Fortify SCA Workshop Exercises
Haleh Nematollahy, Sr. Security Solutions Architect
Carahsoft
Prep Work Exercises
• Open your VM: c:\VM Images\2017\windows 10 x64 (2).vmx
  UID: Admin   PWD: P@ssword1
▪ Check access to http://localhost:8180/ssc
  UID: admin   PWD: Workshop2017!
▪ Command Line Scan – open a DOS prompt and run:
  cd c:\users\workshop\desktop\TrainingMaterial\src\riches.java\riches_java_src
  sourceanalyzer -b riches -clean
  sourceanalyzer -b riches -sql-language PL/SQL -source 1.6 -cp ./WEB-INF/lib/*.jar;./lib/*.jar ./**/*java ./**/*jsp ./**/*sql ./**/*xml ./**/*js ./**/*html
  sourceanalyzer -b riches -source 1.6 -Xmx3200M -scan -f richesresults.fpr
  auditworkbench richesresults.fpr
Exercise 1: Start the Fortify Demo Environment Setup
• Start the Fortify Demo Server: there is a “Launch the Riches Demo App” shortcut on your desktop. Click on it. You should see some Command Prompt windows.
Demo: SQL Injection
• Open Internet Explorer and browse to http://localhost:8080/riches (there should also be a shortcut on the desktop)
▪ Click the Locations button at the top
▪ There is SQL Injection in this form. See if you can find it!
▪ Valid Zip Codes: 94404, 10005, 94123
▪ Try entering: ' or '1'='1
▪ Same in the Find ATMs/Locations field
Exercise 2: XSS Injection
• Click the submit button on the login form
▪ Open Internet Explorer and browse to http://localhost:8080/riches (there should also be a shortcut)
▪ There is Cross Site Scripting in the login page. See it?
▪ Valid login: eddie/eddie
▪ Try entering <script>alert('XSS');</script> in the login field
Exercise 3: Command-Line Scan
• Translation Exercise (Java Source Code)
  cd C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_17.20\Samples\basic\eightball
• Run Commands (open cmd as Administrator):
  sourceanalyzer -b EightBall -clean
  sourceanalyzer -b EightBall -source 1.6 EightBall.java
  sourceanalyzer -b EightBall -source 1.6 -Xmx3200M -scan -f EightBall.fpr
  auditworkbench EightBall.fpr
  sourceanalyzer -b EightBall -show-files
  sourceanalyzer -b EightBall -show-build-warnings
Exercise 4: Scanning With AuditWorkbench
• In the search box, type Auditworkbench
• Start Audit Workbench
• Select “Advanced Scan...”
• Navigate to C:\Users\Workshop\Desktop\TrainingMaterial\src\riches.java\riches_java_src
• Click OK
• Specify Java Version 1.6
• Click Next >
• Click Next >, then click Scan
Exercise 5: Eclipse IDE Plugin Scan
• In Package Explorer: open Project Riches
• Fortify drop-down: Analyze Project to start the scan
Exercise 6: Remediate SQLI and Rescan
• SCA Analysis Result: find SQL Injection
• Expand SQL Injection, choose LocationService.Java:120
• Determine whether the SQLI is exploitable or not
• Make the change to the code
• Rescan

Exercise 6: Remediate SQLI
  // Before (LocationService.Java:120): the zip value is concatenated into the query
  // String queryStr = "SELECT * FROM location WHERE zip = '" + zip + "'";
  // After: parameterized query, zip bound as data rather than SQL text
  String queryStr = "SELECT * FROM location WHERE zip = ?";
  statement = conn.prepareStatement(queryStr);
  statement.setString(1, zip);
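The remediation above in context, as an added example that is not the Riches application's own code: the vulnerable lookup next to its hardened form, with a try-with-resources scope and an allow-list check on the zip value in front of the bind. The class name, the `name` column and the US ZIP/ZIP+4 pattern are assumptions; the table and query text come from the exercise.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Constructed example (not workshop code) of the finding Fortify reports at
// LocationService.Java:120 and the fix the exercise asks for.
public class LocationLookup {

    // BEFORE: the request parameter becomes part of the SQL text, so quote
    // characters in it change the WHERE clause. This is the SQL Injection
    // finding; kept here only for comparison.
    static List<String> findByZipVulnerable(Connection conn, String zip) throws SQLException {
        String queryStr = "SELECT * FROM location WHERE zip = '" + zip + "'";
        List<String> names = new ArrayList<>();
        try (Statement statement = conn.createStatement();
             ResultSet rs = statement.executeQuery(queryStr)) {
            while (rs.next()) {
                names.add(rs.getString("name")); // "name" column is an assumption
            }
        }
        return names;
    }

    // Allow-list for the only shapes a zip parameter should ever have.
    private static final Pattern US_ZIP = Pattern.compile("\\d{5}(-\\d{4})?");

    static boolean isValidZip(String zip) {
        return zip != null && US_ZIP.matcher(zip).matches();
    }

    // AFTER: the value is bound with setString, so the driver sends it as data
    // and the query structure is fixed at compile time. Validation is a second,
    // independent layer; the bind alone already closes the injection.
    static List<String> findByZip(Connection conn, String zip) throws SQLException {
        if (!isValidZip(zip)) {
            throw new IllegalArgumentException("zip must be 5 digits or ZIP+4");
        }
        String queryStr = "SELECT * FROM location WHERE zip = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement statement = conn.prepareStatement(queryStr)) {
            statement.setString(1, zip);
            try (ResultSet rs = statement.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    // Stand-alone check of the validation layer; a live Connection is not needed.
    public static void main(String[] args) {
        System.out.println("94404 valid? " + isValidZip("94404"));
        System.out.println("10005-1234 valid? " + isValidZip("10005-1234"));
        System.out.println("' or '1'='1 valid? " + isValidZip("' or '1'='1"));
    }
}
```

When auditing the finding, the question the exercise poses (is it exploitable?) turns on whether `zip` reaches line 120 unvalidated from the request; after the rescan, the parameterized version should no longer appear under SQL Injection because the dataflow from the request parameter ends at `setString`, not inside the query text.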
Exercise 9: Issue Grouping
• Create a 2-level grouping (AWB): FISMA, NIST 800-53
Exercise 10: Audit and Suppress
• Audit all Insecure Randomness issues
▪ Add a comment to all related issues
• Suppress all Dead Code
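To give the audit in Exercise 10 something concrete, here is an added example (not workshop code) of the two patterns an auditor separates under Fortify's Insecure Randomness category: a security-relevant token drawn from `java.util.Random`, its remediated form using `SecureRandom`, and a cosmetic use of `Random` that would be audited as not an issue with a comment. Class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Constructed example for triaging "Insecure Randomness" findings.
public class ResetTokens {

    // Flagged and genuinely weak: java.util.Random is a deterministic 48-bit
    // linear congruential generator. Its later outputs follow from earlier
    // ones, so a value that gates a password reset must not come from it.
    static String weakResetToken() {
        Random rnd = new Random();
        byte[] buf = new byte[16];
        rnd.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Remediated: SecureRandom draws from the platform CSPRNG. A single shared
    // instance is thread-safe and reseeds itself, so it does not need to be
    // recreated per request.
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureResetToken() {
        byte[] buf = new byte[16]; // 128 bits, URL-safe base64 without padding
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Also flagged, but the value only selects which banner to display.
    // Audit as "Not an Issue" and record why in the comment, rather than
    // changing it; the comment is what the exercise asks for.
    static int bannerIndex(int bannerCount) {
        return new Random().nextInt(bannerCount);
    }

    public static void main(String[] args) {
        System.out.println("weak:   " + weakResetToken());
        System.out.println("secure: " + secureResetToken());
        System.out.println("banner: " + bannerIndex(3));
    }
}
```

The scanner reports both `Random` call sites the same way; the audit comment is where the distinction between the reset token (fix it) and the banner index (accept it) is recorded, so that the next scan of the same build id carries the decision forward.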
Exercise 11: Software Security Center Walk Through
1. Click on “Launch the Fortify SSC Server”
2. Open a web browser
3. Navigate to http://localhost:8180/ssc
4. Login information is in student_logins.txt on your Desktop. Log in as admin. Password is Workshop2017!
Exercise 12: Create a New Application
• Click on “Launch the Fortify SSC Server”
• Open a web browser
• Navigate to http://localhost:8180/ssc
• Login information is in student_logins.txt on your Desktop. Log in as admin. Password is HPpass2017!
• Click Application
• Click New Application
• New Application – Name: Riches2, Version: v9, Development Phase: New
Exercise 13: Upload FPR
• Launch AWB
• Open Results: Riches
• Click Tools
• Upload Audit Project – SSC URL: http://localhost:8180/ssc, Username: admin, Password: Workshop2017!, Application: Riches2
• Click OK
Exercise 14: Generate AWB Reports
• Launch AWB
• Open Results: Riches
• Click Tools
• Generate BIRT Report – Developer Workbook
• Or: Click Tools: Generate Legacy Report, and choose Fortify Security Report

Features
• New BIRT Reporting Engine
• Simple Layout Configuration
• Saves as DOC, HTML, PDF
• Synchronous
Exercise 15: Generate SSC Reports
• Click on “Launch the Fortify SSC Server”
• Open a web browser
• Navigate to http://localhost:8180/ssc
• Login information is in student_logins.txt on your Desktop. Log in as admin. Password is HPpass2017!
• Click Reports
• Click New Report
• Pick any Report and Generate

Features
• New BIRT Reporting Engine
• BIRT Customizations
• Simple Layout Configuration
• Saves as XLS, HTML, PDF
• Asynchronous
• Dashboard Portfolio and Application Reports
Enterprise Adoption Success Scorecard: The Only Questions You Really Need to Ask
• Do you have SSC stood up and operating properly?
• Are the FPRs of record for active development teams loaded at least once per week?
• Does your CISO and/or Application Development Director have a login?
• Does your CISO and/or Application Development Director log in to SSC and review the portfolio results at least once per month?
• Has your CISO and/or Application Development Director specified a remediation policy for Fortify findings?