HP Fortify Software Security Center v3.70 System Requirements. HP Fortify Software Licenses. HP Fortify Software Security Center Server Requirements

Part Number: 1-184-2012-11-370-01 HP Fortify Software Security Center v3.70 System Requirements The HP Fortify Technical Communications team strives to provide the most comprehensive and accurate documentation possible. To ensure that your documents are up to date, visit the HP Software Product Manuals site at http://support.openview.hp.com/selfsolve/manuals. HP Fortify Software Licenses Before you begin working in HP Fortify software, you will need to download the appropriate licenses for your purchases. To do this, go to https://support.fortify.com. You will need the user name and password provided to you by HP Fortify Customer Support. Hardware Requirements HP Fortify Software Security Center Server Requirements HP Fortify Software Security Center requires the following: 2 GHz+ processor, 32-bit, or 64-bit (recommended) 4 GB+ RAM Platforms and Architectures HP Fortify Software Security Center supports the following platforms and architectures: Operating System Versions Architectures Linux Red Hat ES 4, ES 5 x86: 32-bit or Novell SUSE 10, Oracle EL 5.2 64-bit (recommended) Windows 2003 SP2, 2008, 2008 R2 x86: 32-bit or Oracle Solaris 10 SPARC Application Servers 64-bit (recommended) HP Fortify Software Security Center supports application servers listed in the following table. Application Server Versions Java Versions Tomcat WebLogic WebSphere 6.0 or 7.0 (recommended) 10.3.4 or 10.3.5 (recommended) 6.1 (to be deprecated in future HP Fortify versions) or 7.0 (recommended) Java 6 or 7 Java 6 or 7 Java 6 or 7 JBoss 5.0.1 Java 6 or 7 MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 1

Databases HP Fortify Software Security Center supports the following databases in a production environment: Databases Character Sets Drivers MS SQL Server 2005 or 2008 (recommended) SQL_Latin1_General_CP1 _CI_AS, Unicode JTDS (Recommended) JDBC 3.0 Type 4 driver for Microsoft SQL Server version 1.2.2 Driver class: net.sourceeforge.jtds.jdbc.driver Jar file: jtds-1.2.2.jar MySQL 5.0.x: 5.0.45 and higher MySQL 5.1.x: 5.1.30 or 5.1.39 and higher (recommended) Oracle 10g and 11g DB2 9.5, 9.7 Microsoft Microsoft SQL Server JDBC Driver 2.0 Type 4 Driver class: com.microsoft.sqlserver.jdbc.sqlserve rdriver Jar files: sqljdbc4.jar (Java 6) sqljdbc.jar (Java 5) UTF8, Latin1 MySQL Connector/J 5.1 or 5.1.11 AL32UTF8 for all languages WE8MSWIN1252 for US English UTF8, IBM-1252 Driver class: com.mysql.jdbc.driver Jar file: mysql-connector-java- <Version_Number>-bin.jar Oracle Database 11g Release 1 (11.1.0.7.0) JDBC Drivers Driver class: oracle.jdbc.oracledriver Jar files: jdbc6.jar (Java 6) jdbc5.jar (Java 5) Note: IBM DB2 drivers also require that you add at least one of the following driver license files to the CLASSPATH before loading the JDBC driver and seeding your database. db2jcc_license_cisuz.jar db2jcc_license_cu.jar IBM DB2 JDBC Driver v9.5 FP4 3.53.95 Driver class: Jar files: com.ibm.db2.jcc.db2driver db2jcc.jar (Java 5) db2jcc4.jar (Java 6) MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 2

Databases Character Sets Drivers Note: If SQL Server is configured to use any character encoding other than unicode, you must append "sendstringparametersasunicode=false" to the end of your jdbc URL. For example: jdbc:jtds:sqlserver://dbhost:1433/ssc;sendstringparametersasunicode=false HP Fortify Software Security Center Demonstration Server includes an Apache Derby database for evaluation purposes only. This database cannot be expanded or upgraded. Do not use it to store critical data. Database Disk Space Use the following formula to estimate the size (in GB) of the HP Fortify Software Security Center database disk space: DB_Space (GB) = ( < TotalIssues > *30kb) + < TotalArtifacts in kb > 1,000,000 where: <TotalIssues> = Total number of issues in the system <TotalArtifacts> = Total size of all uploaded artifacts and scan results Notes: This equation produces only a rough estimate for the allocation of database disk space. The formula is not intended for use in estimating disk space requirements for long term projects. The disk requirements for the HP Fortify Software Security Center databases grow in proportion to the number of projects, scans, and issues in the system. Browsers HP Fortify Software Security Center requires Flash Player version 10.2 or later. For the best experience, we recommend that you use one of the following browsers with a minimum resolution of 1280x1024: Browser Firefox Internet Explorer Safari Chrome JAWS (See HP Fortify Assistive Technologies Section 508) Flash Plug-in Flash Player 11 (recommended) Flash Player 11 (recommended) Flash Player 11 (recommended) Flash Player 11 (recommended) Flash Player 11 (recommended) Authentication Systems Windows Active Directory Service LDAP MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 3

Service Integrations HP Fortify Software Security Center supports the following service integrations: Service Applications Versions Bug Creation Bugzilla 3.0 HP ALM 11 JIRA 4.0 Authentication CA SiteMinder 12 Active Directory 2003, 2008 Issue Import AppDetective 6.0 AppScan 7.7, 7.9, 8.0 For compatibility with HP Fortify Static Code Analyzer (SCA), HP WebInspect, and HP AMP, see HP Fortify 3.70 Compatibility Matrix Dynamic Assessments WebInspect Enterprise Notes: ALM 11 changeset mapping is only supported in conjunction with VisualSVN. Importing third-party issues may result in the loss of some third-party format functionality. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 4

Documentation The documents listed in the following table apply to HP Fortify Software Security Center. Document Name PDF HTML Help HP Fortify Software Security Center User Guide HP_Fortify_SSC_User_Guide_3.70.pdf HP Fortify Software Security Center Help HP Fortify Software Security Center Process Guide HP Fortify Software Security Center Installation and Configuration Guide HP Fortify Software Security Center Runtime Hybrid Analysis User Guide HP_Fortify_SSC_Installation_and_ Configuration_Guide_3.70.pdf HP_Fortify_Runtime_Hybrid_Analysis_User_ Guide_3.70.pdf Within the web application at /ssc/guide/ HP Fortify Software Security Center Installation and Configuration Help MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 5

Hardware Requirements HP Fortify Static Code Analyzer Requirements HP Fortify Software recommends that you install HP Fortify Static Code Analyzer (SCA) on a high-end processor with at least 4 GB of RAM. If your software is particularly complex, you may need more RAM. Platforms and Architectures SCA supports the following platforms and architectures: Operating System Architectures Versions Linux x86: 32-bit or Red Hat ES 4, ES5 Windows 64-bit (recommended) x86: 32-bit or 64-bit (recommended) Mac OS x86 10.6, 10.7 Solaris SPARC 10 x86 10 HP-UX Itanium 11.31 Notes: Novell SUSE 10, Oracle EL 5.2 2003 SP1, 2008, XP, Vista Business, Vista Ultimate, Windows 7 Audit Workbench, Process Designer, Custom Rules Editor, and Scan Wizard are not supported on HP-UX, and Oracle Solaris. SCA has not been tested on all Linux variants, but most distributions are not known to cause issues. SCA has been supported on other platforms in the past. If the operating system that you require is not in the table above, please contact HP Fortify support for more information. Languages SCA supports the programming languages listed in the following table: Language Versions ABAP/BSP 6 ActionScript/MXML (Flex) 3, 4 ASP.NET, VB.NET, C# (.NET) 1.1, 2.0, 3.0, 3.5, 4.0 C/C++ See Compilers Classic ASP (with VBScript) 2, 3 COBOL CFML 5, 7, 8 HTML IBM Enterprise Cobol for z/os 3.4.1 with IMS, DB2, CICS, MQ 4 and earlier Java 1.3, 1.4, 1.5, 1.6, 1.7 JavaScript/AJAX 1.7 JSP 1.2, 2.1 MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 6

Language Versions Objective-C See Compilers PHP 5.0 5.3 PL/SQL 8.1.6 Python 2.6 T-SQL SQL Server 2005 and 2008 Visual Basic 6 VBScript 2.0, 5.0 XML 1.0 Note: ios projects compiled using Objective-C require ios SDK 4.3 or 4.5. Build Tools SCA supports the build tools listed in the following table: Build Tool Versions Ant 1.5.x, 1.6.x, 1.7.x, 1.8.x Maven 2.0.9 to 2.x.x MSBuild 2, 3.5, 4 Xcodebuild 4.1, 4.2, 4.2.1, 4.3 Compilers SCA supports the compilers listed in the following table: Compilers Clang 2.9, 3.0 LLVM-GCC 4.2, 4.3 GNU gcc 2.9 4 GNU g++ 3 4 Intel icc 8.0 Microsoft cl 12.x 13.x Sun cc / Sun CC 5.9, 5.10, 5.11 Sun javac 1.3 1.6 Operating Systems Mac OS Mac OS Linux, HP-UX, Mac OS, Solaris, Windows Linux, HP-UX, Mac OS, Solaris, Windows Linux Windows Solaris Linux, HP-UX, Mac OS, Solaris, Windows MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 7

Integrated Development Environments SCA supports the following integrated development environments: Auditing and Scanning Plug-ins Eclipse 3.3, 3.4, 3.5, 3.6, 3.7 RAD 7, 7.5, 8.0, 8.5; RSA 7, 7.5, 8.0 JBuilder 2008 R2 Remediation Plug-ins (audit-only) JDeveloper 10.1.3, 11.1.1 IntelliJ 10, 11 Microsoft Visual Studio 2010 Microsoft Visual Studio 2003 (scanning only) Microsoft Visual Studio 2005, 2008, 2010 Note: The HP Fortify Software Security Center Plug-in for Eclipse requires JRE 1.5 or greater. HP Fortify Build Monitor HP Fortify Build Monitor supports the following Windows platforms and architectures: Operating System Architectures Versions Windows x86: 32-bit and 64-bit 2003 SP1, 2008, XP Windows x86: 32-bit 2000 Note: Build Monitor is not supported on Windows Vista or later. Service Integrations HP Fortify Audit Workbench and Secure Code Plug-ins (SCP) support the following service integrations: Service Applications Versions Supported Tools Bug Creation Bugzilla 3.0 Audit Workbench, Visual Studio SCP, Eclipse SCP HP Quality Center 9.2, 10.0 Audit Workbench, Eclipse SCP Microsoft Team Foundation Server Software Security Center Bugtracker 2005, 2008, 2010 Visual Studio SCP 3.70 Audit Workbench, Eclipse SCP Issue Import AppDetective 6.0 Issue Import AppScan 7.7, 7.9, 8.0 For compatibility with HP Fortify SSC, HP WebInspect, and HP AMP, see the HP Fortify 3.70 Compatibility Matrix on page 14. Notes: HP Quality Center integration requires that you install the HPQC Client-Side Add-in software. Team Foundation Server integration requires that you install the Visual Studio Team Explorer software. When integrating with TFS 2010, Visual Studio SCP must be installed on a machine running Visual Studio 2010. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 8

Documentation The documents listed in the following table apply to HP Fortify Static Code Analyzer: Document Name PDF HTML Help HP Fortify Audit HP_Fortify_Audit_Workbench_User_Guide_ HP Fortify Audit Workbench User Guide 3.70.pdf Workbench User Guide Help HP Fortify Eclipse Plug-in Guide HP Fortify JDeveloper Installation and Usage Guide HP Fortify Package for Visual Studio Installation and Configuration Guide HP Fortify Remediation Package for Microsoft Visual Studio 2010 Installation and Usage Guide HP Fortify Remediation Plug-in for IntelliJ Installation and Usage Guide HP Fortify Software Security Center Process Designer User Guide HP Fortify Static Code Analyzer Custom Rules Guide HP Fortify Static Code Analyzer for COBOL Addendum HP Fortify Static Code Analyzer Installation and Configuration Guide HP Fortify Static Code Analyzer User Guide HP Fortify Static Code Analyzer Utilities User Guide HP_Fortify_Eclipse_Plug-in_Guide_3.70.pdf HP_Fortify_JDeveloper_Install_and_Usage_ Guide_3.70.pdf HP_Fortify_Visual_Studio_Install_and_ Config_3.70.pdf HP_Fortify_VS_2010_Remediation_3.70.pdf HP_Fortify_IntelliJ_Remediation_3.70.pdf HP_Fortify_Process_Designer_User_Guide_ 3.70.pdf HP_Fortify_SCA_Custom_Rules_3.70.pdf HP_Fortify_SCA_COBOL_Addendum_3.70.pdf HP_Fortify_SCA_Install_and_Config_3.70.pdf HP_Fortify_SCA_User_Guide_3.70.pdf HP_Fortify_SCA_Utilities_User_Guide_ 3.70.pdf HP Fortify Eclipse Plug-in Help HP Fortify JDeveloper Help HP Fortify Visual Studio Package Help HP Fortify Visual Studio 2010 Remediation Package Help HP Fortify IntelliJ Remediation Plug-in Help HP Fortify v3.70 SCA Install & Config Help HP Fortify v3.70 SCA User Help MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 9

HP Fortify CloudScan HP Fortify CloudScan has three major components: CloudScan CLI, CloudScan Controller, and CloudScan Cloud. The requirements for each component are listed below. Hardware Requirements CloudScan CLI CloudScan CLI will run on any machine that supports HP Fortify Static Code Analyzer. Because CloudScan CLI is installed on build machines running SCA, hardware requirements will be met. Hardware Requirements CloudScan Controller HP Fortify Software recommends that you install the CloudScan Controller on a high-end processor running at 2 GHz with at least 4 GB of RAM. Platforms and Architectures The CloudScan Controller supports the following platforms and architectures: Operating System Architectures Versions Linux x86: 32-bit or Red Hat ES 4, ES5, Novell SUSE 10, Oracle EL 5.2 64-bit (recommended) Windows x86: 32-bit or 64-bit (recommended) 2003 SP1, 2008, XP Vista Business, Vista Ultimate, Windows 7 Disk Space Requirement To estimate the amount of disk space you will need on the machine running the CloudScan Controller, use the following equation: (number of jobs per day) (average size of mobile build session) (number of days data is persisted) 100MB is a conservative estimate for the average size of the mobile build session. Seven days is the default for the number of days the data is persisted. CloudScan Cloud The CloudScan Cloud is created using the Cloudera CDH3u0 release of the Apache Hadoop distribution. Your Cloudera Hadoop cluster will require at least two machines. For information on creating your Hadoop network: https://ccp.cloudera.com/display/doc/documentation Notes: 64-bit nodes with 8GB+ RAM is recommended. The Hadoop slave nodes require installation of SCA. The official range of supported platforms for Cloudera includes Linux distributions not officially supported by SCA. However, there are no known SCA issues on these additional Linux variants. The size and resource requirements of HP Fortify jobs running in this cluster are not typical. Leveraging an existing Hadoop cluster might adversely affect the performance of other jobs running on the system. Create a separate Cloudera Apache Hadoop cluster to use with CloudScan. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 10

Documentation The HP Fortify CloudScan Installation, Configuration, and Usage Guide applies to HP Fortify CloudScan. This guide is available in both PDF (HP_Fortify_CloudScan_Guide_3.70.pdf) and html (HP Fortify CloudScan Help) formats. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 11

Hardware Requirements HP Fortify Runtime Requirements HP Fortify Runtime is a single install image for each platform (Windows 32-bit.NET, Windows 64-bit.NET, Windows Java, and Linux Java) which includes HP Fortify Runtime Application Protection, HP Fortify Runtime Application Logging, and HP Fortify SecurityScope. HP Fortify Software recommends that you install HP Fortify Runtime on a high-end processor or equivalent with at least 1 GB of RAM and 100 MB of available hard disk space for the software. The installation also requires at least 60 MB of available space in the temp directory. Note: With this release, two HP Fortify Runtime products have been renamed, as follows: HP Fortify Real-Time Analyzer (also called RTA) is now HP Fortify Runtime Application Protection AppSM is now HP Fortify Runtime Application Logging Supported Java Runtime Environments Runtime supports the following Java runtime environments: JRE Type Major Versions IBM J9 1.4.2, 1.5.0, 1.6.0 Oracle HotSpot 1.4.2, 1.5.0, 1.6.0 Oracle JRockit 1.4.2, 1.5.0, 1.6.0 Runtime for Java is supported on Windows and Linux. Supported Java Application Servers Runtime supports the following Java application servers: Application Server Versions RedHat JBoss 4.0, 5.0, 5.1, 6.0 Apache Tomcat 5.0, 5.5, 6.0, 7.0 Oracle WebLogic 8.1, 9.0, 9.2, 10.0, 10.3, 11g, 11gR1 IBM WebSphere 6.0, 6.1, 7.0 Supported.NET Runtime Environments Runtime supports the following.net runtime environments: Operating System CLR Architectures CLR.NET Versions Windows XP 32-bit 2.0, 3.0, 3.5, 4.0 Windows Server 2003 32-bit, 64-bit 2.0, 3.0, 3.5, 4.0 Windows Server 2008 32-bit, 64-bit 2.0, 3.0, 3.5, 4.0 Windows Server 2008 R2 64-bit 2.0, 3.0, 3.5, 4.0 Windows 7 32-bit, 64-bit 2.0, 3.0, 3.5, 4.0 MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 12

Supported.NET Application Server Runtime supports the following.net application server: Application Server Versions IIS 5.1, 6, 7, 7.5 Documentation The following documentation applies to HP Fortify Runtime: Document Name PDF HTML Help HP Fortify Runtime Application Protection Operator Guide HP Fortify Runtime Application Protection: Java Edition Installation and Configuration Guide HP Fortify Runtime Application Protection:.NET Edition Installation and Configuration Guide HP Fortify Runtime Application Logging: Java Edition Installation and Configuration Guide HP Fortify Runtime Application Logging:.NET Edition Installation and Configuration Guide HP Fortify Runtime: Java Edition Designer Guide HP Fortify Runtime:.NET Edition Designer Guide HP Fortify RTA Rulepack Guide HP Fortify Runtime AppSM Rulepack Guide HP Fortify SecurityScope Taint Rulepack Guide HP Fortify Runtime Hybrid Analysis User Guide HP_Fortify_RuntimeAppProtect_Oper ator_guide_3.70.pdf HP_Fortify_RuntimeAppProtect_Java_ Install_and_Config_Guide_3.70.pdf HP_Fortify_RuntimeAppProtect_DOT NET_Install_and_Config_Guide_3.70.p df HP_Fortify_RuntimeAppLog_Java_Ins tallation_and_config_guide_3.70.pdf HP_Fortify_RuntimeAppLog_DOTNET _Installation_and_Config_Guide_3.70. pdf HP_Fortify_Runtime_Java_Designer_G uide_3.70.pdf HP_Fortify_Runtime_DOTNET_Design er_guide_3.70.pdf HP_Fortify_RTA_Rulepack_Guide_3.7 0.pdf HP_Fortify_AppSM_Rulepack_Guide_ 3.70.pdf HP_Fortify_SecurityScope_Taint_Rule pack_guide_3.70.pdf HP_Fortify_Hybrid_Analysis_User_Gui de_3.70.pdf HP Fortify v3.70 Runtime Operator Guide Help HP Fortify v3.70 Runtime Java Install & Config Help HP Fortify v3.70 Runtime DOTNET Install & Config Help HP Fortify v3.70 Runtime Java Install & Config Help HP Fortify v3.70 Runtime DOTNET Install & Config Help MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 13

Summary HP Fortify 3.70 Compatibility Matrix This section provides compatibility information for HP Fortify Software Security Center and components. HP Fortify Software Security Center 3.70 HP Fortify Software Security Center works with the following component versions: Component Versions Audit Workbench 2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70 Secure Coding Plug-in 2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70 HP Fortify Client 2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70 HP Fortify Runtime Application Protection HP Fortify Runtime 3.70 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60 Process Designer 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70 JDeveloper Plug-in 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70 Visual Studio 2010 Remediation Plug-in 3.40, 3.50, 3.60, 3.70 IntelliJ Remediation Plug-in 3.50, 3.60, 3.70 HP Fortify SecurityScope 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70 HP WebInspect 8.0, 8.10, 9.00, 9.10, 9.20, 9.30 HP AMP 9.10, 9.20, 9.30 FPR Compatibility Later versions of HP Fortify products can open and read FPR files generated by earlier versions of HP Fortify products. For example, Audit Workbench 3.20 can read 2.1 FPR files. Earlier versions of HP Fortify products cannot open and read FPR files generated by later versions of HP Fortify products. For example, Audit Workbench 2.1 cannot read 3.20 FPR files. FPR versions are determined as follows: The version of an FPR is the same as the version of the analyzer that initially generates it. For example, an FPR generated by SCA 2.1 will be version 2.1. If two FPRs are merged, the resulting FPR has the version of the later one. For example, if a 2.1 and a 2.5 FPR are merged, the resulting FPR will be version 2.5. Caution: HP Fortify Software Security Center keeps a project file FPR that contains the latest scan results and audit information for each project. Audit Workbench and the Secure Coding Plug-ins also use this project file for collaborative auditing. Each time an FPR is uploaded to HP Fortify Software Security Center, it is merged with the project file. If the FPR has a later version number than the project file, the project file s version will change to match the FPR. In order for Audit Workbench and the Secure Coding Plug-ins to work with the updated FPR, they must be at least the same version as the FPR. For example, Audit Workbench 2.0 cannot read a 2.5 FPR. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 14

Seed Bundle HP Fortify Software Security Center 3.70 supports seed bundle 3.70. Process Templates HP Fortify Software Security Center 3.70 supports the following process templates: Process Templates 2.0, 2.1, 2.5, 2.6, 2.6.1, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, and 3.70 (If you have older versions of Process Templates, you might need to open them in 3.70 Process Designer first and make appropriate changes before they can be accepted by HP Fortify Software Security Center 3.70.) Runtime Configuration Bundle and Template HP Fortify Software Security Center 3.70 supports Runtime Configuration Bundle and Template 3.70. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 15

Acquiring HP Fortify Software HP Fortify Software is available on DVD or as an electronic download. You must have a SAID access account number in order to download HP Fortify Software from the HP Software Support Online site. Table 1 lists the available packages and describes their contents. Table 1: Packages File Name Software_HP_Fortify_3.70_Eng_SW_Media_TF3 02-15079.iso Software_HP_Fortify_3.70_Eng_SW_Media_TF3 02-15079.iso.sig Software_HP_Fortify_3.70_Linux_Unix_Mac_TF 302-15080.iso Software_HP_Fortify_3.70_Linux_Unix_Mac_TF 302-15080.iso.sig HP_Fortify_Scan_Wizard_3.70_Windows_TF30 2-15091.zip HP_Fortify_Scan_Wizard_3.70_Windows_TF30 2-15091.zip.sig HP_Fortify_Scan_Wizard_3.70_MacOSX_TF302-15090.tar.gz HP_Fortify_Scan_Wizard_3.70_MacOSX_TF302-15090.tar.gz.sig HP_Fortify_Scan_Wizard_3.70_Linux_TF302-15089.tar.gz HP_Fortify_Scan_Wizard_3.70_Linux_TF302-15089.tar.gz.sig HP_Fortify_SSC_Demo_Suite_3.70_Windows_ x86_tf302-15095.zip HP_Fortify_SSC_Demo_Suite_3.70_Windows_ x86_tf302-15095.zip.sig HP_Fortify_SSC_Demo_Suite_3.70_Windows_ x64_tf302-15094.zip HP_Fortify_SSC_Demo_Suite_3.70_Windows_ x64_tf302-15094.zip.sig HP_Fortify_SSC_Demo_Suite_3.70_Unix_TF302-15093.tar.gz HP_Fortify_SSC_Demo_Suite_3.70_Unix_TF302-15093.tar.gz.sig HP_Fortify_SSC_Server_3.70_TF302-15096.zip Description Disc image of the entire Software Security Center product line. After downloading, you will need to either mount the ISO image or burn it to a DVD before installation. For Windows operating systems. Signature file for the Software Security Center product line ISO for Windows. Disc image of the entire Software Security Center product line. After downloading, you will need to either mount the ISO image or burn it to a DVD before installation. For Linux, Unix, and Macintosh operating systems. Signature File for the Software Security Center product line ISO for Linux, Unix, and Macintosh operating systems. HP Fortify Scan Wizard for Windows. Signature file for HP Fortify Scan Wizard for Windows. HP Fortify Scan Wizard for Mac OS X. Signature file for HP Fortify Scan Wizard for Mac OS X. HP Fortify Scan Wizard for Linux. Signature file for HP Fortify Scan Wizard for Linux. HP Fortify Demo Suite for Windows (x86) Signature file for HP Fortify Demo Suite for Windows (x86) HP Fortify Demo Suite for Windows (x64) Signature file for HP Fortify Demo Suite for Windows (x64) HP Fortify Demo Suite for Unix Signature file for HP Fortify Demo Suite for Unix HP Fortify Software Security Center MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 16

File Name HP_Fortify_SSC_Server_3.70_TF302-15096.zip.sig HP_Fortify_CloudScan_Controller_3.70_TF302-15081.zip HP_Fortify_CloudScan_Controller_3.70_TF302-15081.zip.sig HP_Fortify_Runtime_3.70_TF302-15082.exe HP_Fortify_Runtime_3.70_TF302-15082.exe.sig HP_Fortify_SCA_and_Apps_3.70_Windows_TF3 02-15088.zip HP_Fortify_SCA_and_Apps_3.70_Windows_ TF302-15088.zip.sig HP_Fortify_SCA_and_Apps_3.70_Mac_TF302-15087.tar.gz HP_Fortify_SCA_and_Apps_3.70_Mac_TF302-15087.tar.gz.sig HP_Fortify_SCA_and_Apps_3.70_Linux_TF302-15086.tar.gz Description Signature file for HP Fortify Software Security Center HP Fortify CloudScan Controller Signature file for HP Fortify CloudScan Controller HP Fortify Runtime Signature file for HP Fortify Runtime The HP Fortify SCA and Apps package for Windows includes: Static Code Analyzer Audit Workbench HP Fortify SCA plug-in for Eclipse HP Fortify SCA plug-in for Visual Studio 2003 HP Fortify SCA plug-in for Visual Studio 2005 HP Fortify SCA plug-in for Visual Studio 2008 HP Fortify SCA plug-in for Visual Studio 2010 HP Fortify SCA plug-in for Visual Studio 2010 Remediation Note: The plug-ins for IntelliJ and Jdeveloper are available only on DVD and as part of the ISO. Signature files for the HP Fortify SCA and Apps package for Windows The HP Fortify SCA and Apps package for Macintosh includes: Static Code Analyzer Audit Workbench HP Fortify SCA plug-in for Eclipse HP Fortify SCA plug-in for Visual Studio 2003 HP Fortify SCA plug-in for Visual Studio 2005 HP Fortify SCA plug-in for Visual Studio 2008 HP Fortify SCA plug-in for Visual Studio 2010 HP Fortify SCA plug-in for Visual Studio 2010 Remediation Note: The plug-ins for IntelliJ and Jdeveloper are available only on DVD and as part of the ISO. Signature file for the HP Fortify SCA and Apps package for Macintosh The HP Fortify SCA and Apps package for Linux includes: Static Code Analyzer Audit Workbench HP Fortify SCA plug-in for Eclipse MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 17

File Name HP_Fortify_SCA_and_Apps_3.70_Linux_TF302-15086.tar.gz.sig HP_Fortify_SCA_3.70_HPUX_TF302-15084.tar.gz HP_Fortify_SCA_3.70_HPUX_TF302-15084.tar.gz.sig HP_Fortify_SCA_3.70_Solaris_TF302-15085.tar.gz HP_Fortify_SCA_3.70_Solaris_TF302-15085.tar.gz.sig Description HP Fortify SCA plug-in for Visual Studio 2003 HP Fortify SCA plug-in for Visual Studio 2005 HP Fortify SCA plug-in for Visual Studio 2008 HP Fortify SCA plug-in for Visual Studio 2010 HP Fortify SCA plug-in for Visual Studio 2010 Remediation Note: The plug-ins for IntelliJ and Jdeveloper are available only on DVD and as part of the ISO. Signature file for the HP Fortify SCA and Apps package for Linux HP Fortify SCA for HPUX Signature file for HP Fortify SCA for HPUX HP Fortify SCA for Solaris Signature file for HP Fortify SCA for Solaris Downloading the Software To download HP Fortify Software from the HP Software Support Online site: 1. Navigate to https://support.openview.hp.com. 2. Click the Downloads tab to enter the software downloads section. 3. Click Login, and then sign in using your HP Passport credentials. Note: If you do not have an HP Passport, click the New users please register link. The Downloads screen appears. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 18

4. Click the Software Updates link. 5. The Software updates screen appears. 6. Click My Updates. The My software updates screen appears. If you do not have SAID access for HP Fortify products associated with your HP Passport, you must select the Directly enter an SAID option, and then type in your HP Fortify SAID account number. 7. Select the terms and conditions check box, and then click View available products. The My software updates product list page appears. 8. Expand the Application Security Center product node to see the list of Application Security Center product names. 9. From the Product name box select the version of the HP Fortify English Software E-Media software you want. For information about the available packages, see Table 1: Packages on page 16. 10. From the Downloads box, select the package you want to download. 11. Click Download Directly or Use HP Download Manager. Note: If your organization requires that you verify the download, you must also download the like-named signature file. For example, if you download the HP_Fortify_3.70_Eng_SW_Media_TF302-15079.iso file, you will also need to download the associated signature file, HP_Fortify_3.70_Eng_SW_Media_TF302-15079.iso.sig. In rare cases, the signature file you download has the wrong extension (either.zip or.gz). If this case, change the final extension to.sig. Verifying Software Downloads The following instructions walk you through the process of verifying the HP Fortify package you acquired from the Downloads section of the HP Software Support Online site (http://support.openview.hp.com). Successful verification ensures that the package has not been altered since it was signed by HP and posted to the site. Before proceeding with the verification process, download the HP Fortify product files and their associated signature (*.sig) files. You are not required to verify the package to use the software, but your organization may require it for security reasons. Preparing Your System for Electronic Media Verification 1. Download and install version 1.4.x or 2.0.x of GnuPG: http://www.gnupg.org/download/. 2. Generate a private key, as follows. a. Run the following command. On a Windows system, run the command without the '$' prompt. $ gpg --gen-key b. When prompted for key type, select DSA and Elgamal. c. When prompted for a key size, select 2048. d. When prompted for the length of time the key should be valid, select key does not expire. e. Answer the user identification questions and provide a passphrase to protect your private key. 3. Use the instructions provided on the following linked page to create an HP public key file named hppublickey.pub : https://h20392.www2.hp.com/portal/swdepot/displayproductinfo.do?productnumber=hplinuxco designing&jumpid=reg_r1002_usen 4. Import the HP public key into GnuPG, as follows: a. Move the hppublickey.pub file to the GNU installation directory. b. Navigate to the GNU installation directory. c. Run gpg --import hppublickey.pub MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 19

Verify that the Signature File Matches the Downloaded Software Package To verify that the signature file matches the downloaded software package: 1. Navigate to the directory where you stored the downloaded package and signature file. 2. On Windows machines, run the following command: gpg --verify <Signature_File_Name> <Downloaded_File_Name> On Unix/Linux, run: gpg -verify <Signature_File_Name> <Downloaded_File_Name> 3. Examine the output to insure you receive verification that the software you downloaded has been signed by HP and has not been altered. Your output should include something like the following: c:.sig HP.Fortify_3.SEng_SW.Media_TF302-15039.iso \Users\username\<downloadDirectory>gpg --uerif HPFortify_3.5Eng_SWJ1edia_TF3O2-15039.iso gpg: Signature made 04/18/12 15:05:36 Pacific Daylight Time using DSA key ID 2689BB87 gpg: Good signature from Hewlett-Packard Company(HP Codesigning Service) gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: FB41 0E68 CEDF 95D0 6681 1E95 527B CS3A 2689 B887 Note: The warning message appears because the HP public key is not known to the system. You can ignore this warning or set up your environment to identify the HP public key as a trusted signature. For more information on downloading, verifying, and installing HP Fortify Software, see "Acquiring HP Fortify Software" on page 21. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 20

The ISO Download If you choose to download an ISO file of the entire suite, you will need to either burn the ISO to a DVD or mount the ISO file prior to installing the software. To burn the ISO file to a DVD: Windows Unix/Linux Mac OS X Windows 7 natively supports burning an ISO to a DVD. 1. Put a writable DVD disc in your writable DVD drive. 2. Navigate to the ISO file that you downloaded. 3. Right-click the file name. 4. Select Burn disc image from the menu. The Windows Disc Image Burner window appears. 5. Select the writable DVD drive for your system. 6. (Optional) Select the Verify disc after burning box. 7. Click Burn. Note: Windows versions earlier than Windows 7 do not natively support burning an ISO file to a DVD. You must acquire software that supports burning an ISO to disc. The following instructions are general command-line instructions; your distribution might require alterations to these steps. 1. Put a writable DVD disc in your writable DVD drive. 2. To find the path to your disc drive, type: wodim devices, and then press Enter. 3. Burn the ISO file to disc by typing: wodim dev=/dev/cdrw v data <downloaded_iso_file>. iso, replacing /dev/cdrw with the path to your disc drive. 4. Press Enter. Note: You can also burn an ISO file using software included with a GUI shell. 1. Insert a blank DVD into the drive. 2. Run Disk Utility. 3. From the File menu, select Open Disk Image, and then select the ISO to be burned. 4. From the list of volumes, select the item that represents the ISO file. 5. Click Burn, and then follow the instructions. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 21

To mount the ISO file: Windows Linux / Unix Mac OS X If you choose not to burn the ISO image to a disc, you can mount the ISO on your hard drive and run the installation from there. Windows does not include native support for mounting ISO files. You must use a third-party application if you choose to mount the ISO file to a directory in Windows rather than burning it to disc. The following instructions are general command-line instructions; your distribution might require alterations to these steps. 1. Open a terminal in Linux. 2. Become root or an administrator user. 3. Create a mount point for the ISO file: mkdir/media/<folder_name_for_mount_ point> 4. Navigate to the directory you just created. 5. Type: mount o loop file.iso /media/<folder_name_for_mount_point> 6. Type Enter. 1. Run Disk Utility. 2. From the Disk Utility menu, select Open Image File. 3. Select the HP Fortify ISO file. The ISO file appears on the Mac OS desktop. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 22

HP Fortify Assistive Technologies (Section 508) In accordance with section 508 of the Rehabilitation Act, HP Fortify Software Security Center and HP Fortify Audit Workbench have been engineered to work with the JAWS screen reading software package from Freedom Scientific. JAWS provides text-to-speech support for use by the visually impaired. With JAWS, labels, text boxes, and other textual components can be read aloud, providing greater access to these technologies. Using JAWS with HP Fortify Products When using JAWS to generate text-to-speech translations of the text in Audit Workbench or Software Security Center's graphical user interface, there are a number of keyboard combinations that will help you get the most out of the interaction. The following table provides a list of useful keyboard commands. Note: For best results, run JAWS before launching your browser and logging on to your HP Fortify program. JAWS Keyboard Combinations The following table lists keyboard combinations that will help you use JAWS with HP Fortify products. For more information about using JAWS, see the JAWS documentation. To do this To read values in combo boxes. Tab through multi-line text boxes. Read multi-line labels. Read disabled (grayed-out) items. Read disabled check boxes. Enable table headings to be read. Press Insert + F2. Switch between pods or panels. Return focus to the application (JAWS is reading the web browser application rather than the content of the browser). Use this keyboard combination Press Ctrl + down arrow key to turn on Form mode, or press Enter. Press Ctrl + Tab to move from one multiline text box to another. Press Insert + down arrow to read all lines in label. Press Insert + B or Insert + down arrow. Press ESC to leave Forms mode and enter Virtual Cursor mode. The Run JAWS Manager dialog box appears. Click OK. Hold down CTRL + F7 while you select a different pane. Press CTRL + R to refresh the display. Note that when you refresh the display, your session is aborted and any data you have typed onto the page is lost. For more information or assistance, please visit HP Accessibility at: http://www.hp.com/accessibility. MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 23