Fortify End User Training

Transcription

1 Fortify End User Training Day 2: Labs VA SOFTWARE ASSURANCE PROGRAM OFFICE 1

2 Class Logistics Please mute your phones; conference line muted, #6 to unmute, *6 to mute Breaks approximately each hour, with lunch break around noon Please IM questions during the presentation; lengthy questions may be addressed during day 2 open lab VA SOFTWARE ASSURANCE PROGRAM OFFICE 2

3 Day 1 Review Module 1: Software Analysis Overview Module 2: VA Secure Code Review SOP Overview Module 3: Fortify Overview Module 4: Analysis with Fortify Module 5: Fortify Installation Module 6: Scan for Vulnerabilities Module 7: Integration with IDEs Module 8: Fortify Rulepacks Module 9: Auditing Fortify Results Module 10: Integration into Build Process Module 11: Verifying V&V Code Review Package Module 12: Resolving Scan Issues Module 13: OWASP Top 10 and CWE/SANS Top 25 VA SOFTWARE ASSURANCE PROGRAM OFFICE 3

4 Course Outline - Day 2 Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Module 15: Reporting Lab 3: Scanning Objective-C source code Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 4

5 Course Agenda Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Module 15: Reporting Lab 3: Scanning Objective-C source code Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 5

6 Cost Types of Code Reviews Methods Description Considerations Manual Manually reviewing and scanning each source code file, line by line Prior to a visual scan of the source, an analyst(s) uses sizing, metrics, and textual-search tools High levels of accuracy Increased Costs & Levels of Effort Uses a combination of manual analysis and software tools designed to assist in the code inspection process Semi- Automated This software typically uses a combination of target word lists, databases, graphical user interfaces, and report generation engines When a target word is found, a visual inspection of the word and its context in the application is reviewed by the analyst(s) Accuracy Relies entirely on a software tool to test and report known coding vulnerabilities and malicious code. Fully Automated Code analysis tools use known, documented principles as their basis of identifying vulnerabilities and have the ability to discover attacks or mechanisms based on hostile characteristics Less accurate Decreased Costs & Levels of Effort VA SOFTWARE ASSURANCE PROGRAM OFFICE 6

7 Code Review Methodology Planning & Test Preparation Static Code Analysis Manual Review & Finding Categorization Documentation & Reporting Gather background information Determine objectives Set the constraints and goals Document the assumptions Define the vulnerability discovery strategy Identify appropriate tools Gather necessary source code and software libraries Validate code compiles correctly and can be accurately evaluated with automated tools Perform scan Identify preliminary vulnerabilities Review overall application architecture Analyze static code output to validate and/or eliminate false positives Manual review to identify false negatives Categorize findings by severity Document Findings Determine Impacts Develop Recommendations Submit and deliver a final customized report based on agreed upon deliverables Review findings with code developers to understand mitigating controls for vulnerabilities to help determine residual risk Request additional information or missing application components (if applicable) Re-scan as required VA SOFTWARE ASSURANCE PROGRAM OFFICE 7

8 Perform the Automated Code Scan Perform a scan of the code to find an initial set of security issues Discover hot spots where additional security issues are likely to be discovered in later steps. Security issues tend to cluster. If your scan finds a large number of security issues in a particular component or function, then you should carefully examine that area manually to discover security issues that may have been missed by the scanning tool VA SOFTWARE ASSURANCE PROGRAM OFFICE 8

9 False Positives and False Negatives Static analysis tools frequently identify false positives. All positive findings should be verified manually to confirm that they are true positive findings Static analysis tools produce false negatives, frequently failing to identify vulnerabilities The code should be reviewed manually to identify false negatives Static analysis tools can be tuned to significantly reduce the number of false positives and false negatives VA SOFTWARE ASSURANCE PROGRAM OFFICE 9

10 Manual Verification Input Data Validation Does the application have an input validation architecture? Is validation performed on the client, on the server, or both? Is there a centralized validation mechanism, or are validation routines spread throughout the code base? Check error handling to make sure that exceptions are caught consistently and caught close to their source. Check for appropriate use of cryptography Identify areas of the code that appear especially complex Identify architectural flaws Look for configuration issues Use checklists VA SOFTWARE ASSURANCE PROGRAM OFFICE 10

11 Manual Verification, Cont d Control flow analysis. Control flow analysis is the mechanism used to step through logical conditions in the code. The process is as follows: - Examine a function and determine each branch condition. These can include loops, switch statements, if statements, and try/catch blocks. Dataflow analysis. Trace data from the points of input to the points of output. Some common sources and sinks are: - Public interfaces - User interface - Database interaction - Socket interaction - File I/O - Pipes VA SOFTWARE ASSURANCE PROGRAM OFFICE 11

12 Classification of Vulnerabilities Vulnerabilities Input Validation Cross-site Scripting Unbound Sizes Injection Attacks Secure State and Session Management Sensitive Information in Test and Debug Code Non-Compiled Code Malicious Code Documentation / Comments Public Variables, Objects, User Authentication Methods Principle of Least Privilege Buffer Overflow/Underflow Error Handling Coding Best Practices Non-security related defects CRITICAL HIGH MEDIUM LOW INFO The finding must be mitigated immediately Failure to address the finding may have a serious adverse impact to the system The finding must be mitigated in the nearterm Failure to address the finding may have a considerable adverse impact to the system. The finding should be mitigated in the nearterm, but mid-term mitigation is acceptable Failure to address the finding may have an adverse impact to the system The finding should be mitigated as time permits Failure to address the finding may have a minimal adverse impact to the system The finding was included as information that developers should consider when writing code. VA SOFTWARE ASSURANCE PROGRAM OFFICE 12

13 Course Agenda Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Module 15: Reporting Lab 3: Scanning Objective-C source code Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 13

14 OWASP WebGoat Open Web Application Security Project (OWASP) provides a deliberately insecure web application in Java: WebGoat J2EE VA SOFTWARE ASSURANCE PROGRAM OFFICE 14

15 Lab 1 Goals In this lab we will: Install the Eclipse plugin Scan WebGoat project using the plugin Explore the Fortify interface Explore how to audit issues with Fortify VA SOFTWARE ASSURANCE PROGRAM OFFICE 15

16 MORNING BREAK 1 VA SOFTWARE ASSURANCE PROGRAM OFFICE 16

17 Course Agenda Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Lab 3: Scanning Objective-C source code Module 15: Reporting Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 17

18 OWASP WebGoat.NET Open Web Application Security Project (OWASP) provides a deliberately insecure web application written in.net: WebGoat.Net ASP.Net VA SOFTWARE ASSURANCE PROGRAM OFFICE 18

19 Lab 2 Goals In this lab we will: Scan WebGoat.NET using the Visual Studio plugin Explore the Fortify interface Demonstrate merging FPR files VA SOFTWARE ASSURANCE PROGRAM OFFICE 19

20 Course Agenda Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Module 15: Reporting Lab 3: Scanning Objective-C source code Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 20

21 Reporting: How it Fits into the Process As described earlier, reporting the issues discovered in the code review is an important part of the process Planning & Test Preparation Static Code Analysis Manual Review & Finding Categorization Documentation & Reporting Gather background information Determine objectives Set the constraints and goals Document the assumptions Define the vulnerability discovery strategy Identify appropriate tools Gather necessary source code and software libraries Validate code compiles correctly and can be accurately evaluated with automated tools Perform scan Identify preliminary vulnerabilities Review overall application architecture Analyze static code output to validate and/or eliminate false positives Manual review to identify false negatives Categorize findings by severity Document Findings Determine Impacts Develop Recommendations Submit and deliver a final customized report based on agreed upon deliverables VA SOFTWARE ASSURANCE PROGRAM OFFICE 21

22 Report Information Information to include in a report: Type of vulnerability Severity Standards violated (CWE, STIG, etc) Location Code sample Description of why it is a vulnerability and its impact Recommendation to mitigate the issue Fortify has a built-in reporting feature that will generate reports from the FPR including this information VA SOFTWARE ASSURANCE PROGRAM OFFICE 22

23 Sample Report Cover VA SOFTWARE ASSURANCE PROGRAM OFFICE 23

24 Sample Report Table of Contents VA SOFTWARE ASSURANCE PROGRAM OFFICE 24

25 Sample Results - Introduction VA SOFTWARE ASSURANCE PROGRAM OFFICE 25

26 Sample Report Issue Reporting VA SOFTWARE ASSURANCE PROGRAM OFFICE 26

27 V&V Reporting A V&V secure code review report from the SwA Team will include: A description of any scanning errors Indications where the scanned code doesn t match the delivered code Lists of any unmitigated issues and associated comments: Issues that have not been audited Issues that have been hidden or suppressed Issues where the audit indicates they are true positives Issues where the team disagrees with a tag of Not an Issue Additional issues that may have been spotted during the review A description of any problems with custom rule files Other issues that may be noted as the code review package is reviewed VA SOFTWARE ASSURANCE PROGRAM OFFICE 27

28 MORNING BREAK 2 VA SOFTWARE ASSURANCE PROGRAM OFFICE 28

29 Course Agenda Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Module 15: Reporting Lab 3: Scanning Objective-C source code Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 29

30 OWASP igoat Open Web Application Security Project (OWASP) provides a deliberately insecure ios application: igoat Contains a series of lessons to teach about security issues VA SOFTWARE ASSURANCE PROGRAM OFFICE 30

31 Lab 3 Goals In this lab we will: Load a pre-scanned igoat FPR into Audit Workbench Explore the Fortify interface Demonstrate report generation VA SOFTWARE ASSURANCE PROGRAM OFFICE 31

32 LUNCH VA SOFTWARE ASSURANCE PROGRAM OFFICE 32

33 Course Agenda Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Module 15: Reporting Lab 3: Scanning Objective-C source code Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 33

34 Open Lab Open Lab forum Bring code to scan Demonstrate other features Integration in build systems Questions Samate - Fortify SCA BenchMark VA SOFTWARE ASSURANCE PROGRAM OFFICE 34

35 Samate Fortify SCA BenchMark NIST Software Assurance Metrics And Tool Evaluation (Samate) provides a number of test suites for static analysis tools. Fortify SCA BenchMark C & Java code Demo only looks at the Java VA SOFTWARE ASSURANCE PROGRAM OFFICE 35

36 Course Agenda Module 14: Auditing Lab 1: Scanning Java source code Lab 2: Scanning.NET source code Module 15: Reporting Lab 3: Scanning Objective-C source code Lab 4: Open Lab Day 2 Wrap Up VA SOFTWARE ASSURANCE PROGRAM OFFICE 36

37 Day 2 Wrap Up Summary: Writing secure code is every VA application developer s responsibility. Secure code reviews have been included as activities in the VA ProPath System Development Life Cycle (SDLC) Product Build (BLD) processes Fortify can be used to scan source code for vulnerabilities during development Fortify should be used according to the VA OIS Secure Code Review Standard Operating Procedures Fortify software that is licensed for VA use can be requested through the NSD help desk V&V secure code review validations of final scans during the A&A process can be requested through the NSD help desk Resources that you may find helpful: VA OIS Software Assurance Program Office support site: Fortify product documentation is included as part of Fortify software distribution OWASP Top Ten: CWE/SANS TOP 25: VA SOFTWARE ASSURANCE PROGRAM OFFICE 37

38 Additional Resources For more data sets to scan: Samples included with Fortify OWASP: Samate: More information on software vulnerabilities: VA SOFTWARE ASSURANCE PROGRAM OFFICE 38