Micro Focus Fortify Software Security Center User Guide

Total Page:16

File Type:pdf, Size:1020Kb

Micro Focus Fortify Software Security Center User Guide Micro Focus Fortify Software Security Center Software Version: 20.2.0 User Guide Document Release Date: Revision 2 - January 5, 2021 Software Release Date: November 2020 User Guide Legal Notices Micro Focus The Lawn 22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK https://www.microfocus.com Warranty The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Restricted Rights Legend Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2008 - 2021 Micro Focus or one of its affiliates Trademark Notices All trademarks, service marks, product names, and logos included in this document are the property of their respective owners. Documentation Updates The title page of this document contains the following identifying information: l Software Version number l Document Release Date, which changes each time the document is updated l Software Release Date, which indicates the release date of this version of the software This document was produced on January 05, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support/documentation Micro Focus Fortify Software Security Center (20.2.0) Page 2 of 386 User Guide Contents Preface 15 Contacting Micro Focus Fortify Customer Support 15 For More Information 15 About the Documentation Set 15 Change Log 16 Chapter 1: Introduction 25 Intended Audience 25 Document Structure 25 Related Documents 25 All Products 26 Micro Focus Fortify ScanCentral DAST 26 Micro Focus Fortify ScanCentral SAST 27 Micro Focus Fortify Software Security Center 27 Micro Focus Fortify Static Code Analyzer 28 Micro Focus Fortify WebInspect 29 Micro Focus Fortify WebInspect Enterprise 31 What's New in Micro Focus Fortify Software Security Center 20.2.0 32 Webhooks 32 OPEN SOURCE Page 32 Susceptibility Analysis 33 ScanCentral DAST Module Available in Fortify Software Security Center 33 MySQL Server: No Need to Download JDBC Driver 34 Updating Customized Issue Templates 34 New ToolsConnectToken for Connecting Fortify Static Code Analyzer Applications to Fortify Software Security Center 34 Controller Page Shows the ScanCentral Controller Version 35 Reports Removed from Fortify Software Security Center 35 New Report Template 35 Creating a User Role that Allows the Addition of New Versions, but Prevents the Creation of New Applications 35 Micro Focus Fortify Software Security Center (20.2.0) Page 3 of 386 User Guide Part I: Deploying Fortify Software Security Center 37 Chapter 2: Providing for Secure Deployment 38 Securing Access to Facilities 38 Securing Tomcat Server 38 Setting Tomcat Server Attributes to Protect Sensitive Data in Cookies 38 About Using HTTPS and SSL Communications 39 Configuring Fortify Static Code Analyzer Tools to Communicate with Fortify Software Security Center Using HTTPS 39 About Securing Passwords and User Roles 40 Managing Computer Services and Accounts 40 Chapter 3: Preparing for Fortify Software Security Center Deployment 41 High-Level Deployment Tasks 41 Deployment Overview 42 Deploying Fortify Software Security Center to a Kubernetes Cluster 43 The Fortify Software Security Center Installation Environment 43 Downloading Fortify Software Security Center Files 45 Unpacking and Deploying Fortify Software Security Center Software 45 About the fortify.home Directory 48 Directory Structure 48 About the Fortify Software Security Center Database 49 About JDBC Drivers 50 JDBC Drivers for SQL Server and MySQL Server 50 (Oracle Only) Adding the JDBC Driver to Fortify Software Security Center 50 About Fortify Software Security Center Database Character Set Support 51 Installing and Configuring the Database Server Software 51 Database User Account Privileges 51 Database-Specific Configuration Requirements 52 Using a Microsoft SQL Server Database 52 Windows Domain Authentication 53 Configuring a MySQL Database 53 Configuring an Oracle Database 55 Preventing the “No more data to read from socket” Error 55 Partitioning an Oracle Database for Improved Performance 56 Preparing to Partition an Oracle Database 56 Partitioning the Database 56 Increasing the Number of Job Execution Threads 57 About the Fortify Software Security Center Database Tables and the Schema 57 Micro Focus Fortify Software Security Center (20.2.0) Page 4 of 386 User Guide About Seeding the Fortify Software Security Center Database 57 Permanently Deleting a Fortify Software Security Center Database 58 LDAP User Authentication 59 About Fortify Software Security Center User Authentication 59 Preparing to Configure LDAP Authentication 60 About the LDAP Server Referrals Feature 60 Disabling LDAP Referrals Support 61 Chapter 4: Configuring Fortify Software Security Center for the First Time 62 Chapter 5: Logging in to Fortify Software Security Center 67 About Session Logout 68 Inactive Session Timeout 69 Logout Screen 69 Chapter 6: Additional Fortify Software Security Center Configuration 71 Accessing the Configuration Settings in the ADMINISTRATION View 71 Configuring Issue Stats Thresholds 72 How Average Days to Review and Average Days to Remediate are Calculated 72 Setting the Issue Stats Thresholds 72 Configuration Options Available in the ADMINISTRATION View 73 Configuring Application Security Training 76 About Audit Assistant 76 Getting a Fortify Scan Analytics Authentication Token 77 Configuring Audit Assistant 78 About Audit Assistant Auto-Prediction 80 Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom Tag Values 80 Configuring Security for BIRT Reporting 83 Enabling Java Security Manager 83 (Linux with OpenJDK only) Installing Required Fonts 83 Creating a Database Account for Reporting 83 Allocating Memory for Report Generation 84 Setting Report Generation Timeout 85 Configuring Core Settings 85 About Configuring a Proxy for Rulepack Updates 88 Configuring Email Alert Notification Settings 88 Setting the Strategy for Resolving Issue Audit Conflicts 91 Configuring Java Message Service Settings 92 Configuring LDAP Servers 93 Micro Focus Fortify Software Security Center (20.2.0) Page 5 of 386 User Guide Editing an LDAP Server Configuration 102 Importing an LDAP Server Configuration 102 Registering LDAP Entities 103 Refreshing LDAP Entities Manually 105 Deleting an LDAP Server Configuration 106 Configuring a Proxy for Fortify Software Security Center Integrations 106 Configuring ScanCentral SAST Monitoring in Fortify Software Security Center 108 Enabling the Running and Management of ScanCentral DAST Scans from Fortify Software Security Center 109 Configuring Job Scheduler Settings 109 Setting Job Execution Priority 113 Canceling Scheduled Jobs 114 Configuring Browser Access Security for Fortify Software Security Center 114 Configuring Fortify Software Security Center to Work with Single Sign-On 115 Restrictions on Configuration 116 Configuring Fortify Software Security Center to Work with a Central Authorization Server 117 Setting up Kerberos Authentication with Fortify Software Security Center 117 Troubleshooting 119 Configuring Fortify Software Security Center to Work with SAML 2.0- Compliant Single Sign-On Solutions 119 Troubleshooting SAML SSO Integration 122 Configuring Fortify Software Security Center to Work with Single Sign-On and Single Logout Solutions that use HTTP Headers 123 Configuring Fortify Software Security Center to Use X.509 Certification- based SSO 124 Enabling Username and Password Login if Fortify Software Security Center is Configured to Use the X.509 or Kerberos SSO Solution 125 Enabling Debug Logging for Single Sign-On Authentication 125 Configuring Web Services to Require Token Authentication 125 Changing Log Levels for Fortify Software Security Center 126 Configuring Federal Information Processing Standards (for integrating Fortify Software Security Center with Fortify WebInspect Enterprise only) 127 Customizing the Fortify Banner for Your Organization 127 Chapter 7: Additional Installation-Related Tasks 129 Blocking Data Export to CSV Files 129 About Bug Tracker Integration 129 Managing Bug Tracker Plugins 130 Micro Focus Fortify Software Security Center (20.2.0) Page 6 of 386 User Guide Adding Bug Tracker Plugins 130 Removing Bug Tracker Plugins 131 Securing Logon Credentials for Bug Tracking Systems 131 Bug Tracker Parameters 131 ALM Parameters 132 Configuring an Eclipse Plugin Update Site 132 Adding and Managing Parser Plugins 133 Preparing Fortify Software Security Center to Display Sonatype Results 134 About Fortify Software Security Center User Administration 136 Administrator Accounts 136 Fortify Software Security Center User Accounts 136 About Creating User Accounts 137 Preventing Destructive Library and Template Uploads to Fortify Software Security Center 138 Viewing Permission Information for Fortify Software Security Center Roles 138 About Managing LDAP User
Recommended publications
  • What's in the Cloud?
    WHAT’S IN THE CLOUD? PRODUCT GUIDE / MARCH 9, 2019 DISCLAIMER Oracle Commerce Cloud is a fully featured, extensible SaaS commerce solution, delivered in the Oracle Cloud, supporting B2C and B2B models in a single platform. Commerce Cloud grants greater agility and cost savings, with the extensibility and control required in the ultra-competitive digital commerce market. SIMPLIFY your technology footprint. INNOVATE to stay ahead of consumer demands and competitors in a low-risk way. DELIVER to every customer, every time to increase loyalty and revenue. Commerce Cloud has frequent releases. Please ensure you have the latest documentation. This content was updated for the 19A release (released in February 2019) 2 FEATURE GUIDE / WHAT’S IN THE CLOUD? Product Features Unified Admin ................................................................................................. 5 Core Platform and APIs ................................................................................. 5 Modular, Headless Options ............................................................................ 6 Responsive Storefront .................................................................................... 6 Guided Search................................................................................................ 7 SEO ................................................................................................................ 8 Drag-and-Drop Experience Creation ............................................................. 9 Catalog Management ..................................................................................
    [Show full text]
  • Voice.AI Gateway API Reference Guide Version
    Reference Guide AudioCodes Intuitive Human Communications for Chatbot Services Voice.AI Gateway API Version 2.2 Notice Voice.AI Gateway | API Reference Guide Notice Information contained in this document is believed to be accurate and reliable at the time of printing. However, due to ongoing product improvements and revisions, AudioCodes cannot guarantee accuracy of printed material after the Date Published nor can it accept responsibility for errors or omissions. Updates to this document can be downloaded from https://www.audiocodes.com/library/technical-documents. This document is subject to change without notice. Date Published: November-04-2020 WEEE EU Directive Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of with unsorted waste. Please contact your local recycling authority for disposal of this product. Customer Support Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner. For more information on how to buy technical support for AudioCodes products and for contact information, please visit our website at https://www.audiocodes.com/services-support/maintenance-and-support. Documentation Feedback AudioCodes continually strives to produce high quality documentation. If you have any comments (suggestions or errors) regarding this document, please fill out the Documentation Feedback form on our website at https://online.audiocodes.com/documentation-feedback. Stay in the Loop with AudioCodes - ii - Notice Voice.AI Gateway | API Reference Guide Notes and Warnings OPEN SOURCE SOFTWARE. Portions of the software may be open source software and may be governed by and distributed under open source licenses, such as the terms of the GNU General Public License (GPL), the terms of the Lesser General Public License (LGPL), BSD and LDAP, which terms are located at https://www.audiocodes.com/services-support/open-source/ and all are incorporated herein by reference.
    [Show full text]
  • Security and Privacy Issues in FHIR Subscription
    Security Working Group Security and Privacy Issues in FHIR Subscription Mohammad Jafari, Kathleen Connor, John M. Davis, Christopher Shawn Version 1.1 December 17 , 2019 (revised for publication on 1/20/2020) Security and Privacy Issues in FHIR Subscriptions December 17, 2019 Table of Contents 1 Introduction ................................................................................................................. 1 1.1 Related Technologies .................................................................................................... 2 2 Anatomy of a Subscription Service ............................................................................ 3 2.1 Subscription Topics ....................................................................................................... 3 2.2 Subscriptions Management ........................................................................................... 4 2.3 Event Monitor ................................................................................................................ 4 2.4 Notification Delivery ..................................................................................................... 4 2.5 Notification Processing ................................................................................................. 5 3 Security and Privacy Considerations ......................................................................... 6 3.1 Authorization for Subscription Management ................................................................ 6 3.2 Recipient’s Consent
    [Show full text]
  • Office365mon Subscription Management API
    Office365Mon Subscription Management API Office365Mon provides a set of APIs for managing subscriptions in our service. With it you can do things like create a subscription, change the details about the subscription, modify the list of administrators and notifications for a subscription, configure the resources being monitored for the subscription, and more. Using the subscription management API requires you to first create an application in your Azure Active Directory and add the Office365Mon applications to it. You’ll then reference your application information when requesting an access token that you can use to work with the subscription management API. This process is explained and illustrated in great detail in our API documentation for accessing report data, which you can download from https://www.office365mon.com/Office365Mon_AccessToken_And_API.pdf. It’s highly recommended to download that document first to ensure your environment is set up correctly before using this subscription management API. For resellers there are some special APIs just for you. You need to be registered with Office365Mon.Com to use the reseller APIs, which you can do by contacting us at [email protected]. Once you’re registered then you use the Reseller* APIs described at the end of this document to create new subscriptions and add and remove plans for those subscriptions. Once a subscription is actually created though, you can use the same Subscription Management APIs as everyone else to manage it – change the list of Admins, add or remove notification
    [Show full text]
  • Making Phone Calls from Blazor Webassembly with Twilio Voice
    © Niels Swimberghe https://swimburger.net - @RealSwimburger 1 About me • Niels Swimberghe aka Swimburger • Grew up in Belgium, working in USA • .NET Developer / Tech Content Creator • Blog at swimbuger.net • Twitter: @RealSwimburger • Company: 2 Programmatic communication using HTTP Webhooks Example TwiML Sample: https://demo.twilio.com/welcome/voice/ Based on in-depth guide on Twilio Blog Check out guide at Twilio Blog Application • Out of the box Blazor WebAssembly application • Phone dialer • Initiate phone calls from browser • Receive phone calls in browser Recommended architecture Demo architecture Demo architecture Auth flow 1. Ajax HTTP Request JWT token 2. Server generates JWT token and sends token in HTTP response 3. Twilio JavaScript SDK establishes bidirectional connection with Twilio over WebSocket Incoming call flow 1. Phone calls Twilio Phone Number 2. Twilio sends HTTP request to your webhook asking for instructions 3. Webhook responds with TwiML instructions Incoming call flow Webhook responds with TwiML instructions Incoming call flow 4. Twilio dials client 5. Client accepts incoming connection => VoIP established Outgoing call flow 1. Client connects to Twilio with To parameter 2. Twilio sends HTTP request to your webhook asking for instructions 3. Webhook responds with TwiML instructions Outgoing call flow Webhook responds with TwiML instructions Outgoing call flow 4. Twilio dials phone number 5. Phone accepts incoming connection => VoIP established Let’s see how its built Step 1: Create Twilio resources • You need to
    [Show full text]
  • What's in CX Commerce Cloud?
    What’s in CX Commerce Cloud? 20A release detail May 2020 | Version 1.00 Copyright © 2020, Oracle and/or its affiliates PURPOSE STATEMENT Oracle CX Commerce is a cloud-native, fully featured, extensible SaaS commerce solution, delivered in the Oracle Cloud, supporting B2C and B2B models in a single platform. CX Commerce grants greater agility and cost savings, with the extensibility and control required in the ultra-competitive digital commerce market. SIMPLIFY your technology footprint. INNOVATE to stay ahead of demands and competitors in a low-risk way. DELIVER to every customer, every time to increase loyalty and revenue. DISCLAIMER CX Commerce has frequent releases. Please ensure you have the latest documentation This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. Your access to and use of this confidential material is subject to the terms and conditions of your Oracle software license and service agreement, which has been executed and with which you agree to comply. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. This document is for informational purposes only and is intended solely to assist you in planning for the implementation and upgrade of the product features described. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
    [Show full text]
  • Alibaba Cloud
    AAlliibbaabbaa CClloouudd Alibaba Cloud AlAiblibaabbaa CClloouud dS eSrveicrev iMces hMesh DaDtaa Ptlaan Pelane Document Version: 20210809 Document Version: 20210809 Alibaba Cloud Service Mesh Dat a Plane·Legal disclaimer Legal disclaimer Alibaba Cloud reminds you t o carefully read and fully underst and t he t erms and condit ions of t his legal disclaimer before you read or use t his document . If you have read or used t his document , it shall be deemed as your t ot al accept ance of t his legal disclaimer. 1. You shall download and obt ain t his document from t he Alibaba Cloud websit e or ot her Alibaba Cloud- aut horized channels, and use t his document for your own legal business act ivit ies only. The cont ent of t his document is considered confident ial informat ion of Alibaba Cloud. You shall st rict ly abide by t he confident ialit y obligat ions. No part of t his document shall be disclosed or provided t o any t hird part y for use wit hout t he prior writ t en consent of Alibaba Cloud. 2. No part of t his document shall be excerpt ed, t ranslat ed, reproduced, t ransmit t ed, or disseminat ed by any organizat ion, company or individual in any form or by any means wit hout t he prior writ t en consent of Alibaba Cloud. 3. The cont ent of t his document may be changed because of product version upgrade, adjust ment , or ot her reasons. Alibaba Cloud reserves t he right t o modify t he cont ent of t his document wit hout not ice and an updat ed version of t his document will be released t hrough Alibaba Cloud-aut horized channels from t ime t o t ime.
    [Show full text]
  • Developer Guide Amazon Chime Developer Guide
    Amazon Chime Developer Guide Amazon Chime Developer Guide Amazon Chime: Developer Guide Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. Amazon Chime Developer Guide Table of Contents What is Amazon Chime? ..................................................................................................................... 1 Pricing ...................................................................................................................................... 1 Resources .................................................................................................................................. 1 Extending the Amazon Chime desktop client ......................................................................................... 2 User management ...................................................................................................................... 2 Invite multiple users ........................................................................................................... 2 Download user list ............................................................................................................
    [Show full text]
  • Using Azure Services from Webassembly Modules
    Using Azure services from WebAssembly modules Radu Matei May 11, 2021 This article originally appeared on the Microsoft DeisLabs blog1 WAGI, the WebAssembly Gateway Interface2, is a simple way of writing and executing HTTP response handlers as WebAssembly modules. We recently added new features to WAGI3, such as pulling modules from OCI registries and outbound HTTP connections from guest modules, which opened the possibility of using Azure services from Wasm modules, and in this article we explore building and running such modules. WAGI provides a very simple application model for building server-side HTTP response handlers using WebAssembly. Theoretically, any language that compiles to WASI, WebAssembly System Interface4, can be used build a WAGI handler, since WAGI is modeled after the CGI specification5 – read the request body from the process’ standard input and environment variables and write the response to standard output. Since the request bodies can be read as byte arrays, modules can perform any computation on them, with the advantage of running the modules in the WASI isolation sandbox, together with an experimental HTTP library6 that allows modules to send outbound HTTP connections. But besides raw HTTP connections, most real-world scenarios will also regularly need to use external services such blob storage, databases, or message-passing systems, which is why we are experimenting with using a subset of the Azure SDK for Rust from WebAssembly modules – specifically, Azure Blob Storage (reading and writing blobs), Cosmos DB (reading
    [Show full text]
  • Scalability of Push and Pull Based Event Notification
    DEGREE PROJECT IN TECHNOLOGY, FIRST CYCLE, 15 CREDITS STOCKHOLM, SWEDEN 2020 Scalability of push and pull based event notification MARCUS NILSSON DANIEL DUNÉR KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE Scalability of push and pull based event notification A comparison between webhooks and polling MARCUS NILSSON DANIEL DUNÉR Högskoleingenjör Datateknik Date: June 9, 2020 Supervisor: Peter Sjödin Examiner: Markus Hidell School of Electrical Engineering and Computer Science Swedish title: Skalbarhet hos push- och pullbaserad eventnotifikation Swedish subtitle: En jämförelse mellan webhooks och polling Scalability of push and pull based event notification / Skalbarhet hos push- och pullbaserad eventnotifikation © 2020 Marcus Nilsson and Daniel Dunér Abstract | i Abstract Today’s web applications make extensive use of APIs between server and client, or server to server in order to provide new information in the form of events. The question was whether the different methods of procuring events are different in how they scale. This study aims to compare performance between webhooks and polling, the two most commonly used pull and push based methods for event notification when scaling up traffic. The purpose is to create a basis for developers when choosing the method for event notification. The comparison has been developed through measurements of typical indicators of good performance for web applications: CPU usage, memory usage and response time. The tests gave indications that webhooks perform better in most circumstances, but further testing is needed in a more well-defined environment to draw a confident conclusion. Keywords Event notification, Webhooks, Polling, Scalability, Performance test, Web application ii | Abstract Sammanfattning | iii Sammanfattning Dagens webbapplikationer använder sig i stor utsträckning av API:er mellan server och klient, eller server till server för att inhämta ny information i form av events (händelser).
    [Show full text]
  • Webhooks Integration Guide
    Webhooks Integration Guide Version 2.1 Confidential Falconide Webhooks Integration Guide Version 2.1 Contents 1. Overview ................................................................................................................................................................................................................................................................ 3 2. How does Data transmission happen? .................................................................................................................................................................................................................. 4 3. How to Configure Webhooks ................................................................................................................................................................................................................................. 5 4. Events Data .......................................................................................................................................................................................................................................................... 12 5. How to collect the event data? ............................................................................................................................................................................................................................ 14 6. Track your Webhooks .........................................................................................................................................................................................................................................
    [Show full text]
  • Alerta Documentation Release 6.0
    alerta Documentation Release 6.0 Nick Satterly Oct 02, 2018 Contents 1 Demo Sites 3 1.1 Quickstart................................................3 1.2 Design Principles.............................................4 1.3 Server & API...............................................5 1.4 Alerta Web UI..............................................9 1.5 Alerta CLI................................................ 11 1.6 Integrations & Plugins.......................................... 19 1.7 Authentication.............................................. 23 1.8 Authorization............................................... 30 1.9 Configuration............................................... 31 1.10 Deployment............................................... 37 1.11 Customer Views............................................. 40 1.12 Conventions............................................... 41 1.13 Development............................................... 43 1.14 Getting Started.............................................. 44 1.15 Resources................................................. 45 1.16 API Reference.............................................. 46 1.17 Alert Format............................................... 77 1.18 Heartbeat Format............................................. 80 2 Contribute 81 3 Support 83 3.1 Frequently Asked Questions....................................... 83 4 License 87 4.1 Releases................................................. 87 4.2 About................................................... 91 5 Indices and tables
    [Show full text]