Static Application Security Testing (SAST) with Fortify

Vidya, Globant
Published Jul 21, 2021

Introduction

IT systems run on software that may harbor weaknesses that attackers can use to gain access to the system. A comprehensive security vulnerability assessment plan ensures that these threats are found and eliminated before application development reaches its final stages.

Apart from stealing sensitive company data, attackers can also modify the source code and have the system do their work for them. Cases of identity theft begin with a security weakness that gives attackers an entry point into an individual's mobile device or an organization's system.

There are different categories of security analysis that can be carried out along the software development life cycle. The following picture shows some of the typical checks and the tools that can be integrated at each stage.

Static application security testing (SAST) ensures that application binaries, source code and bytecode are analyzed safely and systematically outside the production environment, so that vulnerabilities can be eliminated early.

Micro Focus Fortify is one such tool; it helps eliminate these vulnerabilities and build secure software. Fortify is made up of several smaller applications that serve the specific requirements of your project.

In this article we cover the Micro Focus Fortify Scan Wizard, a tool that quickly prepares a script you can use to scan your code with Fortify Static Code Analyzer and, optionally, upload the results directly to Fortify Software Security Center.

This article covers the following points:

  1. Prerequisites
  2. Steps to generate a SAST scan
  3. Sample issues identified
  4. False positives
  5. Alternative Tools
  6. Conclusion

Prerequisites

  1. JRE
  2. A license for Micro Focus Fortify Static Code Analyzer. You can check the available products and license details here: Products. Type "fortify" in the search box and it will list all Fortify-related products and explain how to obtain a license.
  3. The Fortify SCA (Static Code Analyzer) installer. Fortify Static Code Analyzer and Applications are available as a downloadable application or package.

  • For details on hardware and software requirements, see System Requirements.
  • For installation details, see the installation section of the Guide.
  • Note: it can be installed on Linux, Windows and macOS. In this article we use Windows.

Steps to generate a SAST scan:

  1. In this example we use WebGoat, a deliberately insecure application that lets developers test the vulnerabilities commonly found in Java-based applications that use popular open source components. Source code: https://github.com/WebGoat/WebGoat. Download the project code and unzip it into a folder.

  2. Start the Fortify Scan Wizard. On Windows, select Start > All Programs > Fortify SCA and Applications > Scan Wizard. For other operating systems, see Starting the Fortify Scan Wizard.

  3. Add the project folder in the Scan Wizard window.

  4. Review source files. The wizard identifies all the dependencies in your application on its own; you can also include or exclude dependencies and versions manually. The left side of the Scan Wizard window explains each step as you move through it.

  5. Software Security Center (SSC) is optional. It is used when a project has multiple applications and the security team and development team need to work together; if you do not have SSC, skip to step 6. Otherwise, provide the SSC URL and log in to SSC. It will issue an upload token; your code is scanned against that token and the result is uploaded to SSC, where it is available to the security team for compliance checks.

  6. Click Next and move through the remaining screens; the wizard generates a .bat file at the location you specify.

  7. Run the .bat file.

  8. The .bat file generates a scan.fpr file locally, which can be converted to PDF with Audit Workbench. Audit Workbench is installed on your system along with the SCA installer.

If SSC is configured, the script scans and uploads the result, which becomes visible on the SSC dashboard. Once the scan is complete, you can download the scan.fpr file, convert it to PDF and share it with the respective teams.
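As an added example (not the wizard's own output and not WebGoat's code), the batch file below does by hand what the generated .bat from steps 6 to 8 does, with the optional SSC upload from step 5. The paths, build ID and SSC variables are assumptions; the sourceanalyzer, ReportGenerator and fortifyclient options used are standard Fortify SCA command-line options.

```batch
@echo off
REM Added example, not the Scan Wizard's generated script: translate, scan, report
REM and optionally upload a WebGoat checkout with Fortify SCA.
REM Assumptions: the Fortify bin directory is on PATH, WebGoat was unzipped to
REM C:\work\WebGoat, and its dependency jars were copied to C:\work\WebGoat\lib.
setlocal

set BUILD_ID=webgoat
set SRC_DIR=C:\work\WebGoat
set FPR=%SRC_DIR%\scan.fpr

REM 1. Remove any earlier translation stored under this build ID.
sourceanalyzer -b %BUILD_ID% -clean
if errorlevel 1 exit /b 1

REM 2. Translate the Java sources with their dependencies on the classpath
REM    (this is the list the wizard's "Review Source Files" step collects).
sourceanalyzer -b %BUILD_ID% -cp "%SRC_DIR%\lib\*.jar" "%SRC_DIR%\**\*.java"
if errorlevel 1 exit /b 1

REM 3. Analyze the translated code and write scan.fpr.
sourceanalyzer -b %BUILD_ID% -scan -f "%FPR%"
if errorlevel 1 exit /b 1

REM 4. Produce the PDF that the article otherwise exports from Audit Workbench.
ReportGenerator -format pdf -f "%SRC_DIR%\scan.pdf" -source "%FPR%"

REM 5. Optional SSC upload, only when an SSC URL and token are set in the
REM    environment (keeping the token out of the script itself).
if defined SSC_URL (
  fortifyclient -url %SSC_URL% -authtoken %SSC_AUTH_TOKEN% uploadFPR -file "%FPR%" ^
    -application WebGoat -applicationVersion WEBGOAT_VERSION_PLACEHOLDER
)

endlocal
```

Run it from a Fortify SCA command prompt; the scan.fpr it writes opens in Audit Workbench exactly like the wizard's, so the false-positive triage described below applies unchanged.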

Sample issues identified

Critical:

  1. CWE ID 079
  2. CWE ID 200

High:

  1. CWE ID 287
  2. CWE ID 022

False positives:

One weakness of SAST is the prevalence of false positives. Teams need to triage and validate each candidate security bug to confirm that it is not a false positive. In the case of Fortify, the Audit Workbench tool (AWB) is used to remove these false positives. Open scan.fpr in Audit Workbench and locate the details for a particular issue. Within its Summary tab, set the Analysis field to "Not An Issue" (i.e. "this is a false positive"). Other options are available, including Reliability Issue, Bad Practice, Suspicious and Exploitable. This process of marking up the issues is called "auditing the results"; it lets your team prioritize and verify the issues found by the automated tool. Essentially, it is your opportunity to "trust, but verify". When the same issues reappear in subsequent scans, this Analysis setting is carried over.

Fortify alternative tools:

  1. Coverity
  2. Checkmarx
  3. Veracode

Conclusion:

Since SAST identifies issues very early in the development cycle, it has become an integral part of the software development life cycle. Another advantage of SAST is that it is easy to implement and adopt. Many other tools are available on the market, as listed above. We can safely say that SAST will remain in use for the foreseeable future.
