Name of Your Organization:
Hewlett-Packard Development Company, L.P.
Web Site:
www.hpenterprisesecurity.com/
Compatible Capability:
HP Fortify Static Code Analyzer
Capability home page:
http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer/
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
HP products are available for download within the customer's HP Software Updates portal. Additional information about the products is available on either www.hpenterprisesecurity.com or www.fortify.com.
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
HP Fortify products provide CWE mappings as well as other category/taxonomy information. HP Software Security Center provides out-of-the-box reports for CWE/SANS Top 25 for years 2009 and 2010.
Current CWE mappings correspond to CWE version 2.0.
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
The HP Fortify Secure Coding Rulepacks are updated by the Security Research Group once per quarter.
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CWE content (required):
The HP Fortify Secure Coding Rulepacks that provide mappings are released once per quarter. Each release includes changes to the mappings against external lists, such as CWE, PCI, OWASP, and others. Rulepacks are referred to by their release quarter, for example the "Q3 201X rulepack."
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
HP displays a vulnerability taxonomy at http://www.fortify.com/vulncat/ that provides category information. Categories contain references to CWE Identifiers as appropriate.
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability's repository (required):
Results presented within HP products (Audit Workbench or Software Security Center) give customers the ability to search by CWE and/or group issues by the associated CWE mapping.
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability's repository (required):
Issues reported with a CWE mapping contain the CWE information inside the Recommendations tab, as a supporting reference. Additionally, users can group issues by CWE for faster access.
Figure: HP Fortify Audit Workbench, grouping by CWE (left) and highlighting the CWE reference of a particular issue (bottom).
Figure: HP Software Security Center, showing the issue list with CWE mappings (center-screen, right-most column).
Figure: Fortify vulnerability taxonomy, showing the C/C++ Buffer Overflow category in www.fortify.com/vulncat/ (CWE mappings are highlighted).
Figure: HP Fortify on Demand displaying CWE mappings (right column), without specifying optional CWE search criteria.
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):
HP updates the vulnerability taxonomy at www.fortify.com/vulncat/ quarterly, to correspond to HP Fortify Secure Coding Rulepacks releases. Individual categories within the taxonomy reference various CWE mappings.
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
All interfaces provide users with the ability to group issues by CWE Identifiers.
Users searching for issues relating to specific CWE Identifiers can locate issues using search criteria, such as:
- An individual CWE Identifier: cwe:cwe id ##
- A list of CWE Identifiers: cwe:cwe id ## cwe: cwe id ## (repeat as necessary)
- All issues relating to CWE: cwe:cwe
Figure: HP Fortify Audit Workbench searching for a particular CWE.
Figure: HP Software Security Center searching for a particular CWE.
Figure: HP Fortify on Demand displaying CWE mappings (right column), without specifying CWE search criteria.
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
HP Software Security Center provides out-of-the-box reports for CWE mappings. Below: Findings by 2009 and 2010 CWE/SANS Top 25.
Figure: Report page 1.
Figure: Report page 2, etc.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
The HP Fortify vulnerability taxonomy at www.fortify.com/vulncat/ contains information about categories and CWE mappings. The products offer additional capabilities beyond everything listed there. Customers may contact HP Fortify Technical Support for additional information.
Figure: Fortify vulnerability taxonomy, showing the C/C++ Buffer Overflow category in www.fortify.com/vulncat/ (CWE mappings are highlighted).
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):
CWE mappings are available as a reference within the vulnerability taxonomy at www.fortify.com/vulncat/.
Customers may contact HP Fortify Technical Support for additional information.
SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):
HP Fortify Static Code Analyzer performs analysis of an application using a large number of rules that provide security and code intelligence. Certain rules contain programmatic API definitions that are unrelated to CWE but necessary to return valid results. For example, using only the rules associated with a particular CWE will likely disable supporting rules that would have identified a true positive.
In order to receive accurate results, users are advised to run the analysis with all security rules enabled and then narrow the results down to individual CWE identifiers when viewing them.
When viewing results, all interfaces provide users with the ability to group findings by CWE Identifiers.
Users searching for issues relating to specific CWE Identifiers can locate issues using search criteria, such as:
- An individual CWE Identifier: cwe:cwe id ##
- A list of CWE Identifiers: cwe:cwe id ## cwe: cwe id ## (repeat as necessary)
- All issues relating to CWE: cwe:cwe
These queries can be stored as a filter set in a project template file within HP Fortify Audit Workbench or HP Fortify Software Security Center to focus results visibility towards CWE or any other external list, such as PCI or OWASP.
SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):
See answer to question <CR_A.2.7>.
Service Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.3.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
Fortify On Demand makes use of HP Fortify Static Code Analyzer (SCA), HP WebInspect, and other methodologies. Support for CWE is the summation of the individual products that produce analysis results, as well as the other products and methods used by backend Fortify On Demand professionals performing security analysis.
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.3.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
Fortify On Demand enables customers to browse issues with the associated CWE information.
Customers can also search for particular CWE Identifiers:
- An individual CWE identifier: cwe:cwe id ##
- A list of CWE Identifiers: cwe:cwe id ## cwe: cwe id ## (repeat as necessary)
- All issues relating to CWE: cwe:cwe
Figure: HP Fortify on Demand displaying CWE mappings (right column), without specifying CWE search criteria.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
HP Fortify On Demand makes use of HP Fortify Static Code Analyzer, HP WebInspect, and other products and methodologies performed by security professionals. Support for CWE is the summation of CWE support within each product.
The HP Fortify vulnerability taxonomy at www.fortify.com/vulncat/ contains information about categories and CWE mappings. The products offer additional capabilities beyond everything listed there. Customers may contact HP Fortify Technical Support for additional information.
Figure: Fortify vulnerability taxonomy, showing the C/C++ Buffer Overflow category in www.fortify.com/vulncat/ (CWE mappings are highlighted).
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.3.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):
- HP Fortify Static Code Analyzer
- HP WebInspect
- Other products as needed
Online Capability Questions
FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS <CR_A.4.1>
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):
All CWE mappings are available on www.fortify.com/vulncat and can be located with any search engine using criteria such as: site: fortify.com/vulncat cwe ID 251
Figure: Fortify vulnerability taxonomy, showing the C/C++ Buffer Overflow category in www.fortify.com/vulncat/ (CWE mappings are highlighted).
Media Questions
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
Software Security Center can produce a SANS/CWE Top 25 Report for 2009 and 2010, in PDF or Word format.
Figure: Report page 1.
Figure: Report page 2, etc.
Issues relating to CWE can also be programmatically queried from HP Software Security Center's web services API, using the searchForIssues method. Its search criteria accept the same search format for CWE, such as:
- An individual CWE Identifier: cwe:cwe id ##
- A list of CWE Identifiers: cwe:cwe id ## cwe: cwe id ## (repeat as necessary)
- All issues relating to CWE: cwe:cwe
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CWE identifier(s) (required):
All interfaces provide users with the ability to group findings by CWE Identifiers.
Users searching for issues relating to specific CWE Identifiers can locate issues using search criteria, such as:
- An individual CWE Identifier: cwe:cwe id ##
- A list of CWE Identifiers: cwe:cwe id ## cwe: cwe id ## (repeat as necessary)
- All issues relating to CWE: cwe:cwe
Figure: HP Fortify Audit Workbench searching for a particular CWE, using syntax: cwe: cwe id XX
Figure: HP Software Security Center searching for a particular CWE, using syntax: cwe: cwe id XX
Figure: HP Fortify on Demand displaying CWE mappings (right column), without specifying optional CWE search criteria.
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability's elements, also describe the format of the mapping (required):
Users can control the grouping of displayed issues in order to more easily locate issues relating to a particular CWE.
Figure: HP Fortify Audit Workbench enables users to control the grouping criteria and browse issues by different criteria, for example CWE, CWE then File, or Package then CWE.
Figure: HP Software Security Center enables grouping and searching by CWE.
Figure: HP Fortify on Demand, showing an individual issue's CWE correlation.
GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>
Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):
All interfaces provide the ability to search for CWE-related text through the issue search criteria:
- Search for issues relating to an individual CWE: cwe:cwe id ##
- Search for issues relating to a list of CWEs: cwe:cwe id ## cwe:cwe id ## (repeat as necessary)
- Search for issues relating to any CWE: cwe:cwe
Software Security Center can produce a SANS/CWE Top 25 Report for 2009 and 2010, in PDF or Word format.
Figure: Report page 1, produced by HP Fortify Software Security Center.
Figure: Report page 2, etc., produced by HP Fortify Software Security Center.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Erik Costlow
Title: Product Manager
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Erik Costlow
Title: Product Manager
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Erik Costlow
Title: Product Manager