HP Fortify on Demand User Guide
FoD Release 3.2
Document Release Date: May 2014
Legal Notices
Software Release Date: May 2014
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
This is confidential computer software. A valid license from HP is required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for
Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2014 Hewlett-Packard Development Company, L.P.
Documentation Updates
The title page of this document contains the following identifying information:
- Software Version Number, which indicates the software version
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
Preface
This guide describes how to use HP Fortify on Demand (FoD).
Contacting HP Fortify
If you have questions or comments about any part of this guide, contact HP Fortify in one of
the following ways.
Technical Support for Pronq
855.525.9252
[email protected]
Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600
FoD Sales
650.409.1611
[email protected]
Website
http://www.hpenterprisesecurity.com
Contents
HP Fortify on Demand  1
Legal Notices  2
  Warranty  2
  Restricted Rights Legend  2
  Copyright Notice  2
  Documentation Updates  2
Preface  3
  Contacting HP Fortify  3
    Technical Support for Pronq  3
    Corporate Headquarters  3
    FoD Sales  3
    Website  3
Contents  4
Chapter 1: Overview of HP Fortify on Demand  9
  About HP Fortify on Demand Services  9
  About HP Fortify on Demand File Categories for Static Assessments  9
    About Analysis Files  9
    About Source Code Files  10
  About Static, Dynamic, and Mobile Assessments  10
  About Testing  10
  About Remediation Assessments  10
  About the HP Fortify Security Rating System  11
    About Fortify Priority Order  11
      Critical  11
      High  11
      Medium  11
      Low  11
      Best Practices  11
      Info  12
    About Likelihood and Impact  12
      Likelihood  12
      Impact  12
    About the Fortify Five-Star Assessment Rating  12
  About HP Fortify Terminology  13
Chapter 2: Static Assessments  15
  About Static Assessments  15
  Preparing Files for Upload  15
    Preparing Java Application Files  15
      Preparing Analysis Files (Required)  15
      Preparing Source Code Files (Optional, but recommended)  16
      Reviewing Files Before Clicking Submit  16
    Preparing .NET Application Files  16
      Preparing Analysis Files (Required)  16
      Pre-compiling ASP.NET Pages—Preferred Method: Using the aspnet_compiler.exe Tool  18
        Using the aspnet_compiler.exe Tool to Pre-compile ASP.NET Pages  18
        Preparing Analysis Files (Required)  19
        Preparing Source Code Files (Optional, but recommended)  19
        Reviewing Files Before Clicking Submit  20
      Pre-compiling ASP.NET Pages—Alternate Method: Using an Ancillary Solution in Visual Studio  20
        Using an Ancillary Solution in MS Visual Studio to Pre-compile ASP.NET Pages  20
    Preparing C and C++ Application Files in a Linux Environment  21
      Setting Up  21
      Translating  22
      Packaging  22
    Preparing C and C++ Applications in a Windows Environment  23
      Setting Up  23
      Translating  23
      Packaging  23
    Preparing COBOL Application Files  24
      Preparing Analysis Files (Required)  24
      Reviewing Files Before Clicking Submit  24
    Preparing ColdFusion Markup Language (CFML) Application Files  25
      Preparing Analysis Files (Required)  25
      Reviewing Files Before Clicking Submit  25
    Preparing Ruby or Ruby on Rails Application Files  25
      Preparing Analysis Files (Required)  25
      Reviewing Files Before Clicking Submit  25
    Preparing Visual Basic 6 (VB6) Application Files  25
      Preparing Analysis Files (Required)  25
      Reviewing Files Before Clicking Submit  25
    Preparing Python, Classic ASP, or PHP Application Files  26
      Preparing Analysis Files (Required)  26
      Reviewing Files Before Clicking Submit  26
      Creating a PHP.ini File  26
  Uploading Files to HP Fortify on Demand for Static Assessment  27
Chapter 3: Dynamic Assessments  29
  About HP Fortify on Demand Service Levels for Dynamic Assessments  29
    About Premium Dynamic Assessments  29
    About Standard Dynamic Assessments  29
    About Basic Dynamic Assessment  29
    About Express Dynamic Assessments  29
  Preparing for your HP Fortify on Demand Dynamic Assessment  30
    Tips for Successful Dynamic Assessments  30
    About Dynamic Testing Product Specifications  31
  Initiating a First-Time Dynamic Assessment  31
    About New Site Registration  32
    Completing the Dynamic Set-Up Form  34
    Submitting the Dynamic Set-Up Form  35
    Changing a Dynamic Scan Request  38
  About Subsequent Dynamic Assessments  38
    Submitting Applications for Follow-up Dynamic Testing  39
      Subsequent Dynamic Testing Submissions: Method One  39
      Subsequent Dynamic Testing Submissions: Method Two  39
Chapter 4: Mobile Assessments  41
  About HP Fortify on Demand Mobile Assessments  41
    Express  41
    Basic  41
    Standard  41
    Premium  41
  About Mobile Uploads  42
    About Recommended Browsers for Mobile Uploads  42
  Beginning a Mobile Assessment  42
    Preparing Android Project Files  42
    Preparing iOS Application Files  43
    Preparing BlackBerry Project Files  43
    Preparing Windows Project Files  44
  Creating a New Mobile Application for Assessment  44
  Initiating a Mobile Assessment  47
    About New Site Registration  48
    Completing the Mobile Set-Up Form  48
    Starting Your Scan  51
Chapter 5: Completing an Assessment  55
  About Completing the Assessment Process  55
  Checking the Status of your Assessment  55
  Communicating with the FoD Security Team  56
  About When Your Assessment is Complete  57
Chapter 1: Overview of HP Fortify on Demand
About HP Fortify on Demand Services
HP Fortify on Demand (FoD) is a Software-as-a-Service (SaaS) solution enabling your
organization to test the security of software quickly, accurately, affordably, and
without the necessity of installing software to manage the process.
FoD is available for static, dynamic, and mobile assessments, and we offer multiple
options within each of those. You also have the option to purchase individual assessments or a one-year subscription for unlimited assessments of a particular application.
About HP Fortify on Demand File Categories for Static
Assessments
When you use HP Fortify on Demand (FoD) to do a static assessment of your application, you must upload at least one zip file, which contains your analysis files. This zip
file may or may not also contain source code files.
For a static analysis to provide maximum value to you, it is best if the files you submit
also contain debug compiled libraries and source code. The FoD static analyzer uses
the debug compiled binaries to identify and isolate vulnerabilities. Because automated tools have the potential to over-report vulnerabilities, our auditors use your
source code to do a manual confirmation of the validity of vulnerabilities.
Your submitted zip should not contain additional compressed files, such as ZIP, TAR,
or GZIP. The types of files to upload are:
1. Analysis files (required)
2. Source code files (optional, but strongly recommended)
Also note that any code you submit for assessment must be fully deployable. This
means, for example, that any .jar file must have executable code in it.
About Analysis Files
Analysis files are:
A. The debug-compiled executable files produced by compiling your application’s
source code files
B. The executable library and resource files produced and delivered by third parties
that are used by your application
About Source Code Files
Source code files are the text files you compile to produce the application files.
To enhance the ability of HP Fortify on Demand to customize the assessment to your
application, you may upload all the source code files used to produce the analysis
files for HP Fortify on Demand.
The purpose of analyzing an application with HP Fortify on Demand is to identify
security issues in the executable files you created by compiling your application’s
source code. In order to get complete and accurate assessment results you must
upload all of your application’s files to HP Fortify on Demand. Whenever possible, it is
best if you include debug built binaries. Debug build files enable FoD to provide the
exact line numbers where vulnerabilities exist in your code. If we do not have your
debug library, your report will refer only to file names.
About Static, Dynamic, and Mobile Assessments
In HP Fortify on Demand, you can upload files and initiate an assessment of your
code for a static assessment. If you have purchased a dynamic assessment, you can
test your URL, and if you are working in a mobile environment, you can have several
different types of files analyzed. Detailed instructions for each assessment type are
provided throughout this User Guide.
About Testing
Our expert team conducts a thorough audit of your application for security vulnerabilities. This includes at least two steps:
- Security Assessment: You provide HP Fortify on Demand with the analysis files, source code, or URL and external access for your application, and FoD performs automatic testing.
- Expert Review: Software security experts at HP Fortify on Demand manually review the results of our assessment to ensure the highest possible degree of accuracy.
About Remediation Assessments
All single assessment purchases include one remediation assessment, which can be
performed within a 90-day window of the initial scan.
For static assessments, FoD will reassess your code after you have remediated issues
revealed by the initial scan.
For dynamic assessments, FoD will recheck the vulnerabilities discovered during the
initial assessment to ensure that they have been resolved.
Note that releases are deleted from FoD after 90 days, so any remediation assessments must be performed within that time frame.
About the HP Fortify Security Rating System
Fortify on Demand, like all HP Fortify products, is designed to provide useful information about the vulnerability of your applications. To ensure that the results we give
you are consistent, understandable, and actionable we have developed a set of reporting conventions, described in the following sections.
About Fortify Priority Order
HP Fortify has defined the following six levels of priority as a way to categorize the
severity of vulnerabilities (also known as “issues”).
Critical
Critical issues are those that have both a high potential impact and a high likelihood
of occurring. Critical issues are easy to detect and exploit, and they can result in significant damage to your assets. These issues should be remediated immediately. (SQL
injection is an example of a critical issue.)
High
High-priority issues have the potential for high impact, but have a low likelihood of
occurring. High-priority issues are often difficult for outsiders to detect and exploit,
but they can result in large damage to your assets, so they represent a high security
risk to an application. High priority issues should be remediated in your next scheduled patch release. (A hard-coded password is an example of a high-priority issue.)
Medium
Medium-priority issues have a low potential impact but a high likelihood. Medium-priority issues are easy to detect and exploit, but they typically result in small asset damage. These issues represent a moderate security risk to your application. Medium-priority issues should be remediated in the next scheduled product update. (Path manipulation is an example of a medium issue.)
Low
Low-priority issues have low potential impact and a low likelihood of occurring. Low-priority issues can be difficult for others to detect and exploit, and they typically result in small asset damage. These issues represent a minor security risk to your application. Low-priority issues should be remediated as time allows. (Dead code is an example of a low issue.)
Best Practices
If you are notified that your application has “best practices” shortcomings, that means
there are no significant vulnerabilities; just minor issues that may be less than ideal
for applications of your type.
Info
“Info” is the lowest level of warning. HP Fortify may provide you with information
about your application that does not represent a vulnerability but might be of
interest for some reason.
About Likelihood and Impact
Likelihood
Likelihood is the probability that a vulnerability will be identified by an outsider and
successfully exploited.
Impact
Impact is the potential damage an attacker could do to your assets by successfully
exploiting a vulnerability. This damage could be in the form of financial loss, compliance violation, loss of brand reputation, negative publicity, and more.
About the Fortify Five-Star Assessment Rating
A Fortify security assessment analyzes an application for a variety of software security vulnerabilities. The results of that assessment are communicated to you in a number of ways, including comprehensive onscreen details and a suite of customizable
reports. The most efficient snapshot of your application’s safety, though, is the Fortify five-star
rating system, which provides quick information on the likelihood and impact of
defects present in your application. A perfect rating within this system would be five
complete stars, indicating that no high-impact vulnerabilities were discovered.
1. A rating of one star means the application has critical vulnerabilities. Any
application that gets scanned automatically gets at least one star.
2. Applications receive two stars if the security review identifies any vulnerabilities that either have a high likelihood of being exploited, or would have
a high impact if they were (but not both).
3. A three-star rating means an application has only low- to medium-severity vulnerabilities.
4. Fortify awards four stars to applications with only low-severity vulnerabilities
(even if those have a high likelihood of occurring).
Note that vulnerabilities which have a low impact but are easy to exploit
should be considered carefully, as they may pose a greater threat if an
attacker exploits many of them as part of a concerted effort.
5. Five stars is Fortify’s highest rating, awarded only to applications that have
undergone a Fortify security review that identified no vulnerabilities.
About HP Fortify Terminology
In an ongoing effort to make Fortify on Demand clear and accessible, and respond to
customer feedback, we occasionally update terminology used in the program. Below
are a few notes that we hope will help alleviate confusion:
- Generally speaking, a project is the same thing as an application.
- And an application is sometimes referred to as an app.
- A release is the same as a project version.
- A lookup is the same thing as an attribute.
- An issue is another word for a vulnerability, or “vuln.”
- An assessment is sometimes referred to as an analysis, a scan, or a test.
- Fortify Priority Order is the same thing as Severity. Both terms refer to the hierarchy of seriousness among vulnerabilities (Critical, High, Medium, Low, Best Practices, Info).
- Fixed is sometimes used as a synonym for remediated.
- The person Assigned to an issue or application is the same as the Owner of it.
- Assessments that used to have a status of Rejected are now referred to as Canceled.
- The area that used to be called Manage Users is now called Access.
- The attributes that used to be called Tenant Lookups are now Attributes with “Text” as their value type.
- Vendor Management replaces the former Shared Reports. To access this function, use the word Vendor in the Administration menu.
- A Ticket means a request for support. Sometimes it is called a Request.
- Within the Help Center, the terms Open and New mean a question is in the hands of the FoD team, in the process of being researched or resolved. The term Pending means that action is required from you or your company.
- A status of Pending for a test means the same thing as Waiting for a help ticket, which is: the FoD team is waiting for a response from you before it can proceed.
- A missing dependency means that code you submitted for analysis contains references to files not included in the payload. When the FoD software scans each line of your code, it looks for the source of each reference; if it does not find them, it flags a missing dependency.
- An operation (also called a method) is an action that a web service performs. For instance, one web service may have one WSDL that contains four operations. Those might be, for example, Update, Create, Delete, and Diagnostic.
Chapter 2: Static Assessments
About Static Assessments
The first step in a static assessment is to prepare your code for upload to the Fortify
on Demand portal. The preparation process differs depending on which programming language your application is in.
The sections below, under Preparing Files for Upload, explain the process for each type of code.
Notes on file size:
- The normal size limit for files, if you are uploading manually using the procedures described in Preparing Files for Upload, is 250 MB.
- You may upload up to 75 MB of code using the instructions for any type of code.
- If your file is larger than 75 MB, contact your TAM before uploading.
- To remove the size limit altogether, you can use the Build Server Integration tool, called FodUpload.jar, which is explained below.
Preparing Files for Upload
In order to ensure an effective analysis of your application, we ask that you prepare
your files as described in the following sections.
Preparing Java Application Files
For Java applications, package your analysis and source code files for upload to HP
Fortify on Demand in a single zip file, as follows.
Preparing Analysis Files (Required)
- Web application: Package in a .WAR or .EAR file. If you have multiple .WAR files, you can package them into a zip and call it a .EAR. (You cannot have .JAR files inside other .JAR files or .EAR files inside other .EAR files in the zip.) For example, your file structure may look like one of these:
  1. Zip File
       EAR
         WAR
           JAR
  2. Zip File
       WAR1
         JAR
       WAR2
         JAR
- Non-web applications: Package in a single zip file. (HP Fortify on Demand cannot recursively process zip files contained within a zip package.) Ensure that there are no precompiled JSPs.
- Ensure that all JARs are included, including third-party JAR files.
- Ensure that all files are compiled in DEBUG mode. If they are not, the assessment will still run but the results will not include line-of-code details for each issue.
Preparing Source Code Files (Optional, but recommended)
To improve the quality of results, HP Fortify recommends that you upload all of your
application’s source code files to HP Fortify on Demand. Package the application
source code files together with your analysis files in a single zip package.
If no source code is uploaded, HP Fortify auditors have nothing to look at and can
only send back results; therefore, it is important that you send source code to be analyzed.
Reviewing Files Before Clicking Submit
- Make sure you have resolved all warnings presented in the HP Fortify on Demand interface after upload.
- Select only JARs that are part of the application code. Do not select JARs that are part of third-party libraries.
Preparing .NET Application Files
For .NET applications, package analysis and source code files for upload to HP Fortify
on Demand as follows.
Preparing Analysis Files (Required)
- Rebuild the application in DEBUG mode to ensure that a .PDB file is produced. Only DLLs that are compiled in DEBUG mode will present filename and line number resolution in the results.
- Ensure that all ASP.NET pages are precompiled. See the section below, “Pre-compiling ASP.NET Files,” for guidance.
- Package the analysis files in a single zip file. HP Fortify on Demand cannot recursively process zip files contained within a zip package.
- Ensure that all DLLs are present in the upload.
- Also ensure that executables and .config files for web applications, websites, and other files produced during the deployment process are present in the upload file.
- Ensure that the associated .PDB files are included in the upload file.
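As an added pre-upload check (example code written for this guide, not part of HP Fortify on Demand or its tooling), the following Python script lints a payload zip against the packaging rules in the Java and .NET sections above: it flags nested ZIP/TAR/GZIP files, a JAR inside another JAR or an EAR inside another EAR, JARs that carry no compiled classes, and DLLs that have no matching .PDB. The sample payloads at the bottom are constructed in memory so the script runs offline.

```python
import io
import zipfile

# Archive types the guide says may not appear anywhere inside the upload zip.
COMPRESSED_EXTS = (".zip", ".tar", ".gz", ".tgz")
# Java deployment archives are zip containers. WAR or JAR inside an EAR and
# JAR inside a WAR are fine; JAR inside JAR and EAR inside EAR are not.
JAVA_ARCHIVE_EXTS = (".ear", ".war", ".jar")


def _ext(name: str) -> str:
    """Return the archive extension of a path, or '' if it is a plain file."""
    lower = name.lower()
    for ext in COMPRESSED_EXTS + JAVA_ARCHIVE_EXTS:
        if lower.endswith(ext):
            return ext
    return ""


def check_payload(zip_bytes: bytes) -> list[str]:
    """Lint an FoD static-assessment upload zip; empty list means it passed."""
    findings: list[str] = []
    paths: list[str] = []  # every file path seen, nested archives included
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        _walk(zf, "", [], findings, paths)
    findings.extend(_dotnet_pdb_findings(paths))
    return findings


def _walk(zf, prefix, parents, findings, paths):
    # parents: extensions of the enclosing Java archives, outermost first.
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        paths.append(path)
        ext = _ext(info.filename)
        if ext in COMPRESSED_EXTS:
            findings.append(f"nested compressed file not allowed: {path}")
            continue
        if ext not in JAVA_ARCHIVE_EXTS:
            continue
        if ext == ".jar" and ".jar" in parents:
            findings.append(f"JAR inside another JAR: {path}")
        if ext == ".ear" and ".ear" in parents:
            findings.append(f"EAR inside another EAR: {path}")
        data = zf.read(info)
        if not zipfile.is_zipfile(io.BytesIO(data)):
            findings.append(f"not a readable archive: {path}")
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            # "Fully deployable": a JAR has to carry compiled classes.
            names = inner.namelist()
            if ext == ".jar" and not any(n.lower().endswith(".class") for n in names):
                findings.append(f"JAR contains no compiled .class files: {path}")
            _walk(inner, path + "!/", parents + [ext], findings, paths)


def _dotnet_pdb_findings(paths: list[str]) -> list[str]:
    # A DLL without its .PDB still scans, but the report loses line numbers.
    lowered = {p.lower() for p in paths}
    return [
        f"DLL without matching .pdb (no line numbers): {p}"
        for p in paths
        if p.lower().endswith(".dll") and p[:-4].lower() + ".pdb" not in lowered
    ]


def _zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample payloads; the byte strings stand in for real binaries.
_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 12
GOOD_JAR = _zip({"com/example/App.class": _CLASS})
GOOD_WAR = _zip({"WEB-INF/lib/app.jar": GOOD_JAR, "index.jsp": b"<html/>"})
GOOD_JAVA_PAYLOAD = _zip({
    "app.ear": _zip({"app.war": GOOD_WAR}),
    "src/main/java/com/example/App.java": b"class App {}",
})
GOOD_DOTNET_PAYLOAD = _zip({
    "bin/Site.dll": b"MZ", "bin/Site.pdb": b"pdb",
    "bin/App_Web_ab12.dll": b"MZ", "bin/App_Web_ab12.pdb": b"pdb",
    "web.config": b'<compilation debug="true" />',
})
BAD_PAYLOAD = _zip({
    "app.ear": _zip({"bad.jar": _zip({"lib/inner.jar": GOOD_JAR})}),
    "vendor.zip": _zip({"readme.txt": b"x"}),  # archive inside the upload
    "bin/Release.dll": b"MZ",  # no Release.pdb beside it
})
```

Run `check_payload(...)` on each sample: the two good payloads return no findings, while BAD_PAYLOAD reports the class-less JAR, the JAR-in-JAR, the nested zip and the PDB-less DLL.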
7. Go back to FoD and navigate to the BSI page for your application:
a. Click Applications.
b. From the list that appears, click the name of your application.
c. Click the icon in the bottom left part of the screen, called BSI.
That brings you to the screen shown below.
8. Copy the binary URL. (Highlighted in red, below.)
9. Go to MS Visual Studio.
10. Paste the URL you have just copied into the plug-in’s BSI URL text box.
11. Check the box beside Save Package After Send.
This saves a copy of your zip file on your local machine.
The plug-in zips your application’s analysis files, along with any additional files you
selected.
By default, the plug-in packages both analysis (binary) files and source files.
12. If you want to include only binary files, check the box beside Binaries Only.
In most cases, however, you will want to include source files as well as binaries, in order to get more complete results. Therefore, we recommend leaving Binaries Only unchecked.
13. Click Add Extra Files.
A dialog box opens. Here, you can select additional files for inclusion in the upload
zip file. These may be either source files or meta-data to assist in manual analysis.
14. Click Send.
Pre-compiling ASP.NET Pages—Preferred Method: Using the aspnet_compiler.exe Tool
There are two ways to prepare ASP.Net pages. The preferred method is to use the
aspnet_compiler.exe tool. To do it that way, follow the instructions immediately below.
For an alternative method, see Pre-compiling ASP.NET Pages—Alternate Method:
Using an Ancillary Solution in Visual Studio.
Using the aspnet_compiler.exe Tool to Pre-compile ASP.NET Pages
1. Make sure the debug attribute of the compilation tag is set to true; that is, <compilation debug="true" /> in your web.config.
2. Locate the aspnet_compiler.exe, which can be found in the %SYSTEMROOT%\Microsoft.NET\Framework\<version> directory.
3. Open the command prompt with administrator privileges (right-click Command Prompt and choose Run as Administrator), and then run aspnet_compiler.exe with the following options:
   >aspnet_compiler.exe -v <virtualPath> -p <physicalPath> -c -d -f <targetDir>
   - <virtualPath>: Specifies the virtual path of the application to be compiled.
   - <physicalPath>: Specifies the full path of the root directory that contains the application to be compiled.
   - <targetDir>: The full path to the root directory that will contain the compiled application.
4. Once the compilation is complete, check the <targetDir> to make sure that both
dll and pdb files are present. The file names should be something like App_Web_
xxxx.dll and App_Web_xxxx.pdb. Package all .dll and .pdb files along with the
other .dll and .pdb files from your application as a single zip file.
Note: If any file fails compilation, the entire site fails compilation.
Reference: http://msdn.microsoft.com/en-us/library/ms229863(v=VS.100).aspx
You can verify that all your .aspx/.ascx files have been precompiled by opening the
generated App_Web_xxxx.dll file using the ildasm.exe program from the .NET
Framework installation. This can generally be found in the directory called C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin. After loading the file, look for a _ASP
and ASP namespace. Under that, you should see the .aspx files. Make sure that all are
present (this can span multiple files), and include all of them in the payload (both the
.dll and .pdb files).
To view a video about ASP.NET precompilation, go to:
http://www.asp.net/web-forms/videos/how-do-i/how-do-i-precompile-an-aspnet-website
Preparing Analysis Files (Required)
To ensure that HP Fortify on Demand can resolve “Include” and “Library” files,
ensure that the directory structure in the zip file matches the deployment directory
structure.
Preparing Source Code Files (Optional, but recommended)
To improve the quality of results, HP Fortify recommends that you upload all of your
application’s source code files to FoD. To do this, include the application's source code
files in the zip file you are submitting to FoD, along with your other files.
If no source code is uploaded, HP Fortify auditors have nothing to look at and can
only send back results; therefore, it is important that you send source code to be analyzed.
Reviewing Files Before Clicking Submit
Make sure you resolve any warnings that appear in the HP Fortify on Demand interface after upload.
Note: If the web.config is wrong, then you will see errors. For example, you cannot
have a site under (that is, subordinate to) another site.
Pre-compiling ASP.NET Pages—Alternate Method: Using an Ancillary Solution in Visual Studio
There are two ways to prepare ASP.NET pages. For the preferred method, see Precompiling ASP.NET Pages—Preferred Method: Using the aspnet_compiler.exe Tool.
For the alternative method, follow the instructions below.
Using an Ancillary Solution in MS Visual Studio to Pre-compile ASP.NET Pages
1. Clear out any old files. To do this:
a. Close any running instances of Visual Studio.
Visual Studio precompiles the ASP.NET pages of each of your website applications to
a directory named Temporary ASP.NET Files.
b. In order to clear out potentially outdated files, delete:
   %SYSTEMROOT%\Microsoft.NET\Framework\<version>\Temporary ASP.NET Files
   <version>: For .NET 1.1 applications, fill <version> in with v1.1.xxxx. For .NET 2.0/3.0/3.5 applications, fill it in with v2.0.xxxx. (In either case, replace xxxx with the actual digits found on your system.)
2. Create an ancillary solution to hold website applications. To do this:
a. Create an empty solution. (MS Visual Studio precompiles the website applications of your original solution as part of the solution build. Visual Studio will
not do the same for your web applications, so you must create website applications for each of them and add them to this empty solution.)
b. Set the solution configuration of the empty solution you just created to debug.
c. Repeat for each web application inside your original solution:
   - In Solution Explorer, right-click your solution and select Add -> Existing Web Site....
   - In the Add Existing Application pop-up, navigate to the directory of your web application and click Open.
   - Once the website application has been added, make sure that inside web.config you have <compilation debug="true"/>. (You may have other attributes or even sub-elements. Just make sure that debug is set to true.)
3. Repeat for each website application inside your original solution (for which you did not have to create a new application in the ancillary solution). Ensure that, in web.config, the debug attribute of the compilation tag is set to true; that is:
   <compilation debug="true"/>
4. Make sure that debug information is omitted as part of the precompilation.
5. Perform precompilation and add the precompilation output to the upload archive(s).
   a. Rebuild both your original solution and the solution that you created while following these steps.
   b. After precompilation, each website application ends up with its own folder inside the Temporary ASP.NET Files directory containing precompilation output. For each website application, package the contents of its folder alongside the other items in its output folder.
Preparing C and C++ Application Files in a Linux Environment
HP Fortify on Demand offers a Remote C/C++ Translator, which simplifies the packaging and processing of C/C++ source code for analysis by FoD. If you install this
translator utility, you no longer need to manually package and deliver all the files
necessary to submit your application for analysis by Fortify on Demand.
Setting Up
To set up the translator utility:
1. Obtain the FoD Remote C/C++ Translator from your Technical Account Manager
(TAM).
2. Copy the archive to your Linux build machine.
3. Extract the translator. (The bundle is a Gzipped tarball.)
4. Make a note of the path to the translator (sourceanalyzer).
Translating
1. Change the directory to your normal build directory.
2. Execute the sourceanalyzer command as follows, substituting your build script (or make) for “build_command”:
   /path_to_translator/sourceanalyzer -b fod_remote touchless build_command
   Example: ~/fod_remote/bin/sourceanalyzer -b fod_remote touchless make all
3. Verify that the project builds correctly.
4. Make sure the name of your build session is exactly the same as the name of your build.
Packaging
Option 1: (Recommended) Mobile Build Session
A mobile build session lets you translate a project on one machine and analyze it on another. When you create a mobile build session, a .mbs file that includes the files needed for the analysis phase is created in the build session directory. The .mbs file is then moved to a different machine for analysis. To do this:
1. On the machine where the translation was done, issue the following command to generate a mobile build session:
   sourceanalyzer -b <build-id> -export-build-session <file.mbs>
   where <file.mbs> is the file name you assign for the mobile build session.
Option 2: Workaround
Use Option 2 if your export fails, but the build and translation work.
Note: If you begin Option 2 and run into any difficulties, please file a ticket through
the FoD Help Center. We may be able to save you some time if we know what problems you experience.
1. Copy the FoD_remote build directory to a working directory.
The build directory is located here: ~/.fortify/sca5.12/build/fod_remote
Example: cp -R ~/.fortify/sca<<highestversion>>/build/fod_remote
~/work/
2. Copy the source code into the work directory.
3. At this point, the work directory should look as follows:
   /work
       fod_remote
       src
4. Zip the work directory and submit it to Fortify on Demand.
Be sure to use technology stack payload type: .mbs.
Preparing C and C++ Applications in a Windows Environment
HP Fortify on Demand offers a Remote C/C++ Translator, which simplifies the packaging and processing of C/C++ source code for analysis by FoD. If you install this
translator utility, you no longer need to manually package and deliver all the files
necessary to submit your application for analysis by Fortify on Demand.
Setting Up
To set up the translator utility:
1. Obtain the FoD Remote C/C++ Translator from your Technical Account Manager
(TAM).
2. Copy the archive to your Windows build machine.
3. Extract the translator. (The bundle is a Gzipped tarball.)
4. Make a note of the path to the translator (sourceanalyzer).
Translating
1. Change the directory to your normal build directory.
2. Execute the sourceanalyzer command as follows, substituting your build script (or make) for “build_command”:
   /path_to_translator/sourceanalyzer -b fod_remote touchless build_command
   Example: ~/fod_remote/bin/sourceanalyzer -b fod_remote touchless make all
3. Verify that the project builds correctly.
4. Make sure the name of your build session is exactly the same as the name of your
build.
Packaging
Option 1: (Recommended) Mobile Build Session
A mobile build session lets you translate a project on one machine and analyze it on
another. When you create a mobile build session, a .mbs file that includes the files
needed for the analysis phase is created in the build session directory. The .mbs file
is then moved to a different machine for analysis. To do this:
1. On the machine where the translation was done, issue the following command
to generate a mobile build session:
sourceanalyzer -b <build-id> -export-build-session <file.mbs>
where <file.mbs> is the file name you assign for the mobile build session.
Option 2: Workaround
Use Option 2 if your export fails, but the build and translation work.
Note: If you begin Option 2 and run into any difficulties, please file a ticket through
the FoD Help Center. We may be able to save you some time if we know what problems you experience.
1. Copy the FoD_remote build directory to a working directory.
The build directory is located here: %LOCALAPPDATA%\Fortify\sca<<highestversion>>\build\fod_remote
Example: cp -R C:\Users\exampleuser\AppData\Local\Fortify\sca<<highestversion>>\build\fod_remote C:\Users\exampleuser\work
2. Copy the source code into the work directory.
3. At this point, the work directory should look as follows:
   /work
       fod_remote
       src
4. Zip the work directory and submit it to Fortify on Demand.
Be sure to use technology stack payload type: .mbs.
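The translator workflow from the Linux and Windows sections above, as an added shell example that is not code from the guide: it runs the touchless translation, tries the Option 1 export, and otherwise stages and checks the Option 2 work directory before zipping it. The function names, the SOURCEANALYZER variable (defaulting to the guide's example path) and the presence of a zip command are assumptions; the sourceanalyzer options are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the HP Fortify on Demand guide: wrapper for the
# Remote C/C++ Translator workflow (translate in touchless mode, export a
# mobile build session, or fall back to the Option 2 work directory).
# Assumed: SOURCEANALYZER points at the extracted translator (the default
# mirrors the guide's example path); a zip command is installed.
set -e

SOURCEANALYZER="${SOURCEANALYZER:-$HOME/fod_remote/bin/sourceanalyzer}"
BUILD_ID="fod_remote"   # build session id the guide prescribes

# Translating, step 2: run the normal build command under the translator.
# Usage: fod_translate make all
fod_translate() {
    "$SOURCEANALYZER" -b "$BUILD_ID" touchless "$@"
}

# Option 1: export the build session as a .mbs file and confirm it is non-empty.
fod_export_mbs() {
    out="$1"
    "$SOURCEANALYZER" -b "$BUILD_ID" -export-build-session "$out"
    [ -s "$out" ] || { echo "export produced no $out" >&2; return 1; }
}

# Option 2, step 3: succeed only when the work directory has the layout the
# guide shows, fod_remote/ and src/, each present and non-empty.
fod_check_workdir() {
    work="$1"
    for d in fod_remote src; do
        if [ ! -d "$work/$d" ]; then
            echo "missing $work/$d" >&2; return 1
        fi
        if [ -z "$(ls -A "$work/$d")" ]; then
            echo "$work/$d is empty" >&2; return 1
        fi
    done
}

# Option 2, steps 1-2: copy the translator's build directory (the
# .../build/fod_remote path from the guide) and the source tree into a work
# directory, then verify the layout.
fod_stage_workdir() {
    build_dir="$1"; src_dir="$2"; work="$3"
    mkdir -p "$work"
    cp -R "$build_dir" "$work/fod_remote"
    cp -R "$src_dir" "$work/src"
    fod_check_workdir "$work"
}

# Option 2, step 4: zip the verified work directory for upload with
# technology stack payload type .mbs.
fod_zip_workdir() {
    work="$1"; archive="$2"
    fod_check_workdir "$work"
    (cd "$work" && zip -qr "$archive" fod_remote src)
}

# Typical flow after translation: try the export, fall back to Option 2.
fod_package() {
    build_dir="$1"; src_dir="$2"; work="$3"
    if fod_export_mbs "$work.mbs"; then
        echo "upload $work.mbs"
    else
        fod_stage_workdir "$build_dir" "$src_dir" "$work"
        fod_zip_workdir "$work" "$work.zip"
        echo "upload $work.zip (payload type .mbs)"
    fi
}
```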
Preparing COBOL Application Files
For COBOL applications, package your source code files for upload to HP Fortify on
Demand as follows.
Preparing Analysis Files (Required)
Prepare a single zip file that includes both the source code for your application and
the copy books.
In the Upload Files for Analysis wizard, you will be asked to upload this in the section called Files for Analysis.
Reviewing Files Before Clicking Submit
Ensure that all warnings presented in the HP Fortify on Demand interface after
upload are resolved.
Preparing ColdFusion Markup Language (CFML) Application Files
For CFML applications, package the application and source code files for upload to HP
Fortify on Demand as follows.
Preparing Analysis Files (Required)
Prepare one zip file containing the source code files of your application. In the Upload
Files for Analysis wizard, you will be asked to upload it into the Files for Analysis section.
Reviewing Files Before Clicking Submit
Ensure that all warnings presented in the HP Fortify on Demand interface after
upload are resolved.
Preparing Ruby or Ruby on Rails Application Files
For applications created in either Ruby or Ruby on Rails, package your application and
source code files for upload to HP Fortify on Demand as follows.
Preparing Analysis Files (Required)
Prepare one zip file containing your entire application, as it would be deployed, and
include all source code.
In the Upload Files for Analysis wizard, you will be asked to upload this into the
Files for Analysis section.
Reviewing Files Before Clicking Submit
Ensure that all warnings presented in the HP Fortify on Demand interface after
upload are resolved.
Preparing Visual Basic 6 (VB6) Application Files
For VB6 applications, package your application and source code files for upload to HP
Fortify on Demand as follows.
Preparing Analysis Files (Required)
Prepare one zip file containing the source code files of your application. In the
Upload Files for Analysis wizard, you will be asked to upload it into the Files for
Analysis section.
Reviewing Files Before Clicking Submit
Ensure that all warnings presented in the HP Fortify on Demand interface after
upload are resolved.
Preparing Python, Classic ASP, or PHP Application Files
For Python, Classic ASP, or PHP applications, package the application and source code
files for upload to HP Fortify on Demand as follows.
Preparing Analysis Files (Required)
Prepare one zip file containing the source code files of your application. In the
Upload Files for Analysis wizard, you will be asked to upload it into the Files for
Analysis section.
If yours is a PHP application file, make sure to include your php.ini file with your package. This file helps HP Fortify on Demand identify where dependencies reside, and
helps improve the accuracy of results.
Reviewing Files Before Clicking Submit
Make sure you resolve any warnings that appear in the HP Fortify on Demand interface after upload.
Note: The only version of Python fully supported by HP Fortify at this time is 2.6. If
you have another version of Python, please speak with your TAM about options.
Creating a PHP.ini File
A php.ini file is a plain text configuration file, named php.ini, that the PHP runtime
reads to find out which options have been turned on or off, or set to a value different
from the server defaults.
You can construct a custom php.ini file and place it in your web account. You can create a php.ini file using any text editor. To create a php.ini file, open a text editor, (such
as Microsoft Notepad), add the lines you need, and save the file. You can name the file
anything you want. After you have saved it, upload the file to the directory where
your script is located, and then rename it php.ini.
In other words, you create a php.ini file containing custom settings that override the
default server settings. For example, you can turn off the PHP settings "file_uploads" or
"magic_quotes_gpc" with these lines in php.ini:
file_uploads = off
magic_quotes_gpc = no
Your php.ini file should contain only the custom settings, each on its own line as in
the above example.
To see a list and description of the directive settings that can be set in a custom
php.ini file (where value = 1, sets value in php.ini to ON; where value = 0, sets value
in php.ini to OFF) click this link:
http://php.net/manual/en/ini.core.php
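As an added example that is not from the guide, a shell function that lists each directive in a custom php.ini and shows whether PHP will read its value as ON, OFF or a literal, and flags any line that is not a setting. The function names are assumptions; the constructed sample in phpini_demo uses the guide's two lines plus an include_path directive.

```shell
#!/bin/sh
# Added example, not part of the HP Fortify on Demand guide: report how PHP
# reads each directive in a custom php.ini (the file bundled with a PHP
# upload). PHP treats 1/On/Yes/True as on and 0/Off/No/False/None or an
# empty value as off; anything else is shown verbatim. Lines that are not
# "directive = value" (or blank, comment or [section]) fail the check, since
# the guide says the custom file should contain only settings.
set -e

phpini_lint() {
    file="$1"; status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|';'*|'#'*|'['*']') continue ;;   # blank, comment or section header
            *=*)
                key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                ;;
            *)
                echo "malformed line: $line" >&2; status=1; continue ;;
        esac
        case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
            1|on|yes|true)           echo "$key=ON" ;;
            0|off|no|false|none|'')  echo "$key=OFF" ;;
            *)                       echo "$key=$val" ;;
        esac
    done < "$file"
    return $status
}

# Constructed sample (assumed content): the guide's two lines plus an
# include_path so FoD can see where dependencies reside.
phpini_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
file_uploads = off
magic_quotes_gpc = no
include_path = ".:/app/lib"
EOF
    if phpini_lint "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}
```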
Uploading Files to HP Fortify on Demand for Static Assessment
Once you have prepared your files properly, as described in one of the sections
above, you are ready to upload them to Fortify on Demand. The steps to do that are
as follows.
1. On your system, find the analysis files to be uploaded. These are the application
files in either .jar or .ear format or, if yours is a web application, packaged in a
.war.
2. Create one zip file that includes all files to be submitted to FoD. This should
include both application files and source files.
3. In this case, your zip file would include the .java files from the src directory.
Chapter 3: Dynamic Assessments
About HP Fortify on Demand Service Levels for Dynamic Assessments
An HP Fortify on Demand dynamic assessment tests your website for vulnerabilities.
For your dynamic assessment, you can choose among four testing levels: Premium,
Standard, Basic, or Express. A description of these is below.
About Premium Dynamic Assessments
Appropriate for business-critical applications; any applications that host proprietary
data or contain financial data, PII, or other sensitive information; and applications that
perform financial transactions. This is also the right choice for applications that have
rigorous compliance requirements, and/or multi-step, form-based processes.
• Begins with expert use of HP Fortify’s security scanner, WebInspect
• Includes extensive manual testing
• Includes testing for both technical and business logic vulnerabilities
• Results are manually reviewed by website security experts who examine account
  structures and contextual logic in web applications to remove false positives and
  assure quality results
About Standard Dynamic Assessments
An automated and manual solution for websites that are a regular feature of your customers’ online experience and have multi-step, form-based processes, but are not necessarily business-critical.
• Includes testing for technical vulnerabilities
• Includes the use of multiple automated and manual testing solutions
• Results are manually reviewed by security experts to remove any false positives
  and assure quality results
About Basic Dynamic Assessment
An automated solution for websites that are seasonal or temporary in nature.
• Includes an assessment via WebInspect’s security scanner
• All results are manually reviewed by security experts to remove false positives
  and assure quality results
About Express Dynamic Assessments
Appropriate for companies with a large number of websites who need to do fast,
efficient testing for the most serious and prevalent vulnerabilities. Express
assessments can be a good first step, to help you identify applications that require
more in-depth assessments. Express assessments are also recommended for websites
you update frequently; since they recur at regular intervals they can alert you to new
threats that arise over time.
• Tests only for cross-site scripting errors, SQL injection errors, and a limited list of
  other highly prevalent issues
• Tests unauthenticated pages only
• Includes expert use of HP Fortify’s security scanner, WebInspect
• Recurs at regular intervals of your choosing (weekly, monthly, or quarterly)
Preparing for your HP Fortify on Demand Dynamic Assessment
For all assessments, you must confirm that your web application and user credentials
are functioning before you initiate security testing. In addition, you should complete
all functional and performance testing beforehand and make sure to freeze your
application’s code for the duration of the security test engagement. As a standard precaution, we recommend that you back up all of your data before beginning the testing
process. We also recommend that, when testing is complete, you restore your data
from a backup which you know to be good, to avoid any chance of data corruption.
Note that you do not need to open any additional ports in order to begin your assessment. As long as your website is accessible through the http/https default ports
(80/443), that is sufficient.
Tips for Successful Dynamic Assessments
Many users run premium dynamic assessments on applications that are hosted
within their company’s network(s). These internal applications are usually in
development, QA, or pre-production environments which are not generally exposed on
the internet. However, most companies do not want to run an assessment of their
publicly facing production websites, because of the risks associated with dynamic
scanning. Therefore, to plan effectively for an assessment of an internal application,
we recommend:
• Deliver all information requested by the audit team in advance of the planned
  start date for your assessment.
• Budget the time appropriately. Assume you will need three weeks for the test
  window.
  o The first week is used by the FoD team to ensure that they have all
    necessary access to your application. This includes configuring firewall
    rules to allow tester IPs access to your application, implementing and
    debugging a VPN, and verifying your account credentials.
  o The actual scanning of your application happens in the second week. A
    premium scan usually takes a full business week, assuming no interruptions.
  o The third week is a buffer in case something requires additional attention.
    (This could be because of accessibility issues, credentials lock-out, an
    accidental block of the audit by your security team, hardware problems
    anywhere in the process, or other unexpected issues.)
• Assume that your assessment will identify vulnerabilities that need remediation,
  and that you will then want to retest the application before your site goes live.
  A retest usually requires about two additional weeks.
• Ensure that all your teams know no changes should be made to the test
  environment while security testing is going on. Neither code nor data can be
  altered during the course of the assessment. This code freeze must be in effect
  throughout all of week two (and typically part of week three as well).
• Ensure that you have everything possible prepared well in advance. Set up all
  your test accounts (multiple sets) and inform your development and security
  teams.
• If your application is not internal, most of the same guidelines still apply. You
  may not need three weeks, but be sure to budget at least two.
About Dynamic Testing Product Specifications
For dynamic testing, an application is defined as a fully qualified domain name with
one host name, one user type, and one user access level. A premium assessment
should have two user access levels: one low-privileged user and one high-privileged
user.
Initiating a First-Time Dynamic Assessment
Before you initiate your assessment, please make sure your application is fully accessible by an external entity. We require access and authentication to the application in
order to perform a dynamic assessment. If at any point that access is not present, the
assessment stops until access can be granted or restored. We cannot meet a five-day
estimated turnaround on assessments without full undisturbed access to a stable
application.
Before you begin a dynamic assessment, you must create an application and at least
one release. For each new URL, you need a new application. For information on how
to create applications and releases within FoD, see Creating New Applications.
To begin your assessment of a given release:
1. At the top of your screen, click Applications.
A new screen appears, with a list of all your applications.
2. Find the application you wish to assess, go to the first column on the left, and click
the green bar labeled Start Scan.
A brief new menu appears, with the choice of Static or Dynamic.
3. Click Dynamic.
If this is the first time you are submitting this application for assessment, you will
be directed to the Setup Dynamic Scans form.
About New Site Registration
When you begin a dynamic assessment of a new application, you begin by supplying
detailed information about your application to the FoD testing team through the
online form, which is titled Setup Dynamic Scans.
Notes:
• This online form replaces the former New Site Registration Form. You no
  longer need to fill out that information on paper, as the online form collects the
  same information.
• The Setup Dynamic Scan form must be completed only for new applications,
  and some new releases, being submitted to FoD for the first time. Subsequent
  tests of the same data or URL bypass this step.
• If you are submitting a new release, but that release is associated with an
  application that has already been tested, and you created your new release using
  “Copy Release Data,” you will not have to go through this registration process
  again.
• When you register an application for the first time the information required
  may seem lengthy. However, you do not have to complete the form all at once:
  you may stop and start without losing data.
• A red star beside any field means a response is required.
• If you have any difficulty completing the form, contact your TAM.
Completing the Dynamic Set-Up Form
The information you will need to complete the online form is as follows:
a. Your site’s URL
b. Assessment Type (Basic, Standard, Premium, or Remediation)
c. Geolocation: Select from a menu of countries
d. Environment Type: Production, Development, or QA
e. Environment Facing: Internal or External
f. Exclusions: Any URLs within your website which you do not want to test
Note: By default, FoD does not test URLs that are located outside your
application’s domain. However, it is still safest to list such URLs here if you
are aware of any embedded in your site.
Also note: If you do request that FoD test a URL belonging to another
vendor, it is your responsibility to ensure that you have the owner’s consent before submitting it.
g. Web Services Location (for Premium assessments only): The exact URL
of your WSDL file.
h. Site availability: Specify when your application is available for testing.
Use the local time in the time zone you specified on this page.
By default, all boxes are checked, which means FoD may test your application any time, without restrictions. To alter that, start by unchecking the
box beside a day of the week.
Any time the All Day box beside a day is checked, that means your application is available any time that day. For example, you cannot check
Sunday and then uncheck certain hours on Sunday. To indicate that your
app is available at some times on Sunday, but not all: first, uncheck the All
Day box, and then add checkmarks beside any hours that day when the
app is available.
i. Repeat frequency: If this is a one-time scan, leave the menu on “Do not
repeat.” If you would like to set up automatic re-scans of this application on a periodic basis, use this menu to select the frequency.
j. Time zone: Select the time zone where your application is located.
k. Authentication: Select the option that is true for your site: No authentication, Generate unique authentication, or Authentication required.
If authentication is required, enter user names and passwords for at least
two users.
Note: If you would like to enter more credentials than this space allows, list
them in the Additional Notes box at the bottom of this form.
l. VPN Required: If yes, put a check in the box. Then fill in the VPN User
Name and Password. If you do not wish to require a VPN, leave the box
blank.
m. Multi-factor Authentication: Click yes or no. If yes, provide more information in the box below.
n. External Devices: Check the boxes if you have any of these: IDS, IPS,
WAF, Proxy servers, and/or a Load Balancer.
o. Upload Documents: If you would like to attach any documents relevant
to your application that may be useful to the FoD testers, you can do
that here. Click Choose File to browse to the document you want to
attach. Then click Upload. Note that only files with the following extensions can be attached here: .doc, .docx, .ppt, .txt, .pdf, .pptx.
p. Additional Notes: At the bottom of the final page is a box for you to add
any more information you want the FoD testing team to know about
before they begin your dynamic assessment.
q. Request for call: If you would like to speak to a TAM or other FoD personnel before your assessment begins, check the final box here to
request a conference call.
Submitting the Dynamic Set-Up Form
If you need to pause before all the information is complete, click Save in the upper-right corner of the form.
1. When the form is complete and ready for submission, click Start Scan.
If anything in your form is incomplete or invalid, you will see the word Incomplete
in the upper-right corner, and an explanation of the issue will appear near the
upper left. In the example below, the problem is that we checked Authentication
Required and then did not list any user names or passwords for authentication.
This can be remedied either by selecting No Authentication or by entering user
credentials.
When all information is complete and useable, the status at the top changes to
Valid.
2. If necessary, click Save again, after correcting any errors.
3. When you see the word Valid, you may then click Start Scan.
A pop-up appears, with the heading Start Dynamic Scan. The URL to be tested
appears, followed by a small box with the current date and time.
4. Click inside the date and time box.
A calendar appears.
5. Select the date and time you would like your assessment to begin.
6. Click Done.
7. Click Next.
A new box appears, headed Start Dynamic Scan. This box shows a summary of
the information you have entered on the Setup Dynamic Scans form.
8. If all information here is correct, click Start Scan.
9. If anything is not correct, click Back and change your answers on previous
screens.
Your assessment will begin at one of the times you selected when you filled out the
form. If you schedule recurring assessments, this release will be scanned again at the
intervals you defined until such time as you return to the Setup Dynamic Scans
form and change your request.
Once your Dynamic Scan Set-up Form has been submitted, with a specific date and
time requested, the status for your assessment changes to Scheduled.
This status also shows up in the list on the main Applications page.
Your dynamic assessment will be completed approximately five business days after
the date you scheduled it, if access to the application has been properly documented
and granted.
Note: If you have restrictions about the time of day for your assessment, this could
have a significant effect on the turnaround time. For example, you can expect a potential doubling of the testing window if you restrict the testing times to half the day. If
you have any questions about this, please contact your TAM.
Changing a Dynamic Scan Request
As soon as you click Start Scan to submit your application for a dynamic assessment,
your information is transferred immediately to the FoD testing team.
Important Note: If you then return to the form to change the schedule or any other
details about your request, that information will not be transmitted to the testing
team.
If you need to make a change after you have submitted a request:
1. Click Help Center.
2. Click Submit a Ticket.
3. Enter your request on the form that appears there.
If the testing team has any questions for you after receiving that request, they will
respond directly to the ticket.
Note, also, that you are free to go back to your original Setup Dynamic Scan form at
any time. Any changes you make will be submitted effectively the next time you
request a new scan of the same application and release. They just will not change the
one you have already submitted.
About Subsequent Dynamic Assessments
After the first time you submit a given application and release for dynamic testing,
the process is shorter. The Setup Dynamic Scans form described above, which
provides the FoD testing team with details about your application, usually needs to be
completed only once.
Submitting Applications for Follow-up Dynamic Testing
Subsequent Dynamic Testing Submissions: Method One
After the first time, if you want to submit the same application for follow-up assessments, follow these steps:
1. At the top of your screen, click Applications.
A new screen appears, with a list of all your applications.
2. Find the application you wish to assess, go to the first column on the left, and
click the green bar labeled Start Scan.
A brief new menu appears, with the choice of Static or Dynamic.
3. Click Dynamic.
Subsequent Dynamic Testing Submissions: Method Two
Another easy way to submit an application and release for testing, after at least one
assessment of the same URL has been completed, is through the Application Details
area for that application. To follow this method:
1. At the top of your screen, click Applications.
A new screen appears, with a list of all your applications.
2. Click the name of the application you wish to assess.
A new screen appears, with the name of your application at the top, and a
series of tabs, arranged vertically, on the left-hand side.
3. Click the sixth tab, labeled Dynamic.
The screen headed Setup Dynamic Scans appears, with the data already filled
in for the application you have selected. The information in this form is based
on the answers you submitted the first time you requested an assessment of
this application.
4. Before submitting the application again, you may change information on any of
the form’s three pages, if you wish.
5. If you wish to submit a new scan using the same application and release, and
the same answers in the form, just click Start Scan.
Chapter 4: Mobile Assessments
About HP Fortify on Demand Mobile Assessments
For mobile assessments, Fortify on Demand supports all of the following upload
types: Android, BlackBerry, iOS, and Windows.
The following levels of mobile service are available. (Note that these terms do not
mean the same thing for mobile that they do for FoD Dynamic Scans.)
• Express
• Basic
• Standard
• Premium
Express
An Express mobile assessment is an automated test, focused only on the binary file(s)
you provide to FoD. Express assessments are available for iOS and Android platforms
only.
Express testing focuses primarily on privacy issues; for example, we test whether
your application is sharing geo-location and enabling access to calendars and contacts.
Basic
A Basic mobile assessment is a static scan; that is, it tests your code. You will be
required to upload one zip file, with your source code only.
Standard
A Standard assessment for mobile is a dynamic run-time test focused on OWASP Top
Ten vulnerabilities. For a Standard test, you will be required to upload binary files
only. Our live team of security experts performs all tests covered under Express plus
hands-on manual testing, specific testing at the network level, and a personalized
review of the results.
Premium
Premium mobile assessments include both static and dynamic testing of your mobile
application. This is our top level of service and includes all of the above (that is, all
tests covered under Express, Basic, and Standard assessments) plus hands-on attention
from our expert team. Our live team of security experts performs an analysis of your
client, network, and back-end server testing, and gives you a personalized review of
the results.
Note that it is not necessary to submit source code for a premium mobile assessment.
If you submit both source code and binary files, FoD will do both static and dynamic
testing. However, if for any reason you wish to submit binary files only, we will perform a Premium dynamic mobile scan.
As with other types of assessments, the first step is to prepare your code for submission. See About Mobile Uploads for instructions on that process.
About Mobile Uploads
FoD recommends that you create a separate application for each mobile platform you
are using. Also note that both binary and source code files are required for most
mobile uploads. (If yours is a Premium mobile scan, you will be asked whether you
want to include source files.) The files you send to FoD must include everything
needed to build the project, and also information on what software you are using for
the build environment; for example, which IDE you are using.
About Recommended Browsers for Mobile Uploads
For best results when submitting code for a mobile assessment, we recommend that
you use one of the following web browsers:
• Firefox 26, 27, and higher
• Chrome 32 and higher
• Safari 5.1.7 for Windows and 7.0.1 for Mac
• Internet Explorer 9, 10, or 11
Beginning a Mobile Assessment
The process to begin a mobile assessment is:
1. Prepare your files as described in the following sections.
2. Notify your TAM of your desire for a mobile application assessment.
3. Follow the instructions under Initiating a Mobile Assessment.
Preparing Android Project Files
For Android applications, package your files for upload as follows.
• For an Express Mobile Assessment, send your application's binary (.apk).
• For a Basic Mobile Assessment, package your application's source code, including
  all third-party libraries, in a single zip file.
• For a Standard Mobile Assessment, send your application’s binary (.ipa).
• For a Premium Assessment, prepare two separate files:
  o Your application’s .APK file.
  o A zip file containing your application's source code (Java) and all third-party
    libraries related to your application.
Preparing iOS Application Files
For iOS applications, package your analysis and source code files as follows.
• For an Express Mobile Assessment, send your application's binary (.ipa).
• For a Basic Mobile Assessment, package your application source code
  (Objective-C), including all third-party libraries, in a single zip file.
• For a Standard Mobile Assessment, send your application’s binary (.ipa).
• For a Premium Mobile Assessment, prepare two separate files:
  o Your application's binary .ipa file.
  o A zip file containing your application's source code and all third-party
    libraries related to your application.
Preparing BlackBerry Project Files
For BlackBerry applications, package your binary and source code files for upload as
follows:
• For an Express Mobile Assessment, package your application's binary code into
  one file.
• For a Basic Mobile Assessment, package your application's source code, including
  all third-party libraries, in a single zip file.
• For a Standard Mobile Assessment, send your application’s binary files.
• For a Premium Assessment, prepare two separate files:
  o Package your application’s binary in one.
  o Package your application's source code into a separate zip file, and include
    all third-party libraries related to your application in this same zip file.
Preparing Windows Project Files
For Windows applications, contact your TAM and ask for specific instructions on how
to prepare your files.
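A pre-upload check that encodes the packaging rules from the Android, iOS and BlackBerry sections above, added here as an example; it is not part of the FoD guide or the FoD product. It assumes Android binaries are .apk at every assessment level and that an Objective-C source tree contains .m/.h files; the sample files it checks are constructed in a temporary directory.

```python
import os
import tempfile
import zipfile

# Binary extension expected per framework (assumption: .apk for Android at every
# level); BlackBerry has no single extension in the guide, Windows rules come from your TAM.
BINARY_EXT = {"android": ".apk", "ios": ".ipa", "blackberry": None}
# Source types expected inside the zip: Java for Android, Objective-C (.m/.h, assumed) for iOS.
SOURCE_EXT = {"android": (".java",), "ios": (".m", ".h"), "blackberry": ()}

def check_mobile_package(framework, assessment, binary=None, source_zip=None):
    """Return a list of problems; an empty list means the files fit the rules."""
    framework, assessment = framework.lower(), assessment.lower()
    if framework == "windows":
        return ["Windows: ask your TAM for packaging instructions"]
    need_binary = assessment in ("express", "standard", "premium")
    need_source = assessment in ("basic", "premium")
    problems = []
    if need_binary:
        ext = BINARY_EXT[framework]
        if not binary or not os.path.isfile(binary):
            problems.append("binary file missing")
        elif ext and not binary.lower().endswith(ext):
            problems.append(f"binary must be {ext} for {framework}")
    if need_source:
        if not source_zip or not zipfile.is_zipfile(source_zip):
            problems.append("source zip missing or not a zip archive")
        else:
            with zipfile.ZipFile(source_zip) as z:
                names = z.namelist()
            exts = SOURCE_EXT[framework]
            if exts and not any(n.lower().endswith(exts) for n in names):
                problems.append("source zip has no %s files" % "/".join(exts))
    return problems

def demo():
    """Build constructed sample files in a temp dir and run a few cases."""
    tmp = tempfile.mkdtemp()
    apk = os.path.join(tmp, "app.apk")
    with open(apk, "wb") as f:
        f.write(b"constructed placeholder, not a real apk")
    src = os.path.join(tmp, "src.zip")
    with zipfile.ZipFile(src, "w") as z:
        z.writestr("app/src/Main.java", "class Main {}")  # Java source
        z.writestr("libs/thirdparty.jar", "")             # bundled library
    return {
        "premium_ok": check_mobile_package("Android", "Premium", apk, src),
        "premium_no_src": check_mobile_package("Android", "Premium", apk),
        "ios_wrong_binary": check_mobile_package("iOS", "Express", apk),
    }
```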
Creating a New Mobile Application for Assessment
If you want to do a security assessment of a mobile application you have never tested
in Fortify on Demand before:
1. Click Applications.
A new screen appears, with the heading Applications.
2. On the right-hand side of the Applications screen, click + New Application.
A box appears, with the heading Create Application Wizard – Step 1 of 3.
3. In the box labeled Name, type a name for your new application.
4. If you like, you may add a description of the application in the box below the
name. (This is optional.)
5. Beside the question: Is this a mobile application? click the box.
6. Click Next.
The next screen (Step 2 of 3) in the wizard is the place to enter information about
your release. The “release” is the particular version of your application that you
want to test now. Note that every application must have at least one release.
7. Give that release a unique name.
8. To see the list of users registered in your tenant, click the arrow beside the
second box.
9. Select one of those users to be the “owner” of this release.
10. In the box labeled Email Notifications, fill in the email address of anyone who
should be notified of issues related to this assessment.
11. Again, the Description field is optional. Provide more detail about your release
here only if you wish.
12. Click Next.
Step 3 of the wizard appears: the Additional attributes screen. Here, a series of
menus enables you to select appropriate attributes for your release.
All attributes are optional. If you do not want to use them, leave the menu selections at the default setting: (Choose one).
Note that all application attributes are customizable. If you would like to change or
add attribute types, add additional choices to any of the attribute categories, or
hide attributes you are not using, see Managing Attributes (Lookups).
13. When you are finished defining attributes, go to the bottom of the page and click
Save.
The dialog box closes and you are returned to the main Applications page, where
you now see your new application, and its associated release(s), in the list.
Initiating a Mobile Assessment
To begin your assessment of a given release:
1. Click Applications.
A new screen appears, with a list of all your applications.
2. Find the mobile application you wish to assess, go to the first column on the left,
and click the green bar labeled Start Scan.
A brief new menu appears, with the word Mobile.
3. Click Mobile.
A new page appears, with the heading Setup Mobile Scan.
About New Site Registration
When you begin a mobile assessment of a new application, you must first supply
detailed information about your application to the FoD testing team through the
online form, which is titled Setup Mobile Scan.
• The Setup Mobile Scan form must be completed only for new applications, and some new releases, being submitted to FoD for the first time. Subsequent tests of the same data bypass this step.
• When you register an application for the first time the information required may seem lengthy. However, you do not have to complete the form all at once: you may stop and start without losing data. To do that, you just click Save before exiting the form.
• An orange outline around any field, or a red star beside a set of radio buttons, means a response is required.
• If you have any difficulty completing the form, contact your TAM.
Completing the Mobile Set-Up Form
Note that your Mobile Set-up Form will vary depending on which type of assessment
you choose to start. If yours is an Express or Basic assessment, the form will be brief
and your options are limited. If you are doing a Standard or Premium assessment,
you have additional options, including the ability to upload relevant documents for
use by the FoD testing team, and the ability to schedule your assessment for a future
date and time.
To begin your assessment:
1. Fill out the Setup Mobile Scan form.
The information you will need to complete this online form is as follows:
a. Assessment Type (Express, Basic, Standard, Premium)
b. Framework Type (iOS, Android, Windows, BlackBerry)
c. Application Platform (Phone, Tablet, Both)
Then, depending on which Assessment Type you selected, additional information may
be requested. The following information pertains to Standard and Premium Mobile
assessments (but not Basic or Express).
d. User Accounts (We need at least one user name, password, and role, unless
you choose not to require this.)
Note: This form provides space to enter two sets of credentials. If you would like to
enter more, list them in the Add Build Information Or Notes box, below the
User Account area.
e. Any other notes you want to add in the box headed Add Build Information
Or Notes are also welcome; this section is optional.
f. Environment (Development, Quality Assurance, User Acceptance Testing, Production)
g. VPN Required: Check this box if the answer is yes. If yes, add credentials in
the boxes that appear below.
h. Multi-factor Authentication: Check this box if the answer is yes. If yes, provide
more information in the box that appears below.
i. External Devices: Check any that apply. (Intrusion Detection System, Intrusion
Prevention System, Web Application Firewall, Proxy Servers, Load Balancer)
j. Upload Documents: If you would like to attach any documents relevant to your
application that may be useful to the FoD testers, you can do that here. Click
Choose File to browse to the document you want to attach. Then click Upload.
Note that only documents of up to 30 MB can be attached here, and only files
with the following extensions: .doc, .docx, .ppt, .txt, .pdf, .pptx.
k. Additional Notes: At the bottom of the final page is a box for you to add any
more information you want the FoD testing team to know about before they
begin your dynamic assessment.
l. Pre-Assessment Call: Check this box if you would like to schedule a telephone
call with FoD personnel before submitting your application for assessment.
When you have completed the form, go to the upper-right corner of your screen,
and click Save. If the form is complete, the Setup Status will change from Incomplete to Valid.
2. If, instead of submitting the form now, you would like to save your information
and come back to it later, click Save at the top of the screen.
The data you have entered into the Setup Mobile Scan form will be saved and
ready for use at a later time.
3. When you are ready to begin your assessment, click Start Scan.
Starting Your Scan
After you click Start Scan, a new series of questions begin, so that you may set your
preferences for timing and other details.
First a pop-up appears titled Start Mobile Scan – Step 1 of 2 (or Step 1 of 3). The
center of this box says Scan Date.
1. Put your cursor in the small box in the center, click once, and a calendar appears,
as illustrated below.
2. Using that calendar, select the date and time most optimal for your assessment.
3. Click Done.
4. If yours is a remediation scan, click the box beside: Is this a remediation scan?
If it is not, leave that checkbox blank.
5. Click Next.
6. Then follow the instructions below under A., B., or C., depending on whether you
want a Basic, Express, Standard, or Premium scan.
A. If yours is a Basic scan:
A new pop-up box appears, with the heading Start Mobile Scan – Step 2 of 2.
1. Browse to the .zip file you want to upload.
2. When the file is uploaded, click Start Scan.
A Summary box appears, informing you that your scan has started.
B. If yours is an Express or a Standard scan, follow the steps above, but upload a
file with the extension .ipa or .apk.
C. If yours is a Premium scan:
The pop-up box says Start Mobile Scan – Step 2 of 3. That is because there are
two sets of files to be uploaded.
1. Browse to the file you want to upload, which must have an extension of .ipa or
.apk.
2. Click Next.
You see progress bar(s) indicating that your upload is in process.
When the .ipa or .apk is fully uploaded, a new pop-up appears with the heading
Start Mobile Scan – Step 3 of 3.
3. Browse to your .zip file and upload that.
4. Click Start Scan.
Progress bar(s) indicate that your upload is in process.
If you choose not to upload source code for your Premium Mobile scan, you see
this message:
5. Make your selection, and continue.
When the upload process is complete, a Summary screen appears, informing you
that your scan has started.
Unless you are otherwise notified, your assessment will begin at the time you selected when you filled out the form. If you schedule recurring assessments, this
release will be scanned again at the intervals you defined until such time as you
return to the Setup Mobile Scan form and change your request.
Your mobile assessment will be completed approximately five business days after
the date you scheduled it, if access to the application has been properly documented and granted.
Note: If you have restrictions about the time of day for your assessment, this could
have a significant effect on the turnaround time. For example, you can expect a
potential doubling of the testing window if you restrict the testing times to half the
day. If you have any questions about this, please contact your TAM.
You will receive email notifications when your application has been received and
when the assessment is complete. At those points, the status on the Applications
page will change from Not Started to In Progress and then to Completed.
Chapter 5: Completing an Assessment
About Completing the Assessment Process
When your assessment is complete, there are several steps you can follow to access
and use the information learned from the test. This chapter includes information on
how to check on the status of your assessment and what to do when your assessment
is complete.
Checking the Status of your Assessment
To check the status of an assessment:
1. Click Applications.
2. Find your application in the list that appears on your screen.
Three columns on this page are headed Static, Dynamic, and Mobile.
Each of those columns shows one of the following statuses: Not Started, In Progress, Canceled, Waiting, or Completed.
The columns headed Static Exp Comp and Dynamic Exp Comp tell you the
expected completion date for your assessment(s).
The column labeled Last Completed tells you when the most recent assessment of
a particular release was finished.
Note that the dates here are listed with the year first, then the month, and then the
day.
Note: If you do not see one or more of the columns described above, you can cause
them to show up (or otherwise change the display of this Applications grid). For
instructions on how to do that, see Selecting Rows and Columns for Display.
Communicating with the FoD Security Team
If the status of one of your assessments is Waiting, that means a member of the FoD
security team has a question for you, or needs more information before she can continue.
If you see a status of Waiting:
1. Click Applications.
A new screen appears, with a list of all your applications.
2. Click the name of the application you wish to work on.
This takes you to the Application Overview screen.
Near the top of the page, in the box for either static or dynamic assessment summaries, you may see a purple button labeled Waiting.
If so, that means the FoD testing team needs a response of some kind from you
before they can proceed. To respond:
3. Click Help Center.
4. Click View Tickets.
A new screen appears, with a list of tickets submitted. Each ticket has a status, listed in the left-hand column. Possible statuses are New, Open, Pending, and
Solved.
5. Click Show Pending.
The list now shows only tickets that require action from your organization.
Note, also, that your total number of Pending tickets appears as a red numeral
above the Help Center link at the top of the page.
6. Click Reply and type your response to the question.
As soon as you send a response, your assessment’s status reverts to In Progress.
About When Your Assessment is Complete
At the completion of the assessment, FoD checks the results for accuracy and then
releases them to your account. At that point:
• You receive a confirmation email saying that your assessment is complete.
• You can log on to FoD to view your results.
• You can check the status, as described above, to see the completion date.