SlideShare a Scribd company logo

Hp fortify source code analyzer(sca)

Download as PPTX, PDF
N
Nagaraju Repala

The document provides information on HP Fortify Source Code Analyzer (SCA). It can analyze source code for various languages like Java, .NET, PHP etc. to identify security vulnerabilities. The installation process involves extracting files and providing a license key. System requirements vary based on the size and complexity of the code being analyzed. Reports can be generated in different templates like OWASP Top 10. Filter sets help classify issues by priority. Commands are available to customize and optimize scans.

Software
1 of 12
HP-FORTIFY SCA Source Code Analyzer
CONTENTS • Use of it. • System Specifications. • Installation. • How it works. • Report generation.
USE OF FORTIFY • HPE Security Fortify Static Code Analyzer (SCA) is used by development groups and security professionals to analyze the source code of an application for security issues. • It identifies root causes of software security vulnerabilities. • It supports Java, .Net , Action script ,ABAP, Coldfusion,Ruby,Python,Php languages. • There are various types of filter sets ,based on it we can generate report. • There are 7 kingdoms associated with securtity defects in source code ,based on those kingdoms it generates the security issues. • Input Validation, API abuse, Security Features , Time and state ,Errors, Code Quality and Encapsulation.
SYSTEM SPECIFICATION Size (LOC) <100k 100k to 500k 500k to 1M 1M+ Java 32- bit machine 2GB RAM 32-bit machine 4GB RAM 64- bit machine 8GB RAM 64-bit machine 16GB RAM .Net 32- bit machine 2GB RAM 32- bit machine 2GB RAM 64- bit machine 8GB RAM 64-bit machine 16GB RAM C/C++ 32- bit machine 2GB RAM 64-bit machine 16GB RAM 64-bit machine 16GB RAM 64-bit machine 16GB RAM
SYSTEM SPECIFICATION Application Complexity CPU Cores RAM Average Scan time Notes Simple 2 4 GB 0.5 hours A system that runs on a server or desktop in a standalone manner like a Batch job or a command line utility Medium 4 16 GB 4 hours A standalone system, which works with Complex computer models like a tax Calculation system or a scheduling system Complex 8 64 GB 2 days A three tiered business system with transactional data processing like a Financial system or a commercial website Very Complex 16 256 GB 4 days A application like a cms.
INSTALLATION It is supported in windows and linux .Make sure you have jre installed. Windows :- 1.Extract the iso and install the HP_Fortify_SCA_and_Apps_16.11.exe 2.During installation , in the update security configuration module give server url as https://update.fortify.com 3.Give the path of license file fortify.license when prompted. 4.In the plugin dialgox box ,check java ide and visual studio .net plugins. 5.After Installation, fortify is ready to use in Graphical and CLI Mode.
INSTALLATION …. Linux Installation : 1.Download the fortify.xx.xx.tar.gz package from hp website. 2.Extract it and run the installation file. 3.While prompt give the fortify.license key for license version and https://update.fortify.com for security configuration update. 4.After installation is done, Open the terminal and type sourceanalyzer to run fortify sca.
TIPS FOR HIGH PERFORMANCE • Better Use SSD Disk for faster performance. • Increase Heap Size by <SCA Install Directory>Coreconfigfortify-sca.properties Forexample com.fortify.sca.RmiWorkerMaxHeap=1G • In Scan option use the options –Xmx=1G and –j 4 (where enables the parallel processing 4 is the no.of cores we want assign) • Increase the session file size <SCA Install Directory>Coreconfigfortify- sca.properties Forexample com.fortify.sca.IncrementFileMaxSizeMB=1024 or 1G
HOW IT WORKS • It starts with a Command mode and Gui mode . • For small file size we use gui . • Start->Audit WorkBench->New Project->Locate the source code->Configure the rules- >For java projects (select framework version). • We can remove the third party plugin codes for faster output. • Give the path to output file(Ex.sampleoutput.fpr) • At one point we can see one dialog box where it shows translation phase and scan phase. • At this we can give commands for log storage for separate phases, and commands to increase the performance of tool (-Xmx,-Xss)
REPORT GENERATION • After Completion we can see .fpr file opened in Audit workbench. • There are different types of templates 1)Owasp Top 10 2013 2)Sans top 25 3)Pci-Dss 4)Owasp Top 10 Mobile 5)Developer WorkBook etc. • Developer Workbook shows you the detailed report with every instance reported. • You can customize the report template by adding workbook and owasp top 10 categories. • After selecting the template click on generate report.
FILTER SET • Filter set is used to differentiate high , medium and low priority issues. • By Default fortify enables two filters for viewing the issues 1)Quick View 2)Security Audit View. • Quick View -> 1.Hide Issue if impact is not in range [2.5,5.0] 2.Hide Issue if Likelihood is not in range [1,5] • Security Audit View -> Show every issue based on category specified. • We can add our customized filter set
COMMAND SET • Scan : sourceanalyzer –b <buildid> -scan –f results.fpr sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile scan.log -scan -f Results.fpr -html-report Parallel Processing : -j 4 (4 no.of cores) -Xmx heap size, -Xss Stack size

Recommended

Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
[DataUs]클라우드 입문자를 위한 보안 가이드
[DataUs]클라우드 입문자를 위한 보안 가이드[DataUs]클라우드 입문자를 위한 보안 가이드
[DataUs]클라우드 입문자를 위한 보안 가이드
DataUs
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Open Source Malware Lab
Open Source Malware LabOpen Source Malware Lab
Open Source Malware Lab
ThreatConnect
 
OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...
OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...
OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...
NETWAYS
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
NGINX, Inc.
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 

Recommended

Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
[DataUs]클라우드 입문자를 위한 보안 가이드
[DataUs]클라우드 입문자를 위한 보안 가이드[DataUs]클라우드 입문자를 위한 보안 가이드
[DataUs]클라우드 입문자를 위한 보안 가이드
DataUs
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Open Source Malware Lab
Open Source Malware LabOpen Source Malware Lab
Open Source Malware Lab
ThreatConnect
 
OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...
OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...
OSMC 2022 | VictoriaMetrics: scaling to 100 million metrics per second by Ali...
NETWAYS
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
NGINX, Inc.
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For Architects
Kevin Brockhoff
 
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | EdurekaWhat is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
Edureka!
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
Md. Raquibul Hoque
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps Engineer
Manu Pk
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?
Bhavin Shah
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
VMware Tanzu
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
Krishna-Kumar
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
Antonio Fontes
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
Harshit Singh Bhatia
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
bartblaze
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
IT Weekend
 
Hp Fortify Mobile Application Security
Hp Fortify Mobile Application SecurityHp Fortify Mobile Application Security
Hp Fortify Mobile Application Security
Ed Wong
 

More Related Content

What's hot

Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For Architects
Kevin Brockhoff
 
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | EdurekaWhat is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
Edureka!
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
Md. Raquibul Hoque
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps Engineer
Manu Pk
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?
Bhavin Shah
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
VMware Tanzu
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
Krishna-Kumar
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
Antonio Fontes
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
Harshit Singh Bhatia
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
bartblaze
 

What's hot (20)

Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Container Security
Container SecurityContainer Security
Container Security
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For Architects
 
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | EdurekaWhat is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
 
Container Security
Container SecurityContainer Security
Container Security
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps Engineer
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 

Viewers also liked

Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
IT Weekend
 
Hp Fortify Mobile Application Security
Hp Fortify Mobile Application SecurityHp Fortify Mobile Application Security
Hp Fortify Mobile Application Security
Ed Wong
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
jasonhaddix
 
Poster Analysis Source Code
Poster Analysis Source CodePoster Analysis Source Code
Poster Analysis Source Code
kirstysals
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
Annyce Davis
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
Geneva, Switzerland
 
Axcel Campus Programmes
Axcel Campus ProgrammesAxcel Campus Programmes
Axcel Campus Programmes
Wynce Low
 
Brakeman Gem
Brakeman GemBrakeman Gem
Brakeman Gem
Creston Jamison
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
Imad Nom de famille
 
AMF Testing Made Easy! DeepSec 2012
AMF Testing Made Easy! DeepSec 2012AMF Testing Made Easy! DeepSec 2012
AMF Testing Made Easy! DeepSec 2012
Luca Carettoni
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra
Orange Tsai
 
Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)
Christopher Grant
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)
Madhavan Marimuthu
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code Scanners
Pawel Krawczyk
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
Suman Sourav
 
Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify Pillar
Ed Wong
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
Parasoft_Mitchell
 
Static Analysis and Code Optimizations in Glasgow Haskell Compiler
Static Analysis and Code Optimizations in Glasgow Haskell CompilerStatic Analysis and Code Optimizations in Glasgow Haskell Compiler
Static Analysis and Code Optimizations in Glasgow Haskell Compiler
Ilya Sergey
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHP
Sorina Chirilă
 

Viewers also liked (20)

Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
 
Hp Fortify Mobile Application Security
Hp Fortify Mobile Application SecurityHp Fortify Mobile Application Security
Hp Fortify Mobile Application Security
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
 
Poster Analysis Source Code
Poster Analysis Source CodePoster Analysis Source Code
Poster Analysis Source Code
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Axcel Campus Programmes
Axcel Campus ProgrammesAxcel Campus Programmes
Axcel Campus Programmes
 
Brakeman Gem
Brakeman GemBrakeman Gem
Brakeman Gem
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
 
AMF Testing Made Easy! DeepSec 2012
AMF Testing Made Easy! DeepSec 2012AMF Testing Made Easy! DeepSec 2012
AMF Testing Made Easy! DeepSec 2012
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra
 
Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code Scanners
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
 
Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify Pillar
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
 
Static Analysis and Code Optimizations in Glasgow Haskell Compiler
Static Analysis and Code Optimizations in Glasgow Haskell CompilerStatic Analysis and Code Optimizations in Glasgow Haskell Compiler
Static Analysis and Code Optimizations in Glasgow Haskell Compiler
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHP
 

Similar to Hp fortify source code analyzer(sca)

Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Marna Walle
 
Creating an Embedded System Lab
Creating an Embedded System LabCreating an Embedded System Lab
Creating an Embedded System Lab
Nonamepro
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
MAHESHUMANATHGOPALAK
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
BeratAkit
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
EMERSON EDUARDO RODRIGUES
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
EMERSON EDUARDO RODRIGUES
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
nitinscribd
 
Prizm Installation Guide
Prizm Installation GuidePrizm Installation Guide
Prizm Installation Guide
vjvarenya
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
Aci dp
Aci dpAci dp
Aci dp
Zchabar Jhie
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
Mohammed Adam
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
NETWAYS
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)
Mandi Walls
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
The Linux Foundation
 
How to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata EnvironmentsHow to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata Environments
Sandesh Rao
 
Microsoft System center Configuration manager 2012 sp1
Microsoft System center Configuration manager 2012 sp1Microsoft System center Configuration manager 2012 sp1
Microsoft System center Configuration manager 2012 sp1
solarisyougood
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
NETWAYS
 
ops300 Project(3)
ops300 Project(3)ops300 Project(3)
ops300 Project(3)
trayyoo
 
ops300 Project(4)
ops300 Project(4)ops300 Project(4)
ops300 Project(4)
trayyoo
 
Open Audit
Open AuditOpen Audit
Open Audit
ncspa
 

Similar to Hp fortify source code analyzer(sca) (20)

Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
 
Creating an Embedded System Lab
Creating an Embedded System LabCreating an Embedded System Lab
Creating an Embedded System Lab
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
 
Prizm Installation Guide
Prizm Installation GuidePrizm Installation Guide
Prizm Installation Guide
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Aci dp
Aci dpAci dp
Aci dp
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
How to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata EnvironmentsHow to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata Environments
 
Microsoft System center Configuration manager 2012 sp1
Microsoft System center Configuration manager 2012 sp1Microsoft System center Configuration manager 2012 sp1
Microsoft System center Configuration manager 2012 sp1
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
 
ops300 Project(3)
ops300 Project(3)ops300 Project(3)
ops300 Project(3)
 
ops300 Project(4)
ops300 Project(4)ops300 Project(4)
ops300 Project(4)
 
Open Audit
Open AuditOpen Audit
Open Audit
 

Recently uploaded

42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
vaishalijagtap12
 
Refactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contextsRefactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contexts
Michał Kurzeja
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
jrodriguezq3110
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
kalichargn70th171
 
The Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdfThe Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdf
mohitd6
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
The Third Creative Media
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
Jhone kinadey
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies
 
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Ortus Solutions, Corp
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
kalichargn70th171
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
Paul Brebner
 
Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)
wonyong hwang
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
Maitrey Patel
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
KrishnaveniMohan1
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
ervikas4
 
ppt on the brain chip neuralink.pptx
ppt on the brain chip neuralink.pptxppt on the brain chip neuralink.pptx
ppt on the brain chip neuralink.pptx
Reetu63
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
Alina Yurenko
 
Hands-on with Apache Druid: Installation & Data Ingestion Steps
Hands-on with Apache Druid: Installation & Data Ingestion StepsHands-on with Apache Druid: Installation & Data Ingestion Steps
Hands-on with Apache Druid: Installation & Data Ingestion Steps
servicesNitor
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
chandangoswami40933
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
ShulagnaSarkar2
 

Recently uploaded (20)

42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
Refactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contextsRefactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contexts
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
 
The Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdfThe Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdf
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 
Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
ppt on the brain chip neuralink.pptx
ppt on the brain chip neuralink.pptxppt on the brain chip neuralink.pptx
ppt on the brain chip neuralink.pptx
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
 
Hands-on with Apache Druid: Installation & Data Ingestion Steps
Hands-on with Apache Druid: Installation & Data Ingestion StepsHands-on with Apache Druid: Installation & Data Ingestion Steps
Hands-on with Apache Druid: Installation & Data Ingestion Steps
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 

Hp fortify source code analyzer(sca)

  • 2. CONTENTS • Use of it. • System Specifications. • Installation. • How it works. • Report generation.
  • 3. USE OF FORTIFY • HPE Security Fortify Static Code Analyzer (SCA) is used by development groups and security professionals to analyze the source code of an application for security issues. • It identifies root causes of software security vulnerabilities. • It supports Java, .Net , Action script ,ABAP, Coldfusion,Ruby,Python,Php languages. • There are various types of filter sets ,based on it we can generate report. • There are 7 kingdoms associated with securtity defects in source code ,based on those kingdoms it generates the security issues. • Input Validation, API abuse, Security Features , Time and state ,Errors, Code Quality and Encapsulation.
  • 4. SYSTEM SPECIFICATION Size (LOC) <100k 100k to 500k 500k to 1M 1M+ Java 32- bit machine 2GB RAM 32-bit machine 4GB RAM 64- bit machine 8GB RAM 64-bit machine 16GB RAM .Net 32- bit machine 2GB RAM 32- bit machine 2GB RAM 64- bit machine 8GB RAM 64-bit machine 16GB RAM C/C++ 32- bit machine 2GB RAM 64-bit machine 16GB RAM 64-bit machine 16GB RAM 64-bit machine 16GB RAM
  • 5. SYSTEM SPECIFICATION Application Complexity CPU Cores RAM Average Scan time Notes Simple 2 4 GB 0.5 hours A system that runs on a server or desktop in a standalone manner like a Batch job or a command line utility Medium 4 16 GB 4 hours A standalone system, which works with Complex computer models like a tax Calculation system or a scheduling system Complex 8 64 GB 2 days A three tiered business system with transactional data processing like a Financial system or a commercial website Very Complex 16 256 GB 4 days A application like a cms.
  • 6. INSTALLATION It is supported in windows and linux .Make sure you have jre installed. Windows :- 1.Extract the iso and install the HP_Fortify_SCA_and_Apps_16.11.exe 2.During installation , in the update security configuration module give server url as https://update.fortify.com 3.Give the path of license file fortify.license when prompted. 4.In the plugin dialgox box ,check java ide and visual studio .net plugins. 5.After Installation, fortify is ready to use in Graphical and CLI Mode.
  • 7. INSTALLATION …. Linux Installation : 1.Download the fortify.xx.xx.tar.gz package from hp website. 2.Extract it and run the installation file. 3.While prompt give the fortify.license key for license version and https://update.fortify.com for security configuration update. 4.After installation is done, Open the terminal and type sourceanalyzer to run fortify sca.
  • 8. TIPS FOR HIGH PERFORMANCE • Better Use SSD Disk for faster performance. • Increase Heap Size by <SCA Install Directory>Coreconfigfortify-sca.properties Forexample com.fortify.sca.RmiWorkerMaxHeap=1G • In Scan option use the options –Xmx=1G and –j 4 (where enables the parallel processing 4 is the no.of cores we want assign) • Increase the session file size <SCA Install Directory>Coreconfigfortify- sca.properties Forexample com.fortify.sca.IncrementFileMaxSizeMB=1024 or 1G
  • 9. HOW IT WORKS • It starts with a Command mode and Gui mode . • For small file size we use gui . • Start->Audit WorkBench->New Project->Locate the source code->Configure the rules- >For java projects (select framework version). • We can remove the third party plugin codes for faster output. • Give the path to output file(Ex.sampleoutput.fpr) • At one point we can see one dialog box where it shows translation phase and scan phase. • At this we can give commands for log storage for separate phases, and commands to increase the performance of tool (-Xmx,-Xss)
  • 10. REPORT GENERATION • After Completion we can see .fpr file opened in Audit workbench. • There are different types of templates 1)Owasp Top 10 2013 2)Sans top 25 3)Pci-Dss 4)Owasp Top 10 Mobile 5)Developer WorkBook etc. • Developer Workbook shows you the detailed report with every instance reported. • You can customize the report template by adding workbook and owasp top 10 categories. • After selecting the template click on generate report.
  • 11. FILTER SET • Filter set is used to differentiate high , medium and low priority issues. • By Default fortify enables two filters for viewing the issues 1)Quick View 2)Security Audit View. • Quick View -> 1.Hide Issue if impact is not in range [2.5,5.0] 2.Hide Issue if Likelihood is not in range [1,5] • Security Audit View -> Show every issue based on category specified. • We can add our customized filter set
  • 12. COMMAND SET • Scan : sourceanalyzer –b <buildid> -scan –f results.fpr sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile scan.log -scan -f Results.fpr -html-report Parallel Processing : -j 4 (4 no.of cores) -Xmx heap size, -Xss Stack size