
HP Fortify on Demand

FortifyMyApp.com User Guide


Document Release Date: June 2013
Software Release Date: June 2013





FortifyMyApp User Guide 2

Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
This is confidential computer software. A valid license from HP is required for possession, use, or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation,
and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
Copyright Notice
Copyright 2013 Hewlett-Packard Development Company, L.P.
Documentation Updates
The title page of this document contains the following identifying information:
Software Version Number, which indicates the software version
Document Release Date, which changes each time the document is updated
Software Release Date, which indicates the release date of this version of the software
Part number: 1-1131-2013-06-000-01



Preface
This guide describes how to use the HP Fortify on Demand application called FortifyMyApp.com.
Contacting HP Fortify
If you have questions or comments about any part of this guide, contact HP Fortify in one of the following
ways.
Technical Support
support@fortifyondemand.com
To Submit Feedback about FortifyMyApp.com
fodsales@hp.com
Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600
Website
For Fortify on Demand:
www.hp.com/go/fortifyondemand
For HP Enterprise Software:
http://www8.hp.com/us/en/software/enterprise-software.html



Contents
Legal Notices (p. 2)
  Warranty (p. 2)
  Restricted Rights Legend (p. 2)
  Copyright Notice (p. 2)
Documentation Updates (p. 2)
Preface (p. 3)
  Contacting HP Fortify (p. 3)
    Technical Support (p. 3)
    To Submit Feedback about FortifyMyApp.com (p. 3)
    Corporate Headquarters (p. 3)
    Website (p. 3)
Contents (p. 4)
Chapter 1: Overview of HP Fortify on Demand (p. 6)
  About HP Fortify on Demand Services (p. 6)
    About Testing (p. 6)
    About Results (p. 6)
  About the HP Fortify Security Rating System (p. 6)
    About the HP Fortify Five-Star Assessment Rating (p. 6)
    About Likelihood and Impact (p. 7)
  About Fortify Priority Order (p. 7)
    Critical (p. 7)
    High (p. 7)
    Medium (p. 8)
    Low (p. 8)
    Best Practices (p. 8)
    Info (p. 8)
  About HP Fortify Terminology (p. 8)
Chapter 2: Getting Started with FortifyMyApp (p. 9)
  About Logging on to FortifyMyApp (p. 9)
    About Logging on to FortifyMyApp Directly (p. 9)
    About Logging on through LinkedIn (p. 9)
  Sample Scan (p. 11)
  Managing Your Assessments (p. 11)
    Beginning a New Assessment (p. 11)
Chapter 3: Preparing Files for Upload (p. 13)
  About HP Fortify on Demand File Categories (p. 13)
    About Analysis Files (p. 13)
    About Source Code Files (p. 13)
  About Preparing Java Application Files (p. 14)
    Preparing Analysis Files (Required) (p. 14)
    Preparing Source Code Files (Optional, but recommended) (p. 14)
    Reviewing Files before Clicking Submit (p. 14)
  Preparing .NET Application Files (p. 15)
    Preparing Analysis and Source Files (p. 15)
  Uploading Files to FortifyMyApp for Assessment (p. 16)
Chapter 4: Results (p. 18)
  About Checking the Status of your Assessment (p. 18)
    About When Your Assessment is Complete (p. 18)
  About Reports (p. 18)
    Issues by Priority (p. 18)
    About Types of Issues (p. 19)
Chapter 5: General Information (p. 21)
  Frequently Asked Questions (p. 21)
  About Your Account (p. 21)
    Accessing Personal Information (p. 21)
    About Changing Formatting (p. 21)
    About the Scan Summary (p. 21)
  Logging Out (p. 21)



Chapter 1: Overview of HP Fortify on Demand
HP Fortify on Demand (FoD) is a Software-as-a-Service solution enabling organizations to test the security of
software quickly, accurately, and affordably, without the necessity of installing software.
FoD is available for both static and dynamic assessments, and there are multiple options within each of those
categories. You may purchase individual assessments or a one-year subscription for unlimited assessments of
a particular application. You can upload files and initiate an assessment of your code for a static assessment;
or, if you have purchased a dynamic assessment, you can test your URL.
In some cases, your assessment may even be free. If your application qualifies for submission to
FortifyMyApp.com, you can receive up to five free assessments per month.
Note that, currently, only static scans are available free through FortifyMyApp. Also, to qualify for a free
FortifyMyApp scan, your application must be no more than 75 MB, and produced in Java or .Net format.
About HP Fortify on Demand Services
About Testing
Our expert team has created an automatic scanning process that will conduct an audit of your application for
security vulnerabilities. You provide FortifyMyApp with the analysis files and source code and Fortify
performs automatic testing.
About Results
Efficient, Easy-to-Grasp Reporting: We deliver the results of our assessments in a set of simple charts that
feature a consistent five-star rating system and organize vulnerabilities by type and by priority.
You will receive these results in one to three business days.
About the HP Fortify Security Rating System
Fortify on Demand, like all HP Fortify products, is designed to provide useful information about the
vulnerability of your applications. To ensure that the results we give you are consistent, understandable, and
actionable we have developed a set of reporting conventions, described below.
About the HP Fortify Five-Star Assessment Rating
The HP Fortify five-star assessment rating provides information on the likelihood and impact of defects
present within an application. A perfect rating within this system would be five complete stars, indicating that
no high-impact vulnerabilities were discovered.


1. Fortify awards one star to projects that undergo a Fortify security review, which analyzes an
application (also known as a project) for a variety of software security vulnerabilities. A rating of one
star means the application has critical vulnerabilities. Any application that gets scanned
automatically gets at least one star.
2. Applications receive two stars if the security review identifies no vulnerabilities that are both high
likelihood and high impact. Vulnerabilities that are trivial to exploit and have a high business or
technical impact should never exist in business-critical software.
3. A three-star rating means an application has only low- to medium-severity vulnerabilities.
4. Fortify awards four stars to applications with only low-severity vulnerabilities (even if those have a
high likelihood of occurring). Note that vulnerabilities which have a low impact but are easy to
exploit should be considered carefully as they may pose a greater threat if an attacker exploits many
of them as part of a concerted effort or leverages a low-impact vulnerability as a stepping stone to
mount a high-impact attack.
5. Five stars is Fortify's highest rating, awarded only to applications that have undergone a Fortify
security review which identified no vulnerabilities.
About Likelihood and Impact
About Likelihood
Likelihood is the probability that a vulnerability will be accurately identified by an outsider and successfully
exploited.
About Impact
Impact is the potential damage an attacker could do to your assets by successfully exploiting a vulnerability.
This damage could be in the form of financial loss, compliance violation, loss of brand reputation, negative
publicity, and more.
About Fortify Priority Order
HP Fortify has defined the following four levels of priority as a way to categorize the severity of
vulnerabilities (also known as issues).
Critical
Critical issues are those that have both a high potential impact and a high likelihood of occurring. Critical
issues are easy to detect and exploit, and can result in significant damage to your assets. These issues
represent the highest security risks to an application, and should be remediated immediately. SQL injection is
an example of a critical issue.
High
High-priority issues have the potential for high impact, but a low likelihood of occurring. High-priority issues
are often difficult for outsiders to detect and exploit, but they can result in large damage to your assets, so
they represent a high security risk to an application. High priority issues should be remediated in your next
scheduled patch release. A hardcoded password is an example of a high-priority issue.


Medium
Medium-priority issues have a low potential impact but a high likelihood. Medium-priority issues are easy to
detect and exploit, but they typically result in small asset damage. These issues represent a moderate security
risk to your application. Medium-priority issues should be remediated in the next scheduled product update.
Path manipulation is an example of a medium issue.
Low
Low-priority issues have low potential impact and a low likelihood of occurring. Low-priority issues can be
difficult for others to detect and exploit, and they typically result in small asset damage. These issues
represent a minor security risk to your application. Low priority issues should be remediated as time
allows. Dead code is an example of a low issue.
Best Practices
If you are notified that your application has best practices shortcomings, that means there are no significant
vulnerabilities; just minor issues that may be less than ideal for applications of your type.
Info
Info is the lowest level of warning. HP Fortify may provide you with information about your application that
does not represent a vulnerability but might be of interest for some reason.
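The impact/likelihood quadrant, the Fortify Priority Order and the five-star rules from the sections above, carried through in code so the rating of a set of findings can be reproduced. This is an added example, not part of the guide or of Fortify on Demand; the sample issues are constructed from the guide's own example categories, and it assumes (the guide does not say) that Best Practices and Info findings do not lower the star rating.

```python
"""Fortify Priority Order and the five-star rating, as this guide defines them (added example)."""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Priority(IntEnum):
    """Fortify Priority Order (Severity), lowest to highest."""
    INFO = 0
    BEST_PRACTICES = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


# Remediation windows as the guide states them for each level.
REMEDIATION = {
    Priority.CRITICAL: "remediate immediately",
    Priority.HIGH: "remediate in the next scheduled patch release",
    Priority.MEDIUM: "remediate in the next scheduled product update",
    Priority.LOW: "remediate as time allows",
}


def priority_from(high_impact: bool, high_likelihood: bool) -> Priority:
    """Impact/likelihood quadrant to priority: both high is Critical, impact alone is High,
    likelihood alone is Medium, neither is Low."""
    if high_impact and high_likelihood:
        return Priority.CRITICAL
    if high_impact:
        return Priority.HIGH
    if high_likelihood:
        return Priority.MEDIUM
    return Priority.LOW


@dataclass(frozen=True)
class Issue:
    category: str
    priority: Priority


def vulnerabilities(issues) -> list:
    """Assumption (not spelled out in the guide): Best Practices and Info are advisory
    and do not count as vulnerabilities for the rating or the chart."""
    return [i for i in issues if i.priority >= Priority.LOW]


def star_rating(issues) -> int:
    """Five stars for no vulnerabilities; otherwise the worst remaining priority decides:
    only Low -> 4, up to Medium -> 3, High but no Critical -> 2, any Critical -> 1."""
    vulns = vulnerabilities(issues)
    if not vulns:
        return 5
    worst = max(i.priority for i in vulns)
    return {Priority.LOW: 4, Priority.MEDIUM: 3, Priority.HIGH: 2, Priority.CRITICAL: 1}[worst]


def issues_by_priority(issues) -> dict:
    """Counts behind the Issues by Priority chart, keyed Low..Critical."""
    counts = Counter(i.priority for i in vulnerabilities(issues))
    return {p.name: counts[p] for p in (Priority.LOW, Priority.MEDIUM, Priority.HIGH, Priority.CRITICAL)}


# Constructed sample using the guide's own example category for each level.
SAMPLE_APP = [
    Issue("SQL Injection", priority_from(high_impact=True, high_likelihood=True)),
    Issue("Hardcoded Password", priority_from(high_impact=True, high_likelihood=False)),
    Issue("Path Manipulation", priority_from(high_impact=False, high_likelihood=True)),
    Issue("Dead Code", priority_from(high_impact=False, high_likelihood=False)),
]
# The "Default Application" shown in the Issues by Priority chart: one Low and one High issue.
DEFAULT_APP = [Issue("Dead Code", Priority.LOW), Issue("Hardcoded Password", Priority.HIGH)]

if __name__ == "__main__":
    for app, issues in (("SAMPLE_APP", SAMPLE_APP), ("DEFAULT_APP", DEFAULT_APP)):
        print(app, star_rating(issues), "stars", issues_by_priority(issues))
        for i in vulnerabilities(issues):
            print(f"  {i.category}: {i.priority.name} -> {REMEDIATION[i.priority]}")
```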
About HP Fortify Terminology
In an ongoing effort to make Fortify on Demand and FortifyMyApp clear and accessible, and respond to
customer feedback, we occasionally update terminology used in the program. Below are a few notes that we
hope will help alleviate confusion:
• Generally speaking, a project is the same thing as an application.
• A release in this version is the same as a project version in earlier iterations of FoD.
• A lookup is the same thing as an attribute.
• An assessment of your code or URL is sometimes referred to as a scan or a test.
• Fortify Priority Order is the same thing as Severity. Both terms refer to the hierarchy of seriousness
among vulnerabilities (Critical, High, Medium, Low, Best Practices, Info).
• This User Guide focuses primarily on FortifyMyApp, which includes the Basic and Standard levels of
assessment service. For Fortify on Demand Premium service, contact FoDsales@hp.com or see the
Pricing page within FortifyMyApp.com.
• FortifyMyApp (FMA) is sometimes used synonymously with freemium and web selling.



Chapter 2: Getting Started with FortifyMyApp
About Logging on to FortifyMyApp
There are now two ways to log on to FortifyMyApp. If you wish, you can log on to FMA by linking it with your
LinkedIn account, thereby avoiding the need to remember another set of credentials. If you do not choose to
do that, you may also log on to FMA directly.
About Logging on to FortifyMyApp Directly
The instructions that follow explain how to log on to FMA for the first time, and for subsequent visits, after
you have established an FMA account.
Logging on Directly for First-Time Users
To log on to Fortify on Demand for the first time:
1. Go to www.fortifymyapp.com.
2. Click Get Started.
3. In the box that appears, enter your first and last names and your email address, and select your country
from the menu.
4. Enter a password. Your password must be at least twelve characters long and have at least one capital
letter, one lower-case letter, one number, and one special character.
5. Click the small box to indicate that you agree to FMA's Terms of Service.
6. Click Register.
After you have registered, FMA will generate a verification email and send it to the address you used.
7. When the link arrives in your email, click it to verify your address.
Before you verify your email address, you will be able to create one assessment in FMA, but no more than
that.
Logging on Directly for Return Visitors
To log on to Fortify on Demand after you have registered and created an account:
1. Go to www.fortifymyapp.com.
2. In the upper right-hand corner, click Login.
3. In the new box that appears, type in your user name and password.
About Logging on through LinkedIn
HP Fortify recognizes that you probably have many accounts and many passwords already, and that defining
and remembering a new set of credentials can be burdensome. To help alleviate that, we have designed a
connection with LinkedIn, enabling you to link a FortifyMyApp account with a LinkedIn account so you will
need only one set of credentials to access both. Note that this is optional. You may use FortifyMyApp without
establishing a connection to LinkedIn if you choose.


Logging on with LinkedIn the First Time You Use FMA
If you already have an account with LinkedIn, but do not yet have an account with FortifyMyApp:
1. Go to www.fortifymyapp.com.
2. In the upper right-hand corner, click Login.
The log-on screen will appear.
3. Do not fill in the boxes with your personal information. Instead, just click the box to agree to the terms
and then click Register with LinkedIn.
You will be directed to the LinkedIn site.
4. If you are already signed on to your LinkedIn account, click Allow Access.
You will be returned to the FMA site, with full access to all FMA functionality.
5. If you are not already signed on to your LinkedIn account, enter your LinkedIn user name and password
and then click Allow Access.
You will be returned to the FMA site, with full access to all FMA functionality.
Connecting Your Existing FMA Account to Your Existing LinkedIn Account
If you already have an account with FortifyMyApp and an account with LinkedIn, but you have not yet linked
the two:
1. Log on to www.fortifymyapp.com in your normal way.
2. In the upper right-hand corner, click your user name.
3. From the menu that appears, click My Account.
On the lower left section of this page, you will see a button with the LinkedIn logo, labeled Link your
accounts.
4. Click Link your accounts.
You will be directed to the LinkedIn site.
5. If you are already signed on to your LinkedIn account, click Allow Access.
You will be returned to the FMA site, with full access to all FMA functionality.
6. If you are not already signed on to your LinkedIn account, enter your LinkedIn user name and password
and then click Allow Access.
You will be returned to the FMA site, with full access to all FMA functionality.
Logging on through LinkedIn after Establishing a Connection
Once you have gone through the steps above to link your FortifyMyApp account with your LinkedIn account,
subsequent entries to FMA are faster.
To log on through LinkedIn after establishing a connection:
1. Go to www.fortifymyapp.com.
2. In the upper right-hand corner, click Login.
The log-on screen will appear.
3. Click Login with LinkedIn.


You will be directed to the LinkedIn site.
4. If you are already signed on to your LinkedIn account, click Allow Access.
You will be returned to the FMA site, with full access to all FMA functionality.
5. If you are not already signed on to your LinkedIn account, enter your LinkedIn user name and password
and then click Allow Access.
You will be returned to the FMA site, with full access to all FMA functionality.
Sample Scan
When you log on to FortifyMyApp, you will have one sample scan available for testing and review. To access
this:
1. Log on, as described above.
2. Click My Results.
If you have not yet added any assessments of your own, you will see a grid with one item in it. The
Assessment Name is Sample Scan. It will have a status of Completed.
To see more information about this assessment, and preview the FMA report styles:
1. In the right-hand column of the grid, click View.
Managing Your Assessments
The place to manage the testing of your applications is under the menu called My Results. Find that at the top
center of the FMA screen and click it. This brings you to a screen also titled My Results.
Before you can submit your code for testing, you must prepare your files for upload. To do that, see
Preparing Files for Upload on page 13 below.
Beginning a New Assessment
After you have prepared your files for upload (See Chapter 3, Preparing Files for Upload), proceed with
these instructions to begin your assessment. To do a security assessment of an application in FortifyMyApp:
1. Click My Results.
2. In the upper right-hand corner, click the blue box that says Run New Test.
3. Go to the box called Name Your Assessment, and type any name you want.
4. Under Step 2, select the language in which your application is written: Java or .Net.
Note: Currently, free FoD assessments are available only for applications in Java or .Net. However, FoD
Premium offers many more options. If you are working in a language other than Java or .Net, go to the
Pricing page, find the Premium chart, and click the red button called Contact Us. Or send a note to
FoDSales@hp.com. Someone from FoD will get back to you with information on the other languages
supported by FoD Premium.
5. If you have questions about how to upload your files, in either Java or .Net, see the instructions below, or
select one of the videos on your screen.


6. If the video does not play when you click it, look at the bottom of your screen. If you have a message
saying Only secure content is displayed, click Show all content. Then click the white arrow on the
video icon again.
7. Then go to Step 3: Choose File, and click the blue button to the right of the box.
8. Browse to the file you want to assess and double-click it.
The name of your file will appear in the box under Step 3.
9. Click Run Test.
You will receive an email letting you know that you have successfully submitted your code.
You will then receive a second email, anywhere from a few minutes to a few days later, informing you
that your assessment is complete.


Chapter 3: Preparing Files for Upload
The first step before submitting your files for assessment is to find the section below that refers to the type of
files you will be using (Java or .Net). Follow the instructions there to ensure that you have properly prepared
your files.
About HP Fortify on Demand File Categories
When you use HP Fortify on Demand (FoD) to do a static assessment of your application for security issues,
you must upload at least one, and as many as two, categories of application files:
1. Analysis files (required)
2. Source code files (Optional, but strongly recommended)
About Analysis Files
Analysis files are:
• The executable files produced by compiling your application's source code files
• The executable library and resource files produced and delivered by third parties that are used by your
application
The purpose of analyzing an application with HP's FortifyMyApp is to identify security issues in the
executable files you created by compiling your application's source code. In order to get complete and
accurate assessment results, you must upload all of your application's files to FortifyMyApp.
About Source Code Files
Source code files are the text files you compile to produce the application files.
To enhance the ability of FortifyMyApp to customize the assessment to your application, you may upload all
the source code files used to produce the analysis files.




About Preparing Java Application Files
For Java applications, package your analysis and source code files for upload to FortifyMyApp in a single zip
file, as follows:
Preparing Analysis Files (Required)
• Web application: Package in a .WAR or .EAR file. If you have multiple .WAR files, you can package them
into a zip and call it a .EAR. (You cannot have .JAR files inside other .JAR files or .EAR files inside other
.EAR files in the zip.)
• Non-web applications: Package in a single zip file. (FortifyMyApp cannot recursively process zip files
contained within a zip package.) Ensure that there are no precompiled JSPs.
• Ensure that all JARs are included, including third-party JAR files.
• Ensure that all files are compiled in DEBUG mode. If they are not, the assessment will still run but the
results will not include line-of-code details for each issue.
Preparing Source Code Files (Optional, but recommended)
To improve the quality of results, HP Fortify recommends that you upload all of your application's source
code files to FortifyMyApp. Package the application source code files together with your analysis files in a
single zip package.
Reviewing Files before Clicking Submit
• Make sure you have resolved all warnings presented in the FortifyMyApp interface after upload.
• Select only JARs that are part of the application code. Do not select JARs that are part of third-party
libraries.



Preparing .NET Application Files
For .NET applications, package analysis and source code files for upload to FortifyMyApp as follows:
Preparing Analysis and Source Files
• Rebuild the application in DEBUG mode to ensure that a .PDB file is produced. Only DLLs that are compiled
in DEBUG mode will present filename and line number resolution in the results.
• Ensure that all ASP.NET pages are precompiled. See the section below for guidance.
• Package the analysis files in a single zip file. HP FortifyMyApp cannot recursively process zip files
contained within a zip package.
• Ensure that all DLLs are present in the upload.
• Also ensure that executables and .config files for web applications, websites, and other files produced
during the deployment process are present in the upload file.
• Ensure that the associated .PDB files are included in the upload file.
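A pre-upload check that applies the packaging rules from the Java and .NET sections above to a zip before it is submitted: no zip nested in the upload, no .jar inside a .jar or .ear inside an .ear, Java classes carrying debug information, and a .pdb beside every .dll. This is an added example, not an HP tool; the bundle it inspects is constructed in memory, the LineNumberTable byte scan is a heuristic for DEBUG-mode compilation, and it looks only one archive level down.

```python
"""Pre-upload check for a FortifyMyApp zip bundle (added example; not HP's tooling)."""
import io
import zipfile

JAVA_ARCHIVES = ("jar", "war", "ear")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def _ext(name: str) -> str:
    """Lower-case extension without the dot, or '' when there is none."""
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def check_bundle(data: bytes) -> list:
    """Apply the guide's packaging rules to the upload zip and return the findings.

    Rules covered: no .zip inside the upload (FortifyMyApp does not unpack nested
    zips), no .jar inside a .jar or .ear inside an .ear, Java classes compiled with
    debug info, and a .pdb beside every .dll. An empty list means nothing tripped.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as top:
        names = [n for n in top.namelist() if not n.endswith("/")]
        lower_names = {n.lower() for n in names}
        for name in names:
            ext = _ext(name)
            if ext == "zip":
                findings.append(f"{name}: zip inside the upload zip is not processed")
            elif ext in JAVA_ARCHIVES:
                findings += _check_java_archive(name, ext, top.read(name))
            elif ext == "class":
                findings += _check_class(name, top.read(name))
            elif ext == "dll":
                pdb = name[:-4] + ".pdb"
                if pdb.lower() not in lower_names:
                    findings.append(f"{name}: no matching {pdb}; rebuild in DEBUG mode")
    return findings


def _check_java_archive(outer: str, outer_ext: str, blob: bytes) -> list:
    """Look one level into a .jar/.war/.ear for forbidden nesting and stripped classes.
    A .jar inside a .war (WEB-INF/lib) is normal and is left alone."""
    try:
        inner = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [f"{outer}: not a readable archive"]
    findings = []
    with inner:
        for name in inner.namelist():
            ext = _ext(name)
            if ext == "zip" or (ext == outer_ext and ext in ("jar", "ear")):
                findings.append(f"{outer}!{name}: .{ext} nested inside a .{outer_ext} is not processed")
            elif ext == "class":
                findings += _check_class(f"{outer}!{name}", inner.read(name))
    return findings


def _check_class(name: str, blob: bytes) -> list:
    """Heuristic: javac emits a LineNumberTable attribute unless debug info is stripped;
    without it the assessment still runs but reports issues without line numbers."""
    if not blob.startswith(CLASS_MAGIC):
        return [f"{name}: not a Java class file"]
    if b"LineNumberTable" not in blob:
        return [f"{name}: no LineNumberTable; compile in DEBUG mode for line-of-code details"]
    return []


def _zip(entries: dict) -> bytes:
    """Build a zip in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, blob in entries.items():
            z.writestr(path, blob)
    return buf.getvalue()


# Constructed sample bundle: fake class bodies carry only the magic number and a marker.
DEBUG_CLASS = CLASS_MAGIC + b"\x00" * 4 + b"SourceFile LineNumberTable Code"
STRIPPED_CLASS = CLASS_MAGIC + b"\x00" * 4 + b"Code"


def sample_bundle() -> bytes:
    util = _zip({"com/acme/Util.class": DEBUG_CLASS})
    war = _zip({
        "WEB-INF/classes/com/acme/Login.class": STRIPPED_CLASS,  # compiled without debug info
        "WEB-INF/lib/util.jar": util,                            # jar inside war: fine
    })
    return _zip({
        "app.war": war,
        "vendor.jar": _zip({"bundled.jar": util}),         # jar inside jar: not processed
        "src/com/acme/Login.java": b"class Login {}",      # source files alongside analysis files
        "old-build.zip": b"PK\x05\x06" + b"\x00" * 18,     # zip inside the upload zip
        "Acme.dll": b"MZ", "Acme.pdb": b"",                # .NET assembly with its symbols
        "Helper.dll": b"MZ",                               # Helper.pdb is missing
    })


if __name__ == "__main__":
    for line in check_bundle(sample_bundle()):
        print(line)
```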


Uploading Files to FortifyMyApp for Assessment
Once you have prepared your files properly, as described in one of the sections above, you are ready to
upload them to FortifyMyApp. The steps to do that are as follows:
1. On your system, find the analysis files to be uploaded. These will be the application files in either .jar or
.ear format; or packaged in a .war if yours is a web application.

2. Create one zip file that includes all files to be submitted to FoD. This should include both application files
and source files.




3. In this case, your zip file would include the .java files from the src directory.



4. Log on to www.fortifymyapp.com and follow the instructions in Chapter 2.
Note: Try to avoid checking any third-party, or dependency, files unless you specifically intend to have such
files analyzed, and you have the rights to do so.




Chapter 4: Results
About Checking the Status of your Assessment
HP Fortify will notify you, via email, when your assessment is complete. However, you may also check the
status any time, by logging onto the program and following these steps:
1. Go to My Results.
2. Find your application in the list that appears on your screen.
The first column on this page is headed Status. For each application (assessment) listed here, this column
will show one of the following statuses: Not Started, Pending, Rejected, or Completed.
3. If your status is Rejected, look at the final column on this chart (called View Report) and click the button
called Reason.
You will get a pop-up explaining why your code was rejected. You will also see instructions on how to
reload your code for better results.
About When Your Assessment is Complete
At the completion of the assessment, FoD will release the results to your account. At that point:
• You will receive a confirmation email saying that your assessment is complete.
• You can log on to FortifyMyApp to view your results.
About Reports
Your Free or Standard FortifyMyApp assessment offers several types of important information about your
application. To see your report:
1. Click My Results.
2. Find your application in the list.
3. Click the green button on the left that says Completed, or go to the final column, called View Report, and
click View.
Either of those paths takes you to a new screen with the name of your assessment at the top.
Two charts display the crucial information about your application's security risks:
• On the left is the chart called Issues by Priority.
• On the right is the Type of Issues chart.
Issues by Priority
The Issues by Priority chart gives you a quick, graphic view of how many vulnerabilities your code has, and
how serious they are.
• The horizontal axis shows the severity of your issues, described as Low, Medium, High, or Critical.
• The vertical axis shows how many issues your code has at each priority level.


For example, in the screenshot below, the application called Default Application has two security issues.
One of them, represented by the blue bar, has a priority level of Low and the other, represented by the red
bar, is more urgent, with a priority level of High.

About Types of Issues
For more detailed information on the vulnerabilities (or issues) revealed by your assessment in
FortifyMyApp:
1. Click My Results.
2. In the list that appears, find the assessment you want to see and then, in the far-right column on that line,
click View.
The chart that appears on the right-hand side of the screen is called Type of Issues.
Here, you will see a list of issue types, and a number in the Occurrence column which indicates how many of
each type your code has.
About Cross-Site Scripting Errors
If one or more of your issues involves cross-site scripting, you will also see a link in the Details column of the
chart, labeled More Details. Click that button to get more information about the vulnerability.



About SQL Injection Errors
If one or more of your issues is a SQL injection error, you will see a link in the Details column labeled
Upgrade. This is because SQL injection errors cannot be fully assessed or remediated using only the free
assessment. You may, however, upgrade to a Standard assessment, at a cost of $395. We strongly
recommend that you upgrade to Standard or Premium Fortify on Demand service levels if you have a
SQL injection error. To proceed:
1. Click the Upgrade button.
A pop-up will appear, asking if you want to upgrade to Standard.
2. Click Upgrade.



Chapter 5: General Information
Frequently Asked Questions
At any point while you are working in FortifyMyApp, you can access information by clicking the FAQ link in
the upper right-hand corner of your screen. Here, you will find more information about the free services
provided by FortifyMyApp and also about the expanded service available through Fortify on Demand
Premium. You will also find information about how this program works, how to perform various tasks, and
how to submit feedback.
About Your Account
Accessing Personal Information
To see, or change, information about your account in FortifyMyApp, find your user name in the upper right-
hand side of the screen.
1. Click your name.
A brief menu will appear.
2. Click My Account.
Here, you will see the name associated with your account, and the telephone number, email address, and
country. You may make changes to any of this information. For your telephone number, enter digits only;
no dashes, parentheses, or other punctuation.
3. Then click Save.
About Changing Formatting
On this page (My Account), you may also change your password, and select your preferred formats for the
date (DD/MM/YYYY or MM/DD/YYYY or YYYY/MM/DD) and the time (12-hour or 24-hour systems).
About the Scan Summary
A summary of all the assessments in FortifyMyApp and Fortify on Demand Premium that are associated with
your email address can be seen on the right-hand side of the My Account page. There you will see a list of all
Free, Standard, and Premium assessments (scans) you have performed. In the case of Free and Standard, this
chart will also show you how many you have remaining (unused).
Logging Out
To log out of FortifyMyApp:
1. Click your user name at the upper right-hand corner of the screen.
2. From the new menu that appears, click Log Out.
