SlideShare ist ein Scribd-Unternehmen logo

Fortify - Source Code Analyzer

n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore January meet

Technologie
1 von 12
Downloaden Sie, um offline zu lesen
18/01/2014 FORTIFY Rupam Bhattacharya 1
Agenda • • • • • • Overview of Fortify Using Fortify Type of Analyzers Analysis Phases Analysis Commands Demo
Fortify Source Code Analyser • Fortify Source Code Analyzer (SCA) is a set of software security analyzers that search for violations of security‐specific coding rules and guidelines in a variety of languages. • The rich data provided by Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. • The analysis information produced by SCA helps you deliver more secure software, as well as making security code reviews more efficient, consistent, and complete. 3
Using Fortify • At the highest level, using Fortify SCA involves: • Choosing to run SCA as a stand‐alone process or integrating Fortify SCA as part of the build tool • Translating the source code into an intermediate translated format, preparing the code base for scanning by the different analyzers • Scanning the translated code, producing security vulnerability reports • Auditing the results of the scan, either by transferring the resulting FPR file to Audit Workbench or Fortify 360 Server for analysis, or directly with the results displayed onscreen
Analyzers • Data Flow: The data flow analyzer detects potential vulnerabilities that involve tainted data (user‐controlled input) put to potentially dangerous use. Eg. Buffer overflow, SQL Injections. • Control Flow: The control flow analyzer detects potentially dangerous sequences of operations. Eg. time of check/time of use issues and uninitialized variables. • Semantic: The semantic analyzer detects potentially dangerous uses of functions and APIs at the intra‐procedural level. Eg. Deprecated functions, unsafe functions. • Structural: The structural analyzer detects potentially dangerous flaws in the structure or definition of the program. For Eg. Dead Code. • Configuration: The configuration analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files.
Analysis Phases • Fortify SCA performs source code analysis • Build Integration: The first phase of source code analysis involves making a decision whether to integrate SCA into the build compiler system. • Translation: Source code gathered using a series of commands is translated into an intermediate format which is associated with a build ID. The build ID is usually the name of the project being scanned. • Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension. • Verification of the translation and analysis: Ensure that the source files were scanned using the correct rulepacks and that no significant errors were reported.
Analysis Commands • The following is an example of the sequence of commands you use to analyze code: • Clean and build  sourceanalyzer -b <build_id> -clean • Translation  sourceanalyzer -b <build_id> ... •Scan  sourceanalyzer -b <build_id> -scan -f results.fpr
Translation Options • Output Options: • • • • • • • -append : Appends results to the file specified with -f. If this option is not specified, Fortify SCA adds the new findings to the FPR file, and labels the older result as previous findings. -build-label <label> : The label of the project being scanned. -build-project <project> : The name of the project being scanned. -build-version <version> : The version of the project being scanned. -f <file> : The file to which results are written. -format <format> : Controls the output format. Valid options are fpr, fvdl, text, and auto. -html-report : Creates an HTML summary of the results produced.
Translation Options • Analysis Options: • • • • • • • • -disable-default-ruletype <type> : Disables all rules of the specified type in the default rulepacks. -encoding : Specifies the encoding for encoded source files. -filter <file_name> : Specifies a results filter file. -findbugs : Enables FindBugs analysis for Java code. -quick : Scans the project in Quick Scan Mode. -rules [<file>|<directory>] : Specifies a custom rulepack or directory. -disable-source-rendering : Source files are not included in the FPR file. -scan : Causes Fortify SCA to perform analysis for the specified build ID.
Translation Options • Build Integration Options • • • • -b <build_id> : Specifies the build ID. -bin <binary> : Used with -scan to specify a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. -exclude <file_pattern> : Removes files from the list of files to translate. For example: sourceanalyzer –cp "**/*.jar"  "**/*" -exclude "**/Test.java“ -nc : When specified before a compiler command line.
Translation Options • Runtime Options • • • • • • -auth-silent : Available on Fortify SCA Per Use edition only.  Suppresses the prompt that displays the number of lines the scan requires to analyze the source code. -64 : Runs Fortify SCA under the 64‐bit JRE. -logfile <file_name> : Specifies the log file that is produced by Fortify SCA. -quiet : Disables the command line progress bar. -verbose : Sends verbose status messages to the console. -Xmx <size> : Specifies the maximum amount of memory used by Fortify SCA.
Demo

Empfohlen

Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Metasploit
MetasploitMetasploit
MetasploitParth Sahu
 
NMap
NMapNMap
NMapPritesh Raka
 
Burpsuite 101
Burpsuite 101Burpsuite 101
Burpsuite 101n|u - The Open Security Community
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 

Empfohlen

Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Metasploit
MetasploitMetasploit
MetasploitParth Sahu
 
NMap
NMapNMap
NMapPritesh Raka
 
Burpsuite 101
Burpsuite 101Burpsuite 101
Burpsuite 101n|u - The Open Security Community
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Evil Twin
Evil TwinEvil Twin
Evil Twinn|u - The Open Security Community
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Burp suite
Burp suiteBurp suite
Burp suitehamdi_sevben
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite StarterFadi Abdulwahab
 
Battle of the Stream Processing Titans – Flink versus RisingWave
Battle of the Stream Processing Titans – Flink versus RisingWaveBattle of the Stream Processing Titans – Flink versus RisingWave
Battle of the Stream Processing Titans – Flink versus RisingWaveYingjun Wu
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerManu Pk
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with SonarMax Kleiner
 
Sonarqube
SonarqubeSonarqube
SonarqubeKalkey
 

Weitere ähnliche Inhalte

Was ist angesagt?

VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 
Battle of the Stream Processing Titans – Flink versus RisingWave
Battle of the Stream Processing Titans – Flink versus RisingWaveBattle of the Stream Processing Titans – Flink versus RisingWave
Battle of the Stream Processing Titans – Flink versus RisingWaveYingjun Wu
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerManu Pk
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 

Was ist angesagt? (20)

VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Evil Twin
Evil TwinEvil Twin
Evil Twin
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise Security
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
 
Battle of the Stream Processing Titans – Flink versus RisingWave
Battle of the Stream Processing Titans – Flink versus RisingWaveBattle of the Stream Processing Titans – Flink versus RisingWave
Battle of the Stream Processing Titans – Flink versus RisingWave
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Security testing
Security testingSecurity testing
Security testing
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps Engineer
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 

Ähnlich wie Fortify - Source Code Analyzer

Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with SonarMax Kleiner
 
Sonarqube
SonarqubeSonarqube
SonarqubeKalkey
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxDeepakgupta273447
 
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_finalŠumadin Šumić
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply ChainsnexB Inc.
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionveerababu penugonda(Mr-IoT)
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsAdaCore
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Managing OSS license obligations
Managing OSS license obligationsManaging OSS license obligations
Managing OSS license obligationsnexB Inc.
 
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...Arti Parab Academics
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecMandi Walls
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...Swamy Shettru
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software CompliancenexB Inc.
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionSergey Sotnikov
 

Ähnlich wie Fortify - Source Code Analyzer (20)

Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with Sonar
 
Sonarqube
SonarqubeSonarqube
Sonarqube
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
 
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Managing OSS license obligations
Managing OSS license obligationsManaging OSS license obligations
Managing OSS license obligations
 
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Sonar qube
Sonar qubeSonar qube
Sonar qube
 
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software Compliance
 
BRKSEC-3144.pdf
BRKSEC-3144.pdfBRKSEC-3144.pdf
BRKSEC-3144.pdf
 
OWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply ChainOWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply Chain
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Kürzlich hochgeladen

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 

Kürzlich hochgeladen (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 

Fortify - Source Code Analyzer

  • 2. Agenda • • • • • • Overview of Fortify Using Fortify Type of Analyzers Analysis Phases Analysis Commands Demo
  • 3. Fortify Source Code Analyser • Fortify Source Code Analyzer (SCA) is a set of software security analyzers that search for violations of security‐specific coding rules and guidelines in a variety of languages. • The rich data provided by Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. • The analysis information produced by SCA helps you deliver more secure software, as well as making security code reviews more efficient, consistent, and complete. 3
  • 4. Using Fortify • At the highest level, using Fortify SCA involves: • Choosing to run SCA as a stand‐alone process or integrating Fortify SCA as part of the build tool • Translating the source code into an intermediate translated format, preparing the code base for scanning by the different analyzers • Scanning the translated code, producing security vulnerability reports • Auditing the results of the scan, either by transferring the resulting FPR file to Audit Workbench or Fortify 360 Server for analysis, or directly with the results displayed onscreen
  • 5. Analyzers • Data Flow: The data flow analyzer detects potential vulnerabilities that involve tainted data (user‐controlled input) put to potentially dangerous use. Eg. Buffer overflow, SQL Injections. • Control Flow: The control flow analyzer detects potentially dangerous sequences of operations. Eg. time of check/time of use issues and uninitialized variables. • Semantic: The semantic analyzer detects potentially dangerous uses of functions and APIs at the intra‐procedural level. Eg. Deprecated functions, unsafe functions. • Structural: The structural analyzer detects potentially dangerous flaws in the structure or definition of the program. For Eg. Dead Code. • Configuration: The configuration analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files.
  • 6. Analysis Phases • Fortify SCA performs source code analysis • Build Integration: The first phase of source code analysis involves making a decision whether to integrate SCA into the build compiler system. • Translation: Source code gathered using a series of commands is translated into an intermediate format which is associated with a build ID. The build ID is usually the name of the project being scanned. • Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension. • Verification of the translation and analysis: Ensure that the source files were scanned using the correct rulepacks and that no significant errors were reported.
  • 7. Analysis Commands • The following is an example of the sequence of commands you use to analyze code: • Clean and build  sourceanalyzer -b <build_id> -clean • Translation  sourceanalyzer -b <build_id> ... •Scan  sourceanalyzer -b <build_id> -scan -f results.fpr
  • 8. Translation Options • Output Options: • • • • • • • -append : Appends results to the file specified with -f. If this option is not specified, Fortify SCA adds the new findings to the FPR file, and labels the older result as previous findings. -build-label <label> : The label of the project being scanned. -build-project <project> : The name of the project being scanned. -build-version <version> : The version of the project being scanned. -f <file> : The file to which results are written. -format <format> : Controls the output format. Valid options are fpr, fvdl, text, and auto. -html-report : Creates an HTML summary of the results produced.
  • 9. Translation Options • Analysis Options: • • • • • • • • -disable-default-ruletype <type> : Disables all rules of the specified type in the default rulepacks. -encoding : Specifies the encoding for encoded source files. -filter <file_name> : Specifies a results filter file. -findbugs : Enables FindBugs analysis for Java code. -quick : Scans the project in Quick Scan Mode. -rules [<file>|<directory>] : Specifies a custom rulepack or directory. -disable-source-rendering : Source files are not included in the FPR file. -scan : Causes Fortify SCA to perform analysis for the specified build ID.
  • 10. Translation Options • Build Integration Options • • • • -b <build_id> : Specifies the build ID. -bin <binary> : Used with -scan to specify a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. -exclude <file_pattern> : Removes files from the list of files to translate. For example: sourceanalyzer –cp "**/*.jar"  "**/*" -exclude "**/Test.java“ -nc : When specified before a compiler command line.
  • 11. Translation Options • Runtime Options • • • • • • -auth-silent : Available on Fortify SCA Per Use edition only.  Suppresses the prompt that displays the number of lines the scan requires to analyze the source code. -64 : Runs Fortify SCA under the 64‐bit JRE. -logfile <file_name> : Specifies the log file that is produced by Fortify SCA. -quiet : Disables the command line progress bar. -verbose : Sends verbose status messages to the console. -Xmx <size> : Specifies the maximum amount of memory used by Fortify SCA.
  • 12. Demo