
Mastering SCA Audit Workbench Edition for Secure Software Development

Learn to install, configure, scan projects, filter issues, handle FPRs, and generate reports using SCA. Installation, configuration, scanning, filtering, FPRs handling, supported platforms, requirements, and more covered in this course.

billyf




Presentation Transcript


  1. Using SCA (Audit Workbench Edition)

  2. Using SCA • In this course, you will learn: • How to install and configure SCA • How to scan a project and triage the results • How to filter the issues • How to handle the FPRs • How to generate reports

  3. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  4. System Requirements
  • Supported platforms: HP-UX 11v1; AIX 5.2; Linux Fedora 7, ES 4/5, SUSE 10; Mac OS X 10.4, 10.5; Solaris 8, 9 (SPARC only), 10 (SPARC and Intel x86); Windows 2003/XP (x86 and x64), 2000/Vista (x86 only)
  • Supported IDEs: Visual Studio 2003/5/8; Eclipse 3.x-based IDEs; IBM WSAD (Eclipse 2.0-based)
  • Hardware: high-end processor; at least 1 GB of RAM (2 GB recommended); 2 GB of hard disk

  5. Installation (Windows only)

  6. Installation Accept the license agreement to continue

  7. Installation Choose the folder that contains the license file. Get the license file from your Fortify Champion; it is always named fortify.license.

  8. Installation You can install Eclipse after you have installed SCA, but you must have VS 2003/5/8 installed before you can install the VS plug-in. Known issue: a command-line add-in does not load when you start the Visual Studio 2005 SP1 IDE (SP1 only); see KB934517, http://support.microsoft.com/kb/934517

  9. Installation If you have a previous version of SCA, the installer can migrate the old settings to the new version.

  10. Installation You can change the server settings after installation, either through the GUI or through scapostinstall.

  11. Installation You can download rulepacks later, but until at least one rulepack is installed a scan will not find any vulnerabilities: the rulepacks are what define the issues SCA looks for.

  12. Installation

  13. <Install_dir>/bin/scapostinstall • Setting Fortify Manager or Fortify 360 Server URL (requires server login name and password) • Rulepack update location • Change your language • Etc…

  14. Configuration Options Note: you must have an FPR open to reach the "Options" menu, so first open <install_path>\Samples\basic\sampleOutput\Webgoat.fpr

  15. Server Configuration Shows the SCA version, where to DOWNLOAD rulepacks from, and where to UPLOAD scan results to.

  16. Server Configuration You need an account on the F360 server to complete the setup. By default, rulepacks are updated every 15 days. If you have an F360 server, download rulepacks from it rather than from the Internet, and type the F360 server URL in this box.

  17. Typical Configuration (Download rulepack) Diagram: the F360 server on the corporate network downloads rulepacks from Fortify.com over the Internet; each desktop then downloads rulepacks from the F360 server.

  18. Typical Configuration (Upload FPR) Diagram: each desktop on the corporate network uploads its scan result (FPR file) to the F360 server.

  19. Command Line Alternative • You can change the rulepack download URL and Fortify Manager URL from scapostinstall as well

  20. Rulepack Management Shows the existing rulepack version; click to manually download a new rulepack.

  21. Other Alternatives for Downloading Rulepacks • You can run <install_path>\bin\rulepackupdate.bat as well (for example as a scheduled job) • You can also log in to the Customer Portal at http://customerportal.fortify.com, click "download rulepack", and unzip all the files into <install_path>\Core\Config\rules

  22. Max memory you can set
  • Because of 32-bit OS limitations, the maximum heap you can give a Java application is roughly: Linux 2.4: 1800 MB; Linux 2.6: 2650 MB; Windows 2000: 1500 MB; Windows 2003: 1500 MB; Windows XP: 1250 MB; Mac OS X: 1800 MB; AIX 5.2: no limit; Solaris 8: 1800 MB
  • Your physical memory should be at least 200 MB larger than the SCA memory setting you enter here
  • SCA supports 64-bit OSes as well (the limits above apply to 32-bit JVMs)

  23. Max Memory • For the Eclipse plug-in, you may also need to set Eclipse's own memory • Open eclipse.ini (inside your Eclipse directory) and change the "-Xmx" value directly, e.g. "-Xmx1250m" • You can also set the max memory via environment variables • SCA_VM_OPTS=-Xmx1250m (command-line scanner) • AWB_VM_OPTS=-Xmx1250m (Audit Workbench)
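As an added example (not code from the course or from Fortify), the following POSIX shell script turns the two rules on slides 22 and 23 into one heap choice and applies it to eclipse.ini and to the SCA_VM_OPTS/AWB_VM_OPTS variables. The platform keys (linux2.6, winxp, ...) are this script's own labels for the table on slide 22, and the amount of physical RAM is passed in rather than detected, so the same script can be checked on any machine.

```shell
#!/bin/sh
# Added example: choose a -Xmx that a 32-bit JVM will accept and apply it to
# SCA, Audit Workbench and the Eclipse plug-in. Not part of the SCA course.

# Per-platform ceilings from slide 22, in MB. "none" means no 32-bit limit.
# The keys are this script's own labels, not anything SCA understands.
heap_ceiling_mb() {
    case "$1" in
        linux2.4)        echo 1800 ;;
        linux2.6)        echo 2650 ;;
        win2000|win2003) echo 1500 ;;
        winxp)           echo 1250 ;;
        macosx)          echo 1800 ;;
        solaris8)        echo 1800 ;;
        aix5.2)          echo none ;;
        *) echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# Largest -Xmx (in MB) that satisfies both rules on slide 22:
#   - never above the 32-bit ceiling for the platform
#   - physical RAM must be at least 200 MB larger than the setting
# $1 = platform key, $2 = physical RAM in MB
choose_xmx_mb() {
    ceiling=$(heap_ceiling_mb "$1") || return 1
    by_ram=$(( $2 - 200 ))
    if [ "$ceiling" = none ] || [ "$by_ram" -lt "$ceiling" ]; then
        echo "$by_ram"
    else
        echo "$ceiling"
    fi
}

# Rewrite the -Xmx line in an eclipse.ini, or append one if it is missing.
# Eclipse only honours JVM flags placed after -vmargs, so appending keeps it
# at the end of the file. $1 = path to eclipse.ini, $2 = size in MB
set_eclipse_xmx() {
    if grep -q '^-Xmx' "$1"; then
        tmp="$1.tmp"
        sed "s/^-Xmx.*/-Xmx$2m/" "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s\n' "-Xmx$2m" >> "$1"
    fi
}

# Give the command-line scanner and Audit Workbench the same heap (slide 23).
export_sca_heap() {
    SCA_VM_OPTS="-Xmx$1m"
    AWB_VM_OPTS="-Xmx$1m"
    export SCA_VM_OPTS AWB_VM_OPTS
}

# usage: . ./heap.sh; mb=$(choose_xmx_mb winxp 2048)
#        set_eclipse_xmx /opt/eclipse/eclipse.ini "$mb"; export_sca_heap "$mb"
```

Source the file rather than executing it so that export_sca_heap changes the environment of the shell that will later launch sourceanalyzer or auditworkbench.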

  24. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  25. Your First Scan <install_path>\Samples\basic\eightball Note: before you scan, make sure all libraries are included and the source code compiles; anything SCA cannot resolve is missing from the data flow model and shows up as a build warning, not as a finding.

  26. Your First Scan The main window has five areas: Source Code, API List, Analysis Results, Analysis Trace, and Summary and details.

  27. Analysis Results Panel Default 4+1 folders: Critical, High, Medium, Low, and ALL; customizable through Project Configuration. Issues are grouped by Category by default; you can also group by file name, package name, etc., and create new groupings and sub-groupings. A count such as 0/43 means there are 43 SQL Injection issues in total and you have reviewed 0 (zero) of them.

  28. Risk Level • risk = impact · likelihood • impact is a constant defined per rule • likelihood = accuracy · confidence · probability

  29. Examples

  30. The issue title is the last node in the analysis trace (sink function)

  31. Sub-group title is the first line of the analysis trace (source function) Two issues have the same sink function

  32. SCA considers this as two issues (two different sources reach the same sink):
  File1.java:123 -> File1.java:222 -> File1.java:333 -> sink.java:10
  File2.java:456 -> File2.java:567 -> File2.java:789 -> sink.java:10

  33. SCA considers this as ONE issue (one source reaches the same sink by two different paths):
  File1.java:123 -> File1.java:222 -> File1.java:333 -> sink.java:10
  File1.java:123 -> File2.java:567 -> File2.java:789 -> sink.java:10

  34. Counted as ONE issue

  35. Summary Panel Short description of the vulnerability; detailed description of the vulnerability; how to fix this vulnerability; set the analysis value; type your comment here; submit to the bug tracking system; suppress this issue.

  36. History Panel Comments are threaded. When you change the analysis value, suppress an issue, or type in a comment, the activity is logged here.

  37. Diagram Panel: Standard UML call graph

  38. Reviewed Issues When you set the analysis value, the icon will be changed, different value will be mapped to different icon Total 2 issues, 1 reviewed

  39. Project Summary

  40. Project Summary The FPR carries a result certification. If someone edits the file directly instead of through the tool, the result certification becomes invalid, so an invalid certification is a sign that the results may have been tampered with.

  41. Project Summary Logical LOC: SCA does not count blank lines, comments, etc. Total LOC: SCA does not count HTML, XML, or properties files. The list of all scanned files is the same as the output of: sourceanalyzer -b build_id -show-files

  42. Project Summary Build warnings come from the translate phase only: missing jars/libraries, invalid files, etc. Review them before trusting the results; they are the same as the output of: sourceanalyzer -b build_id -show-build-warnings
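As an added example (not from the course), this POSIX shell script wires the two sourceanalyzer commands from slides 41 and 42 into a command-line scan that refuses to run while build warnings exist, which is the check slide 25 asks for before a scan. It assumes sourceanalyzer is on PATH (set SOURCEANALYZER to another command or a stub function to exercise it without SCA installed), that -show-build-warnings prints nothing when the translation is clean, and it uses the -b, -clean, -cp, -scan and -f options of the SCA command line; the Java source glob, classpath and output file name are placeholders.

```shell
#!/bin/sh
# Added example: translate, gate on build warnings, then scan. Not part of
# the SCA course. Override SOURCEANALYZER to point at a different binary or
# at a shell function standing in for it.
SOURCEANALYZER="${SOURCEANALYZER:-sourceanalyzer}"

# Heap for the scanner; the same variable slide 23 describes.
: "${SCA_VM_OPTS:=-Xmx1250m}"
export SCA_VM_OPTS

# Translate a Java tree into the build model for build_id.
# $1 = build id, $2 = classpath (jars the code compiles against), $3 = source root
sca_translate() {
    build_id=$1; classpath=$2; src_root=$3
    "$SOURCEANALYZER" -b "$build_id" -clean || return 1
    # SCA expands the quoted ** pattern itself; do not let the shell do it.
    "$SOURCEANALYZER" -b "$build_id" -cp "$classpath" "$src_root/**/*.java"
}

# Count translated files, which catches a glob or classpath that matched nothing.
sca_file_count() {
    "$SOURCEANALYZER" -b "$1" -show-files | wc -l | tr -d ' '
}

# Fail if the translate phase left any build warning. Missing jars and
# unparseable files appear here, and each one is a hole in the data flow
# model that the scan will silently work around (assumption: a clean
# translation prints nothing).
sca_check_build() {
    warnings=$("$SOURCEANALYZER" -b "$1" -show-build-warnings) || return 1
    if [ -n "$warnings" ]; then
        printf 'Build warnings for %s:\n%s\n' "$1" "$warnings" >&2
        return 1
    fi
    return 0
}

# Run the analysis and write the FPR that Audit Workbench opens.
sca_scan() {
    "$SOURCEANALYZER" -b "$1" -scan -f "$2"
}

# $1 = build id, $2 = classpath, $3 = source root, $4 = output FPR
sca_pipeline() {
    sca_translate "$1" "$2" "$3" || { echo "translation failed" >&2; return 1; }
    echo "translated $(sca_file_count "$1") files" >&2
    sca_check_build "$1" || { echo "fix the build before scanning" >&2; return 1; }
    sca_scan "$1" "$4"
}

# usage: sh scan.sh <build_id> <classpath> <src_root> <out.fpr>
#   e.g. sh scan.sh eightball "lib/*.jar" src eightball.fpr
if [ $# -eq 4 ]; then
    sca_pipeline "$@"
fi
```

The gate on build warnings is the part worth keeping even if the rest is replaced by a build-system integration: a scan that ran with missing libraries produces an FPR that looks complete but has no data flow through the code it could not resolve.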

  43. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  44. Issue Filtering • Suppression • Filter Set and Visibility Filter • Audit Guide • Use Filter text file • Custom Rule

  45. Suppression Suppress a single instance (right-click on the instance) or every instance in a group (right-click on the group).

  46. Suppression Suppress all instances whose trace passes through the "clean()" function; search with: tracenode matches "clean". Before suppressing on a function name, confirm that the function actually neutralizes the sink category in question; if it is a real sanitizer, a custom rule (slide 44) records that fact for future scans, whereas a suppression only hides the current results.

  47. View suppressed issues (either of two ways)

  48. Unsuppress issue If you enable "Show Suppressed Issues", the total suppressed issue count is shown in the title as well. Hot (117) does not include the Suppressed (1) issues. A distinct icon marks a suppressed issue; right-click it to unsuppress.

  49. Issue Filtering • Suppression • Filter Set and Visibility Filter • Audit Guide • Use Filter text file • Custom Rule

  50. Filter Set • By default there are 4 different filter sets • E.g. changing the Filter Set to "Developer View" hides some low-impact issues • You can also create a custom Filter Set
