ Click on “Launch the Fortify SSC Server”
▪ Open a web browser
▪ Navigate to http://localhost:8180/ssc
▪ Login information is in student_logins.txt on your Desktop. Log in as admin.
▪ Password is HPpass2017!
▪ Click Reports
▪ Click New Report
Features
▪ New BIRT Reporting Engine
▪ BIRT Customizations
▪ Simple Layout Configuration
▪ Saves as XLS,HTML, PDF
▪ Asynchronous
▪ Dashboard Portfolio and Application Reports
DevOps – Definition, Principles and Benefits
164
DevOps- A practice that emphasizes the collaboration and communication between
software developers and IT professionals, with the goal of automating the process of
software delivery and infrastructure changes.
Principles• Develop and test in an environment similar to production• Deploy builds frequently• Automate the process of delivering software• Validate quality continuously
Benefits • Faster time to value • Faster time to market with higher quality• Stay ahead in a competitive environment
Static Code Security Analysis for the EnterpriseStart with Assessment, Visibility, and Own the Debt First / DevOps Second
167
Effective / High Velocity DevSecOps
168
Developer
Source Code Mgmt System
Defect Mgmt System
Vulnerability Mngt Platform
Lead Developer New / Critical Issues Exist Alert
1
23
4
5
IDE Security PluginLocal Remediation ScanLight Weight Static Scan
Repair MYIssues
6
8 Check in Secure Code
SecurityAnalysis
Prerequisites:1) Base line scan / audit
performed2) Confidence threshold
defined3) Audit Filters or Rules from
previous scans applied via vuln mngt platform
Static Scan Servers Cluster
Translated Files sent to
available scan server
Upload New Scan
Merged with
Existing
Triage &Assign to Defect Tracking System
Developer is sent ticket with embedded link to issues
7
Build / Translation Job
Time to Value
1
Workstation w/ SCA
Scanning Server
Workstation w/ SCA
Fortify SSC
Scanning Server
Workstation w/ SCA
Fortify SSC
Mobile Build Analyzer
Scanning Server
Workstation w/ SCA
Fortify SSC
Controller
Sensors
Cloud Scan
Scanning Server
Workstation w/ SCA
365 365+Days
Exp
ert
ise
Basic
Advanced
Enterprise
5 Executive ManagementCISO/PM’s and others can view metrics, generate reports and better manage risk
Build / ScanMachine
Build and Scancould be differentphysical machines
Build Manager
3
SCA scan is executed as part of the build process, and all static code analysis results can be uploaded into SSC
Software Security Center (SSC)•Rights and roles•Project Templates•Applications and Versions•Dynamic and Static Scan Results
Code RepositoryConfiguration Management
Check-out, remediate& check-in
SSC Administrator
1Manage users, roles, access, project templates,filters, . . .
MF Fortify Static Code Analyzer (SCA),IDE Plugins,Audit Workbench (AWB)
2 DevelopersWrite Code
SCA Scan on Desktop
Remediate
Development Manager and IA Team4Triage results (as part of the IA review process) and assign tasks via Change Management process
Software Security Assurance – Roles & Workflow
Dynamic scan results published to SSC
Enterprise process where developers have SCA and a build/scan server is in place –
❖ Step 1: All policy, governance (Mitre/CWE (Common Weakness Enumeration), FISMA, etc), roles and responsibilities will be established in the SSC. Including process flow, and use cases, and other “know how” to help each participant understand their role in the process.
❖ Step 2: As Developers go about their “day to day” development tasks, they will scan their code for the Application Security policies established by the IA team. Once the Developer has “checked their code in”, it will uploaded the build server. Developers will have access the SSC server to view activities assigned to them, and to better understand their role, and other helpful tips/techniques.
❖ Step 3: Once the code has been promoted by the developers, an entire scan will be conducted on the application as a whole as part of the build process, and the results file will be uploaded to the SSC.
❖ Step 4: Results from the scans will be triaged/audited by IA, Testers or others, and any issue which needs to be address will be assigned to the appropriate development manager. The development manager will follow the established company Change Control process and assign the work to a developer for remediation (back to step 2).
❖ Step 5: Project Managers, Executives, and others will have access to the HP Fortify SSC server to generate reports, review project metrics; essentially managing risk and activities
User 1
▪ Task 1
▪ Create Users
▪ Create Projects
▪ Task 2
▪ Open Collaborative audit
▪ Audit
User 2
▪ Task 1
▪ Scan Sample Code
▪ Upload
▪ Task 2
▪ Open Collaborative Audit
▪ Review Comments
Group Exercise – Life CycleBreak up into Pairs
Log in SSC• http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/• Admin/Fortify@01
Enterprise Adoption Success ScorecardThe Only Questions You Really Need to Ask
1. Do you have SSC stood-up and operating properly?
2. Are the FPRs of record for active development teams loaded at least once per week?
3. Does your CISO and/or Application Development Director have a login?
4. Does your CISO and/or Application Development Director login to SSC and review the portfolio results at least once per month?
5. Has your CISO and/or Application Development Director specified a remediation policy for Fortify findings?
175