Fortify SCA Workshop Exercises Haleh Nematollahy Sr. Security Solutions Architect


Page 1

Fortify SCA Workshop Exercises - Carahsoft
Haleh Nematollahy, Sr. Security Solutions Architect

Page 2

Prep Work Exercises

• Open your VM: c:\VM Images\2017\windows 10 x64 (2).vmx
  UID: Admin  PWD: P@ssword1

▪ Check access to http://localhost:8180/ssc
  UID: admin  PWD: Workshop2017!

▪ Command-line scan: open a DOS prompt and run the three steps (clean the build ID, translate the sources, then scan and open the results in Audit Workbench):

  cd c:\users\workshop\desktop\TrainingMaterial\src\riches.java\riches_java_src
  sourceanalyzer -b riches -clean
  sourceanalyzer -b riches -sql-language PL/SQL -source 1.6 -cp ./WEB-INF/lib/*.jar;./lib/*.jar ./**/*java ./**/*jsp ./**/*sql ./**/*xml ./**/*js ./**/*html
  sourceanalyzer -b riches -source 1.6 -Xmx3200M -scan -f richesresults.fpr
  auditworkbench richesresults.fpr

Page 3

Exercise 1: Start the Fortify Demo Environment Setup

• Start the Fortify Demo Server: there is a "Launch the Riches Demo App" shortcut on your desktop. Click on it; you should see some Command Prompt windows.

Page 4

Demo: SQL Injection

• Open Internet Explorer and browse to http://localhost:8080/riches (there should also be a shortcut on the desktop)
▪ Click the Locations button at the top
▪ There is SQL injection in this form. See if you can find it!
▪ Valid zip codes: 94404, 10005, 94123
▪ Try entering: ' or '1'='1
▪ Same in the Find ATMs/Locations field

Page 5

Exercise 2: XSS Injection

• Open Internet Explorer and browse to http://localhost:8080/riches (there should also be a shortcut)
▪ There is cross-site scripting in the login page. See it?
▪ Valid login: eddie/eddie
▪ Try entering <script>alert('XSS');</script> in the login field
▪ Click the Submit button on the login form

Page 6

Exercise 3: Command-Line Scan

• Translation exercise (Java source code). Open cmd as Administrator and run:

  cd "C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_17.20\Samples\basic\eightball"
  sourceanalyzer -b EightBall -clean
  sourceanalyzer -b EightBall -source 1.6 EightBall.java
  sourceanalyzer -b EightBall -source 1.6 -Xmx3200M -scan -f EightBall.fpr
  auditworkbench EightBall.fpr
  sourceanalyzer -b EightBall -show-files
  sourceanalyzer -b EightBall -show-build-warnings

Page 7

Exercise 4: Scanning With AuditWorkbench

• In the search box, type AuditWorkbench


Page 12

Exercise 4: AuditWorkbench Scan Exercise

• Start Audit Workbench
• Select "Advanced Scan..."
• Navigate to C:\Users\Workshop\Desktop\TrainingMaterial\src\riches.java\riches_java_src
• Click OK
• Specify Java version 1.6
• Click Next >
• Click Next >, then click Scan

Page 13

Exercise 5: Eclipse IDE Plugin Scan

• In Package Explorer, open project Riches
• Fortify drop-down: Analyze Project to start the scan

Page 14

Exercise 6: Remediate SQLI and Rescan

• SCA analysis result: find SQL Injection
• Expand SQL Injection and choose LocationService.java:120
• LocationService.java:120: determine whether the SQLI is exploitable or not, then make the change to the code
• Rescan

Page 15

Exercise 6: Remediate SQLI

  // Before: the zip value is concatenated into the SQL text, so the input is parsed as part of the query
  // String queryStr = "SELECT * FROM location WHERE zip = '" + zip + "'";
  // After: a bind parameter keeps the zip value as data; the query text never changes
  String queryStr = "SELECT * FROM location WHERE zip = ?";
  statement = conn.prepareStatement(queryStr);
  statement.setString(1, zip);
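The following is an added example, not part of the workshop material: it reproduces the Riches location lookup in Python on an in-memory SQLite table (constructed sample rows, not the Riches database) and shows the concatenated query beside the bind-parameter form that the Java fix above uses, using the exact input from the SQL injection demo so the difference in returned rows can be checked.

```python
import sqlite3

# Constructed sample data standing in for the Riches "location" table.
LOCATIONS = [("94404", "Foster City"), ("10005", "New York"), ("94123", "San Francisco")]


def make_db():
    """Build an in-memory table with the three valid zip codes used in the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE location (zip TEXT, city TEXT)")
    conn.executemany("INSERT INTO location VALUES (?, ?)", LOCATIONS)
    return conn


def find_locations_unsafe(conn, zip_code):
    """The 'before' form from LocationService: user input becomes part of the SQL text."""
    query = "SELECT zip, city FROM location WHERE zip = '" + zip_code + "'"
    return conn.execute(query).fetchall()


def find_locations_safe(conn, zip_code):
    """The remediated form: a bind parameter, equivalent to prepareStatement/setString in Java."""
    query = "SELECT zip, city FROM location WHERE zip = ?"
    return conn.execute(query, (zip_code,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    demo_input = "' or '1'='1"  # the value the Locations form demo asks you to enter
    print("unsafe, valid zip:  ", find_locations_unsafe(conn, "94404"))
    print("unsafe, demo input: ", find_locations_unsafe(conn, demo_input))  # every row comes back
    print("safe, demo input:   ", find_locations_safe(conn, demo_input))    # no row matches
```

With the bind parameter the demo input is compared literally against the zip column and matches nothing, which is the behaviour a rescan should confirm as no longer flagged.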

Page 16

Exercise 9: Issue Grouping

• Create a 2-level grouping (AWB): FISMA, then NIST 800-53

Page 17

Exercise 10: Audit and Suppress

• Audit all Insecure Randomness issues
  ▪ Add a comment to all related issues
• Suppress all Dead Code issues

Page 18

Exercise 11: Software Security Center Walk Through

1. Click on "Launch the Fortify SSC Server"
2. Open a web browser
3. Navigate to http://localhost:8180/ssc
4. Login information is in student_logins.txt on your Desktop. Log in as admin; the password is Workshop2017!

Page 19

Exercise 12: Create a New Application

• Click on "Launch the Fortify SSC Server"
• Open a web browser
• Navigate to http://localhost:8180/ssc
• Login information is in student_logins.txt on your Desktop. Log in as admin. Password is HPpass2017!
• Click Application
• Click New Application

New Application
• Name: Riches2
• Version: v9
• Development Phase: New

Page 20

Exercise 13: Upload FPR

• Launch AWB
• Open Results: Riches
• Click Tools > Upload Audit Project
  SSC URL: http://localhost:8180/ssc
  Username: admin
  Password: Workshop2017!
  Application: Riches2
• Click OK

Page 21

Exercise 14: Generate AWB Reports

• Launch AWB
• Open Results: Riches
• Click Tools > Generate BIRT Report: Developer Workbook
• Or: Click Tools > Generate Legacy Report and choose Fortify Security Report

Features
• New BIRT reporting engine
• Simple layout configuration
• Saves as DOC, HTML, PDF
• Synchronous

Page 22

Exercise 15: Generate SSC Reports

• Click on "Launch the Fortify SSC Server"
• Open a web browser
• Navigate to http://localhost:8180/ssc
• Login information is in student_logins.txt on your Desktop. Log in as admin. Password is HPpass2017!
• Click Reports
• Click New Report
• Pick any report and generate it

Features
• New BIRT reporting engine
• BIRT customizations
• Simple layout configuration
• Saves as XLS, HTML, PDF
• Asynchronous
• Dashboard, Portfolio and Application reports

Page 23

Enterprise Adoption Success Scorecard: The Only Questions You Really Need to Ask

• Do you have SSC stood up and operating properly?
• Are the FPRs of record for active development teams loaded at least once per week?
• Does your CISO and/or Application Development Director have a login?
• Does your CISO and/or Application Development Director log in to SSC and review the portfolio results at least once per month?
• Has your CISO and/or Application Development Director specified a remediation policy for Fortify findings?