Document Release Date: June 2013
Software Release Date: June 2013
FortifyMyApp User Guide 2
Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
This is confidential computer software. A valid license from HP is required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
Copyright 2013 Hewlett-Packard Development Company, L.P.

Documentation Updates
The title page of this document contains the following identifying information:
- Software Version Number, which indicates the software version
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software

Part number: 1-1131-2013-06-000-01
Preface

This guide describes how to use the HP Fortify on Demand application called FortifyMyApp.com.

Contacting HP Fortify
If you have questions or comments about any part of this guide, contact HP Fortify in one of the following ways.

Technical Support
support@fortifyondemand.com

To Submit Feedback about FortifyMyApp.com
fodsales@hp.com

Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600

Website
For Fortify on Demand: www.hp.com/go/fortifyondemand
For HP Enterprise Software: http://www8.hp.com/us/en/software/enterprise-software.html
Contents

Legal Notices .... 2
  Warranty .... 2
  Restricted Rights Legend .... 2
  Copyright Notice .... 2
  Documentation Updates .... 2
Preface .... 3
  Contacting HP Fortify .... 3
    Technical Support .... 3
    To Submit Feedback about FortifyMyApp.com .... 3
    Corporate Headquarters .... 3
    Website .... 3
Contents .... 4
Chapter 1: Overview of HP Fortify on Demand .... 6
  About HP Fortify on Demand Services .... 6
    About Testing .... 6
    About Results .... 6
  About the HP Fortify Security Rating System .... 6
    About the HP Fortify Five-Star Assessment Rating .... 6
    About Likelihood and Impact .... 7
  About Fortify Priority Order .... 7
    Critical .... 7
    High .... 7
    Medium .... 8
    Low .... 8
    Best Practices .... 8
    Info .... 8
  About HP Fortify Terminology .... 8
Chapter 2: Getting Started with FortifyMyApp .... 9
  About Logging on to FortifyMyApp .... 9
    About Logging on to FortifyMyApp Directly .... 9
    About Logging on through LinkedIn .... 9
  Sample Scan .... 11
  Managing Your Assessments .... 11
    Beginning a New Assessment .... 11
Chapter 3: Preparing Files for Upload .... 13
  About HP Fortify on Demand File Categories .... 13
    About Analysis Files .... 13
    About Source Code Files .... 13
  About Preparing Java Application Files .... 14
    Preparing Analysis Files (Required) .... 14
    Preparing Source Code Files (Optional, but recommended) .... 14
    Reviewing Files before Clicking Submit .... 14
  Preparing .NET Application Files .... 15
    Preparing Analysis and Source Files .... 15
  Uploading Files to FortifyMyApp for Assessment .... 16
Chapter 4: Results .... 18
  About Checking the Status of your Assessment .... 18
    About When Your Assessment is Complete .... 18
  About Reports .... 18
    Issues by Priority .... 18
    About Types of Issues .... 19
Chapter 5: General Information .... 21
  Frequently Asked Questions .... 21
  About Your Account .... 21
    Accessing Personal Information .... 21
    About Changing Formatting .... 21
    About the Scan Summary .... 21
  Logging Out .... 21
Chapter 1: Overview of HP Fortify on Demand

HP Fortify on Demand (FoD) is a Software-as-a-Service solution enabling organizations to test the security of software quickly, accurately, and affordably, without the necessity of installing software. FoD is available for both static and dynamic assessments, and there are multiple options within each of those categories. You may purchase individual assessments or a one-year subscription for unlimited assessments of a particular application. You can upload files and initiate an assessment of your code for a static assessment; or, if you have purchased a dynamic assessment, you can test your URL.

In some cases, your assessment may even be free. If your application qualifies for submission to FortifyMyApp.com, you can receive up to five free assessments per month. Note that, currently, only static scans are available free through FortifyMyApp. Also, to qualify for a free FortifyMyApp scan, your application must be no more than 75 MB, and produced in Java or .Net format.

About HP Fortify on Demand Services

About Testing
Our expert team has created an automatic scanning process that will conduct an audit of your application for security vulnerabilities. You provide FortifyMyApp with the analysis files and source code and Fortify performs automatic testing.

About Results
Efficient, Easy-to-Grasp Reporting: We deliver the results of our assessments in a set of simple charts that feature a consistent five-star rating system and organize vulnerabilities by type and by priority. You will receive these results in one to three business days.

About the HP Fortify Security Rating System
Fortify on Demand, like all HP Fortify products, is designed to provide useful information about the vulnerability of your applications. To ensure that the results we give you are consistent, understandable, and actionable, we have developed a set of reporting conventions, described below.

About the HP Fortify Five-Star Assessment Rating
The HP Fortify five-star assessment rating provides information on the likelihood and impact of defects present within an application. A perfect rating within this system would be five complete stars, indicating that no high-impact vulnerabilities were discovered.
1. Fortify awards one star to projects that undergo a Fortify security review, which analyzes an application (also known as a project) for a variety of software security vulnerabilities. A rating of one star means the application has critical vulnerabilities. Any application that gets scanned automatically gets at least one star.
2. Applications receive two stars if the security review identifies no vulnerabilities that are both high likelihood and high impact. Vulnerabilities that are trivial to exploit and have a high business or technical impact should never exist in business-critical software.
3. A three-star rating means an application has only low- to medium-severity vulnerabilities.
4. Fortify awards four stars to applications with only low-severity vulnerabilities (even if those have a high likelihood of occurring). Note that vulnerabilities which have a low impact but are easy to exploit should be considered carefully, as they may pose a greater threat if an attacker exploits many of them as part of a concerted effort or leverages a low-impact vulnerability as a stepping stone to mount a high-impact attack.
5. Five stars is Fortify's highest rating, awarded only to applications that have undergone a Fortify security review which identified no vulnerabilities.

About Likelihood and Impact

About Likelihood
Likelihood is the probability that a vulnerability will be accurately identified by an outsider, and successfully exploited.

About Impact
Impact is the potential damage an attacker could do to your assets by successfully exploiting a vulnerability. This damage could be in the form of financial loss, compliance violation, loss of brand reputation, negative publicity, and more.

About Fortify Priority Order
HP Fortify has defined the following four levels of priority as a way to categorize the severity of vulnerabilities (also known as issues).

Critical
Critical issues are those that have both a high potential impact and a high likelihood of occurring. Critical issues are easy to detect and exploit, and can result in significant damage to your assets. These issues represent the highest security risks to an application, and should be remediated immediately. SQL injection is an example of a critical issue.

High
High-priority issues have the potential for high impact, but a low likelihood of occurring. High-priority issues are often difficult for outsiders to detect and exploit, but they can result in large damage to your assets, so they represent a high security risk to an application. High-priority issues should be remediated in your next scheduled patch release. A hardcoded password is an example of a high-priority issue.
Medium
Medium-priority issues have a low potential impact but a high likelihood. Medium-priority issues are easy to detect and exploit, but they typically result in small asset damage. These issues represent a moderate security risk to your application. Medium-priority issues should be remediated in the next scheduled product update. Path manipulation is an example of a medium issue.

Low
Low-priority issues have low potential impact and a low likelihood of occurring. Low-priority issues can be difficult for others to detect and exploit, and they typically result in small asset damage. These issues represent a minor security risk to your application. Low-priority issues should be remediated as time allows. Dead code is an example of a low issue.

Best Practices
If you are notified that your application has best practices shortcomings, that means there are no significant vulnerabilities; just minor issues that may be less than ideal for applications of your type.

Info
Info is the lowest level of warning. HP Fortify may provide you with information about your application that does not represent a vulnerability but might be of interest for some reason.

About HP Fortify Terminology
In an ongoing effort to make Fortify on Demand and FortifyMyApp clear and accessible, and respond to customer feedback, we occasionally update terminology used in the program. Below are a few notes that we hope will help alleviate confusion:
- Generally speaking, a project is the same thing as an application.
- A release in this version is the same as a project version in earlier iterations of FoD.
- A lookup is the same thing as an attribute.
- An assessment of your code or URL is sometimes referred to as a scan or a test.
- Fortify Priority Order is the same thing as Severity. Both terms refer to the hierarchy of seriousness among vulnerabilities (Critical, High, Medium, Low, Best Practices, Info).

This User Guide focuses primarily on FortifyMyApp, which includes the Basic and Standard level of assessment service. For Fortify on Demand Premium service, contact FoDsales@hp.com or see the Pricing page within FortifyMyApp.com. FortifyMyApp (FMA) is sometimes used synonymously with freemium and web selling.
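The star rating and the Fortify Priority Order described in this chapter are defined in prose only. The script below is an added example, not HP's code or part of this guide: it writes those rules down as a small algorithm (the impact/likelihood matrix that yields Critical, High, Medium or Low; the five-star rules; and the per-priority counts behind the Issues by Priority chart) and runs them over a constructed list of findings that uses the example categories the guide names. The Finding fields and the function names are this example's own assumptions, not product identifiers.

```python
from dataclasses import dataclass
from typing import Optional

# (impact, likelihood) -> Fortify Priority Order, as defined in Chapter 1.
PRIORITY_MATRIX = {
    ("high", "high"): "Critical",
    ("high", "low"): "High",
    ("low", "high"): "Medium",
    ("low", "low"): "Low",
}
# Best Practices and Info are reported but are not vulnerabilities,
# so they never lower the star rating.
NON_VULNERABILITY_LEVELS = ("Best Practices", "Info")


@dataclass
class Finding:
    """Hypothetical finding record (this example's own shape, not FoD's)."""
    category: str
    impact: Optional[str] = None      # "high" or "low"; None for non-vulnerability levels
    likelihood: Optional[str] = None  # "high" or "low"
    level: Optional[str] = None       # "Best Practices" or "Info" when set


def priority(f: Finding) -> str:
    """Map a finding to its Fortify Priority Order (also called Severity)."""
    if f.level in NON_VULNERABILITY_LEVELS:
        return f.level
    try:
        return PRIORITY_MATRIX[(f.impact, f.likelihood)]
    except KeyError:
        raise ValueError(f"{f.category}: impact and likelihood must be 'high' or 'low'") from None


def star_rating(findings) -> int:
    """Five-star rating per Chapter 1: 5 = no vulnerabilities, 4 = only Low,
    3 = only Low/Medium, 2 = no Critical (High present), 1 = Critical present."""
    present = {priority(f) for f in findings} - set(NON_VULNERABILITY_LEVELS)
    if not present:
        return 5
    if "Critical" in present:
        return 1
    if "High" in present:
        return 2
    if "Medium" in present:
        return 3
    return 4


def issues_by_priority(findings) -> dict:
    """Counts per priority level: the data behind the Issues by Priority chart."""
    counts = {}
    for f in findings:
        p = priority(f)
        counts[p] = counts.get(p, 0) + 1
    return counts


# Constructed sample using the example categories the guide names for each level.
SAMPLE = [
    Finding("SQL Injection", "high", "high"),
    Finding("Hardcoded Password", "high", "low"),
    Finding("Path Manipulation", "low", "high"),
    Finding("Dead Code", "low", "low"),
    Finding("Informational note", level="Info"),
]

if __name__ == "__main__":
    print(issues_by_priority(SAMPLE))   # {'Critical': 1, 'High': 1, 'Medium': 1, 'Low': 1, 'Info': 1}
    print(star_rating(SAMPLE))          # 1, because a Critical issue is present
```

Removing findings from the front of the sample list walks the rating up one star at a time (drop the SQL injection and the rating becomes 2, drop the hardcoded password and it becomes 3, and so on), which is a quick way to check that a fix plan actually moves the rating.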
Chapter 2: Getting Started with FortifyMyApp

About Logging on to FortifyMyApp
There are now two ways to log on to FortifyMyApp. If you wish, you can log on to FMA by linking it with your LinkedIn account, thereby avoiding the need to remember another set of credentials. If you do not choose to do that, you may also log on to FMA directly.

About Logging on to FortifyMyApp Directly
The instructions that follow explain how to log on to FMA for the first time, and for subsequent visits, after you have established an FMA account.

Logging on Directly for First-Time Users
To log on to Fortify on Demand for the first time:
1. Go to www.fortifymyapp.com.
2. Click Get Started.
3. In the box that appears, enter your first and last names and your email address, and select your country from the menu.
4. Enter a password. Your password must be at least twelve characters long and have at least one capital letter, one lower-case letter, one number, and one special character.
5. Click the small box to indicate that you agree to FMA's Terms of Service.
6. Click Register. After you have registered, FMA will generate a verification email and send it to the address you used.
7. When the link arrives in your email, click it to verify your address. Before you verify your email address, you will be able to create one assessment in FMA, but no more than that.

Logging on Directly for Return Visitors
To log on to Fortify on Demand after you have registered and created an account:
1. Go to www.fortifymyapp.com.
2. In the upper right-hand corner, click Login.
3. In the new box that appears, type in your user name and password.

About Logging on through LinkedIn
HP Fortify recognizes that you probably have many accounts and many passwords already, and that defining and remembering a new set of credentials can be burdensome. To help alleviate that, we have designed a connection with LinkedIn, enabling you to link a FortifyMyApp account with a LinkedIn account so you will need only one set of credentials to access both. Note that this is optional. You may use FortifyMyApp without establishing a connection to LinkedIn if you choose.
Logging on with LinkedIn the First Time You Use FMA
If you already have an account with LinkedIn, but do not yet have an account with FortifyMyApp:
1. Go to www.fortifymyapp.com.
2. In the upper right-hand corner, click Login. The log-on screen will appear.
3. Do not fill in the boxes with your personal information. Instead, just click the box to agree to the terms and then click Register with LinkedIn. You will be directed to the LinkedIn site.
4. If you are already signed on to your LinkedIn account, click Allow Access. You will be returned to the FMA site, with full access to all FMA functionality.
5. If you are not already signed on to your LinkedIn account, enter your LinkedIn user name and password and then click Allow Access. You will be returned to the FMA site, with full access to all FMA functionality.

Connecting Your Existing FMA Account to Your Existing LinkedIn Account
If you already have an account with FortifyMyApp and an account with LinkedIn, but you have not yet linked the two:
1. Log on to www.fortifymyapp.com in your normal way.
2. In the upper right-hand corner, click your user name.
3. From the menu that appears, click My Account. On the lower left section of this page, you will see a button with the LinkedIn logo, labeled Link your accounts.
4. Click Link your accounts. You will be directed to the LinkedIn site.
5. If you are already signed on to your LinkedIn account, click Allow Access. You will be returned to the FMA site, with full access to all FMA functionality.
6. If you are not already signed on to your LinkedIn account, enter your LinkedIn user name and password and then click Allow Access. You will be returned to the FMA site, with full access to all FMA functionality.

Logging on through LinkedIn after Establishing a Connection
Once you have gone through the steps above to link your FortifyMyApp account with your LinkedIn account, subsequent entries to FMA are faster. To log on through LinkedIn after establishing a connection:
1. Go to www.fortifymyapp.com.
2. In the upper right-hand corner, click Login. The log-on screen will appear.
3. Click Login with LinkedIn.
You will be directed to the LinkedIn site.
4. If you are already signed on to your LinkedIn account, click Allow Access. You will be returned to the FMA site, with full access to all FMA functionality.
5. If you are not already signed on to your LinkedIn account, enter your LinkedIn user name and password and then click Allow Access. You will be returned to the FMA site, with full access to all FMA functionality.

Sample Scan
When you log on to FortifyMyApp, you will have one sample scan available for testing and review. To access this:
1. Log on, as described above.
2. Click My Results. If you have not yet added any assessments of your own, you will see a grid with one item in it. The Assessment Name is Sample Scan. It will have a status of Completed.
To see more information about this assessment, and preview the FMA report styles:
1. In the right-hand column of the grid, click View.

Managing Your Assessments
The place to manage the testing of your applications is under the menu called My Results. Find that at the top center of the FMA screen and click it. This brings you to a screen also titled My Results. Before you can submit your code for testing, you must prepare your files for upload. To do that, see Preparing Files for Upload on page 13 below.

Beginning a New Assessment
After you have prepared your files for upload (see Chapter 3, Preparing Files for Upload), proceed with these instructions to begin your assessment. To do a security assessment of an application in FortifyMyApp:
1. Click My Results.
2. In the upper right-hand corner, click the blue box that says Run New Test.
3. Go to the box called Name Your Assessment, and type any name you want.
4. Under Step 2, select the language in which your application is written: Java or .Net.
Note: Currently, free FoD assessments are available only for applications in Java or .Net. However, FoD Premium offers many more options. If you are working in a language other than Java or .Net, go to the Pricing page, find the Premium chart, and click the red button called Contact Us. Or send a note to FoDSales@hp.com. Someone from FoD will get back to you with information on the other languages supported by FoD Premium.
5. If you have questions about how to upload your files, in either Java or .Net, see the instructions below, or select one of the videos on your screen.
6. If the video does not play when you click it, look at the bottom of your screen. If you have a message saying Only secure content is displayed, click Show all content. Then click the white arrow on the video icon again.
7. Then go to Step 3: Choose File, and click the blue button to the right of the box.
8. Browse to the file you want to assess and double-click it. The name of your file will appear in the box under Step 3.
9. Click Run Test. You will receive an email letting you know that you have successfully submitted your code. You will then receive a second email, anywhere from a few minutes to a few days later, informing you that your assessment is complete.
Chapter 3: Preparing Files for Upload

The first step before submitting your files for assessment is to find the section below that refers to the type of files you will be using (Java or .Net). Follow the instructions there to ensure that you have properly prepared your files.

About HP Fortify on Demand File Categories
When you use HP Fortify on Demand (FoD) to do a static assessment of your application for security issues, you must upload at least one, and as many as two, categories of application files:
1. Analysis files (required)
2. Source code files (optional, but strongly recommended)

About Analysis Files
Analysis files are:
- The executable files produced by compiling your application's source code files
- The executable library and resource files produced and delivered by third parties that are used by your application
The purpose of analyzing an application with HP's FortifyMyApp is to identify security issues in the executable files you created by compiling your application's source code. In order to get complete and accurate assessment results, you must upload all of your application's files to FortifyMyApp.

About Source Code Files
Source code files are the text files you compile to produce the application files. To enhance the ability of FortifyMyApp to customize the assessment to your application, you may upload all the source code files used to produce the analysis files.
About Preparing Java Application Files
For Java applications, package your analysis and source code files for upload to FortifyMyApp in a single zip file, as follows:

Preparing Analysis Files (Required)
- Web application: Package in a .WAR or .EAR file. If you have multiple .WAR files, you can package them into a zip and call it a .EAR. (You cannot have .JAR files inside other .JAR files or .EAR files inside other .EAR files in the zip.)
- Non-web applications: Package in a single zip file. (FortifyMyApp cannot recursively process zip files contained within a zip package.)
- Ensure that there are no precompiled JSPs.
- Ensure that all JARs are included, including third-party JAR files.
- Ensure that all files are compiled in DEBUG mode. If they are not, the assessment will still run, but the results will not include line-of-code details for each issue.

Preparing Source Code Files (Optional, but recommended)
To improve the quality of results, HP Fortify recommends that you upload all of your application's source code files to FortifyMyApp. Package the application source code files together with your analysis files in a single zip package.

Reviewing Files before Clicking Submit
- Make sure you have resolved all warnings presented in the FortifyMyApp interface after upload.
- Select only JARs that are part of the application code. Do not select JARs that are part of third-party libraries.
Preparing .NET Application Files
For .NET applications, package analysis and source code files for upload to FortifyMyApp as follows:

Preparing Analysis and Source Files
- Rebuild the application in DEBUG mode to ensure that a .PDB file is produced. Only DLLs that are compiled in DEBUG mode will present filename and line number resolution in the results.
- Ensure that all ASP.NET pages are precompiled. See the section below for guidance.
- Package the analysis files in a single zip file. HP FortifyMyApp cannot recursively process zip files contained within a zip package.
- Ensure that all DLLs are present in the upload. Also ensure that executables and .config files for web applications, websites, and other files produced during the deployment process are present in the upload file.
- Ensure that the associated .PDB files are included in the upload file.
Uploading Files to FortifyMyApp for Assessment
Once you have prepared your files properly, as described in one of the sections above, you are ready to upload them to FortifyMyApp. The steps to do that are as follows:
1. On your system, find the analysis files to be uploaded. These will be the application files in either .jar or .ear format; or packaged in a .war if yours is a web application.
2. Create one zip file that includes all files to be submitted to FoD. This should include both application files and source files.
3. In this case, your zip file would include the .java files from the src directory.
4. Log on to www.fortifymyapp.com and follow the instructions in Chapter 2.
Note: Try to avoid checking any third-party, or dependency, files unless you specifically intend to have such files analyzed, and you have the rights to do so.
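A rejected upload costs a round trip of a day or more, so it is worth checking the zip against the packaging rules from the Java and .NET sections of this chapter before clicking Run Test. The script below is an added example, not part of this guide and not HP's tooling. It walks a candidate upload zip, descending into the archives the service would open, and reports: an archive nested inside the same kind of archive (zip-in-zip, jar-in-jar, ear-in-ear), which the guide says is not processed; DLLs that have no matching .PDB, which means line numbers will be missing; an upload with no compiled analysis files at all; missing source files, which the guide strongly recommends including; ASP.NET pages packaged without a .config file; and, for Java, class files under org/apache/jsp/, which is the Tomcat naming convention for precompiled JSPs and is an assumption of this example. The two sample packages are constructed in memory so the check runs offline; to check a real package, pass the bytes of your zip to check_package.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Archive kinds the service unpacks. Per Chapter 3, an archive nested inside the
# same kind (zip-in-zip, jar-in-jar, ear-in-ear) is not processed recursively.
ARCHIVE_SUFFIXES = {".zip", ".jar", ".war", ".ear"}


def _collect(data, parent_suffix, prefix, members, findings):
    """Walk an in-memory zip, descending into nested archives the service would open."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = prefix + info.filename
            suffix = PurePosixPath(info.filename).suffix.lower()
            members.append(full)
            if suffix not in ARCHIVE_SUFFIXES:
                continue
            if suffix == parent_suffix:
                findings.append(f"ERROR: {suffix} nested inside {suffix} is not unpacked: {full}")
                continue
            try:
                _collect(zf.read(info), suffix, full + "!/", members, findings)
            except zipfile.BadZipFile:
                findings.append(f"ERROR: {full} is not a readable archive")


def check_package(data):
    """Return findings ('ERROR: ...' / 'WARN: ...') for a candidate upload zip."""
    members, findings = [], []
    try:
        _collect(data, ".zip", "", members, findings)
    except zipfile.BadZipFile:
        return ["ERROR: upload is not a zip archive"]
    lower = {m.lower() for m in members}
    by_suffix = {}
    for m in members:
        by_suffix.setdefault(PurePosixPath(m).suffix.lower(), []).append(m)

    classes = by_suffix.get(".class", [])
    dlls = by_suffix.get(".dll", [])
    if not classes and not dlls:
        findings.append("ERROR: no compiled analysis files (.class or .dll) found")
    # Java rules: sources strongly recommended, no precompiled JSPs.
    if classes and ".java" not in by_suffix:
        findings.append("WARN: Java classes present but no .java sources packaged")
    for m in classes:
        # Assumption: Tomcat's Jasper compiler emits JSP classes under org/apache/jsp/.
        if "org/apache/jsp/" in m:
            findings.append(f"WARN: precompiled JSP class found: {m}")
    # .NET rules: a DEBUG build ships a .pdb beside each DLL; web apps need .config files.
    if dlls and not (by_suffix.keys() & {".cs", ".vb"}):
        findings.append("WARN: .NET assemblies present but no .cs/.vb sources packaged")
    for m in dlls:
        if m[:-4].lower() + ".pdb" not in lower:
            findings.append(f"WARN: no .pdb for {m} (rebuild in DEBUG mode for line numbers)")
    if by_suffix.keys() & {".aspx", ".ascx", ".asax", ".ashx"} and ".config" not in by_suffix:
        findings.append("WARN: ASP.NET pages present but no .config file packaged")
    return findings


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_java_package():
    """Constructed sample: a .war (a jar under WEB-INF/lib is fine), sources, a
    precompiled JSP class, and a nested .zip the service would not open."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; not a real class
    lib_jar = _zip_bytes({"com/example/util/Util.class": stub_class})
    war = _zip_bytes({
        "WEB-INF/classes/com/example/App.class": stub_class,
        "WEB-INF/lib/util.jar": lib_jar,
        "WEB-INF/classes/org/apache/jsp/index_jsp.class": stub_class,
    })
    return _zip_bytes({
        "app.war": war,
        "src/com/example/App.java": b"public class App {}",
        "extras.zip": _zip_bytes({"README.txt": b"nested archive"}),
    })


def sample_dotnet_package():
    """Constructed sample: one DLL with its .pdb, one without, plus web files."""
    return _zip_bytes({
        "bin/App.dll": b"MZ", "bin/App.pdb": b"pdb",
        "bin/Helpers.dll": b"MZ",
        "Default.aspx": b"<%@ Page %>",
        "web.config": b"<configuration/>",
        "App.cs": b"class App {}",
    })


if __name__ == "__main__":
    print(check_package(sample_java_package()))
    print(check_package(sample_dotnet_package()))
```

The walk descends only into archive kinds that differ from their parent, which mirrors the stated rule: a .jar inside a .war is normal packaging and is inspected, while a .zip inside the upload .zip is reported and skipped rather than opened. The DEBUG-mode check is only possible on the .NET side (presence of the .PDB); for Java the guide's requirement has to be met at compile time, since a stub class file carries no usable marker for this example to inspect.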
Chapter 4: Results

About Checking the Status of your Assessment
HP Fortify will notify you, via email, when your assessment is complete. However, you may also check the status any time, by logging onto the program and following these steps:
1. Go to My Results.
2. Find your application in the list that appears on your screen. The first column on this page is headed Status. For each application (assessment) listed here, this column will show one of the following statuses: Not Started, Pending, Rejected, or Completed.
3. If your status is Rejected, look at the final column on this chart (called View Report) and click the button called Reason. You will get a pop-up explaining why your code was rejected. You will also see instructions on how to reload your code for better results.

About When Your Assessment is Complete
At the completion of the assessment, FoD will release the results to your account. At that point:
- You will receive a confirmation email saying that your assessment is complete.
- You can log on to FortifyMyApp to view your results.

About Reports
Your Free or Standard FortifyMyApp assessment offers several types of important information about your application. To see your report:
1. Click My Results.
2. Find your application in the list.
3. Click the green button on the left that says Completed, or go to the final column, called View Report, and click View.
Either of those paths takes you to a new screen with the name of your assessment at the top. Two charts display the crucial information about your application's security risks:
- On the left is the chart called Issues by Priority.
- On the right is the Type of Issues chart.

Issues by Priority
The Issues by Priority chart gives you a quick, graphic view of how many vulnerabilities your code has, and how serious they are. The horizontal axis shows the severity of your issues, described as Low, Medium, High, or Critical. The vertical axis shows how many issues your code has at each priority level.
For example, in the screenshot below, the application called Default Application has two security issues. One of them, represented by the blue bar, has a priority level of Low and the other, represented by the red bar, is more urgent, with a priority level of High.
About Types of Issues
For more detailed information on the vulnerabilities (or issues) revealed by your assessment in FortifyMyApp:
1. Click My Results.
2. In the list that appears, find the assessment you want to see and then, in the far-right column on that line, click View.
The chart that appears on the right-hand side of the screen is called Type of Issues. Here, you will see a list of issue types, and a number in the Occurrence column which indicates how many of each type your code has.

About Cross-Site Scripting Errors
If one or more of your issues involves cross-site scripting, you will also see a link in the Details column of the chart, labeled More Details. Click that button to get more information about the vulnerability.
About SQL Injection Errors
If one or more of your issues is a SQL injection error, you will see a link in the Details column labeled Upgrade. This is because SQL injection errors cannot be fully assessed or remediated using only the free assessment. You may, however, upgrade to a Standard assessment, at a cost of $395. We strongly recommend that you upgrade to Standard or Premium Fortify on Demand service levels if you have a SQL injection error. To proceed:
1. Click the Upgrade button. A pop-up will appear, asking if you want to upgrade to Standard.
2. Click Upgrade.
Chapter 5: General Information

Frequently Asked Questions
At any point while you are working in FortifyMyApp, you can access information by clicking the FAQ link in the upper right-hand corner of your screen. Here, you will find more information about the free services provided by FortifyMyApp and also about the expanded service available through Fortify on Demand Premium. You will also find information about how this program works, how to perform various tasks, and how to submit feedback.

About Your Account

Accessing Personal Information
To see, or change, information about your account in FortifyMyApp, find your user name in the upper right-hand side of the screen.
1. Click your name. A brief menu will appear.
2. Click My Account. Here, you will see the name associated with your account, and the telephone number, email address, and country. You may make changes to any of this information. For your telephone number, enter digits only; no dashes, parentheses, or other punctuation.
3. Then click Save.

About Changing Formatting
On this page (My Account), you may also change your password, and select your preferred formats for the date (DD/MM/YYYY or MM/DD/YYYY or YYYY/MM/DD) and the time (12-hour or 24-hour systems).

About the Scan Summary
A summary of all the assessments in FortifyMyApp and Fortify on Demand Premium that are associated with your email address can be seen on the right-hand side of the My Account page. There you will see a list of all Free, Standard, and Premium assessments (scans) you have performed. In the case of Free and Standard, this chart will also show you how many you have remaining (unused).

Logging Out
To log out of FortifyMyApp:
1. Click your user name at the upper right-hand corner of the screen.
2. From the new menu that appears, click Log Out.