SlideShare une entreprise Scribd logo

Fortify - Source Code Analyzer

Télécharger en tant que PPTX, PDF
n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore January meet

Technologie
1  sur  12
18/01/2014 FORTIFY Rupam Bhattacharya 1
Agenda • • • • • • Overview of Fortify Using Fortify Type of Analyzers Analysis Phases Analysis Commands Demo
Fortify Source Code Analyser • Fortify Source Code Analyzer (SCA) is a set of software security analyzers that search for violations of security‐specific coding rules and guidelines in a variety of languages. • The rich data provided by Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. • The analysis information produced by SCA helps you deliver more secure software, as well as making security code reviews more efficient, consistent, and complete. 3
Using Fortify • At the highest level, using Fortify SCA involves: • Choosing to run SCA as a stand‐alone process or integrating Fortify SCA as part of the build tool • Translating the source code into an intermediate translated format, preparing the code base for scanning by the different analyzers • Scanning the translated code, producing security vulnerability reports • Auditing the results of the scan, either by transferring the resulting FPR file to Audit Workbench or Fortify 360 Server for analysis, or directly with the results displayed onscreen
Analyzers • Data Flow: The data flow analyzer detects potential vulnerabilities that involve tainted data (user‐controlled input) put to potentially dangerous use. Eg. Buffer overflow, SQL Injections. • Control Flow: The control flow analyzer detects potentially dangerous sequences of operations. Eg. time of check/time of use issues and uninitialized variables. • Semantic: The semantic analyzer detects potentially dangerous uses of functions and APIs at the intra‐procedural level. Eg. Deprecated functions, unsafe functions. • Structural: The structural analyzer detects potentially dangerous flaws in the structure or definition of the program. For Eg. Dead Code. • Configuration: The configuration analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files.
Analysis Phases • Fortify SCA performs source code analysis • Build Integration: The first phase of source code analysis involves making a decision whether to integrate SCA into the build compiler system. • Translation: Source code gathered using a series of commands is translated into an intermediate format which is associated with a build ID. The build ID is usually the name of the project being scanned. • Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension. • Verification of the translation and analysis: Ensure that the source files were scanned using the correct rulepacks and that no significant errors were reported.
Analysis Commands • The following is an example of the sequence of commands you use to analyze code: • Clean and build  sourceanalyzer -b <build_id> -clean • Translation  sourceanalyzer -b <build_id> ... •Scan  sourceanalyzer -b <build_id> -scan -f results.fpr
Translation Options • Output Options: • • • • • • • -append : Appends results to the file specified with -f. If this option is not specified, Fortify SCA adds the new findings to the FPR file, and labels the older result as previous findings. -build-label <label> : The label of the project being scanned. -build-project <project> : The name of the project being scanned. -build-version <version> : The version of the project being scanned. -f <file> : The file to which results are written. -format <format> : Controls the output format. Valid options are fpr, fvdl, text, and auto. -html-report : Creates an HTML summary of the results produced.
Translation Options • Analysis Options: • • • • • • • • -disable-default-ruletype <type> : Disables all rules of the specified type in the default rulepacks. -encoding : Specifies the encoding for encoded source files. -filter <file_name> : Specifies a results filter file. -findbugs : Enables FindBugs analysis for Java code. -quick : Scans the project in Quick Scan Mode. -rules [<file>|<directory>] : Specifies a custom rulepack or directory. -disable-source-rendering : Source files are not included in the FPR file. -scan : Causes Fortify SCA to perform analysis for the specified build ID.
Translation Options • Build Integration Options • • • • -b <build_id> : Specifies the build ID. -bin <binary> : Used with -scan to specify a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. -exclude <file_pattern> : Removes files from the list of files to translate. For example: sourceanalyzer –cp "**/*.jar"  "**/*" -exclude "**/Test.java“ -nc : When specified before a compiler command line.
Translation Options • Runtime Options • • • • • • -auth-silent : Available on Fortify SCA Per Use edition only.  Suppresses the prompt that displays the number of lines the scan requires to analyze the source code. -64 : Runs Fortify SCA under the 64‐bit JRE. -logfile <file_name> : Specifies the log file that is produced by Fortify SCA. -quiet : Disables the command line progress bar. -verbose : Sends verbose status messages to the console. -Xmx <size> : Specifies the maximum amount of memory used by Fortify SCA.
Demo

Recommandé

Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
Nagaraju Repala
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Lfi
LfiLfi
Lfi
penetration Tester
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code Scanners
Pawel Krawczyk
 
Suricata
SuricataSuricata
Suricata
tex_morgan
 

Recommandé

Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
Nagaraju Repala
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Lfi
LfiLfi
Lfi
penetration Tester
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code Scanners
Pawel Krawczyk
 
Suricata
SuricataSuricata
Suricata
tex_morgan
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
Ivan Novikov
 
File inclusion
File inclusionFile inclusion
File inclusion
AaftabKhan14
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
Lionel Faleiro
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
Angel Borroy López
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
Jenkins with SonarQube
Jenkins with SonarQubeJenkins with SonarQube
Jenkins with SonarQube
Somkiat Puisungnoen
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
Mostafa El Lathy
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scanner
Ajit Dadresa
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
Hossein Yavari
 
Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with Sonar
Max Kleiner
 
Sonarqube
SonarqubeSonarqube
Sonarqube
Kalkey
 

Contenu connexe

Tendances

API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 

Tendances (20)

Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
File inclusion
File inclusionFile inclusion
File inclusion
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
 
Jenkins with SonarQube
Jenkins with SonarQubeJenkins with SonarQube
Jenkins with SonarQube
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scanner
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 

Similaire à Fortify - Source Code Analyzer

Sonarqube
SonarqubeSonarqube
Sonarqube
Kalkey
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
Deepakgupta273447
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Configuration management
Configuration managementConfiguration management
Configuration management
ashamarsha
 

Similaire à Fortify - Source Code Analyzer (20)

Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with Sonar
 
Sonarqube
SonarqubeSonarqube
Sonarqube
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
 
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Managing OSS license obligations
Managing OSS license obligationsManaging OSS license obligations
Managing OSS license obligations
 
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Sonar qube
Sonar qubeSonar qube
Sonar qube
 
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
Introduction to DO-178B - Software Considerations in Airborne Systems and Equ...
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software Compliance
 
BRKSEC-3144.pdf
BRKSEC-3144.pdfBRKSEC-3144.pdf
BRKSEC-3144.pdf
 
OWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply ChainOWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply Chain
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 
Configuration management
Configuration managementConfiguration management
Configuration management
 

Plus de n|u - The Open Security Community

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
 

Dernier

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Fortify - Source Code Analyzer

  • 2. Agenda • • • • • • Overview of Fortify Using Fortify Type of Analyzers Analysis Phases Analysis Commands Demo
  • 3. Fortify Source Code Analyser • Fortify Source Code Analyzer (SCA) is a set of software security analyzers that search for violations of security‐specific coding rules and guidelines in a variety of languages. • The rich data provided by Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. • The analysis information produced by SCA helps you deliver more secure software, as well as making security code reviews more efficient, consistent, and complete. 3
  • 4. Using Fortify • At the highest level, using Fortify SCA involves: • Choosing to run SCA as a stand‐alone process or integrating Fortify SCA as part of the build tool • Translating the source code into an intermediate translated format, preparing the code base for scanning by the different analyzers • Scanning the translated code, producing security vulnerability reports • Auditing the results of the scan, either by transferring the resulting FPR file to Audit Workbench or Fortify 360 Server for analysis, or directly with the results displayed onscreen
  • 5. Analyzers • Data Flow: The data flow analyzer detects potential vulnerabilities that involve tainted data (user‐controlled input) put to potentially dangerous use. Eg. Buffer overflow, SQL Injections. • Control Flow: The control flow analyzer detects potentially dangerous sequences of operations. Eg. time of check/time of use issues and uninitialized variables. • Semantic: The semantic analyzer detects potentially dangerous uses of functions and APIs at the intra‐procedural level. Eg. Deprecated functions, unsafe functions. • Structural: The structural analyzer detects potentially dangerous flaws in the structure or definition of the program. For Eg. Dead Code. • Configuration: The configuration analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files.
  • 6. Analysis Phases • Fortify SCA performs source code analysis • Build Integration: The first phase of source code analysis involves making a decision whether to integrate SCA into the build compiler system. • Translation: Source code gathered using a series of commands is translated into an intermediate format which is associated with a build ID. The build ID is usually the name of the project being scanned. • Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension. • Verification of the translation and analysis: Ensure that the source files were scanned using the correct rulepacks and that no significant errors were reported.
  • 7. Analysis Commands • The following is an example of the sequence of commands you use to analyze code: • Clean and build  sourceanalyzer -b <build_id> -clean • Translation  sourceanalyzer -b <build_id> ... •Scan  sourceanalyzer -b <build_id> -scan -f results.fpr
  • 8. Translation Options • Output Options: • • • • • • • -append : Appends results to the file specified with -f. If this option is not specified, Fortify SCA adds the new findings to the FPR file, and labels the older result as previous findings. -build-label <label> : The label of the project being scanned. -build-project <project> : The name of the project being scanned. -build-version <version> : The version of the project being scanned. -f <file> : The file to which results are written. -format <format> : Controls the output format. Valid options are fpr, fvdl, text, and auto. -html-report : Creates an HTML summary of the results produced.
  • 9. Translation Options • Analysis Options: • • • • • • • • -disable-default-ruletype <type> : Disables all rules of the specified type in the default rulepacks. -encoding : Specifies the encoding for encoded source files. -filter <file_name> : Specifies a results filter file. -findbugs : Enables FindBugs analysis for Java code. -quick : Scans the project in Quick Scan Mode. -rules [<file>|<directory>] : Specifies a custom rulepack or directory. -disable-source-rendering : Source files are not included in the FPR file. -scan : Causes Fortify SCA to perform analysis for the specified build ID.
  • 10. Translation Options • Build Integration Options • • • • -b <build_id> : Specifies the build ID. -bin <binary> : Used with -scan to specify a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. -exclude <file_pattern> : Removes files from the list of files to translate. For example: sourceanalyzer –cp "**/*.jar"  "**/*" -exclude "**/Test.java“ -nc : When specified before a compiler command line.
  • 11. Translation Options • Runtime Options • • • • • • -auth-silent : Available on Fortify SCA Per Use edition only.  Suppresses the prompt that displays the number of lines the scan requires to analyze the source code. -64 : Runs Fortify SCA under the 64‐bit JRE. -logfile <file_name> : Specifies the log file that is produced by Fortify SCA. -quiet : Disables the command line progress bar. -verbose : Sends verbose status messages to the console. -Xmx <size> : Specifies the maximum amount of memory used by Fortify SCA.
  • 12. Demo