Building a High Quality+ Product with SCA
TRANSCRIPT
Quality Summit 2014 - SHANGHAI
Suman Sourav, Senior Software Security Analyst
What is a Quality+ Product?
A product with fewer crashes? A product with more features? A product with all of the above (everybody's wish, and mine too)? But also a product that is "as available, reliable and secure".
How?
Secure SDLC
Static Code Analysis – HP Fortify
Fortify Static Code Analyzer
Static Code Analyzer scans source code, identifies the root causes of software security vulnerabilities, and correlates and prioritizes the results, giving you line-of-code guidance for closing the gaps in your security.
In a Nutshell
Workflow steps shown in the slide diagram: Build Environment, Integrate Fortify With Build, Execute Scan, Generate FPR, Upload to Server, Audit and Re-upload, Fix Vulnerabilities.
Actors in the diagram: SA (security analyst), Developers, Fortify SSC Server (Login).
Supported Platforms, Languages

Platforms & Architectures
Operating System | Architectures | Versions
Linux | x86: 32-bit or 64-bit (recommended; required for parallel mode) | Red Hat ES 5 and ES 6, Novell SUSE 10, Oracle EL 5.2
Windows | x86: 32-bit or 64-bit (recommended; required for parallel mode) | 2003 SP1, 2008, XP, Vista Business, Vista Ultimate, Windows 7
Mac OS | x86: 64-bit | 10.6, 10.7
Solaris | SPARC, x86 | 10
HP-UX | Itanium | 11.31

Languages
Language | Versions
ABAP/BSP | 6
ActionScript/MXML (Flex) | 3, 4
ASP.NET, VB.NET, C# (.NET) | 4.5 and earlier
C/C++ | see "Compilers"
Classic ASP (with VBScript) | 2, 3
COBOL | IBM Enterprise COBOL for z/OS 3.4.1 with IMS, DB2, CICS, MQ
ColdFusion CFML | 5, 7, 8
HTML | 5 and earlier
Java (with Android) | 1.3, 1.4, 1.5, 1.6, 1.7
JavaScript/AJAX | 1.7
JSP | 1.2, 2.1
Objective-C | see "Compilers"
PHP | 5.0 – 5.3
PL/SQL | 8.1.6
Python | 2.6
T-SQL | SQL Server 2005 and 2008
Visual Basic | 6
VBScript | 2.0, 5.0
XML | 1.0

Compilers
Compiler | Versions | Operating Systems
Clang | 2.9, 3.0, 3.1 | Mac OS
LLVM-GCC | 4.2, 4.3 | Mac OS
GNU gcc | 2.9 – 4.7 | Linux, HP-UX, Mac OS, Solaris, Windows
GNU g++ | 3.2 – 4.7 | Linux, HP-UX, Mac OS, Solaris, Windows
Intel icc | 8.0 | Linux
Microsoft cl | | Windows
Sun cc / Sun CC | 5.9, 5.10, 5.11 | Solaris
Sun javac | 1.3 – 1.7 | Linux, HP-UX, Mac OS, Solaris, Windows

Integrated Development Environment (auditing and scanning plug-ins)
Eclipse 3.4, 3.5, 3.6, 3.7, 3.8, 4.2; RAD 7.5, 8.0, 8.5; RSA 7, 7.5, 8.0; Microsoft Visual Studio 2003 (scanning only); Microsoft Visual Studio 2005, 2008, 2010 Premium and Professional, and 2012 Premium and Professional (not compatible with MS Visual Studio 2010 Express).

Build Tools
Build Tool | Versions
Ant | 1.5.x, 1.6.x, 1.7.x, 1.8.x
Maven | 2.0.9 to 2.x.x
MSBuild | 2, 3.5, 4
Xcodebuild | 4.1, 4.2, 4.2.1, 4.3, 4.3.1, 4.4, 4.5, 4.6
Quality Summit 2014 - SHANGHAI
Fortify SCA Analyzers
Analyzer | What it looks for | Example categories
Data Flow | Taint propagation from an external system (source) to a vulnerable function (sink) | SQL Injection, Command Injection, Path Manipulation
Control Flow | Program flow patterns that identify an insecure sequence of operations | Unreleased Resource, Memory Leak, Null Dereference
Structural | Improper or insecure program structure | Empty Catch Block, Dead Code
Semantic | Insecure function calls, such as gets() | Insecure calls, Unchecked Return Values
Configuration | Insecure configurations, e.g. web server configuration in web.config or web.xml | Insecure Configuration
Buffer | Insecure buffer operations | Buffer Overflow, Format String
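To make the Data Flow row concrete, here is a toy source-to-sink taint tracker over Python's own syntax tree. It is an added example written for this page, not Fortify code, and its source, sink and sanitizer tables (`request.args.get`, `cursor.execute`, `int` as a sanitizer, and so on) and the `SAMPLE` program are constructed for illustration. It shows the mechanism the slide describes: data entering from an external system is marked tainted, assignments and string operations carry the mark forward, a sanitizer clears it, and a sink called with tainted data produces a finding in the same categories the slide lists (SQL Injection, Command Injection, Path Manipulation).

```python
"""Toy data-flow (taint) analysis in the style of Fortify's Data Flow analyzer."""
import ast

# Constructed source/sink/sanitizer tables; a real ruleset is far larger.
SOURCES = {"input", "os.environ.get", "request.args.get"}   # external, attacker-influenced data
SINKS = {                                                     # dangerous function -> finding category
    "cursor.execute": "SQL Injection",
    "os.system": "Command Injection",
    "subprocess.call": "Command Injection",
    "open": "Path Manipulation",
}
SANITIZERS = {"int", "shlex.quote"}                           # calls assumed to neutralise taint


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Walks statements in order, remembering which variables currently hold tainted data."""

    def __init__(self):
        self.tainted = {}    # variable name -> the source it was derived from
        self.findings = []

    def taint_of(self, node):
        """Return the originating source if the expression carries taint, else None."""
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SANITIZERS:
                return None                  # taint stops at a sanitizer
            if name in SOURCES:
                return name                  # taint starts at a source
            for arg in node.args:            # taint passes through other calls' arguments...
                src = self.taint_of(arg)
                if src:
                    return src
            if isinstance(node.func, ast.Attribute):
                return self.taint_of(node.func.value)   # ...and through the receiver (x.upper())
            return None
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        for child in ast.iter_child_nodes(node):         # BinOp, JoinedStr, Subscript, ... propagate
            src = self.taint_of(child)
            if src:
                return src
        return None

    def visit_Assign(self, node):
        src = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if src:
                    self.tainted[target.id] = src
                else:
                    self.tainted.pop(target.id, None)    # reassignment from clean data clears taint
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        category = SINKS.get(sink)
        if category:
            for arg in node.args:
                src = self.taint_of(arg)
                if src:
                    self.findings.append({"category": category, "sink": sink,
                                          "source": src, "line": node.lineno})
                    break
        self.generic_visit(node)


def find_taint_flows(source_code):
    """Return one finding per sink call that receives data reachable from a source."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed sample program (not real application code); line 1 of it is the blank line.
SAMPLE = '''
import os
user = request.args.get("name")
cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
age = int(request.args.get("age"))
cursor.execute("SELECT * FROM users WHERE age = %s" % age)
path = os.environ.get("REPORT_DIR")
open(path + "/report.txt")
cmd = "ls " + input()
os.system(cmd)
cmd = "ls /tmp"
os.system(cmd)
'''

if __name__ == "__main__":
    for finding in find_taint_flows(SAMPLE):
        print(f"line {finding['line']}: {finding['category']} ({finding['source']} -> {finding['sink']})")
```

Running it reports three flows (lines 4, 8 and 10 of the sample) and stays silent on the `int()`-sanitized query and on the command re-assigned from a constant. The toy tracks only simple variables and positional arguments inside one function; keyword arguments, container contents and calls across functions are not followed, which is exactly the gap a product analyzer closes with its much larger rule base and inter-procedural analysis.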
Fortify Scanning Phases
Translation: the source code of the product is translated from the high-level language into a normalized syntax tree format (.nst intermediate files).
Analysis: the intermediate files are scanned and an analysis results file is generated, typically in the Fortify Project (FPR) format.
Audit: the Fortify project report generated in the analysis phase is inspected to identify the real vulnerabilities.
Fortify Tool
Fortify SCA executable/command: sourceanalyzer

Command line option | Purpose
-b <build-id> | Specifies a unique name for the entire project. <build-id> is an alphanumeric string (e.g. testbuild1), not to be confused with the build version of the product
-classpath <classpath> | Uses the specified class path value for Java
-jdk <value> | Indicates which version of the Java language to use
-libdirs <dirs> | Directories where system DLLs are located
-vsversion <value> | Specifies the Visual Studio version
-f <file> | The file to which analysis results are written
-format <format> | Specifies the output file format
-scan | Run an analysis
Fortify Tool - Examples

C/C++:
> sourceanalyzer -b mybuild gcc -c test.c

.NET:
> sourceanalyzer -b mybuild devenv myproj.msproj /REBUILD
> sourceanalyzer -b mybuild cl.exe /o HelloWorld HelloWorld.c
> sourceanalyzer -b mybuild -vsversion 8.0 devenv myproj.sln /REBUILD DEBUG

make/nmake (wrap the compiler variables so every compile goes through sourceanalyzer):
> CC = sourceanalyzer -b my_build gcc
> DEVENV = sourceanalyzer -b my_build devenv
> MSDEV = sourceanalyzer -b my_build msdev
Java:
> sourceanalyzer -b mybuild -cp "lib/**/*.jar" "src/**/*.java"
> sourceanalyzer -b mybuild -cp "lib/**/*.jar" "src/**/*.jsp"
> sourceanalyzer -b mybuild "src/**/*.js"
> sourceanalyzer -b mybuild touchless ant

Scan and write the FPR file:
> sourceanalyzer -b mybuild -scan -f results.fpr
Maven Based Build:
Install the target application in the local repository:
> mvn install
Clean out the previous build:
> mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:clean
Translate the code:
> mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate
Scan the code:
> mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:scan
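The translate-then-scan sequence above (gcc, Java and Maven variants) is the part that gets scripted in a CI job, and two details on these slides are easy to get wrong there: the build id must be a plain alphanumeric label, and the result of `-scan` must actually be a usable FPR before anything is uploaded. The following wrapper is an added example written for this page, not Fortify or HP code. It assembles the same command lines the slides show, runs them only when `dry_run=False` and `sourceanalyzer` (or `mvn`) is on the PATH, and sanity-checks the output. The check assumes, as the slides do not state, that an FPR is a ZIP archive containing a member named `audit.fvdl`; `build_fpr_fixture()` is a constructed stand-in so the check can be exercised offline.

```python
"""Orchestrate the Fortify SCA translate -> scan -> check sequence from a CI job (added example)."""
import io
import re
import shutil
import subprocess
import zipfile

# The slides describe <build-id> as an alphanumeric label (testbuild1, my_build), so a stray
# space, slash or version string is rejected before it reaches the command line.
BUILD_ID_RE = re.compile(r"^[A-Za-z0-9_]+$")


def check_build_id(build_id):
    """Return the build id unchanged, or raise if it is not a plain alphanumeric label."""
    if not BUILD_ID_RE.match(build_id):
        raise ValueError(f"build id must be alphanumeric, got {build_id!r}")
    return build_id


def plan(build_id, kind, fpr="results.fpr", **opts):
    """Return the ordered command list for one build kind: translation first, scan last.

    kind="gcc"   : opts["sources"] are C files compiled with gcc -c under sourceanalyzer
    kind="java"  : opts["sources"] are file globs; opts["classpath"] and opts["jdk"] are optional
    kind="maven" : opts["plugin_version"] is the sca-maven-plugin version (<ver> on the slide)
    """
    sa = ["sourceanalyzer", "-b", check_build_id(build_id)]
    if kind == "gcc":
        return [sa + ["gcc", "-c", *opts["sources"]], sa + ["-scan", "-f", fpr]]
    if kind == "java":
        translate = sa + ["-cp", opts.get("classpath", "lib/**/*.jar")]
        if "jdk" in opts:
            translate += ["-jdk", opts["jdk"]]
        return [translate + list(opts["sources"]), sa + ["-scan", "-f", fpr]]
    if kind == "maven":
        plugin = f"com.fortify.ps.maven.plugin:sca-maven-plugin:{opts['plugin_version']}"
        return [["mvn", "install"]] + [["mvn", f"{plugin}:{goal}"] for goal in ("clean", "translate", "scan")]
    raise ValueError(f"unsupported build kind: {kind}")


def run_plan(commands, dry_run=True):
    """Execute the plan step by step; with dry_run=True just return the commands."""
    if dry_run:
        return commands
    for cmd in commands:
        if shutil.which(cmd[0]) is None:
            raise RuntimeError(f"{cmd[0]} not on PATH; is the Fortify bin directory exported?")
        subprocess.run(cmd, check=True)   # a failed translation must fail the job, not be skipped
    return commands


def fpr_looks_valid(fpr):
    """Sanity-check a scan result (path or bytes) before uploading it to SSC.

    Assumption (not stated on the slides): an FPR is a ZIP archive whose analysis results
    live in a member named audit.fvdl. A truncated, empty or non-ZIP file fails this check.
    """
    source = io.BytesIO(fpr) if isinstance(fpr, bytes) else fpr
    try:
        with zipfile.ZipFile(source) as zf:
            return "audit.fvdl" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_fpr_fixture():
    """Constructed stand-in for a real FPR so fpr_looks_valid can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", "<FVDL/>")   # placeholder content, not real Fortify output
    return buf.getvalue()


if __name__ == "__main__":
    for cmd in run_plan(plan("mybuild", "java", sources=["src/**/*.java", "src/**/*.jsp"])):
        print(" ".join(cmd))
    print("fixture FPR valid:", fpr_looks_valid(build_fpr_fixture()))
```

The globs are passed as literal arguments (no shell involved), which is what the quotes in the slide commands achieve: the `**` patterns are expanded by sourceanalyzer, not by the shell. Validating the FPR before the upload step keeps an interrupted scan from overwriting a good baseline in Software Security Center.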
HP Fortify – Software Security Center
Software Security Center
Identify and prioritize a baseline of existing vulnerabilities
Prevent new vulnerabilities from being introduced
Ensure that your code is in compliance with internal and external security mandates
Remediate existing vulnerabilities and lower the baseline
HP Fortify – CI Integration
Integration with Jenkins; integration with TeamCity; integration with any other build tool.
TeamCity Integration with CP
Thank you