HP FORTIFY SCA
Source Code Analyzer
CONTENTS
• Use of it
• System specifications
• Installation
• How it works
• Report generation
USE OF FORTIFY
• HPE Security Fortify Static Code Analyzer (SCA) is used by development groups and security professionals to analyze the source code of an application for security issues.
• It identifies the root causes of software security vulnerabilities.
• It supports Java, .NET, ActionScript, ABAP, ColdFusion, Ruby, Python and PHP.
• There are various filter sets; based on them we can generate a report.
• There are 7 kingdoms associated with security defects in source code; the security issues it reports are grouped by those kingdoms.
• The kingdoms are Input Validation, API Abuse, Security Features, Time and State, Errors, Code Quality and Encapsulation.
SYSTEM SPECIFICATION
Recommended machine and RAM by language and code size (LOC):

Language | <100k                    | 100k to 500k             | 500k to 1M               | 1M+
Java     | 32-bit machine, 2GB RAM  | 32-bit machine, 4GB RAM  | 64-bit machine, 8GB RAM  | 64-bit machine, 16GB RAM
.Net     | 32-bit machine, 2GB RAM  | 32-bit machine, 2GB RAM  | 64-bit machine, 8GB RAM  | 64-bit machine, 16GB RAM
C/C++    | 32-bit machine, 2GB RAM  | 64-bit machine, 16GB RAM | 64-bit machine, 16GB RAM | 64-bit machine, 16GB RAM
SYSTEM SPECIFICATION
Application Complexity | CPU Cores | RAM    | Average Scan Time | Notes
Simple                 | 2         | 4 GB   | 0.5 hours         | A system that runs on a server or desktop in a standalone manner, like a batch job or a command-line utility
Medium                 | 4         | 16 GB  | 4 hours           | A standalone system that works with complex computer models, like a tax calculation system or a scheduling system
Complex                | 8         | 64 GB  | 2 days            | A three-tiered business system with transactional data processing, like a financial system or a commercial website
Very Complex           | 16        | 256 GB | 4 days            | An application like a CMS
INSTALLATION
It is supported on Windows and Linux. Make sure you have a JRE installed.
Windows:
1. Extract the ISO and install HP_Fortify_SCA_and_Apps_16.11.exe.
2. During installation, in the "update security configuration" module, give the server URL as https://update.fortify.com.
3. Give the path of the license file fortify.license when prompted.
4. In the plugin dialog box, check the Java IDE and Visual Studio .NET plugins.
5. After installation, Fortify is ready to use in graphical and CLI mode.
INSTALLATION ….
Linux installation:
1. Download the fortify.xx.xx.tar.gz package from the HP website.
2. Extract it and run the installation file.
3. When prompted, give the fortify.license key for the licensed version and https://update.fortify.com for the security configuration update.
4. After installation is done, open a terminal and type sourceanalyzer to run Fortify SCA.
TIPS FOR HIGH PERFORMANCE
• Use an SSD disk for faster performance.
• Increase the heap size in <SCA Install Directory>\Core\config\fortify-sca.properties, for example com.fortify.sca.RmiWorkerMaxHeap=1G.
• In the scan command use the options -Xmx1G and -j 4 (-j enables parallel processing; 4 is the number of cores we want to assign).
• Increase the session file size in <SCA Install Directory>\Core\config\fortify-sca.properties, for example com.fortify.sca.IncrementFileMaxSizeMB=1024 (i.e. 1G).
HOW IT WORKS
• It can be started in command mode or GUI mode.
• For small code bases we use the GUI.
• Start -> Audit Workbench -> New Project -> Locate the source code -> Configure the rules -> For Java projects, select the framework version.
• We can exclude third-party plugin code for faster output.
• Give the path to the output file (e.g. sampleoutput.fpr).
• At one point a dialog box appears that shows the translation phase and the scan phase.
• Here we can give options for storing a separate log for each phase, and options to increase the performance of the tool (-Xmx, -Xss).
REPORT GENERATION
• After completion we can see the .fpr file opened in Audit Workbench.
• There are different types of templates: 1) OWASP Top 10 2013, 2) SANS Top 25, 3) PCI-DSS, 4) OWASP Top 10 Mobile, 5) Developer Workbook, etc.
• Developer Workbook shows you the detailed report with every reported instance.
• You can customize the report template by adding Workbook and OWASP Top 10 categories.
• After selecting the template, click on Generate Report.
FILTER SET
• A filter set is used to differentiate high, medium and low priority issues.
• By default Fortify enables two filter sets for viewing the issues: 1) Quick View, 2) Security Audit View.
• Quick View -> 1. Hide issue if impact is not in range [2.5, 5.0]; 2. Hide issue if likelihood is not in range [1, 5].
• Security Audit View -> shows every issue, based on the category specified.
• We can add our own customized filter set.
COMMAND SET
• Scan: sourceanalyzer -b <buildid> -scan -f results.fpr
• Full example: sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile scan.log -scan -f Results.fpr -html-report
• Parallel processing: -j 4 (4 = number of cores); -Xmx = heap size; -Xss = stack size
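A scripted version of the two-phase workflow (translation phase, then scan phase, each with its own log) that the HOW IT WORKS slide and the command set describe, as an added example that is not part of the original slides. It assumes a Java project, sourceanalyzer and ReportGenerator on PATH (overridable with SCA= and REPORTGEN=, e.g. SCA=echo for a dry run), the DeveloperWorkbook.xml template name, and HEAP/STACK/CORES sized per the SYSTEM SPECIFICATION table.

```shell
#!/bin/sh
# Added example, not from the original slides: a scripted Fortify SCA run that
# keeps the translation and scan phases apart, logs each phase to its own file
# and passes the tuning flags from the slides (-Xmx, -Xss, -j).
# Assumptions: Java sources under the given directory; sourceanalyzer and
# ReportGenerator on PATH (override SCA/REPORTGEN, e.g. SCA=echo for a dry run);
# HEAP/STACK/CORES sized per the SYSTEM SPECIFICATION table for your machine.
SCA="${SCA:-sourceanalyzer}"
REPORTGEN="${REPORTGEN:-ReportGenerator}"
HEAP="${HEAP:-1280M}"
STACK="${STACK:-8M}"
CORES="${CORES:-4}"

fortify_scan() {
    build_id="$1"
    src_dir="$2"
    out="${3:-results.fpr}"

    # 1. Drop stale intermediate files from an earlier run of this build id.
    "$SCA" -b "$build_id" -clean || return 1

    # 2. Translation phase: parse the sources into SCA's intermediate form.
    #    The "**" pattern is expanded by sourceanalyzer, not the shell, so it
    #    stays quoted. A separate log keeps translation errors (classpath,
    #    unsupported syntax) apart from scan-time problems.
    "$SCA" -b "$build_id" -Xmx"$HEAP" -Xss"$STACK" \
        -logfile "translate-${build_id}.log" "${src_dir}/**/*.java" || return 1

    # 3. Scan phase: run the analyzers over the translated code on $CORES cores.
    "$SCA" -b "$build_id" -Xmx"$HEAP" -Xss"$STACK" -j "$CORES" \
        -logfile "scan-${build_id}.log" -scan -f "$out" || return 1

    # 4. Developer Workbook report from the FPR (the template file name is an
    #    assumption; use any template listed in Audit Workbench's report dialog).
    "$REPORTGEN" -format pdf -f "${build_id}-workbook.pdf" \
        -source "$out" -template DeveloperWorkbook.xml || return 1

    # Print the FPR path so a caller can open it in Audit Workbench.
    echo "$out"
}
```

Run as `fortify_scan myapp src` after sourcing the script; the translate and scan logs land in the current directory next to results.fpr.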