HP-FORTIFY SCA Source Code Analyzer


Page 1: HP-FORTIFY SCA Source Code Analyzer

Page 2: CONTENTS

• Use of it.
• System Specifications.
• Installation.
• How it works.
• Report generation.

Page 3: USE OF FORTIFY

• HPE Security Fortify Static Code Analyzer (SCA) is used by development groups and security professionals to analyze the source code of an application for security issues.
• It identifies the root causes of software security vulnerabilities.
• It supports Java, .NET, ActionScript, ABAP, ColdFusion, Ruby, Python and PHP.
• There are various filter sets; based on them we can generate reports.
• There are 7 kingdoms associated with security defects in source code; based on those kingdoms it groups the security issues it reports.
• The kingdoms are Input Validation, API Abuse, Security Features, Time and State, Errors, Code Quality and Encapsulation.

Page 4: SYSTEM SPECIFICATION

Size (LOC) | <100k                   | 100k to 500k             | 500k to 1M               | 1M+
Java       | 32-bit machine, 2GB RAM | 32-bit machine, 4GB RAM  | 64-bit machine, 8GB RAM  | 64-bit machine, 16GB RAM
.Net       | 32-bit machine, 2GB RAM | 32-bit machine, 2GB RAM  | 64-bit machine, 8GB RAM  | 64-bit machine, 16GB RAM
C/C++      | 32-bit machine, 2GB RAM | 64-bit machine, 16GB RAM | 64-bit machine, 16GB RAM | 64-bit machine, 16GB RAM

Page 5: SYSTEM SPECIFICATION

Application Complexity | CPU Cores | RAM    | Average Scan Time | Notes
Simple                 | 2         | 4 GB   | 0.5 hours         | A system that runs on a server or desktop in a standalone manner, like a batch job or a command line utility
Medium                 | 4         | 16 GB  | 4 hours           | A standalone system which works with complex computer models, like a tax calculation system or a scheduling system
Complex                | 8         | 64 GB  | 2 days            | A three-tiered business system with transactional data processing, like a financial system or a commercial website
Very Complex           | 16        | 256 GB | 4 days            | An application like a CMS

Page 6: INSTALLATION

It is supported on Windows and Linux. Make sure you have a JRE installed.

Windows:
1. Extract the ISO and install HP_Fortify_SCA_and_Apps_16.11.exe.
2. During installation, in the update security configuration module, give the server URL as https://update.fortify.com.
3. Give the path of the license file fortify.license when prompted.
4. In the plugin dialog box, check the Java IDE and Visual Studio .NET plugins.
5. After installation, Fortify is ready to use in graphical and CLI mode.

Page 7: INSTALLATION (continued)

Linux installation:
1. Download the fortify.xx.xx.tar.gz package from the HP website.
2. Extract it and run the installation file.
3. When prompted, give the fortify.license key for the license and https://update.fortify.com for the security configuration update.
4. After installation is done, open a terminal and type sourceanalyzer to run Fortify SCA.

Page 8: TIPS FOR HIGH PERFORMANCE

• Use an SSD disk for faster performance.
• Increase the heap size in <SCA Install Directory>\Core\config\fortify-sca.properties, for example com.fortify.sca.RmiWorkerMaxHeap=1G
• In the scan options use -Xmx1G and -j 4 (-j enables parallel processing; 4 is the number of cores we want to assign). Note the JVM-style form -Xmx1G, with no '=' sign.
• Increase the session file size in <SCA Install Directory>\Core\config\fortify-sca.properties, for example com.fortify.sca.IncrementFileMaxSizeMB=1024 (i.e. 1G).

Page 9: HOW IT WORKS

• It starts with a command mode and a GUI mode.
• For small file sizes we use the GUI.
• Start -> Audit Workbench -> New Project -> Locate the source code -> Configure the rules -> For Java projects, select the framework version.
• We can exclude third-party plugin code for faster output.
• Give the path to the output file (e.g. sampleoutput.fpr).
• At one point we see a dialog box that shows the translation phase and the scan phase.
• Here we can give options for separate log storage for each phase, and options to increase the performance of the tool (-Xmx, -Xss).

Page 10: REPORT GENERATION

• After completion we see the .fpr file opened in Audit Workbench.
• There are different types of templates: 1) OWASP Top 10 2013 2) SANS Top 25 3) PCI DSS 4) OWASP Top 10 Mobile 5) Developer Workbook, etc.
• Developer Workbook shows you the detailed report with every instance reported.
• You can customize the report template by adding Workbook and OWASP Top 10 categories.
• After selecting the template, click on Generate Report.

Page 11: FILTER SET

• A filter set is used to differentiate high, medium and low priority issues.
• By default Fortify enables two filter sets for viewing the issues: 1) Quick View 2) Security Audit View.
• Quick View -> 1. Hide the issue if Impact is not in the range [2.5, 5.0] 2. Hide the issue if Likelihood is not in the range [1, 5]
• Security Audit View -> Show every issue, grouped by the category specified.
• We can add our own customized filter set.

Page 12: COMMAND SET

• Scan: sourceanalyzer -b <buildid> -scan -f results.fpr
• Full example: sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile scan.log -scan -f Results.fpr -html-report
• Parallel processing: -j 4 (4 = number of cores)
• -Xmx sets the heap size, -Xss the stack size
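A scripted run of the translation and scan phases with the tuning from the performance, how-it-works and command-set pages above, as an added example that is not part of the original deck. It assumes a Java project under ./src with jars in ./lib, sourceanalyzer on PATH, and that ReportGenerator and the DeveloperWorkbook.xml template ship with the same install; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the slides): two-phase Fortify SCA run with the heap,
# stack, parallelism and per-phase logging tips from the deck. Assumptions: a
# Java project in ./src, jars in ./lib, sourceanalyzer and ReportGenerator on PATH.
BUILD_ID="${BUILD_ID:-sample-app}"   # -b ties the translation and scan phases together
HEAP="${HEAP:-1280M}"                # JVM-style value: -Xmx1280M, never -Xmx=1280M
STACK="${STACK:-8M}"                 # -Xss: larger thread stack for deep analysis
CORES="${CORES:-4}"                  # -j: number of cores assigned to the scan
OUT_FPR="${OUT_FPR:-results.fpr}"
# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Reject a heap/stack value written with '=' or without a unit; sourceanalyzer
# would otherwise reject or silently ignore the option. Returns 0 when usable.
check_mem_value() {
  case "$1" in
    *=*|"") return 1 ;;
    *[0-9][MmGg]) return 0 ;;
    *) return 1 ;;
  esac
}
# Phase 0: discard intermediate files left by an earlier run of this build id.
clean_build() { run sourceanalyzer -b "$BUILD_ID" -clean; }
# Phase 1: translation. Sources are parsed into Fortify's intermediate model and
# logged separately; the quoted globs are expanded by sourceanalyzer itself.
translate_build() {
  run sourceanalyzer -b "$BUILD_ID" "-Xmx$HEAP" -logfile translate.log \
      -cp "lib/*.jar" "src/**/*.java"
}
# Phase 2: analysis. Heap, stack and parallelism apply here, with its own log.
scan_build() {
  run sourceanalyzer -b "$BUILD_ID" "-Xmx$HEAP" "-Xss$STACK" -j "$CORES" \
      -logfile scan.log -scan -f "$OUT_FPR"
}
# Phase 3: render the Developer Workbook template from the FPR as a PDF.
report_build() {
  run ReportGenerator -format pdf -f "${OUT_FPR%.fpr}.pdf" -source "$OUT_FPR" \
      -template DeveloperWorkbook.xml
}
fortify_pipeline() {
  check_mem_value "$HEAP" || { echo "bad heap value: $HEAP" >&2; return 2; }
  check_mem_value "$STACK" || { echo "bad stack value: $STACK" >&2; return 2; }
  clean_build && translate_build && scan_build && report_build
}
if [ "${FORTIFY_AUTORUN:-0}" = "1" ]; then fortify_pipeline; fi
```

Run with FORTIFY_AUTORUN=1 to execute the whole pipeline; translate.log and scan.log give the separate per-phase logs the how-it-works page refers to.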