Prep Work Exercises. Open Your VM c:\vm Images\2017\windows 10 x64 (2).vmx. Check Access to

Transcription

1 Prep Work Exercises Open Your VM c:\vm Images\2017\windows 10 x64 (2).vmx UID: Admin PWD: Check Access to UID: Admin PWD: Command Line Scan open a dos prompt cd c:\share\trainer Material\Code\Java\riches_java_src sourceanalyzer -b riches-class clean sourceanalyzer -b riches-class -sql-language PL/SQL -source 1.6 -cp./web-inf/lib/*.jar;./lib/*.jar./**/*java./**/*jsp./**/*sql./**/*xml./**/*js./**/*html sourceanalyzer -b riches-class -source 1.6 -Xmx3200M -64 scan f richesresults.fpr

2 Application Security Fortify-On-Demand Application Defender Fortify WebInspect Sameer Kamani Security Solutions Architect Jeffrey Hsiao Security Solutions Architect

3 Agenda Prep Work Exercises Introductions Application Security Overview Fortify SCA Overview and Exercises Fortify SSC Overview and Exercises DevOps and Solution Architecture Putting It All Together Team Exercise Wrap-Up

4 Introductions Name and organization Role and duties Secure coding background

5 HPE Software is now Micro Focus! Laptops Printers Servers Network Storage Enterprise Services Enterprise Software

6 The Software Security Problem

7 Existing network and perimeter based security is insufficient % of breaches exploit vulnerabilities in the application layer Yet the ratio of spending between perimeter security and application security is 23-to-1 - Gartner Maverick Research: Stop Protecting Your Apps; It s Time for Apps to Protect Themselves (2014)

8 Vulnerabilities in Software What is a software or application vulnerability? A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.

9 So How Bad Can It Be?

10 Vulnerabilities in Software OWASP The Open Web Application Security Project is a worldwide free and open community focused on improving the security of application software. This community routinely publishes a list of the top-10 application security vulnerabilities. New list published in Previous list was published in 2013.

11 OWASP Top 10 As of 2017, OWASP lists the following top-10 categories: 1) Injection 2) Broken Authentication 3) Sensitive Data Exposure 4) XML External Entities (XXE) 5) Broken Access Control 6) Security Misconfiguration 7) Cross-Site Scripting (XSS) 8) Insecure Deserialization 9) Using Components with Known Vulnerabilities 10) Insufficient Logging & Monitoring

12 OWASP A1 Injection Flaws Multiple Types of Vulnerabilities SQL Injection LDAP Injection XPath Injection XSLT Injection HTML Injection OS Command Injection Basic Definition: Interpreters execute unintended commands on a server

13 OWASP A1 Injection Flaws SQL Injection The Worst of the Worst Has been on the top of the OWASP Top 10 since the beginning The favorite vulnerability of Anonymous, LulzSec, and Black Hats Pretty easy to detect and exploit Easy access to your data What is it? Data from an untrusted source is mixed into a SQL query allowing an attacker to change the query.

14 Injection Attack General Algorithm 1. Generate dynamic string to be used by an interpreter Append raw data to string Raw data is unexpected 2. Pass string to interpreter to be executed 3. Interpreter performs some other operation as a result of unexpected data

15 rform a SQL Injection Attack Conceptual Example and Flow 1. dynamic query against a SQL database such as: Select * from USERS where name = +username+ 2. User sets username = x'; drop table members; SQL database query has now changed meaning: Select * from USERS where name = x'; drop table members; Database will now delete the members table instead of querying user table

16 Preventing SQL Injections Another Exploit - incorrect filtered escape character 1) SQL Statement intended to retrieve the user s account transactions: String query = "SELECT * FROM acct_trans WHERE acct_num = " + request.getparameter( AcctNum") + "; 2) Exploit: AcctNum = or 1 = ) Result: SELECT * FROM acct_trans WHERE acct_num = or 1 = 1 --

17 How Do I Fix SQL Injection? Input Validation Yes Detect unauthorized input before processed by application Parameterized Queries (prepared stmt) Even Better Define SQL code and then pass in each parameter to the query later Parameters are placeholders for values

18 Parameterized Query NOT

19 Injection Attack Costly Example Heartland Payment Systems Jan, 2009 Jan M records stolen $130M + SQL Injection HR MAC III (cmd_proc Enabled) Payment Processing MAC I

20 One Vulnerability To Rule Them All Heartland Payment Systems The method used to compromise Heartland s network was ultimately determined to be SQL injection. Code written eight years ago for a web form allowed access to Heartland s corporate network. This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland s systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network. Although the vulnerability existed for several years, SQL injection didn t occur until late the intruders spent almost six months and many hours hiding their activities while attempting to access the processing network, bypassing different anti-virus packages used by Heartland. After accessing the corporate network, the fraudsters installed sniffer software that was able to capture payment card data, including card numbers, card expiration dates, and, in some cases, cardholder names as the data moved within Heartland s processing system. Heartland Payment Systems: Lessons Learned from a Data Breach Julia S. Cheney, January 2010 Federal Reserve Bank of Philadelphia

21 Injection Attack Government Example Illinois State Election Board The successful hack of the Illinois system began with a scan of the state election board's site with Acunetix, a commercial vulnerability scanning tool used to discover SQL injection vulnerabilities and other site weaknesses. The attacker used information on an SQL injection bug to then use SqlMap, an open source tool, to access user credentials and data, and the DirBuster tool to discover hidden files and directories on the Web server. Yahoo reports that officials suspected "foreign hackers" for the attack. After Illinois hack, FBI warns of more attacks on state election board systems ARS Technica Reported on 8/29/

22 Exercise 1: Start the Fortify Demo Environment Setup Start the Fortify Demo Server There s a Launch the Riches Demo App Shortcut on your desktop **It should already be started. You Should see some Command Prompt Windows.

23 Demo: SQL Injection Open Internet Explorer and browse to (there should also be a shortcut) Click the Locations Button at the top. There is SQL Injection in this form. See if you can find it! Valid Zip Codes (94404, 10005, 94123)

24 Demo: SQL Injection Open Internet Explorer and browse to (there should also be a shortcut) Click the Locations Button at the top. There is SQL Injection in this form. See if you can find it! Valid Zip Codes (94404, 10005, 94123) Try entering ' or '1'='1 in the Find ATMs/Locations field

25 OWASP A7 Cross Site Scripting (XSS) The Most Prevalent Vulnerability on the OWASP Top 10 Was at the top until the ranking methodology changed Very easy to detect and exploit What is it? Your application is used as a platform to attack your users. Allows an attacker to insert malicious code into the user s session Used to deface web sites, hijack sessions, steal credentials, and install malware

26 OWASP A7 Cross Site Scripting (XSS) Reflected XSS Requires a user to execute an action that contains the attack payload. (Such as clicking a link in a phishing ) The attack only affects the user that executes the action Persistent XSS Attack payload is injected into a data store, such as a database. The attack affects every user that uses the application. The most impactful variant of XSS

27 Preventing XSS Input/Output Validation Blacklisting Developing a naughty list of characters/tags Nearly impossible to write black lists that cover all attack vectors Many ways to obfuscate attack payloads Using case, null characters, and flaws in browser rendering Using alternate tags, such as IMG, IFRAME, links, body, etc Using alternate encodings and languages Check out: Whitelisting Using regular expressions [A-Za-z0-9]{5,25} Possible regex for a username

28 Preventing XSS Output Encoding Encoding Making Malicious Code Unexecutable <script> becomes <script> HTML Encoding for all data rendered in plain HTML Special care should be taken for data inserted into JavaScript and as tag attributes Many Standard Encoding Libraries are not sufficient Use the AntiXSS Library from Microsoft for.net (now included in 4.5) OWASP Enterprise Security API (ESAPI)

29 Cross Site Scripting Famous Example PayPal, circa Steal credit card numbers 1. Users access URL on genuine PayPal site 2. Page modified via XSS attack to silently redirect user to external server 3. Fake PayPal Member log-in page 4. User supplies login credentials to fake site Exploitable for two years

30 Exercise 2: XSS Injection Click the submit button on the login form. Open Internet Explorer and browse to (there should also be a shortcut) There is Cross Site Scripting in the login page. See it? Valid Login (eddie/eddie)

31 Exercise 2: XSS Injection Click the submit button on the login form. Open Internet Explorer and browse to (there should also be a shortcut) There is Cross Site Scripting in the login page. See it? Valid Login (eddie/eddie) Try entering ';</script><script>alert('xss');</script> In the login field

32 The Solution

33 Cost Software Security Assurance (SSA & SDLC) Security Design Code Test Integration - Staging Operate Monitoring + Protection 30x more costly to secure in Production 30X Security Gate Remediation + 15X Secure SDLC 10X 5X 1X Requirements Coding Integration/ Component Testing System Testing Production Source: NIST

34 The right approach for the new SDLC Build it in 1 Secure Development Continuous feedback on the developer s desktop at DevOps speed 2 Security Testing Embed scalable security into the development tool chain 3 Continuous Monitoring and Protection Monitor and protect software running in Production Improve SDLC Policies This is application security for the new SDLC

35 Software Security Analysis and Defense Static Analysis (Fortify): analysis of computer software that is performed without actually executing programs (i.e. run on source code) Dynamic Analysis (WebInspect): analysis of computer software that is performed by executing programs on a real or virtual processor (Pentesting against a running web application) RASP (Application Defender): software agent protects and monitors production systems. Static Dynamic RASP Requires source code Only Web Applications and services Only Web Applications and services Finds most issues Finds fewer issues Protects and monitors applications Provides line of code level detail Provides request and response Requires a software agent to be installed Preferred by developers Preferred by security and SOC Can protects against zero days

36 The right approach for the new SDLC Build it in Fortify SCA SAST WI Agent IAST WebInspect DAST App Defender RASP Secure Development Continuous feedback on the developer s desktop at DevOps speed Security Testing Embed scalable security into the development tool chain Continuous Monitoring and Protection Monitor and protect software running in Production Improve SDLC Policies This is application security for the new SDLC

37 MF Fortify Solutions

38 Security solutions backed by MF Security Research Ecosystem Partner MF Security Research SANS, CERT, NIST, OSVDB, software & reputation vendors Researchers Customers sharing data Largest commercial IT security research group Continuously finds more vulnerabilities than the rest of the market combined (50-75% of publicly reported critical vulnerabilities) Frost & Sullivan winner for vulnerability research last four years FSRG ESS Collaborative effort of market leading teams: ArcSight, Fortify, MF Labs, Application Security Center Collect network and security data from around the globe

39 Software Security Assurance (SSA & SDLC) Security Design Code Test Integration - Staging Operate Development Fortify Static Suite Static Code Analyzer (SCA) Audit Workbench (AWB) IDE Plugin Software Security Center (SSC) Hybrid Testing Fortify Dynamic Suite Web Inspect (WI) WebInspect Enterprise (WIE) Continuous Web Monitoring (CM) On-demand Web Scans Software Security Center (SSC) / Operations Visibility & Defense Application Defender Fortify On Demand (FOD) / Vendor Management Application Defender

40 MF Fortify SCA

41 Software Security Assurance Top 2 for WebInspect Secure Development Remediation Assessment Monitoring Protection Continuous Integration Process Driven Triage Security Acceptance Testing Continuous Monitoring Realtime Application Self Protection

42 MF Fortify Static Code Analyzer (SCA) Securing your application code in development Features: Automate static application security testing to identify security vulnerabilities in application source code during development Pinpoint the root cause of vulnerabilities with line of code details and remediation guidance Prioritize all application vulnerabilities by severity and importance Supports 24 languages, > 750 vulnerability categories, 840,000 APIs Benefits: Reduces the cost of identifying and fixing vulnerabilities Problem it solves: Identifies all risks in the source code for applications in development Reduces risk that a vulnerability will slip by and cause a problem later Saves valuable development time and effort

43 MF Fortify SCA Process Flow Translation Source Code to Fortify Intermediate Model Analysis Fortify Intermediate Model to List of Possible Vulnerabilities Audit Vulnerability Verification, Triage and Remediation

44 MF Fortify SCA Process Flow Translation Phase 44

45 MF Fortify SCA Process Flow Translation requirements All Languages Source code needs to be in a buildable state C, C++, Objective C compiler is required to run SCA translator C#, VB.Net solutions must be compiled to create pdb files Java, JavaScript, SQL, PHP, ColdFusion, APEX,... translated directly by the SCA translator

46 MF Fortify SCA Process Flow Translation Source Code to MF Fortify Intermediate Model Analysis MF Fortify Intermediate Model to List of Possible Vulnerabilities Audit Vulnerability Verification, Triage and Remediation

47 MF Security Fortify SCA Analysis Each analyzer has corresponding rule types. Looks for unsafe function calls based on their signature Detects potentially dangerous flaws in the structure or definition of a program Structural Semantic Configuration Uses XPath queries and namevalue matching to identify issues in application s configuration files Detects potentially dangerous execution sequences Control flow Buffer Buffer analyzer detect access to buffer beyond its boundaries Non-trusted input can potentially control application operation. Data flow Scan Content Searches for security issues and policy violations in HTML

48 MF Fortify SCA Process Flow Analysis Phase

49 Static Application Security Testing Accurately identify root cause and remediate underlying security flaw Results User Input XML PL/SQL VBScript VB.NET HTML Java.NET ABAP PHP T-SQL ASP C# CFML COBOL Visual Basic Python Classic ASP JavaScript/AJAX C/C++ SCA Frontend JSP T-SQL XML Java SCA Analysis JSP XML Java T-SQL 22+ Languages SQL Injection

50 MF Fortify SCA Process Flow Translation Analysis Audit Source Code to MF Fortify Intermediate Model MF Fortify Intermediate Model to List of Possible Vulnerabilities Vulnerability Verification, Triage, and Remediation

51 MF Fortify SCA Process Flow Audit Phase = MF Fortify Utilities + You MF Fortify Utilities Secure Coding Plugins Visual Studio, Eclipse, Audit Workbench (AWB) Audit Workbench (AWB) An MF Fortify Graphical User Interface (GUI) utility Rich features to review results from MF Fortify SCA analysis Secure Coding Plug-ins Very similar functionalities to AWB FPR Eclipse, Visual Studio Software Security Center (SSC) Contains a collaboration module with similar functionalities to AWB Has a rich reporting interface and stores all findings in the DB Software Security Center (SSC) You Verify and remediate issues found by MF Fortify SCA

52 Audit Phase = MF Fortify Utilities + You MF Fortify Utilities Audit Workbench (AWB) An MF Fortify Graphical User Interface (GUI) utility Rich features to review results from MF Fortify SCA analysis Secure Coding Plug-ins Very similar functionalities to AWB Eclipse, Visual Studio Software Security Center (SSC) You Contains a collaboration module with similar functionalities to AWB Has a rich reporting interface and stores all findings in the DB Verify and remediate issues found by MF Fortify SCA

53 MF Fortify Software Security Center Management, tracking and remediation of enterprise software risk Features: Specify, communicate and track security activities performed on projects Role-based, process-driven management of software security program Flexible repository and exporting platform for security status, trending and compliance Integrates with Audit Assistant Benefits: Problem it solves: Provides visibility into security activities within development Provides a clear, accurate picture of software risk across the enterprise Lowers cost of resolving vulnerabilities Identify areas of improvement for accelerated reduction of risk and costs

54 Static Software Scanning Process Check in Code Scheduled or Triggered Check-out and Build Code Repository Scrum Developers Continuous Integration Jenkins, TFS, etc. (Auto) Deliver for Analysis REPEAT AS NECESSARY Vulnerability Findings Issue Tracking Developer Fixes Bug / Finding Scanning Engine (SCA) Integrations SonarQube, Archer, etc. Mgmt Portal (SSC) Security/Tech Lead Submit Findings to Bug Tracker

55 Fortify SCA Suite Fortify SCA Static source code analysis. Audit WorkBench (AWB) Visual interface for analysis of software vulnerabilities. Secure Coding Plug-ins Integrated vulnerability detection into Integrated Development Environments (IDEs). Fortify SSC Server Management for multiple audit projects from a single centralized console.

56 How to run a Scan

57 Fortify scanning Multiple ways to scan a project IDE Plug-ins Build integration (Ant, maven, make, Jenkins, ) Command Line Audit WorkBench (AWB) Scan Wizard

58 Using the SCA Command Line interface

59 SCA Command Line Interface Command Line Interface Help sourceanalyzer -h Java Command Line Syntax sourceanalyzer -b <build_id> -cp <classpath> <file_list>.net Command Line Syntax sourceanalyzer -vsversion 9.0 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug C/C++ Command Line Syntax sourceanalyzer -b <build_id> <compiler> [<compiler options>]

60 Exercise 3: Command-Line Scan Translation Exercise Java Source Code CD C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_17.10\Samples\basic\eightball Commands sourceanalyzer -b EightBall -clean sourceanalyzer -b EightBall source 1.6 EightBall.java sourceanalyzer -b EightBall -source 1.6 -Xmx3200M scan f EightBall.fpr sourceanalyzer -b EightBall -show-files sourceanalyzer -b EightBall -show-build-warnings

61 Using the AWB

62 Exercise 4: Scanning With Audit Workbench

63 Exercise 4: Scanning With Audit Workbench

64 Exercise 4: Scanning With Audit Workbench

65 Exercise 4: Scanning With Audit Workbench

66 Exercise 4: Scanning With Audit Workbench

67 Exercise 4: Scanning With Audit Workbench

68 Exercise 4: Audit Workbench Scan Exercise Start Audit Workbench Select Advanced Scan Navigate to C:\Users\Workshop\Desktop\Trainer_Materials\ri ches_wealth_src Click OK Specify Java Version 1.6 Click Next > Add -Xmx2700M to translation and scan command line options Click Next > then click Scan

69 Configuring AWB

70 Configuration Options

71 Server Configuration where to DOWNLOAD rulepacks UPLOAD scan results Get SCA updates

72 Server Configuration If you have an SSC instance then rulepacks can be downloaded from it. Can automatically check for rulepack updates.

73 Typical Configuration download rulepack Corporate Network Software Security Center From Update.fortify.com Internet From SSC

74 Typical Configuration upload scan results Corporate Network Software Security Center Upload scan results to SSC instance

75 Security Content Management Security Content Version Click to manually check for new security content Click to import security content (custom rules)

76 Audit Configuration - Appearance Control Issue Display Tweak Issue Summary Display Merge comments with analysis tag changes

77 Audit Configuration - Configuration Override default Filter Set Set attribute to use for quick audit feature Configure how issues are copied Project Save Options

78 Memory Considerations SCA is a java application Can be set using the Xmx command line option -Xmx10800M -Xmx8G You can set the maximum java heap space via environment variable SCA_VM_OPTS=-Xmx4G used for SCA AWB_VM_OPTS=-Xmx2G used for Audit Workbench Value should not be greater that two thirds of total system memory

79 Using the Eclipse Plugin

80 MF Fortify SCA Eclipse IDE Plug-in

81 Fortify SCA Eclipse IDE Plug-in

82 Fortify SCA Eclipse IDE Plug-in Noted: you should make sure all libraries are included, and source codes are compliable before you scan.

83 MF Fortify SCA Eclipse IDE Plug-in Package Explorer Source Code Analysis Result Summary and details Analysis Trace

84 Exercise 5: Eclipse IDE Plugin Scan In Package Explorer Open Project Riches Fortify Analyze Project Start Scan

85 Remediate/Rescan

86 Exercise 6: Remediate SQLI and Rescan SCA Analysis Result Find SQL Injection Expand SQL Injection Choose LocationService.Java:121 Determine if the SQLI is exploitable or not Make change to the code Rescan

87 Exercise 6: Remediate SQLI

88 Exercise 6: Remediate SQLI // String querystr = "SELECT * FROM location WHERE zip = '" + zip + "'"; String querystr = "SELECT * FROM location WHERE zip =?"; statement = conn.preparestatement(querystr); statement.setstring(1, zip);

89 Using the Visual Studio Plugin

90 MF Fortify SCA Visual Studio IDE Plug-in

91 MF Fortify SCA Visual Studio IDE Plug-in

92 Exercise 7: Visual Studio IDE Plugin Scan In Solution Explorer Open Project Riches Fortify Analyze Project Start Scan

93 Working with the Results

94 Exercise 8: Remediate SQLI and Rescan SCA Analysis Result Find SQL Injection Expand SQL Injection Choose LocationDB.cs:30 Determine if the SQLI is exploitable or not Make change to the code Rescan

95 Exercise 8: Remediate SQLI

96 Exercise 8: Remediate SQLI //SqlCeCommand query = new SqlCeCommand("SELECT * FROM [location] where atm = 'Yes' and zip = '" + zip + "'", connection); SqlCeCommand query = new SqlCeCommand("SELECT * FROM [location] where atm = 'Yes' and zip connection);// query.parameters.addwithvalue("@postalcode", zip);

97 Working with the Results

98 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

99 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

100 Issues Panel My Issues: Filter issues to only display issues assigned to current user. Filter Set: Current Filter being used to display issues. Folders: One tab for each folder. The default folders are one for each Fortify Priority and one for all issues. Critical, High, Medium, Low, ALL Group By: How the issues are grouped together. The default grouping is by Category. Group Counts: This shows how many issues have been audited and how many total issues for the group. 0/5 means a total of 5 issues with 0 (zero) issues audited.

101 Issues Panel Folder Dialog Shortcut: Clicking the will open the dialog to edit folders. Folder Name: Name of the currently selected folder. Group Icon: A folder graphic is used as the group icon. This should not be confused with the Folders that are represented by the tabs. Issue Icon: Represents the auditing that has been done for the issue. Search: Used to search issues. Advanced searching capabilities are available.

102 Issues Panel analysis tag icons Not an Issue Reliability Issue Bad Practice Suspicious Exploitable Not Audited Previously Audited

103 Issue Grouping Analyzer File Name RTA Protected DISA STIG Create Custom Grouping

104 Issue Grouping - custom

105 Exercise 9: Issue Grouping Create a 2-level grouping FISMA NIST

106 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

107 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

108 Analysis Evidence Panel source sink Trace of analysis evidence used in identifying the issue. From source to sink. Icons are meaningful and documented in the About the Analysis Evidence Panel section of the Audit Workbench User Guide.

109 Analysis Evidence Panel

110 Analysis Evidence Panel The issue title is the last node in the analysis trace (sink)

111 Analysis Evidence Panel Shared Sink Sub-group title is the first line of the Analysis Evidence (source)

112 Analysis Evidence Panel Shared Sink Shared sink Different sources Two issues

113 Analysis Evidence Panel One sink Multiple paths One Source One issue

114 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

115 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

116 Issue Auditing Panel - Summary Set the analysis tag List of saved comments Short description of the selected issue Edit tags Suppress the issue Enter comments here Submit to bug tracking system Commit or cancel current comment

117 Issue Auditing Panel - Details Code specific abstract of selected issue. Detailed description of the selected issue.

118 Issue Auditing Panel - Recommendations Suggestions and examples of how to secure the vulnerability or remedy the bad practice.

119 Issue Auditing Panel - Recommendations Scroll down to see mappings and external research references.

120 Issue Auditing Panel - History Activities such as changing the analysis tag and suppressing an issue are logged. Comment history.

121 Issue Auditing Panel - Diagram Red lines in the diagram are the flow of tainted data Standard UML call graph of the Analysis Evidence

122 Issue Auditing Panel - Warnings Displays warnings/errors that occurred during the scan. Can export individual entries or all entries to a text file.

123 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

124 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

125 Source Code Panel Clicking an issue syncs the source code panel to the file and line number of the sink.

126 Source Code Panel Clicking on a trace node syncs the source code panel to node s file and line number.

127 Source Code Panel - Project Summary

128 Source Code Panel - Project Summary If someone tries to tamper with the FPR file directly, result certification will become invalid

129 Source Code Panel - Project Summary Executable LOC: SCA doesn t count blank lines and comments Total LOC: SCA doesn t include HTML, XML and properties files The list of all scanned files. Same as # sourceanalyzer -b build_id -show-files

130 Source Code Panel - Project Summary Time only for analysis phase

131 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

132 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

133 Functions Panel Lists all functions that were declared or called in the source code scanned. Package Class Function Name Show all functions or only those not covered by rules. Group by package, class or just list functions. Include internal, external, and/or superclass API s used in the source code scanned. Legend Search packages, classes and functions

134 Working with the results... Issues Source Code Functions Analysis Evidence Issue Auditing

135 Other Features

136 Suppression A way to hide an issue from view and consider it audited. What might be suppressed? Issues that you are certain will not be of concern. Issues that you plan to never fix. Issues that are warnings concerning code quality or correctness (lower priority).

137 Suppression Three ways to suppress Suppress the currently selected issue Right click on an issue Right click on a group of issues

138 Suppression How to view suppressed issues Interface will display suppressed issues by default when set. Toggles showing suppressed issues

139 Suppression Viewing suppressed issues Total suppressed issues in current folder The icon for suppressed issue

140 Suppression Unsuppress an issue While viewing suppressed issues, right click on a suppressed issue.

141 Exercise 10: Audit and Suppress Audit all insecure randomness issues Add a comment to all issues related to: Suppress all Dead Code

142 Software Security Center Overview

143 MF Fortify Software Security Center Management, tracking and remediation of enterprise software risk Features: Specify, communicate and track security activities performed on projects Role-based, process-driven management of software security program Flexible repository and exporting platform for security status, trending and compliance Benefits: Problem it solves: Provides visibility into security activities within development Provides a clear, accurate picture of software risk across the enterprise Lowers cost of resolving vulnerabilities Identify areas of improvement for accelerated reduction of risk and costs

144 MF Security Fortify Software Security Center Vulnerability detail Line of code vulnerability detail Remediation explanation and advice Vulnerabilities identified in the scan

145 SSC Functional Areas SSC Administration User Access System Configuration Issue Template (Project Template) Application (Project) Administration Application Management Attributes Assignment Program Management Audit Page (Collaboration Module) Reporting

146 Exercise 11: Software Security Center Walk Through 1. Click on Launch the Fortify SSC Server 2. Open a web browser 3. Navigate to 4. Login information is in student_logins.txt on your Desktop. Log in as admin. 5. Password is Workshop2017!

147 SSC Interface Administration Header Dashboard Task List Activity List

148 Exercise 12: Create a New Application Create a New Application New Application Click on Launch the Fortify SSC Server Open a web browser Navigate to Name: Riches2 Version: v9 Development Phase: New Login information is in student_logins.txt on your Desktop. Log in as admin. Password is Workshop2017! Click Application Click New Application

149 Create A New Application Application New Application

150 Exercise 13: Upload FPR Upload FPR Login Launch AWB Click Tools Click Configure Upload Enter SSC Login Credentials Click Upload Audit Project SSC URL: Username: admin Password: Workshop2017! Application: Riches2, V9

151 Upload FPR You need to setup Server Configuration Upload FPR Configuration before you can upload FPR Click Tools then Upload Audit Project. Enter SSC user and password. Select the appropriate project and version

152 Scan analytics Machine learning to make AppSec more efficient Identify true vulnerabilities and prioritize them for remediation faster Focus on triaging and investigating high priority vulnerabilities. Return value-added time to your developers and auditors Exploitable Potential Vulns. Fortify Scan Analytics Indeterminate Not an Issue 152

153 Return value-added time to auditors and developers Without sacrificing scan integrity Non-issue reduction Accuracy False negative 25% 90% 80%-98% <1% Results obtained are based on real world applications and scenarios. Results vary based on training and customization. They are not guarantees of future performance.

154 Reporting

155 Data Visualization Dashboards and Reports Global dashboard highlights risk across software portfolio Vulnerability status by application

156 Reporting Features AWB/Plugins SSC BIRT Reporting X X BIRT Customization X Simple Layout Configuration X X PDF X X HTML X X DOC X XLS X Asynchronous X Synchronous X Issues Reports X X Portfolio Reports X Application Reports X Dashboards X

157 Report Type CWE/SANS Top 25 DISA STIG Developer Workbook FISMA Compliance: FIPS-200 OWASP Mobile Top 10 OWASP Top 10 PCI DSS Compliance Application Security Requirements

158 Layout Default Report Layout Title Page Table Of Contents Executive Summary Project Description Issue Breakdown Issue Detail/Summary

159 Exercise 14: Generate AWB Reports Generate AWB Reports Features Launch AWB Click Reports Generate BIRT Report - Security Auditor View Click Reports New BIRT Reporting Engine Simple Layout Configuration Saves as DOC,HTML, PDF Synchronous Generate BIRT Report Quick View Click Reports Click Tools->Generate Legacy Report

160 AWB Reports: Generation Reports

161 Exercise 15: Generate SSC Reports Generate SSC Reports Features Click on Launch the Fortify SSC Server Open a web browser Navigate to Login information is in student_logins.txt on your Desktop. Log in as admin. Password is HPpass2017! Click Reports New BIRT Reporting Engine BIRT Customizations Simple Layout Configuration Saves as XLS,HTML, PDF Asynchronous Dashboard Portfolio and Application Reports Click New Report

162 Generate SSC Reports Reports New Report

163 DevOps and Solution Architecture

164 164 DevOps Definition, Principles and Benefits DevOps- A practice that emphasizes the collaboration and communication between software developers and IT professionals, with the goal of automating the process of software delivery and infrastructure changes. Principles Develop and test in an environment similar to production Deploy builds frequently Automate the process of delivering software Validate quality continuously Benefits Faster time to value Faster time to market with higher quality Stay ahead in a competitive environment

165 165

166 166

167 Static Code Security Analysis for the Enterprise Start with Assessment, Visibility, and Own the Debt First / DevOps Second 167

168 168 Effective / High Velocity DevSecOps Repair MY Issues 7 8 Check in Secure Code Source Code Mgmt System 1 Build / Translation Job IDE Security Plugin Local Remediation Scan Light Weight Static Scan Prerequisites: 1) Base line scan / audit performed 2) Confidence threshold defined 3) Audit Filters or Rules from previous scans applied via vuln mngt platform Developer 5 Lead Developer Triage & Assign to Defect Tracking System 4 New / Critical Issues Exist Alert Vulnerability Mngt Platform 3 Upload New Scan Merged with Existing Defect Mgmt System Translated Files sent to available scan server 2 Security Analysis Static Scan Servers Cluster 6 Developer is sent ticket with embedded link to issues

169 Expertise Time to Value Enterprise Workstation w/ SCA Advanced Workstation w/ SCA Scanning Server Basic Workstation w/ SCA Workstation w/ SCA Scanning Server Scanning Server Fortify SSC Fortify SSC Cloud Scan Controller Workstation w/ SCA Scanning Server Fortify SSC Mobile Build Analyzer Sensors 1 Days

170 Putting It All Together Team Exercise

171 Software Security Assurance Roles & Workflow 1 SSC Administrator Manage users, roles, access, project templates, filters,... Dynamic scan results published to SSC 5 Executive Management CISO/PM s and others can view metrics, generate reports and better manage risk Build Manager 3 SCA scan is executed as part of the build process, and all static code analysis results can be uploaded into SSC Build / Scan Machine Build and Scan could be different physical machines Software Security Center (SSC) Rights and roles Project Templates Applications and Versions Dynamic and Static Scan Results 4 Development Manager and IA Team Triage results (as part of the IA review process) and assign tasks via Change Management process Code Repository Configuration Management Check-out, remediate & check-in Remediate 2 Developers SCA Scan on Desktop Write Code MF Fortify Static Code Analyzer (SCA), IDE Plugins, Audit Workbench (AWB)

172 Enterprise process where developers have SCA and a build/scan server is in place Step 1: All policy, governance (Mitre/CWE (Common Weakness Enumeration), FISMA, etc), roles and responsibilities will be established in the SSC. Including process flow, and use cases, and other know how to help each participant understand their role in the process. Step 2: As Developers go about their day to day development tasks, they will scan their code for the Application Security policies established by the IA team. Once the Developer has checked their code in, it will uploaded the build server. Developers will have access the SSC server to view activities assigned to them, and to better understand their role, and other helpful tips/techniques. Step 3: Once the code has been promoted by the developers, an entire scan will be conducted on the application as a whole as part of the build process, and the results file will be uploaded to the SSC. Step 4: Results from the scans will be triaged/audited by IA, Testers or others, and any issue which needs to be address will be assigned to the appropriate development manager. The development manager will follow the established company Change Control process and assign the work to a developer for remediation (back to step 2). Step 5: Project Managers, Executives, and others will have access to the HP Fortify SSC server to generate reports, review project metrics; essentially managing risk and activities

173 Group Exercise Life Cycle Break up into Pairs Log in SSC User 1 Task 1 Create Users Create Projects Task 2 Open Collaborative audit Audit User 2 Task 1 Scan Sample Code Upload Task 2 Open Collaborative Audit Review Comments

174 Q&A?

175 Enterprise Adoption Success Scorecard The Only Questions You Really Need to Ask 1. Do you have SSC stood-up and operating properly? 2. Are the FPRs of record for active development teams loaded at least once per week? 3. Does your CISO and/or Application Development Director have a login? 4. Does your CISO and/or Application Development Director login to SSC and review the portfolio results at least once per month? 5. Has your CISO and/or Application Development Director specified a remediation policy for Fortify findings? 175

176 Thank You