Micro Focus Fortify Software Security Center User Guide
Micro Focus Fortify Software Security Center
Software Version: 19.2.0

User Guide

Document Release Date: December 2019
Software Release Date: November 2019

Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2008 - 2019 Micro Focus or one of its affiliates

Trademark Notices

Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.

Documentation Updates

The title page of this document contains the following identifying information:
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software

This document was produced on December 12, 2019.

To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support-and-services/documentation

Micro Focus Fortify Software Security Center (19.2.0) Page 2 of 332 User Guide

Contents

Preface  14
    Contacting Micro Focus Fortify Customer Support  14
    For More Information  14
    About the Documentation Set  14
    Change Log  15
Chapter 1: Introduction  24
    Intended Audience  24
    Document Structure  24
    What's New in Micro Focus Fortify Software Security Center 19.2.0  25
    New PCI Basic Seed Bundle  25
    Removal of Runtime Calls, Methods, and Parameters  25
    Session Logout Screens  25
    New Requirement for Audit Assistant Custom Tag Mapping  25
    Exporting Data for All Application Versions  26
    Additional File Formats Supported for Issue Attachments  26
    Related Documents  26
    All Products  26
    Micro Focus Fortify CloudScan  27
    Micro Focus Fortify Software Security Center  27
    Micro Focus Fortify Static Code Analyzer  28
    Micro Focus Fortify WebInspect  29
    Micro Focus Fortify WebInspect Enterprise  31
Part I: Deploying Fortify Software Security Center  33
Chapter 2: Providing for Secure Deployment  34
    Securing Access to Facilities  34
    Securing Tomcat Server  34
    Setting Tomcat Server Attributes to Protect Sensitive Data in Cookies  34
    About Using HTTPS and SSL Communications  35
    Configuring and Fortify Static Code Analyzer Tools to Communicate with Fortify Software Security Center Using HTTPS  35
    About Securing Passwords and User Roles  36
    Managing Computer Services and Accounts  36
Chapter 3: Preparing for Fortify Software Security Center Deployment  37
    High-Level Deployment Tasks  37
    Deployment Overview  38
    The Fortify Software Security Center Installation Environment  40
    Downloading Fortify Software Security Center Files  42
    Unpacking and Deploying Fortify Software Security Center Software  42
    About the Fortify Software Security Center Database  44
    About JDBC Drivers  45
    Adding the JDBC Driver to Fortify Software Security Center  45
    About Fortify Software Security Center Database Character Set Support  45
    Installing and Configuring the Database Server Software  46
    Database User Account Privileges  46
    Database-Specific Configuration Requirements  47
    Using a Microsoft SQL Server Database  47
    Configuring a MySQL Database  48
    Configuring an Oracle Database  50
    Preventing the “No more data to read from socket” Error  50
    Partitioning an Oracle Database for Improved Performance  50
    Preparing to Partition an Oracle Database  50
    Partitioning the Database  51
    Increasing the Number of Job Execution Threads  51
    About the Fortify Software Security Center Database Tables and the Schema  51
    About Seeding the Fortify Software Security Center Database  52
    Permanently Deleting a Fortify Software Security Center Database  52
    LDAP User Authentication  53
    About Fortify Software Security Center User Authentication  53
    Preparing to Configure LDAP Authentication  54
    About the LDAP Server Referrals Feature  55
    Disabling LDAP Referrals Support  55
Chapter 4: Deploying Fortify Software Security Center in Tomcat Server  56
    About the fortify.home Directory  57
    Directory Structure  57
    About Secure Deployment  58
    About Deploying Fortify Software Security Center in Apache Tomcat  58
    Tomcat Memory Settings  58
    About Configuring the Tomcat Connectors  59
    Configuring Tomcat to Unpack WAR Files  59
    Deploying Fortify Software Security Center in Tomcat Server  59
Chapter 5: Configuring Fortify Software Security Center for the First Time  61
Chapter 6: Logging in to Fortify Software Security Center  66
    About Session Logout  67
Chapter 7: Additional Fortify Software Security Center Configuration  68
    Accessing the Configuration Settings in the ADMINISTRATION View  68
    Configuring Issue Stats Thresholds  69
    How Average Days to Review and Average Days to Remediate are Calculated  69
    Setting the Issue Stats Thresholds  69
    Configuration Options Available in the ADMINISTRATION View  70
    Configuring Application Security Training  73
    About Audit Assistant  73
    Getting a Fortify Scan Analytics Authentication Token  74
    Configuring Audit Assistant  74
    About Audit Assistant Auto-Prediction  76
    Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom Tag Values  77
    Configuring Fortify Software Security Center for BIRT Reporting  80
    Enabling Java Security Manager  80
    Creating a Database Account for Reporting  80
    Allocating Memory for Report Generation  81
    Setting Report Generation Timeout  82
    Configuring CloudScan Monitoring in Fortify Software Security Center  82
    Configuring Core Settings  83
    About Configuring a Proxy for Rulepack Updates  86
    Configuring Email Alert Notification Settings  86
    Setting the Strategy for Resolving Issue Audit Conflicts  88
    Configuring Java Message Service Settings  89
    Configuring LDAP Servers  90
    Editing an LDAP Server Configuration  99
    Importing an LDAP Server Configuration  99
    Registering LDAP Entities  100
    Refreshing LDAP Entities Manually  102
    Deleting an LDAP Server Configuration  103
    Configuring a Proxy for Fortify Software Security Center Integrations  103
    Configuring Job Scheduler Settings  105
    Setting Job Execution Priority  108
    Canceling Scheduled Jobs  109
    Configuring Browser Access Security for Fortify Software Security Center  109
    Configuring Fortify Software Security Center to Work with Single Sign-On  111
    Configuring Fortify Software Security Center to Work with a Central Authorization Server  112
    Setting up Kerberos Authentication with Fortify Software Security Center  112
    Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant Single Sign-On Solutions  114
    Troubleshooting  115
    Configuring Fortify Software Security Center to Work with Single Sign-On and Single Logout Solutions that use HTTP Headers  116
    Enabling Debug Logging for Single Sign-On Authentication  117
    Configuring Fortify Software Security Center to Use X.509 Certification-based SSO  118
    Enabling Local User Authentication if Fortify Software Security Center is Configured to Use X.509 Certification-Based SSO  118
    Configuring Web Services to Require Token Authentication  118
    Changing Log Levels for Fortify Software Security Center  119
    Configuring Federal Information Processing Standards (for integrating Fortify Software Security Center with Fortify WebInspect Enterprise only)  119
    Customizing the Fortify Banner for Your Organization  120
Chapter 8: Additional Installation-Related Tasks  121
    Blocking Data Export to CSV Files  121
    About Bug Tracker Integration  121
    Managing Bug Tracker Plugins  122
    Adding Bug Tracker Plugins  122
    Removing Bug Tracker Plugins  123
    Securing Logon Credentials for Bug Tracking Systems  123
    Bug Tracker Parameters  123
    ALM Parameters  124
    Configuring an Eclipse Plugin Update Site  124
    Adding and Managing Parser Plugins  125
    About Fortify Software Security Center User Administration  126
    Administrator Accounts  126
    Fortify Software Security Center User Accounts  126
    About Creating User Accounts  127
    Preventing Destructive Library and Template Uploads to Fortify Software Security Center  128
    Viewing Permission Information for Fortify Software Security Center Roles  128
    About Managing LDAP User Roles  129
    Group Membership in Fortify Software Security Center  129
    Handling Failed LDAP User Logins  130
    About Mapping Fortify Software Security Center Roles to LDAP Groups  130
    Global Search Functionality in Fortify Software Security Center  131
    About Global Search Functionality  131
    Troubleshooting Search Index Issues  132
    Placing Fortify Software Security Center in Maintenance Mode  132
    About Fortify Software Security Content  133
    Updating Rulepacks from the Micro Focus