HPE Security Fortify Software Security System and WebInspect

HPE Security Fortify Software Security Center and WebInspect
Software Version: 16.10
System Requirements
Document Release Date: November 2016
Software Release Date: April 2016
Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise Development products and services are set forth in the
express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or
omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is
(i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of
the software to be scanned, and may not be used for any other purpose.
You shall not install or use the software on any third party or shared (hosted) server without explicit consent
from the third party.
Copyright Notice
© Copyright 2001 - 2016 Hewlett Packard Enterprise Development LP
Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.
Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact
your HPE sales representative for details.
HPE Security Fortify Software Security Center and WebInspect (16.10)
Page 2 of 42
Contents
Introduction
  Version Numbering
  Software Delivery
  Software Licenses
HPE Security Fortify Software Security Center Server Requirements
  Hardware Requirements
  Java Heap Size
  Platforms and Architectures
  Application Servers
  Databases
  Browsers
  Authentication Systems
  BIRT Reporting
  Service Integrations
Software Security Center Configuration Tool Requirements
  Hardware Requirements
  Platforms and Architectures
  Java Virtual Machine
  Graphical User Interface
HPE Security Fortify Static Code Analyzer Requirements
  Hardware Requirements
  Software Requirements
  Platforms and Architectures
  Supported Languages
  iOS and Xcode Support
  Build Tools
  Compilers
  Secure Code Plugins
  Service Integrations for Secure Code Plugins
  Security Content
HPE Security Fortify CloudScan Requirements
  CloudScan Command-Line Interface Hardware Requirements
  CloudScan Controller Hardware Requirements
HPE Security Fortify Runtime Requirements
  Platforms and Architectures
  Java Runtime Environments
  Java Application Servers
  .NET Frameworks
  IIS for Windows Server
HPE Security WebInspect Requirements
  Hardware Requirements
  Software Requirements
  Ports and Protocols
  Required Connections
  Optional Connections
  Connections for Tools
  Notes on Microsoft SQL Server Editions
  Running as Administrator
  HPE Security Fortify WebInspect Agent
  HPE Security WebInspect Software Development Kit (SDK)
  Software Integrations
HPE Security WebInspect Enterprise Requirements
  WebInspect Enterprise Installation and Upgrade Requirements
  Integrations for WebInspect Enterprise
  Hardware Requirements
  Software Requirements
  Hardware Requirements for WebInspect Enterprise Administrative Console
  Software Requirements for WebInspect Enterprise Administrative Console
  Ports and Protocols
  Required Connections
  Optional Connections
  Connections for Tools
  WebInspect Enterprise Sensor
  WebInspect Enterprise Notes and Limitations
HPE Security License and Infrastructure Manager (LIM) Requirements
  Hardware Requirements
  Software Requirements
Version Compatibility Matrix
  Software Security Center Component Compatibility
  FPR File Compatibility
  Software Security Center Custom Process Templates
  Software Security Center Support for Runtime Configuration Bundle and Template
  Software Security Center Support for Virtual Machines
  Virtual Machine Support
Technologies no Longer Supported in this Software Security Center Release
Technologies and Features to Lose Support in the Next Release of Software Security Center
Acquiring HPE Security Fortify Software
  Downloading HPE Security Fortify Software
  Verifying Software Downloads
HPE Assistive Technologies (Section 508)
  Using JAWS with HPE Security Products
Send Documentation Feedback
Introduction
This document provides the details about the environments and products that HPE supports for this version
of HPE Security Fortify Software Security Center and its associated product suite, which includes:
- HPE Security Fortify Software Security Center Server
- HPE Security Fortify Static Code Analyzer
- HPE Security Fortify Audit Workbench and Secure Code Plugins
- HPE Security Fortify CloudScan
- HPE Security Fortify Runtime
- HPE Security WebInspect
- HPE Security WebInspect Enterprise
- HPE Security License and Infrastructure Manager (LIM)
Version Numbering
The version numbering scheme for all HPE Security Fortify products has changed so that all products
released at the same time are more easily identified as belonging to the same release. The new version
number format is <year>.<release_number> where <year> is the two-digit year of the release and
<release_number> is a two-digit release number such as 10, 20, 30, and so on. The following table provides examples.
| Year | Release Type | Release Number | Version Number |
|---|---|---|---|
| 2016 | Major | 10 | 16.10 |
| 2016 | Minor, Patch, or Service Pack | 11 | 16.11 |
| 2016 | Major | 20 | 16.20 |
| 2017 | Major | 10 | 17.10 |
| 2017 | Major | 20 | 17.20 |
Software Delivery
Software Security Center software is delivered only electronically. It is not available on disc. See "Acquiring
HPE Security Fortify Software" on page 35 for more information.
Software Licenses
Before you can start using HPE Security software, you must download the licenses for your purchases from
the Fortify Customer Portal (https://support.fortify.com). To access the site, use the credentials that
HPE Security Fortify Customer Support has provided.
HPE Security Fortify Software Security Center Server Requirements
This section describes the system requirements for the HPE Security Fortify Software Security Center
(SSC) server.
Hardware Requirements
HPE Security Fortify Software Security Center requires the following:
| Component | Requirement |
|---|---|
| Processor | 2.0 GHz dual-core 64-bit or faster |
| RAM | 8+ GB |
Java Heap Size
The Java heap size for the Software Security Center server must be set to a minimum of 4 GB.
Platforms and Architectures
Software Security Center supports the platforms and architectures listed in the following table.
| Operating System | Architectures | Versions |
|---|---|---|
| Linux | 64-bit | Red Hat EL 6 update 5 and later; Red Hat EL 7.x; SUSE Linux ES 12; Oracle Linux 6 update 5 and later; Oracle Linux 7.x |
| Windows Server® | 64-bit | Server 2012 R2 |
| Oracle Solaris | x86, 64-bit | 10.5 and later, 11.2, 11.3 |
Note: Although Software Security Center has not been tested on all Linux variants, most distributions
are not known to cause issues.
Application Servers
Software Security Center supports the application servers listed in the following table.
| Application Server | Versions | Java Versions |
|---|---|---|
| Apache Tomcat | 8.0 | 8 |
| Oracle WebLogic 12c | 12.1.3 | 8 |
| IBM WebSphere 8 | 8.5.5 | 7 |
| Red Hat JBoss Enterprise Application Platform | 6.3.0 | 8 |
Note: Clustering in JBoss is not supported.
Databases
Software Security Center requires that all database schema collations be case-sensitive.
See the HPE Security Fortify Software Security Center Installation and Configuration Guide for detailed
instructions if either of the following apply:
- You are using a Microsoft SQL Server or MySQL database. Additional database configuration might be required.
- You are already a Software Security Center user and your database is case-insensitive.
For a production environment, Software Security Center supports the databases listed in the following table.
Microsoft SQL Server 2012, 2014
  Supported character sets:
    Make sure to use the case-sensitive (CS) option when choosing your collation method. For example:
      SQL_Latin1_General_CP1_CS_AS
    For performance reasons, you must append the following string to the end of your JDBC URL:
      sendStringParametersAsUnicode=false
    Example:
      jdbc:sqlserver://dbhost:1433;database=ssc;sendStringParametersAsUnicode=false
  Drivers:
    Microsoft JDBC Driver 4.0 for SQL Server
    Driver class: com.microsoft.sqlserver.jdbc.SQLServerDriver
    Jar file: sqljdbc4.jar

MySQL 5.6
  Supported character sets:
    utf8_bin, latin1_general_cs
    You must append the connectionCollation property to the JDBC URL.
    Example:
      jdbc:mysql://localhost:3306/ssc?connectionCollation=latin1_general_cs
      jdbc:mysql://localhost:3306/ssc?connectionCollation=utf8_bin
  Drivers:
    5.1.35 or later
    Driver class: com.mysql.jdbc.Driver
    Jar file: mysql-connector-java<version>-bin.jar

Oracle Database 12.1
  Supported character sets:
    AL32UTF8 for all languages
    WE8MSWIN1252 for US English
  Drivers:
    Oracle Database 12c Release 1 (12.1) JDBC Drivers
    Driver class: oracle.jdbc.OracleDriver
    Jar files: ojdbc7.jar (for Java 7 or later)

IBM DB2 10.5 fixpack 6
  Supported character sets:
    UTF8, IBM-1252
  Drivers:
    IBM DB2 JDBC Driver v10.5
    Driver class: com.ibm.db2.jcc.DB2Driver
    Jar file: db2jcc4.jar
  Note: IBM DB2 drivers also require that you add at least one of the following driver license files to
  the CLASSPATH before you load the JDBC driver and seed your database:
    db2jcc_license_cisuz.jar
    db2jcc_license_cu.jar
Note: Software Security Center Demonstration Server includes an Apache Derby database for
evaluation purposes only. The database cannot be expanded or upgraded. Do not use it to store critical
data.
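The JDBC URL requirements in the database table above can be checked before deployment. The following is an added example, not part of the HPE documentation: it flags a SQL Server URL that lacks sendStringParametersAsUnicode=false and a MySQL URL that lacks connectionCollation or names a collation other than the two listed. The function names and the sample URLs in the demo (other than those quoted from the table) are constructed for illustration.

```python
"""Preflight check for Software Security Center JDBC URLs (added example)."""
from urllib.parse import parse_qsl

# Case-sensitive MySQL collations listed in the database table.
MYSQL_COLLATIONS = {"utf8_bin", "latin1_general_cs"}


def _sqlserver_props(url):
    """Return {lowercased name: value} for a jdbc:sqlserver URL.

    SQL Server URLs carry properties as ';name=value' pairs after the
    host part; the Microsoft driver treats property names case-insensitively.
    """
    props = {}
    for part in url.split(";")[1:]:
        name, sep, value = part.partition("=")
        if sep and name.strip():
            props[name.strip().lower()] = value.strip()
    return props


def _mysql_props(url):
    """Return {name: value} from the query string of a jdbc:mysql URL.

    Names are compared exactly as written (assumption: the driver is
    case-sensitive about connection property names).
    """
    _, _, query = url.partition("?")
    return dict(parse_qsl(query, keep_blank_values=True))


def check_jdbc_url(url):
    """Return a list of problems; an empty list means the URL meets the table's requirements."""
    url = "".join(url.split())  # tolerate URLs wrapped across lines, as in the table
    lowered = url.lower()
    problems = []
    if lowered.startswith("jdbc:sqlserver:"):
        value = _sqlserver_props(url).get("sendstringparametersasunicode")
        if value is None:
            problems.append("missing sendStringParametersAsUnicode=false")
        elif value.lower() != "false":
            problems.append(
                f"sendStringParametersAsUnicode is {value!r}, expected 'false'")
    elif lowered.startswith("jdbc:mysql:"):
        collation = _mysql_props(url).get("connectionCollation")
        if collation is None:
            problems.append("missing connectionCollation property")
        elif collation not in MYSQL_COLLATIONS:
            problems.append(
                f"connectionCollation {collation!r} is not one of "
                f"{sorted(MYSQL_COLLATIONS)}")
    elif lowered.startswith(("jdbc:oracle:", "jdbc:db2:")):
        pass  # the table states no URL property requirement for Oracle or DB2
    else:
        problems.append("not a JDBC URL for a production database listed in the table")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs; the first and third are quoted from the table.
    samples = [
        "jdbc:sqlserver://dbhost:1433;database=ssc;sendStringParametersAsUnicode=false",
        "jdbc:sqlserver://dbhost:1433;database=ssc",
        "jdbc:mysql://localhost:3306/ssc?connectionCollation=utf8_bin",
        "jdbc:mysql://localhost:3306/ssc?connectionCollation=utf8_general_ci",
    ]
    for sample in samples:
        print(sample, "->", check_jdbc_url(sample) or "OK")
```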
Database Disk Space
Use the following formula to estimate the size (in GB) of the Software Security Center database disk space:
(<TotalIssues>*30 kb) + <TotalArtifacts in kb> ÷ 1,000,000
where:
<TotalIssues> is the total number of issues in the system
<TotalArtifacts> is the total size of all uploaded artifacts and scan results
Note: This equation produces only a rough estimate for database disk space allocation. The formula is
not intended for use in estimating disk space requirements for long-term projects. Disk requirements for
Software Security Center databases grow in proportion to the number of projects, scans, and issues in
the system.
Browsers
HPE recommends that you use one of the browsers listed in the following table and a minimum screen
resolution of 1280x1024.
| Browser | Version | Adobe Flash Player |
|---|---|---|
| Mozilla Firefox | 43.0 or later | 10.2 or later, 11 (recommended) |
| Internet Explorer | 9 (partially supported in new UI), 10, 11 | 10.2 or later, 11 (recommended) |
| Google Chrome | 48.0 or later | 10.2 or later, 11 (recommended) |
| Safari | 8 | 14. Note: To access Software Security Center Flex user interface, you must have Adobe Flash Player version 16 or later installed. |
| JAWS | See "HPE Assistive Technologies (Section 508)" on page 40 | 10.2 or later, 11 (recommended) |
Authentication Systems
Software Security Center supports the following directory services:
- LDAP: LDAP 3 compatible
- Windows Active Directory Service
Single Sign-On (SSO)
Software Security Center supports:
- HTTP SSO (Oracle SSO, CA SSO)
- SAML SSO
- SPNEGO/Kerberos SSO
- PKI SSO (X.509)
- CAS SSO
BIRT Reporting
Software Security Center reports support Business Intelligence and Reporting Technology (BIRT)
version 4.4.2.
Service Integrations
Software Security Center supports the service integrations listed in the following table.
| Service | Applications | Versions |
|---|---|---|
| Bug tracking | Bugzilla | 4.5 |
| Bug tracking | HPE Application Lifecycle Management (HPE ALM)/HP Quality Center. Note: HPE ALM 11 changeset mapping is only supported with VisualSVN. | 11.5, 12.01 |
| Bug tracking | JIRA | 6.4 |
| Authentication | Active Directory | 2008, 2012 |
| Dynamic assessments | HPE Security WebInspect Enterprise | 16.10 |
Software Security Center Configuration Tool Requirements
This section describes the system requirements for the Software Security Center Configuration Tool.
Hardware Requirements
The Software Security Center Configuration Tool requires the following:
| Component | Requirement |
|---|---|
| Processor | 2.0 GHz or faster, 64-bit |
| RAM | 4 GB or higher (minimum 3 GB available) |
Note: The default heap memory size (Xmx) for the configuration tool is set at 1,024 MB and the
maximum permanent generation memory size (MaxPermSize) is also set to 1,024 MB. Because the
configuration tool relies on the Hibernate framework to communicate with the database and must open a
number of archive files to seed the database, it requires that no less than 3 GB RAM be freely available.
To determine how much free RAM is available, see the documentation for your operating system.
Platforms and Architectures
The Software Security Center Configuration Tool supports the same platforms and architectures as Software
Security Center. For details, see "Platforms and Architectures" on page 6.
Java Virtual Machine
The Software Security Center Configuration Tool supports Oracle JVM version 8. For the exact JVM version
supported on your operating system, see operating system-specific requirements.
Graphical User Interface
The Software Security Center Configuration Tool supports the following graphical user interfaces:
- X Window System for Linux and Solaris
- Desktop UI for Windows
Note: The system from which the configuration tool is run must also have network access to the
database and infrastructure servers.
HPE Security Fortify Static Code Analyzer Requirements
This section describes the HPE Security Fortify Static Code Analyzer (SCA) system requirements.
Hardware Requirements
HPE recommends that you install HPE Security Fortify Static Code Analyzer (SCA) on a high-end processor
with at least 8 GB of RAM. If your software is complex, you might require more RAM. See the
HPE Security Fortify Static Code Analyzer Performance Guide for more information.
The minimum requirements for running SCA in parallel mode are:
- 16 GB RAM per core
- 4 cores
Increasing the number of processor cores and increasing memory both result in faster processing.
Software Requirements
SCA requires Java 8. The HPE Security Fortify SCA and Applications installer installs JVM 1.8.0_72.
Platforms and Architectures
SCA supports the platforms and architectures listed in the following table.
| Operating System | Architectures | Platforms |
|---|---|---|
| Linux | 64-bit | RedHat EL 6 update 5 and later; RedHat EL 7.x; Oracle Linux 6 update 5 and later; Oracle Linux 7.x; SUSE Linux ES 12 |
| Windows | 64-bit | Windows Server 2012 R2; Windows 8.1; Windows 10 |
| Oracle Solaris | x86, 64-bit | 10.5 and later; 11.2, 11.3 |
| Oracle Solaris | SPARC 64-bit | 10.5 and later; 11.2, 11.3 |
| HP-UX | Itanium 64-bit | 11.31 |
| AIX | 64-bit | 6.1, 7.1, 7.2 |
| Mac OS | | 10.10, 10.11 |
Note: If an operating system that you require is not listed as supported, contact HPE Security Fortify
Support.
Note: Audit Workbench, Process Designer, Custom Rules Editor, and Scan Wizard are not supported
on AIX, HP-UX, or Oracle Solaris systems.
Supported Languages
SCA supports the programming languages listed in the following table.
| Language | Versions |
|---|---|
| ABAP/BSP | 6 |
| ActionScript/MXML (Flex) | 3, 4 |
| ASP.NET, VB.NET, C# (.NET) | 2.0, 3.0, 3.5, 4.5, 4.5.1, 4.5.2 |
| C/C++ | See "Compilers" on page 14 |
| Classic ASP (with VBScript) | 2, 3 |
| COBOL | IBM Enterprise COBOL for z/OS 3.4.1 with CICS, IMS, DB2 embedded SQL, and WebSphere MQ |
| ColdFusion CFML | 8, 9, 10 |
| HTML | 5 and earlier |
| Java (including Android) | 5.0, 6, 7, 8 |
| JavaScript/AJAX | 1.7 |
| JSP | 1.2, 2.1 |
| Objective-C | See "Compilers" on the next page |
| PHP | 5.3 |
| PL/SQL | 8.1.6 |
| Python | 2.6 - 2.7 |
| T-SQL | SQL Server 2005, 2008, 2012 |
| Ruby | 1.9.3 |
| Swift | 2.2 |
| Visual Basic | 6 |
| VBScript | 2, 5 |
| XML | 1.0 |
iOS and Xcode Support
SCA supports the iOS software development kit and Xcode versions listed in the following table.
Note: Xcode support is limited to Objective-C and does not apply to Objective-C++ or pure C/C++.
| iOS SDK | Xcode Version |
|---|---|
| 8 | 6 |
| 9 | 7 |
Build Tools
SCA supports the build tools listed in the following table.
| Build Tool | Versions |
|---|---|
| Ant | 1.9.6 |
| Jenkins | 1.6 |
| Maven | 3.0.5, 3.3.x |
| MSBuild | 2, 3.5, 4.x |
| Xcodebuild | 5.x, 6.x, 7.x |
Compilers
SCA supports the compilers listed in the following table.
| Platform | Compiler | Versions |
|---|---|---|
| Mac OS | LLVM | 6.4, 7.0, 7.1, 7.2, 7.3 |
| AIX, Linux, HP-UX, Mac OS, Solaris, Windows | gcc | GNU gcc 4.9 and 5.x |
| AIX, Linux, HP-UX, Mac OS, Solaris, Windows | g++ | GNU g++ 4.9 through 5.x |
| Linux | Intel C++ Compiler | icc 8.0 |
| Windows | cl | VS 2012, 2013, 2015 |
| Solaris | Oracle Solaris Studio | 12 |
| AIX, Linux, HP-UX, Mac OS, Solaris, Windows | Oracle javac | 7, 8 |
Secure Code Plugins
This section describes the supported IDE environments for Secure Code Plugins.
| Plugin | IDE Versions |
|---|---|
| Eclipse (Complete and Remediation) | Eclipse 4.5 |
| IntelliJ/Android Studio (Scanning and Remediation) | IntelliJ IDEA Ultimate 13, 14, 15; IntelliJ IDEA Community 13, 14, 15; Android Studio 1.5 |
| JDeveloper Remediation | JDeveloper 12c |
| Visual Studio Packages (Complete, Scanning, Remediation) | Visual Studio 2012 Premium, Professional, and Ultimate; Visual Studio 2013 Premium, Professional, and Ultimate; Visual Studio 2015 Community, Professional, and Enterprise. Note: SCA is not compatible with Visual Studio Express. |
| Security Assistant | Eclipse 4.5 |
| Xcode Scanning | Xcode 6.4, 7.0, 7.2, 7.3 |
Service Integrations for Secure Code Plugins
HPE Security Fortify Audit Workbench and Secure Code Plugins support the following bug tracking
integration.
| Bug Tracker Application | Versions | Supported Tools |
|---|---|---|
| Bugzilla | 4.5 | Audit Workbench, Eclipse Plugin, and Visual Studio Package |
| HPE Application Lifecycle Management (HPE ALM)/HP Quality Center | 11.5, 12.0 | Audit Workbench and Eclipse Plugin |
| Microsoft Team Foundation Server (TFS) | 2012, 2013, 2015 | Visual Studio Package |
| JIRA | 6.4 | Audit Workbench and Eclipse Plugin |
| Software Security Center Bugtracker | 16.10 | Audit Workbench, Eclipse Plugin, and Visual Studio Package |
Note: To integrate with TFS, you must first install the Visual Studio Team Explorer software. To integrate
with TFS 2010, you must install Visual Studio Package on a machine running Visual Studio 2010 Premium or
Professional.
Security Content
HPE Secure Coding Rulepacks (referred to as Rulepacks in the following table) are backward compatible
with all supported HPE Security Fortify Software Security Center versions. This ensures that Rulepack
updates do not break any working Software Security Center installation.
The following table lists the Software Security Center versions supported by Rulepacks 2013.3.0 (and earlier)
and 2013.4.0 (and later).
| Rulepacks | Software Security Center Versions |
|---|---|
| 2013.3.0 and earlier | 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00, 4.10, 4.21 |
| 2013.4.0 and later | 3.80, 3.90, 4.00, 4.10, 4.21, 4.30, 4.40, 16.10 |
Note: New features in Rulepack releases might not be available in older Software Security Center
versions.
HPE Security Fortify CloudScan Requirements
HPE Security Fortify CloudScan has three major components: CloudScan Command Line Interface
(CloudScan CLI), CloudScan Controller, and CloudScan Cloud. This section describes the requirements for
each component.
CloudScan Command-Line Interface Hardware Requirements
CloudScan CLI runs on any machine that supports HPE Security Fortify Static Code Analyzer. Because
CloudScan CLI is installed on build machines running SCA, the hardware requirements are met.
CloudScan Controller Hardware Requirements
HPE recommends that you install CloudScan Controller on a high-end 64-bit processor running at 2 GHz with
at least 8 GB of RAM.
CloudScan Controller Platforms and Architectures
The CloudScan Controller supports the platforms and architectures listed in the following table.
| Operating System | Architecture | Versions |
|---|---|---|
| Linux | 64-bit | Red Hat EL 6 Update 5; Red Hat EL 7; SUSE Linux ES 12; Oracle ES 5 Update 6, ES 6 Update 4 and later |
| Windows | 64-bit | Server 2012 R2; Windows 7 SP1; Windows 8.1 |
CloudScan Controller Disk Space Requirements
To estimate the amount of disk space required on the machine that runs CloudScan Controller, use the
following equation:
(Number of Jobs Per Day) x (Average Size of Mobile Build Session) x (Number of Days Data is Persisted)
100 MB is a conservative estimate of the average mobile build session size.
By default, data is persisted for seven days.
HPE Security Fortify Runtime Requirements
HPE Security Fortify Runtime is delivered as separate install images for HPE Security Fortify Runtime
Application Protection, HPE ArcSight Application View, and HPE Security Fortify WebInspect Agent.
Platforms and Architectures
HPE Security Fortify Runtime supports 32-bit and 64-bit applications written in Java 5, 6, 7, and 8.
Java Runtime Environments
HPE Security Fortify Runtime supports the Java runtime environments listed in the following table.
| JRE | Major Versions |
|---|---|
| IBM J9 | 5 (SR10 and later); 6 (SR6 and later) |
| Oracle JDK | 5, 6, 7, 8 |
| Oracle JRockit | 5 and 6 (Rev. 27.6 and later) |
Note: Runtime for Java is supported on Unix, Linux, and Windows.
Java Application Servers
HPE Security Fortify Runtime supports the Java application servers listed in the following table.
| Application Server | Versions |
|---|---|
| Apache Tomcat | 6.0, 7.0, 8.0 |
| Red Hat JBoss Enterprise Application Platform | 5.1.2, 5.2.0, 6.0.1, 6.1.1, 6.2.0 |
| Oracle WebLogic | 10.0, 10.3, 11g, 11gR1, 12c |
| IBM WebSphere | 7.0, 8.0, 8.5, 8.5.5 |
.NET Frameworks
HPE Security Fortify Runtime supports 32-bit and 64-bit applications using the following .NET frameworks:
2.0, 3.0, 3.5, 4.0, 4.5, and 4.5.1.
IIS for Windows Server
HPE Security Fortify Runtime supports Microsoft Internet Information Services (IIS) versions 6.0, 7.0, 7.5, 8
and 8.5.
HPE Security WebInspect Requirements
Before you install HPE Security WebInspect, check to make sure that your system meets the requirements
described here.
Hardware Requirements
HPE recommends that you install WebInspect on a system that conforms to the supported components
listed in the following table. Beta or pre-release versions of operating systems, service packs, and required
third-party components are not supported.
| Component | Requirement | Notes |
|---|---|---|
| Processor | 2.5 GHz quad-core or faster | Recommended |
| Processor | 2.0 GHz dual-core | Minimum |
| RAM | 8+ GB (2 GB per core) | Recommended |
| RAM | 4 GB | Minimum |
| Hard disk | 100+ GB | Recommended |
| Hard disk | 40 GB | Minimum |
| Display | 1980 x 1080 | Recommended |
| Display | 1280 x 1024 | Minimum |
Important: If you are running a WebInspect sensor with SQL Express, HPE recommends that you use
at least a 4-core CPU and a 64-bit operating system with at least 8 GB of RAM.
Software Requirements
WebInspect runs on and works with the software packages listed in the following table.
Note: WebInspect is available in both 32-bit and 64-bit installation versions.
Package
Versions
Notes
Windows
Windows 7 with SP1
Recommended
Windows 8 or 8.1
Windows Server 2008 R2 with SP1
Windows Server 2012 or 2012 R2
.NET
Microsoft .NET Framework 3.5 SP1
and 4.5.1
SQL Server
Microsoft SQL Server 2012 with SP2
Recommended
No scan database limit
SQL Server
Express
Browser
Microsoft SQL Server 2012 with SP1
No scan database limit
Microsoft SQL Server 2014 with SP1
No scan database limit
Microsoft SQL Server 2012 Express
with SP1
Recommended
Microsoft SQL Server 2012 Express
with SP2
10 GB scan database limit
Microsoft SQL Server 2008 R2 Express
R2 with SP3
10 GB scan database limit
Internet Explorer 11
Recommended
10 GB scan database limit
Recommended when installing
WebInspect as a sensor
Internet Explorer 10
Portable Document
Format
Adobe Acrobat Reader, version 11
Recommended
Adobe Acrobat Reader, version 8.1.2
Minimum
Ports and Protocols
This section describes the ports and protocols HPE Security WebInspect uses to make required and optional
connections.
Required Connections
The following table lists the ports and protocols HPE Security WebInspect uses to make required
connections.
| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
|---|---|---|---|---|---|
| WebInspect to target host | Target host | Scan target host | Any | HTTP | WebInspect must connect to the web application or web service to be scanned. |
| WebInspect to SQL database | MS SQL Express or MS SQL Standard / Enterprise | SQLEXPRESS service on localhost or SQL TCP service locally installed or remote host | 1433 | SQL TCP | Used for maintaining the scan data and generating reports within the WebInspect application. |
| WebInspect to Certificate Revocation List (CRL) | Verisign CRL | http://crl.verisign.com/pca3.crl or http://csc3-2004crl.verisign.com/CSC3-2004.crl | 80 | HTTP | Offline installations of WebInspect or WebInspect Enterprise require you to manually download and apply the CRL from Verisign. WebInspect products prompt for these lists from Windows and their absence can cause problems with the application. A one-time download is sufficient, but regularly repeating this CRL download process is recommended as part of regular maintenance. |
Optional Connections
The following table lists the ports and protocols HPE Security WebInspect uses to make optional
connections.
| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
|---|---|---|---|---|---|
| WebInspect to HPE License activation server | Remote HPE Licensing Service | https://licenseservice.HPSmartUpdate.com | 443 | HTTPS over SSL | For one-time activation of a WebInspect Named User license. May optionally use the following: (1) an offline activation process instead of using this direct connection; (2) upstream proxy with authentication instead of a direct connection. |
| WebInspect to SmartUpdate server | Remote SmartUpdate service | https://smartupdate.HPSmartUpdate.com | 443 | HTTPS over SSL | Used to automatically SmartUpdate the WebInspect product. SmartUpdate is automatic when opening the product UI, but can be disabled and run manually. Can optionally use upstream proxy with authentication instead of a direct connection. |
| WebInspect to HPE Support Channel server | Remote HPE Support Channel service | https://SupportChannel.HPSmartUpdate.com | 443 | HTTPS over SSL | Used to retrieve product marketing messages as well as to upload WebInspect data or product suggestions to HPE Security Fortify Support. Message check is automatic when opening the product UI, but can be disabled and run manually. Can optionally use upstream proxy with authentication instead of a direct connection. |
| WebInspect to HPE Telemetry server | Remote HPE Telemetry and performance reporting service | https://162.218.136.239 | 443 | HTTPS over SSL | The Telemetry service provides an automated process for collecting and sending WebInspect usage information to HPE. HPE software developers use this information to help improve the product. |
| WebInspect to HPE License and Infrastructure Manager (LIM) | HPE LIM | Lease Concurrent User license | 443 | Web services over SSL | Required for WebInspect client to lease and use a Concurrent User license maintained in a LIM license pool. You can detach client license from LIM once activated to avoid a constant connection. |
| WebInspect API listener | Local machine API, or network IP address | http://localhost:8083/webinspect/ | User-specified port or 8083 (Local Licensing Service) | HTTP | Use to activate a WebInspect API Windows Service. This opens a listening port on your machine, which can be used locally or remotely to generate scans and retrieve the results programmatically. This API can be SSL enabled, and supports Basic or Windows authentication. |
| WebInspect to HPE WebInspect Enterprise | HPE WIE server | User-specified WebInspect server | Server-specified port | HTTP or HTTPS over SSL | The Enterprise Server menu connects WebInspect as a client to the enterprise security solution to transfer findings as well as user role and permissions management. |
| WebInspect Sensor service to HPE WebInspect Enterprise | HPE WIE server | User-specified WebInspect server | Server-specified port | HTTP or HTTPS over SSL | Separate from the WebInspect UI, the local installation may be configured as a remote scan engine for use by the enterprise security solution community. This is done through a Windows Service. This constitutes a different product from WebInspect desktop and is recommended to be run on its own, non-user-focused machine. |
| Browser to WebInspect | localhost | Manual Step-Mode Scan | Dynamic or 8081 or user-specified | HTTP or HTTPS over SSL | WebInspect serves as a web proxy to the browser, enabling manual testing of the target web server through WebInspect. |
| WebInspect to HPE Quality Center (HPE ALM) | HPE QC server | User-specified HPE QC server | Server-specified port | HTTP or HTTPS over SSL | Permits submission of findings as defects to the HPE ALM defect management system. |
| WebInspect to IBM Rational ClearQuest | IBM CQ server | User-specified IBM CQ server | Server-specified port | HTTP or HTTPS over SSL | Permits submission of findings as defects to the ClearQuest defect management system. |
Connections for Tools
The following table lists the ports and protocols that the WebInspect tools use to make connections.
| Tool | Direction | Endpoint | Port | Protocol | Notes |
|---|---|---|---|---|---|
| Web Proxy | To target host | localhost | 8080 or user-specified | HTTP or HTTPS over SSL | Intercepts and displays web traffic |
| Web Form Editor | To target host | localhost | Dynamic, 8100, or user-specified | HTTP or HTTPS over SSL | Intercepts web traffic and captures submitted forms |
| Login or Workflow Web Macro Recorders | To target host | localhost | Dynamic, 8081, or user-specified | HTTP or HTTPS over SSL | Records browser sessions for replay during scan |
| Web Discovery | WebInspect machine to targeted IP range | Target host network range | User-specified range | HTTP and HTTPS over SSL | Scanner for identifying rogue web applications hosted among the targeted scanned IP and port ranges. Use to provide targets to WebInspect (manually) |
Notes on Microsoft SQL Server Editions
When using the Express edition of Microsoft SQL Server:
• Scan data must not exceed the database size limit. If you require a larger database or you need to share your scan data, use the full version of Microsoft SQL Server.
• During installation you might want to enable “Hide advanced installation options.” Accept all default settings. WebInspect requires the default instance be named SQLEXPRESS.
When using the full edition of Microsoft SQL Server:
• You can install the full version of Microsoft SQL Server 2008 or 2012 on the local host or nearby (co-located). You can configure this option within the WebInspect Application Settings (Edit > Application Settings > Database).
Running as Administrator
WebInspect requires administrative privileges for proper operation of all features. Refer to your Windows
operating system documentation for instructions on changing the privilege level to run WebInspect as an
administrator.
HPE Security Fortify WebInspect Agent
For system requirements, see "HPE Security Fortify Runtime Requirements" on page 17.
HPE Security WebInspect Software Development Kit (SDK)
The WebInspect SDK requires the following software:
• Microsoft Visual Studio 2013
• Microsoft .NET Framework 4.5.1
Important: Visual Studio Express versions do not support third-party extensions such as the
WebInspect SDK. Therefore, these versions do not meet the software requirements for using the SDK.
Software Integrations
WebInspect can be integrated with the products listed in the following table.
| Product | Versions |
|---|---|
| HPE Security WebInspect Enterprise | 16.10 |
| HPE Application Lifecycle Management (HPE ALM) | 11.0, 11.52, 12 |
| HPE Security Fortify Software Security Center | 16.10 |
| HPE Unified Functional Testing | 11.5 |
HPE Security WebInspect Enterprise Requirements
Before you install WebInspect Enterprise, check to make sure that your systems meet the requirements
described here.
Note: Product versions that are not specifically listed in this document are not supported.
WebInspect Enterprise Installation and Upgrade Requirements
HPE Security Fortify Software Security Center 16.10 must be installed and running before you install a new
instance of WebInspect Enterprise, upgrade from WebInspect Enterprise 10.50, or migrate from AMP 9.2x.
You can install Software Security Center and WebInspect Enterprise on the same or different machines.
Using separate machines might improve performance.
Integrations for WebInspect Enterprise
HPE supports integration of WebInspect Enterprise with the following components:
• HPE Security WebInspect sensors 16.10
• HPE Security Fortify WebInspect Agent 16.3
Hardware Requirements
The following table lists the hardware requirements for the WebInspect Enterprise Server.
| Component | Requirement | Notes |
|---|---|---|
| Processor | 3.0 GHz quad-core or faster | Recommended |
| | 2.5 GHz dual-core | Minimum |
| RAM | 8+ GB (2 GB per core) | Recommended |
| | 4 GB | Minimum |
| Hard disk | 100+ GB | Recommended |
| | 20+ GB if using a local database | |
| | 5 GB if using a remote database | |
| Display | 1980 x 1080 | Minimum |
| | 1280 x 1024 | Recommended |
Software Requirements
WebInspect Enterprise Server runs on and works with the software packages listed in the following table.
| Package | Versions | Notes |
|---|---|---|
| Windows | Windows Server 2008 R2 with SP1 | Recommended |
| | Windows Server 2012 or 2012 R2 | |
| .NET | Microsoft .NET Framework 3.5 SP1 and Microsoft .NET Framework 4.5.1 | |
| Platform | Microsoft IIS 8.5 | Recommended |
| | Microsoft IIS 7.5 or 8.0 | |
| SQL Server | Microsoft SQL Server 2012 with SP2 | Recommended. No scan database limit |
| | Microsoft SQL Server 2012 with SP1 | No scan database limit |
| | Microsoft SQL Server 2014 with SP1 | No scan database limit |
| | Microsoft SQL Server 2008 R2 with SP2 | No scan database limit |
| Browser | Internet Explorer 11 | Recommended |
| | Mozilla Firefox 40.0 | Recommended |
| | Mozilla Firefox 33.0 | |
Plugins for Enterprise Servers
For Software Security Center: Flash
For WebInspect Enterprise: Silverlight 5.0 or 5.1
Note: Users who plan to perform Guided Scan or create reports while using the Mozilla Firefox browser
must download and install the Firefox add-on for the .NET Framework Assistant. To get it, users can
click Add-ons on the Mozilla Firefox Start Page in the Firefox browser and search for .NET.
Hardware Requirements for WebInspect Enterprise Administrative Console
The following table lists the hardware requirements for the WebInspect Enterprise Administrative Console.
| Component | Requirement | Notes |
|---|---|---|
| Processor | 2.5 GHz dual-core | Minimum |
| RAM | 4 GB | Minimum |
| Hard disk | 2 GB | |
| Display | 1980 x 1080 | Recommended |
| | 1280 x 1024 | Minimum |
Software Requirements for WebInspect Enterprise Administrative Console
The WebInspect Enterprise Administrative Console runs on and works with the software packages listed in
the following table.
Note: The WebInspect Enterprise Administrative Console is available in both 32-bit and 64-bit
installation versions.
| Package | Versions | Notes |
|---|---|---|
| Windows | Windows 7 with SP1 | Recommended |
| | Windows 8 or 8.1 | |
| | Windows Server 2008 R2 with SP1 | |
| | Windows Server 2012 or 2012 R2 | |
| .NET | Microsoft .NET Framework 3.5 SP1 | |
| | Microsoft .NET Framework 4.5.1 | |
Ports and Protocols
This section describes the ports and protocols HPE Security WebInspect Enterprise uses to make required
and optional connections.
Required Connections
The following table lists the ports and protocols HPE Security WebInspect Enterprise uses to make required
connections.
| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
|---|---|---|---|---|---|
| WebInspect Enterprise Manager server to SQL database | MS SQL Standard / Enterprise | SQL TCP service on locally installed or remote host | 1433 | SQL TCP | Used for maintaining the scan data and full Enterprise environment. Custom configurations of MS SQL are permitted, including port changes and encrypted communication. |
| WebInspect Enterprise Manager machine to HPE SSC server | SSC server | User-specified SSC server | User-specified port or 8180 | HTTP or HTTPS over SSL | As a modular add-on, WebInspect Enterprise requires a connection to its core SSC server. |
| Sensor machines to WebInspect Enterprise Manager server | WebInspect Enterprise server | User-specified WebInspect Enterprise server | User-specified port or 443 | HTTPS over SSL | Communication is two-way HTTP traffic, initiated inbound by the Sensor machine. |
| Browser users to WebInspect Enterprise server UI | WebInspect Enterprise server | User-specified WebInspect Enterprise server | User-specified port or 443 | HTTPS over SSL | You can configure WebInspect Enterprise not to use SSL, but tests have indicated that it might affect the usability of the product. |
| Browser users to SSC server UI | SSC server | User-specified SSC server | User-specified port or 8180 | HTTP or HTTPS over SSL | You can configure the SSC server on any available port during installation. |
| WebInspect Enterprise Manager machine to HPE SmartUpdate server | SmartUpdate | https://smartupdate.HPSmartUpdate.com | 443 | HTTPS over SSL | Used to acquire updates for the product as well as all connected clients (Sensors and WebInspect Desktop). The administrator manually runs SmartUpdate, but HPE recommends setting up an automated schedule. New client releases are held in reserve until the WebInspect Enterprise administrator marks them as Approved, at which time they are automatically distributed from the WebInspect Enterprise Manager server. Can support the use of an upstream proxy with authentication instead of a direct Internet connection. |
Optional Connections
The following table lists the ports and protocols HPE Security WebInspect Enterprise uses to make optional
connections.
| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
|---|---|---|---|---|---|
| WebInspect desktop machines to WIE Manager server | HPE WebInspect Enterprise server | User-specified HPE WebInspect Enterprise server | User-specified port or 443 | HTTPS over SSL | Communication is two-way HTTP traffic, initiated in-bound by the WebInspect desktop machine. |
| WebInspect Enterprise Manager machine to HPE License activation server | HPE Licensing Service | https://licenseservice.HPSmartUpdate.com | 443 | HTTPS over SSL | For one-time activation of WebInspect Enterprise server license as well as periodic checks during updating. You may optionally use the following: (1) an offline activation process instead of using this direct connection; (2) upstream proxy with authentication instead of a direct Internet connection. |
| WebInspect Enterprise Manager machine to mail server | User’s mail server | E-mail alerts | 25 or user-specified port | SMTP | Used for SMTP alerts for administration team. If you want mobile TXT alerts then you can use an SMTP-to-SMS gateway address. |
| WebInspect Enterprise Manager machine to SNMP Community | User’s SNMP Community | SNMP alerts | 162 or user-specified port | SNMP | Used for SNMP alerts for administration team. |
Connections for Tools
The following table lists the ports and protocols that the WebInspect tools use to make connections.
| Tool | Direction | Endpoint | Port | Protocol | Notes |
|---|---|---|---|---|---|
| Web Proxy | To target web application | localhost | 8080 or user-specified | HTTP or HTTPS over SSL | Intercepts and displays web traffic |
| Web Form Editor | To target web application | localhost | Dynamic, 8100, or user-specified | HTTP or HTTPS over SSL | Intercepts web traffic and captures submitted forms |
| Login or Workflow Web Macro Recorders | To target web application | localhost | Dynamic, 8081, or user-specified | HTTP or HTTPS over SSL | Records browser sessions for replay during scan |
| Web Discovery | To targeted IP range | localhost | User-specified range | HTTP and HTTPS over SSL | Scanner for identifying rogue web applications hosted among the targeted scanned IP and port ranges. Use to provide targets to WebInspect (manually) |
WebInspect Enterprise Sensor
A WebInspect Enterprise sensor is a WebInspect sensor that runs scans on behalf of WebInspect
Enterprise. See "HPE Security WebInspect Requirements" on page 18 for more information.
WebInspect Enterprise Notes and Limitations
• You can upgrade directly from WebInspect Enterprise 10.50 to WebInspect Enterprise 16.10. You cannot upgrade directly from any other versions of WebInspect Enterprise. For detailed information about upgrades, see the HPE Security WebInspect Enterprise Installation and Implementation Guide.
• You can migrate directly from Assessment Management Platform (AMP) 9.2x to WebInspect Enterprise 10.20. You cannot migrate from any other version of AMP or to any other version of WebInspect Enterprise.
  If you migrate from AMP 9.2x, the Initialization Wizard part of installation will back up and copy the AMP database, and then modify the copy as needed to make it compatible with the WebInspect Enterprise 10.20 database schema. For this process, the server that hosts the AMP database must have available disk space at least three times the size of the current AMP database to be migrated. For example, if the AMP database to be migrated is 500 GB, then the AMP database server must have at least 1.5 TB of free space.
  For detailed information, see the HPE Security WebInspect Enterprise Installation and Implementation Guide.
• Software Security Center 16.10 must be installed and running before you install a new instance of WebInspect Enterprise, upgrade from WebInspect Enterprise 10.50, or migrate from AMP 9.2x. You can install Software Security Center and WebInspect Enterprise on the same or different machines. Using separate machines may improve performance.
• Any instance of Software Security Center can be connected to only one instance of WebInspect Enterprise, and any instance of WebInspect Enterprise can be connected to only one instance of Software Security Center.
• To run a scan from WebInspect Enterprise, at least one instance of WebInspect must be connected and configured as a sensor.
• The WebInspect Enterprise Administrative Console does not need to be installed on the same machine as the Web Console of the WebInspect Enterprise server. The two consoles have different system requirements, as described previously. In addition, you can install multiple Administrative Consoles on different machines connected to the same WebInspect Enterprise server.
• HPE recommends that you configure the database server on a separate machine from either Software Security Center or WebInspect Enterprise.
• The WebInspect Enterprise Server SQL database requires case-insensitive collation.
  Note: This is opposite the requirement for Software Security Center databases as described in "Databases" on page 7.
• WebInspect Enterprise must not be installed on the same server with an instance of Assessment Management Platform (AMP).
• For a WebInspect Enterprise environment to support Internet Protocol version 6 (IPv6), the IPv6 protocol must be deployed on each WebInspect Enterprise Administrative Console, each WebInspect Enterprise sensor, and the WebInspect Enterprise server.
• If you plan to perform Guided Scan or create reports while using the Mozilla Firefox browser, you must download and install the Firefox add-on for the .NET Framework Assistant. To obtain it, click Add-ons on the Mozilla Firefox Start Page in the Firefox browser and search for .NET.
HPE Security License and Infrastructure Manager (LIM) Requirements
This section describes the hardware and software requirements for HPE Security License and Infrastructure
Manager (LIM).
Hardware Requirements
HPE recommends that you install the HPE Security License and Infrastructure Manager (LIM) on a system
that conforms to the supported components listed in the following table. Beta or pre-release versions of operating
systems, service packs, and required third-party components are not supported.
| Component | Requirement | Notes |
|---|---|---|
| Processor | 2.5 GHz single-core or faster | Recommended |
| | 1.5 GHz single-core | Minimum |
| RAM | 2+ GB | Recommended |
| | 1 GB | Minimum |
| Hard disk | 50+ GB | Recommended |
| | 20 GB | Minimum |
| Display | 1280 x 1024 | Recommended |
| | 1024 x 768 | Minimum |
Software Requirements
HPE Security License and Infrastructure Manager (LIM) runs on and works with the software packages listed
in the following table.
| Package | Versions | Notes |
|---|---|---|
| Windows Server | Windows Server 2012 or 2012 R2 | |
| | Windows Server 2008 R2 with SP1 | |
| | Windows Server 2008 with SP2 | |
| Microsoft Internet Information Server (IIS) | Version 7 or later | |
| Microsoft .NET Framework | 4.5.1 | |
| Browser | Internet Explorer 11 | Recommended |
| | Internet Explorer 10 | |
| | Mozilla Firefox 33.0 | Recommended |
| | Mozilla Firefox 30.0 | |
Version Compatibility Matrix
This section provides compatibility information for Software Security Center and its components.
Software Security Center Component Compatibility
HPE Security Fortify Software Security Center version 16.10 works with the component versions listed in the
following table.
| Component | Versions |
|---|---|
| Static Code Analyzer | 4.4x, 16.10 |
| Audit Workbench | 4.4x, 16.10 |
| Secure Code Plugins | 4.4x, 16.10 |
| fortifyclient | 4.4x, 16.10 |
| HPE Security Fortify Runtime | 4.4x, 16.10 |
| Process Designer | 4.4x, 16.10 |
| JDeveloper Plugin | 4.4x, 16.10 |
| Visual Studio Remediation Package | 4.4x, 16.10 |
| IntelliJ and Android Studio Remediation Plugin | 4.4x, 16.10 |
| HPE Security Fortify WebInspect Agent | 4.4x, 16.10 |
| HPE Security WebInspect | 16.10 |
| HPE Security WebInspect Enterprise | 16.10 |
FPR File Compatibility
Earlier versions of HPE Security Fortify products cannot open and read FPR files generated by later versions
of HPE Security Fortify products. For example, Audit Workbench 4.40 cannot read 16.10 FPR files.
However, later versions of HPE Security Fortify products can open and read FPR files generated by earlier
versions of HPE Security Fortify products. For example, Audit Workbench version 16.10 can read version
4.40 FPR files.
FPR version numbers are determined as follows:
• The FPR version is the same as the version of the analyzer that initially generated it. For example, an FPR generated by Software Security Center version 16.10 also has the version number 16.10.
• If two FPRs are merged, the resulting FPR has the version of the more recently generated FPR. For example, if a version 4.40 FPR and a version 16.10 FPR are merged, the resulting FPR has the version number 16.10.
Caution Regarding Uploading FPRs to Software Security Center
HPE Security Fortify Software Security Center keeps a project file FPR that contains the latest scan results
and audit information for each project. Audit Workbench and the Secure Code Plugins also use this project
file for collaborative auditing.
Each time you upload an FPR to Software Security Center, it is merged with the project file. If the FPR has a
later version number than the project file, the project file version changes to match the FPR. For Audit
Workbench and the Secure Code Plugins to work with the updated FPR, they must be at least the same
version as the FPR. For example, Audit Workbench 4.31 cannot read a 4.40 FPR.
Software Security Center Custom Process Templates
Software Security Center 16.10 supports version 4.10, 4.21, and 4.30 process templates. If you have custom
process template versions earlier than 4.10, you might need to open them in Process Designer 16.10 and
make appropriate changes before you can use them with Software Security Center 16.10. Always use the
latest version of the process template bundle that ships with Software Security Center to load the standard
system templates.
Software Security Center Support for Runtime Configuration Bundle and Template
Software Security Center 16.10 supports Runtime Configuration Bundle and Template 16.10.
Software Security Center Support for Virtual Machines
Software Security Center 16.10 supports running an approved operating system in a VM environment.
However, you must provide dedicated CPU and memory resources that meet the minimum hardware
requirements. Running Software Security Center 16.10 in a VM environment with shared CPU and memory
resources is not supported.
Virtual Machine Support
You can run HPE products in virtual machine environments, provided that the environment has sufficient
processing, memory, and disk resources dedicated to it that are consistent with the HPE hardware
requirements and supported platforms and architectures. If issues are found that cannot be reproduced on the
native environments with sufficient processing, memory and disk resources, you will need to work with the
provider of the virtual environment to get them resolved.
Technologies no Longer Supported in this Software Security Center Release
The following technologies are no longer supported in Software Security Center:
• Apache Tomcat 7
• GNU gcc 3.x
• IBM DB2 9.7
• IBM Rational Application Developer (RAD) 9.1
• IBM Rational Software Architect (RSA) 9.1
• Java 7 (except for Websphere)
• Red Hat JBoss Enterprise Application Platform 5.2
• IntelliJ Ultimate 12
• Mac OS 10.9
• .NET 1.1
• Oracle Database 11g
• Oracle javac 6
• Oracle Weblogic 11g
• Visual Studio 2010
• Windows 7
• Xcode 5.x
Technologies and Features to Lose Support in the Next Release of Software Security Center
The following technologies are scheduled for deprecation in the next Software Security Center release:
• AIX 7.1
• HPE ALM 11.5
• Bugzilla 4.5
• IntelliJ IDEA Ultimate and Community 13 and 14
• Oracle Solaris (x86, 64-bit) 11.2
• Oracle Solaris (SPARC) 11.2
• Mac OS 10.10
• Microsoft SQL Server 2012
• Red Hat JBoss Enterprise Application Platform (for Software Security Center)
• Xcode 6.x
The following SCA features are scheduled for deprecation in the next release:
• Ant Integration—Build integration using the Sourceanalyzer Ant Task
  Use the command sourceanalyzer <sca_options> ant <ant_options> with an unmodified ant build file.
• Non-native JSP parser
  If you have either set the property com.fortify.sca.jsp.UseNativeParser to false or removed that property entirely from the fortify-sca.properties file, you must migrate to the native JSP parser by adding com.fortify.sca.jsp.UseNativeParser=true to the fortify-sca.properties file. In the next release, the native parser will always execute regardless of how this property is set.
Acquiring HPE Security Fortify Software
HPE Security Fortify software is available as an electronic download. You must have a SAID access
account number to download HPE Security Fortify software from the HPE Security Software Support site.
The following table lists the available packages and describes their contents.
| File Name | Description |
|---|---|
| HPE_Security_Fortify_SSC_16.10_Windows.iso | (For Windows operating systems) Disc image of the entire Software Security Center product line. After downloading, you must either mount the ISO image or burn it to a DVD before installation. |
| HPE_Security_Fortify_SSC_16.10_Windows.iso.sig | (For Windows operating systems) Signature file for the Software Security Center product line ISO |
| HPE_Security_Fortify_SSC_16.10_Linux_Unix_Mac.iso | (For Linux, Unix, and Macintosh operating systems) Disc image of the entire Software Security Center product line. After downloading, you must either mount the ISO image or burn it to a DVD before installation. |
| HPE_Security_Fortify_SSC_16.10_Linux_Unix_Mac.iso.sig | (For Linux, Unix, and Macintosh operating systems) Signature file for the Software Security Center product line ISO |
| HPE_Security_Fortify_Scan_Wizard_16.10_Windows.zip | HPE Security Fortify Scan Wizard for Windows |
| HPE_Security_Fortify_Scan_Wizard_16.10_Windows.zip.sig | Signature file for HPE Security Fortify Scan Wizard for Windows |
| HPE_Security_Fortify_Scan_Wizard_16.10_MacOSX.tar.gz | HPE Security Fortify Scan Wizard for Mac OS X |
| HPE_Security_Fortify_Scan_Wizard_16.10_MacOSX.tar.gz.sig | Signature file for HPE Security Fortify Scan Wizard for Mac OS X |
| HPE_Security_Fortify_Scan_Wizard_16.10_Linux.tar.gz | HPE Security Fortify Scan Wizard for Linux |
| HPE_Security_Fortify_Scan_Wizard_16.10_Linux.tar.gz.sig | Signature file for HPE Security Fortify Scan Wizard for Linux |
| HPE_Security_Fortify_SSC_Demo_Suite_16.10_Windows_x64.zip | HPE Security Fortify Demo Suite for Windows (x64) |
| HPE_Security_Fortify_SSC_Demo_Suite_16.10_Windows_x64.zip.sig | Signature file for HPE Security Fortify Demo Suite for Windows (x64) |
| HPE_Security_Fortify_SSC_Demo_Suite_16.10_Unix.tar.gz | HPE Security Fortify Demo Suite for Unix |
| HPE_Security_Fortify_SSC_Demo_Suite_16.10_Unix.tar.gz.sig | Signature file for HPE Security Fortify Demo Suite for Unix |
| HPE_Security_Fortify_SSC_Server_16.10.zip | HPE Security Fortify Software Security Center |
| HPE_Security_Fortify_SSC_Server_16.10.zip.sig | Signature file for HPE Security Fortify Software Security Center |
| HPE_Security_Fortify_CloudScan_Controller_16.10.zip | HPE Security Fortify CloudScan Controller |
| HPE_Security_Fortify_CloudScan_Controller_16.10.zip.sig | Signature file for HPE Security Fortify CloudScan Controller |
| HPE_Security_Fortify_Runtime_16.10.zip | HPE Security Fortify Runtime |
| HPE_Security_Fortify_Runtime_16.10.zip.sig | Signature file for HPE Security Fortify Runtime |
| HPE_Security_Fortify_SCA_and_Apps_16.10_Windows.zip | HPE Security Fortify SCA and Applications package for Windows. This package includes the following components: HPE Security Fortify Static Code Analyzer; HPE Security Fortify Audit Workbench; Custom Rules Editor; Process Designer; HPE Security Fortify Plugin for Eclipse; HPE Security Fortify Analysis Plugin for IntelliJ and Android Studio; HPE Security Fortify Package for Visual Studio; HPE Security Fortify Remediation Package for Visual Studio; HPE Security Fortify Scanning Package for Visual Studio; Scan Wizard; Product documentation (PDF); Sample applications. Note: Security content (Rulepacks and external metadata) can be downloaded during the installation. HPE Security Fortify Remediation Extension for JDeveloper, HPE Security Fortify Remediation Plugin for Eclipse, HPE Security Fortify Security Assistant Plugin for Eclipse, HPE Security Fortify Remediation Plugin for IntelliJ and Android Studio, and HPE Security Fortify Jenkins Plugin are included as part of the HPE_Security_Fortify_SSC_16.10_Windows package. |
| HPE_Security_Fortify_SCA_and_Apps_16.10_Windows.zip.sig | Signature files for the HPE Security Fortify SCA and Applications package for Windows |
| HPE_Security_Fortify_SCA_and_Apps_16.10_Mac.tar.gz | HPE Security Fortify SCA and Applications package for Macintosh. This package includes the following components: HPE Security Fortify Static Code Analyzer; HPE Security Fortify Audit Workbench; Custom Rules Editor; Process Designer; HPE Security Fortify Plugin for Eclipse; HPE Security Fortify Analysis Plugin for IntelliJ and Android Studio; Scan Wizard; HPE Security Fortify Scanning Plugin for Xcode; Product documentation (PDF); Sample applications. Note: Security content (Rulepacks and external metadata) can be downloaded during the installation. HPE Security Fortify Remediation Extension for JDeveloper, HPE Security Fortify Remediation Plugin for Eclipse, HPE Security Fortify Security Assistant Plugin for Eclipse, HPE Security Fortify Remediation Plugin for IntelliJ and Android Studio, and HPE Security Fortify Jenkins Plugin are included as part of the HPE_Security_Fortify_SSC_16.10_Linux_Unix_Mac package. |
| HPE_Security_Fortify_SCA_and_Apps_16.10_Linux.tar.gz | HPE Security Fortify SCA and Applications package for Linux. The package includes the following components: HPE Security Fortify Static Code Analyzer; HPE Security Fortify Audit Workbench; Custom Rules Editor; Process Designer; HPE Security Fortify Plugin for Eclipse; HPE Security Fortify Analysis Plugin for IntelliJ and Android Studio; Scan Wizard; Product documentation (PDF); Sample applications. Note: Security content (Rulepacks and external metadata) can be downloaded during the installation. HPE Security Fortify Remediation Extension for JDeveloper, HPE Security Fortify Remediation Plugin for Eclipse, HPE Security Fortify Security Assistant Plugin for Eclipse, HPE Security Fortify Remediation Plugin for IntelliJ and Android Studio, and HPE Security Fortify Jenkins Plugin are included as part of the HPE_Security_Fortify_SSC_16.10_Linux_Unix_Mac package. |
| HPE_Security_Fortify_SCA_and_Apps_16.10_Linux.tar.gz.sig | Signature file for HPE Security Fortify Static Code Analyzer for Linux |
| HPE_Security_Fortify_SCA_16.10_HPUX.tar.gz | HPE Security Fortify Static Code Analyzer for HP-UX |
| HPE_Security_Fortify_SCA_16.10_HPUX.tar.gz.sig | Signature file for HPE Security Fortify Static Code Analyzer for HP-UX |
| HPE_Security_Fortify_SCA_16.10_Solaris.tar.gz | HPE Security Fortify Static Code Analyzer for Solaris |
| HPE_Security_Fortify_SCA_16.10_Solaris.tar.gz.sig | Signature file for HPE Security Fortify Static Code Analyzer for Solaris |
| HPE_Security_Fortify_SCA_16.10_AIX.tar.gz | HPE Security Fortify Static Code Analyzer for AIX |
| HPE_Security_Fortify_SCA_16.10_AIX.tar.gz.sig | Signature file for HPE Security Fortify Static Code Analyzer for AIX |
Downloading HPE Security Fortify Software
To download HPE Security Fortify software:
1. Open a browser window and go to https://softwaresupport.hp.com.
2. Click My Software Support Sign In, and then provide your HP Passport credentials.
3. From the HPE menu, select Product Information > Downloads.
The My software updates page opens and lists the software support contracts (SAIDs) linked to your
HP Passport Profile with their associated products.
Note: If you do not have SAID access to HPE Security products associated with your HP
Passport, select the Directly enter an SAID option, and then type in your HPE SAID account
number.
4. Select (or provide) your SAID.
5. View the terms and conditions, and then click the Yes, I accept the terms and conditions check box.
6. Click View available products.
The My software updates - product list page opens in a new browser tab.
7. To see the HPE Security products available for download, expand the Fortify Software Security
Center node.
8. Select the check boxes for the products and versions to download, and then click Get software
updates.
The My software updates - downloads page opens.
9. On the Selected Products tab, in the Deliverables column, click Get Software for the product to
download.
10. On the Get Software tab, follow the instructions to complete the download.
Note: If your organization requires that you verify the download, you must also download the like-named
signature file. For example, if you download the HP_Fortify_SCA_and_Apps_16.10_Windows.zip file,
you must also download the associated signature file HP_Fortify_SCA_and_Apps_16.10_Windows.sig.
In rare cases, the signature file you download might have the wrong extension (either .zip or .gz). If this
is the case, change the final extension to sig.
Verifying Software Downloads
The following instructions walk you through the process of verifying the HPE package you downloaded from
the HPE Security Software Support site. Verification ensures that the downloaded package has not been
altered since it was signed by HPE and posted to the site. Before proceeding with verification, download the
HPE product files and their associated signature (*.sig) files. You are not required to verify the package to use
the software, but your organization might require it for security reasons.
Preparing Your System for Electronic Media Verification
To prepare your system for electronic media verification:
1. Navigate to the GnuPG site (http://www.gnupg.org).
2. Download and install GnuPG Privacy Guard version 1.4.x or 2.0.x.
3. Generate a private key, as follows:
a. Run the following command (on a Windows system, run the command without the $ prompt):
$ gpg --gen-key
b. When prompted for key type, select DSA and Elgamal.
c. When prompted for a key size, select 2048.
d. When prompted for the length of time the key should be valid, select key does not expire.
e. Answer the user identification questions and provide a passphrase to protect your private key.
4. Download the HPE public keys (compressed tar file) from the following location:
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCodeSigning
5. Extract the public keys using WinZip.
6. Import each downloaded key with GnuPG, as follows:
• Run gpg --import <path_to_key>/<file_name_of_key>
Verifying Software Downloads
To verify that the signature file matches the downloaded software package:
1. Navigate to the directory where you stored the downloaded package and signature file.
2. Do one of the following:
• On a Windows system, run gpg --verify <Signature_File_Name> <Downloaded_File_Name>
• On a Unix or Linux system, run gpg --verify <Signature_File_Name> <Downloaded_File_Name>
3. Examine the output to ensure that it confirms the software you downloaded is signed by
HPE and is unaltered.
Note: A warning message might be displayed because the public key is not known to the system. You
can ignore this warning or set up your environment to trust the HPE public keys.
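The following script is an added example, not part of the HPE documentation. It runs the same gpg --verify command but reads GnuPG's machine-readable status lines (--status-fd) and accepts the package only if a valid signature was made by a key whose fingerprint matches one you supply. The function names are hypothetical, and the fingerprint argument is an assumption: a value you have confirmed with HPE through a separate channel.

```shell
#!/bin/sh
# Added example: strict check of a gpg --verify result using GnuPG status
# lines instead of the human-readable output.

# check_gpg_status EXPECTED_FPR
# Reads `gpg --status-fd 1` output on stdin. Succeeds only when a VALIDSIG
# line carries EXPECTED_FPR (as signing-key or primary-key fingerprint) and
# no line reports a bad, unverifiable, expired or revoked signature.
check_gpg_status() {
    # Normalize the caller's fingerprint: drop spaces, upper-case the hex.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last field
        # is the primary key fingerprint when a subkey made the signature.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) {
            ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download SIG_FILE PACKAGE_FILE EXPECTED_FPR
# The pipeline status is that of check_gpg_status, so a missing gpg binary
# or a missing public key (no VALIDSIG line) also counts as a failure.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_gpg_status "$3"
}

# Script usage: verify.sh <Signature_File_Name> <Downloaded_File_Name> <fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_download "$1" "$2" "$3"; then
        echo "OK: $2 carries a valid signature from key $3"
    else
        echo "FAILED: signature on $2 not verified; do not install" >&2
        exit 1
    fi
fi
```

Because the check is tied to a fingerprint rather than to GnuPG's trust database, it gives the same answer whether or not the "public key is not known" warning appears.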
HPE Assistive Technologies (Section 508)
In accordance with section 508 of the Rehabilitation Act, HPE Security Fortify Software Security Center and
HPE Security Fortify Audit Workbench have been engineered to work with the JAWS screen reading
software package from Freedom Scientific. JAWS provides text-to-speech support for use by the visually
impaired. With JAWS, labels, text boxes, and other textual components can be read aloud, providing greater
access to these technologies.
Using JAWS with HPE Security Products
When using JAWS to generate text-to-speech translations of the text in the Audit Workbench or Software
Security Center graphical user interface, you can use several keyboard combinations to help you get the
most out of the interaction. These are described in the following table.
Note: For best results, run JAWS before launching your browser and logging on to your HPE Security
software.
Task | Keyboard Combination
To read values in combo boxes. | Press Ctrl + down arrow key to turn on Form mode, or press Enter.
Tab through multiple line text boxes. | Press Ctrl + Tab to move from one multiple line text box to another.
Read multiple line labels. | Press Insert + down arrow to read all lines in label.
Read disabled (grayed-out) items. | Press Insert + b or Insert + down arrow.
Read disabled check boxes. | Press Insert to exit Forms mode and enter Virtual Cursor mode.
Enable reading table headings. | Press Insert + F2. The Run JAWS Manager dialog box opens. Click OK.
Switch between pods or panels. | Press and hold Ctrl + F7 as you select a different pane.
Return focus to the application (JAWS is reading the web browser application rather than the content of the browser). | Press Ctrl + R to refresh the display. Note: If you refresh the display, your session is aborted and any data you have typed in the page is lost.
For more information about using JAWS, see the JAWS documentation.
For more information about the accessibility of HPE products, visit the Hewlett Packard Enterprise
Accessibility site at
http://www8.hp.com/us/en/hpe/hp-information/accessibility-aging/.
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an email
client is configured on this system, click the link above and an email window opens with the following
information in the subject line:
Feedback on System Requirements (Fortify Software Security Center and WebInspect 16.10)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to HPFortifyTechpubs@hpe.com.
We appreciate your feedback!