HPE Security Fortify Software Security Center User Guide

HPE Security Fortify Software Security Center
Software Version: 16.10
User Guide
Document Release Date: April 2016
Software Release Date: April 2016
User Guide
Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise Development, LP products and services are set forth in
the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HPE Security shall not be liable for technical or editorial
errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HPE Security required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is
(i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of
the software to be scanned, and may not be used for any other purpose.
You shall not install or use the software on any third party or shared (hosted) server without explicit consent
from the third party.
Copyright Notice
© Copyright 2008 - 2016 Hewlett Packard Enterprise Development, LP
Trademark Notice
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact
your HPE Security sales representative for details.
HPE Security Fortify Software Security Center (16.10)
Page 2 of 134
User Guide
Contents
Preface ... 9
  Contacting HPE Security Fortify Support ... 9
  For More Information ... 9
  About the Documentation Set ... 9
  Change Log ... 10
Chapter 1: Introduction ... 14
  Intended Audience ... 14
  Related Documentation ... 14
  Changes to the HPE Security Fortify Software Security Center 16.10 Interface ... 15
  New Login Screen ... 15
  Hewlett Packard Enterprise Header ... 16
  Integration with CloudScan ... 16
  Show 5 More ... 16
  Application Versions Overview Changes ... 16
  Changing Your Password ... 17
  Grouping by Custom Folders ... 17
  Group by List ... 17
  SSC Dashboard ... 17
  Custom Tags ... 18
  Coexistence of the New UI and the Legacy UI ... 18
  Current Limitations ... 18
  Switching Between the New User Interface and the Legacy User Interface ... 19
  Viewing Software Security Center Keyboard Shortcuts ... 20
Chapter 2: Getting Started with Software Security Center ... 21
  About the Central Role of Software Security Center ... 21
  Security Management Workflow ... 22
  User Accounts and Access ... 22
  Active Directory/LDAP Integration ... 23
  Logging on to Software Security Center for the First Time ... 23
  Changing Your Password ... 24
  Enabling and Disabling Receipt of Email Alerts ... 25
  About the Software Security Center Dashboard ... 25
  Refining the Data Displayed on the Software Security Center Dashboard ... 26
  Deactivating Application Versions ... 28
  Reactivating Application Versions ... 28
Chapter 3: Managing User Accounts ... 30
  Software Security Center User Account Management ... 30
  Administrator Accounts ... 30
  Security Lead Accounts ... 31
  Manager Accounts ... 31
  Developer Accounts ... 32
  About Modifying Your User Account ... 33
  About Tracking Teams ... 33
  About Roles ... 34
  Pre-configured Roles ... 34
  Role-Based Permissions for Software Security Center Server ... 35
  Creating Custom Roles ... 39
  Deleting Custom Roles ... 40
  Software Security Center Account Administration ... 41
  Creating Local User Accounts ... 41
  Registering LDAP Entities with Software Security Center ... 42
  Unlocking Locked User Accounts (Local Users Only) ... 45
Chapter 4: Applications and Application Versions ... 46
  About Tracking Development Teams ... 47
  About the Application Creation Process ... 47
  Strategies for Creating Application Versions ... 47
  Strategies for Packaged Software ... 48
  Strategies for Continuous Deployment ... 48
  About Annotating Application Versions for Reporting ... 48
  Viewing the List of SSC Applications ... 49
  About Creating Application Versions ... 49
  Application Version Attributes ... 49
  Creating Custom Attributes ... 51
  Specifying New Custom Attributes in Existing Application Versions ... 53
  Template Selection ... 53
  Creating the First Version of a New Application ... 54
  Adding a New Version to an Application ... 56
  Searching Applications and Application Versions from the Applications View ... 60
  Updating the Application Overview Page ... 60
  Editing Application Version Details ... 60
  About Deleting Application Versions ... 61
  Deactivating Application Versions ... 61
  Reactivating Application Versions ... 62
  Deleting an Application Version ... 62
  Using Bug Tracking Systems to Help Manage Security Vulnerabilities ... 63
  Bug Tracker Configuration ... 63
  Configuring Bug Tracking for an Application Version ... 64
  Submitting Exploitable Bugs in a Batch ... 66
  About Using State Management to File Many Issues ... 67
  Bug State Management ... 68
  Changing the Template Associated with an Application Version ... 68
  Setting Analysis Result Processing Rules for Application Versions ... 70
  Custom Tags ... 72
  Adding Custom Tags to the System ... 73
  Modifying Custom Tag Attributes ... 74
  Globally Hiding Custom Tags ... 74
  Deleting Custom Tags ... 75
  Adding Custom Tag Values ... 75
  Editing Custom Tag Values ... 76
  Deleting Custom Tag Values ... 76
  Associating Custom Tags with Issue Templates ... 77
  Viewing the Custom Tags Associated with an Issue Template ... 78
  Removing Custom Tags from Issue Templates ... 78
  Assigning Custom Tags to Application Versions ... 79
  Disassociating a Custom Tag from an Application Version ... 80
  Managing Custom Tags Through Issue Templates ... 80
  Managing Custom Tags Through an Issue Template in an FPR File ... 80
Chapter 5: Variables, Performance Indicators, and Alerts ... 81
  Working with Variables ... 81
  Creating Variables ... 81
  Variable Syntax ... 82
  Performance Indicators ... 83
  Creating Performance Indicators ... 83
  Alert Definitions ... 84
  Creating Alerts ... 85
  Editing Alerts ... 86
  Deleting Alerts ... 86
  Viewing and Marking Alerts ... 87
Chapter 6: About Working with Scan Artifacts ... 89
  Uploading Scan Artifacts ... 89
  Viewing File Processing Errors ... 91
  Uploading Third-Party Results to Software Security Center ... 92
  Uploading SAP NetWeaver Data to an SSC Application Version ... 93
  Viewing Scan Errors ... 94
  Downloading Scan Artifacts ... 95
  Downloading the Merged FPR File for an Application Version ... 95
  Downloading Individual Scan Results ... 95
  Viewing High-Level Summary Results ... 96
  Displaying Additional Application Versions on the Dashboard ... 97
  Viewing Issue Metadata ... 98
  Mapping Scan Results to External Lists ... 99
  Purging Scan Artifacts ... 99
  Deleting Artifacts ... 100
Chapter 7: Collaborative Auditing ... 101
  About Auditing ... 101
  About Current Issues State ... 101
  Audit Conflicts ... 102
  Auditing Issues ... 102
  Accessing the Audit Page from the Dashboard ... 106
  Accessing the Audit Page from the Applications Tab ... 106
  Filtering Issues for Display on the Overview and Audit Pages ... 107
  Changing Displayed Issues Using Filter Sets ... 109
  Setting Issue Viewing Preferences ... 110
  Viewing Suppressed Issues ... 110
  Viewing Removed Issues ... 111
  Viewing Hidden Issues ... 111
  Searching Globally in Software Security Center ... 112
  Software Security Center and WebInspect Enterprise Integration ... 114
  Viewing WebInspect Scan Results in Software Security Center ... 114
  Viewing Additional Details and Recommendations ... 116
  WebInspect Audit Data ... 116
  False Positives ... 117
Chapter 7: Software Security Center and CloudScan Integration ... 118
  Viewing CloudScan Scan Request Details ... 118
  Exporting CloudScan Scan Request Details ... 119
  Canceling CloudScan Scan Requests ... 120
  Viewing CloudScan Sensor Information ... 120
  Viewing CloudScan Controller Information ... 121
Chapter 8: BIRT Reports in Software Security Center ... 123
  Software Security Center Issue Reports ... 123
  CWE/SANS Top 25 Reports ... 124
  Developer Workbook Report ... 124
  DISA STIG 3, 3.4, 3.5, 3.7, and 3.9 Reports ... 124
  FISMA Compliance: FIPS - 200 Report ... 124
  OWASP Mobile Top 10 Reports ... 124
  OWASP Top 10 Reports ... 125
  PCI DSS Compliance: Application Security Report ... 125
  Penetration Testing Correlation Report ... 125
  Seven Pernicious Kingdoms Report ... 125
  Vulnerability Report ... 125
  Software Security Center Portfolio Reports ... 126
  Hierarchical Summary Report ... 126
  Issue Trending Report ... 126
  Key Performance Indicators Report ... 126
  Security at a Glance Report ... 127
  Application Summary Report ... 127
  Generating and Viewing Reports ... 127
  Preventing Destructive Libraries and Templates from being Uploaded to Software Security Center ... 129
  BIRT Libraries ... 129
  Importing Report Libraries ... 130
  Customizing Software Security Center BIRT Reports ... 130
  Acquiring the BIRT Report Designer ... 131
  Exporting Report Definitions from Software Security Center ... 131
  Importing Report Definitions into Software Security Center ... 132
Chapter 9: Authentication Tokens ... 133
  Generating Authentication Tokens ... 133
Send Documentation Feedback ... 134
Preface
Contacting HPE Security Fortify Support
If you have questions or comments about using this product, contact HPE Security Fortify Technical Support
using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
fortifytechsupport@hpe.com
To Call Support
650.735.2215
For More Information
For more information about HPE Security software products: http://www.hpenterprisesecurity.com
About the Documentation Set
The HPE Security Fortify Software Security Center documentation set contains installation, user, and
deployment guides for all HPE Security Fortify Software Security Center products and components. In
addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HPE Security
user community website:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will need to register for an account.
Change Log
The following table lists changes made to this guide with each release and version.
Software Release Version: 16.10

Release Numbering
The release numbering scheme for the entire Software Security Center product suite has changed. Starting with this 16.10 release, the release numbering format is year.minor release.
Examples:
• Release 16.10 would be for a product released in 2016, and the first release of the year.
• Release 17.21 would be for a product released in 2017, and the first patch to the second release of the year.

Extensible Custom Tags
This release introduces extensible custom tags.

Topics Added
• "Changes to the HPE Security Fortify Software Security Center 16.10 Interface" on page 15
• "Changing Your Password" on page 24
• "Displaying Additional Application Versions on the Dashboard" on page 97
• "Enabling and Disabling Receipt of Email Alerts" on page 25
• "Unlocking Locked User Accounts (Local Users Only)" on page 45
• "Role-Based Permissions for Software Security Center Server" on page 35
• "Uploading SAP NetWeaver Data to an SSC Application Version" on page 93
• "Viewing CloudScan Scan Request Details" on page 118
• "Canceling CloudScan Scan Requests" on page 120
• "Viewing CloudScan Sensor Information" on page 120
• "Viewing CloudScan Controller Information" on page 121

Topics Modified
• "Security Management Workflow" on page 22
• "Enabling and Disabling Receipt of Email Alerts" on page 25
• "Switching Between the New User Interface and the Legacy User Interface" on page 19

Software Release Version: 4.40

• "About Modifying Your User Account" on page 33
• "Role-Based Permissions for Software Security Center Server" on page 35
• "Creating the First Version of a New Application" on page 54

Terminology changes:
The entities referred to as projects and project versions in SSC 4.30 and earlier versions are now referred to as applications and application versions, respectively.
What were previously referred to as project templates for projects are now referred to as issue templates for applications.

Removed:
• Requesting Project Attribute Info. This functionality exists in the 4.30 user interface, but not in version 4.40.
• Adding Custom Tag Values During Audits. This functionality exists in the 4.30 user interface, but not in version 4.40.
• About CloudScan in Software Security Center. This functionality exists in the 4.30 user interface, but not in version 4.40.
  Note: All version 4.30 functionality is still available through the 4.30 user interface.
• All topics related to SSA applications and their corresponding process templates, activities, and personae, which no longer exist in SSC v 4.40
• All topics related to requesting dynamic WebInspect scans
• All references to extensible custom tags, which enabled users to add new custom tag values during audits. These are not supported in this release.
• About Search Modifiers
• Search Query Examples
• About Customizing User Account Preferences
• About Page Configuration Limits
• Selecting Project Versions to Display
• Enabling and Disabling Email Alerts
• Receiving Runtime Alerts
• Configuring Date and Time Format
• About Application Dependencies
• The note "The Add Permissions dialog box provides a search feature that you can use to search for permissions based on search conditions that you specify" from "Creating Custom Roles" on page 39
• Changing Your Account Information - If you are not an administrator, and you need to change your own account information, including your password, you must revert to the legacy user interface to do so.
• Moving Pods Between Pages
• The section About the Icons on the Projects Tab
• About the Runtime Tab and About Runtime Events

Added:
• "Changes to the HPE Security Fortify Software Security Center 16.10 Interface" on page 15
• "Editing Application Version Details" on page 60
• "Deleting Artifacts" on page 100
• "Uploading Scan Artifacts" on page 89
• "Downloading Scan Artifacts" on page 95
• "Purging Scan Artifacts" on page 99
• "Accessing the Audit Page from the Applications Tab" on page 106
• "Accessing the Audit Page from the Dashboard" on page 106
• "Filtering Issues for Display on the Overview and Audit Pages" on page 107
• "Viewing WebInspect Scan Results in Software Security Center" on page 114
• "Searching Applications and Application Versions from the Applications View" on page 60
• "Viewing Scan Errors" on page 94
• "Viewing Suppressed Issues" on page 110
• "Viewing Removed Issues" on page 111
• "Viewing and Marking Alerts" on page 87
• "Refining the Data Displayed on the Software Security Center Dashboard" on page 26

Software Release Version: 4.30

Added:
• Caution about preventing the upload of destructive libraries and templates to Software Security Center
• Several new reports to "Software Security Center Issue Reports" on page 123
• Information about the Options field to "Generating and Viewing Reports" on page 127

Removed:
• References to the Software Security Center online Process Guide from "Related Documentation" on page 14 and "About the Software Security Center Dashboard" on page 25
• Appendix B: Software Security Center Report Summaries

Modified:
• The name of Appendix A: Authorization Tokens to "Authentication Tokens" on page 133 and all “authorization” token references to “authentication” token.
Chapter 1: Introduction
This guide provides all Software Security Center users with detailed information about how to use Software
Security Center.
Topics covered in this section:
Intended Audience
14
Related Documentation
14
Changes to the HPE Security Fortify Software Security Center 16.10 Interface
15
Switching Between the New User Interface and the Legacy User Interface
19
Viewing Software Security Center Keyboard Shortcuts
20
Intended Audience
This guide is intended for use by enterprise security leads, development team managers, and developers.
Software Security Center (SSC) provides security team leads with a high-level overview of the history and
current status of an application. Your security team can then ensure that both developers and auditors work
effectively together to provide the best response to application issues.
SSC provides auditors with a centralized facility for managing issues. If the manager needs to work offline or
with the advanced tools that HPE Security Fortify Audit Workbench (AWB) offers, current application state
and up-to-date auditing information are made available for download.
Managers can use SSC to prioritize issues to reflect the needs of the enterprise. That prioritization can then
be used to prioritize the activities of the application development team.
Developers are responsible for creating and maintaining one or more code bases that conform to secure
coding practices. SSC provides a focal point for managing and transmitting information about specific issues
received from analysis agents to supported Integrated Development Environments (IDEs), or to standalone
clients such as AWB. Developers can then use the application snapshots that SSC produces to measure
their progress through the secure development life cycle.
Related Documentation
The following documents provide additional information about Software Security Center:
• HP Fortify Software Security Center User Guide: Legacy User Interface is the user guide for HP Software Security Center version 4.30. The 4.30 user interface is available from the 16.10 user interface. Specific areas of functionality are only available in the 4.30 interface. For more information, see "Changes to the HPE Security Fortify Software Security Center 16.10 Interface" below.
• HPE Security Fortify Software Security Center Installation and Configuration Guide provides system and database administrators with complete instructions on how to install and configure Software Security Center server software.
• HP Fortify Software Security Center Installation and Configuration Guide: Legacy User Interface provides system and database administrators with complete instructions on how to configure Software Security Center server software using the legacy (v 4.30) user interface.
• HPE Security Fortify Software Security Center System Requirements document provides system and database administrators with the minimum and recommended hardware and software requirements for installing and using Software Security Center server software.
• HPE Security Fortify Software Security Center Release Notes document provides product information that is not included in the regular documentation set.
• What's New in HPE Security Fortify Software Security Center Products contains information about features added to Software Security Center since its previous release.
For information about all of the guides in the Software Security Center documentation suite, see
HPE Security Fortify Software Security Center Documentation Set.
Changes to the HPE Security Fortify Software
Security Center 16.10 Interface
The SSC 16.10 release introduces changes to its user interface and additional functionality and features.
New Login Screen
The Fortify Software Security Center login screen has a new look.
Hewlett Packard Enterprise Header
In this release, the product header has changed. What was previously the HP Fortify header is now the
Hewlett Packard Enterprise header.
Integration with CloudScan
If an SSC administrator integrates SSC and CloudScan, the Hewlett Packard Enterprise header includes the
Scans link, which you can use to navigate to the Scans view. The Scans view includes the Scan Request,
Sensors, and Controller pages for CloudScan. (See "Viewing CloudScan Sensor Information" on page 120,
"Viewing Scan Errors " on page 94, and "Viewing CloudScan Controller Information" on page 121.)
Show 5 More
If there are more application versions than are shown on the dashboard and you want to see more of them, you can now select Show 5 more. See "Displaying Additional Application Versions on the Dashboard" on page 97.
Application Versions Overview Changes
The Overview toolbar now includes the Trend button, which you use to navigate to the Trend page for the
selected application version. From the Trend page, you can view trends in variables and performance
indicators across specified time periods.
The Artifacts button has replaced the Scans button on the Overview toolbar. The functionality has not
changed.
Changing Your Password
You can now change the password for your own user account. For instructions, see "Changing Your
Password " on page 24.
Grouping by Custom Folders
From the Audit page, you can now group issues by folder. This enables you to use any custom folders
created in Audit Workbench to group issues.
Group by List
The Overview page for application versions now includes the Group by list.
SSC Dashboard
The new Dashboard includes the following features:
Improved selection of data for viewing
To give you more precise control over the findings displayed, in addition to the Group by setting, the
Dashboard now includes the Aggregate by and Filter by settings. You can select multiple attributes from
the Filter by list to filter displayed data.
With the new Aggregate by setting, you can specify an attribute to use to summarize and display all data specified by the selected "group by" and filter attributes. When custom attributes are defined and assigned to your application versions, aggregating data is a particularly powerful way to set your viewing preferences.
You can combine all of these settings (Group by, Aggregate by, Filter by, and custom attributes) to extract
a focused subset of information from a large volume of mostly extraneous information. For more information,
see "Refining the Data Displayed on the Software Security Center Dashboard" on page 26. For information
about how to create custom attributes, see "Creating Custom Attributes" on page 51.
Custom Tags
Extensible custom tags
This release re-introduces extensible custom tags. If you create a new custom tag and make it extensible,
users can add new values to the tags as they audit events.
Setting the primary tag for an application version
You can now set the primary tag for an application version. For information, see "Assigning Custom Tags to
Application Versions" on page 79.
Coexistence of the New UI and the Legacy UI
Note that, for now, you can still work with SSA projects and process templates in the legacy (v 4.30) user
interface, which is carried forward for this release. You can work in either or both the new and legacy
interfaces. Be aware, however, that functionality introduced in versions 4.40 and 16.10 is not available in the
legacy version. Also, administrators can now block all access to the legacy user interface.
Current Limitations
Requesting Access
The options that you access from the Can’t access or need an account? link on the Login page are not
available in this release. For access, contact your SSC administrator.
Runtime Functionality
The Runtime tab does not exist in the new user interface. You can still find this functionality in the legacy UI
but, in order to use it, you must configure your Runtime connection through the new UI. For instructions, see
the HPE Security Fortify Software Security Center Installation and Configuration Guide.
Changing your Account Information
If you are not an administrator, and you need to change your account information, you must revert to the
legacy user interface to do so. For instructions on how to navigate to the legacy interface, see "About
Modifying Your User Account " on page 33. (See "Changing Your Account Information" in the HP Fortify
Software Security Center User Guide: Legacy User Interface.)
SSA Projects
In 4.30 and earlier releases, SSC supported both basic projects and SSA projects. In this release, only basic
applications are supported. Similarly, SSC provides issue templates for basic projects, but no longer provides
the process templates that were assigned to SSA projects.
Note: You can still work with SSA projects and process templates in the legacy user interface, which is
carried forward from 4.30 for this release.
Formatting Date and Time Display
You cannot change the format for date and time display.
Creating Custom Tags During Audits
In this version, you cannot create a custom tag during an audit. Instead, administrators must create all
custom tags from the Administration page.
Switching Between the New User Interface and the
Legacy User Interface
After you first log in, SSC opens in the 16.10 user interface.
To access the legacy user interface:
1. Log on to SSC.
2. At the right end of the Hewlett Packard Enterprise header, click the user profile icon, and then select
4.30 UI.
Your data open in the legacy UI.
To return to the new user interface from the legacy user interface:
• In the HP Fortify Software Security Center header, click the Go to the new UI link.
See Also
Introducing the Redesigned HPE Security Fortify Software Security Center User Interface
Viewing Software Security Center Keyboard
Shortcuts
To view the keyboard shortcuts used to navigate the SSC user interface:
1. Log on to SSC.
2. Do one of the following:
   • At the right end of the Hewlett Packard Enterprise header, click the user profile icon, and then select Hotkeys.
   • Press the question mark key (?) on your keyboard.
Chapter 2: Getting Started with Software
Security Center
Software Security Center (SSC) is a browser-based product that provides a set of capabilities across the
software development life cycle to automate detection of security vulnerabilities in applications. It helps your
security and development teams work together to resolve security flaws quickly and accurately by making
correlated data from HPE Security Fortify Static Code Analyzer (SCA), HPE Security Fortify CloudScan,
HPE Security WebInspect, and third-party tools available through its collaborative online environment.
This section contains the following topics:
About the Central Role of Software Security Center
21
Security Management Workflow
22
User Accounts and Access
22
About the Software Security Center Dashboard
25
About the Central Role of Software Security Center
Software Security Center (SSC) provides a location for collecting, correlating, and exporting security analysis
results. The SSC server resides in a central location and receives results from different security activities,
such as static, dynamic, and real-time analysis.
SSC is designed to help you:
• Identify and prioritize a baseline of existing vulnerabilities
• Prevent new vulnerabilities from being introduced
• Remediate existing vulnerabilities and lower the baseline
• Ensure that your code is in compliance with internal and external security mandates
SSC works within your organization to answer the following questions:
• How do we drive the adoption of good application security practices?
• How do we get actionable results to development teams?
• Do we measure application teams on a team-by-team basis or as a unit?
• How do we track results over time?
Security Management Workflow
The following figure illustrates the flow of security management processes within Software Security Center.
As development teams perform scans, they submit periodic scan results from a continuous integration server
into SSC.
Security teams submit periodic results of a dynamic assessment into SSC.
SSC correlates and tracks the scan results and assessment results over time, and makes the information
available to developers through the Audit Workbench web interface, or through IDE plugins such as the
HPE Security Fortify Plugin for Eclipse, the HPE Security Fortify Package for Visual Studio, and others.
Users can also push issues into defect tracking systems, including HPE ALM, JIRA, TFS/Visual Studio
Online, and Bugzilla.
User Accounts and Access
Software Security Center supports two methods of authentication:
• Local user accounts created within the interface
• Active Directory/LDAP accounts associated with standard corporate authentication (Active Directory/LDAP integration supports user assignment by group or organizational unit)
Topics covered in this section:
Active Directory/LDAP Integration
23
Logging on to Software Security Center for the First Time
23
Changing Your Password
24
Enabling and Disabling Receipt of Email Alerts
25
Active Directory/LDAP Integration
Active Directory/LDAP integration enables Software Security Center (SSC) to authorize users based on their
existing corporate credentials. In addition, assignment by group or organizational unit enables SSC to take
advantage of the existing joiners/leavers processes. A new person who joins a group automatically has
access to SSC. A person who leaves a group automatically loses access.
The user who deploys SSC must configure the integration with the Active Directory/LDAP during installation.
For detailed information, see the HPE Security Fortify Software Security Center Installation and
Configuration Guide.
See Also
"Registering LDAP Entities with Software Security Center" on page 42
"Software Security Center User Account Management" on page 30
Logging on to Software Security Center for the First Time
To log on to SSC, your SSC administrator must provide you with the URL for your instance, a username, and
a password.
To log on to SSC for the first time:
1. To make sure that you access the newest version of the SSC user interface, clear your web browser’s
cache.
2. In a web browser, type the URL for your SSC instance, as follows:
   • If SSC is configured to use secure HTTP protocol, type the following URL:
     https://<host_ip>:<port>/ssc/
     where <port> represents the port number used by your application server.
   • If SSC is configured to use insecure HTTP protocol (not recommended), type the following URL:
     http://<host_ip>:<port>/ssc/
     where <port> represents the port number used by your application server.
The default logon credentials for a new SSC installation are username “admin” and password “admin.”
You must change your credentials at your first logon.
3. In both the Username and Password boxes, type admin.
4. Click Log in.
5. Change your credentials when SSC prompts you to do so.
Changing Your Password
To modify your user account information (other than your password), you must use the legacy user interface.
To change your password:
1. Log on to SSC.
2. At the right end of the Hewlett Packard Enterprise header, click the user profile icon, and then select
Change Password.
The HPE Security Fortify Software Security Center - Change Password dialog box opens.
For instructions on how to modify your other user account information, see the HP Fortify Software Security
Center User Guide: Legacy User Interface.
Enabling and Disabling Receipt of Email Alerts
To enable or disable your receipt of email alerts:
1. Log on to SSC.
2. At the right end of the Hewlett Packard Enterprise header, click the user profile icon, and then select
Preferences.
3. In the Preferences dialog box, select or clear the Email Alert Notifications check box, and then click
Save.
About the Software Security Center Dashboard
After you log on to SSC, the Dashboard displays data for the application versions to which you have access
that pose the highest potential business risk to your organization. By default, data are shown on the
Reviewed tab for reviewed (audited) findings. To view unreviewed findings, click the Pending tab.
Topics covered in this section:
Refining the Data Displayed on the Software Security Center Dashboard (page 26)
Deactivating Application Versions (page 28)
Reactivating Application Versions (page 28)
Refining the Data Displayed on the Software Security Center
Dashboard
Assuming you have active application versions and scan results uploaded on your Software Security Center
server, after you log on, the SSC Dashboard displays data for the application versions that pose the highest
potential business risk to the organization. In the default view, you see the data for reviewed (audited)
findings for the application versions to which you have access. No filters are applied to the data.
The Dashboard provides three settings that you can use alone or in any combination to refine the data
displayed.
Selecting a grouping attribute
To group your data based on a single application version attribute, select the attribute from the Group by list.
(The default grouping attribute is the application version.)
In addition to the grouping attribute you selected, the resulting data reflects any attributes you have selected
from the Aggregate by and Filter by lists.
Note: You can achieve finer control over the data displayed if your Group by list includes custom
attributes (of the single-select type). For instructions on how to create custom attributes, see "Creating
Custom Attributes" on page 51.
Selecting an aggregating attribute
To aggregate the data shown on the Dashboard based on a single application attribute, select the attribute
from the Aggregate by list. The Dashboard displays your data based on the aggregating attribute, and any
attributes you have selected from the Group by and Filter by lists.
Note: You can achieve finer control over the data displayed if your Aggregate by list includes custom
attributes (of the single-select type). For instructions on how to create custom attributes, see "Creating
Custom Attributes" on page 51.
Selecting one or more filtering attributes
To selectively display data based on an application attribute, select an attribute from the Filter by list. You can select multiple attributes, but you must select them one at a time.
The Dashboard displays your data based on the selected filter attributes, and any other attributes you have
selected from the Group by and Aggregate by lists.
Clearing selections from the custom attributes lists
To clear your attribute selection from a list, click the Clear all icon.
Deactivating Application Versions
Deactivating an application version hides that version on the Applications page. If you delete all versions of
an application, SSC automatically deletes the application.
To deactivate an SSC application version:
1. From the Applications page, select the version name for the application version you want to deactivate.
SSC opens the Overview page for the selected version.
2. On the application version toolbar, click Profile.
3. In the Application Profile dialog box, click Application Settings.
4. In the Version Settings panel, click Deactivate.
SSC prompts you to confirm that you want to deactivate the version.
5. Click OK.
The Deactivate button is now the Activate button. If you need to, you can re-activate the version later.
6. Close the Application Profile dialog box.
See Also
"Deleting an Application Version " on page 62
Reactivating Application Versions
If a specific application version has been deactivated and is not listed on the Dashboard or in the Applications
view, you can reactivate it to make it visible again.
If the deactivated application version was the only version of the application that exists, you can do one of the
following to access and reactivate it:
• Return to the legacy user interface and reactivate it there. (For instructions, see the HP Fortify Software Security Center User Guide: Legacy User Interface.)
• Create a new version of the deactivated application, and then follow the procedure described below.
To reactivate an application version when another version of the application exists:
1. On the Hewlett Packard Enterprise header, click Applications.
2. In the Applications view, click an application version name.
The Overview page for the selected application version opens.
3. On the application version toolbar, click Profile.
The Application Profile dialog box opens.
4. Click Application Settings.
5. In the Other Versions section, next to the inactive version you want to reactivate, click Activate.
SSC prompts you to confirm the activation.
6. Click OK.
7. Close the Application Profile dialog box.
The application version is now again represented on the SSC Dashboard and in the Applications view.
Chapter 3: Managing User Accounts
This section contains the following topics:
Software Security Center User Account Management (page 30)
About Modifying Your User Account (page 33)
About Tracking Teams (page 33)
About Roles (page 34)
Software Security Center Account Administration (page 41)
Software Security Center User Account Management
In accordance with secure deployment guidelines, the HPE Security Fortify Software Security Center
Installation and Configuration Guide directs the primary system administrator of a new installation of Software
Security Center to create a non-default Administrator-level account, and then to delete the default admin
account. The non-default SSC Administrator account is used to create additional SSC user accounts.
Software Security Center supports four default account types. The following sections describe each of them, in descending order of privilege:
Administrator Accounts (page 30)
Security Lead Accounts (page 31)
Manager Accounts (page 31)
Developer Accounts (page 32)
This section contains information about Software Security Center roles, user account administration, and
how to register AD/LDAP entities with Software Security Center.
Administrator Accounts
Users who have Administrator accounts have complete access to all Software Security Center user and
application version data and can manage the entire SSC system. Only users who have Administrator
accounts can create, edit, or delete other user accounts.
HPE recommends that you create only the Administrator-level accounts necessary to create and edit local or
LDAP Software Security Center user accounts. The Security Lead and lesser accounts can perform all other
application-related activity.
SSC permits the explicit addition of Administrator-level accounts to application versions. This enables
Administrator users to be assigned issues from the SSC Audit page.
Security Lead Accounts
Use Security Lead accounts to perform overall administration of one or more application versions, including
the Managers and Developers assigned to collaborate on those application versions. The following table
summarizes the read (view) and write (create or modify) privileges available to a Security Lead account.
Functional Area                  R   W   Comments
Access to application versions   X   X   Application versions the Security Lead created or to which the Security Lead account is assigned
Alerts                           X   X
Artifact, Documents              X   X
Artifact, FPR                    X   X
Event Log                        X       View all event logs
Performance Indicators           X   X
Issue templates                  X   X   Upload, download, and delete
Application versions             X   X   Create, manage assigned
Reports                          X   X   Add, edit, or delete report definitions
Rulepacks                        X   X   Import or delete
Users: local and LDAP            X       Only Administrator accounts can create or edit users
Variables                        X   X
Manager Accounts
With a Manager account, you can manage the secure development of the Software Security Center application versions to which you are assigned and perform tasks such as assigning one or more Developer accounts to an application version. The following table summarizes the read (view) and write (create or modify) privileges for a Manager account.
Functional Area                  R   W   Comments
Access to application versions   X       Application versions to which the user is assigned
Alerts                           X   X   Create for assigned application versions
Artifact, Documents              X   X
Artifact, FPR                    X   X
Event Log                        X       View events for assigned application versions only
Performance indicators           X
Issue templates                  X
Application versions             X   X   Delete or retire only assigned application versions
Reports                          X   X   View or generate reports
Rulepacks                        X   X   Export
Users: local and LDAP            X       Only Administrator accounts can create or edit users
Variables                        X
Developer Accounts
With a Developer account, you can perform secure development tasks for the SSC application versions to
which you are assigned. The following table summarizes the read (view) and write (create or modify)
privileges for a Developer account.
Functional Area                  R   W   Comments
Access to application versions   X       For application versions to which the user is assigned
Alerts                           X   X   Create for assigned application versions
Application versions             X       View only assigned
Artifact, Documents              X   X
Artifact, FPR                    X   X   View, comment, audit
Event Log                        X       View events associated with assigned application versions
Performance Indicators           X
Issue templates                  X
Reports                          X   X   View or generate reports
Rulepacks                        X
Users, local and LDAP                    (Administrator accounts only)
Variables                        X       Validate variable search strings
About Modifying Your User Account
To modify your user account information (other than your password), you must use the legacy user interface.
To access the legacy user interface:
1. Log on to SSC.
2. At the right end of the Hewlett Packard Enterprise header, click the user profile icon, and then select
4.30 UI.
For instructions on how to modify your user account information, see the HP Fortify Software Security Center
User Guide: Legacy User Interface.
For instructions on how to change your password, see "Changing Your Password " on page 24.
About Tracking Teams
As an administrator or security lead, you need access to information that enables you to track and monitor
your team’s progress and ensure that good application security practices are in place and followed. Software
Security Center provides a central point for guiding the adoption of good security practices. By understanding
how information is tracked and reported, you can accurately measure development team progress based on
application security standards.
About Roles
Roles determine the actions a user can perform in Software Security Center.
For more fine-grained control over user access to SSC functionality, you can create custom roles and assign
them permissions in the SSC interface. For instructions on how to create a role, see "Creating Custom
Roles" on page 39.
Topics covered in this section:
Pre-configured Roles (page 34)
Role-Based Permissions for Software Security Center Server (page 35)
Creating Custom Roles (page 39)
Deleting Custom Roles (page 40)
Pre-configured Roles
The following table lists the pre-configured roles you can assign to users in Software Security Center.
Administrator: Has full access to the system and all results.
Application Security Tester: Performs tasks required to execute dynamic scan requests, including:
• View application versions
• View and generate reports
• Process dynamic scans
• Upload scan results
• Audit issues
Developer: Developer responsible for producing security results and taking action to triage or remediate security issues. For a complete list of Developer permissions, see "Developer Accounts" on page 32.
Manager: Responsible for guiding developers to work on results. Managers cannot create applications but can grant or revoke access to their team members. For a complete list of Manager permissions, see "Manager Accounts" on page 31.
Security Lead: Security team member who can create application versions and users. For a complete list of Security Lead permissions, see "Security Lead Accounts" on page 31.
View Only: Can view results, but cannot interfere with the issue triage or the remediation process. Example users: system automation account or temporary auditor.
WebInspect Enterprise System: Can connect a WebInspect Enterprise instance to Software Security Center and retrieve issue audit information. This role is intended for use only by a WebInspect Enterprise instance.
See Also
"About Roles" on the previous page
"Creating Custom Roles" on page 39
Role-Based Permissions for Software Security Center Server
The following table shows what activities users assigned to various roles can and cannot perform in Software
Security Center. Note that the table does not display permission information for Administrators. Users
assigned the Administrator role have permission to perform all activities in SSC.
Category               Activity                        Security Lead   Manager   Developer   View Only
Event Logs             View                            Yes             No        No          No
                       Export                          Yes
Jobs                   View                            Yes             No        No          No
                       Filter by                       Yes
                       Cancel                          Yes
                       Set priority                    Yes
Performance Indicators View                            Yes             Yes       Yes         Yes
                       Create                          Yes             No        No          No
                       Delete                          Yes             No        No          No
Rulepacks              View                            Yes             Yes       Yes         No
                       Update                          Yes             No        No
                       Export                          Yes             Yes       Yes
                       Import                          Yes             No        No
                       Delete                          Yes             No        No
Variables              View                            Yes             Yes       Yes         Yes
                       Create                          Yes             No        No          No
                       Delete                          Yes             No        No          No
Alerts                 View                            Yes             Yes       Yes         Yes
                       View others'                    No              No        No          No
                       Create                          Yes             Yes       Yes         Yes
                       Notify all app version users    Yes             Yes       No          No
                       Edit own                        Yes             Yes       Yes         Yes
                       Edit others'                    No              No        No          No
                       Delete own                      Yes             Yes       Yes         Yes
                       Delete others'                  No              No        No          No
Attributes             View                            Yes             Yes       Yes         Yes
                       Create                          Yes             No        No          No
                       Delete                          Yes             No        No          No
                       Edit                            Yes             No        No          No
Custom Tags            View                            Yes             Yes       Yes         Yes
                       Create                          Yes             No        No          No
                       Delete                          Yes             No        No          No
                       Edit                            Yes             No        No          No
Issue Templates        View                            Yes             Yes       Yes         Yes
                       Create                          Yes             No        No          No
                       Delete                          Yes             No        No          No
                       Edit                            Yes             No        No          No
                       Download                        Yes             Yes       Yes         Yes
Report Definitions     View                            Yes             No        No          No
                       Create                          Yes
                       Delete                          Yes
                       Edit                            Yes
                       Download                        Yes
Report Libraries       View                            Yes             No        No          No
                       Delete                          Yes
                       Edit                            Yes
                       Import                          Yes
                       Download                        Yes
Users: Local           View                            Yes             No        No          No
                       Create                          No
                       Delete                          No
                       Edit                            No
                       Export                          Yes
Users: LDAP            View                            Yes             No        No          No
                       Create                          No
                       Delete                          No
                       Edit                            No
                       Export                          Yes
                       Refresh                         No
Roles                  View                            Yes             No        No          No
                       Create                          No
                       Delete                          No
                       Edit                            No
                       Export                          Yes
Configuration          View                            No              No        No          No
Reports                View                            Yes             Yes       Yes         Yes
                       View others'                    Yes             Yes       Yes         Yes
                       Create                          Yes             Yes       Yes         No
                       Download                        Yes             Yes       Yes         Yes
                       Delete own                      Yes             Yes       Yes         No
                       Delete others'                  Yes             Yes       Yes         No
Dashboard              View                            Yes             Yes       Yes         Yes
Application Version    Todo                            This user only  This user only  This user only  This user only
Dashboard              Activity Feed                   This user only  This user only  This user only  This user only
Application Versions   Create new application          Yes             No        No          No
                       Create new version              Yes             No        No          No
                       Edit                            Yes             No        No          No
Scan Artifacts         Upload                          Yes             Yes       Yes         No
                       Download                        Yes             Yes       Yes         Yes
                       Download app file               Yes             Yes       Yes         Yes
                       Delete                          Yes             Yes       No          No
                       Purge                           Yes             Yes       No          No
Issues                 Approve                         Yes             Yes       Yes         No
                       Assign users                    Yes             Yes       Yes         No
                       Claim                           Yes             Yes       Yes         No
                       File bugs                       Yes             Yes       Yes         No
                       Suppress                        Yes             Yes       Yes         No
                       Add audit comments              Yes             Yes       Yes         No
Profile                View                            Yes             Yes       Yes         Yes
                       Custom tags                     Yes             Yes       View only   View only
                       Processing Rules                Yes             Yes       View only   View only
                       Bug Tracker (advanced options)  Yes             Yes       View only   View only
                       Application Settings            Yes             Yes       View only   View only
Creating Custom Roles
You can define roles of your own and assign them permissions.
To define and configure permissions for a new role:
1. Log on to SSC as an Administrator, and then, in the Hewlett Packard Enterprise header, click
Administration.
2. In the left panel of the Administration page, select Users, and then select Roles.
3. In the Roles toolbar, click New.
The Create New Role dialog box opens.
4. Provide the information described in the following table.
Name: Role name.
Description: (Optional, but recommended) Role description.
Universal Access: To give the new role access to all application versions and runtime applications, select this check box. Note: HPE strongly recommends that you select universal access only for administrator-level users.
5. To add permissions (specify the functional areas available to users in this role), click + Add
Permissions.
The Add Permissions dialog box opens.
6. Scroll through the table and select the check boxes that correspond to the permissions that you want to
grant to the new role.
7. Click Done.
8. In the Create New Role dialog box, click Save.
SSC checks permissions to guard against states that are known to be incompatible. If the role and
permissions you selected do not conflict, then you are returned to the Roles page, which displays detailed
information about the new role.
Deleting Custom Roles
You can delete a custom role listed on the Roles page only if it is not assigned to any user account.
To delete a role:
1. Log on to Software Security Center as an Administrator or Security Lead, and then click
Administration.
2. In the left panel of the Administration view, select Users, and then select Roles.
3. In the table, click the check box for the custom role you want to delete.
4. In the Roles toolbar, click Delete.
SSC prompts you to confirm that you want to delete the role.
5. Click OK.
See Also
Creating Custom Roles
Software Security Center Account Administration
Only users who have Administrator accounts can create new user accounts and edit information for existing
accounts. Use Administrator accounts to manage the SSC system. HPE recommends that you create only
the Administrator-level accounts necessary to create and edit local or LDAP Software Security Center user
accounts. The Security Lead and lesser accounts can perform all other application-related activities.
SSC permits the explicit addition of Administrator-level accounts to application versions. This enables
Administrator users to be assigned issues from the SSC Audit page.
Topics covered in this section:
Creating Local User Accounts (page 41)
Registering LDAP Entities with Software Security Center (page 42)
Unlocking Locked User Accounts (Local Users Only) (page 45)
Creating Local User Accounts
Software Security Center Administrator-level accounts can add new local user accounts to the list of SSC
users.
To create an SSC user account:
1. Log on to SSC as an Administrator, and then click Administration.
2. In the left panel of the Administration view, select Users, and then select Local.
The Local page opens and lists local users.
3. In the Local toolbar, click New.
The Create New User dialog box opens.
4. Provide the information listed in the following table.
Username: Username for SSC logon.
First Name: First name of the user.
Last Name: Last name of the user.
Email: Email address of the user.
Roles: Select the check boxes that correspond to the roles you want to assign to the user.
Password: Password for the new user.
Confirm Password: Retype the password for the new user.
User must change password at next login: Select this check box to require the user to change the password at the next logon to SSC.
Password never expires: Select this check box to allow the user to keep the originally assigned password until they choose to change it. To require the user to change the password every thirty days, leave this check box cleared.
Suspended: Select this check box to suspend the user's access to SSC.
5. To specify the applications that the new user can access:
a. In the Access section, click + Add.
The Select Application Version dialog box opens.
b. From the Application list, select the application to which you want the user to have access.
The Versions list displays all existing versions of the selected application.
c. To select all versions, select the check box to the left of Versions. Otherwise select the check
boxes for the versions that the user can access.
d. Click Done.
e. To add another application version or versions, repeat steps a through d.
6. Do one of the following:
• To save your settings and exit the Create New User dialog box, click Save.
• To save your settings and create another new user, click Save and Add Another.
SSC adds the user account to the list of users.
Registering LDAP Entities with Software Security Center
Users who have Administrator-level accounts can add LDAP groups, organizational units, and users to the
list of Software Security Center users. SSC automatically updates access control as users join and leave
groups.
To register an LDAP organizational unit, group, or user with Software Security Center:
1. Log on to Software Security Center as an Administrator, and then, in the Hewlett Packard Enterprise
header, click Administration.
2. In the left panel, click Users, and then select LDAP.
3. In the LDAP toolbar, click Add.
The Add New LDAP Entity window opens.
4. From the LDAP Entity list, select the type of LDAP entity you want to register (Group, User, or
Organizational Unit).
5. In the list of returned entities, select the user, group, or organizational unit that you want to register.
6. In the Roles section, select the check boxes that correspond to the roles you want to assign to the
selected entity.
7. To provide the LDAP entity access to versions of an application, in the Access section, do the following.
Note: You can add versions for multiple applications, but you must add them one at a time using the
following steps.
a. Click Add.
The Select Application Version dialog box opens.
b. From the Application list, select the name of an application that you want the LDAP entity to
access.
The Versions section lists all active versions of the application.
c. To display inactive versions of the application, select the Show Inactive Versions check box.
d. In the Versions section, select the check boxes for all of the versions that you want the entity to
access.
e. Click Done.
The Access section lists the application versions you selected.
8. Do one of the following:
• To save your changes and close the Add New LDAP Entity dialog box, click Save.
• To save your changes and register another LDAP entity, click Save And Add Another.
SSC adds the entities to its list of users.
For information about how to specify the LDAP server, see the HPE Security Fortify Security Center
Installation and Configuration Guide.
Unlocking Locked User Accounts (Local Users Only)
After a local user fails to log on to SSC more than three times, SSC locks the account and rejects further logon attempts until an administrator unlocks it. This lockout applies to local accounts only; accounts authenticated through Active Directory/LDAP are governed by the directory's own lockout policy.
After a user notifies you that they are locked out of SSC, unlock the account as follows:
1. In the Hewlett Packard Enterprise header, select Administration.
2. In the left panel of the Administration page, select Users, and then click Local.
3. Find the locked user account, and expand the account row to view the details.
4. At the bottom left, the message User has reached the maximum login attempts is displayed.
5. To the right of the message, click unlock.
SSC prompts you to confirm that you want to unlock the account.
6. Click Yes.
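The lockout rule above, as an added example that is not SSC's own code: a small model of the counter that locks a local account on the fourth consecutive failed logon and keeps it locked, even for a correct password, until an administrator unlocks it. The assumptions that a successful logon resets the counter and that SSC does not count attempts for LDAP users are modelling assumptions; the usernames and events are constructed.

```python
"""Local-account lockout model: added example, not SSC's implementation.

"More than three" failed logons lock a local account, so the fourth
consecutive failure locks it.  Assumptions (not stated by the guide): a
successful logon resets the counter, and LDAP users are never counted here
because the directory enforces its own policy.  All names are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

MAX_FAILED_ATTEMPTS = 3  # failures beyond this number lock the account


class LocalLockout:
    def __init__(self, local_users: Iterable[str]):
        self.local_users: Set[str] = set(local_users)
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one logon attempt; returns 'ok', 'denied' or 'locked'."""
        if user not in self.local_users:
            # LDAP/AD user: not counted by this model (assumption)
            return "ok" if password_ok else "denied"
        if user in self.locked:
            return "locked"  # a correct password is refused until an admin unlocks
        if password_ok:
            self.failures[user] = 0  # reset on success (assumption)
            return "ok"
        self.failures[user] += 1
        if self.failures[user] > MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Administrator action from the Local users page: clears lock and counter."""
        self.locked.discard(user)
        self.failures[user] = 0


def replay(events: List[Tuple[str, bool]], local_users: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Run constructed (user, password_ok) events; return per-attempt results and who ended up locked."""
    policy = LocalLockout(local_users)
    results = [policy.attempt(user, ok) for user, ok in events]
    return results, sorted(policy.locked)


if __name__ == "__main__":
    # constructed sample: alice fails four times, dan (an LDAP user) fails repeatedly
    sample = [("alice", False)] * 4 + [("alice", True)] + [("dan", False)] * 5
    print(replay(sample, local_users=["alice"]))
```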
Chapter 4: Applications and Application Versions
To obtain consistent measurement results in Software Security Center, you define an application for a single
code base. SSC organizes the iterative development and remediation of code bases into applications and
application versions.
• An application is a code base that serves as a container for one or more application versions. If you are working with a new code base, you create a new SSC application. SSC automatically creates the first version of that application.
• An application version is an instance of the application or code base that is to eventually be deployed. It contains the data, auditing, and attributes for a particular version of the application code base. If you are working with an existing code base, you create new application versions rather than new applications.
An application version is the base unit for team tracking. It provides a destination for security results that is
useful for getting information in front of developers and producing reports and performance indicators. Code
analysis results for an application version are tracked as shown in the following table.
Existing Analysis Results: Results of any previous security analysis from HPE Security Fortify SCA, HPE Security WebInspect, or other analyzer.
+ New Scan Results: Merge with the existing results (from the same analyzer used to perform this scan).
= Trending Results: Identify security issues that have been fixed, and issues that remain. Mark resolved issues. Identify new issues. Keep unchanged issues.
SSC analysis processing rules verify that the new scan is comparable to the older scan.
This content provides information about applications and application versions. It contains instructions for
viewing and creating applications, configuring application attributes, assigning issue templates, and more.
This section contains the following topics:
About Tracking Development Teams (page 47)
About Creating Application Versions (page 49)
Searching Applications and Application Versions from the Applications View (page 60)
Updating the Application Overview Page (page 60)
Editing Application Version Details (page 60)
About Deleting Application Versions (page 61)
Using Bug Tracking Systems to Help Manage Security Vulnerabilities (page 63)
Changing the Template Associated with an Application Version (page 68)
Setting Analysis Result Processing Rules for Application Versions (page 70)
Custom Tags (page 72)
About Tracking Development Teams
As an administrator or security lead, you need access to information that enables you to track and monitor
your team’s progress and ensure that good application security practices are in place and followed. Software
Security Center provides a central point for guiding the adoption of good security practices. By understanding
how information is tracked and reported through applications and applications versions, you can accurately
assess development team progress based on application security standards.
Topics covered in this section:
About the Application Creation Process (page 47)
Strategies for Creating Application Versions (page 47)
About Annotating Application Versions for Reporting (page 48)
Viewing the List of SSC Applications (page 49)
About the Application Creation Process
After you log on to Software Security Center and start to add a new application, the Create New Application
wizard displays a sequence of steps, each of which presents the team members responsible for creating the
application version with one or more strategic choices. After the team agrees upon and makes their
selections, the security lead can click Finish to complete the creation process.
Typically, the security team evaluates and decides on all the options before they actually start to create the
application version. The following sections describe the options displayed on the creation wizard screens.
Next
"Application Version Attributes" on page 49
See Also
"Template Selection" on page 53
Strategies for Creating Application Versions
As a Security Lead, you might choose to create an application version that allows you to track vulnerabilities
within deployed applications. Security vulnerabilities often occur in areas of code where different components
come together. Although teams may work on different components, it is a good practice to track the entire
software component as one piece. As an example, suppose that a text manipulation library is safe on its own,
and a file access library is safe on its own. The combination of the text manipulation library and file access
library is not necessarily safe, because one may not know the origin of the text being processed.
Topics covered in this section:
Strategies for Packaged Software (page 48)
Strategies for Continuous Deployment (page 48)
Strategies for Packaged Software
For software that ships or is deployed as a concrete version, you might use the following strategies:
• If you are creating a brand new application, start a new application version.
• Create a single application version for each release. The Security Lead or Development Manager can then
  deactivate past versions in Software Security Center to archive their results and remove them from view.
• If you are working on an existing application with an evolving code base, create each new application
  version based on an existing version. For example, Application A has several versions, each initiated from
  the results of the previous one, because each successive version is evolved code rather than a complete
  rewrite.
Strategies for Continuous Deployment
For applications that use continuous deployment, running HPE Security Fortify scans with the -build-label xxxx
flag lets you identify which source control checkout was scanned (where xxxx represents the revision ID from
your version control system). Relating each scan to a source control checkout improves your ability to
determine when individual issues were introduced and remediated.
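The labelled-scan flow described above, as an added example (not code from the HPE documentation or from the Fortify product): a Python wrapper that resolves the checkout revision from the CI environment or from git, passes it to sourceanalyzer as -build-label, scans, and uploads the FPR to SSC. The sourceanalyzer flags -b, -build-label, -scan and -f are the tool's own; the fortifyclient uploadFPR flag names (-url, -authtoken, -file, -application, -applicationVersion), the CI variable names, the SSC URL and the application name in the sample call are assumptions to check against your installation.

```python
"""Added example (not part of the HPE documentation): tag each SCA scan with
the source-control revision that was scanned, via sourceanalyzer -build-label,
then upload the results to SSC.

Assumptions: sourceanalyzer and fortifyclient are on PATH; the fortifyclient
uploadFPR flag names used below are assumptions for this release and should
be checked against `fortifyclient -help`.
"""
import os
import subprocess
from typing import Callable, List, Mapping, Optional

# Revision variables exported by common CI systems (assumed names for
# Jenkins, GitLab CI and Azure Pipelines respectively).
REVISION_VARS = ("GIT_COMMIT", "CI_COMMIT_SHA", "BUILD_SOURCEVERSION")


def _git_head() -> str:
    """Ask git for the checked-out revision (only used outside CI)."""
    return subprocess.check_output(["git", "rev-parse", "HEAD"], text=True)


def resolve_revision(explicit: Optional[str] = None,
                     env: Optional[Mapping[str, str]] = None,
                     git_query: Callable[[], str] = _git_head) -> str:
    """Return the VCS revision to record as the build label.

    Preference order: an explicit value, then a CI variable, then git.
    git_query is injectable so the function can be exercised without a repo.
    """
    if explicit and explicit.strip():
        return explicit.strip()
    env = os.environ if env is None else env
    for var in REVISION_VARS:
        value = env.get(var, "").strip()
        if value:
            return value
    revision = git_query().strip()
    if not revision:
        raise RuntimeError("could not determine a source control revision")
    return revision


def translate_args(build_id: str, label: str, build_cmd: List[str]) -> List[str]:
    """Translate step. -build-label stores the checkout ID in the build
    session so it travels with the results into SSC."""
    return ["sourceanalyzer", "-b", build_id, "-build-label", label] + build_cmd


def scan_args(build_id: str, fpr_path: str) -> List[str]:
    """Scan step: analyse the translated build session into an FPR."""
    return ["sourceanalyzer", "-b", build_id, "-scan", "-f", fpr_path]


def upload_args(fpr_path: str, ssc_url: str, token: str,
                application: str, version: str) -> List[str]:
    """Upload step (flag names assumed). Use an SSC upload token rather than a
    user password here; argv is visible to other local users via `ps`."""
    return ["fortifyclient", "uploadFPR", "-url", ssc_url, "-authtoken", token,
            "-file", fpr_path, "-application", application,
            "-applicationVersion", version]


def redacted(argv: List[str]) -> List[str]:
    """Copy of argv with the value after -authtoken masked, for logging."""
    out = list(argv)
    if "-authtoken" in out:
        out[out.index("-authtoken") + 1] = "***"
    return out


def labelled_scan(build_id: str, build_cmd: List[str], fpr_path: str,
                  ssc_url: str, token: str, application: str, version: str,
                  revision: Optional[str] = None,
                  dry_run: bool = False) -> List[List[str]]:
    """Run translate, scan and upload in order and return the argv lists.

    With dry_run=True nothing is executed, which lets a pipeline print the
    exact commands for review before uploads are switched on.
    """
    label = resolve_revision(revision)
    steps = [translate_args(build_id, label, build_cmd),
             scan_args(build_id, fpr_path),
             upload_args(fpr_path, ssc_url, token, application, version)]
    if not dry_run:
        for argv in steps:
            subprocess.run(argv, check=True)   # stop on the first failure
    return steps


if __name__ == "__main__":
    # Sample invocation with assumed names; the dry run only prints commands.
    for argv in labelled_scan("riches", ["-cp", "lib/*", "src/**/*.java"],
                              "riches.fpr", "https://ssc.example.com/ssc",
                              os.environ.get("SSC_TOKEN", "<token>"),
                              "Riches", "1.0", revision="deadbeef",
                              dry_run=True):
        print(" ".join(redacted(argv)))
```

Because the label is whatever string you pass, the same wrapper works for any VCS: substitute the revision variable your CI exports, or pass the revision explicitly from the pipeline that performed the checkout.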
About Annotating Application Versions for Reporting
Software Security Center provides a set of application attributes that you can apply to individual application
versions. You can use these attributes to group application versions for reporting, or to associate application
versions with external systems.
SSC provides a base set of application attributes, which Administrators can customize for the organization.
Sample customizations can help organizations track onboarding progress by application ID, line of business,
business unit, or regulatory compliance obligations.
Viewing the List of SSC Applications
To view a list of all SSC applications:
• On the Hewlett Packard Enterprise header, click Applications.
See Also
"Displaying Additional Application Versions on the Dashboard" on page 97
"Searching Applications and Application Versions from the Applications View" on page 60
About Creating Application Versions
You can create a new Software Security Center application version for an entirely new application, or add a
new version to an existing application. The following topics provide instructions for each method:
"About the Application Creation Process" on page 47
"Creating the First Version of a New Application" on page 54
"Adding a New Version to an Application" on page 56
Application Version Attributes
Application versions have business attributes, technical attributes, and organization attributes. These
attributes are metadata that SSC uses to perform cross-application comparisons and reporting.
When you create a new application version, the Create New Version wizard guides you through the selection
of required and optional business, technical, and organization attributes. The wizard cannot finish until you
select values for all required attributes. For example, to create an application version, you must specify
values for the following attributes:
• Development Phase
• Development Strategy
• Accessibility
In addition to the default attributes that SSC provides, Administrators and Security Leads can create custom
attributes to assign to application versions. Custom attributes are extremely useful when you need to focus
on a highly specific subset of data. For instructions on how to create custom attributes, see "Creating
Custom Attributes" on page 51.
The following table lists the default set of attributes for SSC applications. Note that this list does not include
custom attributes that an SSC administrator may have added to the system. Attributes marked with an
asterisk are required.
Business Risk Rating refers to the relative risk the application poses to the organization's business goals
(high, medium, or low).

Technical Attributes
    *Development Phase
        Current phase of development the application version is in.
    *Development Strategy
        Staffing strategy used for application development.
    *Accessibility
        Level of access required to use the application.
    Application Type
        Nature of the code base (library, application, or application component).
    Target Deployment Platform
        Deployment platform for the application.
    Interfaces
        Interfaces used to access the application.
    Development Languages
        Languages used to develop the application.
    Authentication System
        System used to authenticate users who try to access the application.

Organization Attributes
    Business Unit
        Business unit for which the application is to be developed, or business unit that develops the
        application.
    Industry
        Industry for which the application is to be developed.
    Region
        Geographical location of the development team.

Business Risk Attributes
    Known Compliance Obligations
        All known compliance obligations that the application must meet.
    Data Classification
        Types of data to be stored by this application.
    Application Classification
        Direct consumers of the application.
Creating Custom Attributes
Software Security Center comes with technical, organization, and business attributes that enable
administrators and security leads to categorize applications and application versions. As an administrator or a
security lead, you can create your own custom attributes that can be set for application versions.
Note: You can create custom attributes only if you have either an Administrator or Security Lead user
account.
To create an attribute:
1. Log on to SSC as an administrator or a security lead.
2. In the Hewlett Packard Enterprise header, click Administration.
3. In the left panel, under Templates, click Attributes.
SSC lists the attributes in a table to the right.
4. Click New.
The Create New Attribute dialog box opens.
5. Complete the fields described in the following table.
    Name
        Type a descriptive name for the attribute.
    Description
        Type a brief description. The description is displayed under the attribute field in the Create New
        Application wizard.
    Required
        Select this check box to require users to set the attribute that you are defining here when they
        create an application version.
    Hidden
        Select this check box to prevent the new attribute from being displayed in the Create New
        Application wizard.
    Category
        Select Technical, Business, or Organization to specify the attribute type. Depending on the category
        you select, the attribute is displayed on the Business Attributes step, the Technical Attributes
        step, or the Organization Attributes step of the Create New Application wizard.
        Note: If your SSC instance is integrated with WebInspect, the list also includes the Dynamic Scan
        Request category.
    Scope
        Select the value that indicates whether the attribute applies only to application versions, only to
        runtime applications, or to both.
    Type
        Select one of the following control types:
        • To create a check box for the attribute, select Boolean.
        • To create a calendar selection control for the attribute, select Date.
          Note: This type is not available for a Dynamic Scan Request attribute.
        • To create a list from which a user can select only a single value for the attribute, select
          List of Values - Single Selection.
          Note: If you create a single-select type attribute, users can select it from the Group by and
          Aggregate by lists on the Dashboard to customize the data they view.
        • To create a list from which a user can select multiple values for the attribute, select
          List of Values - Multiple Selection.
        • To create a field that accepts an integer value, select Integer.
        • To create a text field into which a user can type a single line of text, select Text Single Line.
        • To create a text field into which a user can type multiple lines of text, select Text Multiple Lines.
        Note: If you select one of the List of Values types, additional fields are displayed in which you
        add the values and their descriptions, and specify whether or not they are hidden.
6. Click Save.
The new attribute is available the next time a user uses the Create New Application wizard.
For instructions on how to specify custom attributes in existing application versions, see "Specifying New
Custom Attributes in Existing Application Versions" below.
See Also
"Application Version Attributes" on page 49
Specifying New Custom Attributes in Existing Application Versions
To apply a new custom attribute to existing application versions:
1. On the Hewlett Packard Enterprise header, select Applications.
2. On the Applications page, select the application version for which you want to specify a new attribute.
SSC displays the Overview page for that version.
3. On the application version toolbar, select Profile.
The Application Profile - <application_name> window opens to the Advanced Options section.
4. Click Application Settings.
5. In the Version Settings section, click the edit icon.
The Edit Version wizard opens to Step 1. General.
6. Click Next Step.
7. On Step 2. Define Attributes and Risk, select the attribute category (Technical Attributes,
Organization Attributes, or Business Risk Attributes), and then select the value or values for the
custom attribute.
8. Navigate to Step 4 of the wizard, and then click Finish.
See Also
"Creating Custom Attributes" on page 51
"Editing Application Version Details" on page 60
Template Selection
Software Security Center issue templates provide HPE Security client and server products an optimal means
of categorizing, summarizing, and reporting application data. Issue templates also enable the use of
customized application settings at the enterprise level and not just at the application level.
Although you can change the issue template for an application after you finish creating the application, your
security team must carefully consider its choice of template before completing the application creation
process.
Creating the First Version of a New Application
An SSC application version consists of the data and attributes for a given variant of the application code
base. The following procedure describes how to create the first version of a new application.
To create a new application:
1. Log on to Software Security Center as either an Administrator or a Security Lead.
2. In the toolbar, click + New Application.
The Create New Application wizard opens to Step 1. General.
3. In the Application Setup section, do the following:
a. In the Application Name box, type a name for the new application.
b. (Optional) in the Application Description box, type a description.
4. In the Version Setup section, provide the information described in the following table.
    Version Name
        Type a name for the version. The wizard uses the application name and appends the version name to
        it automatically.
    Version Description
        (Optional) Type a description of the version.
    Use Existing Application Version
        a. To use the settings of an existing application version, select this check box. Otherwise,
           proceed to step 5.
        b. To open the Select Application Version dialog box, click Browse.
        c. From the Applications list, select the application.
        d. From the Versions list, select the row that displays the version name you want, and then click
           Done.
           By default, SSC includes all settings of the selected application version.
        e. To exclude some of the settings, clear one or more of the following check boxes:
           ◦ Version Attributes
           ◦ Custom Tags
           ◦ Analysis Processing Rules
           ◦ User Access Settings
           ◦ Bug Tracker Settings
        f. To copy over all of the issues associated with the selected application version, select the
           Application State check box.
5. To advance to Step 2. Define Attributes and Risk, click Next Step.
6. In the Technical Attributes section, provide the information described in the following table.
    Development Phase
        Leave New selected.
    Development Strategy
        Select the strategy used to develop the application version.
    Accessibility
        Select the value that specifies how the application is to be accessed.
    Application Type
        Select the application type.
    Target Deployment Platform
        Select the target deployment platform.
    Interfaces
        Select the check boxes for the interfaces available to access the application.
    Development Languages
        Select the check boxes for the languages used to develop the application version.
    Authentication System
        Select the check boxes for the authentication systems used to access the application.
7. Click Organization Attributes, and then provide the information described in the following table.
    Business Unit
        Select the business unit for which the application version is being developed.
    Industry
        Select the industry sector to which the application version applies.
    Region
        Select the region for which the application version is being developed.
8. Click Business Risk Attributes, and then provide the information described in the following table.
    Known Compliance Obligations
        Select the check boxes for all of the known compliance obligations that the application version
        must meet.
    Data Classification
        Select the check boxes for all of the data classifications that apply to the application version.
    Application Classification
        Select the check boxes for all of the application classifications that apply to this application
        version.
9. Click Next Step.
10. In the Issue Template section, select the check box for a template to set the minimum thresholds for
issue detection. To see a description of each template, select its check box.
A thumbs-up icon is displayed next to the issue template that HPE recommends based on your selections.
11. To advance to Step 4. Assign Responsibilities and Team section, click Next Step.
12. In the Assign Responsibilities section, click Project Manager, Security Manager, Development
Manager, or Team.
13. In the Assign Team section, do one of the following:
    • To assign users from the SSC database, leave Local selected, and then select the check box for each
      team member you want to assign.
    • To assign users from the LDAP directory (if LDAP authentication is configured for your SSC server),
      click LDAP, from the View by list select the attribute to use to display LDAP entities, and then
      select the check box for each team member you want to assign.
    Note: To find a specific user, type a user name into the Search by User Name box, and then click Find.
14. Click Finish.
SSC indicates that the application was successfully created and adds the new application version to the
application versions list.
Adding a New Version to an Application
A version consists of the data and attributes for a given variant of the application code base. The following
procedure describes how to create a new version of an existing application.
To create a new version of an existing application:
1. Log on to Software Security Center as either an Administrator or Security Lead.
2. In the Hewlett Packard Enterprise header, click Applications.
3. On the Applications page, select a version of the application for which you want to create a new version.
SSC displays the Overview page for that version.
4. On the application version toolbar, click + New Version.
The Create New Version wizard opens to Step 1. General.
5. In the Version Setup section, do the following:
a. In the Version Name box, type a name for the new version.
The wizard uses the application name and appends the version name to it automatically.
b. In the Version Description box, type a description of the new version.
c. If you prefer to specify all of the attributes of the new version manually, proceed to step 6. To apply
the settings of an existing application version to the new version:
    i. Select the Use Existing Application Version check box.
    ii. Click Browse, and then navigate to and select the application version with the attribute
        settings you want to apply to the new version.
    iii. Clear the check boxes for any of the following settings that you do not want to apply to this
         version:
         ◦ Version Attributes
         ◦ Custom Tags
         ◦ Analysis Processing Rules
         ◦ User Access Settings
         ◦ Bug Tracker Settings
6. To advance to Step 2. Define Attributes and Risk, click Next Step.
7. From the Business Risk Rating list, select the level of risk that this application version poses to the
organization's business goals.
8. In the Technical Attributes section, provide the information described in the following table.
    Development Phase
        From this list, select the current development phase of the new version.
    Development Strategy
        Select the strategy used to develop the application version.
    Accessibility
        Select the value that specifies how the application is to be accessed.
    Application Type
        Select the application type.
    Target Deployment Platform
        Select the target deployment platform.
    Interfaces
        Select the check boxes for the interfaces available to access the application.
    Development Languages
        Select the check boxes for the languages used to develop the application version.
    Authentication System
        Select the check boxes for the authentication systems used to access the application.
9. Click Organization Attributes, and then provide the information described in the following table.
    Business Unit
        Select the business unit for which the application version is being developed.
    Industry
        Select the industry sector to which the application version applies.
    Region
        Select the region for which the application version is being developed.
10. Click Business Risk Attributes, and then provide the information described in the following table.
    Known Compliance Obligations
        Select the check boxes for all of the known compliance obligations that the application version
        must meet.
    Data Classification
        Select the check boxes for all of the data classifications that apply to the application version.
    Application Classification
        Select the check boxes for all of the application classifications that apply to this application
        version.
11. To advance to Step 3. Choose Templates, click Next Step.
12. In the Issue Template section, select the check box for a template to set the minimum thresholds for
issue detection. To see a description of each template, select its check box.
A thumbs-up icon is displayed next to the issue template that HPE recommends based on your
selections.
(Also see "Template Selection" on page 53.)
13. To advance to Step 4. Assign Responsibilities and Team section, click Next Step.
14. In the Assign Responsibilities section, select one or more of the following roles:
    • Project Manager
    • Security Manager
    • Development Manager
    • Team
15. In the Assign Team section, do one of the following:
    • To assign users from the SSC database, leave Local selected, and then select the check box for each
      team member you want to assign.
    • To assign users from the LDAP directory (if LDAP authentication is configured for your SSC server),
      click LDAP, from the View by list select the attribute to use to display LDAP entities, and then
      select the check box for each team member you want to assign.
    Note: To find a specific user, type a user name into the Search by User Name box, and then click Find.
16. Click Finish.
SSC indicates that the version was successfully created and adds the new application version to the
application versions list.
Searching Applications and Application Versions from the Applications View
To search for a specific application or application version from the Applications view:
1. In the Search Apps and Versions box above the Applications table, type at least part of the
application name or version name for the application or version you want to find.
2. Click Find.
The Applications table lists all application versions that match your search string.
3. To return to the complete Applications table, clear the text in the search box.
See Also
"Searching Globally in Software Security Center" on page 112
Updating the Application Overview Page
If an application version has pending audit information, its Overview page heading displays the "more
information" icon.
To recalculate the metrics for the application:
l
Click the icon, and then, in the Refresh application metrics dialog box, click Refresh now.
The metrics refresh may take some time, depending on current system activity. After the refresh is complete,
the Overview page displays the latest data for the application.
Note: Metrics are also refreshed automatically according to the system schedule.
Editing Application Version Details
To edit the details of an application version:
1. From the Dashboard, click Applications.
2. In the Applications table, select the version you want to edit.
3. To the right of the Overview heading, click the pencil icon.
The Edit Version wizard opens.
4. Edit values in any of the fields described in "Adding a New Version to an Application" on page 56.
5. After you make your changes, advance to Step 4, and then click Finish.
See Also
"Changing the Template Associated with an Application Version" on page 68
About Deleting Application Versions
You cannot directly delete an application in Software Security Center. An application is removed
automatically only after all of its versions are deleted.
If you are assigned the Administrator role in Software Security Center, you can delete any application
version. If you are in the Security Lead or Manager role, then you can delete any application version to which
you are assigned.
If you would rather not delete a version, but prefer instead to remove it from display on the Dashboard and
Applications pages, you can deactivate it. For instructions on how to deactivate an application version, see
"Deactivating Application Versions " below.
See Also
"Deleting an Application Version " on the next page
Deactivating Application Versions
Deactivating an application version hides that version on the Dashboard and Applications pages without
deleting its data; you can reactivate it later. Deleting is different: if you delete all versions of an
application, SSC automatically deletes the application.
To deactivate an SSC application version:
1. From the Applications page, select the version name for the application version you want to deactivate.
SSC opens the Overview page for the selected version.
2. On the application version toolbar, click Profile.
3. In the Application Profile dialog box, click Application Settings.
4. In the Version Settings panel, click Deactivate.
SSC prompts you to confirm that you want to deactivate the version.
5. Click OK.
The Deactivate button is now the Activate button. If you need to, you can re-activate the version later.
6. Close the Application Profile dialog box.
See Also
"Deleting an Application Version " on the next page
Reactivating Application Versions
If a specific application version has been deactivated and is not listed on the Dashboard or in the Applications
view, you can reactivate it to make it visible again.
If the deactivated application version was the only version of the application that exists, you can do one of the
following to access and reactivate it:
• Return to the legacy user interface and reactivate it there. (For instructions, see the HP Fortify Software
  Security Center User Guide: Legacy User Interface.)
• Create a new version of the deactivated application, and then follow the procedure described below.
To reactivate an application version when another version of the application exists:
1. On the Hewlett Packard Enterprise header, click Applications.
2. In the Applications view, click an application version name.
The Overview page for the selected application version opens.
3. On the application version toolbar, click Profile.
The Application Profile dialog box opens.
4. Click Application Settings.
5. In the Other Versions section, next to the inactive version you want to reactivate, click Activate.
SSC prompts you to confirm the activation.
6. Click OK.
7. Close the Application Profile dialog box.
The application version is now again represented on the SSC Dashboard and in the Applications view.
Deleting an Application Version
If you would rather not delete an application version, but prefer instead to remove it from display on the
SSC Dashboard and on the Applications page, see "Deactivating Application Versions" on the previous page.
Important: If you delete all versions of an application, SSC automatically deletes the application.
To delete an SSC application version:
1. From the Applications page, select the version name for the application version you want to delete.
SSC opens the Overview page for the selected version.
2. On the application version toolbar, click Profile.
3. In the Application Profile dialog box, click Application Settings.
4. In the Version Settings panel, click Delete.
SSC prompts you to confirm that you want to delete the version.
5. Click OK.
SSC removes the version from the database.
Using Bug Tracking Systems to Help Manage Security Vulnerabilities
Developers fixing software defects often use a bug tracking system to help manage their workload. Security
vulnerabilities are a type of bug, and getting vulnerability information into the bug tracking system helps
developers take appropriate remediation measures, in line with other development activities. The result is
more security awareness and faster remediation of security issues.
From Software Security Center, you can map to any of several bug tracking systems, so that your
development team can file bugs into the bug tracking system you already use.
When a developer files a bug, Software Security Center populates bug tickets with the following basic
vulnerability information:
• Details that describe the type of issue uncovered
• Remediation guidance, with instructions on the action to take
• A link back to Software Security Center for complete issue details
Topics covered in this section:
• Bug Tracker Configuration (page 63)
• Configuring Bug Tracking for an Application Version (page 64)
• Submitting Exploitable Bugs in a Batch (page 66)
Bug Tracker Configuration
To enable a team to access and use a bug tracking system from Software Security Center, a security lead or
development manager must configure SSC to connect to a bug tracker instance. Either the developer or
security lead can then submit bugs to address important security issues.
If you are a security lead or development manager, you can enable team access to your bug tracking system
as follows:
1. Edit the application version details.
2. Configure the bug tracker.
Important: If you are using JIRA, you must make sure that the Accept remote API calls option is
enabled.
Configuring Bug Tracking for an Application Version
For a given application version, you can specify a bug tracker to use to submit bugs against the version and,
optionally, enable bug state management. With bug state management enabled, SSC can update bugs as the
states of the issues within those bugs change. (For information about batch bug submission, see "Submitting
Exploitable Bugs in a Batch" on page 66.)
To configure bug tracking for an application version:
1. Log on to SSC (as an administrator, a security lead, manager, or a developer), and then in the Hewlett
Packard Enterprise header, click Applications.
2. In the Applications view, click an application version.
The application version Overview page opens.
3. On the application version toolbar, click Profile.
The Application Profile - <application_version> dialog box opens.
4. Click the Bug Tracker tab.
5. From the Bug Tracker Configuration list, select the application to use for tracking bugs for this
application version.
The Bug Tracker tab displays additional fields, which vary, depending on the bug tracker application
you select.
Important: If you select TFS/Visual Studio Online, make sure that, in the Bug Tracker URL box,
you type the TFS server domain name, and not the IP address.
6. Complete the required fields, and then click Test Connection.
The Test Bug Tracker Configuration dialog box opens.
7. Type your bug tracker authentication credentials, and then click Test.
After SSC verifies your connection to your bug tracker, you can enable bug state management for the
application version. With bug state management enabled, SSC can update bugs as the states of the
issues within those bugs change.
8. (Optional) To enable bug state management:
a. Select the Bug state management check box.
Note: For information about bug state management, see "Bug State Management" on page 68.
b. In the Username and Password boxes, type your username and password, respectively.
Note: If you change an existing bug tracker configuration, SSC displays a message to advise
you that your changes could invalidate external bug links already filed for the application
version, and prompts you to verify that you want to save your changes.
9. Click Apply.
The Success dialog box advises you that the bug tracker was successfully configured.
10. Click OK.
See Also
"Bug State Management" on page 68
"Submitting Exploitable Bugs in a Batch" below
Submitting Exploitable Bugs in a Batch
If a bug tracker has been specified for an application version ("Configuring Bug Tracking for an Application
Version " on page 64), you can submit a batch of issues as a single bug.
To submit multiple issues as a single bug:
1. From the SSC Dashboard, click Applications.
2. In the Version column of the Applications table, click the application version of interest.
SSC displays the Overview page for the application version.
3. On the Overview page toolbar, click Audit.
The Audit page opens.
4. To filter the issues listed:
a. From the Group by list, select the attribute to use to group the issues in the issues table.
b. From the Filter by list, select the attributes to use to filter the issues for display in the issues table.
Note that you can select multiple attributes from this list.
c. To refine the issues table further, click Advanced, and then select one or more additional filter
categories from the Advanced Issue Filters list.
5. After you review the issues, select the check boxes for the issues tagged as exploitable and that you
want to submit as a batch.
6. Click file issues.
Note: If, after you select one or more check boxes, file issues is not enabled, you first need to set up a
bug tracker for the application version. (See "Configuring Bug Tracking for an Application Version" on
page 64.)
The File Issues dialog box opens.
7. Provide your credentials for your bug tracking system, and then click LOGIN.
After SSC connects to the bug tracking server, the File Issues dialog box displays the required bug
tracker fields.
8. Provide the required information, and then click Submit.
About Using State Management to File Many Issues
The combined analysis techniques of SCA and HPE Security WebInspect can produce a high volume of
issues that can be assigned and tracked in aggregate. Filing issues in batches enables developers or security
leads to group issues into closeable units to avoid overloading the bug tracking system.
Your selection criteria for batch bug tracking specify how the system determines which security findings to
file and manage as bugs. The default selection criterion is “Analysis: Exploitable” (issues with the custom tag
Analysis value set to Exploitable) to focus on issues that have been manually reviewed and prioritized.
Decide on an issue grouping strategy. Determine how all issues that match your selection criteria are to be
grouped together to prevent a potentially large number of them becoming individual (granular) bugs. The
default grouping strategy of “Category, File” enables teams to assign and track bugs such as “Fix all
<vulnerability_name> in <file_name>” instead of tracking groups that are too general (such as “Fix all
security issues”) or too granular (“Fix the line of code at ##”).
After filing the issues, development teams typically run scans through SCA and WebInspect. SSC merges
the scan results (as described in " Applications and Application Versions" on page 46) and updates the bug,
as follows:
• If the scan results indicate that one or more security issues associated with the bug are still present (and
match the selection criteria), SSC checks the bug tracking system to ensure that the bug is in a valid open
state and, if necessary, reopens the bug.
• If all issues associated with a bug are removed (either because the issues were remediated or no longer
match the selection criteria), SSC updates the bug to indicate that stakeholders may resolve or close this
ticket. To enable auditing and traceability, SSC does not automatically resolve or close bugs.
Bug State Management
Bug state management enables SSC to make specific updates to bugs as the states of the issues within
those bugs change. SSC checks new security scans to determine whether filed bugs are to remain open, or
can be closed.
For instructions on how to enable bug state management for an application version, see "Configuring Bug
Tracking for an Application Version" on page 64.
Changing the Template Associated with an Application Version
You can modify many settings for an existing application version, including its issue template. However,
keep in mind that assigning a different issue template to an application version or updating an issue template
on the server results in loss of synchronization between the database cache and existing audit sessions.
After you assign an application version a different template, SSC calculates metrics based on the new issue
template. Any in-progress audits are saved and then restarted with the new issue template.
To change the template associated with an application version:
1. Log on to SSC as either an Administrator or Security Lead.
2. Click the Applications tab.
3. From the list of application versions, select the version you want to modify.
4. On the application version toolbar, click Profile.
The Application Profile <application_version> dialog box opens.
5. Click Application Settings.
6. In the Version Settings section, click the edit icon.
The Edit Version wizard opens.
Note: Changing the template can alter the metrics calculated for the application version. Existing
metrics will not be recalculated.
7. Use Next Step to advance to Step 3, Choose Templates.
In the templates list, the currently assigned template is marked as selected (with a green check mark). A
thumbs-up icon is displayed next to the template that HPE recommends based on your application
settings.
8. Select the check box for the template you prefer to use for the application version.
9. Click Next Step, and then click Finish.
After you change the template, SSC invalidates any auditing session of the affected application version (for
example, by a different user) and displays an error message to advise you that the application version audit
session must be restarted.
Note: An HPE Security Fortify Audit Workbench user auditing the affected application version does not
see this information.
Setting Analysis Result Processing Rules for Application Versions
Analysis results processing rules enable management approval and oversight of code scans. You can
configure the rules to be followed when analysis results for an application version are processed during scan
artifact uploads.
To configure the analysis results processing rules for an application version:
1. Log on to SSC as an administrator, and then click the Applications tab.
2. Click the application version for which you want to configure the analysis results processing rules.
The Overview page for the application version opens.
3. On the application version toolbar, click Profile.
The Application Profile dialog box opens and displays the default processing rules for the application
version.
4. Select the Processing Rules tab.
5. Review the listed processing rules.
6. Select or clear the check boxes for the rules described in the following table, and then click Apply.
Rule: Require approval if the Build Project is different between scans
Description: SSC compares the Build Project for the scan and the scan that preceded it. If the Build
Projects differ, management approval is required.
Rule: Check external metadata file versions in scan against versions on server
Description: SSC checks the externalmetadata.xml files in the SCA and SSC installations to determine
whether they are the same. If they are identical, the data that an Audit Workbench user sees on an SCA
and Apps installation will match the data for the same output file results viewed in SSC.
Rule: Require approval if file count differs by more than 10%
Description: SSC compares the file count for the scan and the scan that preceded it. If the count differs by
more than ten percent, management approval is required.
Rule: Require approval if result has Fortify Java Annotations
Description: SSC checks the results to determine whether they include Fortify Java annotations. If SSC
finds any of the annotations, management approval is required.
Rule: Require approval if line count differs by more than 10%
Description: SSC compares the line count for the scan and the scan that preceded it. If the count differs by
more than ten percent, management approval is required.
Rule: Automatically perform Instance ID migration on upload
Description: A newer version of SCA or a Rulepack can change an instance ID from an instance ID created
in a previous scan by an older version of SCA or a Rulepack. In reality, both instance IDs identify the same
issue. When enabled, this rule automatically migrates old instance IDs to the corresponding new instance
IDs to preserve the history of the issues. It is sometimes useful to disable this rule as a troubleshooting
measure for customer support.
Rule: Require approval if the engine version of a scan is newer than the engine version of the previous scan
Description: SSC checks to determine whether any scan engine (SCA, WebInspect, WebInspect Agent)
version is newer than the one already used in the application. If it detects newer versions, it flags the
upload for management approval.
Rule: Ignore SCA scans performed in Quick Scan mode
Description: Blocks the processing of SCA scans done in Quick Scan Mode, which searches for
high-confidence, high-severity issues.
Rule: Require approval if the Rulepacks used in the scan do not match the Rulepacks used in the previous scan
Description: SSC checks to determine whether you have added or removed a Rulepack, and whether a
Rulepack version has changed. If it detects that a Rulepack has been added, removed, or updated, it flags
the upload for management approval.
Rule: Require approval if SCA or WebInspect Agent scan does not have valid certification
Description: SSC checks to see that an SCA or WebInspect Agent scan has valid certification. If the
certification is not valid, then someone may have tampered with the results in the upload. If the
certification is missing, it is not possible to detect tampering. If certification is missing or is not valid,
the rule requires management approval.
Rule: Require approval if result has analysis warnings
Description: SSC checks to see whether an SCA or WebInspect Agent scan contains analysis warnings. If
it detects analysis warnings, the rule requires management approval.
Rule: Warn if audit information includes unknown custom tag
Description: If audit information includes an unknown custom tag, the rule requires management approval.
Rule: Disallow upload of analysis results if there is one pending approval
Description: If an analysis result still requires approval, this rule blocks its upload.
SSC prompts you to confirm that you want to save the settings for analysis result processing rules.
7. Click OK.
See Also
"Uploading Scan Artifacts" on page 89
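The following Python function is an added example, not SSC's implementation: it applies the gating rules from the table above to a constructed summary of an uploaded scan and reports which rules require management approval or block the upload. The ScanSummary fields, the "valid"/"invalid"/"missing" certification states and the rule identifiers are assumptions made for the example. The external metadata check and instance ID migration are left out because they adjust data rather than gate the upload.

```python
from dataclasses import dataclass


@dataclass
class ScanSummary:
    """Constructed summary of one uploaded scan artifact (not SSC's own data model)."""
    build_project: str
    file_count: int
    line_count: int
    engine_versions: dict           # engine name -> version string, e.g. {"SCA": "16.10"}
    rulepacks: dict                 # rulepack name -> version string
    certification: str              # "valid", "invalid" or "missing" (assumed states)
    analysis_warnings: int = 0
    java_annotations: bool = False
    quick_scan: bool = False
    custom_tags: frozenset = frozenset()


def _version(v):
    """Dotted version string -> comparable tuple, e.g. "16.20" -> (16, 20)."""
    return tuple(int(p) for p in v.split("."))


def _changed_by_more_than(before, after, fraction):
    """True when |after - before| exceeds the given fraction of the previous value."""
    if before == 0:
        return after != 0
    return abs(after - before) / before > fraction


def evaluate_processing_rules(current, previous=None, known_tags=frozenset(),
                              pending_approval=False):
    """Return (rule, action) pairs for every rule the upload trips.

    action is "approve" (management approval required) or "block" (upload rejected),
    mirroring the behaviour the table describes. Rules that compare against the
    previous scan are skipped when there is no previous scan.
    """
    flags = []
    if previous is not None:
        if current.build_project != previous.build_project:
            flags.append(("build-project-differs", "approve"))
        if _changed_by_more_than(previous.file_count, current.file_count, 0.10):
            flags.append(("file-count-differs-10pct", "approve"))
        if _changed_by_more_than(previous.line_count, current.line_count, 0.10):
            flags.append(("line-count-differs-10pct", "approve"))
        for engine, ver in current.engine_versions.items():
            seen = previous.engine_versions.get(engine)
            if seen is not None and _version(ver) > _version(seen):
                flags.append((f"engine-newer:{engine}", "approve"))
        if current.rulepacks != previous.rulepacks:      # added, removed or updated
            flags.append(("rulepacks-differ", "approve"))
    if current.java_annotations:
        flags.append(("fortify-java-annotations", "approve"))
    if current.certification != "valid":
        # Invalid certification suggests tampering; missing means tampering cannot be ruled out.
        flags.append((f"certification-{current.certification}", "approve"))
    if current.analysis_warnings > 0:
        flags.append(("analysis-warnings", "approve"))
    if current.quick_scan:
        flags.append(("quick-scan", "block"))
    if current.custom_tags - known_tags:
        flags.append(("unknown-custom-tag", "approve"))
    if pending_approval:
        flags.append(("pending-approval", "block"))
    return flags


if __name__ == "__main__":
    # Constructed pair of scans: 15% more files and a newer SCA engine than last time.
    previous = ScanSummary("webapp", 1000, 50000, {"SCA": "16.10"}, {"Core": "2016.1"}, "valid")
    current = ScanSummary("webapp", 1150, 52000, {"SCA": "16.20"}, {"Core": "2016.1"}, "valid")
    for rule, action in evaluate_processing_rules(current, previous):
        print(f"{action:8} {rule}")
```

Treat the certification and Rulepack rules as the integrity checks of the set: a result file whose certification is invalid or absent, or that was produced with a different Rulepack set, should not silently replace the previous audited baseline.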
Custom Tags
In Software Security Center, code auditing involves the security team’s examining HPE Security analysis
results (FPR) and assigning values to “tags” that are associated with application issues. The development
team can then use these tag values to determine which issues they must address and in what order.
SSC provides a single default tag named “Analysis” to enable application auditing out of the box. Valid values
for the Analysis tag are Exploitable, Not an Issue, Suspicious, Reliability Issue, and Bad Practice. You can
modify the Analysis tag attributes, revise the tag values, or add new tag values based on your auditing needs.
To refine your auditing process, you can define your own custom tags. Like the Analysis tag, your custom tag
definitions are stored in an issue template that can be associated with an SSC application version. For
example, you could create a custom tag that can be used to track the sign-off process for an issue. After a
developer audits his own issues, a security expert can review those same issues and mark each as
“approved” or “not approved.”
Note: HPE Security Fortify Audit Workbench (AWB) users can add custom tags to their projects as they
audit them. However, if these custom tags are not defined in SSC for the issue template associated with
the corresponding application version, then the new custom tags are lost after the AWB user uploads an
FPR file to SSC.
Topics covered in this section:
Adding Custom Tags to the System (page 73)
Modifying Custom Tag Attributes (page 74)
Globally Hiding Custom Tags (page 74)
Deleting Custom Tags (page 75)
Adding Custom Tag Values (page 75)
Editing Custom Tag Values (page 76)
Deleting Custom Tag Values (page 76)
Associating Custom Tags with Issue Templates (page 77)
Viewing the Custom Tags Associated with an Issue Template (page 78)
Removing Custom Tags from Issue Templates (page 78)
Assigning Custom Tags to Application Versions (page 79)
Disassociating a Custom Tag from an Application Version (page 80)
Managing Custom Tags Through Issue Templates (page 80)
Managing Custom Tags Through an Issue Template in an FPR File (page 80)
Adding Custom Tags to the System
If you are an Administrator-level user, you can add custom tags to the system.
To add a custom tag:
1. From the left panel in the Administration page, click Templates, and then click Custom Tags.
The Custom Tags page opens.
2. In the Custom Tags toolbar, click New.
3. In the Name box, type a name for the new tag.
Important: Make sure that the name you specify for a custom tag is not a database reserved word.
4. (Optional) In the Description box, type content that tells users what the custom tag is to be used for.
5. Select any or all of the following optional tag features:
• To allow only users with specific permission (managers, security leads, administrators) to modify the
tag, select the Restricted check box.
• To enable users to add new values to the tag during audits, select the Extensible check box.
• To prevent the display of the tag in the Assign dialog box or in HPE Security Fortify Audit Workbench
(AWB), select the Hidden check box.
6. To specify a value for the new tag:
a. Click + Add value.
The Add Value dialog box opens.
b. In the Name box, type a value.
A value can be a discrete attribute for the issue that this tag addresses. For example, you might
specify that this custom tag addresses a due date or server quality issue.
c. (Optional) In the Description box, type a description of what the value represents.
d. To prevent the tag from being displayed in the Assign dialog box or in HPE Security Fortify Audit
Workbench (AWB), select the Hidden check box.
e. Click Apply.
7. Repeat the previous step until you have defined all of the values you need for the new custom tag.
8. From the Default Value list, select the default value for the tag.
If the custom tag has a default value, then issues with no value set for the tag acquire that default value.
If no default value is defined, then the tag value becomes “Not Set.”
9. Click Save.
Note: To use a new custom tag to audit application version issues, you must first assign the tag to the
application version. For instructions, see "Assigning Custom Tags to Application Versions" on page 79.
See Also
"Custom Tags" on page 72
"Editing Custom Tag Values" on page 76
"Globally Hiding Custom Tags " below
"Associating Custom Tags with Issue Templates" on page 77
"Managing Custom Tags Through Issue Templates" on page 80
"Managing Custom Tags Through an Issue Template in an FPR File" on page 80
"Deleting Custom Tags" on the next page
Modifying Custom Tag Attributes
To modify the attributes of a custom tag:
1. Select Administration > Templates > Custom Tags.
2. On the Custom Tags page, click the row that displays the tag you want to modify.
The row expands to reveal the details.
3. Click Edit.
4. Modify the tag attributes and save your changes.
Important: Make sure that the name you specify for a custom tag is not a database reserved word.
Globally Hiding Custom Tags
To globally hide a custom tag:
1. From the left panel in the Administration view, click Templates, and then select Custom Tags.
The Custom Tags page opens and lists all existing custom tags.
2. Click the row for the tag you want to hide.
The row expands to display the details for the tag.
3. Click Edit.
4. Under the Description box, select Hidden.
5. Click Save.
The custom tag no longer appears on the Audit page or in HPE Security Fortify Audit Workbench.
Deleting Custom Tags
If you are an Administrator or a Security Lead, you can delete custom tags.
Note: You cannot delete a custom tag if:
• The tag is currently set as the primary tag.
• The tag is currently associated with an application version or issue template.
• An issue has been audited using the custom tag.
You can never delete the Analysis tag.
To delete custom tags:
1. From the left panel in the Administration page, click Templates, and then click Custom Tags.
The Custom Tags page opens. Existing custom tags are listed on the right.
2. Select the check boxes for the custom tags you want to delete.
3. In the Custom Tags toolbar, click Delete.
4. When prompted to confirm that you want to delete the tag (or tags), click OK.
Adding Custom Tag Values
If you are an Administrator-level user, you can add values to the custom tags added to the system.
Note: The custom tag to which you add a value in the following procedure must be assigned the
Extensible attribute. Otherwise you cannot add a value while auditing an issue.
To add a new value to a custom tag:
1. From the left panel in the Administration page, click Templates, and then click Custom Tags.
The Custom Tags page opens. Existing custom tags are listed on the right.
2. Click the row for the tag to which you want to add a value.
The row expands to display the details for the tag.
3. Below the table of values, click Edit.
4. Above the table of values, click + Add value.
5. In the Add Value dialog box, type a name and, optionally, a description for the new value.
6. To make the value unavailable in the SSC Audit page and in HPE Security Fortify Audit Workbench,
select the Hidden check box.
7. Click Apply.
8. In the Custom Tags panel, click Save.
9. To hide the custom tag details, click the row that displays the tag name.
See Also
"Adding Custom Tags to the System" on page 73
"Assigning Custom Tags to Application Versions" on page 79
"Editing Custom Tag Values" below
"Deleting Custom Tag Values" below
Editing Custom Tag Values
If you are an Administrator-level user, you can change the values of the custom tags added to the system.
To edit a custom tag value:
1. From the left panel in the Administration view, click Templates, and then select Custom Tags.
The Custom Tags page opens and lists all custom tags in the system.
2. Click the row for the tag you want to edit.
The row expands to display the tag details.
3. Below the table of values, click Edit.
4. In the table of values, click the Edit value icon in the row for the value you want to edit.
The Add Value dialog box opens.
5. Make any changes you require, and then click Apply.
6. On the Custom Tags page, click Save.
See Also
"Adding Custom Tag Values" on the previous page
"Deleting Custom Tag Values" below
Deleting Custom Tag Values
If you are an Administrator or a Security Lead, you can delete custom tag values.
To delete a value for a custom tag:
Note: You cannot delete a custom tag value that is currently associated with an application version,
issue template, or if an issue is audited using the value.
1. From the left panel in the Administration view, click Templates, and then click Custom Tags.
The Custom Tags page opens and lists all custom tags in the system.
2. Click the row for the tag from which you want to delete a value.
The row expands to display the details for the tag.
3. Below the table of values, click Edit.
4. In the table of values, click the Remove issue icon in the row for the value you want to delete.
5. Click Save.
Associating Custom Tags with Issue Templates
When you first create an issue template by uploading an issue template file, the custom tags defined in that
file are the custom tags initially associated with the issue template. If the file contains changes to custom
tags that already exist in the system, those changes are ignored, because tags are designed to be updated
using the procedures described in the previous sections. Custom tags that the file defines for the first time
are added to the system and associated with the issue template.
Note: The custom tags associated with an issue template are the default tag set assigned to an
application version when it is first created using that issue template.
To associate a custom tag with an issue template:
1. From the left panel in the Administration page, click Templates, and then select Issue.
The table on the right lists all of the issue templates in the system.
2. Click the row that displays the issue template to associate with the custom tag.
The row expands to reveal the issue template detail.
3. Click Edit.
The editable fields of the details section become writable and the + Add Custom Tag button is now
visible.
4. Click + Add Custom Tag.
The Add Custom Tag dialog box opens.
5. Select the check box for the custom tag to associate with the issue template, and then click Add.
6. Click Save.
See Also
"Disassociating a Custom Tag from an Application Version" on page 80
Viewing the Custom Tags Associated with an Issue Template
To see which custom tags are associated with an issue template:
1. In the Hewlett Packard Enterprise header, click Administration.
2. In the left panel of the Administration view, click Templates, and then select Issue.
The Issue page lists all issue templates.
3. Click the row for the project template of interest.
The row expands to reveal
4. Click View Details.
5. Click the Custom Tags tab.
You can also edit or delete a custom tag from this project template from the Custom Tags tab.
Removing Custom Tags from Issue Templates
To remove a custom tag from an issue template:
1. From the left panel in the Administration page, click Templates, and then select Issue.
The table on the right lists all of the issue templates in the system.
2. Click the row that displays the issue template associated with the custom tag you want to remove.
The row expands to reveal the issue template details. The Custom Tags section lists the custom tags
associated with the template.
3. Scroll to the bottom of the expanded row and click Edit.
4. In the last column, click the remove icon for the custom tag that you want to remove from the template.
5. Click Save.
See Also
"Custom Tags" on page 72
Assigning Custom Tags to Application Versions
To use a new custom tag to audit application version issues, you must first assign the tag to the application
version.
To assign a custom tag to an application version:
1. From the Applications view, select the version name for the application version you plan to audit.
SSC opens the Overview page for the selected version.
2. In the application version toolbar, click Profile.
3. In the Application Profile dialog box, click Custom Tags.
4. Click Assign / Remove.
The Assign Custom Tags dialog box opens and lists the tags available for auditing issues.
5. Select the check box for the custom tag you want to assign to the application version, and then click
Done.
To successfully complete the audit of an issue in SSC, you must specify a value for the custom tag that
is designated as the primary tag. By default, the Analysis tag is the primary tag.
During an audit, the primary tag is listed first. If custom tags other than Analysis exist in your SSC
instance and are assigned to the application version, you can select one of these (instead of Analysis)
as the primary tag.
6. (Optional) To assign a tag other than the current primary tag as primary:
a. Click Select Primary.
The Select Primary Tag dialog box opens.
b. From the Select Primary Tag list, select the tag that you want to set as the primary custom tag.
c. Click Done.
7. Close the Application Profile dialog box.
The assigned custom tag will be available the next time a team member audits issues for the application
version.
See Also
"Adding Custom Tags to the System" on page 73
"Adding Custom Tag Values" on page 75
"Auditing Issues" on page 102
Disassociating a Custom Tag from an Application Version
You can disassociate a custom tag from an application version if it has not been used in auditing that
application version.
To disassociate a custom tag from an application version:
1. From the Software Security Center Dashboard, click Applications.
2. Click the application version name to which the custom tag is assigned.
The Overview page opens.
3. On the application version toolbar, click Profile.
The Application Profile window opens.
4. Select Custom Tags.
5. Click Assign/Remove.
The Assign Custom Tags dialog box opens.
6. Clear the check box for the custom tag that you want to remove, and then click Done.
See Also
"Adding Custom Tags to the System" on page 73
"Assigning Custom Tags to Application Versions" on the previous page
Managing Custom Tags Through Issue Templates
Custom tags defined in an issue template file are assigned to that specific issue template. You cannot update
existing custom tags through direct issue template upload. If Software Security Center detects an updated
custom tag, it displays a warning and prompts you to confirm that you want to continue.
You must update existing custom tags through the custom tag administration section of Software Security
Center. From the Software Security Center Dashboard, select Administration > Templates > Custom
Tags and complete the update.
You can add a new custom tag through an issue template upload. This could, for example, allow a member of
a security team who is not part of a software audit to define the issue template and the custom tags in the
issue template.
Managing Custom Tags Through an Issue Template in an FPR File
FPR files typically contain an issue template. If an FPR file uploaded to Software Security Center contains
an issue template with a custom tag that has been set as editable, you can add a value to the tag.
Chapter 5: Variables, Performance Indicators, and Alerts
Software Security Center lets you store measured values and event conditions for application versions as
variables. An SSC variable is a definition of a metric that is to be evaluated periodically for each application
version. Variables count issues, conditions, and other categories of numeric data.
Performance indicators combine variables into metrics that are normalized across application version
boundaries, and that can represent complex higher-level abstractions such as monetary costs. SSC variables
and performance indicators provide the building blocks that you can use to create customized metrics, which
you can then incorporate into customized alert definitions. You can use the values of variables to trigger
alerts, which SSC then displays on the dashboards of users specified as recipients in alert definitions.
SSC can also email alert notifications to members of an application version team.
This section contains the following topics:
Working with Variables (page 81)
Performance Indicators (page 83)
Alert Definitions (page 84)
Viewing and Marking Alerts (page 87)
Working with Variables
If you have a Manager-level or higher user account, you can define variables for your applications. The
following topics provide information about SSC variable syntax and search strings, and include instructions
on how to create variables.
Topics covered in this section:
Creating Variables (page 81)
Variable Syntax (page 82)
Creating Variables
To create a Software Security Center variable:
1. Log on as a Manager-level or higher user, and then click Administration.
Note: Users who have Developer accounts cannot create Software Security Center variables.
2. In the Administration panel on the left, under Metrics & Tracking, select Variables.
3. In the Variables toolbar, click New.
The Create New Variable dialog box opens.
4. Provide the information described in the following table.
Name: Type a variable name that begins with a letter (a-z, A-Z), and that contains only letters,
numerals (0-9), and the underscore character (_).
Description: (Optional) Type a description so that other users can understand what the variable is
used for.
Search String: Type a valid SSC variable search string. (For information about how to construct search
strings, see "Variable Syntax" below.)
Folder: From this list, select a folder from the default filter set to associate with the variable.
The Folder list displays the unique folder names associated with all available issue templates. The
variable value is calculated if the folder name is associated with the issue template for the application
version.
5. Click Validate.
Software Security Center displays the variable validation result.
6. After SSC validates the variable, click Save.
The Variables table now lists your new variable.
Variable Syntax
The Software Security Center variable format is as follows:
modifier:searchstring
Example: [Fortify Priority Order]:critical audited:false
The following table lists the Software Security Center relational operators.
Search String: Searches for the string without qualification.
"Search String": Searches for an exact match of the string enclosed in quotation marks (" ").
Number range: A comma-separated pair of numbers used to specify the beginning and end of a range of
numbers. Use a left or right bracket ("[ ]") to specify that the range includes the adjoining number. Use a
begin or end parenthesis ("( )") to specify that the range excludes (is greater than or less than) the
adjoining number. Example: (2,4] indicates a range of greater than two, and less than or equal to four.
! (not equal): Negate a modifier with an exclamation character (!). Example: !file:Main.java returns all
issues that are not in Main.java.
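The following Python script is an added example, not part of this guide and not SSC's own search implementation: it parses search strings written in the modifier:searchstring syntax above (bracketed modifier names, quoted exact matches, numeric ranges with inclusive brackets and exclusive parentheses, and ! negation) and counts the matching issues in a constructed issue list, which is what a variable's value is. Three points are assumptions made for the example: several terms in one string are ANDed (the guide's own example string implies this), an unquoted string matches as a case-insensitive substring, and a modifier is looked up by name as a field of each issue record.

```python
import re

# Constructed issues (not real scan output). Keys are the modifiers a search string can use.
ISSUES = [
    {"Fortify Priority Order": "critical", "audited": "false", "file": "Main.java", "confidence": 5.0},
    {"Fortify Priority Order": "critical", "audited": "true",  "file": "Main.java", "confidence": 3.0},
    {"Fortify Priority Order": "high",     "audited": "false", "file": "Util.java", "confidence": 4.0},
    {"Fortify Priority Order": "low",      "audited": "false", "file": "Util.java", "confidence": 2.0},
]

# One term: optional '!', a modifier (bracketed names may contain spaces), ':' and a value
# that is a quoted string, a numeric range such as (2,4], or a bare word.
TERM_RE = re.compile(
    r'\s*(?P<neg>!?)(?P<mod>\[[^\]]+\]|[A-Za-z_]\w*):'
    r'(?P<val>"[^"]*"|[\[(]\s*-?\d+(?:\.\d+)?\s*,\s*-?\d+(?:\.\d+)?\s*[\])]|\S+)'
)
RANGE_RE = re.compile(r"^([\[(])\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*([\])])$")


def parse_search(search):
    """Split a search string into (negated, modifier, value) terms; raise on unparsable input."""
    terms, pos, search = [], 0, search.strip()
    while pos < len(search):
        m = TERM_RE.match(search, pos)
        if not m:
            raise ValueError(f"cannot parse search string at {search[pos:]!r}")
        terms.append((m.group("neg") == "!", m.group("mod").strip("[]"), m.group("val")))
        pos = m.end()
    return terms


def _matches(value, pattern):
    """Apply one search value to one field value using the three relational forms."""
    if len(pattern) >= 2 and pattern.startswith('"') and pattern.endswith('"'):
        return str(value) == pattern[1:-1]                      # quoted: exact match
    rng = RANGE_RE.match(pattern)
    if rng:
        left, lo, hi, right = rng.group(1), float(rng.group(2)), float(rng.group(3)), rng.group(4)
        try:
            num = float(value)
        except (TypeError, ValueError):
            return False                                        # non-numeric field never in range
        low_ok = num >= lo if left == "[" else num > lo         # bracket includes the bound
        high_ok = num <= hi if right == "]" else num < hi       # parenthesis excludes it
        return low_ok and high_ok
    return pattern.lower() in str(value).lower()                # unqualified: substring match


def evaluate_variable(search, issues=ISSUES):
    """Count the issues that satisfy every term of the search string (terms are ANDed)."""
    terms = parse_search(search)
    count = 0
    for issue in issues:
        for negated, modifier, pattern in terms:
            hit = modifier in issue and _matches(issue[modifier], pattern)
            if hit == negated:          # a plain term must hit, a negated one must not
                break
        else:
            count += 1
    return count


def validate_search(search):
    """Mimic the Validate button: (True, 'valid') or (False, reason)."""
    try:
        parse_search(search)
    except ValueError as exc:
        return False, str(exc)
    return True, "valid"


if __name__ == "__main__":
    for s in ("[Fortify Priority Order]:critical audited:false", "!file:Main.java", "confidence:(2,4]"):
        print(f"{s!r}: {evaluate_variable(s)} issue(s)")
```

The range handling is where the bracket-versus-parenthesis distinction in the table becomes concrete: on the sample data confidence:(2,4] matches two issues while confidence:[2,4] matches three, because only the second form includes the issue whose confidence is exactly 2.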
Performance Indicators
Software Security Center performance indicators enable you to combine variables into metrics that are
normalized across application version boundaries, and that can represent complex, high-level abstractions
such as monetary costs. This section provides information about performance indicator syntax and
instructions on how to create performance indicators.
The general format of a Software Security Center performance indicator formula is as follows:
Variable[operator]Variable
where operator is a standard mathematical operator (+, -, *, /)
For instructions on how to create performance indicators, see "Creating Performance Indicators" below.
See Also
"Key Performance Indicators Report" on page 126
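The following Python script is an added example, not part of this guide and not SSC's own indicator engine: it evaluates a Variable[operator]Variable formula with the four standard operators against a set of variable values that SSC would already have computed, and mimics the Validate step by reporting unknown variables and malformed formulas. The variable names and values are constructed for the illustration. Operator precedence and parentheses go beyond the single-operator form the guide shows; they are the example's own extension, as is returning None when a divisor is currently zero (the guide does not say how SSC reports that case).

```python
import operator
import re

# Constructed variable values for one application version (assumed names, not SSC built-ins).
VARIABLES = {"critical_unaudited": 3, "critical_total": 12, "total_issues": 80, "sloc": 0}

OPERATORS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
TOKEN = re.compile(r"\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<name>[A-Za-z_]\w*)|(?P<sym>[-+*/()]))")


def tokenize(formula):
    """Turn a formula into (kind, text) tokens; anything else is a syntax error."""
    tokens, pos, formula = [], 0, formula.rstrip()
    while pos < len(formula):
        m = TOKEN.match(formula, pos)
        if not m:
            raise ValueError(f"unexpected input at {formula[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: expr := term (('+'|'-') term)*, term := factor (('*'|'/') factor)*."""

    def __init__(self, tokens, variables):
        self.tokens, self.pos, self.variables = tokens, 0, variables

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self._peek()[1] in ("+", "-"):
            value = OPERATORS[self._next()[1]](value, self.term())
        return value

    def term(self):
        value = self.factor()
        while self._peek()[1] in ("*", "/"):
            op, rhs = self._next()[1], self.factor()
            if op == "/" and rhs == 0:
                raise ZeroDivisionError("division by zero in indicator formula")
            value = OPERATORS[op](value, rhs)
        return value

    def factor(self):
        kind, text = self._next()
        if kind == "num":
            return float(text)
        if kind == "name":
            if text not in self.variables:
                raise ValueError(f"unknown variable {text!r}")
            return self.variables[text]
        if text == "(":
            value = self.expr()
            if self._next()[1] != ")":
                raise ValueError("missing ')'")
            return value
        raise ValueError(f"unexpected token {text!r}")


def _parse_all(formula, variables):
    parser = _Parser(tokenize(formula), variables)
    value = parser.expr()
    if parser.pos != len(parser.tokens):
        raise ValueError("trailing input in formula")
    return value


def validate_indicator(formula, variables=VARIABLES):
    """Mimic the Validate button: (True, 'valid') or (False, reason)."""
    try:
        _parse_all(formula, variables)
    except ZeroDivisionError:
        return True, "valid (divisor is currently zero)"
    except ValueError as exc:
        return False, str(exc)
    return True, "valid"


def evaluate_indicator(formula, variables=VARIABLES, return_type="float"):
    """Evaluate the formula; honour the Return Type choice; None when a divisor is zero."""
    try:
        value = _parse_all(formula, variables)
    except ZeroDivisionError:
        return None
    return int(value) if return_type == "int" else float(value)


if __name__ == "__main__":
    print(evaluate_indicator("critical_unaudited / critical_total * 100"))   # share of critical issues not yet audited
```

Normalizing by another variable (a total, a line count) is what makes an indicator comparable across application versions of different sizes; the zero-divisor path matters because a brand-new version with no scans yet has every count at zero.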
Creating Performance Indicators
To create a Software Security Center performance indicator:
1. Log on to SSC as a Security Lead, and then click the Administration tab.
Note: Users who have Manager and Developer accounts cannot create SSC performance
indicators.
2. In the panel on the left, select Metrics & Tracking, and then select Performance Indicators.
The table to the right lists existing Performance Indicators.
3. Click New.
The Create New Performance Indicator dialog box opens.
4. Provide the information described in the following table.
Field
Description
Name
Type a performance indicator name.
Description
Type a description so that other users know what this performance indicator is used
for.
Equation
Type a valid SSC performance indicator equation.
A Software Security Center performance indicator formula is formatted as follows:
Variable[operator]Variable
where operator is a standard mathematical operator (+, -, *, /)
Return Type
From this list, select the value type to return.
5. Click Validate.
SSC displays the performance indicator validation result.
6. After you configure and successfully validate the new performance indicator, click Save.
The Performance Indicators table lists your new indicator.
Alert Definitions
Alert definitions can include a variable or a performance indicator to determine when Software Security Center is
to generate an alert notification in the Todo List on the Dashboard.
Note: This functionality is available only if an SSC administrator has enabled email notifications from the
legacy user interface. For information about how to access the legacy user interface, see "Switching
Between the New User Interface and the Legacy User Interface " on page 19. For instructions on how to
enable email notifications from the legacy UI, see the HP Fortify Software Security Center Installation
and Configuration Guide: Legacy User Interface.
You can configure alert notifications to send email messages about one or more alert notifications to
members of a given application version.
Next
Creating Alerts
See Also
Deleting Alerts
Creating Alerts
You can define alerts for any application versions to which you have been granted access.
To create an SSC alert:
1. In the Hewlett Packard Enterprise header, click Administration.
2. In the panel on the left, click Templates, and then select Alerts.
The Alerts page displays any alerts defined to date.
3. In the Alerts toolbar, click New.
The Create New Alert dialog box opens.
4. In the Name box, type a name for the alert.
5. (Optional) In the Description box, type text that describes what the alert is for.
6. Next to Type, select the type of alert you want to create.
Note: The process type alert is not available in this release.
7. Provide the information for the alert type you selected, as shown in one of the following tables.
Performance Indicator
a. From the Alert When list, select a performance indicator.
b. From the list of operators, select an operator.
c. Type a numeric value. The type of performance indicator selected determines whether the value
represents an integer or a percentage.
Variable
a. From the Alert When list, select a variable.
b. From the list of operators, select the appropriate operator.
c. Type a numeric value. The type of performance indicator you selected determines whether the
value represents an integer or a percentage.
System Event
• From the Alert When list, select the SSC system event to trigger the alert.
8. If you are creating a performance indicator alert or variable alert, do one of the following:
• To use this alert for all application versions to which you have been granted access, select the Monitor All Applications check box.
• Otherwise, to use this alert for specific application versions:
a. Click + Add.
The Select Application Version dialog box opens.
b. In the Application list, select an application for which you want to use the alert.
c. To include inactive versions of the application in the Versions list, select the Show Inactive
Versions check box.
d. To use the alert for all application versions, select the check box next to Versions. Otherwise, in the
Versions list, select the check boxes for the versions for which you want to use the alert.
e. Click Done.
9. In the Recipients section, select one of the following recipient preferences:
Note: Regardless of the option you select, you will receive the notification.
• To have the notification sent only to you, select Me Only.
• To have the notification sent to all SSC users who have access to the application versions you specified (in the Select Application Version dialog box), select All Application Version Users.
10. To enable this alert definition, leave the Enabled Alert check box selected.
11. Click Save.
If you selected All Application Version Users as recipients, SSC displays the following alert:
"Are you sure you want to notify all application versions users? This could potentially notify a large
amount of users every time the alert triggers."
12. To proceed, click OK. Otherwise, click Cancel, and then select Me Only as a recipient.
Software Security Center displays the details for your new alert.
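The following added example (not code from the guide or from SSC) models the pieces described in "Performance Indicators" and in the alert steps above: validating a Variable[operator]Variable equation, evaluating it against per-version variable values with an integer or percentage return type, testing an alert definition (indicator or variable, operator, numeric value, monitored versions) and working out the recipients for the Me Only and All Application Version Users options. The variable names, indicator names, version names, users and the interpretation of "percentage" as the raw result times 100 are all assumptions made for the illustration.

```python
import operator
import re

# Constructed sample data (not SSC data): variable values per application version.
VARIABLE_NAMES = {"CriticalIssues", "HighIssues", "TotalIssues"}
VERSIONS = {
    "WebGoat 1.0": {"CriticalIssues": 12, "HighIssues": 30, "TotalIssues": 200},
    "WebGoat 2.0": {"CriticalIssues": 0, "HighIssues": 4, "TotalIssues": 80},
}
# Performance indicators as (equation, return type); names are hypothetical.
INDICATORS = {
    "CriticalRatio": ("CriticalIssues/TotalIssues", "percentage"),
    "SevereIssues": ("CriticalIssues+HighIssues", "integer"),
}
# Users with access to each version (constructed).
VERSION_USERS = {"WebGoat 1.0": {"alice", "bob"}, "WebGoat 2.0": {"carol"}}

PI_FORMULA_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*([+\-*/])\s*([A-Za-z_]\w*)\s*$")
ARITH = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
COMPARE = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "=": operator.eq}


def validate_indicator(equation, known_variables=VARIABLE_NAMES):
    """The Validate step: the equation must have the Variable[operator]Variable shape
    and both operands must be defined variables. Returns (ok, message)."""
    m = PI_FORMULA_RE.match(equation)
    if not m:
        return False, "equation must be Variable[operator]Variable with one of + - * /"
    left, _, right = m.groups()
    missing = [v for v in (left, right) if v not in known_variables]
    if missing:
        return False, "unknown variable(s): " + ", ".join(missing)
    return True, "ok"


def evaluate_indicator(equation, values, return_type="integer"):
    """Compute an indicator for one version's variable values.
    'percentage' scales the raw result by 100 (assumed meaning); division by
    zero yields None so that an alert cannot fire on an undefined value."""
    left, op, right = PI_FORMULA_RE.match(equation).groups()
    if op == "/" and values[right] == 0:
        return None
    result = ARITH[op](values[left], values[right])
    if return_type == "percentage":
        return round(result * 100, 2)
    return int(result)


def evaluate_alert(alert, versions=VERSIONS, indicators=INDICATORS):
    """Return the names of the versions for which an alert definition fires.
    alert keys (hypothetical): alert_when (indicator or variable name), operator,
    value (numeric threshold), monitor ('all' or a list of version names)."""
    names = versions if alert["monitor"] == "all" else alert["monitor"]
    fired = []
    for name in names:
        values = versions[name]
        if alert["alert_when"] in indicators:
            equation, return_type = indicators[alert["alert_when"]]
            metric = evaluate_indicator(equation, values, return_type)
        else:
            metric = values.get(alert["alert_when"])
        if metric is not None and COMPARE[alert["operator"]](metric, alert["value"]):
            fired.append(name)
    return fired


def recipients(alert, creator, fired_versions, version_users=VERSION_USERS):
    """Step 9: 'Me Only' notifies just the creator; 'All Application Version Users'
    adds every user with access to a version that fired. The creator always receives it."""
    out = {creator}
    if alert["recipients"] == "All Application Version Users":
        for version in fired_versions:
            out.update(version_users.get(version, ()))
    return sorted(out)


if __name__ == "__main__":
    alert = {"name": "Too many criticals", "alert_when": "CriticalRatio", "operator": ">",
             "value": 5, "monitor": "all", "recipients": "All Application Version Users"}
    fired = evaluate_alert(alert)
    print(fired, recipients(alert, "lead", fired))
```

The recipient fan-out is what the "Are you sure you want to notify all application versions users?" confirmation warns about: with All Application Version Users, every user of every version that trips the threshold is notified each time the alert fires.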
Editing Alerts
To edit an SSC alert:
1. Log on to SSC as an Administrator, and then click the Administration tab.
2. In the panel on the left, click Templates, and then select Alerts.
The Alerts page displays all alerts you have defined.
3. In the Alerts table, locate and select the row for the alert you want to edit.
The row expands to reveal the alert settings.
4. Click Edit.
5. Make the necessary changes and then click Save.
Deleting Alerts
To delete an SSC alert:
1. Log on to SSC as an Administrator, and then click the Administration tab.
2. In the panel on the left, click Templates, and then select Alerts.
The Alerts page displays all alerts you have defined.
3. In the Alerts table, select the check box to the left of the alert you want to delete.
4. In the Alerts toolbar, click Delete.
SSC prompts you to confirm that you want to proceed with the deletion.
5. Click OK.
Viewing and Marking Alerts
SSC flags any unread alerts that either you or another user has set up for you to receive. These flags are
visible in the collapsible panel on the right of the SSC Dashboard, and on the right end of the Hewlett Packard
Enterprise header in every view.
To view your unread alerts, do one of the following:
• At the right end of the Hewlett Packard Enterprise header, click the red circle that shows the number of unread alerts for you.
• On the Dashboard, in the Todo List section of the collapsible panel, click the red circle that shows the number of unread alerts for you.
The Alerts window opens and lists your unread alerts.
To mark an alert as having been read:
• In the Alerts window, select the check box to the left of the alert name, and then click Mark as Read.
To view alerts that you have already read:
• From the View list, select Read.
To mark an alert you have read as unread:
• Select the check box to the left of the alert name, and then click Mark as Unread.
To view all of your alerts (read and unread):
• From the View list, select All.
If you have marked all of your alerts as read, the read alert flag is no longer displayed. To see these alerts, go
to the Dashboard and, in the Todo List section of the collapsible panel, click Show all alert notifications.
Chapter 6: About Working with Scan Artifacts
This section contains the following topics:
Uploading Scan Artifacts, page 89
Uploading Third-Party Results to Software Security Center, page 92
Uploading SAP NetWeaver Data to an SSC Application Version, page 93
Viewing Scan Errors, page 94
Downloading Scan Artifacts, page 95
Viewing High-Level Summary Results, page 96
Displaying Additional Application Versions on the Dashboard, page 97
Viewing Issue Metadata, page 98
Mapping Scan Results to External Lists, page 99
Purging Scan Artifacts, page 99
Deleting Artifacts, page 100
Uploading Scan Artifacts
Important: The files you upload to SSC must be no larger than 2GB.
Note: For information about uploading third-party scan results, see "Uploading Third-Party Results to
Software Security Center" on page 92.
To upload a scan artifact to the SSC database:
1. In the Hewlett Packard Enterprise header, click Applications.
2. On the Applications page, click the link for the application version associated with the artifact you want
to upload.
3. On the application version toolbar, click Artifacts.
The Artifacts History table lists all scan artifacts uploaded for the application.
4. Click Upload Artifact.
The Upload Artifact dialog box opens.
5. Click +Add Files.
6. Navigate to and select one or more artifact files to upload.
The Upload Artifact dialog box lists the selected files.
7. To remove a file from the list, click the trash icon for that file.
8. To remove all of the listed files, click Clear.
9. After you select all of the files that you want to upload, click Start upload.
The dialog box displays a green progress bar as each file is uploaded.
10. After your files are successfully uploaded, click Close.
Viewing File Processing Errors
If there was an error in processing an uploaded artifact, the Status column of the Scan History table displays
Error Processing, along with a circled number that indicates the number of processing rules violated.
To view information about the processing rules violated:
• Click the circled number.
The Artifact Processing Messages box opens to display details about problems encountered during the
upload.
See Also
"Uploading Third-Party Results to Software Security Center" on the next page
"Downloading Scan Artifacts" on page 95
"Deleting Artifacts" on page 100
"Setting Analysis Result Processing Rules for Application Versions" on page 70
Uploading Third-Party Results to Software Security Center
To upload third-party results to SSC, you must implement a third-party parser.
Important: The files you upload to SSC must be no larger than 2GB.
To upload third-party results to SSC:
1. Implement your custom parser.
The Fortify Public API documentation (located in the <ssc_install_dir>/Samples/advanced/JavaDoc/public-api directory) contains descriptions of the classes included in the com.fortify.pub.issueparsing package. This package details all of the available interfaces to use in your custom parser code.
You can use the SampleParser.java file, which is located in the <sca_install>/Samples directory, as a starting point for your parser implementation.
Note: For detailed information about all classes and interfaces, see the documentation in the <ssc_install>/Samples/advanced/JavaDoc/public-api directory.
2. Use the Java compiler to compile the custom parser code with the <ssc.war>/WEB-INF/lib/fortify-public-xx.yy.jar file in its classpath. (Where xx.yy is the public API library version. This is typically the same version as SSC.)
3. Package the custom parser classes into a JAR file, and then use one of the following methods to place that file in the <ssc.war>/WEB-INF/lib directory.
Note: An SSC Administrator must perform this step.
• To do this manually, extract the ssc.war file contents, place the new jar file into the \WEB-INF\lib folder located inside the WAR file, and then compress the war file again.
• To do this using the SSC configuration wizard, add the jar file that contains the custom parser to the SSC war on the Plugins page of the configuration wizard.
4. Check to make sure that both of the following are true:
• The main parser class implements either AnalysisFileParser, AnalysisSingleFileParser, or both of these interfaces.
• The main parser class is annotated using the Spring @Component(parser_name) annotation.
SSC goes through the list of parsers registered in the application file until it finds the parser for your uploaded
results.
Uploading SAP NetWeaver Data to an SSC Application Version
If your organization uses SAP NetWeaver Code Vulnerability Analyzer (CVA) to search for vulnerabilities in
ABAP source code, you can use the NetWeaver plugin to map your CVA scans to an SSC application
version, and then import the results for investigation from SSC.
If your SSC administrator has configured a connection with NetWeaver, you can download NetWeaver
results to an SSC application version.
To download NetWeaver CVA results to an SSC application version:
1. From SAP NetWeaver, determine the display ID for the NetWeaver CVA run that produced the results
you want to download to SSC.
2. Create a file with the NWV extension, open your <file_name>.nwv file in a text editor, and then add the
following line:
resultDisplayId=<display_ID>
where <display_ID> is the display ID you found in step 1.
3. From the Dashboard, open the Overview page for the application version for which you want to upload
the NetWeaver data.
4. On the Overview toolbar, click Artifacts.
5. On the Artifact History page, click Upload Artifact.
The Upload Artifact dialog box opens.
6. Click + Add Files.
7. Browse to and select your <file_name>.nwv file.
8. In the Upload Artifact dialog box, click Start Upload.
After a successful upload, SSC displays the individual CVA findings, and identifies their source code file
names and line numbers, assigns each a Fortify Priority Order, and displays them in the SSC user interface
for auditing.
Viewing Scan Errors
If errors occurred during a code scan, this information is included in the uploaded scan artifact and made
available for viewing through the Scan Errors window.
To view scan errors:
1. In the Hewlett Packard Enterprise header, click Applications.
2. On the Applications page, click the link for the application version you are interested in.
3. On the application version toolbar, click Artifacts.
The Artifact History table lists all scan artifacts uploaded for the application. If errors occurred during a
scan, SSC displays a circled number next to the scan artifact name to indicate the number of errors
encountered.
4. To open the Scan Errors window and view detailed information about the errors that occurred, click the
number in the red circle.
See Also
"Purging Scan Artifacts" on page 99
Downloading Scan Artifacts
From the Artifact History page, you can download the latest merged FPR file for an application version or you
can download FPR files that result from individual scans.
Downloading the Merged FPR File for an Application Version
To download the latest merged scan results for an application version in FPR format:
1. In the Hewlett Packard Enterprise header, click Applications.
2. On the Applications page, click the link for the application version you are interested in.
3. On the application version toolbar, click Artifacts.
The Artifact History table lists all scan artifacts uploaded for the application.
4. Click Download Application File.
5. Note the file name, and then Save the file.
6. Open the saved file from HPE Security Fortify Audit Workbench or other application.
Downloading Individual Scan Results
1. In the Hewlett Packard Enterprise header, click Applications.
2. On the Applications page, click the link for the application version you are interested in.
3. On the application version toolbar, click Artifacts.
The Artifact History table lists all artifacts uploaded for the application.
4. Click the row that displays the artifact you want to download.
The row expands to reveal detailed information about the scan.
5. Click Download.
6. Save the file, and then open the saved file from HPE Security Fortify Audit Workbench or other
application.
See Also
"Uploading Scan Artifacts" on page 89
"Deleting Artifacts" on page 100
"Viewing Scan Errors " on the previous page
Viewing High-Level Summary Results
You can view high-level summary results for an application version from the SSC Dashboard or from the
Overview page.
To view high-level summary results for an application version from the SSC Dashboard:
• On the SSC Dashboard, in the Top Risk Makers section, move your cursor to a colored bar for an application version.
SSC shows the status of findings for the version. In the example shown here, the pie chart on the left shows the security ratings for the 32% of findings (54 of 171) that have been audited to date for this application version. The chart on the right shows the percentage of findings audited (32) and the percentage of the total that has yet to be audited (68).
Note: To go from here to the Audit page for the application version, click Audit.
To view high-level summary results for an application version from the Overview page:
1. In the Hewlett Packard Enterprise header, click Applications.
2. On the Applications page, click the link for the version you are interested in.
3. On the Overview page, if the panel on the right is collapsed, expand it.
The Version Progress section displays summary information with trending arrows.
4. To display a metric other than Fortify Security Rating, click the edit icon, and then select a different metric to display from the list.
5. To cancel your selection and leave edit mode, click the X next to the list.
See Also
"Auditing Issues" on page 102
Displaying Additional Application Versions on the Dashboard
To display up to five more application versions on the Application Dashboard:
• From the Application Dashboard, .
See Also
"Searching Applications and Application Versions from the Applications View" on page 60
Viewing Issue Metadata
To view metadata for an issue:
1. Navigate to the Audit page for the application version of interest.
2. In the issues table, if you have selected a grouping, expand a group to view issues it contains.
3. Click the row that displays the issue name.
The Code tab displays an overview of the issue, the Analysis value (if set), the stack trace, and the
section of code in which the issue was uncovered.
4. At the bottom of the issue details section, click Metadata.
The Metadata box displays the unique issue identifier (Instance ID), the unique identifier for the rule that
generated the issue (Primary Rule ID), priority metadata values, and legacy priority metadata values.
5. To go to the website that provides detailed information about software security errors, select the HPE
Security Fortify Taxonomy: Software Security errors link.
Mapping Scan Results to External Lists
HPE Security distributes an external metadata document with Rulepacks. This document includes mappings
from the HPE Security categories to alternative categories (such as OWASP 2010, PCI DSS 3.1, or CWE).
Security leads can customize this mapping or create their own files to map HPE Security issues to different
taxonomies, such as internal application security standards or additional compliance obligations.
You can either modify the existing external metadata document (externalmetadata.xml), or create your own document (recommended). The existing mapping file is located in the <sca_and_apps_install_dir>\Core\config\ExternalMetadata directory of SCA and Applications.
Use any XML editor to make your changes or create a new document. HPE recommends that you save your
new or modified document to the \Core\config\CustomExternalMetadata directory with a new name so
that your changes are not lost during security content updates.
To validate your modified or new mapping, use the externalmetadata.xsd file, which is located in the <sca_and_apps_install_dir>\Core\config\schemas directory.
To apply the modified or new external metadata document across all applications, you must first import it into
Software Security Center.
To import a new or modified external metadata document into Software Security Center:
1. Log on as Administrator, and then click the Administration tab.
2. In the Administration panel, under Metrics & Tracking, click Rulepacks.
3. In the Rulepacks panel on the right, click Import.
The Import Rulepack dialog box opens.
4. Click +Add Files.
5. Navigate to and select your document, and then click Start Upload.
If you are conducting a collaborative audit between SSC and Audit Workbench, you can import the changed
mapping document to SSC, and then open the FPR file in Audit Workbench to see how the mapping works
with the scan results.
Purging Scan Artifacts
Purging an artifact recovers space from the SSC database by removing the uploaded artifact, the temporary
results of artifact processing, and the cross-reference information for source files.
Before you purge artifacts for an application version, consider the following:
• After the purge, neither the purged artifacts, nor the earliest artifact not purged, can be deleted.
• Purging does not affect any issue-based metrics in the system.
• If you have custom reports, consult HPE Security Technical Support first to determine whether an artifact purge will affect them.
To purge a scan artifact from the SSC database:
1. From the <application_version> Overview page, click Artifacts.
The Artifact History table lists all scan artifacts uploaded for the application version.
2. Click the row that displays the artifact you want to purge from the database.
The table expands to show the details for the selected artifact.
3. Below the artifact details, click Purge.
SSC prompts you to confirm that you intend to purge the artifact.
4. Click OK.
Deleting Artifacts
Deleting an artifact removes all traces of an uploaded artifact. Use this option if an artifact is uploaded by
mistake.
To delete a scan artifact from the SSC database:
1. In the Hewlett Packard Enterprise header, click Applications.
2. On the Applications page, click the link for the version you are interested in.
3. On the application version toolbar, click Artifacts.
The Artifact History table lists all artifacts uploaded for the application.
4. Click the row that displays the scan artifact you want to delete.
The table expands to show the details for the selected artifact.
5. Below the artifact details, click Delete.
SSC prompts you to confirm that you want to delete the artifact.
6. Click OK.
Chapter 7: Collaborative Auditing
Software Security Center provides a web-based collaborative environment for auditing issues associated
with SSC applications. The following sections provide an overview of the auditing process and instructions on
how to display and use the auditing interface.
The information in these topics is presented based on the assumption that you know how to create and configure SSC application versions. (For information about SSC applications and application versions, see "Applications and Application Versions" on page 46.)
This section contains the following topics:
About Auditing, page 101
Auditing Issues, page 102
Setting Issue Viewing Preferences, page 110
Searching Globally in Software Security Center, page 112
Software Security Center and WebInspect Enterprise Integration, page 114
About Auditing
Issue audits, whether performed in Software Security Center or Audit Workbench, accomplish the following:
• Condense and focus application information
• Enable the security team to collaboratively decide which issues represent real vulnerabilities
• Enable the security team to collaboratively prioritize issues based on vulnerability
SSC uses issue templates to categorize and display issues.
Topics covered in this section:
About Current Issues State, page 101
Audit Conflicts, page 102
About Current Issues State
Software Security Center keeps track of which analysis engine uncovers each issue in an application version
and merges any new information into the existing body of results for the application version. After new audit
information is uploaded to the server or entered on the Audit page, SSC merges that information into any
existing audit information for a given issue. SSC also marks an issue as removed after the analysis engine no
longer finds the issue.
Audit Conflicts
If, as you audit an issue, another user updates that issue before you submit your audit information, SSC
notifies you and prompts you to re-submit your audit.
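The following added example (not code from the guide or from SSC) models the two behaviours described in "About Current Issues State" and "Audit Conflicts": a new scan is merged into the stored body of results so that previously audited issues keep their audit data and issues the engine no longer reports are marked removed rather than dropped, and an audit submit is rejected when another user has updated the issue since it was loaded, so the auditor must reload and re-submit. The issue fields, the per-issue audit version counter and the scenario data are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Issue:
    instance_id: str                 # stable identifier of a finding across scans
    category: str
    analysis: Optional[str] = None   # audit value, e.g. "Exploitable" or "Not an Issue"
    audit_version: int = 0           # incremented on every saved audit (assumed mechanism)
    removed: bool = False            # the engine no longer reports this issue


def merge_scan(existing: Dict[str, Issue], scanned: List[Issue]) -> Dict[str, Issue]:
    """Merge a new scan into the stored results: unknown instance IDs are added,
    known ones keep their audit data (analysis, audit_version), and IDs the engine
    no longer reports are marked removed instead of being deleted."""
    merged = dict(existing)
    reported = set()
    for new in scanned:
        reported.add(new.instance_id)
        old = merged.get(new.instance_id)
        if old is None:
            merged[new.instance_id] = new
        else:
            old.removed = False      # found again; audit data untouched
    for instance_id, issue in merged.items():
        if instance_id not in reported:
            issue.removed = True
    return merged


class AuditConflict(Exception):
    """Raised when the issue changed after the auditor loaded it."""


def submit_audit(store: Dict[str, Issue], instance_id: str, analysis: str, loaded_version: int) -> int:
    """Optimistic concurrency check: the submit is accepted only if the issue's
    audit_version still equals the one the auditor loaded; otherwise the caller
    must reload the issue and re-submit. Returns the new audit_version."""
    issue = store[instance_id]
    if issue.audit_version != loaded_version:
        raise AuditConflict(
            f"{instance_id} was updated by another user (now v{issue.audit_version}); reload and re-submit")
    issue.analysis = analysis
    issue.audit_version += 1
    return issue.audit_version


def demo():
    """Two scans, then two auditors editing the same issue concurrently (constructed scenario)."""
    store = merge_scan({}, [Issue("A1", "SQL Injection"), Issue("B2", "Cross-Site Scripting")])
    # second scan: B2 is no longer found, C3 is new
    store = merge_scan(store, [Issue("A1", "SQL Injection"), Issue("C3", "Path Manipulation")])
    loaded = store["A1"].audit_version                 # both auditors load A1 at this version
    submit_audit(store, "A1", "Exploitable", loaded)   # first auditor saves
    try:
        submit_audit(store, "A1", "Not an Issue", loaded)  # second auditor: stale version
        conflict = False
    except AuditConflict:
        conflict = True
    return store, conflict


if __name__ == "__main__":
    results, had_conflict = demo()
    print({k: (v.analysis, v.removed) for k, v in results.items()}, had_conflict)
```

Keeping removed issues in the store (flagged rather than deleted) is what lets the audit history and comments survive across scans, and the version check is what turns a silent overwrite of another auditor's decision into the re-submit prompt the guide describes.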
Auditing Issues
To audit issues:
1. Upload scan results for the application version you want to audit. For instructions, see "Uploading Scan
Artifacts" on page 89.
2. Open the Audit page for the application version of interest. (For instructions, see "Accessing the Audit
Page from the Dashboard" on page 106 or "Accessing the Audit Page from the Applications Tab" on
page 106.)
3. To selectively display the issues you want to audit, apply filters to the issues list. (See "Filtering Issues
for Display on the Overview and Audit Pages" on page 107.)
4. In the issues table, if you have selected a grouping, expand a group to view the issues it contains.
5. To expand an issue and view its details, click its row in the table.
Note: This screen capture shows the details for an issue uncovered during an HPE Security Fortify
Static Code Analyzer scan. For information about viewing WebInspect results, see "Viewing
WebInspect Scan Results in Software Security Center" on page 114.
In the left panel of the Code tab, the Overview section displays a summary of the issue, the analysis
value (if set), and the analysis trace. The panel on the right displays the primary section of code in which
the issue was discovered.
6. To view summary details about a step along the course tainted data has taken, in the Analysis Trace section, move your cursor to that step. To view code associated with that step, click the step in the Analysis Trace section.
7. To search for a specific string in the code associated with the issue, click the Search in source code icon, type the character string, and then use the next and previous icons to move through the results.
8. To view the issue history and any comments related to the issue, click Comments & History.
9. To add a comment, type it into the Comments box, and then click Post Comment.
You can mark an issue as suppressed to exclude it from display because it is not of high priority or of immediate concern. This might include issues that you know to be fixed, or issues that you plan not to fix.
10. (Optional) To mark the issue as suppressed, click Suppress.
11. Do one of the following:
• At the bottom of the issue details section, click Assign.
• Alternatively, in the left panel, to the right of the Analysis field, click the Assign Issue icon.
The Assign dialog box opens.
12. From the Analysis list in the left panel, select a value that reflects your assessment of this issue.
13. To locate a user to assign to the issue, in the Find user box, type part or all of a user's name, and then
click Find. Alternatively, to list all users in the system, click Find all users.
14. In the list of returned names, click the name of the user to assign to the issue.
The Assigned section now displays the selected user name and avatar (if available).
15. Click Apply.
16. To collapse the issue details view, click the row again.
Accessing the Audit Page from the Dashboard
To access the Audit page from the SSC Dashboard:
1. On the SSC Dashboard, in the Results by Application Version section, move your cursor to a colored
bar that represents results that you want to audit.
SSC shows the status of findings for the version. The pie chart on the left shows the security ratings for
the findings that have been audited to date for this application version. The chart on the right shows the
percentage of findings audited and the percentage of the total that has yet to be audited.
2. Click Audit.
SSC displays the Audit page for the application version.
Next
"Auditing Issues" on page 102
See Also
"Accessing the Audit Page from the Applications Tab" below
Accessing the Audit Page from the Applications Tab
To access the Audit page from the Applications view:
1. From the SSC Dashboard, click Applications.
2. In the Version column of the Applications table, click the application version of interest.
SSC displays the Overview page for the application version.
3. On the application version toolbar, click Audit.
The Audit page opens.
Next
"Auditing Issues" on page 102
See Also
"Accessing the Audit Page from the Dashboard" on the previous page
Filtering Issues for Display on the Overview and Audit Pages
Use the following steps to filter issues for display for an application version from either the Overview page or
from the Audit page.
Note: You can also select a filter set to change the issues displayed on the Overview and Audit pages. For
information and instructions, see "Changing Displayed Issues Using Filter Sets" on page 109.
To filter issues for display on the Overview or Audit page:
1. From the Group by list, select the attribute to use to group the issues in the issues table.
2. From the Filter by list, select the attributes to use to filter the issues for display in the issues table.
(Note that you can select multiple attributes from this list, although you must select them one at a time.)
3. To refine the issues table further:
a. Click Advanced.
The Advanced Issue Filters window opens.
b. From the Select filter category list, select a category.
The Select filters list is populated with the filters available for the selected category.
c. To refine the Select filters list further, type a text string in the text box.
The Select filters list displays the filters that contain the text that matches the text you typed.
d. In the Select filters list, click each of the filters you want to add to the Selected filters list to the
right.
e. To add filters for another filter category, repeat these steps.
f. Click Apply.
The Filter by box now displays all of the filters you have selected.
4. To remove one of the filters, click the close symbol to its left.
5. To clear all selected filters, click the Clear all icon.
See Also
"Searching Globally in Software Security Center" on page 112
Changing Displayed Issues Using Filter Sets
SSC provides the following filter sets for changing the display of application version issues on the Overview
and Audit pages:
• Quick View
The Quick View filter set provides a view only of issues in the Critical folder (these have a potentially high
impact and a high likelihood of occurring) and the High folder (these have a potentially high impact and a
low likelihood of occurring). The Quick View filter set provides a useful first look at results that enables you
to quickly address the most pressing issues.
• Security Auditor View
This view reveals a broad set of security issues to be audited. The Security Auditor View filter contains no
visibility filters, so all issues are shown.
• PCI Auditor View
This view is defined for individuals responsible for auditing an application with respect to its compliance
with Payment Card Industry Security Standards.
Setting Issue Viewing Preferences
You can set certain viewing preferences for individual application versions from the Application Profile dialog
box.
Topics covered in this section:
Viewing Suppressed Issues (page 110)
Viewing Removed Issues (page 111)
Viewing Hidden Issues (page 111)
Viewing Suppressed Issues
To view the suppressed issues associated with an application version:
1. From the Applications view, select the version name for the application version you are interested in.
SSC opens the Overview page for the selected version.
2. On the application version toolbar, click Profile.
The Application Profile dialog box opens to the Advanced Options tab.
The number in parentheses (N) next to Show suppressed issues represents the total number of
suppressed issues in the database associated with the selected application version.
Note: The filter set you have selected does not affect the number of suppressed issues shown. For
example, if a suppressed issue is hidden in the selected filter set, it is still included in the count of
suppressed issues.
3. Select the Show suppressed issues (N) check box.
4. Click Apply.
See Also
"Viewing Removed Issues" on the next page
Viewing Removed Issues
When SSC merges uploaded scan results, it removes issues that were uncovered in the previous analysis
but are no longer evident in the most recent results.
To view the issues that were removed for an application version:
1. From the Applications view, select the version name for the application version you are interested in.
SSC opens the Overview page for the selected version.
2. On the application version toolbar, click Profile.
The Application Profile dialog box opens to the Advanced Options tab.
The number in parentheses (N) next to Show removed issues represents the total number of removed
issues in the database associated with the selected application version.
Note: The filter set you have selected does not affect the number of removed issues shown. For
example, if a suppressed issue is hidden in the selected filter set, it is still included in the count of
removed issues.
3. Select the Show removed issues (N) check box.
4. Click Apply.
See Also
"Viewing Hidden Issues" below
"Viewing Suppressed Issues" on the previous page
Viewing Hidden Issues
In Software Security Center, hidden issues are the issues not shown because of the filter set rules currently
applied.
To reveal any hidden issues associated with an application version:
1. From the Applications view, select the version name for the application version you are interested in.
SSC opens the Overview page for the selected version.
2. On the application version toolbar, click Profile.
The Application Profile dialog box opens to the Advanced Options tab.
The number in parentheses (N) next to Show hidden issues represents the total number of hidden
issues in the database associated with the selected application version.
3. Select the Show hidden issues (N) check box.
4. Click Apply.
Searching Globally in Software Security Center
Regardless of where you are in the SSC user interface, you have access to the global Search field in the
Hewlett Packard Enterprise header. Any search string you type here is applied across all application
versions, issues, reports, comments, and users.
To use the global Search field:
1. From any view, type a search string into the Search box.
SSC displays the first several items that match your search string, grouped by category.
2. To go to a specific item listed, click the item.
SSC opens the user interface where you can view or work on the item.
3. To see a list of all search results, click See All Results.
Example: Finding issues
After you select a single issue from the listed results, SSC takes you to the corresponding version page with
the issue expanded to full view.
If you select See All Results, SSC takes you to the Search Results page. From here, you can open the
first match with the issue expanded to full view. From there, you can use the next and previous buttons
to page through all of the findings.
Example: Finding users
After you select a single user from the listed results, assuming you have the required permission, SSC takes
you to the details for the user account in the Administration view.
If you select See All Results, SSC takes you to the Search Results page.
See Also
"Searching Applications and Application Versions from the Applications View" on page 60
Software Security Center and WebInspect Enterprise Integration
Software Security Center and HPE Security WebInspect are closely integrated and can share scan results.
Administrators can also submit requests for WebInspect dynamic scans from the Software Security Center
interface. This section describes how to view WebInspect results in Software Security Center and provides
instructions for Software Security Center users on how to request scans.
Topics covered in this section:
Viewing WebInspect Scan Results in Software Security Center (page 114)
WebInspect Audit Data (page 116)
False Positives (page 117)
Viewing WebInspect Scan Results in Software Security Center
WebInspect saves scan results (results data and audit data) in FPR format, which you can upload to SSC.
(See "Uploading Scan Artifacts" on page 89.) WebInspect issue details differ somewhat from those shown
for issues uncovered by other analyzers, such as SCA.
The screen capture on the following page shows the details displayed in the SSC Audit page for an issue
uncovered during a WebInspect scan.
In the left panel of the Code tab, the Overview section displays summary information about the finding, the
analysis value (if set), and the Implications section. The Additional References section lists any pertinent
references available.
The panel on the right displays the following information:
URL: Website page on which the vulnerability was detected
Method: HTTP method used for the attack (for example GET, PUT, and POST)
Vulnerable Parameter: Name of the vulnerable parameter
Attack Payload: Shellcode used as the payload for exploiting the vulnerability
Below this information, the Request section displays the request made, with the attack highlighted. The
Response section displays the response to the request, with the trigger highlighted.
Note: The Steps tab is available only if the steps are included in the WebInspect results file.
Viewing Additional Details and Recommendations
To view additional details and recommendations for the issue, on the issue toolbar, click one of the following:
• Open in new tab
• Expand to full screen
On the right, the Detailed Advice panel opens to the Details section, which provides suggestions on what to
look for in this issue.
To view recommendations and tips on how to address the issue, from the Details list, select
Recommendations.
For information about how to audit the issue, see "Auditing Issues" on page 102.
WebInspect Audit Data
In addition to screen shots, the following types of audit data are transferred from WebInspect to Software
Security Center:
• Vulnerability Notes. Vulnerability notes in WebInspect are transferred to SSC as issue comments.
• Ignored Vulnerabilities. Vulnerabilities marked as “Ignored” in WebInspect are marked “Suppressed”
upon transfer to SSC.
• False Positives. See "False Positives" on the next page.
False Positives
Software Security Center does not have a direct equivalent of the WebInspect “false positive” status. If a
WebInspect user marks a vulnerability as a false positive, the vulnerability is hidden from the vulnerability
lists and is removed from the vulnerability counts.
To emulate the false positive status in SSC, you can use the default Analysis custom tag. A WebInspect
false positive is assigned the Analysis value “Not an Issue” in SSC. To emulate the WebInspect behavior of
hiding the issue from lists and counts, the issue is marked as Suppressed.
Note: If the selected value for Analysis has changed from “Not an Issue” or is missing, or if the
Analysis list has been removed from your application version, then the false positive status of the issue
is lost. The issue is marked as “Suppressed.”
See Also
"Viewing Suppressed Issues" on page 110
Chapter 7: Software Security Center and CloudScan Integration
If SSC is configured to communicate with HPE Security Fortify CloudScan, then the SSC user interface
includes the Scans view, which contains the Scan Requests, Sensors, and Controller pages for CloudScan.
The following sections describe these pages and their functionality. For information about how to configure
the connection between SSC and CloudScan, see the HPE Security Software Security Center Installation
and Configuration Guide.
This section contains the following topics:
Viewing CloudScan Scan Request Details (page 118)
Exporting CloudScan Scan Request Details (page 119)
Canceling CloudScan Scan Requests (page 120)
Viewing CloudScan Sensor Information (page 120)
Viewing CloudScan Controller Information (page 121)
Viewing CloudScan Scan Request Details
To view details on CloudScan scan requests:
1. On the Hewlett Packard Enterprise header, click Scans.
The Scans view opens to the Scan Requests page, which lists all scan requests and details for each,
including the job token for the request, the build ID, status, application version, and more.
2. To filter the displayed requests based on current state, from the Filter by list, select a state.
3. To expand a row and see more detail about a given scan, click the row.
4. To update the data displayed, click Refresh Table.
See Also
"Exporting CloudScan Scan Request Details" below
"Canceling CloudScan Scan Requests" on the next page
"Viewing CloudScan Sensor Information" on the next page
"Viewing CloudScan Controller Information" on page 121
Exporting CloudScan Scan Request Details
To export the details for a CloudScan scan request:
1. On the Hewlett Packard Enterprise header, click Scans.
The Scans view opens to the Scan Requests page, which lists all scan requests and the details for
each, including the job token for the request, the build ID, status, application version, and more.
2. To filter the displayed requests based on current state, from the Filter by list, select a state.
3. To see the details for a scan, click its row.
4. Do one of the following:
• If the scan was completed and you want to export the resulting FPR file, click Export, select FPR,
and then specify the directory to which you want to save the file.
• To export the log for the scan (with any status except for Scan Faulted), click Export, select Log, and
then specify the directory to which you want to save the file.
See Also
"Viewing CloudScan Sensor Information" below
"Viewing CloudScan Controller Information" on the next page
Canceling CloudScan Scan Requests
To cancel a prepared CloudScan scan request:
1. On the Hewlett Packard Enterprise header, click Scans.
The Scans view opens to the Scan Requests page, on which a table lists all scan requests and the
details for each.
2. To filter the displayed requests based on current state, from the Filter by list, select a state.
3. Expand the row for the prepared scan request that you want to cancel.
4. At the bottom right, click Cancel Scan.
SSC prompts you to confirm that you want to cancel the request.
5. Confirm the cancellation.
6. To update the data displayed on the Scan Requests page, click Refresh Table.
See Also
"Exporting CloudScan Scan Request Details" on the previous page
Viewing CloudScan Sensor Information
To view current information about CloudScan sensor states and activities:
1. On the Hewlett Packard Enterprise header, click Scans.
The Scans view opens to the Scan Requests page, on which a table lists all scan requests and the
details for each.
2. In the left panel, select CloudScan, and then select Sensors.
3. To filter the displayed sensors based on current state (Active, Inactive, or Stale) from the Filter by list,
select a state.
4. To expand a row and see more detail about a given sensor, click the row.
See Also
"Viewing CloudScan Scan Request Details" on page 118
"Canceling CloudScan Scan Requests" on the previous page
Viewing CloudScan Controller Information
To view CloudScan Controller information:
1. On the Hewlett Packard Enterprise header, click Scans.
The Scans view opens to the Scan Requests page, on which a table lists all scan requests and the
details for each.
2. In the left panel, select CloudScan, and then select Controller.
3. For descriptions of the information displayed, click the information icons.
See Also
"Viewing CloudScan Scan Request Details" on page 118
"Canceling CloudScan Scan Requests" on page 120
"Viewing CloudScan Sensor Information" on page 120
Chapter 8: BIRT Reports in Software Security Center
SSC reports are based on the Business Intelligence and Reporting Technology (BIRT) system. BIRT is an
open source reporting system based on Eclipse.
For information about BIRT, see the following page on the Eclipse website:
http://www.eclipse.org/birt/phoenix/intro
This section contains the following topics:
Software Security Center Issue Reports (page 123)
Software Security Center Portfolio Reports (page 126)
Application Summary Report (page 127)
Generating and Viewing Reports (page 127)
Preventing Destructive Libraries and Templates from being Uploaded to Software Security Center (page 129)
BIRT Libraries (page 129)
Importing Report Libraries (page 130)
Customizing Software Security Center BIRT Reports (page 130)
Acquiring the BIRT Report Designer (page 131)
Exporting Report Definitions from Software Security Center (page 131)
Importing Report Definitions into Software Security Center (page 132)
Software Security Center Issue Reports
The Issue report group summarizes the presence of specific vulnerability categories in a single SSC
application version.
Topics covered in this section:
CWE/SANS Top 25 Reports (page 124)
Developer Workbook Report (page 124)
DISA STIG 3, 3.4, 3.5, 3.7, and 3.9 Reports (page 124)
FISMA Compliance: FIPS - 200 Report (page 124)
OWASP Mobile Top 10 Reports (page 124)
OWASP Top 10 Reports (page 125)
PCI DSS Compliance: Application Security Report (page 125)
Penetration Testing Correlation Report (page 125)
Seven Pernicious Kingdoms Report (page 125)
Vulnerability Report (page 125)
CWE/SANS Top 25 Reports
The CWE/SANS Top 25 reports detail findings related to the CWE/SANS top 25 most dangerous
programming errors uncovered for an application version, and provide information about where and how to
address the findings.
Developer Workbook Report
The Developer Workbook report, which is targeted at project managers and developers, contains all of the
information needed to understand and fix issues discovered during an application version audit.
DISA STIG 3, 3.4, 3.5, 3.7, and 3.9 Reports
The DISA STIG 3, 3.4, 3.5, 3.7, and 3.9 reports, which are targeted at project managers, security auditors,
and developers, address DISA compliance through STIG 3, 3.4, 3.5, 3.7, and 3.9 violations found in an
application version. They provide information about where and how to fix the issues, and details about the
technical risks posed by unremediated violations. The reports also include an estimate of the effort required to
fix, verify, and test the findings.
FISMA Compliance: FIPS - 200 Report
The FISMA Compliance: FIPS - 200 report, which is targeted at project managers, security auditors, and
developers, addresses FISMA compliance through FIPS-200 violations detected in an application version. It
provides information about where and how to fix the issues, as well as details about the technical risks posed
by unremediated violations. The report also includes an estimate of the effort required to fix, verify, and test
the findings.
OWASP Mobile Top 10 Reports
The OWASP Mobile Top 10 reports, which are targeted at project managers, security auditors, and software
developers, detail the top ten OWASP mobile-related findings for an application version. They provide
information on where and how to fix specific issues and on the technical risk posed by the unremediated
findings discovered during analysis. The reports also provide estimates of the effort required to fix, verify, and
test the findings.
OWASP Top 10 Reports
The OWASP 2004, 2007, 2010, and 2013 reports, which are targeted at project managers, security auditors,
and developers, detail the top ten OWASP-related findings for an application version. They include
information about where and how to fix the issues, as well as details about the technical risks posed by
unremediated violations. The reports also provide estimates of the effort required to fix, verify, and test the
findings.
PCI DSS Compliance: Application Security Report
The PCI Compliance: Application Security Requirements report is targeted at project managers, security
auditors, and compliance auditors. It summarizes the application security portions of PCI DSS v2.0 and 3.0.
Software Security Center tests for 21 application security-related requirements across sections 3, 4, 6, 7, 8,
and 10 of PCI DSS and reports on whether each requirement is either “in place” or “not in place.”
Penetration Testing Correlation Report
Use the Penetration Testing Correlation Report to correlate results from third-party penetration testing tools
with issues detected by WebInspect Agent, Runtime Application Protection, and Source Code Analyzer
issues for a Software Security Center application version.
Seven Pernicious Kingdoms Report
The Seven Pernicious Kingdoms Report is directed at project managers, security auditors, and developers.
This report summarizes the findings related to the presence of several HPE Security-defined issues (see
http://www.hpenterprisesecurity.com/vulncat/en/docs/Fortify_TaxonomyofSoftwareSecurityErrors.pdf) in an
application version. It includes information about where and how to fix the issues, and details about the
technical risks posed by unremediated issues. The report also provides estimates of the effort required to fix,
verify, and test the findings.
Vulnerability Report
The Vulnerability Report provides an analysis of the security risk posed by an application version’s current
status. It presents the vulnerability category and severity level distributions across the entire application. The
report data enable managers to evaluate the security posture of an application and prioritize outstanding
issues that require immediate attention.
Software Security Center Portfolio Reports
The Portfolio report group contains reports that enable you to compare issue trends and indicators across
multiple Software Security Center application versions.
Topics covered in this section:
Hierarchical Summary Report (page 126)
Issue Trending Report (page 126)
Key Performance Indicators Report (page 126)
Security at a Glance Report (page 127)
Hierarchical Summary Report
The Hierarchical Summary Report presents a three-level, hierarchical summary for all applications you select
to include in the report. It provides the following information:
• Overview statistics for all selected applications
• A specific application attribute
• Applications grouped by owner
You can choose to exclude the project summary and owner details from the report.
Issue Trending Report
Use the Issue Trending Report to create an historical summary of issues by:
• Application version
• Issue categorization (Fortify Priority Order, Kingdom, or OWASP 2004, 2007, 2010, or 2013)
• Date range
The charts in this report show the number of issues found in each application you selected to include. They
display the total number of issues, as well as a breakdown of High Priority and Critical Exposure issues per
application.
Key Performance Indicators Report
The Key Performance Indicators Report summarizes multiple security performance indicators based on
application attributes. Project managers and security officers can use this view of the application portfolio to
perform basic comparisons between attribute groupings. This report permits indicators to be grouped by
application type or other cross-application categories.
Security at a Glance Report
Use the Security at a Glance Report to produce a high-level overview of the security of your application
portfolio. The data included in the report directs portfolio owners towards the top risk concerns within the
portfolio. These concerns are presented in the form of riskiest applications and the most pervasive
vulnerability types found.
Combined with the enterprise business risk data, this information helps you prioritize resources in your
remediation efforts. The information is presented so that it is most useful for security officers and project
managers.
Application Summary Report
Use the Application Summary report to summarize a single version of an application. This report includes a
high-level look at the outstanding issues associated with the application version and detailed information
related to its risk profile. It also includes a summary of the user activities.
Generating and Viewing Reports
To generate and view a Software Security Center report:
1. Log on to SSC and click Reports.
The Reports page opens.
2. On the Reports page toolbar, click + New Report.
The Create New Report dialog box opens.
3. To see a description of the report that results from a listed template, move your cursor to the report
listing, and then move it to the information icon.
4. Navigate to and select the report template you want to use.
The panels on the right display the configuration fields for the template you select.
5. Specify the required report settings, including the report name, output format, and application versions to
include in the report.
Depending on the report type, additional settings might be required or available.
6. If multiple editions of a report template are available, from the Options list, select the edition you want to
generate.
7. Click Generate.
Software Security Center adds the report to the Reports table, which lists all reports, based on
category. After the report generation is completed, the Status field displays the value Processing
Complete.
Note: If you typed content in the Notes box when you configured the report, the Notes column
displays a special icon for the report.
8. To view the report, move your cursor over the row that displays the report name, and then click
Download.
9. After the download is complete, in the lower left corner of your screen, open the shortcut menu for the
downloaded report file, and then select an option to open the report.
Preventing Destructive Libraries and Templates from being Uploaded to Software Security Center
Caution: A malicious user might modify a report library or template so that it contains arbitrary and
potentially destructive SQL queries and commands. Only upload libraries and templates that have been
written by a trusted user and that have been reviewed for malicious queries and commands.
Only users with permission to manage report definitions and libraries can upload custom report libraries and
templates to SSC. To prevent templates that execute arbitrary and potentially destructive SQL queries and
commands from being uploaded to SSC:
• Make sure to assign these permissions only to trusted users.
• Make sure to check all custom templates for arbitrary SQL queries and commands before uploading them
to SSC.
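One way to carry out the review the caution above calls for, as an added example that is not SSC product code and is not part of this guide: the script below parses a BIRT report design or library file and flags any data-set query that is not a single SELECT, that carries destructive keywords, or that sits beside a run-time script hook able to rewrite the query after it was reviewed. It assumes the BIRT design-file layout (SQL in an `xml-property` element named `queryText`, scripts in `method` elements); the sample design, its table names and the keyword policy are constructed for the example.

```python
"""Static pre-upload check of a BIRT report design or library for SQL that is
not a read-only query.  Added example for this guide, not SSC product code.
Assumptions: BIRT design files keep each data set's SQL in an
<xml-property name="queryText"> element and run-time scripts in <method>
elements; the keyword policy below is illustrative and should be tuned."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Statements an SSC report template has no business running against the database.
DESTRUCTIVE = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE", "CREATE",
               "GRANT", "REVOKE", "EXEC", "EXECUTE", "CALL", "MERGE"}
# Script hooks that can rewrite queryText at run time and so bypass a static review.
SCRIPT_HOOKS = {"beforeOpen", "afterOpen", "beforeClose", "onFetch", "initialize"}


def strip_sql_comments(sql: str) -> str:
    """Drop /* */ and -- comments so keywords hidden inside them are not missed
    and keywords that only appear in comments are not flagged."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", " ", sql)


def classify_query(sql: str) -> list:
    """Return review findings for one queryText value (empty list means clean)."""
    findings = []
    statements = [s.strip() for s in strip_sql_comments(sql).split(";") if s.strip()]
    if len(statements) > 1:  # stacked statements such as "SELECT 1; DELETE ..."
        findings.append("multiple statements in one query")
    for stmt in statements:
        words = re.findall(r"[A-Za-z_]+", stmt.upper())
        if not words:
            continue
        if words[0] not in ("SELECT", "WITH"):
            findings.append(f"statement does not start with SELECT: {words[0]}")
        hits = sorted(DESTRUCTIVE.intersection(words))
        if hits:
            findings.append("destructive keyword(s): " + ", ".join(hits))
    return findings


def _local(tag: str) -> str:
    """Strip the XML namespace BIRT puts on every element."""
    return tag.rsplit("}", 1)[-1]


def review_design(xml_data) -> list:
    """Walk a design file (str or bytes) and return every finding with its location."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        name = elem.get("name", "")
        if _local(elem.tag) == "xml-property" and name == "queryText":
            findings += [f"queryText: {f}" for f in classify_query(elem.text or "")]
        elif _local(elem.tag) == "method" and name in SCRIPT_HOOKS:
            findings.append(f"script hook '{name}' present: review it manually")
    return findings


# Constructed sample design: one clean data set, one tampered data set.  Table
# names are placeholders, not the SSC schema.
SAMPLE_DESIGN = """<?xml version="1.0" encoding="UTF-8"?>
<report xmlns="http://www.eclipse.org/birt/2005/design" version="3.2.23">
  <data-sets>
    <oda-data-set name="IssueCounts" id="7">
      <xml-property name="queryText"><![CDATA[
        SELECT v.version_name, COUNT(i.id) AS open_issues
        FROM placeholder_issues i JOIN placeholder_versions v ON i.version_id = v.id
        GROUP BY v.version_name
      ]]></xml-property>
    </oda-data-set>
    <oda-data-set name="Tampered" id="8">
      <xml-property name="queryText"><![CDATA[
        SELECT 1; -- looks harmless
        DELETE FROM placeholder_audit_log
      ]]></xml-property>
      <method name="beforeOpen"><![CDATA[this.queryText = "...";]]></method>
    </oda-data-set>
  </data-sets>
</report>
"""

if __name__ == "__main__":
    # Review the files named on the command line, or the constructed sample.
    sources = [Path(p).read_bytes() for p in sys.argv[1:]] or [SAMPLE_DESIGN]
    for src in sources:
        for finding in review_design(src) or ["no findings"]:
            print(finding)
```

A clean result from this check is a starting point for the manual review the guide asks for, not a substitute for it.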
BIRT Libraries
With BIRT Libraries, commonly required functions and report items can be encapsulated. These libraries can
then be imported into any number of BIRT reports for reuse. In addition, the concept of libraries helps
segment report development tasks, as opposed to requiring a single report developer to create all
components for each report by himself.
Note: Before you use the BIRT report libraries, you must acquire the BIRT Report Designer. For
instructions, see "Acquiring the BIRT Report Designer" on the next page.
Reports that reference libraries are automatically updated during report execution. This is useful in cases
where business or technical changes would otherwise require report rework. For example, if a library
component such as a corporate logo is used in a large number of report designs, then a change to the logo
would only require a change to the library. All referencing reports would reflect the change automatically.
Importing Report Libraries
If you are an Administrator-level user, you can add report libraries to the SSC server.
To add a report library:
1. In the left panel of the Administration view, select Templates, and then select Report Libraries.
The Report Libraries page lists all of the report libraries in the system.
2. In the Report Libraries toolbar, click Import.
The Import New Library Template dialog box opens.
3. (Optional) In the Description box, type a description of the library you are importing.
4. Click Browse, and then navigate to and select the report library resource.
5. Click Save.
The Report Libraries list now includes the library you added.
Customizing Software Security Center BIRT Reports
Customizing BIRT reports is not a beginner-level activity. Customizing SSC reports requires an
understanding of database operation and design, SQL syntax, and report design.
To customize an SSC BIRT report:
1. Acquire a supported version of Eclipse BIRT Report Designer (Report Designer).
For information about the BIRT Report Designer versions supported for SSC reports, see the
HPE Security Fortify Software Security Center System Requirements document.
For information about downloading Eclipse BIRT Report Designer, see "Acquiring the BIRT Report
Designer" on the next page.
2. Load an SSC report definition into Report Designer.
You typically first export a report definition from SSC, and then upload that report definition into Report
Designer. For information about how to export an SSC report definition, see "Exporting Report
Definitions from Software Security Center" on the next page.
3. Connect Report Designer to a running instance of the SSC database.
Connecting Report Designer to the SSC database enables you to load and verify the database queries
you add to a BIRT report.
4. Use the Report Designer to add report design elements to the report definition, and add database queries
to those design elements.
5. Use a local instance of SSC to test the operation of a customized BIRT report.
6. Import the customized report definition into SSC.
For information about importing report definitions into SSC, see "Importing Report Definitions into Software
Security Center" on the next page.
Acquiring the BIRT Report Designer
To customize Software Security Center reports, you must use a supported version of the Eclipse BIRT
Report Designer (Report Designer). For information about supported versions, see the HPE Security Fortify
Software Security Center System Requirements document.
To download the Eclipse BIRT Report Designer:
1. Open a web browser window and go to the following download page:
http://download.eclipse.org/birt/downloads/build_list.php
2. Download the Report Designer Full Eclipse Install for your operating system.
Exporting Report Definitions from Software Security Center
Perform the procedure in this section to export an existing SSC report definition.
To export an SSC report definition:
1. Click Reports.
2. Click Report Definitions.
SSC displays the Reports Definition page, which lists all defined reports.
3. To export a report definition:
a. On the Report Definitions page, select a report definition.
In the right-side details panel, SSC displays details about the selected report. The details include a
link to the selected report’s definition (rptdesign filename extension).
b. In the right-side report details panel, click the download link for the selected report to export the
report definition file.
SSC exports the report to the selected location.
Importing Report Definitions into Software Security Center
SSC reports are based on the open-source Business Intelligence and Reporting Tools (BIRT) system.
BIRT enables you to import report definition files into SSC.
To complete the procedure in this section, you need an SSC BIRT definition (with the rptdesign filename
extension).
To create an SSC report definition:
1. Click Reports.
2. Click Report Definitions.
SSC displays the Report Definitions page.
3. Click Add.
SSC displays the Create Report Definition panel.
4. Configure the new report definition as follows:
   • Type or choose the Name, Description, Report Engine, and Category settings.
   • In the Template area, browse to the SSC BIRT definition (with the rptdesign filename extension).
5. Add one or more optional parameters to the new SSC report definition.
   • In the Parameters area, click Add.
   • Type or choose the Name, Description, Identifier, and Data Type settings that correspond to those
     values in the BIRT template you are uploading.
6. To add the new report definition to the list of definitions, click Save.
Chapter 9: Authentication Tokens
Authentication tokens are unique keys that enable users to automate actions in SSC without using
passwords. The user requests a token, authenticates to SSC, and receives a string that is
permissioned for a small set of time-limited actions.
For example, an AnalysisUploadToken does not allow the user to log on to the interface or view results.
Common actions include uploading scan results and downloading reports.
This section contains the following topics:
Generating Authentication Tokens    133
Generating Authentication Tokens
To generate a token, run the following HPE Security Fortify Static Code Analyzer command:
fortifyclient token -gettoken <token_name> -url SSC_URL -user USERNAME -password
The following table lists the available token_name options.

Option                   Description
AnalysisUploadToken      Upload scan results to SSC and list applications
AuditToken               Load details about current security issues and apply analysis tags
AnalysisDownloadToken    Download merged result files
ReportToken              Enables users to:
                         • Request list of saved reports
                         • Request saved report based on the report ID
                         • Delete saved reports
                         • Return list of saved reports associated with a specific application version
                         • Generate new reports
Authentication tokens are defined at runtime in WEB-INF/internal/serviceContext.xml.
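As an added example that is not part of the HPE guide, the following POSIX shell wrapper requests the narrowest token type for a CI task with the fortifyclient command shown above, keeps the password off the command line, and stores the returned token in a file only its owner can read. It assumes that fortifyclient accepts the password on standard input when -password is given without a value (verify this against your version), that SSC_URL, SSC_USER and SSC_PASSWORD are set in the environment, and that FORTIFYCLIENT is an optional override of the binary path; none of these is stated on the page.

```shell
#!/bin/sh
# Added example, not from the HPE guide: wrap the documented
#   fortifyclient token -gettoken <token_name> -url SSC_URL -user USERNAME -password
# so that a CI job gets the narrowest token type for its task, never puts the
# password on the command line (argv is visible in `ps` and shell history), and
# keeps fortifyclient's response in a file only its owner can read.
# Assumptions (not stated on the page): fortifyclient reads the password from
# standard input when -password is given without a value; SSC_URL, SSC_USER and
# SSC_PASSWORD are set in the environment; FORTIFYCLIENT optionally overrides
# the path to the fortifyclient binary.
set -eu

# Map the action a job needs to the narrowest token type from the guide's table.
token_for_action() {
  case "$1" in
    upload)   echo AnalysisUploadToken ;;
    audit)    echo AuditToken ;;
    download) echo AnalysisDownloadToken ;;
    report)   echo ReportToken ;;
    *) echo "token_for_action: unknown action '$1'" >&2; return 1 ;;
  esac
}

# Request a token for ACTION ($1) and write fortifyclient's response to OUT ($2).
get_token_to_file() {
  action=$1; out=$2
  name=$(token_for_action "$action")
  # umask inside a subshell: OUT is created 0600 without changing the caller's
  # umask; the password travels over stdin, not argv.
  ( umask 077
    printf '%s\n' "$SSC_PASSWORD" | "${FORTIFYCLIENT:-fortifyclient}" token \
        -gettoken "$name" -url "$SSC_URL" -user "$SSC_USER" -password > "$out" )
  # Fail closed if the file is somehow group- or world-readable.
  if [ -n "$(find "$out" -perm -044 -print)" ]; then
    rm -f "$out"
    echo "get_token_to_file: $out is not private, removed" >&2
    return 1
  fi
}

# Usage: sh get_token.sh upload ./.ssc-token
if [ $# -eq 2 ]; then
  get_token_to_file "$1" "$2"
fi
```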
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an email
client is configured on this system, click the link above and an email window opens with the following
information in the subject line:
Feedback on User Guide (Fortify Software Security Center 16.10)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to HPFortifyTechPubs@hpe.com.
We appreciate your feedback!