Document Release Date: November 2012
Software Release Date: November 2012
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
Copyright 2012 Hewlett-Packard Development Company, L.P.
Documentation Updates
The title page of this document contains the following identifying information:
- Software version number
- Document release date, which changes each time the document is updated
- Software release date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to: http://h20230.www2.hp.com/selfsolve/manuals
This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: http://h20229.www2.hp.com/passport-registration.html
You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.
Part Number: 1-1b3-2012-11-370-01
Contents
Preface
Contacting HP Fortify
Technical Support
Corporate Headquarters
Website
About the Software Security Center Documentation Set
Chapter 1: Introduction
About This Chapter
Starting Process Designer
Process Designer Account Permission Requirements
Permissions for Template Assignment Policies
Configuring the Connection to Software Security Center
Creating and Editing Software Security Center Process Templates
Downloading Software Security Center Process Templates from Software Security Center
Loading a Process Template from Disk
Committing and Saving Edited Process Templates
Committing a Process Template to Software Security Center
Saving Process Templates
Process Template Display Names
Changing the Display Name of a Process Template
Customizing the Process Designer View
Restoring the Default Process Designer View
Basic Software Security Center Process Designer Workflow
Summary of Requirements and Activities
Demonstration Work Flow
Chapter 3: Customizing Software Security Center Process Templates
About This Chapter
Overview of Customizing a New Process Template
Using Global Design Elements in New Requirements
Choosing a Baseline Process Template
Process Template Assessment Criteria
Selecting a Baseline Process Template
Global Design Elements
HP Fortify Software Security Center Process Designer User Guide iii
Managing Global Design Elements
Synchronizing Global Design Elements
Process Template Requirements
Defining New Requirements
Process Template Activities
Process Template Activity Types
Time Lapse Activities
Creating a Time Lapse Activity
Document Activities
Constructing Document Activities
Creating a Document Definition
Creating a Document Activity
Project State Activities
Overview of Constructing a Project State Activity
Software Security Center Equation Variables
Creating an Equation Variable
Creating Performance Indicators
Creating a Project State Activity
Adding an Activity to a Requirement
Creating and Managing Sign-Off Personas
Default Personas
Creating a Persona
Adding a Persona to a Requirement or Activity
Default Work Owners
Adding a Default Work Owner to a Requirement or Activity
Software Security Center Project Templates
Assigning a Project Template to a Process Template
Chapter 4: Working with Software Security Center Template Assignment Policies
About This Chapter
Overview of the Software Security Center Template Assignment Policy Operation
Getting Started with Software Security Center Template Assignment Policy Editor
Downloading Software Security Center Template Assignment Policies
Uploading Edited Template Assignment Policies
Saving Software Security Center Template Assignment Policies to Disk
Working With Template Assignment Policies
Overview of Template Assignment Rules
Overview of Assignment Rule Elements
Overview of Constructing Template Assignment Rules
An Example Software Security Center Template Assignment Policy Editing Session
Overview of Example Editing Session Tasks
Creating a New Template Assignment Policy
Specifying a Policy's Assignment Rules
Raising or Lowering the Runtime Order of a Policy
Removing a Software Security Center Template Assignment Policy
Preface
Contacting HP Fortify
If you have questions or comments about any part of this guide, contact one of the HP Fortify resources listed in this section.
Technical Support
650.735.2215
fortifytechsupport@hp.com
Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600
contact@fortify.com
Website
http://www.hpenterprisesecurity.com
Chapter 1: Introduction
This document contains information about how to use Process Designer to create and edit process templates for your HP Fortify Software Security Center projects.
Note: Process Designer is installed by default during HP Fortify Source Code Analyzer installation. To use it,
Convention: Description
In procedure steps, bold indicates items that appear in the user interface.
In command lines, italics indicate placeholders for information you supply. In documentation, italic letters indicate terms that the document uses in specific ways, usually the first time a term occurs in a topic. Italics also denote emphasis.
ReadOnly, FileName: In text and command lines, the use of bold and italic together indicates named arguments.
[ expressionlist ]: In command lines, square brackets contain optional choices.
braces { }, for example { While | Until }: In command lines, terms enclosed in braces and separated by a vertical bar indicate a choice between two or more items. You must choose one of the items unless all of the items are enclosed in square brackets.
In command lines, monospace font indicates code.
ellipses: In code examples, a column of three periods indicates that part of an example has been omitted intentionally.
backslash \: In code examples, the backslash character is used to continue command examples that are too long to fit on a single line. For example:
    dd if=/dev/rdsk/c0t1d0s6 \
       of=/dev/rst0 bs=10b count=10000
In Unix-like systems, you can type command lines that contain the line continuation character:
- As displayed (with a backslash)
- On a single line without a backslash
Software Security Center Account Type: Administrator, Security Lead, Manager, Developer
To upload assignment rules via TAP to Software Security Center you must have the following permissions:
Security Center, and information about any proxy server used to connect to that server instance.
To configure the connection between Process Designer and Software Security Center:
1. In Process Designer, select Options > Options. The Options dialog box opens.
2. In the Server URL box, type the network location for your Software Security Center instance.
3. In the Proxy Server and Port boxes, type any proxy information required to connect to your Software Security Center server.
4. Click OK.
Downloading Software Security Center Process Templates from Software Security Center
This section provides instructions on how to download a process template from Software Security Center.
Note: To download a working copy of a process template from Software Security Center, you must have a user account for the Software Security Center instance associated with Process Designer (see Configuring the Connection to Software Security Center on page 11).
Description
- Prescribes the minimal risk mitigation activities for an external component that your organization cannot directly control. Use only for projects that have limited exposure to external systems and not for projects that interact with sensitive data or high-risk applications.
- Prescribes the minimal risk mitigation activities for an application. Use only for projects that have limited exposure to external systems and not for projects that interact with sensitive data or high-risk applications.
- Prescribes the minimal risk mitigation activities for high-risk applications that your organization cannot directly control (for example, provider-supplied software, open source software, and so on). Use this template for an externally-developed application that is to be used with other high-risk applications or that is to interact with sensitive information.
- Prescribes risk mitigation activities for high-risk applications that have already undergone (or are well into) one production release. Use this for projects that, if compromised, would result in significant business exposure.
- The most comprehensive prescription of risk mitigation activities for a high-risk application that is still in the project planning phase. Use this for projects that, if compromised, would result in significant business exposure.
Description
- Prescribes the minimal risk mitigation activities for low-risk applications that your organization cannot directly control (for example, provider-supplied software, open-source software, commercial off-the-shelf software, and so on). Use only for projects that have minimum exposure to external systems and not for projects that interact with sensitive data or high-risk applications.
- Prescribes risk mitigation activities for low-risk applications that have already undergone (or are well into) one production release. Use this for projects that have limited exposure to external systems. Do not use for projects that interact with sensitive data or high-risk applications.
- Prescribes the minimal risk mitigation activities for a low-risk application that is still in the project planning phase. Use this for projects that have limited exposure to external systems. Do not use for projects (can't display the rest in the UI) that interact with sensitive data or high-risk applications.
- Prescribes the minimal risk mitigation activities for an externally-developed open-source component that your organization does not directly control. Use this for projects that have limited exposure to external systems. Do not use this for projects that interact with sensitive data or high-risk applications.
- Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. This template provides guidance on the application security activities that must be completed in order to comply with the PCI-DSS v2.0 standard as of June 2012.
Open Source
Designer connection settings using the procedure in Configuring the Connection to Software Security Center on page 11. The Create Template dialog box opens and lists the available Software Security Center process templates.
Note: By default, the dialog box displays the message 2 errors detected. After you specify the template name and select an existing process template to copy, Process Designer no longer displays this message.
3. In the Template name box, type a name for the template.
4. In the Template column, select a process template.
5. Click OK.
Process Designer downloads the data for the process template you selected and displays it in a new <Template_Name> page.
For information about how to customize your Process Designer view, see Customizing the Process Designer View on page 21.
6. To save the new process template, select File > Save, and then browse to the directory in which you want to save it. Process Designer saves the template as an FPD file (with the fpd file extension) in the specified directory.
7. To close the process template, select File > Close.
Designer connection settings using the procedure in Configuring the Connection to Software Security Center on page 11. The Edit Template dialog box lists all of the process templates in the Software Security Center system.
3. In the Template column, select the process template to edit.
4. Click OK.
Process Designer downloads the data for the process template you selected and displays it on a new <Template_Name> page.
For information about how to customize your Process Designer view, see Customizing the Process Designer View on page 21.
5. Make any necessary changes to the template. For information about what you can modify and how to modify it, see Chapter 3: Customizing Software Security Center Process Templates on page 26.
6. To save the modified process template, select File > Save. Process Designer saves the template as an FPD file (with the fpd file extension) in the directory you specify.
7. To close the template, select File > Close.
If you choose to create a new process template, Process Designer prompts you to type a name for the new template instance. Process Designer uploads the process template to Software Security Center, which now displays the template name in its Process Templates list.
To check the Process Templates list in Software Security Center for templates you have committed:
1. Log on to Software Security Center, and then click the Administration tab.
2. In the Process Management section of the Administration panel (on the left), click Process Templates. Software Security Center lists all of the committed process templates in the system in the right pane.
You can change the Process Designer view in the following ways:
- To toggle between a horizontal (default) and a vertical orientation of fields in the upper panel, use the Horizontal orientation and Vertical orientation buttons.
- In the lower panel, drag a tab up to display it in its own panel.
The demonstration workflow illustrates the creation and relationship of the requirements and activities process template design elements.
To perform a simple Process Designer customization workflow:
1. Create a new process template. (See Creating Process Templates (Based on Existing Templates) on page 14.) Name the template EXAMPLE High Risk 3rd Party Development and select the High Risk 3rd Party Development template to base it on.
Note: Do not commit the template to Software Security Center. Committing a template adds the modified copy of the template you created for this demonstration to Software Security Center.
2. Add a new requirement to the working copy of the EXAMPLE High Risk 3rd Party Development Software Security Center process template.
   a. In the Requirements section, click Add. The Add Requirement dialog box opens. Process Designer displays an error message next to the Name box to remind you to type a name for the new activity.
   b. In the Name box, type EXAMPLE REQUIREMENT.
   c. (Optional) From the Default Work Owner list, select the persona to which you want to assign responsibility for the requirement.
   d. From the Persona list, select the persona for the user who is to sign off on the completed requirement.
   e. In the Description box, type Example requirement.
   f. (Optional) In the Due Date box, specify the number of days or weeks after which the requirement must be signed off on, and then select Days or Weeks from the list on the right.
   g. Click OK.
3. Create a new activity in the working copy of the EXAMPLE High Risk 3rd Party Development Software Security Center process template.
   a. In the global elements area (lower pane), select the Activities tab, and then click Add. The Add Activity dialog box opens.
   b. In the Name box, type EXAMPLE PROJECT STATE ACTIVITY.
   c. From the Type list, select Project State. For more information about activity types, see Process Template Activity Types on page 32.
   d. From the Default Work Owner list, select the persona to which you want to assign responsibility for the activity.
   e. From the Persona list, select the persona for the user who is to sign off on the completed activity.
   f. In the Description box, type Example project state activity.
   g. Click OK. Process Designer adds EXAMPLE PROJECT STATE ACTIVITY to the Activities list. To the right, in the activities detail area for the new activity, Process Designer displays a red x next to the Indicator list. The x reminds you that you must choose an indicator type.
   h. From the Indicator list, select Total Issues. You can now add the new activity to the EXAMPLE REQUIREMENT requirement.
4. In the Requirements list, select EXAMPLE REQUIREMENT.
5. To the right of the Activities box, click Add. The Add Activity dialog box opens. Because an activity can be used only once in a process template, Process Designer lists activities that have not been added to any other requirement in this process template.
   a. From the list of activities, select EXAMPLE PROJECT STATE ACTIVITY.
   b. Click OK.
6. Delete EXAMPLE PROJECT STATE ACTIVITY.
   a. In the global elements area, select Abuse Case Creation. Process Designer does not enable the Remove button. Because global element definitions downloaded from Software Security Center exist outside of a process template, the activity cannot be deleted.
   b. Select EXAMPLE PROJECT STATE ACTIVITY. Process Designer enables the Remove button. Because global element definitions that have not been uploaded to Software Security Center exist only within the working copy of the process template being edited, the activity can be deleted.
   c. Click Remove. Process Designer deletes EXAMPLE PROJECT STATE ACTIVITY.
7. Delete EXAMPLE REQUIREMENT.
   a. In the Requirements area, select Threat Model.
   b. Select EXAMPLE REQUIREMENT, and then click Remove. Process Designer removes EXAMPLE REQUIREMENT.
8. Discard the High Risk 3rd Party Development template created for this demonstration. On the High Risk 3rd Party Development Edit tab, click the X to close the tab, and then click No to discard the modified template.
Criteria: Description
Data: Sensitivity of the data processed by the application
Business Risk: Aggregate risk to the business, including, but not limited to, disruption of activity, property loss, and damage to reputation
Access: Security risks presented by external entities' malicious interactions with any portion of the application. Access can be broadly categorized as follows:
- Human interactions via input devices
- Network interactions with network systems of variable trustworthiness (external internet being least trustworthy and internal corporate network being the most trustworthy)
- External program or application program interface (API) interactions
Origin: Source of program components. If an SSA project version incorporates any components provided by a third party, then use a process template that includes risk mitigation activities for outsourced components.
SSA Project Version Characteristics

Defines risk mitigation activities for projects that contain at least one component supplied by an external third party operating under the control of the enterprise
Data: For projects that do not interact with sensitive data, select Low Risk. For projects that interact with sensitive data, select High Risk.
Business Risk: For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk.
Access: For projects that do not interact with other high-risk applications, select Low Risk. For projects that interact with other high-risk applications, select High Risk.
Origin: For either high or low risk, contains one or more components developed by third parties operating under the direction of the enterprise

Active Development: Low Risk, High Risk
Defines risk mitigation activities for projects that have undergone at least one production release
Data: For projects that do not interact with sensitive data, select Low Risk. For projects that interact with sensitive data, select High Risk.
Business Risk: For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk.
Access: For projects that do not interact with other high-risk applications, select Low Risk. For projects that interact with other high-risk applications, select High Risk.
Origin: For either high or low risk, contains no components developed by third parties

Defines risk mitigation activities for projects that contain at least one component supplied by a third party operating outside the control of the enterprise
Origin: For either high or low risk, contains one or more components developed by third parties operating outside of the control of the enterprise

HP Fortify Basic Template
Defines risk mitigation activities for projects that present only minimal risk
Origin: Contains no components developed by third parties

New Development: Low Risk, High Risk
Defines risk mitigation activities for projects in the design phase, or that have yet to undergo a production release
Data: For projects that do not interact with sensitive data, select Low Risk. For projects that interact with sensitive data, select High Risk.
Business Risk: For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk.
Access: For projects that do not interact with other high-risk applications, select Low Risk. For projects that interact with other high-risk applications, select High Risk.

Defines risk mitigation activities for projects developed by third parties operating outside the control of the enterprise
Data: Project does not interact with sensitive data, choose Low Risk.
Business Risk: For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk.
Origin: For either high or low risk, contains one or more components developed by third parties

PCI-DSS Application Security Requirements
Defines risk mitigation activities for projects that must perform the activities specific to Payment Card Industry-Data Security Standard (PCI-DSS v2.0 standard as of June 2012)
Data: Specific to PCI-DSS
Access: For projects that interact with applications as defined by the applicable PCI-DSS standards
Description
- Tasks that must be performed to fulfill a process template requirement
- External process documents required to define a document activity
- Specify the default work owner and sign-off responsibilities for process template activities and requirements. For information about work owners, see Default Work Owners on page 41.
- Performance indicators: Performance indicators use formulas constructed from equation variables to provide project state activities a numeric or percentage metric for a specific aspect of a Secure Software Assurance project version
- Equation variables: Equation variables use formulas constructed from search strings and search targets to provide performance indicators with the formulas used to calculate a numeric or percentage metric
- Project templates: Determine how HP Fortify products prioritize issues
For a seventh type of global entity, HP Fortify Software Security Center template assignment policies, Process Designer provides a separate editing environment.
However, after a design element has become global, you cannot delete it.
Typically, most process templates contain a similar set of requirements. It is the activities contained within those broadly similar requirement sets that determine the shape and texture of a given process template.
Icon
Description
Defines an operation, such as the upload of a measurement file, that must occur at certain times during the SSA project version's lifecycle
References an external document that must be completed by one or more members of the SSA secure development team
Specifies the value of a process template performance indicator
You cannot use Process Designer or Software Security Center to create or modify time lapse activity events.
Document Activities
A document activity in a Software Security Center SSA project version references an external document that must be exported from Software Security Center for completion by one or more members of the project team. In Process Designer, you can choose to reference an existing document, or you can reference a placeholder for a document that the project team is to add to the activity sometime later in the project. Regardless of how the document activity references its external document, in Software Security Center the project team must access the document from a centrally accessible external location; Software Security Center does not provide version control or document management capabilities. After the project team has completed the external process document, the activity's work owner imports the completed document back into the Software Security Center document activity. The sign-off persona or personas assigned to the activity then review the completed document, and either sign off on the document activity, or sign off on it with exception.
Whenever possible, reference external documents by URL. Referencing documents by URL helps ensure that the project team accesses the current version of the process document from its shared network location.
To create a new document definition:
1. In the global elements panel, click the Document Definitions tab, and then click Add. The Add Document Definition dialog box opens.
2. Specify the new document definition details:
   - In the Name box, type a name for the new document definition.
   - If the document referenced by this definition already exists, select either File or URL to specify whether the document is to be imported from disk or referenced by a URL.
   - (Optional) If the existing document referenced by this definition is to be imported from disk, click Import, and then browse to and select the referenced file. If the document is to reference a URL, then type the URL in the text box.
   - (Optional) Type a description of the document.
3. Click OK. Process Designer adds the new document definition to the list of definitions.
Relational operator | Description
Search String | Searches for the specified search string without qualification
"Search_String" | Searches for an exact match of the term wrapped in quotation marks (" ")
| Searches for values that match a Java-style regular expression delimited by slash marks (/). For example, /eas.+?/
| Comma-separated pair of numbers that specifies the beginning and end of the number range. Use a left or right bracket ([ ]) to specify that the range includes the adjoining number. Use a left or right parenthesis (( )) to specify that the range excludes (is greater than or less than) the adjoining number. For example, (2,4] means greater than two, less than or equal to 4.
! (not equal) | Negate a statement with an exclamation character (!). For example, !file:Main.java returns all issues that are not in Main.java
HP Fortify Software Security Center Process Designer User Guide 35
Search-string modifier | Description
[issue age] | Searches for the issue age, which is either removed, existing, or new
<custom_tagname> | Searches the specified custom tag; analysis is the default name for Primary Custom Tag, which searches the issue analysis field
<metagroupings> | Searches the issue's metagrouping field. The default metagroups are: [OWASP Top Ten 2004] [OWASP Top Ten 2007]
analyzer | Searches the issues for the specified analyzer
Analysis Type | Searches the issues for type of analysis (runtime, configuration, data flow)
Any Attribute | Searches the issue attributes using the specified string
audience | Searches the issues for the specified audience
audited | Searches the issues to find true if Primary Custom Tag is set and false if not set
category (cat) | Searches for the given category or substring of a category
comments (comment, com) | Searches in the comments entered on the issue
comment user | Searches for issues with comments from user
confidence (con) | Searches for issues with the specified confidence value
file | Searches for the file the issue is in
HP Fortify Priority Order | High, Medium, and Low issues based on the combined values of HP Fortify SCA confidence and severity
historyuser | Searches the issues for a user name in the history
kingdom | Searches for all issues in the specified kingdom
maxconf | Searches for all issues with confidence up to and including the number specified as the search term
minconf | Searches for all issues with confidence lower than and including the number specified as the search term
| Searches for issues in the specified package
| Returns the issues containing the context of the sink node
| Searches for all issues related to the specified sink rule
| Searches for all issues with the specified severity rating
| Returns the issues that have the specified string in the sink function
| Returns the issues that have the specified string in the source function
Search-string modifier | Description
source context | Returns the issues containing the context of the source node
sourcefile | Returns the issues containing the file the source node is in
status | Searches the status of issues: reviewed, not reviewed, or under review
suppressed | Searches for issues that have been suppressed
taint | Searches for issues that have the specified taint flag
Variable Examples
Software Security Center search-string syntax is similar to that of the Google search engine. Table 10 illustrates some common Software Security Center variable search strings.
Table 10: Software Security Center variables, common search strings
Search-string target | Search string
All issues that contain cleanse as part of any modifier |
Categories except for SQL Injection |
Filenames containing com/fortify/awb | file:"com/fortify/awb"
Paths that contain traces with cleanse as part of the name | trace:cleanse
Paths that contain traces with mydbcode.sqlcleanse as part of the name | trace:mydbcode.sqlcleanse
Privacy violations in filenames that contain jsp with getSSN() as a source |
Suppressed vulnerabilities with asdf in the comments | suppressed:true comments:asdf
Two (or more) queries use the same modifier to create a logical OR | category:sql injection category:privacy violation (Category equals sql injection OR privacy violation)
4. Define the equation variable, as follows:
   a. From the list on the left, select a modifier.
   b. From the center list, select an operator.
   c. In the box on the right, type a search string.
   d. Click OK. The Add Equation Variable dialog box opens. The Search string box displays the search string you specified.
5. Click OK. Process Designer adds the new equation variable to the Equation Variables list and displays the details of the activity on the right side of the Activities tab.
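The following is an added example, not part of the HP guide and not Fortify's implementation: a small Python model of the search-string rules described above (modifier:term clauses, ! negation, /regex/, bracketed ranges, OR within a repeated modifier, AND across different modifiers), run over constructed issue records so you can check what a search string selects before it feeds an equation variable. The issue fields, the restriction to single-word modifier names, the use of Python regular expressions in place of Java ones, and the case handling of bare and quoted terms are assumptions.

```python
import re

# Constructed sample issues; keys reuse modifier names from the tables above.
ISSUES = [
    {"id": 1, "category": "SQL Injection", "file": "com/fortify/awb/Main.java",
     "confidence": 4.0, "suppressed": "false", "comments": ""},
    {"id": 2, "category": "Privacy Violation", "file": "web/profile.jsp",
     "confidence": 2.0, "suppressed": "true", "comments": "asdf false positive"},
    {"id": 3, "category": "Cross-Site Scripting", "file": "web/search.jsp",
     "confidence": 3.5, "suppressed": "false", "comments": ""},
    {"id": 4, "category": "SQL Injection", "file": "db/Query.java",
     "confidence": 5.0, "suppressed": "true", "comments": "reviewed"},
]

# One clause is [!]modifier:term; the term runs until the next clause starts.
CLAUSE = re.compile(r"(!?)(\w+):(.*?)(?=\s+!?\w+:|$)")
RANGE = re.compile(r"([\[(])\s*([\d.]+)\s*,\s*([\d.]+)\s*([\])])")

def term_matches(term, value):
    """Apply one search term to one field value."""
    term = term.strip()
    rng = RANGE.fullmatch(term)
    if rng:  # [ ] include the adjoining number, ( ) exclude it
        try:
            x, lo, hi = float(value), float(rng[2]), float(rng[3])
        except (TypeError, ValueError):
            return False
        return (x >= lo if rng[1] == "[" else x > lo) and \
               (x <= hi if rng[4] == "]" else x < hi)
    text = str(value)
    if len(term) > 2 and term[0] == term[-1] == "/":   # /regex/
        return re.search(term[1:-1], text) is not None
    if len(term) > 2 and term[0] == term[-1] == '"':   # assumed: verbatim, case-sensitive
        return term[1:-1] in text
    return term.lower() in text.lower()                # assumed: case-insensitive substring

def search(query, issues=ISSUES):
    """Return ids of matching issues: OR within a modifier, AND across modifiers."""
    groups = {}
    for neg, mod, term in CLAUSE.findall(query):
        groups.setdefault((neg == "!", mod.lower()), []).append(term)
    return [issue["id"] for issue in issues
            if all(any(term_matches(t, issue.get(mod, "")) for t in terms) != neg
                   for (neg, mod), terms in groups.items())]
```

Note how (2,4] and [2,4) select different issues at the boundaries; an off-by-one bracket in a confidence range changes the count a performance indicator reports.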
For more information about working with personas in Software Security Center, see the HP Fortify Software Security Center User Guide.
Default Personas
Software Security Center includes a default set of global persona definitions, which are listed in Table 11.
Table 11: Software Security Center default personas
Default Persona | Example responsibilities
Architect | High-level design and system engineering
Business Risk Owner | Sign off on the complete set of business and technological risks for the application
Developer | Design and implement code, scan that code for vulnerabilities, and address security issues contained in that code
Operations and Build Teams | Deploy and maintain applications in production settings
Project Manager | Ensure that all project milestones are enumerated and completed
QA Testers | Test and verify software throughout the secure development process
Security Expert/Champion | Define and ensure compliance with the SSA project version's security strategy and delivery
Support Operations | Internal and external customer support and technical operations support
Creating a Persona
The procedure in this section describes how to define a new persona. More specifically, the procedure describes how to create a new global activity definition of type Document.
To define a new persona:
1. In the global elements panel, click the Personas tab, and then click Add. The Add Persona Definition dialog box opens.
2. Supply the persona details as follows:
   a. In the Name box, type a name for the persona.
   b. (Optional) Type a description of the persona.
   c. Click OK. Process Designer adds the persona to the Personas list.
For instructions on how to add a persona to a process template requirement or activity, see Adding a Persona to a Requirement or Activity.
Overview of the Software Security Center Template Assignment Policy Operation
In Software Security Center, you must select a process template before you can finish creating a new SSA project version. When you select a process template, Software Security Center uses the server's template assignment policies to recommend a process template that corresponds to the project version's attributes. To determine which process template to recommend, Software Security Center sequentially evaluates its list of template assignment policies until it finds the first policy with assignment rules that match the SSA project version's attributes. Software Security Center then stops scanning the list of template assignment policies and places the process template specified by the matching policy in the process template panel's Template list. (Software Security Center permits you to override that recommendation and choose another process template if desired.)
Getting Started with Software Security Center Template Assignment Policy Editor
This section contains the following topics:
Downloading Software Security Center Template Assignment Policies
Uploading Edited Template Assignment Policies
Saving Software Security Center Template Assignment Policies to Disk
Process Designer updates the right-side details pane with the template assignment policy rules.
For more information about template assignment policy rules, see Overview of Assignment Rule Elements on page 45.
Assignment criterion | Description
Type, logical operator | Use the And, Or, and Not logical operators to create Boolean expressions that provide container elements for Project Attribute elements
Type, | Select Project Attribute Definition to enable the Project Attribute and Project Attribute Value lists, described later in this table
| When Type equals Project Attribute Definition, use the Project Attribute list to choose an existing global project attribute definition. The choice of project attribute determines the values listed in the Project Attribute Value list, described next
| When Type equals Project Attribute Definition, use the Project Attribute Value list to choose the value of the project attribute selected in the Project Attribute list
Additionally, the following governs how you can add a child to a node:
2. In the Name text entry area, type EXAMPLE Template Assignment Policy.
3. From the Process Template list, select Low Risk 3rd Party Development. If Software Security Center selects EXAMPLE Template Assignment Policy during the creation of a new SSA project version, the policy will recommend the Low Risk 3rd Party Development process template.
4. In the Description box, type Example of a new template assignment policy.
5. Click OK. Process Designer adds the new definition to the list of definitions.
   c. From the Type list, select Or.
   d. Click OK. Process Designer displays the Or operator as a child of the EXAMPLE template assignment policy.
2. Add the first Project Attribute specifier to EXAMPLE Template Assignment Policy.
   a. From the list of assignment rules on the right, select the Or operator you created in the preceding step.
   b. Click Add Child. The Add Child dialog box opens.
   c. Select the Or.
   Note: If you select an element that cannot support a child element, Process Designer does not enable the Add Child button. This Process Designer feature helps you construct well-formed template assignment rules.
   d. From the Project Attribute list, select Development Strategy. Process Designer updates the Project Attribute Value List with the valid values for the Development Strategy attribute.
   e. From the Project Attribute Value list, select Fully Outsourced.
   f. Click OK. Process Designer adds the new Project Attribute child to the Or logical operator.
3. Repeat step 2, but this time, from the Project Attribute Value list, select Partially Outsourced.
4. Repeat step 2, but this time, from the Project Attribute Value list, select Open Source.
The policy now specifies assignment rules for any SSA project version that contains any code developed by a third party.
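The following is an added example, not code from the HP guide or from Software Security Center: a Python model of the first-match evaluation described in the overview, applied to the EXAMPLE policy built above, with a helper that lists policies hidden behind an earlier match. The tuple encoding of rules, the second policy, and its "Handles Cardholder Data" attribute are hypothetical.

```python
# Rule nodes: ("attr", name, value), ("not", child), ("and" | "or", [children]).
def rule_matches(rule, attrs):
    """Evaluate an assignment-rule tree against a project version's attributes."""
    kind = rule[0]
    if kind == "attr":
        return attrs.get(rule[1]) == rule[2]
    if kind == "not":
        return not rule_matches(rule[1], attrs)
    if kind in ("and", "or"):
        results = [rule_matches(child, attrs) for child in rule[1]]
        return all(results) if kind == "and" else any(results)
    raise ValueError(f"unknown rule node: {kind!r}")

# The policy built in the procedure above: any code developed by a third party.
EXAMPLE = ("EXAMPLE Template Assignment Policy", "Low Risk 3rd Party Development",
           ("or", [("attr", "Development Strategy", "Fully Outsourced"),
                   ("attr", "Development Strategy", "Partially Outsourced"),
                   ("attr", "Development Strategy", "Open Source")]))

# Hypothetical second policy; the attribute name and value are assumptions.
PCI = ("PCI policy (hypothetical)", "PCI-DSS Application Security Requirements",
       ("attr", "Handles Cardholder Data", "Yes"))

def recommend(policies, attrs):
    """Return the template of the first matching policy; later ones are not scanned."""
    for _name, template, rule in policies:
        if rule_matches(rule, attrs):
            return template
    return None

def shadowed(policies, attrs):
    """Names of later policies that also match but are never reached."""
    names = [name for name, _template, rule in policies if rule_matches(rule, attrs)]
    return names[1:]
```

Because evaluation stops at the first match, shadowed() shows which policies a given project version never reaches, which is worth checking whenever the policy list is reordered.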