Fortify official internal materials (Fortify_官方内部资料)
- Format: pdf
- Size: 3.01 MB
- Pages: 56
Fortify SCA Installation and Usage Manual. Document number: GRG_YT-RDS-PD-D03_A.0.1. Version: V1.0. Release date: 2011-5-5.
Document history (table columns: number and name, version, release date, creation/modification notes, participants; no entries).
Copyright notice: The ownership and copyright of this software product (including any programs, images, documents and accompanying printed materials it contains), and of any copy of this software product, belong to GRG Banking Equipment Co., Ltd. (广州广电运通金融电子股份有限公司).
You may not use any tool or any means to reverse-engineer or decompile this software product.
Without the permission of GRG Banking Equipment Co., Ltd., you may not publish any part or all of this software product or any related materials for any purpose or by any means; otherwise you will be subject to severe civil and criminal penalties and to the maximum civil prosecution permitted by law.
Contents
Document history
1. Product description
1.1 Feature description
1.2 Product update notes
2. Installation
2.1 Files required for installation
2.2 System platforms supported by Fortify SCA
2.3 Supported languages
2.4 Fortify SCA plug-ins
2.5 Compilers supported by Fortify SCA
2.6 Installing Fortify SCA on Windows
2.7 Installing the Fortify SCA Eclipse plug-in
2.8 Installing Fortify SCA on Linux (requires the Linux installer)
2.9 Installing Fortify SCA on Unix (requires the Unix installer)
3. Usage
3.1 Fortify SCA scanning guide
3.2 Analyzing Fortify SCA scan results
4. Troubleshooting
4.1 Using log files to debug problems
4.2 Translation-failure messages
4.3 JSP translation failures
4.4 C/C++ precompiled headers
Preface
Fortify SCA is currently the most comprehensive source-code white-box security testing tool in the industry: it pinpoints security issues at the code level, completes testing fully automatically, carries the broadest set of security vulnerability rules, and analyzes source-code security issues from multiple dimensions.
Introduction to Fortify RTA
Fortify RTA is Fortify's own product for protecting software at run time.
It can be thought of as a "soft IPS", providing run-time protection and monitoring for web application systems.
What makes RTA unique is that it is nothing more than code: combined with the web application's binary code through static instrumentation, it works inside the web application system itself.
It understands, tracks and analyzes the running state of the web application in real time. When malicious attack data enters the system, it blocks the attack promptly, giving the application timely protection. At the same time it records all the details of the attack and sends them to the console, reporting the attack from multiple dimensions (When, What, Where, How and Who), so that operations staff or security administrators can promptly learn the detailed technical data about the hacker attacks the deployed application is suffering in production, as well as the security vulnerabilities present in the application itself.
It makes it possible for software to actively defend itself against hackers.
1. How Fortify RTA works: "Fortify RTA injects a security factor into every strand of a web application's DNA to strengthen the application's own resistance to attack," as OWASP founder Mark Curphey vividly put it.
Indeed, as Mark Curphey says, Fortify RTA is based on the principle of AOP (aspect-oriented programming): it statically analyzes the web application's executable code (no source code is required), finds all input points and output points, and inserts security aspects, namely Fortify RTA's defense mechanism, as shown in Figure 1 below.
Fortify RTA's security detection mechanism is thereby integrated into the application system and becomes one with the application's executable code, as if RTA were a security vaccine injected into the application.
It forms a protective net from inside the application system.
In this way, when an application combined with RTA is attacked by hackers in the production environment, the RTA inside the system can defend against the attack in a timely manner.
Figure 1: How Fortify RTA works
2. The Fortify RTA console: the second function of Fortify RTA is to record and report the detailed technical information about the attacks an application has suffered, so that operations staff or security administrators can keep track of the security status of applications in the production environment.
Fortify SCA Source Code Application Security Testing Tool Quick Start Manual. Document version: v1.0. Release date: 2022-11. Shenzhen Wen'an Technology Co., Ltd. (深圳市稳安技术有限公司).
Fortify SCA (Static Code Analyzer) is a static application security testing (SAST) product from Micro Focus. It lets development teams and security experts analyze source code and detect security vulnerabilities, helping developers identify and prioritize problems faster and more easily, and then fix them.
Fortify SCA supports 27 programming languages: ABAP/BSP, Apex, C/C++, C#, Classic ASP, COBOL, ColdFusion, CFML, Flex/ActionScript, Java, JavaScript, JSP, Objective-C, PL/SQL, PHP, Python, T-SQL, VBScript, VB6, XML/HTML, Ruby, Swift, Scala, Kotlin and Go. It can detect more than 1,051 vulnerability categories, covering over a million individual APIs.
1. Installing the Fortify SCA source code application security testing tool
1. Create a Huawei Cloud ECS server
1.1 Recommended host configuration:
1.2 Supported operating systems:
1.3 Network configuration; security-group rule requirements:
1.3.1 Linux: port 22 (SSH management login)
1.3.2 Windows: port 3389 (Windows RDP)
1.4 Install the operating system: log in to the server remotely through VNC or CloudShell and install the operating system from a suitable image according to your needs.
1.5 Prepare the code build environment. Scanning the following languages requires the corresponding build environment, and the code must compile before it is scanned:
a) C#
b) C/C++ on Windows or Linux
c) iPhone App
Install the build environment matching your code and make sure the code to be scanned compiles.
2. Install Fortify SCA
2.1 Upload the installation package: after purchasing the product, download the installation archive matching the scan host's operating system from the Micro Focus download platform, then extract the installer and upload it to the cloud server.
Introduction and usage analysis of the commercial-grade Fortify white-box tool. Reposted from: /sectool/95683.html
What is Fortify and what can it do?
Answer: its full name is Fortify SCA. It is an HP product: a static, white-box software source-code security testing tool.
Through its five built-in main analysis engines (data flow, semantic, structural, control flow and configuration flow) it statically analyzes the application's source code, matching it comprehensively against its own software security vulnerability rule set, so that the vulnerabilities present in the source code are found and collected into a report.
How many languages can it scan?
Answer: Fortify SCA supports 21 languages, namely:
1.
2.
3. C#.Net
4. ASP
5. VBScript
6. VB6
7. Java
8. JSP
9. JavaScript
10. HTML
11. XML
12. C/C++
13. PHP
14. T-SQL
15. PL/SQL
16. ActionScript
17. Objective-C (iPhone, 2012/5)
18. ColdFusion 5.0 (optional add-on)
19. Python (optional add-on)
20. COBOL (optional add-on)
21. SAP ABAP (optional add-on)
Is it free?
Answer: No, it is a paid product.
And there is no cracked version online either.
It apparently costs about 100,000 (yuan) a month.
How is it used?
After installing Fortify, open the interface and choose Advanced Scan. It asks whether to update. I chose No, because this is my private copy: I bought it in July 2015 with a one-month trial period.
I was afraid that updating would make it unusable.
If you have purchased it, you can choose Yes.
After choosing, the following screen appears. "Browse" means: the path where the scan results will be saved.
Then click Next.
Parameter descriptions:
- enable clean: clears the previous scan's results; unless you change the build ID, the intermediate files may affect the next scan.
- enable translation: translation, i.e. converting the source code into NST files.
- -64: scan in 64-bit mode; SCA scans in 32-bit mode by default.
- -Xmx4000m: 4000M is roughly 4G; this specifies the memory size. -Xmx4G: the parameter can also be given in G. Recommended.
- -encoding: specifies the character encoding. UTF-8 is the most complete; the tool converts character sets better when one is specified while parsing the code. Recommended; without it, Chinese comments come out garbled.
China Construction Bank Online Banking Investment Product Innovation Project: Fortify User Manual. Head Office Information Technology Management Department, Guangzhou Development Center, June 2008.
Change log (number, date, description, version, author, reviewer, release date): 2008-6-2, online banking investment product innovation project document, 1.1, 廖敏飞, 羌雪.
The information contained in this document is confidential; without the written permission of China Construction Bank, no one may copy or make use of it.
© Copyright 2008 by China Construction Bank
Contents
1. Introduction
1.1 Purpose
1.2 Background
1.3 Definitions
1.4 Environment
1.5 Notes
1.6 Related requirements
2. Installing Fortify
2.1 Enter the Fortify installation directory
2.2 Enter the license key: BAHODPERE9I9
2.3 Select All Users
2.4 Select all of the options below
2.5 Select the No option
3. Using Fortify
3.1 Go to the source directory and run SCA CommandLine Scan.bat
3.2 Contents of SCA CommandLine Scan.bat
4. Querying results
5. Possible problems
6. Result analysis
6.1 Race Condition
6.2 SQL Injection
6.3 Cross-Site Scripting
6.4 System Information Leak
6.5 HTTP Response Splitting
1. Introduction
1.1 Purpose: raise software security awareness in the center's projects; convey the head office's requirements on secure software coding and testing; understand and learn to use Fortify SCA.
1.2 Background: online banking investment product innovation project document.
1.3 Definitions: Fortify Source Code Analysis Suite is a tool from the US company Fortify Software that provides software development enterprises with scanning, analysis and management of security vulnerabilities in software source code.
Fortify SCA Installation and Usage Manual
4.2 Translation-failure messages
If your C/C++ application builds successfully, but one or more "translation failed" messages appear when you build it with Fortify SCA, edit the file <INSTALL_DIRECTORY>/Core/config/fortify-sca.properties and change the following line:
com.fortify.sca.cpfe.options=--remove_unneeded_entities --suppress_vtbl
to
com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl
Rerun the build; the errors the translator encountered are now printed.
If the output indicates a conflict between your compiler and the Fortify translator
4.3 JSP translation failures
4.4 C/C++ precompiled headers
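The shell script below is an added example, not code from any of the manuals or the blog post above. It automates two things described on this page: the fortify-sca.properties edit for C/C++ "translation failed" messages (section 4.2), and the clean / translate / scan sequence using the -64, -Xmx and -encoding options the blog post recommends. It assumes sourceanalyzer is on PATH and that the translation target is passed as a source path or glob; both are assumptions, not details from the page.

```shell
#!/bin/sh
# Added example, not from the original manuals. Assumes sourceanalyzer is on
# PATH and that the source tree to translate is passed as a path/glob.

# Section 4.2 fix: prepend -w to com.fortify.sca.cpfe.options so the C/C++
# front end prints the errors it hit instead of a bare "translation failed".
# Idempotent: a second run leaves an already-patched file untouched.
patch_cpfe_options() {
  props="$1"
  re='^com\.fortify\.sca\.cpfe\.options='
  if ! grep -q "$re" "$props"; then
    echo "no com.fortify.sca.cpfe.options line in $props" >&2
    return 1
  fi
  if grep -q "${re}-w " "$props"; then
    return 0                      # already patched, nothing to do
  fi
  # edit in place, keeping a .bak copy of the original file
  sed -i.bak "s/${re}/&-w /" "$props"
}

# Current value of the option, to confirm the edit took effect.
cpfe_options() {
  sed -n 's/^com\.fortify\.sca\.cpfe\.options=//p' "$1"
}

# The three-phase scan behind the blog post's options: clean stale
# intermediate files for this build ID, translate to NST in 64-bit mode
# with a 4G heap and UTF-8 source encoding, then scan into an FPR file.
sca_scan() {
  build_id="$1"; src="$2"; out="$3"
  sourceanalyzer -b "$build_id" -clean
  sourceanalyzer -b "$build_id" -64 -Xmx4G -encoding UTF-8 "$src"
  sourceanalyzer -b "$build_id" -scan -f "$out"
}

# Usage (run by hand; nothing executes when this file is merely sourced):
#   patch_cpfe_options "$FORTIFY_HOME/Core/config/fortify-sca.properties"
#   sca_scan myapp "src/**/*.java" results.fpr
```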
Case Study
At a Glance
Industry: Technology
Location: Quito, Ecuador
Challenge: Find a more efficient way to identify and remediate vulnerabilities across a growing portfolio of applications and microservices
Products and Services: Fortify on Demand; Fortify Static Code Analyzer
Success Highlights
- Saves time and money by detecting vulnerabilities earlier in the development lifecycle
- Enables delivery of higher-quality applications to clients
- Boosts developer efficiency, helping teams keep pace with rising workloads
- Strengthens Location World's global recognition as a trusted software provider using cutting-edge technologies based on best practices and world-class standards and frameworks

Location World
Fortify supports high-quality application release with less expense and effort.

Who is Location World?
Location World is the leader in providing telematic solutions, fleet management, and connected car technology for the automotive, security, logistics, and insurance industries. With clients in 10 countries across LATAM and Spain, the company works with more than 6,500 customers, including YPF, Entel, AVIS, AB InBev, and Prosegur. Its telematics solutions connect more than 75,000 vehicles, generating insights that empower companies to optimize their vehicle fleets and better understand driver behavior. The company aims to make a difference for its customers: it wants not only to track vehicles but also to create useful sources of information for users.

Securing a Growing Application Landscape
Location World has established strategic alliances in the region with big players in the market with innovative and disruptive B2B and B2B2C business models connecting thousands of vehicles and Internet of Things (IoT) devices, with several use cases for different industry segments that help them in their day-to-day operations to maximize their efficiency and return on investment (ROI) in less time. In the words of CIO Jaime Baracaldo, the company generates and implements powerful "Telematics Mega Ecosystems" with the highest added value throughout digital transformation and Internet of Things (IoT), with PaaS and SaaS solutions around the world generating high impact.

To develop and deploy its array of web and mobile applications and microservices, the company counts on an in-house development team that follows an agile, DevOps approach. As Wilson González, DevOps Manager at Location World, explains: "In total we have 789 microservices and 460 pipelines, so you can imagine the transaction volumes that we generate day by day."

"We received excellent sales and technical support from CyberRes (now OpenText Cybersecurity), which set the tone for a smooth and successful implementation. We decided to work with Telefónica on this project. Their specialists had great knowledge about the Fortify tools and how to best integrate them with our development process." Jaime Baracaldo, CIO, Location World

Delivering applications and microservices with the highest levels of quality, stability, and security has always been a top priority for Location World. However, with development workload continuously growing, the company was keen to adopt a more scalable and rigorous approach to managing application security.

González continues: "We've always been trying to innovate in terms of security. Our first beginnings were manual. Then, we introduced a cloud-based code quality and security tool. As our operations grew, we found ourselves reaching the limits of this tool. We needed something more, and that's why we decided to look for a solution that supported both static (SAST) and dynamic (DAST) analysis integrated with our DevOps pipelines."

Finding the Right Solution
Supported by longtime partner Telefónica, Location World launched the search for a solution, and soon homed in on Fortify by OpenText: a unified vulnerability management platform that integrates static, dynamic, and mobile application security testing with continuous application monitoring. Not only was Location World impressed by Fortify's comprehensive, enterprise-grade application security capabilities, OpenText Cybersecurity also offered strong local-language support, which proved to be a key differentiator.

Following a promising proof-of-concept, Location World moved ahead with an implementation of Fortify on Demand by OpenText, an application security-as-a-service solution running in the Cybersecurity cloud, and Fortify Static Code Analyzer by OpenText, deployed in the company's private Microsoft Azure and Google Cloud environment.

Throughout the implementation, Location World was able to count on strong support from both Telefónica and Cybersecurity. Baracaldo confirms: "We received effective sales and technical support from CyberRes (now OpenText Cybersecurity), which set the tone for a smooth and successful implementation. Telefónica specialists had great knowledge and gave us their guidance about the Fortify tools and how to best integrate them with our processes."

Integrated, Automated Application Security Testing
Today, Fortify Static Code Analyzer is integrated seamlessly with Location World's Integrated Development Environments (IDEs), Microsoft Visual Studio, Android Studio and Xcode, as well as its Azure DevOps integration platform, used to create build and deployment pipelines. Fortify Static Code Analyzer pinpoints the root causes of security vulnerabilities in source code, prioritizes results sorted by severity of risk, and provides detailed guidance on how to fix vulnerabilities. Alongside this, Location World uses Fortify on Demand to perform final checks on code before it is released.

Baracaldo explains how the Fortify solutions are used on a day-to-day basis: "When a developer launches an upload for DevOps to the pipeline, Fortify Static Code Analyzer automatically launches the vulnerability analysis and shares the results with our Security Operations Center (SOC) in real time. After that, the SOC then carries out the dynamic analysis process with the Fortify on Demand module to certify whether or not the code passes. If it does not pass, there is no approval to go to production and an analysis with the development team is required to fix the detected vulnerabilities before SOC can retest and approve publishing any code to the production environment."

Delivering Secure Software, Fast
With Fortify now integrated into its development cycle, Location World can scan for software vulnerabilities in parallel with development processes and fix any issues as they arise. The Cybersecurity solution is helping both development and security teams work more productively, and has steadily driven down the number of potential vulnerabilities identified during development.

"Fortify allows us to analyze a greater volume of code in a much more agile and rapid way," notes González. "Now, our pipelines usually reach me without vulnerability errors because they've already been detected up front in the development process."

Gabriel Ayala, SOC Manager at Location World, adds: "Fortify has helped our development team to substantially improve the way they identify and mitigate vulnerabilities in code. We can also replicate these improvements in other applications, which contributes to higher-quality code across the entire organization."

Comprehensive vulnerability management gives Location World the confidence that it is releasing highly secure and reliable applications. In turn, this is helping the company strengthen its global recognition as a trusted software provider.

Baracaldo concludes: "Many of our clients also have a control process where they perform their own vulnerability analysis, so they've been able to see first-hand the improvements that we've made since introducing Fortify. It's a very positive situation for everyone: our clients have greater peace of mind about the applications they're using, and we grow our recognition as a global provider of high-quality, secure software."

768-000088-001 | M | 07/22 | © 2022 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.
OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high efficacy products, a compliant experience and simplified security to help manage business risk.
768-000088-003 | O | 11/23 | © 2023 Open Text