HP-FORTIFY SCA
Source Code Analyzer
CONTENTS
• Use of it.
• System Specifications.
• Installation.
• How it works.
• Report generation.
USE OF FORTIFY
• HPE Security Fortify Static Code Analyzer (SCA) is used by development groups and security professionals to analyze the source code of an application for security issues.
• It identifies the root causes of software security vulnerabilities.
• It supports Java, .NET, ActionScript, ABAP, ColdFusion, Ruby, Python and PHP.
• There are various filter sets; a report is generated based on the selected filter set.
• Fortify groups security defects in source code into 7 kingdoms, and the security issues it reports are classified by kingdom.
• The kingdoms are: Input Validation, API Abuse, Security Features, Time and State, Errors, Code Quality and Encapsulation.
SYSTEM SPECIFICATION
Size (LOC)   <100k                     100k to 500k               500k to 1M                 1M+
Java         32-bit machine, 2GB RAM   32-bit machine, 4GB RAM    64-bit machine, 8GB RAM    64-bit machine, 16GB RAM
.Net         32-bit machine, 2GB RAM   32-bit machine, 2GB RAM    64-bit machine, 8GB RAM    64-bit machine, 16GB RAM
C/C++        32-bit machine, 2GB RAM   64-bit machine, 16GB RAM   64-bit machine, 16GB RAM   64-bit machine, 16GB RAM
SYSTEM SPECIFICATION
Application complexity   CPU cores   RAM      Average scan time   Notes
Simple                   2           4 GB     0.5 hours           A system that runs on a server or desktop in a standalone manner, like a batch job or a command-line utility
Medium                   4           16 GB    4 hours             A standalone system that works with complex computer models, like a tax calculation system or a scheduling system
Complex                  8           64 GB    2 days              A three-tiered business system with transactional data processing, like a financial system or a commercial website
Very complex             16          256 GB   4 days              An application like a CMS
INSTALLATION
Fortify SCA is supported on Windows and Linux. Make sure a JRE is installed.
Windows:
1. Extract the ISO and run the installer HP_Fortify_SCA_and_Apps_16.11.exe.
2. During installation, in the security configuration update step, enter the server URL https://update.fortify.com.
3. Give the path to the license file fortify.license when prompted.
4. In the plugin dialog box, check the Java IDE and Visual Studio .NET plugins.
5. After installation, Fortify is ready to use in graphical and CLI mode.
INSTALLATION (continued)
Linux installation:
1. Download the fortify.xx.xx.tar.gz package from the HP website.
2. Extract it and run the installation file.
3. When prompted, give the fortify.license key for the license and https://update.fortify.com for the security configuration update.
4. After installation is done, open a terminal and type sourceanalyzer to run Fortify SCA.
TIPS FOR HIGH PERFORMANCE
• Use an SSD disk for faster performance.
• Increase the heap size of the RMI worker in <SCA Install Directory>\Core\config\fortify-sca.properties, for example com.fortify.sca.RmiWorkerMaxHeap=1G
• In the scan options use -Xmx1G (heap size) and -j 4 (enables parallel processing; 4 is the number of cores to assign).
• Increase the session file size in <SCA Install Directory>\Core\config\fortify-sca.properties, for example com.fortify.sca.IncrementFileMaxSizeMB=1024 (1 GB).
HOW IT WORKS
• Fortify can be driven from the command line or from the GUI (Audit Workbench).
• For a small code base we use the GUI.
• Start -> Audit Workbench -> New Project -> locate the source code -> configure the rules -> for Java projects, select the framework version.
• Third-party plugin code can be excluded from the scan for faster output.
• Give the path to the output file (e.g. sampleoutput.fpr).
• A dialog box then shows the two phases: the translation phase and the scan phase.
• Here we can set log storage separately for each phase, and pass options that increase the performance of the tool (-Xmx, -Xss).
REPORT GENERATION
• After completion, the .fpr file opens in Audit Workbench.
• There are different report templates: 1) OWASP Top 10 2013, 2) SANS Top 25, 3) PCI DSS, 4) OWASP Top 10 Mobile, 5) Developer Workbook, etc.
• The Developer Workbook gives the detailed report with every instance reported.
• You can customize the report template by adding Workbook and OWASP Top 10 categories.
• After selecting the template, click Generate Report.
FILTER SET
• A filter set is used to differentiate high-, medium- and low-priority issues.
• By default Fortify provides two filter sets for viewing issues: 1) Quick View, 2) Security Audit View.
• Quick View -> 1. Hide the issue if its Impact is not in the range [2.5, 5.0]; 2. Hide the issue if its Likelihood is not in the range [1, 5].
• Security Audit View -> show every issue in the specified category.
• We can add our own customized filter set.
COMMAND SET
• Scan:
sourceanalyzer -b <buildid> -scan -f results.fpr
sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile scan.log -scan -f Results.fpr -html-report
• Parallel processing:
-j 4 (4 = number of cores); -Xmx = heap size; -Xss = stack size
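A wrapper around the two-phase workflow the slides describe (translation, then scan) with the tuning flags listed above, as an added example rather than code from the deck; it assumes a Java project with sources under src/ and jars under lib/, and uses the sourceanalyzer options -clean, -cp and -source, which the slides do not mention.

```shell
#!/bin/sh
# Added example, not from the slides: wraps the two sourceanalyzer phases
# (translation, then scan) with the flags the deck lists: -b, -Xmx, -Xss,
# -j, -debug, -logfile, -scan, -f, -html-report.
# Assumptions (not on the slides): a Java project with sources under src/ and
# jars under lib/, and the sourceanalyzer options -clean, -cp and -source.

BUILD_ID="${BUILD_ID:-myapp-build}"   # constructed build id; use one per project
SRC_DIR="${SRC_DIR:-src}"
LIB_DIR="${LIB_DIR:-lib}"
HEAP="${HEAP:-1280M}"                 # -Xmx, JVM heap for each phase
STACK="${STACK:-8M}"                  # -Xss, JVM thread stack size
CORES="${CORES:-4}"                   # -j, number of cores for the scan phase
OUT="${OUT:-results.fpr}"             # -f, the FPR later opened in Audit Workbench

# Runs a command, or prints it when DRY_RUN=1 or sourceanalyzer is absent,
# so the wrapper can be reviewed on a machine without Fortify installed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ] || ! command -v sourceanalyzer >/dev/null 2>&1; then
    printf 'dry-run:'
    printf ' %s' "$@"
    printf '\n'
    return 0
  fi
  "$@"
}

# Drop intermediate files left by an earlier run of the same build id,
# otherwise stale translations would be merged into the new scan.
clean_phase() {
  run sourceanalyzer -b "$BUILD_ID" -clean
}

# Translation phase: parse the sources into Fortify's intermediate model.
# The globs are quoted so that sourceanalyzer, not the shell, expands them.
translate_phase() {
  run sourceanalyzer -b "$BUILD_ID" -Xmx"$HEAP" -Xss"$STACK" \
      -logfile translate.log \
      -cp "$LIB_DIR/*.jar" -source 1.8 "$SRC_DIR/**/*.java"
}

# Scan phase: analyse the model and write the FPR plus an HTML report;
# -j spreads the analysis over CORES workers, -debug adds detail to scan.log.
scan_phase() {
  run sourceanalyzer -b "$BUILD_ID" -Xmx"$HEAP" -Xss"$STACK" -j "$CORES" \
      -debug -logfile scan.log \
      -scan -f "$OUT" -html-report
}

# Full pipeline; stops at the first phase that fails.
full_scan() {
  clean_phase && translate_phase && scan_phase
}

# Set RUN_FORTIFY_SCAN=1 to execute the pipeline when this file is run directly.
if [ "${RUN_FORTIFY_SCAN:-0}" = "1" ]; then
  full_scan
fi
```

With DRY_RUN=1 the functions only print the command lines, which is a cheap way to check the flags before committing to a multi-hour scan.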
