![FILTER SET
• Filter set is used to differentiate high , medium and low priority issues.
• By Default fortify enables two filters for viewing the issues 1)Quick View 2)Security
Audit View.
• Quick View -> 1.Hide Issue if impact is not in range [2.5,5.0]
2.Hide Issue if Likelihood is not in range [1,5]
• Security Audit View -> Show every issue based on category specified.
• We can add our customized filter set](https://image.slidesharecdn.com/hp-fortifysca-160921053251/85/Hp-fortify-source-code-analyzer-sca-11-320.jpg)
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to Hp fortify source code analyzer(sca) (20)
Ad
Recently uploaded (20)
![Get & Download Wondershare Filmora Crack Latest [2025]](https://cdn.slidesharecdn.com/ss_thumbnails/revolutionizingresidentialwi-fi-250422112639-60fb726f-250429170801-59e1b240-thumbnail.jpg?width=560&fit=bounds)
Hp fortify source code analyzer(sca)
- 1. HP-FORTIFY SCA Source Code Analyzer
- 2. CONTENTS • Use of it. • System Specifications. • Installation. • How it works. • Report generation.
- 3. USE OF FORTIFY • HPE Security Fortify Static Code Analyzer (SCA) is used by development groups and security professionals to analyze the source code of an application for security issues. • It identifies root causes of software security vulnerabilities. • It supports Java, .Net , Action script ,ABAP, Coldfusion,Ruby,Python,Php languages. • There are various types of filter sets ,based on it we can generate report. • There are 7 kingdoms associated with securtity defects in source code ,based on those kingdoms it generates the security issues. • Input Validation, API abuse, Security Features , Time and state ,Errors, Code Quality and Encapsulation.
- 4. SYSTEM SPECIFICATION Size (LOC) <100k 100k to 500k 500k to 1M 1M+ Java 32- bit machine 2GB RAM 32-bit machine 4GB RAM 64- bit machine 8GB RAM 64-bit machine 16GB RAM .Net 32- bit machine 2GB RAM 32- bit machine 2GB RAM 64- bit machine 8GB RAM 64-bit machine 16GB RAM C/C++ 32- bit machine 2GB RAM 64-bit machine 16GB RAM 64-bit machine 16GB RAM 64-bit machine 16GB RAM
- 5. SYSTEM SPECIFICATION Application Complexity CPU Cores RAM Average Scan time Notes Simple 2 4 GB 0.5 hours A system that runs on a server or desktop in a standalone manner like a Batch job or a command line utility Medium 4 16 GB 4 hours A standalone system, which works with Complex computer models like a tax Calculation system or a scheduling system Complex 8 64 GB 2 days A three tiered business system with transactional data processing like a Financial system or a commercial website Very Complex 16 256 GB 4 days A application like a cms.
- 6. INSTALLATION It is supported in windows and linux .Make sure you have jre installed. Windows :- 1.Extract the iso and install the HP_Fortify_SCA_and_Apps_16.11.exe 2.During installation , in the update security configuration module give server url as https://update.fortify.com 3.Give the path of license file fortify.license when prompted. 4.In the plugin dialgox box ,check java ide and visual studio .net plugins. 5.After Installation, fortify is ready to use in Graphical and CLI Mode.
- 7. INSTALLATION …. Linux Installation : 1.Download the fortify.xx.xx.tar.gz package from hp website. 2.Extract it and run the installation file. 3.While prompt give the fortify.license key for license version and https://update.fortify.com for security configuration update. 4.After installation is done, Open the terminal and type sourceanalyzer to run fortify sca.
- 8. TIPS FOR HIGH PERFORMANCE • Better Use SSD Disk for faster performance. • Increase Heap Size by <SCA Install Directory>Coreconfigfortify-sca.properties Forexample com.fortify.sca.RmiWorkerMaxHeap=1G • In Scan option use the options –Xmx=1G and –j 4 (where enables the parallel processing 4 is the no.of cores we want assign) • Increase the session file size <SCA Install Directory>Coreconfigfortify- sca.properties Forexample com.fortify.sca.IncrementFileMaxSizeMB=1024 or 1G
- 9. HOW IT WORKS • It starts with a Command mode and Gui mode . • For small file size we use gui . • Start->Audit WorkBench->New Project->Locate the source code->Configure the rules- >For java projects (select framework version). • We can remove the third party plugin codes for faster output. • Give the path to output file(Ex.sampleoutput.fpr) • At one point we can see one dialog box where it shows translation phase and scan phase. • At this we can give commands for log storage for separate phases, and commands to increase the performance of tool (-Xmx,-Xss)
- 10. REPORT GENERATION • After Completion we can see .fpr file opened in Audit workbench. • There are different types of templates 1)Owasp Top 10 2013 2)Sans top 25 3)Pci-Dss 4)Owasp Top 10 Mobile 5)Developer WorkBook etc. • Developer Workbook shows you the detailed report with every instance reported. • You can customize the report template by adding workbook and owasp top 10 categories. • After selecting the template click on generate report.
- 11. FILTER SET • Filter set is used to differentiate high , medium and low priority issues. • By Default fortify enables two filters for viewing the issues 1)Quick View 2)Security Audit View. • Quick View -> 1.Hide Issue if impact is not in range [2.5,5.0] 2.Hide Issue if Likelihood is not in range [1,5] • Security Audit View -> Show every issue based on category specified. • We can add our customized filter set
- 12. COMMAND SET • Scan : sourceanalyzer –b <buildid> -scan –f results.fpr sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile scan.log -scan -f Results.fpr -html-report Parallel Processing : -j 4 (4 no.of cores) -Xmx heap size, -Xss Stack size