HP Fortify Software Security Center User Guide Document Release Date: April 2017 Software Release Date: April 2015 Legacy User Interface


HP Fortify Software Security Center

User Guide

Document Release Date: April 2017 Software Release Date: April 2015

Legacy User Interface


Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2015 Hewlett Packard Enterprise Development LP

Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://protect724.hp.com/welcome

You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.


Contents iii

Preface ..... viii
  Contacting HP Fortify Support ..... viii
  For More Information ..... viii
  About the HP Fortify Software Security Center Documentation Set ..... viii
  Change Log ..... ix

Chapter 1: Introduction ..... 11
  About the Intended Audience ..... 11
  About Related Documentation ..... 11

Chapter 2: Getting Started with Software Security Center ..... 12
  About the Central Role of Software Security Center ..... 12
    Security Management Workflow ..... 13
  About User Accounts and Access ..... 13
    About Active Directory/LDAP Integration ..... 13
    Logging on to Software Security Center for the First Time ..... 14
    Requesting Access to HP Fortify Software Security Center ..... 14
    Changing Your Account Information ..... 14
  About the Software Security Center Dashboard ..... 15
    About Configuring Dashboard Preferences ..... 16
  Accessing HP Fortify Training Content ..... 19
  About the Runtime Tab ..... 19
    About Runtime Events ..... 20

Chapter 3: Managing User Accounts ..... 21
  About Software Security Center User Account Management ..... 21
    About Administrator Accounts ..... 21
    About Security Lead Accounts ..... 22
    About Manager Accounts ..... 23
    About Developer Accounts ..... 24
  Modifying Your User Account Information ..... 24
    About Customizing User Account Preferences ..... 24
    About Tracking Teams ..... 25
  About Roles ..... 25
    Creating Custom Roles ..... 26
  About Software Security Center Account Administration ..... 26
    Creating Local User Accounts ..... 27
    Registering LDAP Entities with Software Security Center ..... 28


Chapter 4: Software Security Center Projects and Project Versions ..... 30
  About Tracking Development Teams ..... 30
    About Projects and Project Versions ..... 30
    About Strategies for Creating Project Versions ..... 31
    About Annotating Project Versions for Reporting ..... 31
  Displaying the Projects Page ..... 32
    About Project Icons ..... 33
  About the Project Creation Process ..... 34
    About Project Version Types ..... 34
    About Project Dependencies ..... 34
    About Project Version Attributes ..... 34
    About Project Template Selection ..... 35
    About Process Templates for SSA Projects ..... 36
  About Creating Project Versions ..... 37
    Adding Project Versions ..... 37
  About Deleting Project Versions ..... 41
  About Using Bug Tracking Systems to Help Manage Security Vulnerabilities ..... 41
    About Bug Tracker Configuration ..... 41
    Configuring Bug Tracking for a Project Version ..... 41
    About Using State Management to File Many Issues ..... 42
    Submitting Exploitable Bugs in a Batch ..... 43
  Changing the Project Template Associated with a Project Version ..... 44
  About Project On-Boarding ..... 45
    Requesting Project Attribute Information ..... 45
  Setting Analysis Result Processing Rules for Project Versions ..... 47
  About Custom Tags ..... 49
    Viewing Custom Tags in Software Security Center ..... 49
    Adding Custom Tags ..... 50
    Modifying Custom Tag Attributes ..... 51
    Globally Hiding a Custom Tag ..... 52
    Deleting Custom Tags ..... 52
    Adding Custom Tag Values ..... 53
    Changing Custom Tag Values ..... 53
    Deleting Custom Tag Values ..... 53
    Associating Custom Tags with Project Templates ..... 54
    Viewing the Custom Tags Associated with a Project Template ..... 54
    Disassociating a Custom Tag from a Project Template ..... 55
    Associating Custom Tags with Project Versions ..... 55
    Disassociating a Custom Tag from a Project Version ..... 57
    Adding Custom Tag Values During Audits ..... 57


    Managing Custom Tags Through Project Templates ..... 57
    Managing Custom Tags Through a Project Template in an FPR File ..... 58
  About CloudScan in Software Security Center ..... 58

Chapter 5: SSA Project Version Requirements ..... 60
  About the Requirements Page ..... 60
  Displaying the Requirements Detail Page ..... 60
  About Process Requirements and Activities ..... 61
  About Activities, Requirements, and Process Templates ..... 62
    About SSA Project Sign Offs ..... 62
    About Sign-Off Personas ..... 62
    About Signing Off Activities ..... 62
    About Multi-Persona Sign Offs ..... 62
    About Signing Off Requirements ..... 63
    About Sign Off Process Templates ..... 63
  Assigning User Accounts to Personas ..... 63
    Assigning a Power User ..... 64
  About Process Template Work Owners ..... 64
    About Assigning Work Owners to Personas ..... 65
  About Software Security Center Persona Management ..... 65
    Viewing and Editing Personas ..... 66
    Creating Personas ..... 66
    Deleting Personas ..... 66
  Adding Tasks to Activities ..... 67
  About Adding Status Alerts to Requirements and Activities ..... 67
  About Working with Document Artifacts ..... 68

Chapter 6: Variables, Performance Indicators, and Alerts ..... 69
  About Working with Variables ..... 69
    About Variable Syntax and Search Strings and Search String Modifiers ..... 69
    Creating Variables ..... 72
  About Performance Indicators ..... 73
    Creating Performance Indicators ..... 73
  About Alert Definitions ..... 74
    Creating Alert Definitions ..... 74
    Setting Alert Notification Preferences ..... 75

Chapter 7: Collaborative Auditing ..... 76
  About Auditing ..... 76
    About Current Issues State ..... 76
    About Audit Conflicts ..... 76
  Starting the Collaboration Module ..... 77


  About Collaboration Module Display Modes ..... 78
  Auditing Issues with the Collaboration Module ..... 80
  About Searching Issues ..... 81
    About Search Modifiers ..... 82
    Search Query Examples ..... 84
  About HP Fortify Software Security Center and WebInspect Enterprise Integration ..... 85
    Viewing WebInspect Scan Results in Software Security Center ..... 85
    About WebInspect Audit Data ..... 88
    About False Positives ..... 88
    Requesting Dynamic Scans ..... 89
    Viewing the Status of the Last Dynamic Scan Request ..... 90
  Uploading Third-Party Results to Software Security Center ..... 91
    Mapping Scan Results to External Lists ..... 91

Chapter 8: Software Security Center Reports ..... 93
  About Software Security Center Issue Reports ..... 93
    About 2009, 2010, and 2011 CWE/SANS Top 25 Reports ..... 93
    About the Developer Workbook Report ..... 93
    About the DISA STIG 3, 3.4, 3.5, 3.7, and 3.9 Reports ..... 93
    About the FISMA Compliance: FIPS - 200 Report ..... 93
    About OWASP Mobile Top 10 Reports ..... 93
    About OWASP Top 10 Reports ..... 94
    About the PCI DSS Compliance: Application Security Report ..... 94
    About the Penetration Testing Correlation Report ..... 94
    About the Seven Pernicious Kingdoms Report ..... 94
    About the Vulnerability Report ..... 94
  About Software Security Center Portfolio Reports ..... 94
    About the Hierarchical Summary Report ..... 94
    About the Issue Trending Report ..... 95
    About the Key Performance Indicators Report ..... 95
    About the Security at a Glance Report ..... 95
  About Software Security Center Project Reports ..... 95
    About the Project Summary Report ..... 95
  About Software Security Center SSA Portfolio Reports ..... 95
    About the SSA Progress Report ..... 95
  About Software Security Center SSA Project Reports ..... 95
    About the SSA Project Summary Report ..... 95
  Generating and Viewing Reports ..... 96
  About BIRT Reports in Software Security Center ..... 96
    Preventing Destructive Libraries and Templates from being Uploaded to Software Security Center ..... 96
    About BIRT Libraries ..... 97


    Adding Resources to a BIRT Report Library ..... 97
    Customizing Software Security Center BIRT Reports ..... 97
    Acquiring the BIRT Report Designer ..... 98
  Exporting Report Definitions from Software Security Center ..... 98
  Importing Report Definitions into Software Security Center ..... 98

Appendix: Authentication Tokens ..... 100
  Generating Authentication Tokens ..... 100
  About Advanced Authentication Tokens ..... 100


Preface

Contacting HP Fortify Support
If you have questions or comments about using this product, contact HP Fortify Technical Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com

To Email
[email protected]

To Call Support
650.735.2215

For More Information
For more information on HP Enterprise Security Software products: http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HP ESP user community Protect724 website:
https://protect724.hp.com/welcome

You will need to register for an account.


Change Log
The following table lists changes made to this guide.

Software Release-Version: 4.30-01
Date: 03/06/2015
Change:
• Added: A caution to Preventing Destructive Libraries and Templates from being Uploaded to Software Security Center on page 96.
• Removed: References to the Software Security Center online Process Guide from About Related Documentation on page 11 and About the Software Security Center Dashboard on page 15. The Process Guide is not included in this release.
• Modified: Procedure described in Requesting Access to HP Fortify Software Security Center on page 14.
• Added: Several new reports to About Software Security Center Issue Reports on page 93.
• Added: Information about the Options field to Generating and Viewing Reports on page 96.
• Changed: The name of Appendix A: Authorization Tokens to Appendix: Authentication Tokens. Also changed all "authorization" token references to "authentication" token.
• Removed: Appendix B: Software Security Center Report Summaries.

Software Release-Version: 4.21-01
Date: 10/16/2014
Change:
• Modified: Procedure described in About the Software Security Center Dashboard on page 15.
• Modified: Procedure described in Accessing HP Fortify Training Content on page 19.
• Added: Submitting Exploitable Bugs in a Batch on page 43.
• Changed: Filter sets mentioned in About Collaboration Module Display Modes on page 78.

4.10-01 | 03/30/2014
• Changed: Validate button to Check button in the procedure described in Submitting Exploitable Bugs in a Batch on page 43.
• Changed: In About Configuring Dashboard Preferences, the procedure described for renaming a Dashboard page.
• Added: In Chapter 4, Software Security Center Projects and Project Versions, a note to the Adding Custom Tags and Modifying Custom Tag Attributes sections that advises against using database reserved words as custom tag names.
• Added: In Chapter 4, Software Security Center Projects and Project Versions, a note to the About Bug Tracker Configuration section about the need to enable the “Accept remote API calls” option if you use JIRA for bug tracking.
• Changed: All instances of “SecurityScope” to “WebInspect Agent.”
• Added: Information about the ReportToken token to Appendix: Authorization Tokens.
• Removed: Summary tables from Chapter 8, Software Security Center Reports and placed these in Software Security Center Report Summaries on page 104 (new appendix).

Chapter 1: Introduction
This guide provides all Software Security Center users with detailed information about how to use Software Security Center.

About the Intended Audience
This guide is intended for use by enterprise security leads, development team managers, and developers.

Software Security Center provides security team leads with a high-level overview of the history and current status of a project. Your security team can then ensure that both developers and auditors work effectively together to provide the best response to project issues.

Software Security Center provides auditors with a centralized facility for managing issues. If the manager needs to work offline or with the advanced tools that HP Fortify Audit Workbench offers, current project state and up-to-date auditing information are made available for download.

Managers can use Software Security Center to prioritize issues to reflect the needs of the enterprise. That prioritization can then be used to prioritize the activities of the project development team.

Developers are responsible for creating and maintaining one or more code bases that conform to secure coding practices. Software Security Center provides a focal point for managing and transmitting information about specific issues received from analysis agents to supported Integrated Development Environments (IDEs), or to standalone clients such as HP Fortify Audit Workbench. Developers can then use the project snapshots produced by Software Security Center to measure their progress through the Secure Development life cycle.

About Related Documentation
The following documents provide additional information about Software Security Center:
• HP Fortify Software Security Center Installation and Configuration Guide provides system and database administrators with complete instructions on how to install and configure Software Security Center server software.
• HP Fortify Software Security Center System Requirements provides system and database administrators with the minimum and recommended hardware and software requirements for installing and using Software Security Center server software.
• HP Fortify Software Security Center Release Notes document provides product information that is not included in the regular documentation set.
• What's New In HP Fortify Software Security Center and HP WebInspect Products contains information about features added to Software Security Center and HP WebInspect since their previous release.
• HP Fortify Software Security Center Process Designer User Guide contains information about how to use Process Designer to create and edit process templates for your HP Fortify Software Security Center projects.
For information about all of the guides in the Software Security Center documentation suite, see HP Fortify Software Security Center and WebInspect Products Documentation Set.
Chapter 2: Getting Started with Software Security Center
Software Security Center (SSC) is a browser-based product that provides a set of capabilities across the software development lifecycle to automate detection of security vulnerabilities in applications. It helps your security and development teams work together to resolve security flaws quickly and accurately by making correlated data from HP Fortify Static Code Analyzer (SCA), HP WebInspect, and HP Fortify Runtime Application Protection available through its online collaboration environment.

About the Central Role of Software Security Center
SSC provides a location for collecting, correlating, and exporting security analysis results. The SSC server resides in a central location and receives results from different security activities, such as static, dynamic, and real-time analyses.

SSC is designed to help you:
• Identify and prioritize a baseline of existing vulnerabilities
• Prevent new vulnerabilities from being introduced
• Remediate existing vulnerabilities and lower the baseline
• Ensure that your code is in compliance with internal and external security mandates

SSC works within your organization to answer the following questions:
• How do we drive the adoption of good application security practices?
• How do we get actionable results to development teams?
• Do we measure application teams on a team-by-team basis or as a unit?
• How do we track results over time?

Security Management Workflow
Figure 1 illustrates the flow of security management processes within SSC.

Figure 1: Security Management Workflow in Software Security Center

As scans are performed during development sprints, development teams submit periodic scan results from a continuous integration server into SSC. Security teams submit periodic results of a dynamic assessment into SSC.

SSC correlates and tracks the scan results and assessment results over time, and makes the information available to developers through the Audit Workbench web interface, or through IDE plugins such as the HP Fortify Plugin for Eclipse, the HP Fortify Package for Microsoft Visual Studio, and others. Users can also push issues into defect tracking systems, including HP ALM, JIRA, and Bugzilla.

About User Accounts and Access
SSC supports two methods of authentication:
• Local user accounts created within the interface
• Active Directory/LDAP accounts associated with standard corporate authentication (Active Directory/LDAP integration supports user assignment by group or organizational unit)

About Active Directory/LDAP Integration
Active Directory/LDAP integration enables SSC to authorize users based on their existing corporate credentials. In addition, assignment by group or organizational unit enables SSC to take advantage of the existing joiners/leavers processes. A new person who joins a group automatically has access to SSC. A person who leaves a group automatically loses access.

The SSC installer must configure the integration with the Active Directory/LDAP during installation. For detailed information, see the HP Fortify Software Security Center Installation and Configuration Guide.

Logging on to Software Security Center for the First Time
To log on to SSC, your SSC administrator must provide you with the URL for your instance, a username, and a password.

Note: If you do not yet have an SSC user account, you can request one from the administrator. For information, see Requesting Access to HP Fortify Software Security Center.

To log on to SSC for the first time:
1. To make sure that you access the newest version of the SSC user interface, clear your web browser’s cache.
2. In a web browser, type the URL for your SSC instance, as follows:
• If SSC is configured to use secure HTTP protocol, type the following URL:
https://<host_IP>:<port>/ssc/
where <port> represents the port number used by your application server.
• If SSC is configured to use insecure HTTP protocol (not recommended), type the following URL:
http://<host_IP>:<port>/ssc/
where <port> represents the port number used by your application server.
The default logon credentials for a new SSC installation are username “admin” and password “admin.” You must change your credentials at your first logon.
3. In both the Username and Password boxes, type admin.
4. Click Log in.
5. Change your credentials when SSC prompts you to do so.

Requesting Access to HP Fortify Software Security Center
If you do not yet have an SSC user account or if you have forgotten your username or password, you can request assistance by clicking the link on the SSC Login page.

To request access to SSC:
1. At the top of the SSC logon screen, click the Can’t access or need an account? link.
Note: The Can’t access or need an account? link is available only if your SSC administrator has enabled email notification.
The Having trouble accessing your account? dialog box opens.
2. Enter your email address and select one of the following options:
• I don’t know my password
• I don’t know my username
• I don’t have an account
3. Click Submit.
Your request is sent to the SSC administrator.

Changing Your Account Information
After you log on to Software Security Center, you can change your account information, including your password.

To change your account information:
1. On the right side of the Software Security Center banner, click the Account link.
The Modify Account dialog box opens.
2. To change your first name, your last name, or your email address, select the default value in the corresponding box, and then type a new value.
3. To change your password:
a. Click Change Password.
The Change Password dialog box opens.
b. In the Password box, type your existing password.
c. In the New Password box, type a new password.
d. In the Confirm Password box, re-type the new password.
e. Click Save.
4. To save all changes to your account, in the Modify Account dialog box, click Save.

About the Software Security Center Dashboard
After you log on to SSC, the Dashboard is displayed.

The SSC Dashboard pages display the pods listed in the following table (if corresponding data are available). These summarize various aspects of the SSC project versions and features to which you have access.

Pod | Description
Alert Notifications | A list of alert notifications that the user has chosen to receive.
Assigned Activities | Activities that the logged in user needs to perform.
Issues | A graph that depicts the status of issues in the system. The user can choose either Trend or Current Issues.
Audit Status | Shows the audit status, which includes a count of issues that have been audited and a measure of the activity level during the last seven days.
Project Inventory | Graphical display of project inventory grouped by specified attribute.
Project Security State | Graphical display of the state of projects (Not Started, In Progress, Awaiting Sign Off).
Requirement State | Graphical display of signed off project requirements.
Runtime Host Status | List of runtime hosts with their status.
Runtime Events | Graphical display of runtime events. The user can choose from Trend, Pie, and Column graphs.

About Configuring Dashboard Preferences
After you log on to Software Security Center, the Dashboard displays pages that contain pods. The pages are named “Page 1” through “Page n,” where n is the number of pages required to hold all of the pods. To change to a given page, click the Page <n> button.

Software Security Center Dashboard pages and pods are customizable. The following sections describe several methods you can use to configure your Dashboard preferences.

About Page Configuration Limits
The following limitations apply to Software Security Center Dashboard page configuration:
• If a page displays only one pod, and you move the pod off that page, the page is deleted.
• You cannot arbitrarily remove a page of pods.
• You can maximize only one pod across the entire set of pages.
• You cannot change page order.

Selecting the Pods to Display on the Dashboard
To select the pods to display on the Software Security Center Dashboard:
1. On the right side of the Software Security Center banner, click the Preferences link.
The Modify Preferences dialog box opens to the Dashboard tab.
2. In the Pods Displayed section, select check boxes for the pods you want to display and clear the check boxes for the pods you do not want to display.
3. Click Save.

Renaming a Dashboard Page
To rename a Dashboard page:
1. On the right side of the Software Security Center banner, click the Preferences link.
The Modify Preferences dialog box opens to the Dashboard tab.
2. In the Tab Names section, select the button label text for the page you want to rename, and then type the new name.
3. Click Save.

Moving Pods Between Pages
To move a pod to a different Dashboard page:
1. In the title bar of a pod, click the down arrow.
2. Select a page number or select Create New Page.
Note: If a page displays only one pod, the Create New Page item is not available. In this case, simply rename the page.

Selecting Project Versions to Display
1. On the right side of the Software Security Center banner, click the Preferences link.
The Modify Preferences dialog box opens to the Dashboard tab.
2. Click Project Versions.
3. Under Project Versions Displayed, select one of the following options:
• To display the last ten project versions, based on recent activity, leave Default selected.
• To open a list of the project versions currently displayed so that you can then modify that list, select Custom.
• To display all project versions, select All.
4. Click Save.

Removing a Project Version from Display in the Dashboard
To remove a project version from display in the Software Security Center Dashboard:
1. In the top right of the Dashboard, click Preferences.
The Modify Preferences dialog box opens to the Dashboard tab.
2. Under Project Versions Displayed, select the Custom option.
3. Select the project version name or names to remove, and then click Remove.

Adding Unlisted Project Versions to the Project Versions List
If a specific project version is not listed, and you want to add it to the project versions listed in the Modify Preferences dialog box:
1. On the Dashboard tab, click Project Versions.
2. Under Project Versions Displayed, select the Custom option.
3. Click Add.
The Select Project Versions dialog box opens.
4. To display all versions of a project, select the check box next to the project name.
Alternatively, to display specific project versions, select the check boxes next to the project version names.

Enabling and Disabling Email Alerts
To enable or disable email alert notifications:
1. In the top right of the Dashboard, click Preferences.
The Modify Preferences dialog box opens to the Dashboard tab.
2. Click the Alert Notifications tab.
3. Under Delivery Options, do one of the following:
• To disable email alerts, clear the Email Alert Notifications check box.
• To enable email alerts, select the Email Alert Notifications check box.
4. Click Save.

Receiving Runtime Alerts
To receive alert notifications of security events flagged by the runtime system as alerts:
1. In the top right of the Dashboard, click Preferences.
The Modify Preferences dialog box opens to the Dashboard tab.
2. Click the Alert Notifications tab.
3. Click Runtime Alerts, and then select the Receive Runtime Alert Notifications check box.
4. Click Save.

Configuring Date and Time Format
To specify the format of dates and times displayed in the Dashboard:
1. In the top right of the Dashboard, click Preferences.
The Modify Preferences dialog box opens to the Dashboard tab.
2. Click the Display tab.
3. From the Date Format list, select a format.

4. From the Time Format list, select a format.
5. Click Save.

Accessing HP Fortify Training Content
If your organization has licensed the use of content on the HP Fortify Enterprise Security University website, you can use the eLearning link in the Software Security Center Dashboard to access a library of self-paced application security training modules.

To go to the training site for HP Fortify products:
1. On the right side of the Software Security Center banner, click the eLearning link.
The HP Fortify Enterprise Security University website opens in a new browser tab.
2. Click LOGIN / LOGOUT.
3. If you have an account for the site, submit your credentials, and then follow the prompts to view and select courses of interest.
If you do not have an account for the site, click the Customers and Partners: Click here to create a new account link, and then follow the prompts to create a new account.
If you have an eLearning entitlement as part of your solution purchase, a Fortify Technical Support team member will send your account information to the contact provided in the request. If you do not have an eLearning entitlement, a Fortify Sales Representative will contact you.
After you log in to the HP Fortify Enterprise Security University, the site lists the training modules available for products in the HP Fortify suite.
4. Select a training module to open and complete it at your own pace.

About the Runtime Tab
HP Fortify Runtime Application Protection (Runtime Application Protection) is built on top of the HP Fortify runtime platform. Runtime Application Protection can run in either stand-alone or federated mode. In federated mode, multiple Runtime Application Protection hosts may be connected to Software Security Center, which acts as the runtime controller.

The Runtime Application Protection hosts send runtime events and logs to SSC, and SSC sends configuration and Rulepacks to the Runtime Application Protection hosts. This facilitates central configuration management. It also enables you to conduct performance event analysis across multiple Runtime Application Protection hosts, which you cannot do in stand-alone mode. For example, say you have multiple hosts serving up a single application, and you want to set up an alert that gets triggered after a given number of invalid logins are detected across the Runtime Application Protection hosts. Because the events are all federated across SSC, SSC can track the invalid logins across all Runtime Application Protection hosts.

Users who focus on the Runtime tab differ from those concerned with the Projects tab. Typically, the Development and the Security teams focus on the Projects tab because they are concerned with a project during its development. Operations teams focus on the Runtime tab because they are concerned with a product in deployment.
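The invalid-login example above is the reason federation matters for detection: an attacker spread across several hosts stays under each host's own threshold, and only the controller that sums the events sees the total. The following script is an added illustration and not Fortify code; it models that aggregation over a constructed event log (host names, application names, timestamps and the "Invalid Login" category string are all made up for the example) and contrasts the stand-alone per-host view with the federated view.

```python
"""Federated invalid-login alerting across several runtime hosts.

Added example, not part of the guide or of the Fortify product. It models the
scenario the guide describes: several Runtime Application Protection hosts serve
one application, and the controller counts invalid logins across all of them.
All event data below is constructed for the illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample event log: (timestamp, host, application, event category)
SAMPLE_EVENTS = [
    ("2015-04-01T10:00:05", "rt-host-1", "payroll", "Invalid Login"),
    ("2015-04-01T10:00:20", "rt-host-1", "payroll", "Invalid Login"),
    ("2015-04-01T10:00:31", "rt-host-2", "payroll", "Invalid Login"),
    ("2015-04-01T10:00:44", "rt-host-2", "payroll", "Invalid Login"),
    ("2015-04-01T10:00:52", "rt-host-3", "payroll", "Invalid Login"),
    ("2015-04-01T10:00:58", "rt-host-3", "payroll", "Invalid Login"),
    ("2015-04-01T10:00:59", "rt-host-1", "payroll", "SQL Injection"),  # other category
    ("2015-04-01T10:00:40", "rt-host-2", "billing", "Invalid Login"),  # other application
    ("2015-04-01T09:30:00", "rt-host-3", "payroll", "Invalid Login"),  # outside the window
]

WINDOW = timedelta(minutes=5)   # sliding window the threshold applies to
THRESHOLD = 5                   # alert when this many invalid logins fall in the window


def parse_events(rows):
    """Turn the raw tuples into dicts with real datetime objects."""
    return [
        {"ts": datetime.fromisoformat(ts), "host": host, "app": app, "category": cat}
        for ts, host, app, cat in rows
    ]


def invalid_logins_in_window(events, app, now_iso, window=WINDOW):
    """Invalid-login events for one application inside [now - window, now]."""
    now = datetime.fromisoformat(now_iso)
    start = now - window
    return [
        e for e in events
        if e["app"] == app
        and e["category"] == "Invalid Login"
        and start <= e["ts"] <= now
    ]


def per_host_alerts(events, app, now_iso, threshold=THRESHOLD):
    """Stand-alone mode: each host sees only its own events.

    Returns {host: count} for hosts that reach the threshold on their own.
    """
    counts = Counter(e["host"] for e in invalid_logins_in_window(events, app, now_iso))
    return {host: n for host, n in counts.items() if n >= threshold}


def federated_alert(events, app, now_iso, threshold=THRESHOLD):
    """Federated mode: the controller sums events from every host first.

    Returns (alert_fired, total_in_window).
    """
    total = len(invalid_logins_in_window(events, app, now_iso))
    return total >= threshold, total


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    now = "2015-04-01T10:01:00"
    # Two attempts per host never trip a per-host threshold of 5 ...
    print("per-host alerts:", per_host_alerts(events, "payroll", now))
    # ... but the six attempts seen together at the controller do.
    print("federated alert:", federated_alert(events, "payroll", now))
```

The two functions share one filter so the only difference between them is where the counting happens; that is the property the guide attributes to federated mode, and it is also why a per-host threshold alone is a weak control for anything that can be distributed across a load-balanced pool.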

If both of the following are true, then your SSC installation includes a Runtime tab:
• Your HP Fortify license file enables you to run Runtime Application Protection.
• The system administrator who installed SSC explicitly enabled SSC to communicate with Runtime Application Protection.
For information about how to use the Runtime tab, see the HP Fortify Runtime Application Protection Operator Guide.

About Runtime Events
Events are occurrences in the system that are of particular interest. As events are tracked, they are displayed on the Runtime tab in Software Security Center, which is automatically refreshed as events occur. You can view events in different ways in the several charts available in Software Security Center.

You can search on any event attribute. For example, if you specify the search criterion “Category Contains SQL,” the Runtime tab lists all events in the SQL injection category.

You can also export events resulting from a search as an event log in the same format that you would get from a stand-alone Runtime Application Protection instance. You can then import that event log into a project version where the events become Runtime Application Protection issues.

Chapter 3: Managing User Accounts

About Software Security Center User Account Management
In accordance with secure deployment guidelines, the HP Fortify Software Security Center Installation and Configuration Guide directs the primary system administrator of a new installation of Software Security Center to create a non-default Administrator-level account, and then to delete the default admin account. The non-default SSC Administrator account is used to create additional SSC user accounts.

Software Security Center supports the following four default user accounts, in order of descending level of privilege:
• Administrator
• Security Lead
• Manager
• Developer
The following sections provide information about each of these account types.

For information about managing Software Security Center personas, see About Software Security Center Persona Management on page 65.

This section contains information about Software Security Center roles, user account administration, and how to register AD/LDAP entities with Software Security Center.

About Administrator Accounts
Users who have Administrator accounts have complete access to all Software Security Center user and project version data and can manage the entire Software Security Center system. Only users who have Administrator accounts can create, edit, or delete other user accounts.

HP Fortify recommends that you create only the Administrator-level accounts necessary to create and edit local or LDAP Software Security Center user accounts. The Security Lead and lesser accounts can perform all other project-related activity.

Software Security Center permits the explicit addition of Administrator-level accounts to project versions. This enables Administrator users to be assigned issues from the Software Security Center Collaboration Module.

About Security Lead Accounts
Use Security Lead accounts to perform overall administration of one or more project versions, including the Managers and Developers assigned to collaborate on those project versions. Table 1 summarizes the read (view) and write (create or modify) privileges available to a Security Lead account.

Table 1: Summary of Security Lead Account Read (R) and Write (W) Privileges

Functional Area | R | W | Comments
Access, to project versions | X | X | Project versions the Security Lead created or to which the Security Lead account is assigned
Alerts | X | X |
Artifact, Documents | X | X |
Artifact, FPR | X | X |
Event Log | X | | View all event logs
Performance Indicators | X | X |
Personas | X | X |
Process templates | X | X | Create, update, and re-sort
Project templates | X | X | Upload, download, and delete
Project versions | X | X | Create, manage assigned
Reports | X | X | Add, edit, or delete report definitions
Rulepacks | X | X | Import or delete
Template Assignment Policies | X | X |
Users: local and LDAP | X | | Only Administrator accounts can create or edit users
Variables | X | X |

About Manager Accounts
With a Manager account, you can manage the secure development of the Software Security Center project versions to which you are assigned and perform tasks such as assigning one or more Developer accounts to the project version. Table 2 summarizes the read (view) and write (create or modify) privileges for a Manager account.

Table 2: Summary of Manager Account Read (R) and Write (W) Privileges

Functional Area | R | W | Comments
Access, to project versions | X | X | Project versions to which the user is assigned
Alerts | X | X | Create for assigned project versions
Artifact, Documents | X | X |
Artifact, FPR | X | X |
Event Log | X | | View events for assigned project versions only
Performance Indicators | X | |
Personas | X | |
Process templates | X | X | View all, update for assigned project versions
Project templates | X | |
Project versions | X | X | Delete or retire only assigned project versions
Reports | X | X | View or generate reports
Rulepacks | X | X | Export
Template Assignment Policies | X | |
Users: local and LDAP | X | | Only Administrator accounts can create or edit users
Variables | X | X |

About Developer Accounts
With a Developer account, you can perform secure development tasks for the Software Security Center project versions to which you are assigned. Table 3 summarizes the read (view) and write (create or modify) privileges for a Developer account.

Table 3: Summary of Developer Account Read (R) and Write (W) Privileges

Functional Area | R | W | Comments
Access, to project versions | X | | For project versions to which the user is assigned
Alerts | X | X | Create for assigned project versions
Artifact, Documents | X | X |
Artifact, FPR | X | X | View, comment, audit
Event Log | X | | View events associated with assigned project versions
Performance Indicators | X | |
Personas | X | |
Process templates | X | X | View all, update for assigned project versions
Project templates | X | |
Project versions | X | | View only assigned
Reports | X | | View or generate reports
Rulepacks | X | |
Template Assignment Policies | X | |
Users, local and LDAP | | | Administrator accounts only
Variables | X | | Validate variable search strings

Modifying Your User Account Information
Any Software Security Center user can modify all of his own account settings, except his assigned role.

To modify your Software Security Center account settings:
1. In the upper right of any Software Security Center window, click Account.
The Modify Account dialog box opens.
2. Modify your account information, and then click Save.

About Customizing User Account Preferences
You can use the Software Security Center Dashboard Preferences dialog box to customize some user account preferences, such as the format for displaying dates in Software Security Center. For more information about how to customize user preferences, see About Configuring Dashboard Preferences on page 16.

About Tracking Teams
As an administrator or security lead, you need access to information that enables you to track and monitor your team’s progress and ensure that good application security practices are in place and followed. Software Security Center provides a central point for guiding the adoption of good security practices. By understanding how information is tracked and reported, you can accurately measure development team progress based on application security standards.

About Roles
Roles determine the actions a user can perform in Software Security Center. Table 4 lists the pre-configured roles you can assign to users in Software Security Center.

For more fine-grained control over user access to Software Security Center functionality, you can create custom roles and assign them permissions within the Software Security Center interface. For instructions on how to create a role, see Creating Custom Roles on page 26.

Table 4: Software Security Center Roles

Administrator
Has full access to the system and all results.

Application Security Tester
Performs tasks required to execute dynamic scan requests, including:
• View project versions
• View and generate reports
• Process dynamic scans
• Upload scan results
• Audit issues

Developer
Developer responsible for producing security results and taking action to triage or remediate security issues. For a complete list of Developer permissions, see Table 3.

Manager
Responsible for guiding developers to work on results. Managers cannot create projects but can grant or revoke access to their team members. For a complete list of Manager permissions, see Table 2.

Security Lead
Security team member who can create project versions and users. For a complete list of Security Lead permissions, see Table 1.

View Only
Can view results, but cannot interfere with the issue triage or the remediation process. Example users: system automation account or temporary auditor.

WebInspect Enterprise System
Can connect a WebInspect Enterprise instance to Software Security Center and retrieve issue audit information. This role is intended for use only by a WebInspect Enterprise instance.

Creating Custom Roles
Use the procedure in the following section to define roles of your own and assign them permissions.

To define and configure permissions for a new role:
1. Log on to Software Security Center as an Administrator.
2. Click the Administration tab.
3. In the Administration panel on the left, under System, click Roles.
4. In the Roles panel on the right, click Add.
The Create Role dialog box opens.
5. Provide the information described in the following table.

Field (* Required field) | Description
*Name | Role name
Description | Role description
Universal Access | To assign the new role access to all project versions and runtime applications, select this check box. Note: HP Fortify strongly recommends that you select universal access only for administrator-level users.

6. To add permissions (specify the functional areas available to users in that role), click Add.
The Add Permissions dialog box opens.
7. In the Name column, select the check boxes that correspond to the permissions that you want to grant to the new role.
Note: The Add Permissions dialog box provides a search feature that you can use to search for permissions based on search conditions that you specify.
8. Click OK.
9. In the Create Role dialog box, click Save.
If the role and permissions you selected do not conflict, then you are returned to Software Security Center. Software Security Center checks permissions to guard against states that are known to be incompatible.
10. Click Save.
The Role: <Role_Name> screen displays detailed information about the new role.

About Software Security Center Account Administration
Only users who have Administrator accounts can create new user accounts and edit information for existing accounts. Use Administrator accounts to manage the Software Security Center system. HP Fortify recommends that you create only the Administrator-level accounts necessary to create and edit local or LDAP Software Security Center user accounts. The Security Lead and lesser accounts can perform all other project-related activities.

Software Security Center permits the explicit addition of Administrator-level accounts to project versions. This enables Administrator users to be assigned issues from the Software Security Center Collaboration Module.


Creating Local User Accounts

Software Security Center Administrator-level accounts can add new local user accounts to the list of SSC users.

To create a Software Security Center user account:

1. Log on to Software Security Center as an Administrator.
2. Click the Administration tab.
3. In the Administration panel on the left, in the System section, click Users.
4. In the Local Users panel on the right, click Add. Software Security Center displays the Create User panel.
5. Provide the information listed in the following table.

Field or Check Box: Description
Username: Username for Software Security Center logon.
First Name: First name of user.
Last Name: Last name of user.
Email: Email address of user.
Role(s): To select the role or roles to assign to the user, click Add, and then select the check boxes that correspond to the roles you want to assign.
Suspended: User is not authorized to use Software Security Center.
Password: Default password for the new user.
Confirm Password: Default password for the new user.
User must change password at next login: Select this check box to require the user to change the password at the next log-on to Software Security Center.
Password never expires: Select this check box to allow the user to use the originally assigned password until he or she wants to change it. To require the user to change his or her password every thirty days, leave this check box cleared.


6. Do one of the following:
• To save your settings and exit the Create User panel, click Save.
• To save your settings and display a new instance of the Create User panel, click Save and Create Another.

Software Security Center adds the user account to the list of users.

Registering LDAP Entities with Software Security Center

Users who have Administrator-level accounts can add LDAP groups, organizational units, and users to the list of Software Security Center users. Software Security Center automatically updates access control as users join and leave groups.

To register an LDAP organizational unit, group, or user with Software Security Center:

1. Log on to Software Security Center as an Administrator, and then click the Administration tab.
2. In the Administration panel on the left, in the System section, click LDAP.
3. In the LDAP Entities panel on the right, click Add. Software Security Center displays the Register LDAP Entity panel.
4. In the Register LDAP Entity panel, in the LDAP Entity list, select the type of LDAP entity to register.
5. In the Name field, type the Software Security Center account name, and then click the Search icon to validate that the entry exists in the LDAP server. To search for a name, in the Name box, type a search string, and then click the search tool.
6. In the Role(s) box, you can assign a role predefined by Software Security Center or a role you have already created for the selected LDAP entity.


7. Click Add.
8. Select Role(s) from the Select Role dialog box, and then click OK.
9. Click Save.

Software Security Center adds the entity to its list of users. To learn how to specify the LDAP server, see the HP Fortify Security Center Installation and Configuration Guide.


Chapter 4: Software Security Center Projects and Project Versions

This chapter provides information about projects and project versions. It contains instructions for viewing and creating projects, configuring project attributes, assigning project templates, and more.

About Tracking Development Teams

As an administrator or security lead, you need access to information that enables you to track and monitor your team’s progress and ensure that good application security practices are in place and followed. Software Security Center provides a central point for guiding the adoption of good security practices. By understanding how information is tracked and reported through projects and project versions, you can accurately assess development team progress based on application security standards.

About Projects and Project Versions

To obtain consistent measurement results in Software Security Center, you define a project for a single code base. Software Security Center organizes the iterative development and remediation of code bases into projects and project versions.

• A project is an application or code base that serves as a container for one or more project versions. If you are working with a new code base, you create a new SSC project. SSC automatically creates the first version of that project.
• A project version is an instance of the application or code base that will eventually be deployed. It contains the data, auditing, and project attributes for a particular version of the project code base. If you are working with an existing project code base, you create new project versions rather than new projects.

A project version is the base unit for team tracking. It provides a destination for security results that is useful for getting information in front of developers and producing reports and performance indicators. Code analysis results for a project version are tracked as follows:

Existing analysis results + New scan results = Trending results

• Existing analysis results: the results of any previous security analysis from HP Fortify Static Code Analyzer, WebInspect, or another analyzer.
• New scan results: Software Security Center analysis processing rules verify that the new scan is comparable to the older scan. The new scan is then merged with the existing results (from the same analyzer used to perform this scan), which marks resolved issues, identifies new issues, and keeps unchanged issues.
• Trending results: identify the security issues that have been fixed and those that remain.
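The merge described above, as an added example that is not HP Fortify's own code: findings are matched by a stable instance id, only results from the analyzer that produced the new scan take part in the merge, and results from other analyzers are carried forward untouched. The analyzer names and all issue data are constructed for illustration.

```python
# Added example, not HP Fortify code: merging a new scan into a project
# version's existing results to produce trending results. Issues are matched
# by instance id within one analyzer; other analyzers' results are kept as-is.
# All issue data below is constructed for illustration.
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Issue:
    instance_id: str   # stable id the analyzer assigns to a finding
    analyzer: str      # "SCA" or "WebInspect" (constructed labels)
    category: str
    location: str      # file or URL
    line: int = 0


@dataclass
class MergeResult:
    new: List[Issue] = field(default_factory=list)        # not in existing results
    unchanged: List[Issue] = field(default_factory=list)  # present before and now
    resolved: List[Issue] = field(default_factory=list)   # on record, absent now
    carried: List[Issue] = field(default_factory=list)    # other analyzers, not merged

    def trending(self) -> List[Issue]:
        """Everything still open after the merge; resolved issues drop out."""
        return self.new + self.unchanged + self.carried


def is_comparable(new_scan: List[Issue], analyzer: str) -> bool:
    """Stand-in for an analysis processing rule: a scan is merged only against
    results of the same analyzer, so it must not mix analyzers."""
    return all(issue.analyzer == analyzer for issue in new_scan)


def merge_scan(existing: List[Issue], new_scan: List[Issue], analyzer: str) -> MergeResult:
    if not is_comparable(new_scan, analyzer):
        raise ValueError("new scan is not comparable with existing %s results" % analyzer)
    result = MergeResult()
    previous = {i.instance_id: i for i in existing if i.analyzer == analyzer}
    seen_now = {i.instance_id for i in new_scan}
    for issue in new_scan:
        # A known instance id means the issue is unchanged; the newer copy is
        # kept so that location and line data reflect this scan.
        if issue.instance_id in previous:
            result.unchanged.append(issue)
        else:
            result.new.append(issue)
    result.resolved = [i for i in previous.values() if i.instance_id not in seen_now]
    result.carried = [i for i in existing if i.analyzer != analyzer]
    return result


# Constructed sample: two SCA findings and one WebInspect finding on record,
# then a fresh SCA scan in which A1 is gone, A2 moved two lines, and A3 is new.
EXISTING = [
    Issue("A1", "SCA", "SQL Injection", "Login.java", 42),
    Issue("A2", "SCA", "Cross-Site Scripting", "View.jsp", 10),
    Issue("W1", "WebInspect", "Cross-Site Scripting", "/search", 0),
]
NEW_SCA_SCAN = [
    Issue("A2", "SCA", "Cross-Site Scripting", "View.jsp", 12),
    Issue("A3", "SCA", "Path Manipulation", "Files.java", 88),
]


def demo() -> MergeResult:
    return merge_scan(EXISTING, NEW_SCA_SCAN, "SCA")


if __name__ == "__main__":
    r = demo()
    for label, issues in (("new", r.new), ("unchanged", r.unchanged),
                          ("resolved", r.resolved), ("carried", r.carried)):
        print(label, [i.instance_id for i in issues])
```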


About Strategies for Creating Project Versions

As a Security Lead or Development Manager, you might choose to create a project version that allows you to track vulnerabilities within deployed applications. Security vulnerabilities often occur in areas of code where different components come together. Although teams may work on different components, it is a good practice to track the entire software component as one piece. As an example, suppose that a text manipulation library is safe on its own, and a file access library is safe on its own. The combination of the text manipulation library and file access library is not necessarily safe, because one may not know the origin of the text being processed.

About Strategies for Packaged Software

For software that ships or is deployed as a concrete version, you might use the following strategies:
• If you are creating a brand new application, start a new project.
• Create a single project version for each release. For example, the Security Lead or Development Manager may mark past versions as inactive within Software Security Center to archive results and remove them from the basic view.
• If you are working on an existing application with an evolving code base, create a project version based on an existing version. For example, Project A has several versions. Each new version is initiated based on the results of the previous version. Each successive version is just evolved code (versus a complete rewrite).

About Strategies for Continuous Deployment

For applications using continual deployment, running HP Fortify scans with the -build-label xxxx flag enables you to identify which source control checkout was scanned (where xxxx represents the ID from your version control system). Relating scans to source control checkouts improves your ability to determine when individual issues were introduced and remediated.

About Annotating Project Versions for Reporting

Software Security Center provides a set of project attributes that you can apply to individual project versions. You can use these project attributes to group project versions for reporting, or to associate project versions with external systems. A base set of project attributes is provided within the Software Security Center system. Administrators can customize the attribute set for the organization. Sample customizations can help organizations track onboarding progress by application ID, line of business, business unit, or regulatory compliance obligations.


Displaying the Projects Page

Software Security Center projects are at the center of the Software Security Center’s powerful cross-project analysis and reporting capabilities.

To view a list of all SSC projects:
• From the SSC dashboard, click the Projects tab.


About Project Icons

Table 5 lists the icons used to show project status on the Software Security Center Projects tab.

For a conceptual orientation to the creation of a new Software Security Center project, proceed to About the Project Creation Process on page 34.

Table 5: List of Projects Type and Status Icons

Icon category: Description
Project type: Project version is of type Basic Remediation
Project type: Project version is of type SSA
Project state: Project version not started: No activities completed
Project state: Project version in progress: At least one activity has been completed
Project state: Project version is unfinished
Project state: Project version requires attention: An activity must be performed
Sign-off state: Awaiting sign-off
Sign-off state: Signed off with exemption
Sign-off state: Signed off


About the Project Creation Process

After you log on to Software Security Center and start to add a new project (see About Creating Project Versions on page 37), the Create Project Version wizard displays the following sequence of steps:
• Project Version page
• Dependencies page
• Business Attributes page (customizable)
• Technical Attributes page (customizable)
• Project Template page (or Process Template, depending on the type of project version you create)

Each step presents the team members responsible for creating a Software Security Center project version with one or more strategic choices. After the team agrees upon and makes their selections, the security lead can click Finish to complete the project creation process. Typically, the security team evaluates and decides on all the project options before they actually start to create the project. The following sections describe the options displayed on the five project creation wizard screens.

About Project Version Types

Software Security Center supports the following two types of project versions:
• Basic remediation project versions require you to select a project template but do not support process templates. Process templates are hierarchical constructions of requirements and activities that help you to manage and track risk mitigation activities performed during project development.
• SSA project versions differ from basic remediation project versions in that they support process templates. (When you create a new SSA project version, Software Security Center suggests a process template.)

About Project Dependencies

Project dependencies are optional project attributes that you can edit after a project version is finished. Use the Project Dependencies panel to do the following:
• Identify previously created project versions that affect the completion or status of this project
• Enable interdependent projects to be grouped, managed, and reported across project boundaries on the basis of dependencies

About Project Version Attributes

Basic remediation and SSA project version types have both business attributes and technical attributes. The business and technical project attributes are metadata that Software Security Center uses to:
• Perform cross-project comparisons and reporting
• Assign process templates to SSA projects

When you create a new project version, the Create Project Version wizard guides you through the selection of required and optional business and technical project attributes. Neither the basic remediation nor the SSA project version type can be finished until you select values for all required attributes. For example, to create a project version, you must specify values for the following attributes:
• Business unit
• Development phase
• Development strategy
• Accessibility


Table 6 lists the default set of Software Security Center project version attributes for basic remediation and SSA project version types. Note that this list does not include custom attributes that a Software Security Center administrator may have added to the system.

About Project Template Selection

Software Security Center project templates provide HP Fortify client and server products an optimal means of categorizing, summarizing, and reporting project data. Project templates also enable the application of customized project settings at the enterprise level and not just at the project level.

Both basic remediation and SSA project versions support project templates, but differ in their support of process templates. Basic remediation projects require that you choose a project template, but do not support process templates. SSA projects require that you select a process template. Based on the process template you select, Software Security Center then assigns the optimal project template to the SSA project.

Although you can change the project template for a basic remediation project after you finish creating the project, your security team must carefully consider its choice of project template before completing the project creation process.

For SSA projects, there is a direct connection between the process template selected and the project template Software Security Center assigns to the project. You can only modify that process-project template relationship using the HP Fortify Software Security Center Process Designer. For information about how to use the Process Designer, see the HP Fortify Software Security Center Process Designer User Guide.

Table 6: Default Software Security Center Project Version Attributes

Attribute category and attributes (default set; *Required), with the project version types (Basic Remediation, SSA) that support each:

Business Attributes (Basic Remediation: X; SSA: X)
• Business Risk
• Known Compliance Obligations
• Data Classification
• Project Classification
• *Business Unit

Technical Attributes (Basic Remediation: X; SSA: X)
• *Development Phase
• *Development Strategy
• *Accessibility
• Project Type
• Target Deployment Platform
• Interfaces
• Development Languages
• Authentication System

*Project template (Basic Remediation: X; SSA: Assigned by the process template)

Process template (Basic Remediation: Not available in basic remediation projects; SSA: X)


About Process Templates for SSA Projects

One of the most important steps in the creation of an SSA project version is the choice of a process template. Only Software Security Center SSA projects support process templates. Process templates guide the Secure Development team through the various requirements and activities needed to fulfill the enterprise’s secure development standards. The requirements and activities must be completed, or exempted from completion, in order to fulfill the secure development process.

If you prefer to use a non-default process template, a good strategy is to choose a template that has stricter requirements than are actually required, and then exempt those activities that do not apply to that project’s security requirements.

Software Security Center uses the choice of process template to determine the best project template to assign to the project version. The project template optimizes the categorization, summarization, and reporting of the project version’s data.

Regardless of which process template you choose, you cannot change that choice after the project creation process is completed. For that reason, the security team should carefully consider its choice of process template before finishing the project creation process.

The following sections provide instructions for performing the following tasks:
• Creating projects and project versions
• Specifying dependent project versions
• Selecting a project version type
• Configuring project version attributes
• Assigning project and process templates to a project version


About Creating Project Versions

You can create a new Software Security Center project version that is based on an existing project or on a new project. This section provides instructions for each method. Before you start to create the Software Security Center project version, review the information under About the Project Creation Process on page 34.

Adding Project Versions

To create a project version based on an existing project:

1. Log on to Software Security Center as either an Administrator or Security Lead.
2. To open the Create Project Version wizard, click the Projects tab, and then click Add.
3. On the Project Version page, provide the information listed in the following table.

Field: Description
Use Existing: Since you are working with a logical continuation of an existing code base, leave this option selected.
Project: From this list, select the name of an existing project.
Copy From: Select this check box to copy settings and data from the previous version of the selected project. In addition to the project version attributes, you can copy the custom tags, analysis processing rules, user assignment, bug tracker, or current state HP Fortify project results. After you select the check box, this section expands to reveal a project version list and the categories of information to be copied. From the list to the right of the Copy From check box, select the project version that has the attributes you want to copy to the new project version. To exclude a category of information from being copied to the new version, clear its check box.
Name: In this box, type the version name. The wizard uses the project name and appends the version number to it automatically.
Description: (Optional) In this box, type a description of the new project version.
Basic Remediation Project: Select this option to create a Basic Remediation Project type project version. For information about how to select a project version type, see About Project Version Types on page 34.
SSA Project: Select this option to create an SSA type project version. For information about how to select a project version type, see About Project Version Types on page 34.

4. To finalize the project definition later, click Finish Later. To continue, click Next. The Dependencies page opens.
5. To specify optional dependent project versions for the new project version:
a. Click Add. The Add Dependent Project Version dialog box lists all Software Security Center project versions.
b. Select one or more project versions that affect the secure development of the project, and then click Save. (Use the CTRL and SHIFT keys to select multiple versions.)


6. Click Next.
7. On the Business Attributes page, do the following:
a. If email notification has been configured for your Software Security Center instance, and you want to request attribute information for the project from another team member, click Send Attribute Information Request. Software Security Center prompts you to supply the email address for the individual to whom the request is to be sent.
b. Configure the business attributes for the project version.
Note: Because default values are selected for each list on the Business Attributes page, make sure that you actively select the values for each field.
8. Click Next.


The Technical Attributes panel opens.

9. Configure the technical attributes for the project.
10. Click Next.
11. On the Project Template (or Process Template) page, do one of the following:
• If you are creating a new basic remediation project version, from the Template list, select a project template.
• If you are creating a new SSA project version, select a process template. Software Security Center uses the project attributes to recommend a process template, and then displays the recommended choice as the default selection in the list of process templates. Software Security Center assigns a project template to the new project version based on your choice of process template.
12. Click Finish.

If you created a new project, Software Security Center adds the new project to the list of projects; the new project contains its initial project version. If you created a new project version, Software Security Center adds the new project version to its parent project.

To display unfinished or inactive project versions, on the Projects tab, select the Show Inactive Versions check box. The default is to display all active project versions. To designate a project version as inactive, clear the Active check box in the Edit Project Versions dialog box.


About Deleting Project Versions

You cannot directly delete a project in Software Security Center. A project is removed automatically only after all of its versions are deleted. If you are assigned the Administrator role in Software Security Center, you can delete any project version. If you are in the Security Lead or Manager role, then you can delete any project version to which you are assigned.

About Using Bug Tracking Systems to Help Manage Security Vulnerabilities

Developers fixing software defects often use a bug tracking system to help manage their workload. Security vulnerabilities are a type of bug, and getting vulnerability information into the bug tracking system helps developers take appropriate remediation measures, in line with other development activities. The result is more security awareness and faster remediation of security issues.

From Software Security Center, you can map to any of several bug tracking systems, so that your development team can file bugs into the bug tracking system you already use. When a developer files a bug, Software Security Center populates bug tickets with the following basic vulnerability information:
• Details that describe the type of issue uncovered
• Remediation guidance, with instructions on the action to take
• A link back to Software Security Center for complete issue details

About Bug Tracker Configuration

To enable a team to access and use a bug tracking system from Software Security Center, a security lead or development manager must configure Software Security Center to connect to a bug tracker instance. Either the developer or security lead can then submit tickets to address important security issues.

If you are a security lead or development manager, you can enable team access to your bug tracking system as follows:
• Edit the project version details
• Configure the bug tracker

Important: If you are using JIRA, you must make sure that the Accept remote API calls option is enabled.

Configuring Bug Tracking for a Project Version

For a given project version, you can specify a bug tracker to use to submit bugs against the version and, optionally, enable batch bug submission and bug state management. The batch bug submission feature allows you to filter issues for a given project version based on selection criteria and attribute groupings, and then file a bug for the entire group of issues instead of filing a bug for each individual issue.

If batch bug submission is enabled for a project version, you can also enable bug state management. Bug state management allows Software Security Center to make specific updates to bugs as the states of the issues within those bugs change. (For information about batch bug submission, see About Using State Management to File Many Issues on page 42.)


To configure bug tracking for a project version:

1. Log on to Software Security Center as an administrator, a security lead, manager, or a developer.
2. Click the Projects tab.
3. From the list of project versions on the left, select the project version for which you want to configure bug tracking.
4. Click Edit. The Edit Project Version dialog box opens.
5. Click the Bug Tracker tab.
6. From the Bug Tracker list, select the bug tracker to use to file bugs against the project version.
7. Complete any required fields.
8. To test the bug tracker connection to Software Security Center:
a. Click Test.
b. In the Test Bug Tracker Configuration dialog box, type your bug tracker authentication credentials, and then click Test.
9. If you do not want to enable batch bug submission and possibly bug state management for this project version, click Save. If you want to enable batch bug submission and possibly bug state management, see About Using State Management to File Many Issues.

About Using State Management to File Many Issues

The combined analysis techniques of HP Fortify Static Code Analyzer and HP WebInspect can produce a high volume of issues that can be assigned and tracked in aggregate. Filing issues in batches enables developers or security leads to group issues into closeable units to avoid overloading the bug tracking system.

Your selection criteria for batch bug tracking specify how the system determines which security findings to file and manage as bugs. The default selection criterion is “Analysis: Exploitable” (issues with the custom tag Analysis value set to Exploitable) to focus on issues that have been manually reviewed and prioritized.

Decide upon a grouping strategy. Decide how all issues that match your selection criteria are to be grouped together to prevent a potentially large number of them becoming individual (granular) bugs. The default grouping strategy of “Category, File” enables teams to assign and track bugs such as “Fix all <vulnerability_name> in <file_name>” instead of tracking groups that are too general (such as “Fix all security issues”) or too granular (“Fix the line of code at ##”).

After filing the issues, development teams typically run scans through Static Code Analyzer and WebInspect. Software Security Center merges the scan results (as described in About Projects and Project Versions on page 30) and updates the bug, as follows:
• If the scan results indicate that one or more security issues associated with the bug are still present (and match the selection criteria), Software Security Center checks the bug tracking system to ensure that the bug is in a valid open state and, if necessary, reopens the bug.
• If all issues associated with a bug are removed (either because the issues were remediated or no longer match the selection criteria), Software Security Center updates the bug to indicate that stakeholders may resolve or close this ticket. To enable auditing and traceability, Software Security Center does not automatically resolve or close bugs.
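The batch filing and bug state management rules above, as an added example that is not HP Fortify's own code: issues matching the default selection criterion (custom tag Analysis = Exploitable) are grouped by the default strategy (Category, File) into one bug per group, and after a later merged scan each bug is either kept open, reopened, or flagged for stakeholders to close, never closed automatically. The tracker state names, tag values and all issue data are assumptions constructed for illustration.

```python
# Added example, not HP Fortify code: batch bug submission and bug state
# management in miniature. Tracker states, tag names and all issue data are
# constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SELECTION_CRITERIA = {"Analysis": "Exploitable"}   # default: [Analysis]:exploitable
GROUPING_STRATEGY = ("category", "file")           # default: Category, File Name
OPEN_STATES = {"Open", "Reopened", "In Progress"}  # constructed "valid open" states


@dataclass
class Issue:
    instance_id: str
    category: str
    file: str
    tags: Dict[str, str] = field(default_factory=dict)  # custom tag values


@dataclass
class Bug:
    key: Tuple[str, ...]       # grouping key, e.g. ("SQL Injection", "Login.java")
    title: str
    issue_ids: Set[str]
    state: str = "Open"        # state as last read from the bug tracker
    ready_to_close: bool = False


def matches(issue: Issue, criteria: Dict[str, str] = SELECTION_CRITERIA) -> bool:
    """Selection criteria: every listed custom tag must hold the given value."""
    return all(issue.tags.get(tag) == value for tag, value in criteria.items())


def batch_submit(issues: List[Issue], criteria=SELECTION_CRITERIA,
                 strategy=GROUPING_STRATEGY) -> List[Bug]:
    """File one bug per group ("Fix all <category> in <file>"), not one per issue."""
    groups: Dict[Tuple[str, ...], Set[str]] = defaultdict(set)
    for issue in issues:
        if matches(issue, criteria):
            groups[tuple(getattr(issue, attr) for attr in strategy)].add(issue.instance_id)
    return [Bug(key=key, title="Fix all " + " in ".join(key), issue_ids=ids)
            for key, ids in sorted(groups.items())]


def manage_bug_states(bugs: List[Bug], merged_issues: List[Issue],
                      tracker_states: Dict[str, str],
                      criteria=SELECTION_CRITERIA) -> List[Tuple[str, str]]:
    """Apply the state management rules after a new merged scan and return
    the (action, bug title) pairs taken."""
    still_matching = {i.instance_id for i in merged_issues if matches(i, criteria)}
    actions = []
    for bug in bugs:
        bug.state = tracker_states.get(bug.title, bug.state)
        if bug.issue_ids & still_matching:
            # Issues remain: the bug must be in a valid open state; reopen if not.
            if bug.state in OPEN_STATES:
                actions.append(("keep-open", bug.title))
            else:
                bug.state = "Reopened"
                actions.append(("reopen", bug.title))
        else:
            # All issues gone (fixed, or no longer matching the criteria): flag
            # the bug for stakeholders to resolve or close; do not close it here.
            bug.ready_to_close = True
            actions.append(("mark-ready-to-close", bug.title))
    return actions


# Constructed sample: the audited first scan, then a later merged scan in which
# I2 has been remediated (absent) and I3 was re-audited as not an issue.
SCAN_1 = [
    Issue("I1", "SQL Injection", "Login.java", {"Analysis": "Exploitable"}),
    Issue("I2", "SQL Injection", "Login.java", {"Analysis": "Exploitable"}),
    Issue("I3", "Cross-Site Scripting", "View.jsp", {"Analysis": "Exploitable"}),
    Issue("I4", "Cross-Site Scripting", "View.jsp", {"Analysis": "Not an Issue"}),
]
SCAN_2 = [
    Issue("I1", "SQL Injection", "Login.java", {"Analysis": "Exploitable"}),
    Issue("I3", "Cross-Site Scripting", "View.jsp", {"Analysis": "Not an Issue"}),
    Issue("I4", "Cross-Site Scripting", "View.jsp", {"Analysis": "Not an Issue"}),
]
# Someone resolved the SQL Injection bug in the tracker although I1 is still open.
TRACKER_STATES = {"Fix all SQL Injection in Login.java": "Resolved",
                  "Fix all Cross-Site Scripting in View.jsp": "Open"}


def demo() -> Tuple[List[Bug], List[Tuple[str, str]]]:
    bugs = batch_submit(SCAN_1)
    actions = manage_bug_states(bugs, SCAN_2, TRACKER_STATES)
    return bugs, actions


if __name__ == "__main__":
    bugs, actions = demo()
    for bug in bugs:
        print(bug.title, bug.state, "ready_to_close=%s" % bug.ready_to_close)
    print(actions)
```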


Submitting Exploitable Bugs in a Batch

If a bug tracker has been specified for a project version (Configuring Bug Tracking for a Project Version on page 41), you can submit a batch of issues as a bug to a supported bug tracker.

To submit multiple issues for a project version:

1. After you specify the bug tracker to use to submit bugs against a project version (see Configuring Bug Tracking for a Project Version), on the Bug Tracker tab, select the Enable Batch Bug Submission check box.
2. The Selection Criteria box displays the default value [Analysis]:exploitable. You can edit this or specify additional search criteria. The Grouping Strategy box lists the attributes used to group submitted issues together. The default attributes listed are Category and File Name.
3. To select an additional grouping attribute:
a. Click Add. The Add Attribute dialog box opens.
b. From the Name list, select an attribute to add to the Grouping Strategy list. (Although you can only select one attribute at a time, you can repeat Step 3 multiple times to add more attributes.)
c. Click Save.
4. To remove a grouping attribute, select it and then click Remove.
5. To validate your selection criteria, click Check.
6. If you want to enable bug state management, follow the procedure described in Enabling Bug State Management. Otherwise, to save your current bug tracker settings, click Save.
7. Click the Issues tab.
8. Click Batch Submit Bugs.
9. In the Login to Bug Tracker dialog box, provide your credentials for your bug tracker, and then click Login.
10. On the next step, provide the information required to submit bugs in your bug tracker, and then click Next.
11. The next step lists the bugs that match the criteria you specified in the Selection Criteria and Grouping Strategy boxes.
12. To complete the batch submission, click Batch Submit Bugs.

Enabling Bug State Management

If batch bug submission is enabled for a project version (see Submitting Exploitable Bugs in a Batch on page 43), you can enable bug state management. Bug state management enables Software Security Center to make specific updates to bugs as the states of the issues within those bugs change. Software Security Center checks new security scans to determine whether filed bugs are to remain open or can be closed.

To enable bug state management for a project version:

1. After you enable batch bug submission for a project version, on the Bug Tracker tab, select the Enable Bug State Management check box.
2. Scroll down so that you can see the Username and Password boxes.
3. In the Username and Password boxes, type your username and password for the bug tracking application selected for the project version.
4. Click Test.
5. After Software Security Center displays the “Connection Successful” message, click OK.
6. Click Save.

Changing the Project Template Associated with a Project Version

You can modify many settings for an existing project version, including its project template. However, keep in mind that assigning a different project template to a project version, or updating a project template on the Software Security Center server, results in loss of synchronization between the database cache and existing audit sessions.

After you assign a project version a different template, Software Security Center calculates metrics based on the new project template. Any in-progress audits are saved and then restarted with the new project template.

To edit a project version:

1. Log on to Software Security Center as either an Administrator or Security Lead.
2. Click the Projects tab.
3. From the list of project versions on the left, select the project version you want to modify.
4. Click Edit. The Edit Project Version dialog box opens.
5. From the Project Template list, select a different project template to apply to the project version. SSC displays a warning message to advise you that changing the template can alter the metrics calculated for the project, and that existing metrics will not be recalculated.
6. To continue with the change, click Yes. After you change the project template, SSC invalidates any auditing session of the affected project version (for example, by a different user) and displays an error message to advise you that the project version audit session must be restarted.
   Note: An HP Fortify Audit Workbench user auditing the affected project version does not see this information.
7. Click OK.

About Project On-Boarding

A security team that creates a project version may not always know what the business and technical attributes of the project are. Software Security Center’s project on-boarding feature provides a way for the project version creator to request that information from the development team, and for the development team to provide that information to the system.

Typical scenarios for implementing the project on-boarding feature are:

• A development group new to the Software Security Assurance program can easily understand what is expected of them. They may identify and plan for key users to participate in the security effort.
• A development group new to the Software Security Assurance program can easily supply the information necessary to start a project version within Software Security Center.

Requesting Project Attribute Information

As you create a new project version, you can request information about the project attributes from others working on the project.

To submit a request for business attribute information:

1. In the process of creating a project version (see About Creating Project Versions on page 37), after you reach the Business Attributes panel, click Send Attribute Information Request. The Send Attribute Information Request dialog box opens.
2. In the Recipient Email box, type the email address of the person to whom you want to send this email.
3. Click Send.

The form contains pre-populated fields and links to forms that external users can use to specify project attributes.

To continue the project version creation process after you send the request, click the links provided on the Projects page.

Note: Typically, you wait for the development team to provide the technical and business attributes, and then return to finish creating the project version. The value in the State column on the Project list page indicates that the development team has provided the requested attributes. The panel to the right of the Projects panel shows that the project version is unfinished, and you can continue the project version creation process using the links provided.

The email notification sent in response to your request for attribute information contains links to information request forms, which the recipient can use to provide the requested attribute information:

• One link takes the recipient to the Software Security Center Process Guide, which presents an overview of the software security assurance process.
• The second link takes you to the Business Attributes step of the Create Project Version wizard, where you can configure the business attributes for your project. For descriptions of each business attribute, see Adding Project Versions on page 37.
• The third link takes you to the Technical Attributes step of the Create Project Version wizard, where you can configure the technical attributes of your project.
• The fourth and last link takes you to the Account Request step, from which you can request a Software Security Center account, in case you do not yet have one.

Setting Analysis Result Processing Rules for Project Versions

Analysis result processing rules allow for management approval and oversight of code scans. You can configure the rules to be followed when analysis results for a project version are processed.

To configure the analysis result processing rules for a project version:

1. Log on to Software Security Center as an administrator and click the Projects tab.
2. Click the project version for which you want to configure the analysis result processing rules.
3. Click View Details.
4. Click the General tab.
5. Click the Analysis Result Processing Rules sub-tab, which shows the default processing rules for the project version.

6. In the upper right corner of the sub-tab, click Edit. The Edit Project Version dialog box opens.
7. Select or clear the check boxes for the rules listed in the following table, and then click Save.

Rule: Require approval if the Build Project is different between scans
Description: Software Security Center compares the Build Project for the scan and the scan that preceded it. If the Build Projects differ, management approval is required.

Rule: Check external metadata file versions in scan against versions on server

Rule: Require approval if file count differs by more than 10%
Description: Software Security Center compares the file count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required.

Rule: Require approval if result has analysis warnings

Rule: Require approval if the Rulepacks used in the scan do not match the Rulepacks used in the previous scan
Description: Software Security Center checks whether you have added or removed a Rulepack, and whether the version of a Rulepack has changed. If it detects that a Rulepack has been added, removed, or updated, it flags the upload for management approval.

Rule: Require approval if the engine version of a scan is newer than the engine version of the previous scan
Description: Software Security Center checks whether any scan engine (SCA, WebInspect, WebInspect Agent) version is newer than the one already used in the project. If it detects newer versions, it flags the upload for management approval.

Rule: Automatically perform Instance ID migration on upload
Description: A newer version of SCA or a Rulepack can change an instance ID from the instance ID created in a previous scan by an older version of SCA or a Rulepack. In reality, both instance IDs identify the same issue. When enabled, this rule automatically migrates old instance IDs to the corresponding new instance IDs to preserve the history of the issues. It is sometimes useful to disable this rule as a troubleshooting measure for customer support.

Rule: Require approval if line count differs by more than 10%
Description: Software Security Center compares the line count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required.

Rule: Ignore SCA scans performed in Quick Scan mode
Description: Blocks the processing of SCA scans done in Quick Scan Mode, which searches for high-confidence, high-severity issues.

Rule: Require approval if SCA or WebInspect Agent scan does not have valid certification
Description: Software Security Center checks that an SCA or WebInspect Agent scan has valid certification. If the certification is not valid, someone may have tampered with the results in the upload. If the certification is missing, it is not possible to detect tampering. If the certification is missing or not valid, the rule requires management approval.
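To make the table's comparisons concrete, the following Python is an added example, not Software Security Center's implementation: it models each approval rule over two constructed scan records (the field names, rule identifiers and sample values are assumptions), and also covers the two remaining rules of the table, warning on unknown custom tags and blocking uploads while an approval is pending.

```python
"""Toy evaluator for analysis-result processing rules of the kind listed above.

Added example for this section, not Software Security Center's own code. The
ScanMetadata fields, the rule identifiers and the sample scans are assumptions
constructed to mirror the rules in the table, including the two rules on
unknown custom tags and pending approvals.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

ALL_RULES = frozenset({
    "build_project", "file_count", "analysis_warnings", "rulepacks",
    "engine_version", "line_count", "quick_scan", "certification",
    "unknown_custom_tag", "pending_approval",
})


@dataclass
class ScanMetadata:
    """Per-upload facts a processing rule compares against the previous scan (assumed fields)."""
    build_project: str
    file_count: int
    line_count: int
    rulepacks: Dict[str, str]           # Rulepack name -> version
    engine_version: Tuple[int, ...]     # comparable as a tuple, e.g. (16, 10)
    has_analysis_warnings: bool = False
    quick_scan: bool = False
    certification: Optional[str] = None  # "valid", "invalid", or None when missing
    custom_tags: FrozenSet[str] = frozenset()


def differs_by_more_than(previous: int, current: int, fraction: float) -> bool:
    """True when the relative change from previous exceeds fraction (the table's 10% tests)."""
    if previous == 0:
        return current != 0
    return abs(current - previous) / previous > fraction


def evaluate_rules(previous: ScanMetadata, current: ScanMetadata,
                   known_tags: FrozenSet[str], enabled: FrozenSet[str] = ALL_RULES,
                   pending_approval: bool = False) -> dict:
    """Apply the enabled rules to an upload.

    Returns {"skipped": bool, "blocked": bool, "needs_approval": [reasons]}.
    "skipped" models the Quick Scan rule (upload ignored), "blocked" the
    pending-approval rule, and "needs_approval" collects every rule that
    would flag the upload for management approval.
    """
    result = {"skipped": False, "blocked": False, "needs_approval": []}
    if "quick_scan" in enabled and current.quick_scan:
        result["skipped"] = True
        return result
    if "pending_approval" in enabled and pending_approval:
        result["blocked"] = True
        return result

    reasons = result["needs_approval"]
    if "build_project" in enabled and previous.build_project != current.build_project:
        reasons.append("Build Project differs from previous scan")
    if "file_count" in enabled and differs_by_more_than(previous.file_count, current.file_count, 0.10):
        reasons.append("file count differs by more than 10%")
    if "line_count" in enabled and differs_by_more_than(previous.line_count, current.line_count, 0.10):
        reasons.append("line count differs by more than 10%")
    if "analysis_warnings" in enabled and current.has_analysis_warnings:
        reasons.append("result has analysis warnings")
    if "rulepacks" in enabled and previous.rulepacks != current.rulepacks:
        # Any added, removed, or re-versioned Rulepack makes the two dicts unequal.
        reasons.append("Rulepacks added, removed, or updated")
    if "engine_version" in enabled and current.engine_version > previous.engine_version:
        reasons.append("engine version is newer than previous scan")
    if "certification" in enabled and current.certification != "valid":
        # A missing certification cannot prove tampering, but cannot rule it out either.
        reasons.append("certification missing or invalid")
    if "unknown_custom_tag" in enabled:
        unknown = current.custom_tags - known_tags
        if unknown:
            reasons.append("unknown custom tags: " + ", ".join(sorted(unknown)))
    return result


# Constructed sample uploads: a baseline scan and a follow-up scan of the same project version.
BASELINE = ScanMetadata("webapp-release", 1000, 50000,
                        {"Core": "2016.1", "Java": "2016.1"}, (16, 10), certification="valid")
FOLLOW_UP = ScanMetadata("webapp-release", 1150, 52000,
                         {"Core": "2016.1", "Java": "2016.2"}, (16, 10), certification="valid",
                         custom_tags=frozenset({"Analysis", "SignOff"}))
KNOWN_TAGS = frozenset({"Analysis"})

if __name__ == "__main__":
    for reason in evaluate_rules(BASELINE, FOLLOW_UP, KNOWN_TAGS)["needs_approval"]:
        print("approval required:", reason)
```

Run as a script, the follow-up scan is flagged three times: its file count grew by 15%, the Java Rulepack version changed, and it carries a SignOff tag the server does not know; the 4% growth in line count stays under the threshold.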

Rule: Warn if audit information includes unknown custom tag
Description: If audit information includes an unknown custom tag, the rule requires management approval.

Rule: Disallow upload of analysis results if there is one pending approval
Description: If an analysis result still requires approval, this rule blocks its upload.

About Custom Tags

In Software Security Center, code auditing involves the security team examining HP Fortify project results (FPR) and assigning values to “tags” that are associated with project issues. The development team can then use these tag values to determine which issues they must address and in what order. Software Security Center provides a single default tag named “Analysis” to enable project auditing out of the box. Valid values for the Analysis tag are Exploitable, Not an Issue, Suspicious, Reliability Issue, and Bad Practice. You can modify the Analysis tag attributes, revise the tag values, or add new tag values based on your auditing needs.

To refine your auditing process, you can define your own custom tags. Like the Analysis tag, your custom tag definitions are stored in a project template that can be associated with a project version in Software Security Center. For example, you could create a custom tag to track the sign-off process for an issue. After a developer audits his own issues, a security expert can review those same issues and mark each as “approved” or “not approved.”

You can define custom tags in real time in Software Security Center, directly with project template uploads through Software Security Center, or through project templates in FPR files.

Note: You can use the client tool HP Fortify Audit Workbench (AWB) to add custom tags to a project as you audit it. However, if you have not defined these custom tags in Software Security Center for the project template associated with the project version, the new custom tags are lost after you upload the FPR file to Software Security Center.

Viewing Custom Tags in Software Security Center

You manage custom tags in Software Security Center from the Custom Tags panel.

To view the Custom Tags panel:

1. Click the Administration tab.
2. In the Administration panel, under Projects, click Custom Tags.

Adding Custom Tags

To add a custom tag:

1. In the Custom Tags panel, click Add.
2. Type the name (required) and a description (optional) of the new tag.
   Important: Make sure that the name you specify for a custom tag is not a database reserved word.

3. To specify a value for the new tag:
   a. Click Add.
   b. In the Name box, type a value. A value can be a discrete attribute for the issue that this tag addresses. For example, you might specify that this custom tag addresses a due date or a server quality issue.
   c. (Optional) In the Description box, type a description of what the value represents.
   d. To prevent the value from being displayed in Collaboration Module or HP Fortify Audit Workbench (AWB), select the Hidden check box.
   e. Click Save.
4. From the Default Value list, select the default value for the tag. If the custom tag has a default value, then issues with no value set for the tag acquire that default value. If no default value is defined, then the tag value becomes “Not Set.”
5. Select any or all of the following optional tag features:
   • To allow only users with specific permission (managers, security leads, administrators) to modify the tag, select the Restricted check box.
   • To enable the addition of new values to the tag during audits, select the Extensible check box.
   • To prevent the display of the tag in Collaboration Module or HP Fortify Audit Workbench (AWB), select the Hidden check box.
6. Click Save.

Modifying Custom Tag Attributes

To modify the attributes of a custom tag:

1. Select Administration → Projects → Custom Tags.
2. Select the custom tag to modify.
3. Click Edit.

4. Modify the tag attributes and save your changes.
   Important: Make sure that the name you specify for a custom tag is not a database reserved word.

Globally Hiding a Custom Tag

To globally hide a custom tag:

1. Navigate to Administration → Projects → Custom Tags.
2. Select the custom tag to modify.
3. Click Edit.
4. Select the Hidden check box.
5. Click Save.

Deleting Custom Tags

To delete a custom tag, use the following procedure.

Note: You cannot delete a custom tag if the tag is associated with a project version or a project template, or if an issue has been audited with the custom tag.

1. Navigate to Administration → Projects → Custom Tags.
2. In the Name column, select the custom tag to delete.
3. Click Delete.

Adding Custom Tag Values

To add a value to a custom tag:

1. Navigate to Administration → Projects → Custom Tags.
2. Select the custom tag to which you want to add a value.
3. Click Edit.
4. In the Update Custom Tag dialog box, click Add.
5. Type a name and, optionally, a description for the new value.
6. To hide the value, select the Hidden check box.
7. Click Save.
8. In the Update Custom Tag dialog box, click Save.

Changing Custom Tag Values

To change a value for a custom tag, use the following procedure.

1. Navigate to Administration → Projects → Custom Tags.
2. Select the custom tag whose value you want to change.
3. Click Edit.
4. In the Update Custom Tag dialog box, select the value to change.
5. Click Edit.
6. Change the name or description, and then click Save.
7. In the Update Custom Tag dialog box, click Save.

Deleting Custom Tag Values

To delete a value for a custom tag, use the following procedure.

1. From the Software Security Center Dashboard page, select Administration → Projects → Custom Tags.
2. Select the custom tag.
3. Click Edit.
4. In the Update Custom Tag dialog box, select the value to delete, and then click Delete.
5. Click Save.

Associating Custom Tags with Project Templates

After you first create a project template and upload a project template file, the custom tags defined in that project template file are the custom tags initially associated with the project template. Updates to existing custom tags are ignored, because tags are designed to be updated using the procedures described in the previous sections; newly defined custom tags in that project template file, however, are added to the system and associated with the project template.

Note: The custom tags associated with a project template are the default tag set assigned to a project version when it is first created using that project template.

To associate a custom tag with a project template:

1. Navigate to Administration → Projects → Project Templates.
2. Select the project template to associate with the custom tag.
3. Click Edit. The Edit Project Template dialog box opens.
4. Click Add. The Add Custom Tags To Project Template dialog box opens.
5. Select the check box for the custom tag to associate with the project template.

Viewing the Custom Tags Associated with a Project Template

To see which custom tags are associated with a project template:

1. Navigate to Administration → Projects → Project Templates.
2. Select the project template.
3. Click View Details.
4. Click the Custom Tags tab.

You can also edit or delete a custom tag from this project template from the Custom Tags tab.

Disassociating a Custom Tag from a Project Template

To disassociate a custom tag from a project template:

1. Navigate to Administration → Projects → Project Templates.
2. Select the project template.
3. Click Edit. The Edit Project Template dialog box opens.
4. Select the custom tag to disassociate from the project template, and then click Remove.

Associating Custom Tags with Project Versions

When you create a project version, the custom tags associated with its project template are initially associated with the project version. You can go back and change these associations after you create the project version. For more information, see Managing Custom Tags Through Project Templates on page 57.

To associate a custom tag with a project version:

1. From the Software Security Center Dashboard, click the Projects tab.
2. Select the project version with which you want to associate a custom tag.
3. Click Edit.

   The Edit Project Version dialog box opens.
4. Click the Custom Tags tab.
5. Click Add.
6. Select the check box for the custom tag to associate with the project version.

7. Click OK.
8. In the Edit Project Version dialog box, click Save.

Disassociating a Custom Tag from a Project Version

To disassociate a custom tag from a project version:

1. From the Software Security Center Dashboard, click the Projects tab.
2. Select the project version associated with the custom tag.
3. Click Edit.
4. In the Edit Project Version dialog box, click the Custom Tags tab.
5. Select the custom tag to disassociate from the project version.
6. Click Remove.
7. Click Save.

Adding Custom Tag Values During Audits

To add a value for a custom tag while auditing an issue, use the following procedure.

Note: The custom tag to which you add a value in the following procedure must have the Extensible attribute. Otherwise, you cannot add a value while auditing an issue in Collaboration Module.

1. From the Software Security Center Dashboard, click the Projects tab.
2. Select the project version to audit.
3. Click Audit Issues.
4. On the left side of the Summary panel, expand the list for the custom tag to which you want to add a value, and select Create New.
5. Type a name and, optionally, a description for the new value.

Managing Custom Tags Through Project Templates

Custom tags defined in a project template file are assigned to that specific project template. You cannot update existing custom tags through direct project template upload. If Software Security Center detects an updated custom tag, it displays a warning and prompts you to confirm that you want to continue.

You must update existing custom tags through the custom tag administration section of Software Security Center. From the Software Security Center Dashboard, select Administration → Projects → Custom Tags and complete the update.

You can add a new custom tag through a project template upload. This could, for example, allow a member of a security team who is not part of a software audit to define the project template and the custom tags in the project template.

Managing Custom Tags Through a Project Template in an FPR File

FPR files typically contain a project template. If an FPR file uploaded to Software Security Center contains a project template with a custom tag that has been set as editable, you can add a value to the tag.

About CloudScan in Software Security Center

HP Fortify CloudScan (CloudScan) software enables HP Fortify Static Code Analysis users to better manage their resources by offloading the processor-intensive scanning phase of analysis from their build machines to a cloud of machines provided for this purpose. If your administrator has set up CloudScan, you can use Software Security Center to monitor or troubleshoot the CloudScan Controller component of CloudScan, or to view scan results. (The CloudScan Controller is the server that receives the SCA mobile build session and scan instructions from the CloudScan CLI and routes the information to the CloudScan Cloud.)

Note: Enabling this functionality involves configuration of both Software Security Center and HP Fortify CloudScan. For instructions on how to configure Software Security Center for this, see the HP Fortify Software Security Center Installation and Configuration Guide. For information about the configuration steps required in HP Fortify CloudScan, see the HP Fortify CloudScan Installation, Configuration, and Usage Guide.

To monitor or troubleshoot the CloudScan Controller, or to view the results of a scan, navigate to the CloudScan tab in Software Security Center.

From the Jobs panel, you can view running scans and scans completed within the last seven days. CloudScan permissions determine which jobs you can see in the left panel, based on the project version associated with the job. CloudScan permissions are described in the following table.

Permission: Download CloudScan Artifacts
Description: User can view and download CloudScan data

Permission: Manage CloudScan
Description: User can view, download, and manage CloudScan data

Permission: View CloudScan
Description: User can view CloudScan data

The right panel includes the General and Task Details tabs. The General tab displays summary information about the scan, such as when it started, when it was completed, and so on. The Task Details tab displays specific information about Static Code Analyzer and the status of the FPR upload to Software Security Center. You can download a log file or analysis results file from the Task Details tab.

With the Controller feature section selected, two tabs provide a closer look at the CloudScan infrastructure in use and the current status of the CloudScan Controller. The information presented on the Statistics tab can be useful for determining why you do not see a job represented in the Jobs panel. The information displayed on the Settings tab reflects the content of two properties files; the information included under the General, Tasks Interval, and Email headings reflects the content of the config.properties file. For more information, see the HP Fortify CloudScan Installation, Configuration, and Usage Guide.

Chapter 5: SSA Project Version Requirements

The following sections provide information about the Requirements page for SSA project versions and instructions on how to use the page.

About the Requirements Page

Use the Requirements page to manage the requirements, activities, personas, and work owners for an SSA project version.

The information in the following sections is provided based on the assumption that you have already created a Software Security Center SSA project version. To learn more about creating project versions, see Chapter 4, Software Security Center Projects and Project Versions on page 30.

Displaying the Requirements Detail Page

Software Security Center project details pages provide access to various types of project information or utilities.

To display the Requirements details page:

1. Log on to Software Security Center with sufficient privileges to perform the task you want to perform. For more information about Software Security Center account privileges, see Chapter 3, Managing User Accounts on page 21 and About Software Security Center Persona Management on page 65.
2. Click the Projects tab. Software Security Center displays a list of projects and project versions.
3. From the list of projects, select the project version of interest, and then click View Details.
4. Click the Requirements tab. Software Security Center displays the Requirements details page.

About Process Requirements and Activities

When you create a new SSA project version, Software Security Center uses the project version attributes to recommend the optimal process template. You can override that recommendation, but you must choose a process template before you can finish the project creation process and put a new SSA project version into service.

Software Security Center process templates are hierarchical constructions of requirements and activities. The requirements and activities define a hierarchy of primary and constituent tasks that must be signed off to complete the secure development of a particular project version.

Table 7 summarizes the Software Security Center icons used to designate activity type, project version state, and sign-off status.

Table 7: Activity Type, State, and Sign-off Icons (the icon images are not reproduced here; each row gives the icon category and its description)

Activity type: Time lapse activity. Activities that must be performed within a specific time period. For example, uploading an SCA scan within the preceding 14 days.
Activity type: Project state activity. Activities that ensure the project conforms to applicable measurement guidelines. For example, auditing 100 percent of all High Priority Issues.
Activity type: Document activity. Activities that require the submission of an external process document. An example of a document activity is the completion and sign-off of a peer review checklist.
Project state: Project version not started. No activities completed.
Project state: Project version in progress. At least one activity has been completed.
Sign-off state: Awaiting sign-off.
Sign-off state: Signed off with exemption.
Sign-off state: Signed off.
Sign-off state: Document rejected.

About Activities, Requirements, and Process Templates

This section contains information about SSA project sign-off, including sign-off activities, multi-persona sign-offs, sign-off requirements, and sign-off templates.

About SSA Project Sign-Offs

Software Security Center SSA process templates contain multiple requirements, which in turn contain multiple activities. In general, the secure development team completes and signs off on all of a given requirement’s constituent activities before signing off on the requirement. In some cases, however, the security team may permit a requirement to be signed off on before all of that requirement’s activities have been completed. When this occurs, Software Security Center permits activities and requirements to be signed off with exemption.

In Software Security Center, the work owner assigned to an activity can use tasks to help manage that activity. For more information about Software Security Center tasks, including the sign-off of those tasks, see Adding Tasks to Activities on page 67.

About Sign-Off Personas

In Software Security Center, personas have sign-off responsibility for requirements and activities. For more information about Software Security Center personas, see Chapter 3, Managing User Accounts on page 21, and About Software Security Center Persona Management on page 65.

If a persona has no user account assigned to it, and that persona is assigned to a particular process template activity or requirement, then in the Sign Off panel, in the User column, Software Security Center displays the value Not Assigned. For information about how to assign a Software Security Center user account to a persona, see Assigning User Accounts to Personas on page 63.

About Signing Off Activities

As the security team progresses through the secure development process, the Software Security Center persona or personas assigned to an activity must sign off that activity. If multiple personas are assigned to a requirement or activity, then all personas must sign off on the activity in one of the following two ways:

• If an activity has been completed successfully, the persona signs off on the activity without an exemption.
• If an activity was not completed or does not apply to the SSA project version, the persona signs off on the activity with an exemption.

About Multi-Persona Sign-Offs

If multiple personas are assigned to an activity, and one of those personas signs off on the activity with an exemption, then Software Security Center marks the activity as “signed off with an exemption.”

If the Software Security Center Power User signs off on an activity, then the Power User’s sign-off overrides the sign-offs (or absence thereof) of any other personas assigned to that activity.


Chapter 5: SSA Project Version Requirements 63

About Signing Off Requirements

Typically, a security team prefers to sign off on all of a given requirement's activities before signing off on the requirement. Software Security Center processes the sign-off of complete and incomplete requirements as follows:
• If you sign off a completed requirement (all activities in the requirement have been signed off or signed off with exemption), Software Security Center allows the requirement to be signed off or signed off with exemption. When a completed requirement is signed off, Software Security Center does not modify any activity's sign-off state.
• If you sign off an incomplete requirement (one or more activities in the requirement have been neither signed off nor signed off with exemption), Software Security Center permits the requirement to be signed off only with exemption. When an incomplete requirement is signed off, Software Security Center sets the sign-off state of every activity that has no sign-off status (indicated by a Status value of "In Progress") to "Signed Off With Exemption."

About Due Dates

In the process template definition, you can specify due dates for process templates, requirements, and activities in units of days or weeks. When the project version is created or finished, those days or weeks are added to the current day to calculate an absolute due date, which you can see on the Requirements tab in the Project Version details. Tasks do not have a due date by default, but you can set one after the task is created.

Due dates can be changed after the project version is created. Only a user who can sign off on the process template, requirement, activity, or task can change its due date. If a due date passes and the item has not been signed off, Software Security Center creates a system event, which you can examine in the event log.

About Signing Off Process Templates

Software Security Center process templates can be signed off normally or with exemption. In this regard, the sign-off behavior for process templates is identical to the sign-off behavior for requirements.

Assigning User Accounts to Personas

Personas provide the core functionality of Software Security Center's Governance features. In Software Security Center, personas have sign-off responsibilities for process template requirements and activities. For more information about managing Software Security Center personas, see Chapter 3, Managing User Accounts on page 21.

Before a persona can sign off a process template requirement or activity, you must use the Personas tab on the Requirements page to assign a Software Security Center user account to that persona.

To assign a Software Security Center user account to a persona:
1. On the Requirements details page, click Personas.
Software Security Center displays the Personas page. The page lists the personas defined in the selected SSA project version's process template. For information about listing all personas defined to Software Security Center, see Viewing and Editing Personas on page 66.
2. On the Personas page, in the list of personas, choose a persona and then click Assign User.
Software Security Center displays the Assign User to Persona dialog box.


3. From the User list, select a Software Security Center user account name.
4. Click Save.
Software Security Center saves the change and then displays the list of personas. The list includes the Software Security Center user account assigned to the persona.

Assigning a Power User

The Power User persona provides a way to sign off on a process template requirement or activity if the assigned persona cannot do it. Because a Power User sign-off overrides the sign-offs (or absence thereof) of every other persona assigned to an item, assign this persona sparingly.

To assign the Power User persona to a Software Security Center user:
1. On the Requirements details page, click Personas.
Software Security Center displays the Personas panel, which lists the personas defined in the process template for the selected SSA project version. For information about listing all personas defined throughout the complete set of Software Security Center process templates, see Viewing and Editing Personas on page 66.
2. On the Personas page, click Advanced.
Software Security Center displays the Assign User to Persona dialog box.
3. From the User list, choose a Software Security Center user account name.
4. Click Save.
Software Security Center saves the change and displays the list of personas. The list includes the Software Security Center user account assigned to the persona.

About Process Template Work Owners

In Software Security Center, work owners are individual Software Security Center user accounts tasked with performing a given SSA project version's activities and requirements.

You can assign work owners to either requirements or activities. If you assign a work owner to a process template requirement, Software Security Center does not automatically assign that work owner to any of the activities contained within that requirement.

To assign a work owner to a process template requirement or activity:
1. On the Requirements page, on the Requirements sub-tab, select a requirement or activity.
Software Security Center updates the right-side information panel with details about the selected activity or requirement.
2. Assign a work owner to the selected activity or requirement:
a. In the right-side information panel, select the General tab.
b. In the Work Owner row, click the assignment icon.
Software Security Center displays the Work Owner Assign dialog box.
c. In the User list, choose a Software Security Center user account, and then click Save.
Software Security Center adds the assigned work owner to the requirement's or activity's information panel.

To specify default work owners in a customized process template, you must use the external Process Designer client tool.


About Assigning Work Owners to Personas

The Process Designer client tool permits default work owners to be assigned to process template requirements and activities. Because there is no way to predict which Software Security Center user account names will be assigned as work owners, Process Designer assigns work owners to requirements and activities by persona.

If you use the Requirements page to view a process template that includes default work owner definitions, and you have not yet performed the procedure in Assigning User Accounts to Personas on page 63 to assign a Software Security Center user account to the default work owner persona, Software Security Center reports the work owner status as unassigned. The first time you assign a user account to a persona specified as a default work owner, Software Security Center updates all work owner fields with the user account name assigned to that persona.

About Software Security Center Persona Management

In the Software Security Center governance module, personas provide enhanced management of the requirements and activities defined in the process templates for SSA project versions. Personas enable a security manager to:
• Assign sign-off responsibility for process template requirements and activities to organizational units or job titles
• Require that more than one persona sign off on a particular process template requirement or activity
• Achieve a high level of accountability for task assignment and completion
• Efficiently manage changing personnel resources throughout the entire development life cycle of a Software Security Center SSA project version

Table 8 describes the default personas that you can add to your process template activities or requirements in Software Security Center. To add personas to process template activities or requirements, you must use the Software Security Center Process Designer client tool. For information about how to incorporate personas into your process templates, see the HP Fortify Software Security Center Process Designer User Guide.

Table 8: HP Fortify Software Security Center Personas

Persona Name                  Example Responsibilities
Architect                     High-level design and system engineering
Business Risk Owner           Sign off on the complete set of business and technological risks for an application
Developer                     Design and implement code, scan the code for vulnerabilities, and address any security issues in the code
Operations and Build Teams    Deploy and maintain applications in production settings
Project Manager               Ensure that all project milestones are enumerated and completed
QA Tester                     Test and verify software throughout the secure development process
Security Expert/Champion      Define and ensure compliance with the security strategy and delivery of an SSA project version
Support Operations            Internal and external customer support and technical operations support


Viewing and Editing Personas

All Software Security Center account levels can view personas, but you must log on as an Administrator or Security Lead to edit or create personas.

To view and edit a Software Security Center persona:
1. Log on to Software Security Center and click the Administration tab.
2. In the left panel, under Process Management, click Personas.
The Personas page in the right panel lists all personas in the system.
3. From the list, select a persona, and then click View Details.
The details panel for the persona opens in the right pane. The panel includes the Is Power User check box, which is a status indicator. For information about the Power User persona, see Assigning a Power User on page 64.
4. If you are an Administrator or Security Lead, click Edit.
The Edit Persona dialog box opens.
5. Modify the persona name or description, and then click Save.

Creating Personas

To create a persona:
1. Log on to Software Security Center and click the Administration tab.
2. In the Administration panel on the left, under Process Management, click Personas.
3. Click Add.
The Create Persona dialog box opens.
4. In the Name box, type a descriptive name for a job title that is to have responsibility for one or more portions of a Software Security Center SSA project version.
5. (Optional) In the Description box, type a description of the responsibilities or functions the persona is to assume.
6. Click Save.
The Personas page lists the new persona.

For information about how to incorporate a persona into a Software Security Center process template, see the HP Fortify Software Security Center Process Designer User Guide.

Deleting Personas

If a persona listed on the Personas page has no user accounts assigned to it, you can delete that persona.

To delete a persona:
1. Log on to Software Security Center as an Administrator or Security Lead and click the Administration tab.
2. In the Administration panel on the left, under Process Management, click Personas.
3. In the Name column in the Personas panel, select the persona you want to delete.
4. Click Delete.
A warning dialog box opens and prompts you to confirm that you want to delete the persona.
5. Click Yes.


Adding Tasks to Activities

The work owner assigned to a process template activity can add tasks to that activity. Tasks enable the work owner to enumerate and manage the individual work items that must be performed to complete a given activity. Only the work owner assigned to an activity can sign off the tasks associated with that activity.

The work owner who creates a task can also assign that task to a different work owner. After the work owner assigned to the task completes it, only the work owner who created the task can sign off on that task.

To add a task to an assigned activity:
1. On the Requirements page, on the Requirements sub-tab, select an activity for which you are the assigned Software Security Center work owner.
Software Security Center updates the right-side information panel with details about the selected activity. If you are the work owner assigned to the selected activity, Software Security Center enables the Add Task button on the General tab.
2. Add a task to the selected activity:
a. In the right-side information panel, click Add Task.
The Create Task dialog box opens.
b. Type the name and description of the new task, and then click Save.
Software Security Center adds the task to the activity.

About Adding Status Alerts to Requirements and Activities

Software Security Center can use changes in requirement and activity status to send email notifications to team members. For information about how to configure alerts, see About Alert Definitions and Creating Alert Definitions on page 74.


About Working with Document Artifacts

Use the Requirements page to view, upload, and manage the document artifacts for an SSA project version. (Although you can use the Documents tab on the Artifacts page to work with document artifacts, the Requirements page provides a better contextual framework for working with Software Security Center process documents.)

HP Fortify provides a default set of document artifact templates with Software Security Center. Most of these templates are Microsoft Word documents, although you can incorporate any type of file, including user-created files, into an SSA project version as a document artifact.

The document artifact workflow is as follows:
1. Log on as a user who has access to the selected SSA project version.
2. Use the procedure described in Displaying the Requirements Detail Page on page 60 to display the Requirements page for the SSA project.
3. On the Requirements page, locate an activity that includes a documentation artifact. While browsing the list of activities, look in the right-side details area for a downloadable documentation artifact template.
Software Security Center supports the use of any type of file as a document artifact. In some cases the security team may choose to use the document artifact templates included in Software Security Center's default set. In other cases, the security team may prefer to develop and submit customized, project-specific process documents.
4. Place a working copy of a document artifact template where the appropriate members of the security team can access it as a working process document.
Submit a document artifact for review only after the process document is complete: Software Security Center does not perform version control or release management of incomplete document artifacts.
5. Click Submit For Review.
The Submit Document For Review dialog box opens. When you use the Requirements page to submit a document artifact, Software Security Center uses the activity type to automatically identify the type of process document being submitted. To specify additional process document types (for example, for process documents that contain multiple chapters that correspond to other SSA project version activities), in the Additional Document Types area choose one or more document types. (When you submit a document artifact from the Artifacts page instead, you must select at least one document type.)
6. To approve the submitted document artifact:
a. Log on as an Administrator, as the Security Lead account that created the project, or as a Security Lead, Manager, or Developer with access to the selected SSA project version.
b. Select the activity that contains the completed document artifact, and then click Sign Off.


Chapter 6: Variables, Performance Indicators, and Alerts 69

Chapter 6: Variables, Performance Indicators, and Alerts

Software Security Center lets you store measured values and event conditions for project versions as variables. A Software Security Center variable is the definition of a metric that is evaluated periodically for each project version. Variables count issues, conditions, and other categories of numeric data.

Performance indicators combine variables into metrics that are normalized across project version boundaries and that can represent complex, higher-level abstractions such as monetary costs. Software Security Center variables and performance indicators are the building blocks you use to create customized metrics, which you can then incorporate into customized alert definitions. You can use the values of variables to trigger alerts, which Software Security Center then displays on the dashboard of the users specified as recipients in the alert definitions. Software Security Center can also email alert notifications to members of a project version team.

About Working with Variables

If you have a Manager-level or higher user account, you can define variables for your projects. The following topics describe Software Security Center variable syntax and search strings, and explain how to create variables.

About Variable Syntax and Search Strings and Search String Modifiers

The format of a Software Security Center variable is as follows:
modifier:searchstring

Table 9 lists the Software Security Center relational operators.

Table 9: HP Fortify Software Security Center Relational Operators

Search String
    Searches for the string without qualification.

"Search String"
    Searches for an exact match of the string enclosed in quotation marks (" ").

Number range
    A comma-separated pair of numbers that specifies the beginning and end of a range of numbers. Use a left or right square bracket ("[" or "]") to specify that the range includes the adjoining number. Use an opening or closing parenthesis ("(" or ")") to specify that the range excludes the adjoining number (that is, the value must be strictly greater than or less than it).
    Example: (2,4] indicates a range greater than two and less than or equal to four.

! (not equal)
    Negates a modifier with an exclamation character (!).
    Example: !file:Main.java returns all issues that are not in Main.java.

Variable Search Targets

Table 10 lists the Software Security Center search string modifiers. Software Security Center search-string syntax is identical to that used with HP Fortify Audit Workbench.

Note: Software Security Center does not recognize the following Audit Workbench search modifiers:
• ruleid
• trace
• tracenode

Table 10: Search String Modifiers

[issue age]
    Searches for the issue age, which is either removed, existing, or new.
<custom_tagname>
    Searches the specified custom tag. Tag names that contain spaces must be delimited by square brackets. Example: [my tag]:value
analysis
    Searches for issues that have the specified audit analysis value (such as "exploitable," "not an issue," and so on).
analyzer
    Searches the issues for the specified analyzer.
audience
    Searches for issues by intended audience. Valid values are "targeted," "medium," and "broad".
audited
    Searches the issues by audit status: true if the Primary Custom Tag is set, false if it is not set.
category (cat)
    Searches for the given category or category substring.
comments (comment, com)
    Searches the comments submitted on the issue.
commentuser
    Searches for issues with comments from a specified user.
confidence (con)
    Searches for issues that have the specified confidence value. Fortify Source Code Analyzer calculates the confidence value based on the number of assumptions made in code analysis. The more assumptions made, the lower the confidence value.
dynamic
    Searches for issues with the specified dynamic hot spot ranking value.
file
    Searches for issues where the primary location or sink node function call occurs in the specified file.
[fortify priority order]
    Searches for issues that have a priority level that matches the specified priority determined by the HP Fortify analyzers. Valid values are critical, high, medium, and low, based on the expected impact and likelihood of exploitation. The impact value indicates the potential damage that might result if an issue is successfully exploited. The likelihood value is a combination of confidence, accuracy of the rule, and probability that the issue can be exploited. By default, Audit Workbench groups issues into folders based on the four priority values (critical, high, medium, and low).
historyuser
    Searches for issues with audit data modified by the specified user.
kingdom
    Searches for all issues in the specified kingdom.
maxconf
    Searches for all issues that have a confidence value up to and including the number specified as the search term.
metagroup
    Searches the specified metagroup. Metagroups include [OWASP Top 10 2010], [sans top 25 2010], [pci 2.1], and others. Square brackets delimit field names that include spaces.
minconf
    Searches for all issues that have a confidence value equal to or higher than the number specified as the search term.
package
    Searches for issues where the primary location occurs in the specified package or namespace. (For data flow issues, the primary location is the sink function.)
[primary context]
    Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see sink and [source context].
primaryrule (rule)
    Searches for all issues related to the specified sink rule.
ruleid
    Searches for all issues reported by the specified rule IDs used to generate the issue source, sink, and all passthroughs. (As noted above, Software Security Center does not recognize this modifier; it is available only in Audit Workbench.)
sink
    Searches for issues with the specified sink function name. Also see [primary context].
source
    Searches for data flow issues with the specified source function name. Also see [source context].
[source context]
    Searches for data flow issues with the source function call contained in the specified code context. Also see source and [primary context].
status
    Searches for issues that have the status reviewed, not reviewed, or under review.
suppressed
    Searches for suppressed issues.
taint
    Searches for issues that have the specified taint flag.
[no attribute]
    Searches for issues that have any of the most common attributes that match the specified string.

Table 11 lists common Software Security Center variable search strings.

Table 11: Software Security Center Variables, Common Search Strings

Search String Target                                                         Example Search String
All issues that contain cleanse as part of any modifier                      cleanse
Categories other than SQL injection                                          category:!SQL Injection injection
File names that contain the string com/fortify/awb                           file:"com/fortify/awb"
Paths that contain traces with cleanse as part of the name                   trace:cleanse
Paths that contain traces with mydbcode.sqlcleanse as part of the name       trace:mydbcode.sqlcleanse
Privacy violations in filenames that contain jsp with getSSN() as a source   category:"privacy violation" source:getssn file:jsp
Suppressed vulnerabilities with asdf in the comments                         suppressed:true comments:asdf

The two trace examples use the Audit Workbench trace modifier, which, as noted above, Software Security Center does not recognize; they work only in Audit Workbench.

Creating Variables

To create a Software Security Center variable:
1. Log on as a Manager-level or higher user, and then click the Administration tab.
Note: Users who have Developer accounts cannot create Software Security Center variables.
2. In the Administration panel on the left, under Projects, click Variables.
3. In the Variables panel on the right, click Add.
The Create Variable dialog box opens.
4. Provide the information described in the following table.

Field (*Required)
*Name
    Type a variable name that begins with a letter (a-z, A-Z) and that contains only letters, numerals (0-9), and the underscore character (_).
Description
    Type a variable description so that other users can understand what the variable is used for.
*Search String
    Type a valid Software Security Center variable search string. (For information about how to construct search strings, see About Variable Syntax and Search Strings and Search String Modifiers on page 69.)
*Folder
    From this list, select a folder from the default filter set to associate with the variable. The Folder list displays the unique folder names associated with all available project templates. (The folder names are configured in Software Security Center Process Designer.) The variable value is calculated if the folder name is associated with the project template for the project version.

5. Click Validate.
Software Security Center displays the variable validation result.
6. After you configure and validate the Software Security Center variable, click Save.
Software Security Center displays details about the new variable.
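The following is an added example, not Software Security Center code, that models the search-string syntax described above: a small Python evaluator that parses modifier:value terms (including bracketed modifier names such as [my tag], quoted phrases, ! negation, and (lo,hi] numeric ranges) and counts the matching issues the way a variable does. The issue field names, the subset of modifiers implemented, the attributes an unqualified term searches, and the sample issues are all constructed for this example; Software Security Center's real matching rules are not documented on this page. Quoted values are kept as a single phrase and matched as case-insensitive substrings, because Table 11's file:"com/fortify/awb" example expects a contains match.

```python
"""Added example (not Software Security Center code): a toy evaluator for the
variable search-string syntax described above, run over constructed issues."""
from __future__ import annotations

import re
from typing import Any

# Short forms listed in Table 10 map onto the full modifier name.
ALIASES = {"cat": "category", "con": "confidence", "comment": "comments",
           "com": "comments", "rule": "primaryrule"}

# One term: optional '!' negation, optional modifier (bracketed when it has
# spaces, e.g. [my tag]), then a quoted phrase, a (lo,hi] range, or a bare word.
TERM_RE = re.compile(
    r'(?P<neg>!?)'
    r'(?:(?P<mod>\[[^\]]+\]|[A-Za-z_][A-Za-z0-9_]*):)?'
    r'(?P<val>"[^"]*"|[\(\[]\S*?[\)\]]|\S+)')
RANGE_RE = re.compile(
    r'^([\(\[])\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*([\)\]])$')

# Attributes an unqualified term ([no attribute]) is assumed to search.
STRING_FIELDS = ("category", "file", "source", "sink", "package", "kingdom",
                 "comments", "analyzer", "primaryrule")


def parse_search_string(text: str) -> list[dict[str, Any]]:
    """Split a search string into terms; terms are ANDed, each may be negated."""
    terms = []
    for m in TERM_RE.finditer(text):
        mod = m.group("mod")
        if mod is not None:
            name = mod.strip("[]").lower()
            mod = ALIASES.get(name, name)
        raw = m.group("val")
        rng = RANGE_RE.match(raw)
        if rng:  # (2,4] : '(' / ')' exclude the bound, '[' / ']' include it
            val = ("range", float(rng.group(2)), rng.group(1) == "[",
                   float(rng.group(3)), rng.group(4) == "]")
        else:    # quoted phrase kept intact; matching is case-insensitive
            val = ("str", raw.strip('"').lower())
        terms.append({"neg": m.group("neg") == "!", "mod": mod, "val": val})
    return terms


def _attribute(issue: dict, mod: str):
    """Resolve a modifier to an issue attribute; custom tags live under 'tags'."""
    if mod in issue:
        return issue[mod]
    if mod == "audited":  # true when the primary custom tag (analysis) is set
        return bool(issue.get("tags", {}).get("analysis"))
    return issue.get("tags", {}).get(mod)


def _matches(actual, val) -> bool:
    if actual is None:
        return False
    if val[0] == "range":
        _, lo, lo_inc, hi, hi_inc = val
        try:
            x = float(actual)
        except (TypeError, ValueError):
            return False
        return (x >= lo if lo_inc else x > lo) and (x <= hi if hi_inc else x < hi)
    needle = val[1]
    if isinstance(actual, bool):          # suppressed:true / audited:false
        return needle in ("true", "false") and actual == (needle == "true")
    if isinstance(actual, (int, float)):  # confidence:3 style equality
        try:
            return float(actual) == float(needle)
        except ValueError:
            return False
    return needle in str(actual).lower()


def issue_matches(issue: dict, terms: list[dict[str, Any]]) -> bool:
    for t in terms:
        if t["mod"] is None:
            hit = any(_matches(issue.get(f), t["val"]) for f in STRING_FIELDS)
        else:
            hit = _matches(_attribute(issue, t["mod"]), t["val"])
        if hit == t["neg"]:  # term failed, or a negated term succeeded
            return False
    return True


def evaluate_variable(search_string: str, issues: list[dict]) -> int:
    """Number of issues matching the search string: the value a variable stores."""
    terms = parse_search_string(search_string)
    return sum(1 for issue in issues if issue_matches(issue, terms))


# Constructed sample results (not real scan output).
ISSUES = [
    {"category": "SQL Injection", "file": "com/fortify/awb/Login.java",
     "source": "getParameter", "sink": "executeQuery", "confidence": 4.5,
     "suppressed": False, "comments": "",
     "tags": {"analysis": "exploitable", "my tag": "urgent"}},
    {"category": "Privacy Violation", "file": "account.jsp",
     "source": "getSSN", "sink": "println", "confidence": 3.0,
     "suppressed": False, "comments": "", "tags": {}},
    {"category": "Cross-Site Scripting: Reflected", "file": "Main.java",
     "source": "getParameter", "sink": "write", "confidence": 2.0,
     "suppressed": True, "comments": "asdf, false positive",
     "tags": {"analysis": "not an issue"}},
    {"category": "Path Manipulation", "file": "com/fortify/awb/Files.java",
     "source": "readLine", "sink": "FileInputStream", "confidence": 5.0,
     "suppressed": False, "comments": "", "tags": {}},
]

if __name__ == "__main__":
    for s in ('file:"com/fortify/awb"', "!file:Main.java",
              'category:"privacy violation" source:getssn file:jsp',
              "suppressed:true comments:asdf", "confidence:(2,4]",
              "[my tag]:urgent", "audited:true"):
        print(f"{s:58} -> {evaluate_variable(s, ISSUES)}")
```

Running the module prints the match count for each Table 11 style search string against the four constructed issues; the range term shows the bracket versus parenthesis distinction from Table 9 (confidence:(2,4] excludes the issue at exactly 2.0, confidence:[2,4] includes it).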


About Performance Indicators

Software Security Center performance indicators enable you to combine variables into metrics that are normalized across project version boundaries, and that can represent complex, high-level abstractions such as monetary costs. This section describes performance indicator syntax and explains how to create performance indicators.

The general format of a Software Security Center performance indicator is as follows:
Variable[operator]Variable
where operator is a standard mathematical operator (+, -, *, /).

Creating Performance Indicators

To create a Software Security Center performance indicator:
1. Log on to Software Security Center as a Security Lead, and then click the Administration tab.
Note: Users who have Manager and Developer accounts cannot create Software Security Center performance indicators.
2. In the Administration panel on the left, under Process Management, click Performance Indicators.
The Performance Indicators panel opens on the right.
3. Click Add.
The Create Performance Indicator dialog box opens.
4. Provide the information described in the following table.

Field (*Required)
*Name
    Type a performance indicator name.
Description
    Type a description so that other users can understand what the performance indicator is used for.
*Equation
    Type a valid Software Security Center performance indicator equation.
*Return Type
    From this list, select the value type to return.

5. Click Validate.
Software Security Center displays the performance indicator validation result.
6. After you configure and successfully validate the Software Security Center performance indicator, click Save.
Software Security Center displays details about the new performance indicator.


About Alert Definitions

Alert definitions can include variable, performance indicator, or SSA process conditions that determine when Software Security Center is to generate an alert notification in the Dashboard's Alert Notifications pod. You can also configure alert notifications to send email messages about one or more alert notifications to members of a given Software Security Center project version.

Creating Alert Definitions

You can create alert definitions for any project versions to which you have been granted access.

To create a Software Security Center alert definition:
1. Log on to Software Security Center, and then click the Administration tab.
2. In the Administration panel on the left, under General, select Alert Definitions.
3. In the Alert Definitions panel on the right, click Add.
The Create Alert Definition dialog box opens.
4. In the General section, do the following:
• In the Name box, type a name for the alert.
• (Optional) In the Description box, type text that describes what the alert is for.
• To enable this alert definition, leave the Enabled check box selected.
5. In the Alert Definition section, next to Type, select the type of alert you want to create.
6. Provide the information for the alert type you selected, as described below.

Process Alert
a. From the Alert When list on the left, select a process template, process requirement, or process activity for the Software Security Center SSA project version.
b. From the Alert When list on the right, select a process state.
c. If the process state you selected enables the calendar box, specify a date.
Note: If you choose a process state of "if not signed off by" or "if not ready to be signed off by", Software Security Center enables both the date box and the Remind Every box.
d. To add a recurring email alert, select the Remind Every check box, and then in the Days box, type the number of days between alerts.
Software Security Center continues to send recurring email alerts until the process state has been satisfied or until you clear Remind Every.
e. To apply the alert to the children of the process entity, select the Include Children check box.

Performance Indicator Alert
a. From the Alert When list on the left, select a performance indicator.
b. From the list of operators, select an operator.
c. Type a numeric value. The type of the performance indicator you selected determines whether the value represents an integer or a percentage.

Variable Alert
a. From the Alert When list on the left, select a variable.
b. From the list of operators, select the appropriate operator.
c. Type a numeric value. The variable you selected determines whether the value represents an integer or a percentage.

System Event Alert
• From the Alert When list on the left, select the Software Security Center system event that is to trigger the alert.

7. If you are creating a system event alert, click Save. Otherwise, proceed to the next step.
8. To specify the scope of the alert:
a. In the Scope section, click Add.
The Select Project Versions dialog box opens.
b. Select the check boxes that correspond to the project versions to which your new alert applies, and then click OK.
9. In the Notification section, next to Recipient, select one of the following recipient preferences:
Note: Regardless of the option you select, you will receive the notification.
• To have the notification sent only to you, select Me Only.
• If you are creating a process alert and you want the notification sent to the process entity work owner and to the Software Security Center users who sign off on the project version, select Process Entity Stakeholders.
• To have the notification sent to all Software Security Center users who have access to the project versions you specified in the Scope section, select All Project Version Users.
10. Click Save.
Software Security Center displays the details for your new alert.

Setting Alert Notification Preferences

By default, alerts are displayed on the Software Security Center dashboard of all specified recipients. You can also configure Software Security Center to send email notifications of alerts (in addition to displaying them on the dashboard) and to send you runtime alert notifications of the security events that the runtime system has flagged. To configure these settings, on the Alert Definitions panel, click Preferences, and then make changes on the Alert Notifications tab of the Modify Preferences dialog box.


Chapter 7: Collaborative Auditing
Software Security Center's Collaboration Module is a web-based collaborative environment for auditing issues associated with Software Security Center projects. This chapter provides an overview of the auditing process and instructions on how to display and use the auditing interface that is the Collaboration Module.
The information in this chapter is presented based on the assumption that you know how to create and configure Software Security Center project versions. (For information about Software Security Center projects and project versions, see Chapter 4, Software Security Center Projects and Project Versions on page 30.)

About Auditing
Issue audits, whether performed in Software Security Center or Audit Workbench, accomplish the following:
• Condense and focus project information
• Enable the security team to collaboratively decide which issues represent real vulnerabilities
• Enable the security team to collaboratively prioritize issues based on vulnerability
Software Security Center uses project templates to categorize and display issues.

About Current Issues State
Software Security Center keeps track of which analysis engine uncovers each issue in a project version and merges any new information into the existing body of results for the project version. After new audit information is uploaded to the server or entered through the Collaboration Module, Software Security Center merges that information into any existing audit information for a given issue. Software Security Center also marks an issue as removed after the analysis engine no longer finds the issue.

About Audit Conflicts
If, as you audit an issue from the Collaboration Module, another user updates that issue before you submit your audit information, Software Security Center notifies you and prompts you to re-submit your audit.


Starting the Collaboration Module
To start the Software Security Center Collaboration Module:
1. Log on to Software Security Center as an Administrator, Manager, Auditor, or Developer, and then click Projects. Software Security Center displays a list of all projects and project versions.
2. From the list, select a project version, and then click Audit Issues.
Note: If a project contains at least one artifact, and you do not see the Audit Issues button, you lack sufficient user privileges to perform an audit.

Software Security Center loads the analysis results for the project version. The issues list on the left summarizes the current audited state of all issues associated with the project's current snapshot. By default, the issues list displays summary information for critical issues. The Issues panel on the right lists all of the issues included in the category selected in the issues list on the left. By default, the panel displays any and all critical issues.


About Collaboration Module Display Modes
As you audit issues, Software Security Center dynamically optimizes the screen area allocated to the tools and features you select. The following table lists the components displayed after you start the Collaboration Module for the first time during a Software Security Center session.

Component: Description

Filter Set list: From this list, select the view that fits your auditing objectives.
  The Quick View filter set is the default filter set for new projects. It provides a view only of issues in the Critical folder (these have a potentially high impact and a high likelihood of occurring) and the High folder (these have a potentially high impact and a low likelihood of occurring). The Quick View filter set provides a useful first look at results that enables you to quickly address the most pressing issues.
  The Security Auditor View filter set is the default filter set for projects scanned in product versions earlier than 4.20. This view reveals a broad set of security issues to be audited. The Security Auditor View filter set contains no visibility filters, so all issues are shown.
  If you open the scan results for a project that you have previously worked on in an SSC version earlier than 4.20, you cannot see the Quick View filter set, but you might see the deprecated PCI Auditor View, Developer View, and Critical Exposure filter sets.
  If you open an FPR file that contains no custom filtertemplate.xml file, or if you open an FVDL file or a webinspect.xml file, the project opens with the Quick View filter set selected.
Issues for check box: Select this check box to display only those issues that are assigned to you.
Group by list: From this list, select the grouping for the issues to audit. (The default selection is Category.)
Fortify priority tabs: Tabs for issues that have a specific HP Fortify priority level (Critical, High, Medium, Low) or all priority levels (All). The tab name is followed by a number that indicates the number of issues of that priority level. For example, Critical (110) indicates that 110 critical issues were uncovered in the selected project version.
Issue groups: Clear the check boxes for the groups of issues you do not want to audit. (By default, the check boxes for all issue groups are selected.)
View Options link: Click this link to select your options for viewing issues.


The Issues panel on the right lists issues based on your selections in the left panel. After you select a listed issue, the panel displays the Summary, Details, Recommendations, and History tabs under the issue list.

Use the Summary tab to audit the selected issue. The History tab displays a summary of the auditing activities performed on the selected issue. The following table lists the information displayed on the Details tab for a selected issue.

Abstract: Provides a summary description of the issue, which may include abstracts defined by your organization.
Explanation: Displays a description of the conditions under which this type of issue occurs. The description includes a discussion of the vulnerability, the constructs typically associated with it, how it can be exploited, and the potential impact of an attack. This section also includes any explanations defined by your organization.
Instance ID: Unique identifier for the issue.
Rule ID: Unique identifier for the rule that generated the issue.
SCA Confidence: SCA-calculated number (ranging from 0.1 to 5.0) that represents the estimated likelihood that a finding represents a real vulnerability. The higher the number, the greater the confidence that the finding is valid. The more assumptions SCA has to make, the lower the confidence score.

The following table lists the information displayed on the Recommendation tab for a selected issue.

Recommendation: Provides recommendations on how to fix the type of issue you selected. It includes examples and any custom recommendations defined by your organization.
Tips: Provides tips for the type of issue selected, including any custom tips defined by your organization.
References: Lists the references on which the recommendations and tips are based. It includes custom references defined by your organization.

Auditing Issues with the Collaboration Module
This section provides information about how to audit Software Security Center project issues.
To audit project issues:
1. From the HP Fortify Software Security Center Dashboard, click the Projects tab.
2. In the Projects panel on the left, click the project version of interest, and then click Audit Issues.
Note: You can also access the Audit Issues button from both the Current State and Trending panels on the Issues tab for a selected project version.
Software Security Center displays the Collaboration Module. By default, the left-side panel of the Collaboration Module contains the Issue List. The Issue List includes folder tabs, Filter Set and Group By lists, and at the bottom a View Options link. Use these tools to customize the list of issues displayed in the Collaboration Module.
3. In the Issue List, choose an issue, and then in the central Issues panel click View Details.
• The Collaboration Module updates the upper-left panel with issue details.
• The lower right panel displays tools you can use to audit the issue, suppress the issue, or submit the issue to your secure deployment team's bug tracking server.
• If this is the first "File Bug" action for the current session and project, and if the bug tracker requires authentication, Software Security Center prompts you to provide log-on credentials. If you log on successfully, Software Security Center maintains the connection state for the remainder of the current Software Security Center session. If you do not log on successfully, Software Security Center displays an error message and aborts the action.
Software Security Center displays a submit dialog box for the associated bug tracker. If default values are available, these are used in the dialog box. Required fields are marked as such. Software Security Center acquires the fields and corresponding values dynamically from the bug tracker associated with the selected Software Security Center project.
Software Security Center submits the defect and logs the defect ID within the HP Fortify database. If the submission succeeds, Software Security Center displays a message that states that the defect was successfully submitted. Software Security Center also sets the value of the vulnerability attribute "Defect Id" to the defect ID returned by the bug tracker. If the submission fails, Software Security Center displays an error message.
For information about configuring Software Security Center bug tracker integration, see the HP Fortify Software Security Center Installation and Configuration Guide.
4. To return to the Issue List page, click Issue List in the upper right part of the page.

About Searching Issues
You can selectively locate issues using the search box under the issues list. When you enter a search term, the label next to the folder name changes to indicate the number of issues that match the search as a subset of the total.
You can wrap search terms with delimiters to indicate the type of comparison to be performed. Table 12 shows the syntax to use in the search string field.

Search terms can be further qualified with modifiers. For more information, see About Search Modifiers on page 82. The basic syntax for using a modifier is modifier:<search_term>. A search string can contain multiple modifiers and search terms. If you specify more than one modifier, the search returns only issues that match all the modified search terms. For example, file:ApplicationContext.java category:SQL Injection returns only SQL injection issues found in ApplicationContext.java. If you use the same modifier more than once in a search string, then the search terms qualified by those modifiers are treated as an OR comparison. So, for example, file:ApplicationContext.java category:SQL Injection category:Cross-Site Scripting returns SQL injection issues and cross-site scripting issues found in ApplicationContext.java.
For complex searches, you can also insert the AND or the OR keyword between your search queries. (Note that AND and OR operations have the same priority in searches.)

Table 12: Search Comparison Syntax

Comparison: Description

contains: Searches for a term without any qualifying delimiters
equals: Searches for an exact match if the term is wrapped in quotation marks ("")
regex: Searches for values that match a Java-style regular expression delimited by a forward slash (/). Example: /eas.+?/
number range: Uses standard mathematical syntax, such as "(" and ")" for an exclusive range, and "[" and "]" for an inclusive range, where (2,4] represents the range of numbers greater than two and less than or equal to four
not equals: Excludes issues specified by the string by preceding the string with an exclamation character (!). For example, file:!Main.java returns all issues that are not in the Main.java file.


To search issues, do one of the following:
• Type a search string in the box, and then press ENTER.
• To select a search term you used earlier during the current work session, click the arrow in the search box, and then select a search term from the list.
Note: After you log off of Software Security Center, all search terms are discarded.

About Search Modifiers
You can use a search modifier to specify which issue attribute the search term should apply to. To use a modifier that contains a space in its name, such as the name of a custom tag, you must delimit the modifier with brackets. For example, to search for issues that are new, type [issue age]:new.
A search that is not qualified by a modifier matches the search string on the following attributes: kingdom, primary rule id, analyzer, filename, severity, class name, function name, instance id, package, confidence, type, subtype, taint flags, category, sink, and source.
• To apply the search to all modifiers, enter a string, such as control flow. This searches all of the modifiers and returns any results that contain the string "control flow."
• To apply the search to a specific modifier, type the modifier name and the string as follows: analyzer:control flow. This returns all results with the analyzer "control flow."
Table 13 lists the search modifiers.

Table 13: Search Modifiers

Modifier: Description

[issue age]: Searches for the issue age, which is either removed, existing, or new
<custom_tagname>: Searches the specified custom tag. Note that tag names that contain spaces must be delimited by square brackets. Example: [my tag]:value
analysis: Searches for issues that have the specified audit analysis value (such as "exploitable," "not an issue," and so on)
analyzer: Searches the issues for the specified analyzer
audience: Searches for issues by intended audience. Valid values are "targeted," "medium," and "broad"
audited: Searches the issues to find true if Primary Custom Tag is set and false if Primary Custom Tag is not set
category (cat): Searches for the given category or category substring
comments (comment, com): Searches the comments submitted on the issue
commentuser: Searches for issues with comments from a specified user
confidence (con): Searches for issues that have the specified confidence value. Fortify Source Code Analyzer calculates the confidence value based on the number of assumptions made in code analysis. The more assumptions made, the lower the confidence value.
dynamic: Searches for issues that have the specified dynamic hot spot ranking value
file: Searches for issues where the primary location or sink node function call occurs in the specified file.
[fortify priority order]: Searches for issues that have a priority level that matches the specified priority determined by the HP Fortify analyzers. Valid values are critical, high, medium, and low, based on the expected impact and likelihood of exploitation. The impact value indicates the potential damage that might result if an issue is successfully exploited. The likelihood value is a combination of confidence, accuracy of the rule, and probability that the issue can be exploited. Software Security Center groups issues into folders based on the four priority values (critical, high, medium, and low) by default.
historyuser: Searches for issues that have audit data modified by the specified user
kingdom: Searches for all issues in the specified kingdom
maxconf: Searches for all issues that have a confidence value up to and including the number specified as the search term
<metagroup_name>: Searches the specified metagroup. Metagroups include [owasp top ten 2010], [sans top 25 2010], [pci 2.1], and others. Square braces delimit field names that include spaces.
minconf: Searches for all issues that have a confidence greater than or equal to the specified value.
package: Searches for issues where the primary location occurs in the specified package or namespace. (For data flow issues, the primary location is the sink function.)
[primary context]: Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see sink, [source context].
primaryrule (rule): Searches for all issues related to the specified sink rule
ruleid: Searches for all issues reported by the specified rule IDs used to generate the issue source, sink and all passthroughs
sink: Searches for issues that have the specified sink function name. Also see [primary context]
source: Searches for data flow issues that have the specified source function name. Also see [source context]
[source context]: Searches for data flow issues that have the source function call contained in the specified code context. Also see source, [primary context].
sourcefile: Searches for data flow issues with the source function call that the specified file contains. Also see: file
status: Searches issues that have the status reviewed, not reviewed, or under review
suppressed: Searches for suppressed issues
taint: Searches for issues that have the specified taint flag
trace: Searches for issues that have the specified string in the data flow trace
tracenode: Enables you to search on the nodes within an issue's analysis trace. Each tracenode search value is a concatenation of the tracenode's file path, line number, and additional information.
<no attribute>: Searches for issues that have any of the most common attributes that match the specified string

Search Query Examples
Consider the following examples:
• To search for all privacy violations in file names that contain jsp with getSSN() as a source, type the following: category:"privacy violation" source:getssn file:jsp
• To search for all file names that contain com/fortify/awb, type the following: file:"com/fortify/awb"
• To search for all paths that contain traces with mydbcode.sqlcleanse as part of the name, type the following: trace:mydbcode.sqlcleanse
• To search for all paths that contain traces with cleanse as part of the name, type the following: trace:cleanse
• To search for all issues that contain cleanse as part of any modifier, type the following: cleanse
• To search for all suppressed vulnerabilities with asdf in the comments, type the following: suppressed:true comments:asdf
• To search for all categories except for SQL Injection, type the following: category:!SQL Injection
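The following Python evaluator is an added illustration, not code from the product or this guide: it applies the comparison syntax of Table 12 and the modifier rules above (terms under one modifier are ORed, different modifiers are ANDed, ! negates, quotes force an exact match, /.../ is a regular expression, (2,4] is a numeric range) to constructed sample issues. The issue records, the field names, the set of attributes an unqualified term is matched against, and the alias table are assumptions for the example; the explicit AND/OR keywords are not implemented, and Java regular expressions are approximated with Python's re module.

```python
"""Evaluator for the Software Security Center issue-search syntax (illustrative only)."""
import re
from typing import Any

# Short modifier names from Table 13 mapped to their full names (assumed mapping).
ALIASES = {"cat": "category", "con": "confidence", "com": "comments",
           "comment": "comments", "rule": "primaryrule"}

# Attributes an unqualified term is matched against (a subset of the list above).
DEFAULT_FIELDS = ("kingdom", "analyzer", "file", "severity", "category",
                  "confidence", "sink", "source")

# A modifier is a word, or a bracketed name such as [issue age], followed by ":".
# It must start the query or follow whitespace, so "Cross-Site" is not split.
_MODIFIER = re.compile(r"(?:^|(?<=\s))(\[[^\]]+\]|[A-Za-z_]+):")
# Numeric range: "(" / ")" exclusive, "[" / "]" inclusive, e.g. (2,4]
_RANGE = re.compile(r"^([\(\[])\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*([\)\]])$")


def parse_query(query: str) -> dict[str, list[str]]:
    """Split a search string into {modifier: [term, ...]}.

    Text before the first modifier is an unqualified term, stored under "".
    A term runs until the next modifier, so "category:SQL Injection" keeps
    its space.  (A value containing "word:" after whitespace would be split;
    that is a limitation of this example, not a statement about the product.)
    """
    terms: dict[str, list[str]] = {}
    found = list(_MODIFIER.finditer(query))
    free = query[:found[0].start() if found else len(query)].strip()
    if free:
        terms.setdefault("", []).append(free)
    for i, m in enumerate(found):
        name = m.group(1).strip("[]").lower()
        name = ALIASES.get(name, name)
        end = found[i + 1].start() if i + 1 < len(found) else len(query)
        terms.setdefault(name, []).append(query[m.end():end].strip())
    return terms


def match_term(actual: Any, term: str) -> bool:
    """Apply the Table 12 comparison rules to one attribute value."""
    negate = term.startswith("!")                   # not equals: file:!Main.java
    if negate:
        term = term[1:]
    text = "" if actual is None else str(actual)    # missing attribute -> empty text
    is_number = isinstance(actual, (int, float)) and not isinstance(actual, bool)
    rng = _RANGE.match(term)
    if len(term) >= 2 and term[0] == term[-1] == '"':
        result = text.lower() == term[1:-1].lower()                      # equals
    elif len(term) >= 2 and term[0] == term[-1] == "/":
        result = re.search(term[1:-1], text, re.IGNORECASE) is not None  # regex
    elif rng and is_number:                                              # number range
        lo_br, lo, hi, hi_br = rng.groups()
        lo_ok = actual > float(lo) if lo_br == "(" else actual >= float(lo)
        hi_ok = actual < float(hi) if hi_br == ")" else actual <= float(hi)
        result = lo_ok and hi_ok
    else:
        result = term.lower() in text.lower()                            # contains
    return not result if negate else result


def matches_issue(issue: dict[str, Any], query: str) -> bool:
    """Terms under the same modifier are ORed; different modifiers are ANDed."""
    for field, terms in parse_query(query).items():
        fields = DEFAULT_FIELDS if field == "" else (field,)
        if not any(match_term(issue.get(f), t) for t in terms for f in fields):
            return False
    return True


def search(issues: list[dict[str, Any]], query: str) -> list[int]:
    """Return the instance ids of the issues that satisfy the query."""
    return [issue["iid"] for issue in issues if matches_issue(issue, query)]


# Constructed sample issues (not real scan output); "iid" stands in for Instance ID.
ISSUES = [
    {"iid": 1, "category": "SQL Injection", "file": "ApplicationContext.java",
     "source": "getParameter", "sink": "executeQuery", "analyzer": "dataflow",
     "kingdom": "Input Validation and Representation", "confidence": 4.5,
     "suppressed": False, "comments": "", "issue age": "new"},
    {"iid": 2, "category": "Cross-Site Scripting: Reflected", "file": "ApplicationContext.java",
     "source": "getParameter", "sink": "println", "analyzer": "dataflow",
     "kingdom": "Input Validation and Representation", "confidence": 2.0,
     "suppressed": True, "comments": "asdf, duplicate of 1", "issue age": "existing"},
    {"iid": 3, "category": "Privacy Violation", "file": "account.jsp",
     "source": "getSSN", "sink": "print", "analyzer": "dataflow",
     "kingdom": "Security Features", "confidence": 3.2,
     "suppressed": False, "comments": "", "issue age": "new"},
    {"iid": 4, "category": "Null Dereference", "file": "Main.java",
     "source": None, "sink": None, "analyzer": "control flow",
     "kingdom": "Code Quality", "confidence": 5.0,
     "suppressed": False, "comments": "", "issue age": "removed"},
]

if __name__ == "__main__":
    for q in ("file:ApplicationContext.java category:SQL Injection category:Cross-Site Scripting",
              'category:"privacy violation" source:getssn file:jsp',
              "category:!SQL Injection", "confidence:(2,4]", "[issue age]:new", "control flow"):
        print(f"{q!r:85} -> {search(ISSUES, q)}")
```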


About HP Fortify Software Security Center and WebInspect Enterprise Integration
Software Security Center and HP WebInspect are closely integrated and can share scan results. Administrators can also submit requests for WebInspect dynamic scans from the Software Security Center interface. This section describes how to view WebInspect results in Software Security Center and provides instructions for Software Security Center users on how to request scans.

Viewing WebInspect Scan Results in Software Security Center
WebInspect saves scan results (results data and audit data) in FPR format, which can be imported into Software Security Center. After you upload the WebInspect FPR to Software Security Center, you can display the data in Software Security Center by navigating to the issue list for a selected project version.
The following screen capture shows WebInspect results and audit data displayed on issues in Software Security Center.

The top right panel includes the following tabs:
• The Request tab displays the request of the issue, highlighting the attack.
• The Response tab displays the response of the issue, highlighting the trigger.
• The Stack Trace tab displays a WebInspect Agent stack trace.
• The Steps tab (visible only if the steps are included in the WebInspect results file) displays the workflow that led to the discovery of an issue.
The top right panel also includes the following two check boxes, which are selected by default:
• Select the Auto-scroll check box to bypass any header information and automatically jump to the first highlighted section of the response or request.
• Select the Wrap Text check box to format the text to fit within your current display area.


The Information icon is displayed to the right of the Auto-scroll and Wrap Text check boxes. If you want to leave your workspace layout as is, you can click this icon and view the information presented in the Request and Response tabs in a separate window with a larger viewing area.

The top left panel displays a summary of the data displayed on the Details tab on the bottom right panel. You can use the arrows in this summary panel to go forward or backward in the issue list. To return to the full issue list display, click the Issue List link.


The bottom right panel also includes the Details tab, which displays a summary of the type of potential vulnerability posed by the selected issue. To read more about the issue, scroll to the Reference Info section of the Details tab, and then click a link to open a separate browser window.

The Steps tab displays the workflow that led to the finding. WebInspect captures the sequence of actions that occurred between a clean state of the scanned application up until the vulnerability was discovered. These steps are helpful if the workflow for a particular issue is difficult to reproduce.
Note: The Steps tab is available only if the steps are included in the WebInspect results file.

The Screenshots tab, shown in the following screen capture, displays any screenshots transferred from WebInspect. You can add, edit, delete, and download screenshots from the Screenshots tab.


About WebInspect Audit Data
In addition to screenshots, the following types of audit data are transferred from WebInspect to Software Security Center:
• Vulnerability Notes. Vulnerability notes in WebInspect are transferred to Software Security Center as issue comments.
• Ignored Vulnerabilities. Vulnerabilities marked as "Ignored" in WebInspect are marked "Suppressed" upon transfer to Software Security Center.
• False Positives. See About False Positives.

About False Positives
Software Security Center does not have a direct equivalent of the WebInspect "false positive" status. If a WebInspect user marks a vulnerability as a false positive, the vulnerability is hidden from the vulnerability lists and is removed from the vulnerability counts.
To emulate the false positive status in Software Security Center, you can use the default Analysis custom tag. A WebInspect false positive is assigned the Analysis value "Not an Issue" in Software Security Center. To emulate the WebInspect behavior of hiding the issue from lists and counts, the issue is marked as Suppressed.

Note: If the selected value for Analysis has changed from "Not an Issue" or is missing, or if the Analysis list has been removed from your project version, then the false positive status of the issue is lost. The issue is marked as "Suppressed."


Requesting Dynamic Scans
You can request WebInspect scans from Software Security Center if WebInspect is installed in your environment.
To create a scan request for a project version:
1. Log on to Software Security Center.
2. Navigate to the Issues tab on the details page for the project version you want to have scanned.
3. From the Dynamic Scan Request list, select Create. The Dynamic Scan Request dialog box opens.
4. Provide values for the attributes listed in the following table.
Note: The following table does not list custom dynamic scan attributes that you or another Software Security Center administrator may have added to the system.

Note: The dynamic tester who handles the scan request on WebInspect may be interested in additional project version attributes, such as business risk and compliance implications. The tester can use existing web services methods to retrieve those attributes for a project version.

Dynamic Scan Attribute: Description

URL: URL of the site to scan
Site Login: Username required to log on to the site to scan
Site Passcode: Password to use to gain access to the site
Network Login: Username required for network authentication
Network Passcode: Password required for network authentication
Related Host Name(s): Allowable hosts for the application to scan
Web Services Used: Comma-delimited list of web services used by the application to scan
Technologies Used: Comma-delimited list of technologies used by the site to scan. Examples: SSO, WebSphere, SharePoint, Flash, Silverlight, Catalog Site, Shopping Cart
Compliance Implications: Provide information about any potential compliance implications
Allowable Scan Times: Dates and times during which the tester can perform the scan. Example: From 17:00 h to 06:00 h, Monday through Friday, from 09/03/13 to 11/30/13


5. Click Submit. Software Security Center displays a message to verify that the request submission was successful.
Next, the WebInspect tester who monitors and responds to scan requests runs the scan during the hours you specified, and then uploads the results to Software Security Center.

Viewing the Status of the Last Dynamic Scan Request
To view the current status of the last dynamic scan request submitted for a project version:
1. Navigate to the Issues tab on the details page for the project version for which you submitted a scan request.
2. From the Dynamic Scan Request list, select Last Scan Status. Software Security Center displays the date and time the scan request was submitted, and request status information.

Dynamic Scan Request States
After you submit a dynamic scan request, the request enters the PENDING state. As soon as the tester starts the scan from WebInspect, the request state is IN_PROGRESS. After the WebInspect tester completes the scan, the scan request enters the COMPLETED state.
As long as a dynamic scan request is pending, you can edit or cancel it. As soon as the scan starts, however, you can no longer edit or cancel it.

Editing Scan Requests
To edit a dynamic scan request:
Note: You can only edit scan requests that you yourself have submitted.
1. Navigate to the Issues tab on the details page for the project version for which you have requested a dynamic scan.
2. From the Dynamic Scan Request list, select Edit. The Dynamic Scan Request dialog box opens.
3. Edit the values for the dynamic scan attributes, and then click Submit.


Cancelling a Scan Request
To cancel a pending dynamic scan request:
Note: You can only cancel scan requests that you have submitted.
1. Navigate to the Issues tab on the details page for the project version for which you have requested a dynamic scan.
2. From the Dynamic Scan Request list, select Cancel. Software Security Center prompts you to confirm that you want to cancel the last dynamic scan request.
3. Click Yes.

Uploading Third-Party Results to Software Security Center
To upload third-party results to SSC, you must implement a third-party parser. The HP Fortify Public API contains the com.fortify.pub.issueparsing package, which details all of the available interfaces to use in custom parser code.
To upload third-party results to SSC:
1. Implement your custom parser. The Fortify Public API (located in the <SCA_Install>/Samples/advanced/JavaDoc/public-api directory) contains the com.fortify.pub.issueparsing package. This package details all of the available interfaces to use in your custom parser code.
2. Use the Java compiler to compile the custom parser code with the <ssc.war>/WEB-INF/lib/fortifypublic.jar file in its classpath.
3. Package the custom parser classes into a jar file, and then place that file in the <ssc.war>/WEB-INF/lib directory.
4. Open the <ssc.war>/WEB-INF/internal/serviceContext.xml file.
5. Under the section <!--Analysis File Parsers -->, add a bean definition for the custom parser.
6. Restart Software Security Center, and then upload the results file. Software Security Center goes through the list of parsers in the serviceContext.xml file until it finds the parser for your uploaded results.

Mapping Scan Results to External Lists
HP Fortify distributes an external metadata document with Rulepacks. This document includes mappings from the HP Fortify categories to alternative categories (such as OWASP 2010, PCI 1.2, or CWE). Security leads can customize this mapping or create their own files to map HP Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations.
You can either modify the existing external metadata document (externalmetadata.xml), or create your own document (recommended). The existing mapping file is located in the \Core\config\ExternalMetadata directory of Audit Workbench.
Use any XML editor to make your changes or create a new document. HP Fortify recommends that you save your new or modified document to the \Core\config\ExternalMetadata directory with a new name so that your changes are not lost during Rulepack updates.
To validate your modified or new mapping, use the externalmetadata.xsd file, which is located in the Core\config\schemas directory.
To apply the modified or new external metadata document across all projects, you must first import it into Software Security Center.


Chapter 7: Collaborative Auditing 92

To import a new or modified external metadata document into Software Security Center:

1. Log on as Administrator, and then click the Administration tab.
2. In the Administration panel, under General, click Rulepacks.
3. In the Rulepacks panel on the right, click Import.
The Import Rulepack dialog box opens.
4. Click Browse.
5. Navigate to and select your document, and then click Import.

After you change your mapping document and import it into Software Security Center, you might want to open the FPR file in Audit Workbench to see how the mapping works with the scan results.


Chapter 8: Software Security Center Reports

This chapter contains the following sections about Software Security Center reports and how to generate, import, and export them:

• About Software Security Center Issue Reports on page 93
• About Software Security Center Portfolio Reports on page 94
• About Software Security Center Project Reports on page 95
• About Software Security Center SSA Portfolio Reports on page 95
• About Software Security Center SSA Project Reports on page 95
• Generating and Viewing Reports on page 96
• About BIRT Reports in Software Security Center on page 96
• Exporting Report Definitions from Software Security Center on page 98
• Importing Report Definitions into Software Security Center on page 98

About Software Security Center Issue Reports

The Issue report group summarizes the presence of specific vulnerability categories in a single Software Security Center project version.

About 2009, 2010, and 2011 CWE/SANS Top 25 Reports

The CWE/SANS Top 25 reports detail findings related to the CWE/SANS top 25 most dangerous programming errors uncovered for a project version, and provide information about where and how to address the findings.

About the Developer Workbook Report

The Developer Workbook report, which is targeted at project managers and developers, contains all of the information needed to understand and fix issues discovered during a project version audit.

About the DISA STIG 3, 3.4, 3.5, 3.7, and 3.9 Reports

The DISA STIG 3, 3.4, 3.5, 3.7, and 3.9 reports, which are targeted at project managers, security auditors, and developers, address DISA compliance through STIG 3, 3.4, 3.5, 3.7, and 3.9 violations found in a project version. They provide information about where and how to fix the issues, and details about the technical risks posed by unremediated violations. The reports also include an estimate of the effort required to fix, verify, and test the findings.

About the FISMA Compliance: FIPS - 200 Report

The FISMA Compliance: FIPS - 200 report, which is targeted at project managers, security auditors, and developers, addresses FISMA compliance through FIPS-200 violations detected in a project version. It provides information about where and how to fix the issues, as well as details about the technical risks posed by unremediated violations. The report also includes an estimate of the effort required to fix, verify, and test the findings.

About OWASP Mobile Top 10 Reports

The OWASP Mobile Top 10 reports, which are targeted at project managers, security auditors, and software developers, detail the top ten OWASP mobile-related findings for a project version. They provide information on where and how to fix specific issues and on the technical risk posed by the unremediated findings discovered during analysis. The reports also provide estimates of the effort required to fix, verify, and test the findings.

About OWASP Top 10 Reports

The OWASP 2004, 2007, 2010, and 2013 reports, which are targeted at project managers, security auditors, and developers, detail the top ten OWASP-related findings for a project version. They include information about where and how to fix the issues, as well as details about the technical risks posed by unremediated violations. The reports also provide estimates of the effort required to fix, verify, and test the findings.

About the PCI DSS Compliance: Application Security Report

The PCI Compliance: Application Security Requirements report is targeted at project managers, security auditors, and compliance auditors. It summarizes the application security portions of PCI DSS v2.0 and 3.0. Software Security Center tests for 21 application security-related requirements across sections 3, 4, 6, 7, 8, and 10 of PCI DSS and reports on whether each requirement is either “in place” or “not in place.”

About the Penetration Testing Correlation Report

Use the Penetration Testing Correlation Report to correlate results from third-party penetration testing tools with issues detected by WebInspect Agent, Runtime Application Protection, and Source Code Analyzer for a Software Security Center project version.

About the Seven Pernicious Kingdoms Report

The Seven Pernicious Kingdoms Report is directed at project managers, security auditors, and developers. This report summarizes the findings related to the presence of several HP Fortify-defined issues (see http://www.fortify.com/vulncat/en/docs/Fortify_TaxonomyofSoftwareSecurityErrors.pdf) in a project version. It includes information about where and how to fix the issues, and details about the technical risks posed by unremediated issues. The report also provides estimates of the effort required to fix, verify, and test the findings.

About the Vulnerability Report

The Vulnerability Report provides an analysis of the security risk posed by a project version’s current status. It presents the vulnerability category and severity level distributions across the entire project. The report data enable project managers to evaluate the security posture of a project and prioritize outstanding issues that require immediate attention.

About Software Security Center Portfolio Reports

The Portfolio report group contains reports that enable you to compare issue trends and indicators across multiple Software Security Center project versions.

About the Hierarchical Summary Report

The Hierarchical Summary Report presents a three-level, hierarchical summary for all projects you select to include in the report. It provides the following information:

• Overview statistics for all selected projects
• A specific project attribute
• Projects grouped by project owner

You can choose to exclude the project summary and owner details from the report.


About the Issue Trending Report

Use the Issue Trending Report to create a historical summary of issues by:

• Project version
• Issue categorization (HP Fortify Priority Order, Kingdom, or OWASP 2004, 2007, 2010, or 2013)
• Date range

The charts in this report show the number of issues found in each project you selected to include. They display the total number of issues, as well as a breakdown of High Priority and Critical Exposure issues per project.

About the Key Performance Indicators Report

The Key Performance Indicators Report summarizes multiple security performance indicators based on project attributes. Project managers and security officers can use this view of the project portfolio to perform basic comparisons between attribute groupings. This report permits indicators to be grouped by project type or other cross-project categories.

About the Security at a Glance Report

Use the Security at a Glance Report to produce a high-level overview of the potential security risk and current security findings across the top five Software Security Center project versions.

About Software Security Center Project Reports

The Project report group contains the Project Summary report.

About the Project Summary Report

Use the Project Summary report to summarize a single version of a project. This report includes a high-level look at the outstanding issues associated with the project and detailed information related to the risk profile. It also includes a summary of the user activities that were performed.

About Software Security Center SSA Portfolio Reports

The SSA Portfolio report group contains a single report that you can use to summarize the completion state of Secure Software Assurance requirements and activities across one or more Software Security Center project versions.

About the SSA Progress Report

Use the SSA Progress report to summarize the Secure Software state of one or more projects’ requirements and activities.

About Software Security Center SSA Project Reports

The SSA Portfolio report group contains one report that enables you to summarize the completion of Secure Software Assurance requirements and activities across one or more Software Security Center project versions.

About the SSA Project Summary Report

Use the SSA Project Summary report to summarize the Secure Software state of one or more projects’ requirements and activities.


Generating and Viewing Reports

To generate and view a Software Security Center report:

1. Log on to Software Security Center and click the Reports tab.
The Saved Reports panel opens on the left and displays any saved reports.
2. Click Generate.
The Generate Report dialog box opens and lists available report types.
3. From the list of reports, select the type of report that you want to create.
The right panel displays the configuration fields for the report type you selected.
4. If multiple editions of the report are available, from the Options field, select the edition you want to generate.
5. Specify the required report settings, including the report name, output format, and project versions to include in the report.
Depending on the report type, additional settings may be required or available.
6. Click Generate.
Software Security Center adds the report to the Saved Reports list. After the report generation is completed, the Status field displays the value Processing Complete.
7. To view the report, select it from the reports list, and then click Download.
8. Save the report file.

About BIRT Reports in Software Security Center

Software Security Center reports are based on the Business Intelligence and Reporting Technology (BIRT) system. BIRT is an open source reporting system based on Eclipse.

For information about BIRT, see the following page on the Eclipse website:
http://www.eclipse.org/birt/phoenix/intro

Preventing Destructive Libraries and Templates from being Uploaded to Software Security Center

Only users with permission to manage report definitions and libraries can upload custom report libraries and templates to Software Security Center. To prevent templates that execute arbitrary and potentially destructive SQL queries and commands from being uploaded to Software Security Center:

• Make sure to assign these permissions only to trusted users.
• Make sure to check all custom templates for arbitrary SQL queries and commands before uploading them to Software Security Center.

Caution: A malicious user might modify a report library or template so that it contains arbitrary and potentially destructive SQL queries and commands. Only upload libraries and templates that have been written by a trusted user and that have been reviewed for malicious queries and commands.
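The template check called for above can be partly automated. The following Python script is an added example for readers of this guide, not Fortify product code: it parses a BIRT .rptdesign template, extracts every data-set queryText and every event-handler script, and flags stacked statements, statements that are not SELECTs, destructive keywords, and any embedded script for manual review. The BIRT element names (data-sets, xml-property name="queryText", method) are assumed here from the BIRT design file format, and the sample template and its table names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of BIRT .rptdesign files (assumption based on the BIRT 2005 design schema).
BIRT_NS = "http://www.eclipse.org/birt/2005/design"
NS = {"b": BIRT_NS}

# Statement keywords that have no place in a read-only reporting query.
DESTRUCTIVE = re.compile(r"\b(insert|update|delete|drop|alter|truncate|create|grant|revoke|exec|execute|merge|call)\b", re.I)
READ_ONLY_PREFIXES = ("select", "with")


def extract_queries(rptdesign_xml: str):
    """Return (data_set_name, query_text) for every data set's queryText property."""
    root = ET.fromstring(rptdesign_xml)
    queries = []
    for data_set in root.findall(".//b:data-sets/*", NS):
        name = data_set.get("name", "<unnamed>")
        for prop in data_set.findall("b:xml-property", NS):
            if prop.get("name") == "queryText":
                queries.append((name, (prop.text or "").strip()))
    return queries


def extract_scripts(rptdesign_xml: str):
    """Return (event_name, script) for every non-empty <method> event-handler script."""
    root = ET.fromstring(rptdesign_xml)
    return [(m.get("name", "<unnamed>"), m.text.strip())
            for m in root.iter(f"{{{BIRT_NS}}}method") if m.text and m.text.strip()]


def review_template(rptdesign_xml: str):
    """Return human-readable findings for a template; an empty list means nothing was flagged."""
    findings = []
    for name, query in extract_queries(rptdesign_xml):
        # Stacked statements ("SELECT 1; DROP ...") are the usual way a command is smuggled in.
        statements = [s.strip() for s in query.split(";") if s.strip()]
        if len(statements) > 1:
            findings.append(f"data set '{name}': queryText holds {len(statements)} statements")
        for stmt in statements:
            if not stmt.lower().startswith(READ_ONLY_PREFIXES):
                findings.append(f"data set '{name}': statement is not a SELECT: {stmt[:40]!r}")
            elif DESTRUCTIVE.search(stmt):
                findings.append(f"data set '{name}': destructive keyword inside query: {stmt[:40]!r}")
    for event, _script in extract_scripts(rptdesign_xml):
        # Event-handler scripts execute at report time, so a human must read every one of them.
        findings.append(f"event handler '{event}' contains script; review manually")
    return findings


# Constructed sample template (not a real Fortify report): one benign data set, one tampered one.
SAMPLE_RPTDESIGN = """<report xmlns="http://www.eclipse.org/birt/2005/design">
  <data-sets>
    <oda-data-set name="IssueCounts">
      <xml-property name="queryText"><![CDATA[SELECT pv.name, COUNT(*) AS issue_count
        FROM example_issue i JOIN example_projectversion pv ON i.pv_id = pv.id GROUP BY pv.name]]></xml-property>
    </oda-data-set>
    <oda-data-set name="Tampered">
      <xml-property name="queryText"><![CDATA[SELECT 1; DROP TABLE example_audit]]></xml-property>
      <method name="beforeOpen"><![CDATA[ var marker = 1; ]]></method>
    </oda-data-set>
  </data-sets>
</report>
"""

if __name__ == "__main__":
    print("\n".join(review_template(SAMPLE_RPTDESIGN)) or "no findings")
```

The word-boundary match keeps column names such as create_date from tripping the keyword check, but a SQL comment containing one of the keywords will be flagged, so treat the output as a triage list rather than a verdict.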


About BIRT Libraries

BIRT libraries encapsulate commonly required functions and report items. These libraries can then be imported into any number of BIRT reports for reuse. In addition, libraries help segment report development tasks, as opposed to requiring a single report developer to create all components for each report.

Note: Before you use the BIRT report libraries, you must acquire the BIRT Report Designer. For instructions, see Acquiring the BIRT Report Designer on page 98.

Reports that reference libraries are automatically updated when the report is executed. This is useful in cases where business or technical changes would otherwise require report rework. For example, if a library component such as a corporate logo is used in a large number of report designs, then a change to the logo requires only a change to the library. All referencing reports reflect the change automatically.

Adding Resources to a BIRT Report Library

To add resources to a report library:

1. Log on to Software Security Center, and then click the Reports tab.
2. Click Report Libraries.
3. Click Add.
The Create Report Library dialog box opens.
4. Click Browse, and then navigate to and select the report library resource.
5. (Optional) Type a resource description.
6. Click Save.

The Download All link creates a zip file of multiple library resources on your local machine.

Customizing Software Security Center BIRT Reports

Customizing BIRT reports is not a beginner-level activity. It requires an understanding of database operation and design, SQL syntax, and report design.

To customize a Software Security Center BIRT report, do the following:

1. Acquire a supported version of Eclipse BIRT Report Designer (Report Designer).
For information about the BIRT Report Designer versions supported for Software Security Center reports, see the HP Fortify Software Security Center System Requirements document.
For information about downloading Eclipse BIRT Report Designer, see Acquiring the BIRT Report Designer.
2. Load a Software Security Center report definition into Report Designer.
You typically first export a report definition from Software Security Center, and then load that report definition into Report Designer. For information about exporting a Software Security Center report definition, see Exporting Report Definitions from Software Security Center on page 98.
3. Connect Report Designer to a running instance of the Software Security Center database.
Connecting Report Designer to the Software Security Center database enables you to load and verify the database queries you add to a BIRT report.
4. Use the Report Designer to add report design elements to the report definition, and add database queries to those design elements.


5. Use a local instance of Software Security Center to test the operation of a customized BIRT report.
6. Import the customized report definition into Software Security Center.
For information about importing report definitions into Software Security Center, see Importing Report Definitions into Software Security Center on page 98.

Acquiring the BIRT Report Designer

To customize Software Security Center reports, you must use a supported version of the Eclipse BIRT Report Designer (Report Designer). For information, see the HP Fortify Software Security Center System Requirements document.

To download the Eclipse BIRT Report Designer:

1. Open a web browser window and go to the following downloads page:
http://download.eclipse.org/birt/downloads/build_list.php
2. Download the Report Designer Full Eclipse Install for your operating system.

Exporting Report Definitions from Software Security Center

Perform the procedure in this section to export an existing Software Security Center report definition.

To export a Software Security Center report definition:

1. Click Reports.
2. Click Report Definitions.
Software Security Center displays the Report Definitions page, which lists all defined reports.
3. To export a report definition:
a. On the Report Definitions page, select a report definition.
In the right-side details panel, Software Security Center displays details about the selected report. The details include a link to the selected report’s definition (rptdesign filename extension).
b. In the right-side report details panel, click the download link for the selected report to export the report definition file.
Software Security Center exports the report to the selected location.

Importing Report Definitions into Software Security Center

Software Security Center reports are based on the open-source Business Intelligence and Reporting Tools (BIRT) system. BIRT enables you to import report definition files into Software Security Center.

To complete the procedure in this section, you need a Software Security Center BIRT definition (with the rptdesign filename extension).

To create a Software Security Center report definition:

1. Click Reports.
2. Click Report Definitions.
Software Security Center displays the Report Definitions page.
3. Click Add.
Software Security Center displays the Create Report Definition panel.


4. Configure the new report definition as follows:
• Type or choose the Name, Description, Report Engine, and Category settings.
• In the Template area, browse to the Software Security Center BIRT definition (with the rptdesign filename extension).
5. Add one or more optional parameters to the new Software Security Center report definition.
• In the Parameters area, click Add.
• Type or choose the Name, Description, Identifier, and Data Type settings that correspond to those values in the BIRT template you are uploading.
6. To add the new report definition to the list of definitions, click Save.


Appendix: Authentication Tokens

Authentication tokens are unique keys that enable users to automate actions within Software Security Center without using passwords. The user requests a token, authenticates to Software Security Center, and receives back a string that is permissioned for a small set of time-limited actions. For example, the AnalysisUploadToken token does not allow the user to log on to the interface or view results. Common actions include uploading scan results and downloading reports.

Generating Authentication Tokens

To generate a token, run the following HP Fortify Static Code Analyzer command:

fortifyclient token -gettoken <TOKEN_NAME> -url SSC_URL -user USERNAME -password

Table 14 lists the available TOKEN_NAME options.

Authentication tokens are defined at runtime within WEB-INF/internal/serviceContext.xml.

About Advanced Authentication Tokens

Advanced administrators can customize authentication tokens to extend the maximum token lifetime (set it and forget it) or create new tokens that work with Software Security Center’s remoting API (integrating between two systems). Modifying maxDaysToLive affects only newly created tokens.

Table 14: TOKEN_NAME Options

Option                  Description
AnalysisUploadToken     Upload scan results to Software Security Center and list projects
AuditToken              Load details about current security issues and apply analysis tags
AnalysisDownloadToken   Download merged result files
ReportToken             Enables users to:
                        • Request a list of saved reports
                        • Request a saved report based on the report ID
                        • Delete saved reports
                        • Return a list of saved reports associated with a specific project version
                        • Generate new reports