The document discusses using static code analysis with HP Fortify to build high quality, secure products. It describes how Fortify scans source code to identify vulnerabilities and provides line-level guidance to developers. Examples are given of running Fortify from the command line and with tools like Maven. Fortify analyzes code for various types of vulnerabilities through taint analysis, control and data flow analysis, and checking for insecure functions, configurations, and buffer operations. Integration with continuous integration servers like Jenkins and TeamCity is also highlighted.

1. Quality Summit 2014 - SHANGHAI
Building a High Quality+
Products with SCA
Suman Sourav
Senior Software Security Analyst

2. Quality Summit 2014 - SHANGHAI
 Product with less crashes?
 Product with more features?
 Product with all of the above (everybody and my wish
too)
 But also product that are
What is Quality+ Product?

3. Quality Summit 2014 - SHANGHAI
 Secure SDLC
How?

4. Quality Summit 2014 - SHANGHAI
Static Code Analysis – HP Fortify

5. Quality Summit 2014 - SHANGHAI
 Static Code Analyzer scans source code, identifies root
causes of software security vulnerabilities and
correlates and prioritizes results—giving you line–of–
code guidance for closing gaps in your security.
Fortif Static Code Analyzer

6. Quality Summit 2014 - SHANGHAI
In a Nutshell
Build
Environment
Fix
Vulnerabilities
Integrate Fortify
With Build
Upload to
Server
Execute
Scan
Generate
FPR
SA
Developers
Fortify ssc
Server
Audit and
Re-upload
Login

7. Quality Summit 2014 - SHANGHAI
Supported Platform, Languages

8. Quality Summit 2014 - SHANGHAI
Supported Platform, Languages
Operating
System
Architectures Versions
Linux x86: 32-bit or
64-bit
(recommende
d; required for
parallel mode)
Red Hat ES 5
and ES 6
Novell SUSE
10, Oracle EL
5.2
Windows x86: 32-bit or
64-bit
(recommende
d; required for
parallel mode)
2003 SP1,
2008, XP, Vista
Business, Vista
Ultimate,
Windows 7
Mac OS x86: 64-bit 10.6, 10.7
Solaris SPARC 10
x86 10
HP-UX Itanium 11.31
Language Versions
ABAP/BSP 6
ActionScript/MXML (Flex) 3, 4
ASP.NET, VB.NET, C# (.NET) 4.5 and earlier
C/C++ See “Compilers”
Classic ASP (with VBScript) 2, 3
COBOL IBM Enterprise Cobol for
z/OS 3.4.1 with IMS, DB2,
CICS, MQ
ColdFusion CFML 5, 7, 8
HTML 5 and earlier
Java (with Android) 1.3, 1.4, 1.5, 1.6, 1.7
JavaScript/AJAX 1.7
JSP 1.2, 2.1
Objective-C See “Compilers”
PHP 5.0 – 5.3
PL/SQL 8.1.6
Python 2.6
T-SQL SQL Server 2005 and 2008
Visual Basic 6
VBScript 2.0, 5.0
XML 1.0
Compilers Operating Systems
Clang 2.9, 3.0, 3.1 Mac OS
LLVM-GCC 4.2, 4.3 Mac OS
GNU gcc 2.9 – 4.7 Linux, HP-UX, Mac OS,
Solaris, Windows
GNU g++ 3.2 – 4.7 Linux, HP-UX, Mac OS,
Solaris, Windows
Intel icc 8.0 Linux
Microsoft cl Windows
Sun cc / Sun CC 5.9, 5.10,
5.11
Solaris
Sun javac 1.3 – 1.7 Linux, HP-UX, Mac OS,
Solaris, Windows
Auditing and Scanning Plug-ins
Eclipse 3.4, 3.5, 3.6, 3.7, 3.8, 4.2
RAD 7.5, 8.0, 8.5; RSA 7, 7.5, 8.0
Microsoft Visual Studio 2003 (scanning only)
Microsoft Visual Studio 2005, 2008, 2010
Premium and Professional, and 2012 Premium
and Professional. (Not compatible with MS
Visual Studio 2010 Express)
Platforms & Architectures Languages
Integrated Development Environment
Compilers
Build Tool Versions
Ant 1.5.x, 1.6.x, 1.7.x,
1.8.x
Maven 2.0.9 to 2.x.x
MSBuild 2, 3.5, 4
Xcodebuild 4.1, 4.2, 4.2.1, 4.3,
4.3.1, 4.4, 4.5, 4.6
Build Tools

9. Quality Summit 2014 - SHANGHAI
Fortify SCA Aanlyzers
Taint Propagation from external system (source) to vulnerable functions
(sink)
SQL Injection, Command Injection, Path Manipulation
Program Flow Pattern to identify insecure sequence of operations
Unreleased Resource, Memory Leakage, Null Dereference
Improper or insecure program structure
Empty Catch Block, Dead Code
Insecure Function calls
Insecure calls; gets, etc, Uncheck Return Values
Insecure Configurations
Web Server Configuration; web.config, web.xml
Insecure Buffer operations
Buffer Overflow, Format String
Data Flow
Control Flow
Structural
Semantic
Configuration
Buffer

10. Quality Summit 2014 - SHANGHAI
Fortify Scanning Phase
Translation
Source code of the product is translated from
high level language into normalized syntax
tree format (.nst - intermediate files)
Analysis
Intermediate files are scanned
An analysis results file is generated, typically
in the Fortify project (FPR) format
Audit
The fortify project report generated in
analysis phase is inspected to identify real
vulnerabilities

11. Quality Summit 2014 - SHANGHAI
 Fortify SCA executable/command: sourceanalyzer
Fortify Tool
Command line option Purpose
-b <build-id> Specifies a unique name for the entire project
<build-id> is an alphanumeric string (e.g. testbuild1) not to be confused
the build version of the product
-classpath <classpath> Uses the specified class path value for Java
-jdk <value> Indicates which version of the Java language to use
-libdirs <dirs> Directories where systems DLLs are located
-vsversion <value> Specifies the Visual Studio version
-f <file> The file to which analysis results are written
-format <format> Specifies output file format
-scan Run an analysis

12. Quality Summit 2014 - SHANGHAI
> sourceanalyzer -b mybuild gcc -c test.c
> sourceanalyzer -b mybuild devenv myproj.msproj /REBUILD
> sourceanalyzer -b mybuild cl.exe /o HelloWorld
HelloWorld.c
> sourceanalyzer -b mybuild -vsversion 8.0 devenv
myproj.sln /REBUILD DEBUG
> CC = sourceanalyzer –b my_build gcc
> DEVENV = sourceanalyzer –b my_build devenv
> MSDEV = sourceanalyzer –b my_build msdev
Fortify Tool - Examples

13. Quality Summit 2014 - SHANGHAI
> sourceanalyzer -b mybuild -cp “lib/**/*.jar”
“src/**/*.java”
> sourceanalyzer -b mybuild -cp “lib/**/*.jar”
“src/**/*.jsp”
> sourceanalyzer –b mybuild “src/**/*.js”
> sourceanalyzer -b mybuild touchless ant
Scan with FPR file:
> sourceanalyzer -b mybuild -scan -f results.fpr
Fortify Tool - Examples

14. Quality Summit 2014 - SHANGHAI
Install the target application in the local repository:
> mvn install
Clean out the previous build using one of the following commands:
> mvn com.fortify.ps.maven.plugin:sca-maven-
plugin:<ver>:clean
Translate the code:
> mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<
ver>:translate
Scan the code:
> mvn com.fortify.ps.maven.plugin:sca-maven-
plugin:<ver>:scan
Fortify Tool - Examples

15. Quality Summit 2014 - SHANGHAI
HP Fortify – Software Security Center

16. Quality Summit 2014 - SHANGHAI
Software Security Center
Identify and prioritize a baseline of
existing vulnerabilities
Prevent new vulnerabilities from
being introduced
Ensure that your code is in
compliance with internal and
external security mandates
Remediate existing vulnerabilities
and lower the baseline

17. Quality Summit 2014 - SHANGHAI
HP Fortify – CI Integration

18. Quality Summit 2014 - SHANGHAI
TeamCity Integration with CP
 Integration with Jenkins
 Integration with TeamCity
 Integration with any other build tools

19. Quality Summit 2014 - SHANGHAI
Thank you 