Micro Focus Fortify Software Security Center User Guide
Total Page:16
File Type:pdf, Size:1020Kb
Micro Focus Fortify Software Security Center Software Version: 20.2.0 User Guide Document Release Date: Revision 2 - January 5, 2021 Software Release Date: November 2020 User Guide Legal Notices Micro Focus The Lawn 22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK https://www.microfocus.com Warranty The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Restricted Rights Legend Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2008 - 2021 Micro Focus or one of its affiliates Trademark Notices All trademarks, service marks, product names, and logos included in this document are the property of their respective owners. Documentation Updates The title page of this document contains the following identifying information: l Software Version number l Document Release Date, which changes each time the document is updated l Software Release Date, which indicates the release date of this version of the software This document was produced on January 05, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support/documentation Micro Focus Fortify Software Security Center (20.2.0) Page 2 of 386 User Guide Contents Preface 15 Contacting Micro Focus Fortify Customer Support 15 For More Information 15 About the Documentation Set 15 Change Log 16 Chapter 1: Introduction 25 Intended Audience 25 Document Structure 25 Related Documents 25 All Products 26 Micro Focus Fortify ScanCentral DAST 26 Micro Focus Fortify ScanCentral SAST 27 Micro Focus Fortify Software Security Center 27 Micro Focus Fortify Static Code Analyzer 28 Micro Focus Fortify WebInspect 29 Micro Focus Fortify WebInspect Enterprise 31 What's New in Micro Focus Fortify Software Security Center 20.2.0 32 Webhooks 32 OPEN SOURCE Page 32 Susceptibility Analysis 33 ScanCentral DAST Module Available in Fortify Software Security Center 33 MySQL Server: No Need to Download JDBC Driver 34 Updating Customized Issue Templates 34 New ToolsConnectToken for Connecting Fortify Static Code Analyzer Applications to Fortify Software Security Center 34 Controller Page Shows the ScanCentral Controller Version 35 Reports Removed from Fortify Software Security Center 35 New Report Template 35 Creating a User Role that Allows the Addition of New Versions, but Prevents the Creation of New Applications 35 Micro Focus Fortify Software Security Center (20.2.0) Page 3 of 386 User Guide Part I: Deploying Fortify Software Security Center 37 Chapter 2: Providing for Secure Deployment 38 Securing Access to Facilities 38 Securing Tomcat Server 38 Setting Tomcat Server Attributes to Protect Sensitive Data in Cookies 38 About Using HTTPS and SSL Communications 39 Configuring Fortify Static Code Analyzer Tools to Communicate with Fortify Software Security Center Using HTTPS 39 About Securing Passwords and User Roles 40 Managing Computer Services and Accounts 40 Chapter 3: Preparing for Fortify Software Security Center Deployment 41 High-Level Deployment Tasks 41 Deployment Overview 42 Deploying Fortify Software Security Center to a Kubernetes Cluster 43 The Fortify Software Security Center Installation Environment 43 Downloading Fortify Software Security Center Files 45 Unpacking and Deploying Fortify Software Security Center Software 45 About the fortify.home Directory 48 Directory Structure 48 About the Fortify Software Security Center Database 49 About JDBC Drivers 50 JDBC Drivers for SQL Server and MySQL Server 50 (Oracle Only) Adding the JDBC Driver to Fortify Software Security Center 50 About Fortify Software Security Center Database Character Set Support 51 Installing and Configuring the Database Server Software 51 Database User Account Privileges 51 Database-Specific Configuration Requirements 52 Using a Microsoft SQL Server Database 52 Windows Domain Authentication 53 Configuring a MySQL Database 53 Configuring an Oracle Database 55 Preventing the “No more data to read from socket” Error 55 Partitioning an Oracle Database for Improved Performance 56 Preparing to Partition an Oracle Database 56 Partitioning the Database 56 Increasing the Number of Job Execution Threads 57 About the Fortify Software Security Center Database Tables and the Schema 57 Micro Focus Fortify Software Security Center (20.2.0) Page 4 of 386 User Guide About Seeding the Fortify Software Security Center Database 57 Permanently Deleting a Fortify Software Security Center Database 58 LDAP User Authentication 59 About Fortify Software Security Center User Authentication 59 Preparing to Configure LDAP Authentication 60 About the LDAP Server Referrals Feature 60 Disabling LDAP Referrals Support 61 Chapter 4: Configuring Fortify Software Security Center for the First Time 62 Chapter 5: Logging in to Fortify Software Security Center 67 About Session Logout 68 Inactive Session Timeout 69 Logout Screen 69 Chapter 6: Additional Fortify Software Security Center Configuration 71 Accessing the Configuration Settings in the ADMINISTRATION View 71 Configuring Issue Stats Thresholds 72 How Average Days to Review and Average Days to Remediate are Calculated 72 Setting the Issue Stats Thresholds 72 Configuration Options Available in the ADMINISTRATION View 73 Configuring Application Security Training 76 About Audit Assistant 76 Getting a Fortify Scan Analytics Authentication Token 77 Configuring Audit Assistant 78 About Audit Assistant Auto-Prediction 80 Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom Tag Values 80 Configuring Security for BIRT Reporting 83 Enabling Java Security Manager 83 (Linux with OpenJDK only) Installing Required Fonts 83 Creating a Database Account for Reporting 83 Allocating Memory for Report Generation 84 Setting Report Generation Timeout 85 Configuring Core Settings 85 About Configuring a Proxy for Rulepack Updates 88 Configuring Email Alert Notification Settings 88 Setting the Strategy for Resolving Issue Audit Conflicts 91 Configuring Java Message Service Settings 92 Configuring LDAP Servers 93 Micro Focus Fortify Software Security Center (20.2.0) Page 5 of 386 User Guide Editing an LDAP Server Configuration 102 Importing an LDAP Server Configuration 102 Registering LDAP Entities 103 Refreshing LDAP Entities Manually 105 Deleting an LDAP Server Configuration 106 Configuring a Proxy for Fortify Software Security Center Integrations 106 Configuring ScanCentral SAST Monitoring in Fortify Software Security Center 108 Enabling the Running and Management of ScanCentral DAST Scans from Fortify Software Security Center 109 Configuring Job Scheduler Settings 109 Setting Job Execution Priority 113 Canceling Scheduled Jobs 114 Configuring Browser Access Security for Fortify Software Security Center 114 Configuring Fortify Software Security Center to Work with Single Sign-On 115 Restrictions on Configuration 116 Configuring Fortify Software Security Center to Work with a Central Authorization Server 117 Setting up Kerberos Authentication with Fortify Software Security Center 117 Troubleshooting 119 Configuring Fortify Software Security Center to Work with SAML 2.0- Compliant Single Sign-On Solutions 119 Troubleshooting SAML SSO Integration 122 Configuring Fortify Software Security Center to Work with Single Sign-On and Single Logout Solutions that use HTTP Headers 123 Configuring Fortify Software Security Center to Use X.509 Certification- based SSO 124 Enabling Username and Password Login if Fortify Software Security Center is Configured to Use the X.509 or Kerberos SSO Solution 125 Enabling Debug Logging for Single Sign-On Authentication 125 Configuring Web Services to Require Token Authentication 125 Changing Log Levels for Fortify Software Security Center 126 Configuring Federal Information Processing Standards (for integrating Fortify Software Security Center with Fortify WebInspect Enterprise only) 127 Customizing the Fortify Banner for Your Organization 127 Chapter 7: Additional Installation-Related Tasks 129 Blocking Data Export to CSV Files 129 About Bug Tracker Integration 129 Managing Bug Tracker Plugins 130 Micro Focus Fortify Software Security Center (20.2.0) Page 6 of 386 User Guide Adding Bug Tracker Plugins 130 Removing Bug Tracker Plugins 131 Securing Logon Credentials for Bug Tracking Systems 131 Bug Tracker Parameters 131 ALM Parameters 132 Configuring an Eclipse Plugin Update Site 132 Adding and Managing Parser Plugins 133 Preparing Fortify Software Security Center to Display Sonatype Results 134 About Fortify Software Security Center User Administration 136 Administrator Accounts 136 Fortify Software Security Center User Accounts 136 About Creating User Accounts 137 Preventing Destructive Library and Template Uploads to Fortify Software Security Center 138 Viewing Permission Information for Fortify Software Security Center Roles 138 About Managing LDAP User