Building a High Quality+ Products with SCA

Uploaded by: suman-sourav-csslp
Posted on: 07-Jan-2017
Category: Software

TRANSCRIPT

Page 1: Building a High Quality+ Products with SCA

Quality Summit 2014 - SHANGHAI

Suman Sourav, Senior Software Security Analyst

Page 2: What is a Quality+ Product?

A product with fewer crashes?
A product with more features?
A product with all of the above (everybody's wish, and mine too)?
But also a product that is "as available, reliable and secure".

Page 3: How?

Secure SDLC

Page 4: Static Code Analysis – HP Fortify

Page 5: Fortify Static Code Analyzer

Static Code Analyzer scans source code, identifies the root causes of software security vulnerabilities, and correlates and prioritizes the results, giving you line-of-code guidance for closing the gaps in your security.

Page 6: In a Nutshell

Actors: Developers, the security analyst (SA) and the Fortify SSC server.

Build environment
Integrate Fortify with the build
Execute scan
Generate FPR
Upload to server
Login
Audit and re-upload
Fix vulnerabilities

Page 7: Supported Platform, Languages

Page 8: Supported Platform, Languages

Platforms & Architectures (operating system: architecture; versions)

Linux: x86, 32-bit or 64-bit (64-bit recommended; required for parallel mode); Red Hat ES 5 and ES 6, Novell SUSE 10, Oracle EL 5.2
Windows: x86, 32-bit or 64-bit (64-bit recommended; required for parallel mode); 2003 SP1, 2008, XP, Vista Business, Vista Ultimate, Windows 7
Mac OS: x86, 64-bit; 10.6, 10.7
Solaris: SPARC; 10
Solaris: x86; 10
HP-UX: Itanium; 11.31

Languages (language: versions)

ABAP/BSP: 6
ActionScript/MXML (Flex): 3, 4
ASP.NET, VB.NET, C# (.NET): 4.5 and earlier
C/C++: see Compilers
Classic ASP (with VBScript): 2, 3
COBOL: IBM Enterprise COBOL for z/OS 3.4.1 with IMS, DB2, CICS, MQ
ColdFusion CFML: 5, 7, 8
HTML: 5 and earlier
Java (with Android): 1.3, 1.4, 1.5, 1.6, 1.7
JavaScript/AJAX: 1.7
JSP: 1.2, 2.1
Objective-C: see Compilers
PHP: 5.0 to 5.3
PL/SQL: 8.1.6
Python: 2.6
T-SQL: SQL Server 2005 and 2008
Visual Basic: 6
VBScript: 2.0, 5.0
XML: 1.0

Compilers (compiler: versions; operating systems)

Clang: 2.9, 3.0, 3.1; Mac OS
LLVM-GCC: 4.2, 4.3; Mac OS
GNU gcc: 2.9 to 4.7; Linux, HP-UX, Mac OS, Solaris, Windows
GNU g++: 3.2 to 4.7; Linux, HP-UX, Mac OS, Solaris, Windows
Intel icc: 8.0; Linux
Microsoft cl: Windows
Sun cc / Sun CC: 5.9, 5.10, 5.11; Solaris
Sun javac: 1.3 to 1.7; Linux, HP-UX, Mac OS, Solaris, Windows

Integrated Development Environment (auditing and scanning plug-ins)

Eclipse 3.4, 3.5, 3.6, 3.7, 3.8, 4.2
RAD 7.5, 8.0, 8.5; RSA 7, 7.5, 8.0
Microsoft Visual Studio 2003 (scanning only)
Microsoft Visual Studio 2005, 2008, 2010 Premium and Professional, and 2012 Premium and Professional (not compatible with MS Visual Studio 2010 Express)

Build Tools (tool: versions)

Ant: 1.5.x, 1.6.x, 1.7.x, 1.8.x
Maven: 2.0.9 to 2.x.x
MSBuild: 2, 3.5, 4
Xcodebuild: 4.1, 4.2, 4.2.1, 4.3, 4.3.1, 4.4, 4.5, 4.6

Page 9: Fortify SCA Analyzers

Data Flow: taint propagation from an external system (source) to vulnerable functions (sink). Examples: SQL Injection, Command Injection, Path Manipulation.

Control Flow: program flow patterns that identify insecure sequences of operations. Examples: Unreleased Resource, Memory Leak, Null Dereference.

Structural: improper or insecure program structure. Examples: Empty Catch Block, Dead Code.

Semantic: insecure function calls. Examples: insecure calls such as gets, Unchecked Return Values.

Configuration: insecure configurations. Examples: web server configuration in web.config, web.xml.

Buffer: insecure buffer operations. Examples: Buffer Overflow, Format String.
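The Data Flow and Semantic rows above, as an added example written for this page (it is not code from the slides or from Fortify). Fortify does not analyze shell, but the source-to-sink pattern the Data Flow analyzer hunts for is the same in any language: here the source is a caller-supplied argument and the sink is a command interpreter, with the hardened form beside it, and an unchecked return value (the Semantic analyzer's category) for comparison. The function names and the injection payload are constructed for the example.

```shell
#!/bin/sh
# Added example for the analyzer categories above; not from the slides.
# Data Flow: tainted data (source) reaching a dangerous call (sink).
# Semantic: a call whose return value is never checked.

# SOURCE -> SINK, vulnerable: the caller's argument is spliced into a
# command string and re-parsed by sh -c, so ";" or "$(...)" inside it
# runs as a separate command (Command Injection).
vulnerable_list() {
    dir="$1"                       # source: untrusted input
    sh -c "ls $dir"                # sink: the interpreter re-parses the string
}

# Hardened: the argument travels as one argv element and is never
# re-parsed; "--" also stops a leading "-" from being taken as an option.
safe_list() {
    dir="$1"
    ls -- "$dir"
}

# Semantic category, vulnerable: cp's exit status is discarded, so the
# function reports success whether or not the copy happened
# (Unchecked Return Value).
unchecked_copy() {
    cp -- "$1" "$2" 2>/dev/null
    echo "copied"
}

# Hardened: the status is checked and propagated to the caller.
checked_copy() {
    if cp -- "$1" "$2" 2>/dev/null; then
        echo "copied"
    else
        echo "copy failed: $1" >&2
        return 1
    fi
}

# Stand-alone demo: list the directory given as the first argument
# (default: the current directory) through the hardened function.
safe_list "${1:-.}"
```

Feeding `'/nonexistent; echo INJECTED'` to `vulnerable_list` prints INJECTED, because the shell that `sh -c` starts treats the `;` as a command separator; `safe_list` with the same input only fails with a "no such file" error, since the whole string stays one argument. That is exactly the difference between a flow the Data Flow analyzer flags and one it considers sanitized.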

Page 10: Fortify Scanning Phases

Translation: the product's source code is translated from the high-level language into Fortify's normalized syntax tree format (.nst intermediate files).

Analysis: the intermediate files are scanned and an analysis results file is generated, typically in the Fortify project (FPR) format.

Audit: the Fortify project report generated in the analysis phase is inspected to identify the real vulnerabilities.

Page 11: Fortify Tool

Fortify SCA executable/command: sourceanalyzer

Command line options and their purpose:

-b <build-id>            Specifies a unique name for the entire project. <build-id> is an alphanumeric string (e.g. testbuild1), not to be confused with the build version of the product.
-classpath <classpath>   Uses the specified class path value for Java.
-jdk <value>             Indicates which version of the Java language to use.
-libdirs <dirs>          Directories where system DLLs are located.
-vsversion <value>       Specifies the Visual Studio version.
-f <file>                The file to which analysis results are written.
-format <format>         Specifies the output file format.
-scan                    Runs an analysis.

Page 12: Fortify Tool - Examples

C/C++:
> sourceanalyzer -b mybuild gcc -c test.c

.NET:
> sourceanalyzer -b mybuild devenv myproj.msproj /REBUILD
> sourceanalyzer -b mybuild cl.exe /o HelloWorld HelloWorld.c
> sourceanalyzer -b mybuild -vsversion 8.0 devenv myproj.sln /REBUILD DEBUG

make/nmake (wrap the compiler variables so every compile goes through sourceanalyzer):
> CC = sourceanalyzer -b my_build gcc
> DEVENV = sourceanalyzer -b my_build devenv
> MSDEV = sourceanalyzer -b my_build msdev

Page 13: Fortify Tool - Examples

Java:
> sourceanalyzer -b mybuild -cp "lib/**/*.jar" "src/**/*.java"
> sourceanalyzer -b mybuild -cp "lib/**/*.jar" "src/**/*.jsp"
> sourceanalyzer -b mybuild "src/**/*.js"
> sourceanalyzer -b mybuild touchless ant

Scan and write the FPR file:
> sourceanalyzer -b mybuild -scan -f results.fpr

Page 14: Fortify Tool - Examples

Maven Based Build:

Install the target application in the local repository:
> mvn install

Clean out the previous build:
> mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:clean

Translate the code:
> mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate

Scan the code:
> mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:scan
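The translate, scan and upload sequence of slides 6 and 10 to 14 as one script, added here as an example (it is not from the slides or from HP). It wires the sourceanalyzer options from slide 11 together with the Java commands from slide 13 and the Maven goals from slide 14, so that a build always uses one build id, always starts from a clean state and always ends with an FPR ready for the audit. Assumptions not on the page: the script runs from the project root with sources under src/ and jars under lib/; sourceanalyzer and mvn are on PATH; the SCA Maven plugin version comes from SCA_PLUGIN_VERSION; and the upload uses the fortifyclient uploadFPR command shipped with SSC, whose flags are given as I recall them from the SSC 4.x era and should be checked against your installation. FORTIFY_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Fortify SCA translate -> scan -> upload pipeline.
# Not from the slides; assumptions are marked below.

BUILD_ID="${BUILD_ID:-mybuild}"         # -b: groups the translated files; not the product's build version
FPR_FILE="${FPR_FILE:-results.fpr}"     # -f: where the analysis results are written
: "${FORTIFY_DRY_RUN:=0}"              # 1 = print the commands only

# Single choke point for every external command, so the whole pipeline
# can be checked without a Fortify installation.
run() {
    printf 'Fortify> %s\n' "$*"
    [ "$FORTIFY_DRY_RUN" = 1 ] || "$@"
}

# Phase 0: drop the intermediate .nst files of any earlier run of this
# build id, so stale translations never end up in the scan.
clean_build() {
    run sourceanalyzer -b "$BUILD_ID" -clean
}

# Phase 1, translation (slide 13). The ** patterns are expanded by
# sourceanalyzer itself, so they are passed quoted, as on the slide.
translate_java() {
    run sourceanalyzer -b "$BUILD_ID" -cp 'lib/**/*.jar' 'src/**/*.java'
}
translate_jsp() {
    run sourceanalyzer -b "$BUILD_ID" -cp 'lib/**/*.jar' 'src/**/*.jsp'
}

# Phase 2, analysis: scan the translated files and write the FPR.
scan_build() {
    run sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR_FILE"
}

# Alternative for Maven projects (slide 14): one goal per phase. The
# plugin version is site-specific, so it comes from the environment.
mvn_sca() {
    plugin="com.fortify.ps.maven.plugin:sca-maven-plugin:${SCA_PLUGIN_VERSION:?set SCA_PLUGIN_VERSION}"
    run mvn "$plugin:$1"
}

# Phase 3, hand-off to SSC for the audit (slide 6). ASSUMPTION: the
# fortifyclient command and its flags; verify against your SSC docs.
upload_fpr() {
    run fortifyclient uploadFPR -file "$FPR_FILE" \
        -url "${SSC_URL:?set SSC_URL}" -authtoken "${SSC_TOKEN:?set SSC_TOKEN}" \
        -project "${SSC_PROJECT:?set SSC_PROJECT}" -version "${SSC_VERSION:?set SSC_VERSION}"
}

# Whole pipeline for a plain Java tree; stops at the first failure so a
# broken translation never yields an FPR that looks complete.
full_scan() {
    clean_build && translate_java && translate_jsp && scan_build
}

# Maven flavour of the same pipeline.
full_scan_maven() {
    run mvn install && mvn_sca clean && mvn_sca translate && mvn_sca scan
}

# Stand-alone use: "sh fortify_scan.sh run" or "sh fortify_scan.sh maven",
# then upload_fpr once the SSC_* variables are set.
case "${1:-}" in
    run)   full_scan ;;
    maven) full_scan_maven ;;
esac
```

Keeping the build id in one variable is the point of the script: slide 11 warns that -b is a project-wide name, and the most common scan failure in practice is a translation and a scan run under different ids, which produces an empty FPR rather than an error. Run it once with FORTIFY_DRY_RUN=1 and read the printed command lines before pointing it at a real tree.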

Page 15: HP Fortify – Software Security Center

Page 16: Software Security Center

Identify and prioritize a baseline of existing vulnerabilities

Prevent new vulnerabilities from being introduced

Ensure that your code is in compliance with internal and external security mandates

Remediate existing vulnerabilities and lower the baseline

Page 17: HP Fortify – CI Integration

Page 18: TeamCity Integration with CP

Integration with Jenkins
Integration with TeamCity
Integration with any other build tools

Page 19: Thank you