HP Fortify Software Security Center
Software Version 3.90

User Guide

Document Release Date: June 2013
Software Release Date: June 2013

Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

Copyright 2013 Hewlett-Packard Development Company, L.P.

Documentation Updates

The title page of this document contains the following identifying information:

- Software Version number, which indicates the software version
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to: http://h20230.www2.hp.com/selfsolve/manuals

This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: http://h20229.www2.hp.com/passport-registration.html

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-153-2013-06-390-01

Contents

Preface ... vii
    Contacting HP Fortify ... vii
    Technical Support ... vii
    Corporate Headquarters ... vii
    HP Corporate Website ... vii
    About the HP Fortify Software Security Center Documentation Set ... vii
    HP Fortify Assistive Technologies (Section 508) ... vii

Chapter 1: Introduction ... 8
    Intended Audience ... 8
    Related Documents ... 8

Chapter 2: Getting Started with Software Security Center ... 9
    About the Central Role of Software Security Center ... 9
    Security Management Workflow ... 10
    About User Accounts and Access ... 10
    About Active Directory/LDAP Integration ... 10
    Logging on to Software Security Center for the First Time ... 11
    Requesting Access to HP Fortify Software Security Center ... 12
    Accessing Process Guidance ... 13
    About the Software Security Center Dashboard ... 14
    Changing Your Account Information ... 15
    Configuring Dashboard Preferences ... 15
    Accessing HP Fortify Training Content ... 18
    About the Runtime Tab ... 19
    Runtime Events ... 19

Chapter 3: Managing User Accounts ... 20
    About Software Security Center User Account Management ... 20
    About Administrator Accounts ... 20
    About Security Lead Accounts ... 20
    Manager Accounts ... 21
    Developer Accounts ... 22
    Modifying Your Own User Account Information ... 23
    Customizing User Account Preferences ... 23
    Tracking Teams ... 23
    Roles ... 24
    Creating Custom Roles ... 25
    About Software Security Center Account Administration ... 29
    Creating Local User Accounts ... 29
    Registering LDAP Entities with Software Security Center ... 31

Chapter 4: Software Security Center Projects and Project Versions ... 32
    About Tracking Development Teams ... 32
    Projects and Project Versions ... 32
    About Strategies for Creating Project Versions ... 33
    About Annotating Project Versions for Reporting ... 33
    Displaying the Projects Page ... 34
    Project Icons ... 35
    About the Project Creation Process ... 36
    About Project Version Types ... 36
    About Project Dependencies ... 36
    About Project Version Attributes ... 36
    About Project Template Selection ... 37
    About Process Templates for SSA Projects ... 38
    About Creating Project Versions ... 39
    Adding Project Versions ... 39
    About Using Bug Tracking Systems to Help Manage Security Vulnerabilities ... 43
    Configuring Access to a Bug Tracker ... 43
    Configuring Bug Tracking for a Project Version ... 43
    About Using State Management to File Many Issues ... 44
    Changing the Project Template Associated with a Project Version ... 46
    Project On-Boarding ... 48
    Requesting Project Attribute Information ... 48
    Setting Analysis Result Processing Rules for Project Versions ... 53
    About Custom Tags ... 55
    Defining Custom Tags in Software Security Center ... 55
    Adding a Custom Tag ... 56
    Modifying Custom Tag Attributes ... 57
    Globally Hiding a Custom Tag ... 58
    Deleting Custom Tags ... 58
    Adding a Value for a Custom Tag ... 59
    Changing a Value for a Custom Tag ... 59
    Deleting a Value for a Custom Tag ... 60
    Associating a Custom Tag with a Project Template ... 60
    Viewing the Custom Tags Associated with a Project Template ... 61
    Disassociating a Custom Tag from a Project Template ... 62
    Associating a Custom Tag with a Project Version ... 63
    Disassociating a Custom Tag from a Project Version ... 64
    Adding a Custom Tag Value While Auditing an Issue ... 64
    Managing Custom Tags Through Project Templates ... 65
    Managing Custom Tags Through a Project Template in an FPR File ... 65
    About CloudScan in Software Security Center ... 66

Chapter 5: SSA Project Version Requirements ... 68
    About the Requirements Page ... 68
    Displaying the Requirements Detail Page ... 68
    About Process Requirements and Activities ... 69
    About Activities, Requirements, and Process Templates ... 70
    About SSA Project Sign Offs ... 70
    About Sign-Off Personas ... 70
    About Signing Off Activities ... 70
    About Multi-Persona Sign Offs ... 70
    About Signing Off Requirements ... 71
    Overview of Sign Off Process Templates ... 71
    Assigning User Accounts to Personas ... 71
    Assigning a Power User ... 72
    About Process Template Work Owners ... 72
    About Assignment of Work Owners to Personas ... 73
    About Software Security Center Persona Management ... 73
    Viewing and Editing Personas ... 74
    Deleting Personas ... 75
    Adding Tasks to Activities ... 75
    About Adding Status Alerts to Requirements and Activities ... 75
    About Working with Document Artifacts ... 76

Chapter 6: Variables, Performance Indicators, and Alerts ... 77
    About Working with Variables ... 77
    About Variable Syntax and Search Strings and Search String Modifiers ... 77
    Creating Variables ... 80
    About Performance Indicators ... 81
    Creating Performance Indicators ... 81
    About Alert Definitions ... 83
    Creating Alert Definitions ... 83
    Setting Alert Notification Preferences ... 84

Chapter 7: Collaborative Auditing ... 85
    About Auditing ... 85
    About Current Issues State ... 85
    About Audit Conflicts ... 85
    Starting the Collaboration Module ... 86
    About Collaboration Module Display Modes ... 87
    Auditing Issues with Collaboration Module ... 88
    About Searching Issues ... 89
    About Search Modifiers ... 90
    Search Query Examples ... 92
    About HP Fortify Software Security Center and WebInspect Enterprise Integration ... 93
    Viewing WebInspect Scan Results in Software Security Center ... 93
    About WebInspect Audit Data ... 96
    About False Positives ... 96
    Requesting Dynamic Scans ... 97
    Viewing the Status of the Last Dynamic Scan Request ... 98
    Mapping Scan Results to External Lists ... 101

Chapter 8: Software Security Center Reports ... 102
    Generating and Viewing Reports ... 102
    About Software Security Center Reports ... 103
    About Software Security Center Issue Reports ... 105
    OWASP 2004, 2007, 2010 Reports ... 105
    PCI Compliance: Application Security Report ... 105
    Penetration Testing Correlation ... 106
    Seven Pernicious Kingdoms Report ... 106
    Understanding Software Security Center Portfolio Reports ... 106
    Hierarchical Summary Report ... 106
    Hierarchical Trending Report ... 106
    Issue Trending Report ... 106
    Key Performance Indicators Report ... 106
    Security at a Glance Report ... 106
    About HP Fortify Software Security Center Project Reports ... 107
    Overview of the Project Summary Report ... 107
    About Software Security Center SSA Portfolio Reports ... 107
    About the SSA Progress Report ... 107
    About Software Security Center SSA Project Reports ... 107
    About the SSA Project Summary Report ... 107
    About BIRT Reports in Software Security Center ... 108
    About BIRT Libraries ... 108
    About BIRT Report Customization ... 108
    Acquiring the BIRT Report Designer ... 109
    Exporting Report Definitions from Software Security Center ... 109
    Importing Report Definitions into Software Security Center ... 109
    About Authorization Tokens ... 111
    Advanced Authorization Tokens ... 111

Preface

Contacting HP Fortify

If you have questions or comments about any part of this guide, use the HP Fortify contact information provided in the following sections.

Technical Support
[email protected]

Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA
[email protected]

HP Corporate Website
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set

The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. It also includes technical notes and release notes that describe new features, known issues, and last-minute updates. The latest versions of these documents are available on the HP Software Product Manuals site (http://h20230.www2.hp.com/selfsolve/manuals).

HP Fortify Assistive Technologies (Section 508)

In accordance with Section 508 of the U.S. Rehabilitation Act, HP Fortify Software Security Center, HP Fortify Audit Workbench, HP Fortify Plug-in for Eclipse, and HP Fortify Package for Microsoft Visual Studio have been engineered to work with the JAWS screen-reading software package from Freedom Scientific. JAWS provides text-to-speech support for use by the visually impaired. With JAWS, labels, text boxes, and other textual components can be read aloud, providing greater access to the information therein. For information about how to use JAWS, see the HP Fortify Software Security Center System Requirements document. For additional information or assistance, visit HP Accessibility at http://www.hp.com/accessibility.

Chapter 1: Introduction

This document contains information and procedures that enable you to install HP Fortify Software Security Center and perform the post-installation configuration tasks required to prepare the product for use.

Intended Audience

This guide is intended for use by enterprise security leads, development team managers, and developers.

Software Security Center provides security team leads with a high-level overview of the history and current status of a project. Your security team can then ensure that developers and auditors work together effectively to provide the best response to project issues.

Software Security Center provides auditors with a centralized facility for managing issues. If the manager needs to work offline or with the advanced tools that HP Fortify Audit Workbench offers, the current project state and up-to-date auditing information are made available for download.

Managers can use Software Security Center to prioritize issues to reflect the needs of the enterprise. That prioritization can then be used to prioritize the activities of the project development team.

Developers are responsible for creating and maintaining one or more code bases that conform to secure coding practices. Software Security Center provides a focal point for managing and transmitting information about specific issues received from analysis agents to supported Integrated Development Environments (IDEs), or to standalone clients such as HP Fortify Audit Workbench. Developers can then use the project snapshots produced by Software Security Center to measure their progress through the secure development life cycle.

Related Documents

The following documents provide additional information about Software Security Center:

HP Fortify Software Security Center Installation and Configuration Guide
This document provides system and database administrators with complete instructions on how to install and configure Software Security Center server software.

HP Fortify Software Security Center System Requirements
This document provides system and database administrators with the minimum and recommended requirements for installing and using Software Security Center server software.

Software Security Center online Process Guide
Software Security Center's online Process Guide provides information about how to use Software Security Center based on the role you play on your team. For information about how to access the Process Guide, see "Accessing Process Guidance" on page 13.

  • Chapter 2: Getting Started with Software Security Center 9

    Chapter 2: Getting Started with Software Security Center

    Software Security Center is a browser-based product that provides a set of capabilities across the software development lifecycle to automate detection of security vulnerabilities in applications. It helps your security and development teams work together to resolve security flaws quickly and accurately by making correlated data from HP Fortify Static Code Analyzer (SCA), HP WebInspect, and HP Fortify Runtime Application Protection available through its online collaboration environment.

    About the Central Role of Software Security Center

    Software Security Center provides a location for collecting, correlating, and exporting security analysis results. The Software Security Center server resides in a central location and receives results from different security activities, such as static, dynamic, and real-time analyses.

    Software Security Center is designed to help you:

    • Identify and prioritize a baseline of existing vulnerabilities
    • Prevent new vulnerabilities from being introduced
    • Remediate existing vulnerabilities and lower the baseline
    • Ensure that your code is in compliance with internal and external security mandates

    Software Security Center works within your organization to answer the following questions:

    • How do we drive the adoption of good application security practices?
    • How do we get actionable results to development teams?
    • Do we measure application teams on a team-by-team basis or as a unit?
    • How do we track results over time?


    Security Management Workflow

    The following figure illustrates the flow of security management processes within Software Security Center.

    Figure 1: Security Management Workflow in Software Security Center

    As scans are performed during development sprints, development teams submit periodic scan results from a continuous integration server into Software Security Center. Security teams submit periodic results of a dynamic assessment into Software Security Center.Software Security Center correlates and tracks the scan results and assessment results over time, and makes the information available to developers through the Audit Workbench web interface, or through IDE plug-ins such as the HP Fortify Plug-in for Eclipse, the HP Fortify Package for Microsoft Visual Studio, and others. Users can also push issues into defect tracking systems, including HP ALM, JIRA, and Bugzilla.

    About User Accounts and Access

    Software Security Center supports two methods of authentication:

    • Local user accounts created within the interface
    • Active Directory/LDAP accounts associated with standard corporate authentication (Active Directory/LDAP integration supports user assignment by group or organizational unit.)

    About Active Directory/LDAP Integration

    Active Directory/LDAP integration enables Software Security Center to authorize users based on their existing corporate credentials. In addition, assignment by group or organizational unit enables Software Security Center to take advantage of the existing joiners/leavers processes. A new person who joins a group automatically has access to Software Security Center. A person who leaves a group automatically loses access.

    The Software Security Center installer must configure the integration with Active Directory/LDAP during Software Security Center installation. For detailed information, see the HP Fortify Software Security Center Installation and Configuration Guide.


    Logging on to Software Security Center for the First Time

    To log on to Software Security Center, your Software Security Center Administrator must provide you with the URL for Software Security Center, a username, and a password.

    Note: If you do not yet have a Software Security Center user account, you can request one from the administrator. For information, see Requesting Access to HP Fortify Software Security Center.

    To log on to Software Security Center for the first time:

    1. To make sure that you access the newest version of the Software Security Center user interface, clear your web browser's cache.

    2. In a web browser, type the URL for your Software Security Center instance, as follows:

       • If Software Security Center is configured to use secure HTTP protocol, type the following URL:

         https://[host_IP]:[port]/ssc/

         where [port] represents the port number used by your application server.

       • If Software Security Center is configured to use insecure HTTP protocol (not recommended), type the following URL:

         http://[host_IP]:[port]/ssc/

         where [port] represents the port number used by your application server.

       The default logon credentials for a new Software Security Center installation are username admin and password admin. You must change your credentials at your first logon.

    3. In both the Username and Password boxes, type admin.

    4. Change your credentials when Software Security Center prompts you to do so.


    Requesting Access to HP Fortify Software Security Center

    If you do not yet have a Software Security Center user account, you can request one from the administrator.

    To request a Software Security Center user account:

    1. At the bottom of the Software Security Center logon screen, click the Request Access link.

       Note: The Request Access link is available only if your Software Security Center administrator has enabled email notification.

       The Account Request screen opens.

    2. Complete the required fields, and then click Send.

    3. After you see the message indicating that your request was successfully sent, click OK.

    The account creation request is sent to your Software Security Center Administrator.


    Accessing Process Guidance

    Software Security Center's online Process Guide provides information about how you can most effectively use SSC based on the role you play on your team. You can access the Process Guide from the SSC logon screen.

    To access the Process Guide, go to the HP Fortify Software Security Center logon screen, as described in Logging on to Software Security Center for the First Time on page 11, and then click the Learn About link.

    The Software Security Center Process Guide opens in your browser. Review the steps detailed on the Process Guide pages.


    About the Software Security Center Dashboard

    After you log on to Software Security Center, the Dashboard is displayed.

    By default, the Software Security Center Dashboard displays four panels, or pods, which summarize various aspects of the Software Security Center project versions and features that you can access.

    Pod                       Description
    ------------------------  --------------------------------------------------------------------------------
    Alert Notifications       A list of alert notifications that the user has chosen to receive.
    Assigned Activities       Activities that the logged-in user needs to perform.
    Issues                    A graph that depicts the status of issues in the system. The user can choose either Trend or Current Issues.
    Audit Status              Shows the audit status, which includes a count of issues that have been audited and a measure of the activity level during the last seven days.
    Project Inventory         Graphical display of project inventory grouped by a specified attribute.
    Project Security State    Graphical display of the state of projects (Not Started, In Progress, Awaiting Sign Off).
    Requirement State         Graphical display of signed-off project requirements.
    Runtime Host Status       List of runtime hosts with their status.
    Runtime Events            Graphical display of runtime events. The user can choose from Trend, Pie, and Column graphs.


    Changing Your Account Information

    After you log on to Software Security Center, you can change your account information, including your password.

    To change your account information:

    1. On the right side of the Software Security Center banner, click the Account link.

       The Modify Account dialog box opens.

    2. To change your first name, your last name, or your email address, select the default value in the corresponding box, and then type a new value.

    3. To change your password:

       a. Click Change Password.

          The Change Password dialog box opens.

       b. In the Password box, type your existing password.
       c. In the New Password box, type a new password.
       d. In the Confirm Password box, re-type the new password.
       e. Click Save.

    4. To save all changes to your account, in the Modify Account dialog box, click Save.

    Configuring Dashboard Preferences

    The Software Security Center Dashboard provides a paging configuration that allows a high degree of customizability. Methods of customizing the Dashboard include the following:

    • After Software Security Center starts, new pages are created for the pods. These are named Page 1 through Page n, where n is the number of pages required to hold all of the pods.
    • To switch to a different page, click its page button.
    • To change the name of a page, double-click the page button.
    • To add new pods, use the preferences as before. These pods are allocated to the pages as space is available. So, if a slot is open on the first page, the pod is added to that page.
    • To move a pod to a specific page, click the down arrow button in the pod title bar. This presents a menu of the pages that have open slots for pods. In addition, a Create New Page option opens a dialog box in which you can specify the name of a new page for the pod.
    • If a page displays only one pod, and you move the pod off that page, the page is deleted.
    • If a page displays only one pod, the create page option is not available. Simply rename the page.

    The following limitations apply to the Software Security Center Dashboard paging configuration:

    • You cannot arbitrarily remove a page of pods.
    • You can only maximize one pod across the entire set of pages.
    • You cannot change the order of the pages.

    Customizing the Dashboard Appearance

    To customize the appearance of the Software Security Center Dashboard:

    1. In the top right of the Dashboard, click Preferences.

       The Modify Preferences dialog box opens to the Dashboard tab.

    2. Perform one or more of the tasks listed in the following table:

       Specify the pods to display
         1. On the Dashboard tab, click Pods.
         2. In the Pods Displayed section, select the check boxes for the pods to display in your Dashboard view.

       Change the names of Dashboard pages
         1. On the Dashboard tab, click Pods.
         2. In the Tab Names section of the Dashboard tab, select a page name, and then type a new page name to replace it.

       Specify the project versions to display
         1. On the Dashboard tab, click Project Versions.
         2. Under Project Versions Displayed, select one of the following options:
            • To display the last ten project versions, based on recent activity, leave Default selected.
            • To open a list of the project versions currently displayed so that you can then modify that list, select Custom.
            • Select All to display all project versions.

       Remove a project version from the list of projects displayed
         1. On the Dashboard tab, click Project Versions.
         2. Under Project Versions Displayed, select the Custom option.
         3. Select the project version name or names to remove, and then click Remove.

       Add a specific project version that is not displayed to the list
         1. On the Dashboard tab, click Project Versions.
         2. Under Project Versions Displayed, select the Custom option.
         3. Click Add.
            The Select Project Versions dialog box opens.
         4. To display all versions of a project, select the check box next to the project name. Alternatively, to display specific project versions, select the check boxes next to the project version names.

       Enable or disable email alerts (alert notifications are visible by default on the Dashboard of all recipients)
         1. Click the Alert Notifications tab.
         2. Select the Email Alert Notifications check box to send email alerts in addition to the alerts visible on the Dashboard.

       Configure runtime notification options
         If runtime is enabled on your Software Security Center installation, do the following: to receive runtime notifications of security events flagged by the runtime system as alerts, on the Alert Notifications tab, click Runtime Alerts, and then select the Receive Runtime Alert Notifications check box.

       Specify date and time formatting
         1. Click the Display tab.
         2. From the Date Format list, select a format for dates displayed in Software Security Center.
         3. From the Time Format list, select the format for times displayed in Software Security Center.

    3. Click Save.

    Software Security Center saves the settings and displays your customized Dashboard.

    Software Security Center Dashboard pods display the same information as that displayed on the Software Security Center Project details pages.

    Accessing HP Fortify Training Content

    You can access HP Fortify's self-paced training modules from the Software Security Center Dashboard.

    To go to the training site for HP Fortify products:

    1. On the right side of the Software Security Center banner, click the eLearning link.

       The HP Fortify eLearning logon screen opens.

    2. If you have an account for the eLearning site, submit your credentials and log on to the site.

       If you do not have logon credentials for the eLearning site, request access to the site, as follows:

       a. Under Is this your first time here?, click [email protected].

          An email template opens.

       b. Type a request for a new eLearning site account, and send the email.

          Although it might take a day or so, a Fortify Technical Support team member will send you account information.

       After you log on, the site lists the training modules available for products in the HP Fortify suite.

    3. Select a training module to open and complete at your own pace.


    About the Runtime Tab

    HP Fortify Runtime Application Protection (Runtime Application Protection) is built on top of the HP Fortify runtime platform. Runtime Application Protection can run in either stand-alone or federated mode. In federated mode, multiple Runtime Application Protection hosts may be connected to Software Security Center, which acts as the runtime controller. The Runtime Application Protection hosts send runtime events and logs to Software Security Center, and Software Security Center sends configuration and Rulepacks to the Runtime Application Protection hosts. This facilitates central configuration management. It also enables you to conduct performance event analysis across multiple Runtime Application Protection hosts, which you cannot do in stand-alone mode. For example, say you have multiple hosts serving up a single application, and you want to set up an alert that is triggered after a given number of invalid logins are detected across the Runtime Application Protection hosts. Because the events are all federated across Software Security Center, Software Security Center can track the invalid logins across all Runtime Application Protection hosts.

    Users who focus on the Runtime tab differ from those concerned with the Projects tab. Typically, the Development and Security teams focus on the Projects tab because they are concerned with a project during its development. Operations teams focus on the Runtime tab because they are concerned with a product in deployment.

    If both of the following are true, then your installation of Software Security Center includes a Runtime tab:

    • Your HP Fortify license file enables you to run Runtime Application Protection.
    • The system administrator who installed Software Security Center explicitly enabled Software Security Center to communicate with Runtime Application Protection.

    For information about how to use the Runtime tab, see the HP Fortify Runtime Application Protection Operator Guide.

    Runtime Events

    Events are occurrences in the system that are of particular interest. As events are tracked, they are displayed on the Runtime tab in Software Security Center, which is automatically refreshed as events occur. You can view events in different ways in the several charts available in Software Security Center. You can search on any event attribute. For example, if you specify the search criterion Category Contains SQL, the Runtime tab lists all events in the SQL injection category.

    You can also export events resulting from a search as an event log in the same format that you would get from a stand-alone Runtime Application Protection instance. You could then import that event log into a project version, where the events become Runtime Application Protection issues.


    Chapter 3: Managing User Accounts

    About Software Security Center User Account Management

    In accordance with secure deployment guidelines, the HP Fortify Software Security Center Installation and Configuration Guide directs the primary system administrator of a new installation of Software Security Center to create a non-default Administrator-level account, and then to delete the default admin account. The non-default Software Security Center Administrator account is used to create additional Software Security Center user accounts.

    Software Security Center supports the following four default user accounts, in order of descending level of privilege:

    • Administrator
    • Security Lead
    • Manager
    • Developer

    The following sections provide information about each of these account types.

    For information about managing Software Security Center personas, see About Software Security Center Persona Management on page 73.

    This section contains information about Software Security Center roles, user account administration, and how to register AD/LDAP entities with Software Security Center.

    About Administrator Accounts

    Users who have Administrator accounts have complete access to all Software Security Center user and project version data and can manage the entire Software Security Center system. Only users who have Administrator accounts can create, edit, or delete other user accounts.

    HP Fortify recommends that you create only the Administrator-level accounts necessary to create and edit local or LDAP Software Security Center user accounts. The Security Lead and lesser accounts can perform all other project-related activity.

    Software Security Center permits the explicit addition of Administrator-level accounts to project versions. This enables Administrator users to be assigned issues from the Software Security Center Collaboration Module.

    About Security Lead Accounts

    Use Security Lead accounts to perform overall administration of one or more project versions, including the Managers and Developers assigned to collaborate on those project versions. Table 1 summarizes the read (view) and write (create or modify) privileges available to a Security Lead account.

    Table 1: Summary of Security Lead Account Read (R) and Write (W) Privileges

    Functional Area                 R  W  Comments
    ------------------------------  -  -  ------------------------------------------------------------------------------------
    Access, to project versions     X  X  Project versions the Security Lead created or to which the Security Lead account is assigned
    Alerts                          X  X
    Artifact, Documents             X  X
    Artifact, FPR                   X  X
    Event Log                       X     View all event logs
    Performance Indicators          X  X
    Personas                        X  X
    Process templates               X  X  Create, update, and re-sort
    Project templates               X  X  Upload, download, and delete
    Project versions                X  X  Create, manage assigned
    Reports                         X  X  Add, edit, or delete report definitions
    Rulepacks                       X  X  Import or delete
    Template Assignment Policies    X  X
    Users: local and LDAP           X     Only Administrator accounts can create or edit users
    Variables                       X  X

    Manager Accounts

    With a Manager account, you can manage the secure development of the Software Security Center project versions to which you are assigned and perform tasks such as assigning one or more Developer accounts to the project version. Table 2 summarizes the read (view) and write (create or modify) privileges for a Manager account.

    Table 2: Summary of Manager Account Read (R) and Write (W) Privileges

    Functional Area                 R  W  Comments
    ------------------------------  -  -  ------------------------------------------------------------------------------------
    Access, to project versions     X  X  Project versions they are assigned
    Alerts                          X  X  Create for assigned project versions
    Artifact, Documents             X  X
    Artifact, FPR                   X  X
    Event Log                       X     View events for assigned project versions only
    Performance Indicators          X
    Personas                        X
    Process templates               X  X  View all, update for assigned project versions
    Project templates               X
    Project versions                X  X  Delete or retire only assigned project versions
    Reports                         X  X  View or generate reports
    Rulepacks                       X  X  Export
    Template Assignment Policies    X
    Users, local and LDAP           X     Only Administrator accounts can create or edit users
    Variables                       X  X

    Developer Accounts

    With a Developer account, you can perform secure development tasks for the Software Security Center project versions to which you are assigned. Table 3 summarizes the read (view) and write (create or modify) privileges for a Developer account.

    Table 3: Summary of Developer Account Read (R) and Write (W) Privileges

    Functional Area                 R  W  Comments
    ------------------------------  -  -  ------------------------------------------------------------------------------------
    Access, to project versions     X     For project versions they have been assigned
    Alerts                          X  X  Create for assigned project versions
    Artifact, Documents             X  X
    Artifact, FPR                   X  X  View, comment, audit
    Event Log                       X     View events associated with assigned project versions
    Performance Indicators          X
    Personas                        X
    Process templates               X  X  View all, update for assigned project versions
    Project templates               X
    Project versions                X     View only assigned
    Reports                         X     View or generate reports
    Rulepacks                       X
    Template Assignment Policies    X
    Users, local and LDAP                 Administrator accounts only
    Variables                       X     Validate variable search strings


    Modifying Your Own User Account Information

    Any Software Security Center user can modify all of his or her own account settings, except the assigned role.

    To modify your Software Security Center account settings:

    1. In the upper right of any Software Security Center window, click Account.

       The Modify Account dialog box opens.

    2. Modify your account information, and then click Save.

    Customizing User Account Preferences

    You can use the Software Security Center Dashboard Preferences dialog box to customize some user account preferences, such as the format for displaying dates in Software Security Center. For more information about how to customize user preferences, see Configuring Dashboard Preferences on page 15.

    Tracking Teams

    As an administrator or security lead, you need access to information that enables you to track and monitor your team's progress and ensure that good application security practices are in place and followed. Software Security Center provides a central point for guiding the adoption of good security practices. By understanding how information is tracked and reported, you can accurately measure development team progress based on application security standards.


    Roles

    Roles determine the actions a user can perform in Software Security Center. Table 4 lists the pre-configured roles you can assign to users in Software Security Center.

    For more fine-grained control over user access to Software Security Center functionality, you can create custom roles and assign them permissions within the Software Security Center interface. For instructions on how to create a role, see Creating Custom Roles.

    Table 4: Software Security Center Roles

    Role                          Description
    ----------------------------  ----------------------------------------------------------------------------------------
    Administrator                 Has full access to the system and all results.
    Application Security Tester   Can perform tasks that pertain to executing dynamic scan requests, including:
                                  • View project versions
                                  • View and generate reports
                                  • Process dynamic scans
                                  • Upload scan results
                                  • Audit issues
    Developer                     Developer responsible for producing security results and taking action to triage or remediate any security issues. For a complete list of Developer permissions, see Table 3.
    Manager                       Responsible for guiding developers to work on results. Managers cannot create projects but can grant or revoke access to members of their team. For a complete list of Manager permissions, see Table 2.
    Security Lead                 Security team member who can create project versions and users. For a complete list of Security Lead permissions, see Table 1.
    View Only                     Can view results, but cannot interfere with the issue triage or remediation process. Example users: system automation account or temporary auditor.
    WebInspect Enterprise System  Can connect a WebInspect Enterprise instance to Software Security Center and retrieve issue audit information. This role is intended for use only by a WebInspect Enterprise instance.


    Creating Custom Roles

    Use the procedure in this section to define roles of your own and assign them permissions.

    To define and configure permissions for a new role:

    1. Log on to Software Security Center as an Administrator.
    2. Click the Administration tab.
    3. In the Administration panel on the left, under System, click Roles.
    4. In the Roles panel on the right, click Add.

       The Create Role dialog box opens.

    5. Provide the information described in the following table.

       Field (*Required field)  Description
       -----------------------  -------------------------------------------------------------------------------------
       *Name                    Role name
       Description              Role description
       Universal Access         To assign the new role access to all project versions and runtime applications, select this check box.
                                Note: HP Fortify strongly recommends that you select universal access only for administrator-level users.

    6. To add permissions, click Add. (Permissions determine the functional areas available to Software Security Center users.)

       The Add Permissions dialog box opens.

    7. Select the check boxes that correspond to the permissions that you want to assign to the new role.

       Note: The Add Permissions dialog box provides a search feature that you can use to search for permissions based on search conditions that you specify.

    8. Click OK.

    9. In the Create Role dialog box, click Save.

       If the role and permissions you selected do not conflict, you are returned to Software Security Center. Software Security Center checks permissions to guard against states that are known to be incompatible.

    10. Click Save.

       The Role: screen opens and displays detailed information about the new role.


    About Software Security Center Account Administration

    Users who have Administrator accounts are the only users who can create new user accounts and edit information for existing accounts.

    Use Administrator accounts to manage the Software Security Center system. HP Fortify recommends that you create only the Administrator-level accounts necessary to create and edit local or LDAP Software Security Center user accounts. The Security Lead and lesser accounts can perform all other project-related activity.

    Software Security Center permits the explicit addition of Administrator-level accounts to project versions. This enables Administrator users to be assigned issues from the Software Security Center Collaboration Module.

    Creating Local User Accounts

    Software Security Center Administrator-level accounts can add new local user accounts to the list of Software Security Center users.

    To create a Software Security Center user account:

    1. Log on to Software Security Center as an Administrator.
    2. Click the Administration tab.
    3. In the Administration panel on the left, under System, click Users.
    4. In the Local Users panel on the right, click Add.

       Software Security Center displays the Create User panel.

    5. Provide the information listed in the following table.

       Field or Check Box                       Description
       ---------------------------------------  --------------------------------------------------------------------------------
       Username                                 Username for Software Security Center logon.
       First Name                               First name of user.
       Last Name                                Last name of user.
       Email                                    Email address of user.
       Role(s)                                  To select the role or roles to assign to the user, click Add, and then select the check boxes that correspond to the roles you want to assign.
       Suspended                                User is not authorized to use Software Security Center.
       Password                                 Default password for the new user.
       Confirm Password                         Default password for the new user.
       User must change password at next login  Select this check box to require the user to change the password at the next log-on to Software Security Center.
       Password never expires                   Select this check box to allow the user to use the originally assigned password until he wants to change it. To require the user to change his or her password every thirty days, leave this check box cleared.

    6. Do one of the following:

       • To save your settings and exit the Create User panel, click Save.
       • To save your settings and display a new instance of the Create User panel, click Save and Create Another.

    Software Security Center adds the user account to the list of users.


    Registering LDAP Entities with Software Security Center

    Software Security Center Administrator-level accounts can add LDAP groups, organizational units, and users to Software Security Center's list of users. Software Security Center automatically updates access control as users join and leave groups.

    To register an LDAP organizational unit, group, or user with Software Security Center:

    1. Log on to Software Security Center as an Administrator, and then click the Administration tab.
    2. In the Administration panel, under System, click LDAP.
    3. In the LDAP Entities panel, click Add.

       Software Security Center displays the Register LDAP Entity panel.

    4. In the Register LDAP Entity panel, in the LDAP Entity list, choose the type of LDAP entity to register.
    5. In the Name box, type the Software Security Center account name, and then click the Search icon to validate that the entry exists in the LDAP server.

       To search for a name, in the Name box, type a search string, and then click the search tool.

    6. In the Role(s) box, you can assign a role predefined by Software Security Center, or a role you have already created, to the selected LDAP entity.
    7. Click Add.
    8. Select the role or roles in the Select Role dialog box, and then click OK.
    9. Click Save.

    Software Security Center adds the entity to its list of users. To learn how to specify the LDAP server, see the HP Fortify Software Security Center Installation and Configuration Guide.


    Chapter 4: Software Security Center Projects and Project Versions

    This chapter provides information about projects and project versions. It contains instructions for viewing and creating projects, configuring project attributes, assigning project templates, and more.

    About Tracking Development Teams

    As an administrator or security lead, you need access to information that enables you to track and monitor your team's progress and ensure that good application security practices are in place and followed. Software Security Center provides a central point for guiding the adoption of good security practices. By understanding how information is tracked and reported through projects and project versions, you can accurately assess development team progress based on application security standards.

    Projects and Project Versions

    To obtain consistent measurement results in Software Security Center, you define a project for a single code base. Software Security Center organizes the iterative development and remediation of code bases into projects and project versions. A project is an application or code base that serves as a container for one or more project versions.

    If you are working with a new code base, you create a new Software Security Center project. Software Security Center automatically creates the first version of that project.

    A project version is an instance of the application or code base that will eventually be deployed. It contains the data, auditing, and project attributes for a particular version of the project code base. If you are working with an existing project code base, you create new project versions rather than new projects.

    A project version is the base unit for team tracking. It provides a destination for security results that is useful for getting information in front of developers and producing reports and performance indicators. Code analysis results for a project version are tracked as follows:

    • Existing analysis results: the results of any previous security analysis from HP Fortify Static Code Analyzer, WebInspect, or another analyzer.

    • New scan results: Software Security Center analysis processing rules verify that the new scan is comparable to the older scan.

    • Merge: the new results are merged with the existing results (from the same analyzer used to perform this scan). Resolved issues are marked, new issues are identified, and unchanged issues are kept.

    • Trending results: identify which security issues have been fixed, and which issues remain.

    Existing analysis results + New scan results = Trending results
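The merge described above, worked through as an added Python illustration that is not Software Security Center code: it assumes each finding carries a stable instance_id, stands in for the analysis processing rules with two simple checks (same analyzer, newer scan number), and uses constructed sample issues throughout.

```python
"""Added illustration (not Software Security Center code) of merging a new scan
into a project version's existing results: check comparability, merge with the
results of the same analyzer, mark resolved, identify new, keep unchanged."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Issue:
    instance_id: str  # stable id for one finding across scans (constructed)
    analyzer: str     # "SCA" or "WebInspect"
    category: str
    location: str

@dataclass
class IssueRecord:
    issue: Issue
    status: str       # "open" or "resolved"
    first_seen: int   # scan number in which the issue first appeared
    last_seen: int    # most recent scan in which the issue was present

@dataclass
class Scan:
    analyzer: str
    number: int       # increases with every scan by this analyzer
    issues: List[Issue]

class NotComparableError(ValueError):
    """The new scan cannot be merged with the existing results."""

def check_comparable(existing: Dict[str, IssueRecord], scan: Scan) -> None:
    # Assumed processing rules: every issue must come from the scan's analyzer,
    # and the scan must be newer than the last one merged for that analyzer.
    for issue in scan.issues:
        if issue.analyzer != scan.analyzer:
            raise NotComparableError(f"{issue.instance_id} is not a {scan.analyzer} result")
    earlier = [r.last_seen for r in existing.values() if r.issue.analyzer == scan.analyzer]
    if earlier and scan.number <= max(earlier):
        raise NotComparableError("scan is not newer than the last merged scan")

def is_comparable(existing: Dict[str, IssueRecord], scan: Scan) -> bool:
    try:
        check_comparable(existing, scan)
        return True
    except NotComparableError:
        return False

def merge_scan(existing: Dict[str, IssueRecord], scan: Scan):
    # Returns (merged results, trend); results of other analyzers are carried over as is.
    check_comparable(existing, scan)
    merged = {k: IssueRecord(r.issue, r.status, r.first_seen, r.last_seen) for k, r in existing.items()}
    trend: Dict[str, List[str]] = {"new": [], "unchanged": [], "resolved": []}
    present = {i.instance_id for i in scan.issues}
    for issue in scan.issues:
        rec = merged.get(issue.instance_id)
        if rec is None:
            merged[issue.instance_id] = IssueRecord(issue, "open", scan.number, scan.number)
            trend["new"].append(issue.instance_id)
        elif rec.status == "resolved":
            rec.status, rec.last_seen = "open", scan.number  # fixed earlier, back again
            trend["new"].append(issue.instance_id)
        else:
            rec.last_seen = scan.number
            trend["unchanged"].append(issue.instance_id)
    for key, rec in merged.items():
        if rec.issue.analyzer == scan.analyzer and rec.status == "open" and key not in present:
            rec.status = "resolved"  # reported before, absent from this scan
            trend["resolved"].append(key)
    return merged, trend

def sample_results() -> Dict[str, IssueRecord]:
    """Constructed existing results: three SCA and one WebInspect issue from scan 1."""
    first = [Issue("sca-001", "SCA", "SQL Injection", "UserDao.java:42"),
             Issue("sca-002", "SCA", "Cross-Site Scripting", "Search.jsp:17"),
             Issue("sca-003", "SCA", "Path Manipulation", "FileUtil.java:88"),
             Issue("wi-001", "WebInspect", "Cross-Site Scripting", "/search?q=")]
    return {i.instance_id: IssueRecord(i, "open", 1, 1) for i in first}

def sample_scan() -> Scan:
    """Constructed SCA scan 2: sca-001 fixed, sca-002/003 unchanged, sca-004 new."""
    return Scan("SCA", 2, [Issue("sca-002", "SCA", "Cross-Site Scripting", "Search.jsp:17"),
                           Issue("sca-003", "SCA", "Path Manipulation", "FileUtil.java:88"),
                           Issue("sca-004", "SCA", "Command Injection", "Runner.java:9")])
```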


    About Strategies for Creating Project Versions

    As a Security Lead or Development Manager, you might choose to create a project version that allows you to track vulnerabilities within deployed applications. Security vulnerabilities often occur in areas of code where different components come together. Although teams may work on different components, it is a good practice to track the entire software component as one piece. As an example, suppose that a text manipulation library is safe on its own, and a file access library is safe on its own. The combination of the text manipulation library and file access library is not necessarily safe, because one may not know the origin of the text being processed.

    About Strategies for Packaged Software

    For software that ships or is deployed as a concrete version, you might use the following strategies:

    • If you are creating a brand new application, start a new project. Create a single project version for each release. For example, the Security Lead or Development Manager may mark past versions as inactive within Software Security Center to archive results and remove them from the basic view.

    • If you are working on an existing application with an evolving code base, create a project version based on an existing version. For example, Project A has several versions. Each new version is initiated based on the results of the previous version. Each successive version is just evolved code (versus a complete rewrite).

    About Strategies for Continuous Deployment

    For applications using continuous deployment, running HP Fortify scans with the -build-label xxxx flag enables you to identify which source control checkout was scanned (where xxxx represents the ID from your version control system). Relating scans to source control checkouts improves your ability to determine when individual issues were introduced and remediated.

    About Annotating Project Versions for Reporting

    Software Security Center provides a set of project attributes that you can apply to individual project versions. You can use these project attributes to group project versions for reporting, or to associate project versions with external systems.

    A base set of project attributes is provided within the Software Security Center system. Administrators can customize the attribute set for the organization. Sample customizations can help organizations track onboarding progress by application ID, line of business, business unit, or regulatory compliance obligations.


    Displaying the Projects Page

    Software Security Center projects are at the center of Software Security Center's powerful cross-project analysis and reporting capabilities.

    To view a list of all Software Security Center projects: From the Software Security Center dashboard, click the Projects tab.


    Project Icons

    Table 5 lists the icons used to show project status on the Software Security Center Projects tab.

    For a conceptual orientation to the creation of a new Software Security Center project, proceed to About the Project Creation Process on page 36.

    Table 5: List of Projects Type and Status Icons

    Icon Category    Description

    Project type     Project version is of type Basic Remediation
    Project type     Project version is of type SSA
    Project state    Project version not started: No activities completed
    Project state    Project version in progress: At least one activity has been completed
    Project state    Project version is unfinished
    Project state    Project version requires attention: An activity must be performed
    Sign-off state   Awaiting sign-off
    Sign-off state   Signed off with exemption
    Sign-off state   Signed off


    About the Project Creation Process

    After you log on to Software Security Center and start to add a new project (see About Creating Project Versions on page 39), the Create Project Version wizard displays the following sequence of steps:

    • Project Version page
    • Dependencies page
    • Business Attributes page (customizable)
    • Technical Attributes page (customizable)
    • Project Template page (or Process Template, depending on the type of project version you create)

    Each step presents the team members responsible for creating a Software Security Center project version with one or more strategic choices. After the team agrees upon and makes their selections, the security lead can click Finish to complete the project creation process.

    Typically, the security team evaluates and decides on all the project options before they actually start to create the project. The following sections describe the options displayed on the five project creation wizard screens.

    About Project Version Types

    Software Security Center supports the following two types of project versions:

    • Basic remediation project versions require you to select a project template but do not support process templates. Process templates are hierarchical constructions of requirements and activities that help you to manage and track risk mitigation activities performed during project development.

    • SSA project versions differ from basic remediation project versions in that they support process templates. (When you create a new SSA project version, Software Security Center suggests a process template.)

    About Project Dependencies

    Project dependencies are optional project attributes that you can edit after a project version is finished. Use the Project Dependencies panel to do the following:

    • Identify previously created project versions that affect the completion or status of this project
    • Enable interdependent projects to be grouped, managed, and reported across project boundaries on the basis of dependencies

    About Project Version Attributes

    Basic remediation and SSA project version types have both business attributes and technical attributes. The business and technical project attributes are metadata that Software Security Center uses to:

    • Perform cross-project comparisons and reporting
    • Assign process templates to SSA projects

    When you create a new project version, the Create Project Version wizard guides you through the selection of required and optional business and technical project attributes. Neither the basic remediation nor the SSA project version type can be finished until you select values for all required attributes. For example, to create a project version, you must specify values for the following attributes:

    • Business unit
    • Development phase
    • Development strategy
    • Accessibility


    Table 6 lists the default set of Software Security Center project version attributes for basic remediation and SSA project version types. Note that this list does not include custom attributes that a Software Security Center administrator may have added to the system.

    About Project Template Selection

    Software Security Center project templates provide HP Fortify client and server products an optimal means of categorizing, summarizing, and reporting project data. Project templates also enable the application of customized project settings at the enterprise level and not just at the project level.

    Both basic remediation and SSA project versions support project templates, but differ in how the project template is chosen. Basic remediation projects require that you choose a project template, but do not support process templates. SSA projects require that you select a process template. Based on the process template you select, Software Security Center then assigns the optimal project template to the SSA project.

    Although you can change the project template for a basic remediation project after you finish creating the project, your security team must carefully consider its choice of project template before completing the project creation process.

    For SSA projects, there is a direct connection between the process template selected and the project template Software Security Center assigns to the project. You can only modify that process-project template relationship using the HP Fortify Software Security Center Process Designer. For information about how to use the Process Designer, see the HP Fortify Software Security Center Process Designer User Guide.

    Table 6: Default Software Security Center Project Version Attributes (* = required)

    Attribute category and attributes (default set)   Basic Remediation                             SSA

    Business Attributes
      Business Risk                                   X                                             X
      Known Compliance Obligations                    X                                             X
      Data Classification                             X                                             X
      Project Classification                          X                                             X
      *Business Unit                                  X                                             X

    Technical Attributes
      *Development Phase                              X                                             X
      *Development Strategy                           X                                             X
      *Accessibility                                  X                                             X
      Project Type                                    X                                             X
      Target Deployment Platform                      X                                             X
      Interfaces                                      X                                             X
      Development Languages                           X                                             X
      Authentication System                           X                                             X

    *Project template                                 X                                             Assigned by the process template

    Process template                                  Not available in basic remediation projects   X


    About Process Templates for SSA Projects

    One of the most important steps in the creation of an SSA project version is the choice of a process template. Only Software Security Center SSA projects support process templates. Process templates guide the Secure Development team through the various requirements and activities needed to fulfill the enterprise's secure development standards. The requirements and activities must be completed, or exempted from completion, in order to fulfill the secure development process.

    If you prefer to use a non-default process template, a good strategy is to choose a template that has stricter requirements than are actually required, then exempt those activities that are not applicable to that project's security requirements.

    Software Security Center uses the choice of process template to determine the best project template to assign to the project version. The project template optimizes the categorization, summarization, and reporting of the project version's data.

    Regardless of which process template you choose, you cannot change that choice after the project creation process is completed. For that reason, the security team should carefully consider its choice of process template before finishing the project creation process.

    The following sections provide instructions for performing the following tasks:

    • Creating projects and project versions
    • Specifying dependent project versions
    • Selecting a project version type
    • Configuring project version attributes
    • Assigning project and process templates to a project version


    About Creating Project Versions

    You can create a new Software Security Center project version that is based on an existing project or on a new project. This section provides instructions for each method. Before you start to create the Software Security Center project version, review the information under About the Project Creation Process on page 36.

    Adding Project Versions

    To create a project version based on an existing project:

    1. Log on to Software Security Center as either an Administrator or Security Lead.

    2. To open the Create Project Version wizard, click the Projects tab, and then click Add.

    3. On the Project Version page, provide the information listed in the following table.

    Field
        Description

    Use Existing
        Since you are working with a logical continuation of an existing code base, leave this option selected.

    Project
        From this list, select the name of an existing project.

    Copy From
        Select this check box to copy settings and data from the previous version of the selected project. In addition to the project version attributes, you can copy the custom tags, analysis processing rules, user assignment, bug tracker, or current state HP Fortify project results.
        After you select the check box, this section expands to reveal a project version list and the categories of information to be copied. From the list to the right of the Copy From check box, select the project version that has the attributes you want to copy to the new project version. To exclude a category of information from being copied to the new version, clear its check box.

    Name
        In this box, type the version name. The wizard uses the project name and appends the version number to it automatically.

    Description
        In this box, type a description of the new project version. (Optional)

    Basic Remediation Project
        Select this option to create a Basic Remediation Project type project version. For information about how to select a project version type, see About Project Version Types on page 36.

    SSA Project
        Select this option to create an SSA type project version. For information about how to select a project version type, see About Project Version Types on page 36.

    4. To finalize the project definition later, click Finish Later. To continue, click Next. The Dependencies page opens.

    5. To specify optional dependent project versions for the new project version:

       a. Click Add. The Add Dependent Project Version dialog box lists all Software Security Center project versions.

       b. Select one or more project versions that affect the secure development of the project, and then click Save. (Use the CTRL and SHIFT keys to select multiple versions.)

    6. Click Next.

    7. On the Business Attributes page, do the following:

       a. If email notification has been configured for your Software Security Center instance, and you want to request attribute information for the project from another team member, click Send Attribute Information Request. Software Security Center prompts you to supply the email address for the individual to whom the request is to be sent.

       b. Configure the business attributes for the project version.

       Note: Because default values are selected for each list on the Business Attributes page, make sure that you actively select the values for each field.

    8. Click Next.


    The Technical Attributes panel opens.

    9. Configure the technical attributes for the project.

    10. Click Next.

    11. On the Project Template (or Process Template) page, do one of the following:

       • If you are creating a new basic remediation project version, from the Template list, select a project template.

       • If you are creating a new SSA project version, select a process template. Software Security Center uses the project attributes to recommend a process template, and then displays the recommended choice as the default selection in the list of process templates. Software Security Center assigns a project template to the new project version based on your choice of process template.

    12. Click Finish.

    If you created a new project, Software Security Center adds the new project to the list of projects; the new project contains its initial project version. If you created a new project version, Software Security Center adds the new project version to its parent project.

    To display unfinished or inactive project versions, on the Projects tab, select the Show Inactive Versions check box. The default is to display all active project versions. To designate a project version as inactive, clear the Active check box in the Edit Project Versions dialog box.


    About Using Bug Tracking Systems to Help Manage Security Vulnerabilities

    Developers fixing software defects often use a bug tracking system to help manage their workload. Security vulnerabilities are a type of bug, and getting vulnerability information into the bug tracking system helps developers take appropriate remediation measures, in line with other development activities. The result is more security awareness and faster remediation of security issues.

    From Software Security Center, you can map to several bug tracking systems, so that your development team can file bugs into the bug tracking system already in use.

    When a developer files a bug, Software Security Center populates bug tickets with the following basic vulnerability information:

    • Details that describe the type of issue uncovered
    • Remediation guidance, with instructions on the action to take
    • A link back to Software Security Center for complete issue details

    Configuring Access to a Bug Tracker

    To enable a team to access and use a bug tracking system from Software Security Center, a security lead or development manager must configure Software Security Center to connect to a bug tracker instance. Either the developer or security lead can then submit tickets to address important security issues.

    To enable team access to a bug tracking system, a security lead or development manager does the following:

    • Edit the project version details
    • Configure the bug tracker

    Configuring Bug Tracking for a Project Version

    For a given project version, you can specify a bug tracker to use to submit bugs against the version and, optionally, enable batch bug submission and bug state management.

    The batch bug submission feature allows you to filter issues for a given project version based on selection criteria and attribute groupings, and then file a bug for the entire group of issues instead of filing a bug for each individual issue.

    If batch bug submission is enabled for a project version, you can also enable bug state management. Bug state management allows Software Security Center to make specific updates to bugs as the states of the issues within those bugs change. (For information about batch bug submission, see About Using State Management to File Many Issues.)

    To configure bug tracking for a project version:

    1. Log on to Software Security Center as an administrator, a security lead, a manager, or a developer.

    2. Click the Projects tab.

    3. From the list of project versions on the left, select the project version for which you want to configure bug tracking.

    4. Click Edit.

    The Edit Project Version dialog box opens.


    5. Click the Bug Tracker tab.

    6. From the Bug Tracker list, select the bug tracker to use to file bugs against the project version.

    7. Complete any required fields.

    8. To test the bug tracker connection to Software Security Center:

       a. Click Test.

       b. In the Test Bug Tracker Configuration dialog box, type your bug tracker authentication credentials, and then click Test.

    9. If you do not want to enable batch bug submission and possibly bug state management for this project version, click Save. If you want to enable batch bug submission and possibly bug state management, see About Using State Management to File Many Issues.

    About Using State Management to File Many Issues

    The combined analysis techniques of HP Fortify Static Code Analyzer and HP WebInspect can produce a high volume of issues that can be assigned and tracked in aggregate. Filing issues in bulk enables developers or security leads to group issues into closeable units to avoid overloading the bug tracking system.

    Your selection criteria for batch bug tracking specify how the system determines which security issues to file and manage as bugs. The default selection criterion is Analysis: Exploitable (issues with the custom tag Analysis value set to Exploitable), which focuses on issues that have been manually reviewed and prioritized.

    Decide upon a grouping strategy. For all issues matching your selection criteria, decide how issues are to be grouped together to prevent a potentially large number of issues from becoming individual (granular) bugs. The default grouping strategy of Category, File enables teams to assign and track bugs such as Fix all in instead of tracking groups that are too general (such as Fix all security issues) or too granular (Fix the line of code at ##).

    After filing the issues, development teams typically run scans through Static Code Analyzer and WebInspect. Software Security Center merges the scan results (as described in Projects and Project Versions on page 32) and updates the bug, as follows:


    • If the scan results indicate that one or more security issues associated with the bug are still present (and match the selection criteria), Software Security Center checks the bug tracking system to ensure that the bug is in a valid open state and, if necessary, re-opens the bug.

    • If all issues associated with a bug are removed (either because the issues were remediated or no longer match the selection criteria), Software Security Center updates the bug to indicate that stakeholders may resolve or close this ticket. To enable auditing and traceability, Software Security Center does not automatically resolve or close bugs.
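Batch bug submission and bug state management as described above, worked through as an added Python example that is not Software Security Center code: it assumes issues carry an Analysis custom tag, groups issues matching [Analysis]:exploitable by Category and File Name into one bug each, and after a later scan re-opens each bug whose issues still match or only flags it as closeable. All issue data, tags, ticket ids and bug states are constructed, and the bug tracker is a plain dictionary.

```python
"""Added illustration (not Software Security Center code) of batch bug
submission and bug state management: one bug per Category/File Name group of
matching issues, then re-open or flag each bug after a later scan."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Issue:
    instance_id: str
    category: str
    file_name: str
    tags: Dict[str, str]  # custom tags, e.g. {"Analysis": "Exploitable"} (constructed)

@dataclass
class Bug:
    bug_id: str
    summary: str
    issue_ids: List[str]
    state: str = "Open"  # state in the bug tracker: "Open", "Resolved" or "Closed"
    comments: List[str] = field(default_factory=list)

def parse_criterion(criterion: str) -> Tuple[str, str]:
    """'[Analysis]:exploitable' -> ('Analysis', 'exploitable')."""
    tag, _, value = criterion.strip().partition(":")
    if not (tag.startswith("[") and tag.endswith("]")) or not value:
        raise ValueError(f"bad selection criterion: {criterion!r}")
    return tag[1:-1], value

def matches(issue: Issue, criterion: str) -> bool:
    tag, value = parse_criterion(criterion)
    actual = issue.tags.get(tag)
    return actual is not None and actual.lower() == value.lower()

def file_bugs(issues: List[Issue], criterion: str = "[Analysis]:exploitable",
              strategy: Tuple[str, ...] = ("Category", "File Name")) -> Dict[str, Bug]:
    """One bug per group of matching issues; default grouping is Category, File Name."""
    groups: Dict[tuple, List[str]] = {}
    for issue in issues:
        if matches(issue, criterion):
            attrs = {"Category": issue.category, "File Name": issue.file_name}
            key = tuple(attrs[a] for a in strategy)
            groups.setdefault(key, []).append(issue.instance_id)
    bugs: Dict[str, Bug] = {}
    for n, (key, ids) in enumerate(sorted(groups.items()), start=1):
        summary = "Fix all: " + ", ".join(f"{a}={v}" for a, v in zip(strategy, key))
        bugs[f"BUG-{n}"] = Bug(f"BUG-{n}", summary, ids)  # constructed ticket id
    return bugs

def update_bug_states(bugs: Dict[str, Bug], current_issues: List[Issue],
                      criterion: str = "[Analysis]:exploitable") -> Dict[str, str]:
    """Re-open a bug whose issues are still present and still match; otherwise only
    note that it may be closed. Bugs are never resolved or closed here."""
    still = {i.instance_id for i in current_issues if matches(i, criterion)}
    actions = {}
    for bug in bugs.values():
        if any(iid in still for iid in bug.issue_ids):
            if bug.state != "Open":
                bug.state = "Open"
                bug.comments.append("Re-opened: associated security issues are still present")
                actions[bug.bug_id] = "reopened"
            else:
                actions[bug.bug_id] = "still open"
        else:
            bug.comments.append("No associated issues remain; stakeholders may resolve or close")
            actions[bug.bug_id] = "closeable"
    return actions

def sample_scan_1() -> List[Issue]:
    """Constructed first scan: three exploitable issues and one audited as Not an Issue."""
    return [Issue("i1", "SQL Injection", "UserDao.java", {"Analysis": "Exploitable"}),
            Issue("i2", "SQL Injection", "UserDao.java", {"Analysis": "Exploitable"}),
            Issue("i3", "Cross-Site Scripting", "Search.jsp", {"Analysis": "Exploitable"}),
            Issue("i4", "Cross-Site Scripting", "Search.jsp", {"Analysis": "Not an Issue"})]

def sample_scan_2() -> List[Issue]:
    """Constructed later scan: i1 fixed, i3 re-audited as Not an Issue, i2 still open."""
    return [Issue("i2", "SQL Injection", "UserDao.java", {"Analysis": "Exploitable"}),
            Issue("i3", "Cross-Site Scripting", "Search.jsp", {"Analysis": "Not an Issue"})]
```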

    Enabling Batch Bug Submission

    After you specify the bug tracker to use to submit bugs against a project version, you can enable batch bug submission for the project version.

    To enable batch bug submission for a project version:

    1. After you specify the bug tracker to use to submit bugs against a project version (see Configuring Bug Tracking for a Project Version), on the Bug Tracker tab, select the Enable Batch Bug Submission check box.

    The Selection Criteria box displays the default value [Analysis]:exploitable. Issues that match this criterion are selected for batch bug submission.

    The Grouping Strategy box lists the attributes used to group selected issues together before they are submitted as a batch. The default attributes listed are Category and File Name.

    2. To include additional attributes on which to base issue groups:

       a. Click Add. The Add Attribute dialog box opens.

       b. From the Name list, select an attribute to add to the Grouping Strategy list. (Although you can only select one attribute at a time, you can repeat Step 2 multiple times to add more attributes.)

       c. Click Save.

       d. To validate your selection criteria, click Validate.

    3. If you want to enable bug state management, follow the procedure described in Enabling Bug State Management. Otherwise, to save your current bug tracker settings, click Save.

    Enabling Bug State Management

    If batch bug submission is enabled for a project version, you can enable bug state management. Bug state management enables Software Security Center to make specific updates to bugs as the states of the issues within those bugs change. Software Security Center checks new security scans to determine whether filed bugs are to remain open, or can be closed.

    To enable bug state management for a project version:

    1. After you enable batch bug submission for a project version, on the Bug Tracker tab, select the Enable Bug State Management check box.

    2. Scroll down so that you can see the Username and Password boxes.

    3. In the Username and Password boxes, type your username and password for the bug tracking application specified for the project version.

    4. Click Test.

    5. After Software Security Center displays the Connection Successful message, click OK.

    6. Click Save.
