HP Fortify Technical Publications. Glossary


HP Fortify Technical Publications Glossary
Document Release Date: April 2014

Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
Copyright 2014 Hewlett-Packard Development Company, L.P.

Documentation Updates
The title page of this document contains the following identifying information: the software version number; the document release date, which changes each time the document is updated; and the software release date, which indicates the release date of this version of the software. To check for recent updates or to verify that you are using the most recent edition of a document, go to: This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number:

Preface
This glossary is intended for customers and employees of HP Fortify. It is a living document, and we welcome your additions, corrections, clarifications, and requests. If you have any questions about or suggestions for this document, please contact the HP Fortify Technical Publications Department at HPFortifyTechPubs@hp.com.

Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA
contact@fortify.com
Website

HP Fortify Glossary

Words in bold are defined in the glossary.

Access page: An HP Fortify Project Details page from which you can manage the access to an HP Fortify Security Center project version based on account type.

accessibility: A required project version attribute for both basic remediation and SSA project version types.

Accuracy: A measure of how closely the rules used in scanning and analysis come to uncovering an application's actual vulnerabilities.

action: A change to the state of the target program that can be invoked by an event handler. Examples of actions include throwing an exception, showing an error page, terminating the user's session, and rewriting the value of a variable in the target program.

activity: One of a series of primary and subordinate tasks that must be signed off to complete the secure development of a project version. Security Center process templates are hierarchical constructions of requirements and activities.

alert: A notice generated by Security Center (SSC) when a specified set of conditions (the alert definition) occurs. SSC can send an e-mail to notify team members of an alert.

alert definition: User-generated rules that determine under what circumstances SSC should generate an alert. An alert definition uses variable, performance indicator, or HP Fortify Governance (SSA project types only) process conditions to specify when HP Fortify Software Security Center (SSC) should generate an alert notification in the Dashboard Alert Notification Pod and by e-mail.

alert notification: A notice generated by Security Center (SSC) when a specified set of conditions occurs. When SSC receives an alert, it creates an alert notification and displays it in a dashboard pod. In addition, alert notifications can send messages to one or more SSC project version members.

analysis artifact: A file that contains analysis and auditing data for a project version. Artifacts are evidence of security activities and assessments, delivered in the form of FPRs, alerts, and documents.

analysis results: The information reported by Security Center (SSC). Analysis results are viewed, uploaded, and managed from the Analysis Results tab of the Artifacts page.

analysis trace panel: A section in the HP Fortify Audit Workbench (AWB) graphical user interface that displays the chain of evidence the analyzer used to produce the vulnerability.

analyzer: A component of a security software product that looks for security issues using one or more particular techniques. See Buffer Analyzer, Configuration Analyzer, Control flow Analyzer, Dataflow Analyzer, Semantic Analyzer, Structural Analyzer.

application assignment rule: User-supplied criterion for sorting events from an application server according to the application that generated the event. For example, an application server running applications A and B might have two application assignment rules: one rule that associates events with notation /a in the URL with application A and a second rule that associates events with notation /b in the URL with application B.

artifact: See analysis artifact.

Artifacts page: An HP Fortify Project Details page that is used to access analysis results and document artifacts. See also analysis results, document artifacts.

attack surface: A collection of code, such as interfaces, services, protocols, and practices, that are accessible to all users, including unauthenticated users. Since all code is fallible, it is important when writing secure code to reduce the attack surface.

audit: The process of assessing an application or program for security vulnerabilities.

Audit Workbench: An HP Fortify product that provides a GUI front-end for HP Fortify Static Code Analyzer (SCA). It can be used to scan software projects and to organize, investigate, and prioritize analysis results. Audit Workbench is also able to open results from Security Center (SSC), through a collaborative audit.

audited percentage: The percentage of a project's total issues that have been audited. Accessed via the Issues page.

authentication: Identity verification, typically through the use of logon passwords. Authentication precedes authorization.

authorization: Access control. After a user has been authenticated (proven his or her identity, typically via a logon password), the operating system or application identifies what resources the user can access during this session, and authorizes access accordingly.

basic remediation project version: One of two types of project versions, the other being SSA (Software Security Assurance). A basic remediation project version requires you to select a project template but does not support process templates. A basic remediation project is designed for vulnerability remediation, but does not formalize a process.

BIRT: See Business Intelligence and Reporting Tool.

BIRT report: A report based on the Business Intelligence and Reporting Tool (BIRT), which is an open source, Eclipse-based reporting system. Customizing Security Center BIRT reports requires an understanding of database operations and design, SQL syntax, and report design. See also BIRT.

black box: Testing techniques that automate the attacks hackers use to exploit vulnerabilities. WebInspect is a black box scanner. Black box scanning usually involves mapping the attack surface of an application (crawling), sending attacks, and measuring the response of the web application to gauge whether those attacks were successful.

Buffer Analyzer: A component of HP Fortify Static Code Analyzer (SCA) that detects overflow vulnerabilities that involve writing or reading more data than a buffer can hold.

Bugzilla: Third-party, open source software used by engineering groups to keep track of bugs in a given software program.

build adapter command: A command that bundles translation and scan steps when using touchless integration.

build ID: Name of a project being analyzed.

business attributes: Project version attributes that provide business management qualifiers. (Most of these attributes are optional; only business unit is required.) Individual BIRT reports may aggregate or filter data by business attributes.

Business Intelligence and Reporting Tool: Reporting engine used by Security Center to produce formal reports. Individual reports may be created as MS Word, MS Excel, or PDF documents.

call graph: A directed graph that represents which functions call each other in a program. The call graph is used by various analyzers to track taint, among other things.

chief information security officer: Executive responsible for establishing and maintaining the strategies and programs for an enterprise that ensure the enterprise's information is protected.

CISO: See chief information security officer.

CLASSPATH: An environment variable that tells the Java Virtual Machine (JVM) where it should look for user-defined classes and packages.

client: Requesting program or user in a client/server relationship. For example, the user of a web browser is effectively making client requests for pages from servers all over the web. The browser itself is a client in its relationship with the computer that is getting and returning the requested HTML file. The computer handling the request and sending back the HTML file is a server.

cloud computing: A general term for delivering hosted services over the Internet or an intranet.

CloudScan: See HP Fortify CloudScan.

CloudScan Agent: A Hadoop node (task tracker and data node) responsible for executing HP Fortify Static Code Analyzer (SCA) analysis on mobile build session files that have been translated by SCA.

CloudScan Controller: Server that receives the HP Fortify Static Code Analyzer (SCA) mobile build session and scan instructions from the CloudScan CLI. It routes the information to the CloudScan Cloud.

cluster: An event handler construct used to match a sequence of events. For example, an event handler might use a cluster to specify that users be logged out after they attempt three cross-site scripting attacks.

Collaboration Module: See Security Center Collaboration Module.

command injection: A common coding error that affects security, in which executing commands that include unvalidated user input causes an application to execute malicious commands on behalf of an attacker. For more information, see

common rule elements: HP Fortify Static Code Analyzer (SCA) elements that are common to all rules. These include <RuleID>, language, and formatversion.

Common Weakness Enumeration: See CWE.

Compatibility Mode: An integration mode that allows HP Fortify Runtime Application Protection to operate with Java Virtual Machines that do not support Java Agents. Compatibility Mode enables operation when Java Agent Mode is not possible, with some limitations.

Configuration Analyzer: An HP Fortify component bundled with the HP Fortify Static Code Analyzer (SCA), which searches for mistakes, weaknesses, and policy violations in programming configuration files. For example, the Configuration Analyzer checks for reasonable timeouts in web application user sessions.

configuration bundle: A file containing all of the information the Federation Controller uses to govern a Federation, including a configuration template, Rulepacks, settings, and administrator-specified event handlers. An administrator might configure and test HP Fortify Runtime Application Protection in a staging environment, then export a configuration bundle from the staging server and import the configuration bundle into the production server.

configuration template: A baseline host configuration stored on a Federation Controller. HP Fortify Runtime Application Protection enables a security designer to add functionality to a configuration by supplying additional event handlers or overriding the values of settings.

Content Analyzer: A component of HP Fortify Static Code Analyzer (SCA), which finds security issues and policy violations in static HTML pages and files that contain dynamic HTML.

Control flow Analyzer: A component of HP Fortify Static Code Analyzer (SCA), which detects potentially dangerous sequences of operations and whether a set of operations is executed in a specific order.

coverage event: An event reported by HP Fortify Program Trace Analyzer (PTA) that represents normal user data and is not considered an attack.

cross-site scripting: A common coding error that affects security, in which unvalidated data is sent to a web browser and results in the browser's executing malicious code. For more information, see

custom check: A user-defined probe for a specific vulnerability that the standard WebInspect repertoire does not address. A custom check is similar to a custom attack agent, with the major difference being that a custom check can be created using a simple wizard, while a custom attack agent is programmed in Visual Basic using a special integrated development environment and requires significant knowledge of the WebInspect architecture. The result is also narrower in scope than that of a typical attack agent.

custom descriptions: Details specific to your organization, which can be integrated into HP Fortify products. Custom descriptions can be added to HP Fortify Secure Coding Rulepacks or to your own custom rules using the <CustomDescriptionRule> element. This enables you to add organization-specific secure coding guidelines, best practices, and references to other internal documentation.

custom rules: Requirements specific to your company, and developed by your staff, to extend HP Fortify software products for your situation. Custom rules enable you to extend the functionality of HP Fortify Secure Coding Rulepacks by accommodating proprietary security guidelines, and by analyzing a project that uses third-party libraries or other pre-compiled binaries that are not already covered by the HP Fortify Secure Coding Rulepacks.

Custom Rules Editor: An HP Fortify product for creating and reviewing security or coding practice rules that are tailored for a customer's source code.

CWE: Common Weakness Enumeration; a description of vulnerabilities created by Mitre (cwe.mitre.org) and used as a standard classification throughout the industry.

DAST: Vulnerability tests conducted on a running application, typically performed in a QA environment. DAST stands for dynamic application security testing.

Dataflow Analyzer: A component of HP Fortify Static Code Analyzer (SCA), which detects potential vulnerabilities. Uses global, inter-procedural taint propagation analysis to detect the flow of data between a source (site of input) and a sink (dangerous function call or operation).

Dataflow cleanse rule: Rule that describes validation logic and other actions that render tainted data either partially or completely cleansed.

Dataflow entrypoint rule: Rule that describes program points that introduce tainted data to a program. Dataflow entrypoint rules do this by describing the functions and methods that can be invoked from outside the program.

Dataflow pass-through rule: Rule that describes how functions and methods propagate taint from their input to output.

Dataflow sink rule: Rule that identifies points in a program that tainted data must not reach.

default application: A permanent application definition included in the Security Center (SSC). If the SSC receives a security event from an HP Fortify Runtime host, and the HP Fortify Runtime application has no application assignment rule that associates the event to a target application definition or application context path, then the HP Fortify Runtime application associates the incoming event with the default application.

development phase: A required project version attribute for both basic remediation and SSA project versions.

development strategy: A required project version attribute for both basic remediation and SSA project versions.

dispatch: An asynchronous event routing as specified by an event handler. HP Fortify Runtime Application Protection can dispatch events to a log file, an external system such as syslog, or to a Federation Controller. The Federation Controller can dispatch events to the database or to an alert.

document activity: An activity that requires the submission of an external process document.

document artifacts: Any type of file containing information or tasks pertinent to the secure development of an HP Fortify SSA project version. Document artifacts are used only in HP Fortify Software Security Center SSA projects.

dynamic application security testing: See DAST.

EAM: See Enterprise Assessment Management.

Enterprise Assessment Management (EAM): An HP Fortify on Demand offering that assesses application security of in-house software, whether deployed or in development.

event: A hierarchical collection of attributes, assembled by monitors from information in a rule and from the state of the target program. An event can include information such as the name of a vulnerability category, the HTTP request that generated the event, information about an attack, and the stack trace with the program point for the monitor that created the event.

event attribute: A labeled value contained in an event. For example, an event related to SQL injection could carry the attribute "category: SQL Injection". This event attribute has the label "category" and the value "SQL Injection".

event handler: A configuration element that interprets and acts on events. When an event handler detects an event, it can optionally dispatch the event, or, if the event handler is operating in the context of HP Fortify Runtime Application Protection, it can carry out an action in the target program.

event handler chain: An ordered set of event handlers that defines a response to one or more events. Each event handler in the chain is given an opportunity to handle an event. By default the evaluation of the event handler chain stops after the first matching event handler fires. The default event handler is carried out if no other event handlers match the event.

Event Log page: A user interface (UI) page that is accessed from the HP Fortify Project Versions Details page. The Event Log page lists events in reverse chronological order for a selected HP Fortify project version.

event type: Each reported event is of one or more of the following three types: attack, vulnerability, and audit. Attack type: the event is triggered by an intruder trying to attack a system. Vulnerability type: the event is triggered by a vulnerability found during program execution. Audit type: the event is an unexpected or abnormal behavior observed while a program is executing.

EventID: A dynamically generated unique identifier for each event reported.

external metadata: Mappings from the HP Fortify categories to alternative categories (such as OWASP 20xx, PCI 1.2, and CWE). See also security content.

Federated mode: The operating mode in which a Runtime instance coordinates its activities with other instances, such that a group of HP Fortify Runtime Application Protection instances are managed as a single logical entity. Members of a federation are configured by a Federation Controller, and the members can report events back to the Federation Controller.

Federation: A group of HP Fortify Runtime Application Protection instances managed as a single logical entity.

Federation Controller: The Security Center (SSC) that coordinates the activities of hosts operating together in a federation.

finite state machine: A mathematical abstraction sometimes used in programming to design digital logic that uses behavioral states as its model.

FISMA: The Federal Information Security Management Act, passed in 2002, which requires each U.S. federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA relies on guidelines published by NIST, the National Institute of Standards and Technology. For more information, see

FoD: See HP Fortify on Demand.

Fortify 360 Program Trace Analyzer: A (now deprecated) product that enabled software testers to find security issues without any change to their normal test processes. The PTA transparently observed an application during manual or automated testing and identified security vulnerabilities. It produced code-level details about Runtime security issues discovered during application testing. The functionality of PTA was superseded by HP Fortify SecurityScope, and later by HP Fortify WebInspect Agent.

Runtime Application Protection: See HP Fortify Runtime Application Protection.

Fortify 360 Source Code Analyzer: See HP Fortify Static Code Analyzer.

Fortify 360 SSA Governance Module: See HP Fortify Governance Module.

Fortify 360 Suite: Formerly, the collective name for the Security Center and its components.

fortifyclient: A command-line utility for managing files and performing common automated tasks (such as analysis result uploads) on Security Center (SSC).

Fortify priority order: A designation of the seriousness of an issue detected by HP Fortify Static Code Analyzer (SCA), applied automatically to FPR files. A category of Critical, High, Medium, or Low is assigned to an issue to denote the likelihood that it will be exploited. Fortify priority order is also visible within Security Center (SSC).

Fortify project results: The HP Fortify Static Code Analyzer output file format.

fortifyupdate: A command-line utility for downloading the latest Secure Coding Rulepacks.

FPO: See Fortify priority order.

FPR: See Fortify project results.

fprgenerator: A command-line utility for generating FPRs from Fortify 360 Program Trace Analyzer (PTA) events.

fprutility: A command-line utility for manipulating FPRs.

FSM: See finite state machine.

General Page: An HP Fortify Project Details page that provides information on the HP Fortify project version, business attributes, technical attributes, and analysis results processing rules.

GUI Tools: See SCA Tools.

Hierarchical Summary Report: A Security Center Portfolio Report that enables you to create a historical summary of issues based on Security Center project version and issue categorization.

Host: In HP Fortify Runtime Application Protection, a computer running one or more Federated instances of HP Fortify Runtime Application Protection.

host configuration: The set of files that determines the behavior of HP Fortify Runtime Application Protection on a host. The host configuration includes rules files and a configuration file specifying global settings, rules, and event handlers.

HP Fortify Audit Workbench (AWB): An HP Fortify product that provides a GUI front-end for HP Fortify Static Code Analyzer (SCA). It can be used to scan software projects and to organize, investigate, and prioritize analysis results. Audit Workbench is also able to open results from Security Center (SSC), through a collaborative audit.

HP Fortify CloudScan: A service of HP Fortify available to users of HP Fortify Static Code Analyzer (SCA), that enables them to efficiently manage computing resources by offloading the processor-intensive scanning phase of the analysis from build machines to a cloud of machines.

HP Fortify Governance Module (Fortify 360 SSA Governance Module): An optional component of Security Center which provides comprehensive identification and removal of security vulnerabilities in software, and enhancement of an organization's existing development and software procurement processes to ensure that security is given appropriate consideration.

HP Fortify on Demand (FoD): A way to quickly, accurately, and affordably test the security of certain enterprise applications, without the need to install or manage additional software.

HP Fortify Portfolio Report Group: A group of reports that enable you to compare issues, trends, and indicators across multiple Security Center (SSC) project versions. See also Hierarchical Summary Report, Issue Trending Report, Key Performance Indicators Report, Security at a Glance Report.

HP Fortify project version: See Security Center (SSC) project version.

HP Fortify Runtime Application Protection: An HP Fortify application that addresses security vulnerabilities in software that has already been deployed. HP Fortify Runtime Application Protection automatically blocks attacks for common vulnerabilities from inside applications. Runtime Application Protection is responsible for attaching monitors to the target program as specified by rules, providing an environment for executing monitors, and executing the event handler chain when monitors generate events. A single invocation of Runtime Application Protection monitors one and only one target program.

HP Fortify Runtime platform: The common elements underlying HP Fortify Runtime Application Protection and HP Fortify SecurityScope, including configuration and rule formats, system requirements, and supported environments.

HP Fortify Runtime analyst: A person responsible for monitoring HP Fortify Runtime Application Protection on an ongoing basis and for making limited configuration changes. Looks at Runtime Application Protection output and makes decisions, modifies event handlers, and adjusts settings as necessary.

HP Fortify Runtime host: A computer running one or more federated instances of an HP Fortify Runtime Application Protection or HP Fortify SecurityScope application.

HP Fortify Runtime operator: A person responsible for installation, basic configuration, and ongoing maintenance of the Runtime system.

HP Fortify Runtime solution designer: A person responsible for configuring and customizing HP Fortify Runtime Application Protection or HP Fortify SecurityScope for a given application.

HP Fortify SecurityScope: SecurityScope runs atop HP Fortify's Runtime platform, allowing it to monitor your code for software vulnerabilities as it runs. When used in conjunction with HP Fortify Static Code Analyzer and HP WebInspect, SecurityScope output can be processed using HP Fortify Runtime Hybrid Analysis technology to correlate dynamic test results with static test results. SecurityScope provides Runtime technology to help connect your dynamic results to your static results.

HP Fortify Secure Coding Rulepack: Rules that HP Fortify Static Code Analyzer (SCA) uses to model important attributes of the program under analysis. These rules provide meaning to relevant data values and enforce secure coding standards applicable to the code base. The Rulepacks describe general secure coding idioms for popular languages and out-of-the-box public APIs. See also custom rules, Rulepack.

Security Center: A centralized system that helps application developers find, fix, and verify security vulnerabilities, to comply with application security standards and to meet audit, regulatory, customer, and partner requirements. Security Center (SSC) combines results from HP Fortify Static Code Analyzer (SCA), HP WebInspect, HP Fortify Runtime Application Protection, and other industry analyzers.

Security Center attribute definitions: The optional and required attributes that are set during creation of a new HP Fortify Software Security Center (SSC) project version or a Runtime application.

Security Center Collaboration Module: A component of Security Center (SSC) which enables teams to audit issues and collaboratively prioritize vulnerabilities.

Security Center Dashboard: A user interface that appears when you log on to the Security Center (SSC). The dashboard contains multiple pods that provide access to the SSC project versions and features.

Security Center Issue Report Group: A group of reports that summarize the presence of specific categories of vulnerabilities in a single Security Center (SSC) project version. See also OWASP 2004 Report, OWASP 2007 Report, PCI Compliance: Application Security Report, Penetration Testing Correlation Report, Seven Pernicious Kingdoms Report.

Security Center Process Designer: A utility that enables default work owners to be assigned to process template requirements and activities. Because there is no way to predict which HP Fortify Software Security Center user account names may be assigned as work owners, the Process Designer client tool assigns work owners to requirements and activities by persona.

Security Center process template: A guide for the secure development team, used to navigate through the various requirements and activities needed to fulfill an enterprise's secure development standards. (Required only when creating an SSA project version.)

Security Center project: See project.

Security Center Project Report Group: A group of reports that enables you to summarize user-selectable categories of information for a single Security Center project version.

Security Center project template: A template that governs how HP Fortify products categorize, summarize, and report project data and enable customized project settings.

Security Center project version: An iteration, or specific incidence, of a project. A project version contains data, auditing, and project attributes for a particular version of the project's code base. Users should create a new HP Fortify project version for each new version of the code base, rather than creating a new project. A project may have one or more project versions. A project version may track results from one or more analysis artifacts.

Security Center SSA Portfolio Reports Group: A group of reports that contains one report that summarizes the completion of Secure Software Assurance Requirements and Activities across one or more Security Center project versions. See also SSA Progress Report.

HP Fortify Static Code Analyzer (SCA): A product that uses a set of software security analyzers to search source code for violations of security-specific coding rules and guidelines in a variety of languages. The rich data provided by HP Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate.

HP WebInspect: A software package that performs web application security testing and assessment for complex web applications, by identifying security vulnerabilities undetectable by other scanners.

HP Fortify WebInspect Agent: WebInspect Agent (named SecurityScope in Software Security Center 4.00 and earlier versions) runs atop HP Fortify's Runtime platform, allowing it to monitor your code for software vulnerabilities as it runs. When used in conjunction with HP Fortify Static Code Analyzer and HP WebInspect, SecurityScope output can be processed using HP Fortify Runtime Hybrid Analysis technology to correlate dynamic test results with static test results. SecurityScope provides Runtime technology to help connect your dynamic results to your static results.

Hybrid 2.0 Technology: The presentation and grouping of correlated results from HP WebInspect penetration tests, HP Fortify SecurityScope, and HP Fortify Runtime Application Protection.

IDE: Integrated Development Environment; a programming environment integrated into an application.

IDS: Intrusion Detection System. This kind of system supplements perimeter security applications (such as firewalls) and identifies attacks that have passed through those defenses.

impact: The potential damage an attacker could do to your assets by successfully exploiting a vulnerability. This damage could be in the form of financial loss, compliance violation, loss of brand reputation, negative publicity, and more.

individual auditor: A user who performs a single security review of a Security Center project for a specific organization. An individual auditor uses custom rules to focus on a subset of security issues rather than trying to address all areas of the application.

Issue Trending Report: One of the Security Center Portfolio Reports, which provides an overview of changes to project risk over time.

Issues page: The default HP Fortify Project Details page. Provides current state and trending data on the selected HP Fortify project version.

Java Agent Mode: The default Java integration mode. Java Agent Mode is available on JVM version 1.5 and newer, is the simplest mode of operating HP Fortify Runtime Application Protection with a JVM, and provides the most capabilities.

Key Performance Indicators Report: A Security Center Portfolio Report that condenses multiple software security performance indicators and organizes them by project attributes. Managers can use this view of the project portfolio to do basic comparisons among the attribute groupings.

LDAP injection: A common coding error that affects security, in which a dynamic LDAP filter is constructed with user input, allowing an attacker to modify the filter's meaning. For more information, see

likelihood: The probability that a vulnerability will be accurately identified by an outsider and successfully exploited.

link token: A unique number, generated by HP Fortify on Demand, that authorizes tenants to upload source code for analysis.

log forging: A common coding error that affects security, in which unvalidated user input is written to log files, allowing an attacker to forge log entries or inject malicious content into the logs. For more information, see

MetaInfo.accuracy: The accuracy of a rule; that is, the rate at which a reported event turns out to be a true vulnerability.

MetaInfo.audience: The target audience for an event.

MetaInfo.impact: The potential damage an attacker could do to assets by successfully exploiting a given vulnerability. This damage could be in the form of financial loss, compliance violation, loss of brand reputation, and/or negative publicity, among other things. (The value is hardcoded in the rule.)

MetaInfo.impactBias: The primary security attribute affected by a given vulnerability.

MetaInfo.primaryAudience: The person within an organization who is likely to be most concerned with a particular issue.

MetaInfo.priority: See HP Fortify priority order.

MetaInfo.probability: The probability that a given vulnerability will be discovered by an attacker or an auditor.

monitor: A Java or .NET class built to watch program points. Monitors are connected to the target program as specified by rules. Monitors can create events. HP Fortify Runtime Application Protection includes a set of predefined monitors, but users can also add their own monitors.

MonitorID: A unique identifier for the monitor that generated a particular event. (The value is hardcoded in the rule.) Note: One rule can contain multiple monitors.

OWASP Reports (2004, 2007, 2010): A Security Center Issue Report that provides a summary of OWASP vulnerabilities in a single Security Center project version.

partial cleanse: A taint cleanse rule that specifies the taint flags to be added or removed.

path manipulation: A type of security vulnerability that enables an attacker to specify a path used in an operation on a file system, overwrite the specified file, or run the application with a configuration controlled by the attacker.

payload: A discrete software unit deployed over a network.
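The LDAP injection, log forging and path manipulation entries above each describe user input reaching a sink without validation. The following Python is an added example, not code from the HP Fortify documentation or products: for each of the three it shows the unsafe construction beside the check a practitioner would put at the sink. The function names, the base directory and the sample inputs are constructed for illustration.

```python
import os
import re

# Escapes for LDAP search-filter metacharacters (RFC 4515 section 3).
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_vulnerable(username):
    # LDAP injection: the filter is built by concatenation, so a username such
    # as "*)(uid=*" changes the filter's meaning instead of being matched literally.
    return f"(&(uid={username})(objectClass=person))"


def ldap_escape(value):
    # Encode each filter metacharacter as a backslash-hex escape so the value
    # can only ever be read as an assertion value, never as filter syntax.
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_safe(username):
    return f"(&(uid={ldap_escape(username)})(objectClass=person))"


def log_line_vulnerable(user):
    # Log forging: a CR or LF inside `user` ends this record and starts a fake one.
    return f"login failed for user={user}"


def log_line_safe(user):
    # Replace CR, LF and other control characters with a visible \xNN escape so
    # that one call always produces exactly one log record.
    cleaned = re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), user)
    return f"login failed for user={cleaned}"


def file_path_vulnerable(base_dir, name):
    # Path manipulation: "../" segments (or an absolute path) in `name` escape base_dir.
    return os.path.join(base_dir, name)


def file_path_safe(base_dir, name):
    # Canonicalize both paths (resolving ".." and symlinks), then require the
    # target to remain inside base_dir; reject everything else.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes {base_dir}: {name!r}")
    return target


if __name__ == "__main__":
    print(ldap_filter_vulnerable("*)(uid=*"))
    print(ldap_filter_safe("*)(uid=*"))
    print(repr(log_line_safe("bob\nlogin succeeded for user=admin")))
    print(file_path_safe("/srv/app/uploads", "report.pdf"))
```

The LDAP and log cases are fixed by encoding at the sink; the path case cannot be fixed by encoding, because "../" is legitimate path syntax, so the check canonicalizes first and then tests containment against the canonical base directory.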

PCI Compliance: Application Security Report: A Security Center (SSC) Issue Report that provides detailed information on the completion status of the security requirements issues for a single SSC project version. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

penetration test: A method of evaluating the security of a computer system or network by simulating an attack from a malicious source, such as a black hat hacker. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known or unknown flaws in hardware and software, and operational weaknesses in process or technical countermeasures. Note that penetration tests can be inefficient because testing cannot be done until software is complete, and there is often a very narrow window for testing before software goes live.

Penetration Testing Correlation Report: A Security Center (SSC) Issue Report that correlates results from third-party penetration testing tools with issues detected by HP Fortify Runtime Application Protection and HP Fortify Static Code Analyzer (SCA) for a single SSC project version.

performance indicators: Customized metrics that are normalized across project version boundaries and that can represent complex higher-level abstractions such as monetary costs.

personas: A functional organization or job title that has responsibility for one or more portions of a Security Center SSA project version. A persona has sign-off responsibility for requirements and activities defined in an SSA project version's process template.

pod: A window or unit of information presented to the customer via the Security Center (SSC) dashboard.

Process Designer: A tool used to edit Security Center (SSC) process templates.

process templates: Hierarchical constructions of requirements and activities. When you create a new SSA project version, Security Center (SSC) suggests a process template.

program point: A location within a target program specified by a rule.

project: A customer code base that is evaluated by HP Fortify security software. The top-level container for one or more project versions. When you work with a new code base, the project and first project version are automatically created. A project includes one or more project versions that users create and specify as desired. A project is specified on the following interface panels within Security Center: Project Version; Dependencies; Business Attributes; Technical Attributes; Project Template or process template, depending on the type of project version (basic remediation or SSA). See also project version.

project dependencies: Optional project attributes that enable you to identify other project versions that affect the completion or status of the current project. An optional field for documenting dependencies among project versions.

Project Onboarding: The activities associated with beginning to use HP Fortify security solutions. These activities include installing software, creating projects and project versions, defining user access, and producing analysis results. (Sometimes called Instant-On Assessment.)

project state: The state of completion of a project, as reported by Security Center (SSC). A project state can be not started, in progress, requires attention, awaiting sign-off, signed off with exemption, or signed off.

project state activity: An activity that ensures that a project conforms to certain thresholds. If a threshold is exceeded, that may indicate that there are critical issues that must be audited.

project template: A formula, or template, that determines how HP Fortify products prioritize issues. Prioritizing issues of a particular category or type helps guide the security team's auditing and remediation activities. Security Center (SSC) provides some standard templates. Users may employ those as is, modify them, and/or create additional templates.

project version: A particular iteration of the analysis of a code base as it applies to Security Center (SSC). A project always begins with a first version, and the administrator then controls when new versions of a project are created and what they are named. Security Center (SSC) supports two types of project versions: basic remediation and SSA.

project version attributes: Metadata that Security Center uses to perform cross-project comparisons and reporting functions, and also to assign process templates to SSA (Software Security Assurance) projects.

project version type: One of two categories of project version: either basic remediation or Software Security Assurance (SSA).

proxy server: A computer that serves as an intermediary between a workstation user and the internet. Requests for internet services made by the client (the workstation) pass through the proxy server, as do the web server responses. A proxy server can be used to increase network security, provide caching, and regulate administrative control.

RAST: Runtime application security testing; vulnerability tests conducted on an application at runtime. See HP Fortify SecurityScope.

report: A document generated by Security Center (SSC), Audit Workbench (AWB), or ReportGenerator, containing information on one or more FPRs. See also: OWASP Reports; PCI Compliance: Application Security Report; Penetration Testing Correlation Report; Seven Pernicious Kingdoms Report.

ReportGenerator: A command-line utility for generating PDF, RTF, or XML reports from FPRs.

requirement: Along with activities, one of a series of primary and constituent tasks that must be signed off to complete the secure development of a particular project version.

results certification: A verification that the analysis results have not been altered since they were produced by HP Fortify Static Code Analyzer (SCA), HP Fortify SecurityScope, or HP Fortify Runtime Application Protection. Results certification shows specific information about the scanned code.

Runtime Application Protection: See HP Fortify Runtime Application Protection.

rule: A rule specifies a set of program points and names a set of monitors. HP Fortify Runtime Application Protection applies a rule by attaching the named monitors to the specified program points. A rule may include a configuration for each named monitor, including information such as the attributes that the monitor should set when it creates an event, or other settings that determine the behavior of the monitor.

RuleID: A unique identifier for the rule that generated a particular event. (The value is hardcoded in the rule.)

Rulepack: A collection of rules used to model important attributes of the program under analysis. These rules give meaning to relevant data values and enforce secure coding standards applicable to the code base.

runtime application security testing: See RAST.

SaaS: See Software as a Service.

SAST: Static application security testing; vulnerability tests conducted on an application's code without executing it.

SCA: See HP Fortify Static Code Analyzer.

SCA Tools: A collection of tools that extend the reach of SCA by providing a connection to SCA via graphical desktop clients, IDE plugins, and command-line tools that allow you to view, search on, audit, and generate reports on security vulnerabilities.

SDK: Software Development Kit.

SDL: See Security Development Lifecycle.

SDLC: See Secure Development Life Cycle. Note that SDLC can also stand for Software Development Life Cycle.

security content: Security content consists of Secure Coding Rulepacks and external metadata. The external metadata include mappings from the HP Fortify categories to alternative categories (such as OWASP 20xx, PCI 1.2, and CWE). You can modify the existing mapping in the external metadata document (externalmetadata.xml) or create your own files (recommended) to map HP Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations.

Security at a Glance Report: A Security Center Portfolio Report that provides a high-level overview of the potential security risk and current security findings across the five highest-risk project versions.

security coverage: Security coverage = [(exercised APIs) / (total APIs)] * 100. Fortify 360 Program Trace Analyzer (PTA) calculated a security coverage value based upon how many of the security-sensitive APIs within the code were exercised during testing versus the total number of security-sensitive APIs within the code.

Secure Development Life Cycle (SDLC): A plan designed to ensure that security is inherent in enterprise software design and development, rather than an afterthought addressed late in the development phase.

Security Development Lifecycle (SDL): An established approach to producing secure code, as defined by Microsoft.

Security Research Group (SRG): See Software Security Research.

Semantic Analyzer: A component of HP Fortify Static Code Analyzer (SCA) that detects potentially dangerous uses of functions and APIs at the intra-procedural level.

session ID: A token issued after authentication and presented on subsequent requests so the user does not have to enter credentials repeatedly. Since the session ID can be used in place of a user name and password combination, an attacker who discovers a valid session ID and supplies it in a request can perform session hijacking or replay attacks.

Seven Pernicious Kingdoms Report: A Security Center Issue Report, based on the taxonomy of the same name, that summarizes the presence of several HP Fortify-defined issues for a single HP Fortify Software Security Center project version. The Seven* Pernicious Kingdoms are: Input validation and representation; API abuse; Security features; Time and state; Error handling; Code quality; Encapsulation. *A possible eighth: Environment. For more information, see

signing-off activities: As secure development proceeds, the Security Center persona or personas must sign off on assigned activities.

sign-off state: The state of an activity, requirement, or process template. Valid states: Awaiting sign-off; Signed off with exemption; Signed off; Document rejected.

Sink: A place in the code where a potentially harmful function call or operation can take place.

Smart Scan: An intelligent feature that discovers the type of server hosting a web site and checks for known vulnerabilities against that specific server type. For example, if you are scanning a site hosted on an IIS server, HP WebInspect will probe only for those vulnerabilities to which IIS is susceptible. It will not check for vulnerabilities that affect other servers, such as Apache or iPlanet.

Smart Update: An HP WebInspect feature that contacts the Hewlett Packard data center via the Internet to check for new or updated adaptive agents, vulnerability checks, and policy information. Smart Update also ensures that you are using the latest version of HP WebInspect, and prompts you if a newer version of the product is available for download.

Software as a Service (SaaS): Also referred to as on-demand software, SaaS is a software delivery model in which software and its associated data are hosted centrally (typically in the "cloud"). The software and data are usually accessed over the Internet using a web browser.

Software Security Assurance (SSA): A holistic approach to software development and procurement aimed at making critical business software more secure and resistant to attack by addressing security risks at the application code level.

Software Security Research (SSR): A team of security experts dedicated to conducting research and providing customers with knowledge and services relevant to a broad range of security topics. The security knowledge and services are delivered in many forms, including HP Fortify Secure Coding Rulepacks, HP Fortify Runtime Rulepack Kits, HP WebInspect SecureBase, premium content, and advanced services and training. Note: Software Security Research (SSR) comprises the former HP Fortify Security Research Group (SRG) and WebInspect Software Research Group (WSRG).

Source: A place in the code where malicious data can enter.

SQL injection: An attack in which attacker-controlled input becomes part of a SQL statement and changes its meaning, exploiting a security vulnerability in the database layer of an application.

SRG: Security Research Group. See Software Security Research (SSR).

SSA: See Software Security Assurance.

SSA Progress Report: A Security Center SSA Project Report that summarizes the completion of Secure Software Assurance requirements and activities across one or more Security Center project versions.

SSA project version: A type of project version that manages ongoing code development through activities listed in a process template.

SSA project version process template: A hierarchical arrangement of requirements and activities that must be signed off to complete the secure development of a particular project version.

SSR: See Software Security Research.

stack trace: A report of the active stack frames at a given point during the execution of a program. It is commonly used during interactive and post-mortem debugging and can be displayed to the user of a program as part of an error message that the user can report to the programmer. When a function produces an error while it is being called from other functions, the chain of those calls is the stack trace.

Standalone Mode: The self-sufficient operating mode for HP Fortify Runtime Application Protection. The Runtime depends only on locally available resources (rules, configuration, and monitors). It does not coordinate its activities with other instances of the Runtime or with a Federation Controller. A contrasting alternative to Federated Mode.

static application security testing: See SAST.

static source code analysis (a.k.a. static analysis): Any analysis of computer software that is performed without actually executing the programs under consideration. (Analysis performed on executing programs is known as dynamic analysis.) Static analysis is powerful because it allows for the quick consideration of many possibilities. The tool can explore many "what if" scenarios without performing the computations necessary to execute the code for all scenarios.

STIG: Security Technical Implementation Guides. The official security configuration guidance and policies used by the United States Department of Defense. As of June 2012, STIG v3.0 is the current document. For more information, see

Structural Analyzer: A component of HP Fortify Static Code Analyzer (SCA) that identifies potentially dangerous flaws in the structure or definition of a program. It identifies violations of secure programming practices and techniques that are often difficult to detect.

structural rule: A rule that identifies a problematic code pattern. Examples of such a code pattern include a source code comment, a bad method call, or a dangerous setting for a field in a class. For more information, refer to the HP Fortify Static Code Analyzer (SCA) Custom Rules Guide.
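The Source, Sink and static source code analysis entries on this page, together with partial cleanse, rule and program point on the earlier pages, describe the taint-propagation model behind dataflow analysis of the kind HP Fortify SCA performs. The following Python is an added example, not Fortify code and not Rulepack syntax: a toy analyzer over a straight-line program in which source rules attach taint flags to a value, cleanse rules remove some (partial cleanse) or all of them, and sink rules report a finding whenever a required flag is still attached at the program point. The rule tables, the callee names and the sample program are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed rule tables (assumption: a simplified stand-in for source,
# cleanse and sink rules; flag names are illustrative, not Fortify's).
SOURCE_RULES = {"request.param": {"WEB", "XSS", "SQLI", "PATH"}}
CLEANSE_RULES = {
    "html.escape": {"XSS"},                  # partial cleanse: only XSS removed
    "int": {"WEB", "XSS", "SQLI", "PATH"},   # full cleanse: integer conversion
    "os.path.basename": {"PATH"},            # partial cleanse: traversal removed
}
SINK_RULES = {
    "response.write": "XSS",   # finding if the XSS flag reaches this sink
    "db.execute": "SQLI",
    "open": "PATH",
}


@dataclass
class Finding:
    line: int        # program point (1-based statement index)
    sink: str
    variable: str
    flags: frozenset  # taint flags still attached when the sink was reached


def analyze(program):
    """program: list of (lhs, callee, args) tuples, one per program point.
    lhs is None when the call's result is discarded (typical for sinks).
    Returns the findings in program order."""
    taint = {}        # variable name -> set of taint flags currently attached
    findings = []
    for line, (lhs, callee, args) in enumerate(program, start=1):
        # Taint flowing into this call: the union over its variable arguments
        # (string literals are not variables and carry no taint).
        incoming = set()
        for arg in args:
            incoming |= taint.get(arg, set())

        if callee in SOURCE_RULES:
            outgoing = set(SOURCE_RULES[callee])          # source: attach flags
        elif callee in CLEANSE_RULES:
            outgoing = incoming - CLEANSE_RULES[callee]   # cleanse: drop flags
        else:
            outgoing = set(incoming)                      # passthrough: taint survives

        if callee in SINK_RULES:
            needed = SINK_RULES[callee]
            for arg in args:
                if needed in taint.get(arg, set()):
                    findings.append(Finding(line, callee, arg, frozenset(taint[arg])))

        if lhs is not None:
            taint[lhs] = outgoing
    return findings


# Constructed sample program: each tuple is one program point.
SAMPLE_PROGRAM = [
    ("name", "request.param", ["'name'"]),     # source
    ("safe_name", "html.escape", ["name"]),    # partial cleanse: XSS gone, SQLI/PATH remain
    (None, "response.write", ["safe_name"]),   # no finding: XSS was cleansed
    (None, "db.execute", ["safe_name"]),       # finding: SQLI still attached
    ("page", "request.param", ["'page'"]),
    ("count", "int", ["page"]),                # full cleanse
    (None, "db.execute", ["count"]),           # no finding
    ("fname", "request.param", ["'f'"]),
    (None, "open", ["fname"]),                 # finding: PATH attached
    ("base", "os.path.basename", ["fname"]),   # partial cleanse for the path sink
    (None, "open", ["base"]),                  # no finding
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROGRAM):
        print(f"line {f.line}: {f.variable} reaches {f.sink} with {sorted(f.flags)}")
```

The point the sample program makes is the one behind the partial cleanse entry: html.escape is a cleanse only for the XSS flag, so the same value that is safe to write into a response is still reported when it reaches db.execute, and a cleanse that removes every flag (the int conversion) silences all sinks.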


More information

HPE Security Fortify WebInspect Software Version: Windows operating systems. Installation Guide

HPE Security Fortify WebInspect Software Version: Windows operating systems. Installation Guide HPE Security Fortify WebInspect Software Version: 17.10 Windows operating systems Installation Guide Document Release Date: April 2017 Software Release Date: April 2017 Legal Notices Warranty The only

More information

OMi Management Pack for Microsoft SQL Server. Software Version: For the Operations Manager i for Linux and Windows operating systems.

OMi Management Pack for Microsoft SQL Server. Software Version: For the Operations Manager i for Linux and Windows operating systems. OMi Management Pack for Microsoft Software Version: 1.01 For the Operations Manager i for Linux and Windows operating systems User Guide Document Release Date: April 2017 Software Release Date: December

More information

Chapter 5: Vulnerability Analysis

Chapter 5: Vulnerability Analysis Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we

More information

With Aruba Central, you get anywhere-anytime access to ensure that your network is up and performing efficiently.

With Aruba Central, you get anywhere-anytime access to ensure that your network is up and performing efficiently. Product overview Aruba Central, a cloud platform for managing Aruba Instant wireless LANs and Aruba Mobility Access Switches, offers IT organizations a simple and effective way to manage and monitor their

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

HP ALM Performance Center

HP ALM Performance Center HP ALM Performance Center Software Version: 12.53 Quick Start Document Release Date: May 2016 Software Release Date: May 2016 Legal Notices Warranty The only warranties for Hewlett Packard Enterprise Development

More information

HPE Security Fortify Runtime

HPE Security Fortify Runtime HPE Security Fortify Runtime Software Version: 17.12 Performance Tuning Guide Document Release Date: November 2017 Software Release Date: November 2017 Legal Notices Warranty The only warranties for Seattle

More information

HP Operations Orchestration

HP Operations Orchestration HP Operations Orchestration Software Version: 7.20 HP Business Availability Center Integration Document Release Date: July 2008 Software Release Date: July 2008 Legal Notices Warranty The only warranties

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions Frequently Asked Questions Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions April 2005 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS)

More information

HP Records Manager. Kofax Capture Template. Software Version: 8.1. Document Release Date: August 2014

HP Records Manager. Kofax Capture Template. Software Version: 8.1. Document Release Date: August 2014 HP Records Manager Software Version: 8.1 Kofax Capture Template Document Release Date: August 2014 Software Release Date: August 2014 Legal Notices Warranty The only warranties for HP products and services

More information

Project and Portfolio Management Center

Project and Portfolio Management Center Project and Portfolio Management Center Software Version: 9.42 Program Management Configuration Guide Go to HELP CENTER ONLINE http://admhelp.microfocus.com/ppm/ Document Release Date: September 2017 Software

More information

The requirements were developed with the following objectives in mind:

The requirements were developed with the following objectives in mind: FOREWORD This document defines four levels of application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that protect web applications

More information

Netwrix Auditor. Visibility platform for user behavior analysis and risk mitigation. Mason Takacs Systems Engineer

Netwrix Auditor. Visibility platform for user behavior analysis and risk mitigation. Mason Takacs Systems Engineer Netwrix Auditor Visibility platform for user behavior analysis and risk mitigation Mason Takacs Systems Engineer Agenda Product Overview Product Demonstration Q&A About Netwrix Auditor Netwrix Auditor

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

Business Process Testing

Business Process Testing Business Process Testing Software Version: 12.55 User Guide Go to HELP CENTER ONLINE http://admhelp.microfocus.com/alm/ Document Release Date: August 2017 Software Release Date: August 2017 Legal Notices

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

IBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners

IBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners IBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners Anton Barua antonba@ca.ibm.com October 14, 2014 Abstract: To manage the challenge of addressing application security at

More information

Certification Report

Certification Report Certification Report Standard Edition v2.8.2 RELEASE Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

Legal Notices. The information contained herein is subject to change without notice.

Legal Notices. The information contained herein is subject to change without notice. Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting

More information

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should

More information

HP Application Lifecycle Management. Upgrade Best Practices

HP Application Lifecycle Management. Upgrade Best Practices HP Application Lifecycle Management Upgrade Best Practices Document Release Date: October 2010 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty

More information

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results. REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Service Definition Table of Contents 1 INTRODUCTION... 2 2 SERVICE OFFERINGS VULNERABILITY MANAGEMENT... 2 3 SOLUTION PURPOSE... 3 4 HOW IT WORKS... 3 5 WHAT S INCLUDED... 4 6

More information

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational

More information

Tenable.io User Guide. Last Revised: November 03, 2017

Tenable.io User Guide. Last Revised: November 03, 2017 Tenable.io User Guide Last Revised: November 03, 2017 Table of Contents Tenable.io User Guide 1 Getting Started with Tenable.io 10 Tenable.io Workflow 12 System Requirements 15 Scanners and Agents 16 Link

More information

HP Service Manager. Software Version: 9.41 For the supported Windows and UNIX operating systems. Collaboration Guide

HP Service Manager. Software Version: 9.41 For the supported Windows and UNIX operating systems. Collaboration Guide HP Service Manager Software Version: 9.41 For the supported Windows and UNIX operating systems Collaboration Guide Document Release Date: September 2015 Software Release Date: September 2015 Legal Notices

More information

Project and Portfolio Management Center

Project and Portfolio Management Center Project and Portfolio Management Center Software Version: 9.42 Application Portfolio Management Administrator Guide Go to HELP CENTER ONLINE http://admhelp.microfocus.com/ppm/ Document Release Date: July

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

HP ALM Synchronizer for Agile Manager

HP ALM Synchronizer for Agile Manager HP ALM Synchronizer for Agile Manager Software Version: 2.10 User Guide Document Release Date: August 2014 Software Release Date: August 2014 Legal Notices Warranty The only warranties for HP products

More information

HP Project and Portfolio Management Center

HP Project and Portfolio Management Center HP Project and Portfolio Management Center Software Version: 9.30 HP Demand Management User s Guide Document Release Date: September 2014 Software Release Date: September 2014 Legal Notices Warranty The

More information

ALM. What's New. Software Version: Go to HELP CENTER ONLINE

ALM. What's New. Software Version: Go to HELP CENTER ONLINE ALM Software Version: 12.55 What's New Go to HELP CENTER ONLINE http://admhelp.microfocus.com// Document Release Date: August 2017 Software Release Date: August 2017 ALM ALM (12.55) Page 2 of

More information

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable

More information

Project and Portfolio Management Center

Project and Portfolio Management Center Project and Portfolio Management Center Software Version: 9.42 Project Management User Guide Go to HELP CENTER ONLINE http://admhelp.microfocus.com/ppm/ Document Release Date: September 2017 Software Release

More information

Vulnerability Assessment with Application Security

Vulnerability Assessment with Application Security Vulnerability Assessment with Application Security Targeted attacks are growing and companies are scrambling to protect critical web applications. Both a vulnerability scanner and a web application firewall

More information

Integrate Saint Security Suite. EventTracker v8.x and above

Integrate Saint Security Suite. EventTracker v8.x and above EventTracker v8.x and above Publication Date: June 6, 2018 Abstract This guide provides instructions to configure Saint Security Suite to send crucial events to EventTracker Enterprise by means of syslog.

More information

HP Automation Insight

HP Automation Insight HP Automation Insight For the Red Hat Enterprise Linux and SUSE Enterprise Linux operating systems AI SA Compliance User Guide Document Release Date: July 2014 Software Release Date: July 2014 Legal Notices

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Primavera Portfolio Management 9.0 What s New Copyright 1999-2011, Oracle and/or its affiliates. The Programs (which include both the software and documentation) contain proprietary information; they are

More information

HP Exstream Training Catalog. HP Exstream Design & Production 9.0

HP Exstream Training Catalog. HP Exstream Design & Production 9.0 HP Exstream Training Catalog HP Exstream Design & Production 9.0 HP Exstream Training We offer the most robust, hands-on educational experience available, equipping users to fully exploit the rich features

More information

Introduction to AWS GoldBase

Introduction to AWS GoldBase Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document

More information

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric

More information

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016 Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E69079-01 June 2016 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided

More information