Anda di halaman 1dari 48

HP Fortify Software Security Center

Software Version 3.70

HP Fortify Software Security Center Process Designer User Guide

Document Release Date: November 2012 Software Release Date: November 2012

Legal Notices
Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Restricted Rights Legend Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice Copyright 2012 Hewlett-Packard Development Company, L.P.

Documentation Updates
The title page of this document contains the following identifying information: Software version number Document release date, which changes each time the document is updated Software release date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to: http://h20230.www2.hp.com/selfsolve/manuals This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: http://h20229.www2.hp.com/passport-registration.html You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details. Part Number: 1-1b3-2012-11-370-01

Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .vi Contacting HP Fortify. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi Corporate Headquarters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi About the Software Security Center Documentation Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Chapter 1: Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Typographic Conventions Used in This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7


Chapter 2: Getting Started with Software Security Center Process Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

About This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Starting Process Designer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Process Designer Account Permission Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Permissions for Template Assignment Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Configuring the Connection to Software Security Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Creating and Editing Software Security Center Process Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Downloading Software Security Center Process Templates from Software Security Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Loading a Process Template from Disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Committing and Saving Edited Process Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Committing a Process Template to Software Security Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Saving Process Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Process Template Display Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Changing the Display Name of a Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Customizing the Process Designer View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Restoring the Default Process Designer View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Basic Software Security Center Process Designer Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Summary of Requirements and Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Demonstration Work Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 3: Customizing Software Security Center Process Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

About This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Overview of Customizing a New Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Using Global Design Elements in New Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Choosing a Baseline Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Process Template Assessment Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Selecting a Baseline Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Global Design Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
HP Fortify Software Security Center Process Designer User Guide iii

Managing Global Design Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Synchronizing Global Design Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Process Template Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Defining New Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Process Template Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Process Template Activity Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Time Lapse Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Creating a Time Lapse Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Document Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Constructing Document Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Creating a Document Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Creating a Document Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Project State Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Overview of Constructing a Project State Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software Security Center Equation Variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating an Equation Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Performance Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating a Project State Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 35 37 38 39

Adding an Activity to a Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Creating and Managing Sign-Off Personas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Default Personas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Creating a Persona . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Adding a Persona to a Requirement or Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Default Work Owners. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Adding a Default Work Owner to a Requirement or Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Software Security Center Project Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Assigning a Project Template to a Process Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Chapter 4: Working with Software Security Center Template Assignment Policies . . . . . . . . . . . . . . . . . . . . 43

About This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Overview of the Software Security Center Center Template Assignment Policy Operation . . . . . . . . . . . . . . 43 Getting Started with Software Security Center Template Assignment Policy Editor. . . . . . . . . . . . . . . . . . . . . 43 Downloading Software Security Center Template Assignment Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Uploading Edited Template Assignment Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Saving Software Security Center Template Assignment Policies to Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Working With Template Assignment Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Overview of Template Assignment Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Overview of Assignment Rule Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Overview of Constructing Template Assignment Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 An Example Software Security Center Template Assignment Policy Editing Session . . . . . . . . . . . . . . . . . . . . 46 Overview of Example Editing Session Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
HP Fortify Software Security Center Process Designer User Guide iv

Creating a New Template Assignment Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specifying a Policys Assignment Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Raising or Lowering the Runtime Order of a Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Removing a Software Security CenterTemplate Assignment Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

46 47 48 48

HP Fortify Software Security Center Process Designer User Guide

Preface
Contacting HP Fortify
If you have questions or comments about any part of this guide, contact one of the HP Fortify resources listed in this section.

Technical Support
650.735.2215 fortifytechsupport@hp.com

Corporate Headquarters
Moffett Towers 1140 Enterprise Way Sunnyvale, CA 94089 650.358.5600 contact@fortify.com

Website
http://www.hpenterprisesecurity.com

About the Software Security Center Documentation Set


The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. It also includes technical notes and release notes that describe new features, known issues, and last-minute updates. The latest versions of these documents are available on the HP Software Product Manuals site: http://h20230.www2.hp.com/selfsolve/manuals

HP Fortify Software Security Center Process Designer User Guide

vi

Chapter 1: Introduction
This document contains information about how to use Process Designer to create and edit process templates for your HP Fortify Software Security Center projects.
Note: Process Designer is installed by default during HP Fortify Source Code Analyzer installation. To use it,

you need only configure the connection to Software Security Center.

Typographic Conventions Used in This Document


This document contains three categories of typographic conventions: Conventions used to describe graphical user interface (GUI) elements Conventions used to describe command line syntax Conventions used in samples of program code, configuration files, XML, SQL, and all other text-based examples

Table 1 lists the typographic conventions used in this document.


Table 1: Typographic conventions used in this document

Convention On the File menu, click Open. expr, path

Description In procedure steps, bold indicates items that appear in the user interface. In command lines, italics indicate placeholders for information you supply. In documentation, italic letters indicate terms that the document uses in specific ways, usually the first time a term occurs in a topic. Italics also denote emphasis.

ReadOnly, FileName

In text and command lines, the use of bold and italic together indicates named arguments. In command lines, square brackets contain optional choices. In command lines, terms enclosed in braces and separate by a vertical bar indicate a choice between two or more items. You must choose one of the items unless all of the items are enclosed in square brackets.

[ expressionlist ]HP Fortify Real-Time Analyzer: Microsoft .NET Edition { While | Until}

Dim rstCust As ADODB.Recordset Copy Code Sub StockSale() . . . End Sub

In command lines, monospace font indicates code. In code examples, a column of three periods indicates that part of an example has been omitted intentionally.

HP Fortify Software Security Center Process Designer User Guide

Table 1: Typographic conventions used in this document (Continued)

Convention backslash \

Description In code examples, the backslash character is used to continue command examples that are too long to fit on a single line. For example:
dd if=/dev/rdsk/c0t1d0s6 \ of=/dev/rst0 bs=10b count=10000

In Unix-like systems, you can type command lines that contain the line continuation character: braces { } ellipses As displayed (with a backslash) On a single line without a backslash

In code examples, braces indicate required items:


.DEFINE {macro1}

In code examples, ellipses indicate an arbitrary number of similar items:


CHKVAL fieldname val1 val2 valN

HP Fortify Software Security Center Process Designer User Guide

Chapter 2: Getting Started with Software Security Center Process Designer


About This Chapter
Use this chapter to learn how to start the Process Designer, configure its connection to your Software Security Center instance, and then use Process Designer to work with Software Security Center process templates. This chapter contains the following topics: Starting Process Designer Configuring the Connection to Software Security Center Creating and Editing Software Security Center Process Templates Committing and Saving Edited Process Templates Changing the Display Name of a Process Template Customizing the Process Designer View Basic Software Security Center Process Designer Workflow

HP Fortify Software Security Center Installation and Configuration Guide

Starting Process Designer


To start Process Designer, do one of the following: If you are running Process Designer on a UNIX-based system, open a command prompt, change to the <install_dir>/bin directory, and then run ProcessDesigner. If you are running Process Designer on a Windows system, select Start All Programs HP Fortify Software HP Fortify <Version_Number> Process Designer.

Process Designer Account Permission Requirements


To work with Software Security Center process templates from Process Designer, you must have a Software Security Center user account. Table 1 lists the Software Security Center account types and shows which of these have permission to download process templates from or upload templates to Software Security Center.
Table 2: Process template permissions for Software Security Center accounts

Software Security Center Account Type Administrator Security Lead Manager Developer

Download Process Templates from Software Security Center


X X X X

Upload Process Templates to Software Security Center


X X

Permissions for Template Assignment Policies


To view and download template assignment policies in Template Assignment Policies (TAP), you must have the following permissions: View project templates, process templates, and template assignment policies View attribute definitions Manage project templates, process templates, and template assignment policies View attribute definitions

To upload assignment rules via TAP to Software Security Center you must have the following permissions:

HP Fortify Software Security Center Installation and Configuration Guide

10

Configuring the Connection to Software Security Center


To enable Process Designer to download working copies of Software Security Center process templates from a running instance of Software Security Center, you must specify the network location of that server instance.
Note: To perform the procedure in this section, you must have the URL for a running instance of Software

Security Center, and information about any proxy server used to connect to that server instance. To configure the connection between Process Designer and Software Security Center: 1. In Process Designer, select Options Options. The Options dialog box opens.

2. In the Server URL box, type the network location for your Software Security Center instance. 3. In the Proxy Server and Port boxes, type any proxy information required to connect to your Software Security Center server. 4. Click OK.

HP Fortify Software Security Center Installation and Configuration Guide

11

Creating and Editing Software Security Center Process Templates


Before you can use Process Designer edit a Software Security Center process template, you must download a working copy of that template. Process Designer can download copies of process templates from either a running instance of Software Security Center or from disk (as an FPD file).

Downloading Software Security Center Process Templates from Software Security Center
This section provides instructions on how to download a process template from Software Security Center.
Note: To download a working copy of a process template from Software Security Center, you must have a user

account for the Software Security Center instance associated with Process Designer (see Configuring the Connection to Software Security Center on page 11).

Choosing to Create a New, or Edit an Existing, Process Template


When you use Process Designer to download a working copy of a process template from Software Security Center, you can choose to do one of the following: Edit the copy of the template under a new name (Create New). If you modify a working copy of a process template under a new name, when you upload that template to Software Security Center, the server leaves the original template unchanged. Edit the copy of the template under its existing name (Edit Existing). If you modify a working copy of a process template under its existing name, when you upload that template to Software Security Center, the server overwrites the original template with the modified version. If you decide to edit a working copy of an existing process template from Software Security Center, and you then decide to instead create a new template with a different name, you can rename that working copy. Table 3 lists descriptions of all of the Software Security Center process templates.
Table 3: Process templates available in Software Security Center

Template Name Commercial Off the Shelf

Description Prescribes the minimal risk mitigation activities for an external component that your organization cannot directly control. Use only for projects that have limited exposure to external systems and not for projects that interact with sensitive data or high-risk applications. Prescribes the minimal risk mitigation activities for an application. Use only for projects that have limited exposure to external systems and not for projects that interact with sensitive data or high-risk applications. Prescribes the minimal risk mitigation activities for high-risk applications that your organization cannot directly control (for example, provider-supplied software, open source software, and so on). Use this template for an externally-developed application that is to be used with other high-risk applications or that is to interact with sensitive information. Prescribes risk mitigation activities for high-risk applications that have already undergone (or are well into) one production release. Use this for projects that, if compromised, would result in significant business exposure. The most comprehensive prescription of risk mitigation activities for a high-risk application that is still in the project planning phase. Use this for projects that, if compromised, would result in significant business exposure.

Fortify Basic Template

High Risk 3rd Party Development

High Risk Active Development High Risk New Development

HP Fortify Software Security Center Installation and Configuration Guide

12

Table 3: Process templates available in Software Security Center

Template Name Low Risk 3rd Party Development

Description Prescribes the minimal risk mitigation activities for low-risk applications that your organization cannot directly control (for example, provider-supplied software, open-source software, commercial off-the-shelf software, and so on). Use only for projects that have minimum exposure to external systems and not for projects that interact with sensitive data or high-risk applications. Prescribes risk mitigation activities for low-risk applications that have already undergone (or are well into) one production release. Use this for projects that have limited exposure to external systems. Do not use for projects that interact with sensitive data or high-risk applications. Prescribes the minimal risk mitigation activities for low risk applications that is still in the project planning phase. Use this for projects that have limited exposure to external systems. Do not use for projects (can't display the rest in the UI) that interact with sensitive data or high-risk applications. Prescribes the minimal risk mitigation activities for an externally-developed open-source component that your organization does not directly control. Use this for projects that have limited exposure to external systems. Do not use this for projects that interact with sensitive data or high-risk applications. Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. This template provides guidance on the application secretaryships activities that must be completed in order to comply with the PCI-DSS v2.0 standard as of June 2012.

Low Risk Active Development

Low Risk New Development

Open Source

PCI-DSS v2.0 Application Security Requirements Template

HP Fortify Software Security Center Installation and Configuration Guide

13

Creating Process Templates (Based on Existing Templates)


To create a process template based on a working copy from Software Security Center: 1. Log on to Process Designer, and then select Server Create New Template. The Software Security Center Login dialog box opens. 2. Enter your Software Security Center user name and password, and then click OK. Process Designer downloads the current set of process templates from Software Security Center.
Note: If Process Designer displays an error message during the templates download, verify the Process

Designer connection settings using the procedure in Configuring the Connection to Software Security Center on page 11. The Create Template dialog box opens and lists the available Software Security Center process templates.

Note: By default, the dialog box displays the message 2 errors detected. After you specify the template

name and select an existing process template to copy, Process Designer no longer displays this message. 3. In the Template name box, type a name for the template. 4. In the Template column, select a process template. 5. Click OK.

HP Fortify Software Security Center Installation and Configuration Guide

14

Process Designer downloads the data for the process template you selected and displays it in a new <Template_Name> page.

For information about how to customize your Process Designer view, see Customizing the Process Designer View on page 21. 6. To save the new process template, select File Save, and then browse to the directory in which you want to save it. Process Designer saves the template as an FPD file (with the fpd file extension) in the specified directory. 7. To close the process template, select File Close.

HP Fortify Software Security Center Installation and Configuration Guide

15

Editing Software Security Center Process Templates


To edit a working copy of a process template in Software Security Center: 1. Log on to Process Designer, and then select Server Edit Existing Template. The Software Security Center Login dialog box opens. 2. Enter your Software Security Center user name and password, and then click OK. Process Designer downloads the current set of process templates from Software Security Center.
Note: If Process Designer displays an error message during the templates download, verify the Process

Designer connection settings using the procedure in Configuring the Connection to Software Security Center on page 11. The Edit Template dialog box lists all of the process templates in the Software Security Center system.

3. In the Template column, select the process template to edit. 4. Click OK.

HP Fortify Software Security Center Installation and Configuration Guide

16

Process Designer downloads the data for the process template you selected and displays it on a new <Template_Name> page.

For information about how to customize your Process Designer view, see Customizing the Process Designer View on page 21. 5. Make any necessary changes to the template. For information about what you can modify and how to modify it, see Chapter 3: Customizing Software Security Center Process Templates on page 26. 6. To save the modified process template, select File Save. Process Designer saves the template as an FPD file (with the fpd file extension) in the directory you specify. 7. To close the template, select File Close.

HP Fortify Software Security Center Installation and Configuration Guide

17

Loading a Process Template from Disk


To load a process template file into Process Designer: 1. In Process Designer, select File Open. The File Open dialog box opens. 2. Browse to and select the process template file (with the fpd file extension) to open in Process Designer. Process Designer loads a working copy of the process template.

Committing and Saving Edited Process Templates


This section provides information about how to commit process templates to Software Security Center and how the save your edited process templates.

Committing a Process Template to Software Security Center


When you use Process Designer to commit a process template to Software Security Center, you upload the template from the active Process Designer page to the server. Because Software Security Center permits you to hide, but not delete, process templates, it is important that you carefully review each process template you modify for completeness and accuracy before you commit it to Software Security Center. If you try to commit a process template, and a process template with the same name already exists on Software Security Center, then you must either add the process template under a new name, or overwrite the existing instance of the process template.

Committing Process Templates to Software Security Center


The procedure in this section assumes that you have used Process Designer to modify a process template. To commit the edited process template currently displayed in Process Designer to Software Security Center: 1. If more than one process template page is open, check to make sure that you have selected the page tab for the template you want to commit. 2. Select Server Commit Changes. If you try to commit a process template that has the same name as a template that already exists in Software Security Center, Process Designer displays a warning and prompts you to indicate whether you want to overwrite the existing template or commit your template as a new template.

If you choose to create a new process template, Process Designer prompts you to type a name for the new template instance. Process Designer uploads the process template to Software Security Center, which now displays the template name in its Process Templates list.

HP Fortify Software Security Center Installation and Configuration Guide

18

Viewing Committed Process Templates in Software Security Center

To check the Process Templates list in Software Security Center for templates you have committed: 1. Log on to Software Security Center, and then click the Administration tab. 2. In the Process Management section of the Administration panel (on the left), click Process Templates. Software Security Center lists all of the committed process templates in the system in the right pane.

Saving Process Templates


Process Designer enables you to save a process template to disk as a Fortify Process Designer file (FPD) file. This means that you can save copies of incompletely customized process templates that you or another team member can complete later. Package completely customized process templates to share with other security teams or to archive. A process templates FPD file name may or may not correspond to the display name for the process template, which HP Fortify products use to manage templates. For information about how to change the display name of a process template, see Changing the Display Name of a Process Template on page 20.

Saving an FPD File


To save an open process template as an FPD file: 1. Process Designer saves the contents of the selected template. If you have more than one template open, verify that the one you want to save is selected. 2. Save the process template either under its current name (select File Save), or under a new name (select File Save As). If you use Save As to save an FPD file with a new name, Process Designer does not change the display name of the process template. For information about display names, see Process Template Display Names on page 20.

HP Fortify Software Security Center Installation and Configuration Guide

19

Process Template Display Names


Process templates have a display name, which may or may not match the name of the corresponding FPD file that contains the template. HP Fortify products use display names to manage templates. For example, Process Designer lists template display names in its Create Template and Edit Template dialog boxes. To change the display name of a process template, you must use Process Designer. After you change a process template display name, Process Designer uploads the new display name to Software Security Center.

Changing the Display Name of a Process Template


To rename a process template: 1. From Process Designer, open the FPD or TAP file for the process template for which you want to specify a new display name. 2. Select File Rename. The Rename Template dialog box opens.

3. In the Template name box, type the new display name.


Note: If you type a template name that already exists on Software Security Center, the Rename Template

dialog box displays an error message. 4. Click OK.

HP Fortify Software Security Center Installation and Configuration Guide

20

Customizing the Process Designer View


The default Process Designer view, which is shown in Figure 1, consists of an upper, requirements panel and a lower, global elements panel. The requirements panel displays the requirements and requirement details of the open process template, as well as the process template description, owner, assigned personas, and due date. The global elements panel displays several tabs that you can use to view and configure the global design elements of the process template. For information about the categories of global design elements, see Global Design Elements on page 31.
Figure 1: Default Process Designer view

You can change the Process Designer view in the following ways: To toggle between a horizontal (default) and a vertical orientation of fields in the upper panel use the Horizontal orientation ( ) and Vertical orientation ( ) buttons. In the lower panel, drag a tab up to display it in its own panel.

HP Fortify Software Security Center Installation and Configuration Guide

21

Restoring the Default Process Designer View


To restore the default Process Designer view: 1. Select View Reset. Process Designer prompts you to confirm that you wan to restore the default view. 2. Click OK.

Basic Software Security Center Process Designer Workflow


This section describes how Process Designer is typically used and provides an example exercise that takes you through the steps of the workflow that results in a new process template. Use this section to edit a temporary copy of a Software Security Center process template. The procedure in this section does not direct you to commit (upload) the edited template to Software Security Center. This enables you to perform the editing tasks without modifying an existing process template or adding the modified template to Software Security Centers list of templates.

Summary of Requirements and Activities


The essential elements of a process template are its requirements and activities. Requirements comprise the set of high-level objectives that a Software Security Analysis (SSA) project version must meet in order to achieve secure development. Activities are the individual tasks that must be performed in order to fulfill the SSA project versions requirements. Each requirement must have at least one associated activity.

The demonstration workflow illustrates the creation and relationship of the requirements and activities process template design elements.

HP Fortify Software Security Center Installation and Configuration Guide

22

Demonstration Work Flow


Perform the procedure in this section to demonstrate process template customization. The procedure in this section does not direct you to commit or save the modified template. This enables you to perform a demonstration customization without overwriting an existing process template or adding the modified template to Software Security Centers list of templates.

Before you Begin


The procedure in this section assumes that you have used the information in this chapter to: Start Process Designer Connect Process Designer to a running instance of Software Security Center Familiarize yourself with the essential process template editing tools

To perform a simple Process Designer customization workflow: 1. Create a new process template. (See Creating Process Templates (Based on Existing Templates) on page 14.) Name the template EXAMPLE High Risk 3rd Party Development and select the High Risk 3rd Party Development template to base it on.

Note: Do not commit the template to Software Security Center. Committing a template adds the modified

copy of the template you created for this demonstration to Software Security Center.

HP Fortify Software Security Center Installation and Configuration Guide

23

2. Add a new requirement to the working copy of the EXAMPLE High Risk 3rd Party Development Software Security Center process template. a. In the Requirements section, click Add. The Add Requirement dialog box opens.

Process Designer displays an error message next to the Name box to remind you to type a name for the new activity. b. In the Name box, type EXAMPLE REQUIREMENT. c. (Optional) From the Default Work Owner list, select the persona to which you want to assign responsibility for the requirement. d. From the Persona list, select the persona for the user who is to sign off on the completed requirement. e. In the Description box, type Example requirement. f. (Optional) In the Due Date box, specify the number of days or weeks after which the requirement must be signed off on, and then select Days or Weeks from the list on the right. g. Click OK. 3. Create a new activity in the working copy of the EXAMPLE High Risk 3rd Party Development Software Security Center process template. a. In the global elements area (lower pane), select the Activities tab, and then click Add. The Add Activity dialog box opens. b. In the Name box, type EXAMPLE PROJECT STATE ACTIVITY. c. From the Type list, select Project State. For more information about activity types, see Process Template Activity Types on page 32. d. From the Default Work Owner list, select the persona to which you want to assign responsibility for the activity. e. From the Persona list, select the persona for the user who is to sign off on the completed activity. f. In the Description box, type Example project state activity. g. Click OK. Process Designer adds EXAMPLE PROJECT STATE ACTIVITY to the Activities list. To the right, in the activities detail area for the new activity, Process Designer displays a red x next to the Indicator list. The x reminds you that you must choose an indicator type.
HP Fortify Software Security Center Installation and Configuration Guide 24

h. From the Indicator list, select Total Issues. You can now add the new activity to the EXAMPLE REQUIREMENT requirement. 4. In the Requirements list, select EXAMPLE REQUIREMENT. 5. To the right of the Activities box, click Add. The Add Activity dialog box opens.

Because an activity can be used only once in a process template, Process Designer lists activities that have not been added to any other requirement in this process template. a. From the list of activities, select EXAMPLE PROJECT STATE ACTIVITY. b. Click OK. 6. Delete EXAMPLE PROJECT STATE ACTIVITY. a. In the global elements area, select Abuse Case Creation. Process Designer does not enable the Remove button. Because global element definitions downloaded from Software Security Center exist outside of a process template, the activity cannot be deleted. b. Select EXAMPLE PROJECT STATE ACTIVITY. Process Designer enables the Remove button. Because global element definitions that have not been uploaded to Software Security Center exist only within the working copy of the process template being edited, the activity can be deleted. c. Click Remove. Process Designer deletes EXAMPLE PROJECT STATE ACTIVITY. 7. Delete EXAMPLE REQUIREMENT. a. In the Requirements area, select Threat Model. b. Select EXAMPLE REQUIREMENT, and then click Remove. Process Designer removes EXAMPLE REQUIREMENT. 8. Discard the High Risk 3rd Party Development template created for this demonstration. On the High Risk 3rd Party Development Edit tab, click the X to close the tab, and then click No to discard the modified template.

HP Fortify Software Security Center Installation and Configuration Guide

25

Chapter 3: Customizing Software Security Center Process Templates


About This Chapter
This chapter provides information about how to customize process templates. It begins with an overview and then presents a strategy for choosing a template to serve as the starting point for a new process template. Subsequent sections describe process template activities, which determine the tasks the project team must complete in order to fulfill the Secure Software Assurance (SSA) requirements for a project version. The final sections of this chapter describe how to create and manage the personas and work owners that you assign to requirements and their associated activities. This chapter covers the following topics: Overview of Customizing a New Process Template Using Global Design Elements in New Requirements Choosing a Baseline Process Template Global Design Elements Process Template Requirements Process Template Activities Time Lapse Activities Document Activities Project State Activities Adding an Activity to a Requirement Creating and Managing Sign-Off Personas Default Work Owners Software Security Center Project Templates

HP Fortify Software Security Center Process Designer User Guide

26

Overview of Customizing a New Process Template


A process template contains multiple template design elements. As a process template designer, you must have both a top down and a bottom up overview of template design elements. As you acquire more experience with process templates and Process Designer, you can develop your own refinements to template design.

Using Global Design Elements in New Requirements


Before you can add activities to a requirement, you must first determine whether the hierarchy of global design element definitions that the activity requires already exist. If the elements do not exist, you must define those global elements from the bottom up.

Choosing a Baseline Process Template


This section presents an overview of process template assessment criteria and then provides guidance on how to select the process template on which to base a new template.

Process Template Assessment Criteria


A process template contains a set of risk mitigation activities for a project. A process templates activities define the complete set of tasks that must be performed in order to minimize the risks the project introduces. When you customize a project template, you use a given project versions risk profile to determine that projects risk mitigation activities. Table 4 lists the criteria you can use to determine a project versions risk profile. Use these criteria to guide your selection of a baseline process template.
Table 4: Template assessment criteria

Criteria
Data Business Risk Access

Description Sensitivity of the data processed by the application Aggregate risk to the business, including, but not limited to, disruption of activity, property loss, and damage to reputation Security risks presented by external entities malicious interactions with any portion of the application Access can be broadly categorized as follows: Human interactions via input devices Network interactions with network systems of variable trustworthiness (external internet being least trustworthy and internal corporate network being the most trustworthy) External program or application program interface (API) interactions

Origin

Source of program components If an SSA project version incorporates any components provided by a third party, then use a process template that includes risk mitigation activities for outsourced components.

HP Fortify Software Security Center Process Designer User Guide

27

Selecting a Baseline Process Template


When you use Process Designer to customize a process template, you begin by selecting a working copy of an existing process template to use as the baseline for a customized instance of that template. HP Fortifys has designed a default set of process templates for the most common varieties of secure development objectives. Table 5 summarizes the key characteristics of these process templates.
Table 5: Default process template set

Process Template Name Third-Party Development: Low Risk, High Risk

SSA Project Version Characteristics Defines risk mitigation activities for projects that contain at least one component supplied by an external third party operating under the control of the enterprise
Data:

For projects that do not interact with sensitive data, select Low Risk. For projects that interact with sensitive data, select High Risk. For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk. For projects that do not interact with other high-risk, applications, select Low Risk. For projects that interact with other high-risk, applications, select High Risk.

Business Risk:

Access:

Origin:

For either high or low risk, contains one or more components developed by third parties operating under the direction of the enterprise Active Development: Low Risk, High Risk Defines risk mitigation activities for projects that have undergone at least one production release
Data:

For projects that do not interact with sensitive data, select Low Risk. For projects that interact with sensitive data, select High Risk. For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk. For projects that do not interact with other high-risk, applications, select Low Risk. For projects that interact with other high-risk, applications, select High Risk.

Business Risk:

Access:

Origin:

For either high or low risk, contains no components developed by third parties

HP Fortify Software Security Center Process Designer User Guide

28

Table 5: Default process template set (Continued)

Process Template Name Commercial Off The Shelf

SSA Project Version Characteristics Defines risk mitigation activities for projects that contain at least one component supplied by a third party operating outside the control of the enterprise
Data:

For projects that do not interact with sensitive data


Business Risk:

Projects that present low risk


Access:

Projects that do not interact with other high-risk applications


Origin:

For either high or low risk, contains one or more components developed by third parties operating outside of the control of the enterprise HP Fortify Basic Template Defines risk mitigation activities for projects that present only minimal risk
Data:

For projects that do not interact with sensitive data


Business Risk:

Projects that present low risk


Access:

For projects that do not interact with other high-risk applications


Origin:

Contains no components developed by third parties New Development: Low Risk, High Risk Defines risk mitigation activities for projects in the design phase, or that have yet to undergo a production release
Data:

For projects that do not interact with sensitive data, select Low Risk. For projects that interact with sensitive data, select High Risk. For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk. For projects that do not interact with other high-risk, applications, select Low Risk. For projects that interact with other high-risk, applications, select High Risk

Business Risk:

Access:

Origin:

Project does not contain any components developed by a third party

HP Fortify Software Security Center Process Designer User Guide

29

Table 5: Default process template set (Continued)

Process Template Name Open Source

SSA Project Version Characteristics Defines risk mitigation activities for projects developed by third parties operating outside the control of the enterprise
Data:

Project does not interact with sensitive data, choose Low Risk.
Business Risk:

For projects with low business risk, select Low Risk. For projects with high business risk, select High Risk.

Access:

Project does not interact with other high-risk applications


Origin:

For either high or low risk, contains one or more components developed by third parties PCI-DSS Application Security Requirements Defines risk mitigation activities for projects that must perform the activities specific to Payment Card Industry-Data Security Standard (PCI-DSS v2.0 standard as of June 2012)
Data:

For projects that interact with sensitive data


Business Risk:

Specific to PCI-DSS
Access:

For projects that interact with applications as defined by the applicable PCI-DSS standards
Origin:

Contains no components developed by third parties

HP Fortify Software Security Center Process Designer User Guide

30

Global Design Elements


Global design elements form an essential part of all Software Security Center process templates and exist outside the boundaries of any given process template. Process Designer can access all the global elements defined in Software Security Center, regardless of which process template or templates you download to edit. Table 6 lists the six default global design elements represented in the global elements (lower) panel of the Process Designer view.
Table 6: Global process template design elements

Global Design Element Activities Document definitions Personas

Description Tasks that must be performed to fulfill a process template requirement External process documents required to define a document activity Specify the default work owner and sign-off responsibilities for process template activities and requirements For information about work owners, see Default Work Owners on page 41. Performance indicators use formulas constructed from equation variables to provide project state activities a numeric or percentage metric for a specific aspect of a Secure Software Assurance project version Equation variables use formulas constructed from search strings and search targets to provide performance indicators with the formulas used to calculate a numeric or percentage metric Determine how HP Fortify products prioritize issues

Performance indicators

Equation variables

Project templates

For a seventh type of global entity, HP Fortify Software Security Center template assignment policies, Process Designer provides a separate editing environment.

Managing Global Design Elements


If you add a new design element to a working copy of a process template, and do not use Commit to Server to upload the process template that contains that element to Software Security Center, then the design element exists only in Process Designer and is not global. Process Designer lists the names of these new elements in italic font. After you use Commit to Server to upload the process template that contains the new element, Software Security Center adds that element to its list of global design elements. The next time a Process Designer user downloads process templates from Software Security Center, the new element is listed on the Global Elements tab.
Note: You can delete new design elements that have not been committed in Software Security Center.

However, after a design element has become global, you cannot delete it.

Synchronizing Global Design Elements


If you use Process Designer to load an FPD file that contains a template, the template may not include the latest set of global design elements. To acquire the current set of global design elements, use Process Designers synchronization feature. To acquire the current set of global design elements: After you open a process template in Process Designer, select Server Synchronize.

HP Fortify Software Security Center Process Designer User Guide

31

Process Template Requirements


The design of a process template begins with the templates requirements and activities. Process template requirements: Specify the set of high-level secure development objectives of a particular SSA project version. Contain one or more activities

Typically, most process template contain a similar set of requirements. It is the activities contained within those broadly similar requirements sets that determine the shape and texture of a given process template.

Defining New Requirements


The default set of Process Designer process template contain similar sets of requirements. The number and type of activities those requirements contain characterize a given type of process template. Before you create a new process template requirement, consider whether an existing requirement can simply be supplemented with one or more new activities. If you decide to create a new process template requirement, define the requirement in strategic terms. You can then populate that requirement with the activities necessary to coordinate your security teams fulfillment of that strategic security objective.

Process Template Activities


Process template activities define the tasks the security team must perform to fulfill an SSA project versions requirements. All other process template design elements serve to add management and collaboration capabilities to these activities.

Process Template Activity Types


Software Security Center supports the three process template activity types listed in Table 7.
Table 7: Software Security Center activity types

Icon

Type Time Lapse Document Project State

Description Defines an operation, such as the upload of a measurement file, that must occur at certain times during the SSA project versions lifecycle References an external document that must be completed by one or more members of the SSA secure development team Specifies the value of a process template performance indicator

Time Lapse Activities


Time lapse activities reference a system-defined event that determines how often (in days) the activity must be performed. The two categories of system-defined time lapse activity events are: Collaboration module (CM) audit events Upload events for files from a particular HP Fortify client product, a source code upload, or the upload of some other type of external file

You cannot use Process Designer or Software Security Center to create or modify time lapse activity events.

HP Fortify Software Security Center Process Designer User Guide

32

Creating a Time Lapse Activity


To define a new time lapse activity: 1. On the Activities tab in the global elements panel, click Add. The Add Activity dialog box opens. 2. In the Name box, type the name for the new activity. 3. From the Type list, select Time Lapse. 4. (Optional) Provide a description of the activity. 5. (Optional) Assign a default work owner. 6. (Optional) In the Due Date box, specify the frequency (type the number of days or weeks) with which the activity is to be performed. 7. From the Sign Off Personas list, select one or more personas to be responsible for signing off on this activity. 8. Click OK. Process Designer adds the new activity to the Activities list and displays the details of the activity on the right side of the Activities tab. 9. On the Activities tab, in the Event Type list, select an event type. For more information about personas, see Creating and Managing Sign-Off Personas on page 40. For more information about default work owners, see Default Work Owners on page 41. For instructions on how to add an activity to a process template requirement, see Adding an Activity to a Requirement on page 39.

Document Activities
A a document activity in a Software Security Center SSA project version references an external document that must be exported from Software Security Center for completion by one or more members of the project team. In Process Designer, you can choose to reference an existing document, or you can reference a placeholder for a document that the project team is to add to the activity sometime later in the project. Regardless of how the document activity references its external document, in Software Security Center the project team must access the document from a centrally accessible external location; Software Security Center does not provide version control or document management capabilities. After the project team has completed the external process document, the activitys work owner imports the completed document back into the Software Security Center document activity. The sign-off persona or personas assigned to the activity then review the completed document, and either sign off on the document activity, or sign off on it with exception.

Constructing Document Activities


Adding a document activity to a process template requirement requires that the template designer think from the bottom up. When you add a document activity to a requirement, you use Process Designer to select an existing document activity definition, or more specifically, a global activities definition of type document. A document activity, in turn, references a global document definition. A document definition references an external process document or document placeholder for the document that must be completed to fulfill the document activity. This means that before you can add a document activity to a requirement, you must determine whether the hierarchy of global design element definitions required by that activity already exist. If the elements do not exist, you must create those global element definitions before you add the activity to a requirement.

HP Fortify Software Security Center Process Designer User Guide

33

Creating a Document Definition


Process template document definitions reference an external an external process document or document placeholder. The referenced document must be completed to fulfill the document activity. Perform the procedure in this section to create a new global document definition.

Understanding Document Location Specifiers


Document definitions reference an external process document. If the document already exists, you can choose to import the document from disk into the document definition or reference the document by its URL. If the document does not yet exist, you can configure the document definition to provide a placeholder for an external document that is to be created and referenced later during the secure development lifecycle.

Whenever possible, reference external documents by URL. Documents referenced by URL helps ensure that the project team accesses the current version of the process document from its shared network location. To create a new document definition: 1. In the global elements panel, click the Document Definitions tab, and then click Add. The Add Document Definition dialog box opens. 2. Specify the new document definition details: In the Name box, type a name for the new document definition. If the document referenced by this definition already exists, select either File or URL to specify whether the document is to be imported from disk or referenced by a URL. (Optional) If the existing document referenced by this definition is to be imported from disk, click Import, and then browse to and select the referenced file. If the document is to reference a URL, then type the URL in the text box. (Optional) Type a description of the document.

3. Click OK. Process Designer adds the new document definition to the list of definitions.

Creating a Document Activity


To define a new document activity: 1. On the Activities tab in the global elements panel, click Add. The Add Activity dialog box opens. 2. In the Name box, type a name for the new document activity 3. Click OK. Process Designer adds the new document activity to the Activities list. To the right, Process Designer displays the details about the activity. 4. On the Activities tab, from the Document Definition list, select a document definition. For information about how to create document definitions, see Creating a Document Definition on page 34. 5. Assign an optional sign-off persona or default work owner to the new document activity. For more information about personas, see Creating and Managing Sign-Off Personas on page 40. For more information about default work owners, see Default Work Owners on page 41. 6. To add the new document activity to a requirement, see Adding an Activity to a Requirement on page 39.

HP Fortify Software Security Center Process Designer User Guide

34

Project State Activities


Project State activities provide a way to quantify some aspect of an SSA project versions completion status. The quantitative value of that activity can then be viewed in one or more Software Security Center summary displays and used to generate email alerts to one or more members of the project team.

Overview of Constructing a Project State Activity


Adding a project state activity to a process template requirement requires the template designer to think bottom up. A Project State activity references a global Performance Indicator definition. The Performance Indicator in turn references a global Equation Variable definition. An Equation Variable returns either an integer or percentage measurement of some aspect of an SSA project version. When you add a project state activity to a requirement, you use Process Designer to select an existing project state activity definition, or more specifically, a global activities definition of type Project State. This means that before you can add a project state activity to a requirement, you will need to determine whether the hierarchy of global design element definitions required by that activity already exist. If the elements do not exist, you will need to create those global element definitions from the bottom up before adding the activity to a requirement.

Software Security Center Equation Variables


This section provides an overview of Software Security Center equation variables.

Variable Syntactic Elements


Software Security Center variables have the following format:
modifier:searchstring

Variable Search Strings


Table 8 lists the Software Security Center variable search strings.
Table 8: Software Security Center variables, relational operators

Relational operator
Search String "Search_String"

Description Searches for the specified search string without qualification Searches for an exact match of the term wrapped in quotation marks (" ") Searches for values that match a Java-style regular expression delimited by slash marks (/)For example, /eas.+?/ Comma-separated pair of numbers that specifies the beginning and end of the number range Use a left or right bracket ([ ]) to specify that the range includes the adjoining number Use a left or right parentheses (( )) to specify that the range excludes (is greater than or less than) the adjoining number For example, (2,4] means greater than two, less than or equal to 4.

Regex Number range

! (not equal)

Negate a statement with an exclamation character (!) For example, !file:Main.java returns all issues that are not in Main.java
HP Fortify Software Security Center Process Designer User Guide 35

Variable Search Targets


Table 9 lists some commonly used Software Security Center search-string targets.
Table 9: Software Security Center variables, search-string targets

Search-string modifier
[issue age] <custom_tagname>

Description Searches for the issue age, which is either removed, existing, or new Searches the specified custom tag analysis is the default name for Primary Custom Tag which searches the issue analysis field Searches the issues metagrouping field. The default metagroups are: [OWASP Top Ten 2004] [OWASP Top Ten 2007] Searches the issues for the specified analyzer Searches the issues for type of analysis (runtime, configuration, data flow) Searches the issue attributes using the specified string Searches the issues for the specified audience Searches the issues to find true if Primary Custom Tag is set and false if not set Searches for the given category or substring of a category Searches in the comments entered on the issue Searches for issues with comments from user Searches for issues with the specified confidence value Searches for the file the issue is in High, Medium, and Low issues based on the combined values of HP Fortify SCA confidence and severity Searches the issues for a user name in the history Searches for all issues in the specified kingdom Searches for all issues with confidence up to and including the number specified as the search term Searches for all issues with confidence lower than and including the number specified as the search term Searches for issues in the specified package Returns the issues containing the context of the sink node Searches for all issues related to the specified sink rule Searches for all issues with the specified severity rating Returns the issues that have the specified string in the sink function Returns the issues that have the specified string in the source function

<metagroupings>

analyzer Analysis Type Any Attribute audience audited category (cat) comments (comment, com) comment user confidence (con) file HP Fortify Priority Order historyuser kingdom maxconf

minconf

package primary context primaryrule (rule) severity (sev) sink source

HP Fortify Software Security Center Process Designer User Guide

36

Table 9: Software Security Center variables, search-string targets (Continued)

Search-string modifier
source context sourcefile status suppressed taint

Description Returns the issues containing the context of the source node Returns the issues containing the file the source node is in. Searches the status of issues reviewed, not reviewed, or under review Searches for issues that have been suppressed Searches for issues that have the specified taint flag

Variable Examples
Software Security Center search-string syntax is similar to that of the Google search engine. Table 10 illustrates some common Software Security Center variable search strings.
Table 10: Software Security Center variables, common search strings

Search-string target All issues that contain cleanse as part of any modifier Categories except for SQL Injection Filenames containing
com/fortify/awb

Example search string


cleanse

category:!SQL Injection injection

file:"com/fortify/awb"

Paths that contain traces with cleanse as part of the name Paths that contain traces with mydbcode.sqlcleanse as part of the name Privacy violations in filenames that contain jsp with getSSN() as a source. Suppressed vulnerabilities with asdf in the comments Two (or more) queries use the same modifier to create a logical OR

trace:cleanse

trace:mydbcode.sqlcleanse

category:"privacy violation" source:getssn file:jsp

suppressed:true comments:asdf

category:sql injection category:privacy violation (Category equals sql injection OR privacy violation)

Creating an Equation Variable


To create an equation variable: 1. In the global elements panel, click the Equation Variable tab, and then click Add. The Add Equation Variable dialog box opens. 2. In the Name box, type a name for the variable.
Note: The first character in the variable name must not be a numeric character (0-9 ). The rest of the name can consist of alphanumeric characters and the underscore character. HP Fortify Software Security Center Process Designer User Guide 37

3. Click Advanced. The Search Query dialog box opens.

4. Define the equation variable, as follows: a. From the list on the left, select a modifier. b. From the center list, select an operator. c. In the box on the right, type a search string. d. Click OK. The Add Equation Variable dialog box opens. The Search string box displays the search string you specified. 5. Click OK. Process Designer adds the new equation variable to the Equation Variables list and displays the details of the activity on the right side of the Activities tab.

Creating Performance Indicators


Project state activities define an equation constructed from global equation variable definitions. That equation returns an integer or percentage result about some aspect of project status. You can then use that status metric in Software Security Center Dashboard or project version displays, or to send an email alert to members of the project team. To create a performance indicator: 1. In the global elements panel, click the Performance Indicator tab, and then click Add. The Add Performance Indicator dialog box opens. 2. In the text box, type a name for the performance indicator. 3. Click OK. Process Designer adds the new performance indicator to the Performance Indicators list and displays the details about the performance indicator on the right side of the tab. 4. In the Equation box, construct a valid equation using global equation variables. 5. Click OK.

HP Fortify Software Security Center Process Designer User Guide

38

Creating a Project State Activity


To define a new project state activity: 1. In the global elements panel, click the Activities tab, and then click Add. The Add Activities dialog box opens. 2. Specify the details for the activity as follows: a. In the Name box, type the name for the project state activity. b. In the Type list, choose Project State. c. (Optional) Type a description of the activity. d. (Optional) Assign a default work owner. e. (Optional) In the Due Date box, specify the frequency (type the number of days or weeks) with which the activity is to be performed. f. From the Sign Off Personas list, select one or more personas to be responsible for signing off on this activity. g. Click OK. Process Designer adds the new project state activity to the Activities list and displays its details to the right of the list. 3. Select and configure the indicator for the project state activity as follows: a. From the Indicator list, select a performance indicator. For information about how to create performance indicators, see Creating Performance Indicators on page 38. b. From the list of operators, select an operator. c. In the text box to the right of the operators list, type a value that corresponds to the integer or percentage value returned by the selected performance indicator. For more information about personas, see Creating and Managing Sign-Off Personas on page 40. For more information about default work owners, see Default Work Owners on page 41. For instructions on how to add an activity to a requirement, see Adding an Activity to a Requirement on page 39.

Adding an Activity to a Requirement


The procedure in this section describes how to add a new activity to an existing process template requirement. To add an activity to a process template requirement: 1. In the requirements panel of Process Designer, from the Requirements list, select a requirement. The Activities box on the right lists the activities defined for the selected requirement. 2. To add the new activity to the selected requirement: a. To the right of the Activities box, click Add. The Add Activity dialog box opens. b. From the list of activities, select an activity. c. Click OK. Process Designer adds the activity to the requirement.
HP Fortify Software Security Center Process Designer User Guide 39

Creating and Managing Sign-Off Personas


In Software Security Center, one or more personas have sign-off responsibility for process template requirements and activities. Personas enable the process template designer to: Assign sign-off responsibility for process template requirements and activities to organizational units or job titles (rather than Software Security Center user account privilege levels) Require that more than one persona sign off a particular process template requirement or activity Achieve a high level of accountability with regard to task assignments and completion Efficiently manage changing personnel resources throughout a Software Security Center SSA project versions complete development lifecycle

For more information about working with personas in Software Security Center, see the HP Fortify Software Security Center User Guide.

Default Personas
Software Security Center includes a default set of global persona definitions, which are listed in Table 11.
Table 11: Software Security Center default personas

Default Persona Architect Business Risk Owner Developer Operations and Build Teams Project Manager QA Testers Security Expert/Champion Support Operations

Example responsibilities High-level design and system engineering Sign off on the complete set of business and technological risks for the application Design and implement code, scan that code for vulnerabilities, and address security issues contained in that code Deploy and maintain applications in production settings. Ensure that all project milestones are enumerated and completed Test and verify software throughout the secure development process Define and ensure compliance with the SSA project versions security strategy and delivery Internal and external customer support and technical operations support

Creating a Persona
The procedure in this section describes how to define a new persona. More specifically, the procedure describes how to create a new global activity definition of type Document. To define a new persona: 1. In the global elements panel, click the Personas tab, and then click Add. The Add Persona Definition dialog box opens. 2. Supply the persona details as follows: a. In the Name box, type a name for the persona. b. (Optional) Type a description of the persona.
HP Fortify Software Security Center Process Designer User Guide 40

c. Click OK. Process Designer adds the persona to the Personas list. For instructions on how to add a persona to a process template requirement or activity, see Adding a Persona to a Requirement or Activity.

Adding a Persona to a Requirement or Activity


The procedure in this section describes how to add a new persona to an existing process template requirement or activity. 1. To add a persona to a requirement: a. From the Requirements list in the Requirements panel, select a requirement. b. On the right side of the Requirements panel, from the Requirement Sign Off Personas list, select one or more sign-off personas. 2. To add a persona to an activity: a. On the Activities tab in the global elements panel, select a listed activity. b. On the right side of the Activities tab, from the Activity Sign Off Personas list, select one or more sign-off personas.

Default Work Owners


In Software Security Center, work owners are users whose Software Security Center accounts have permission to perform certain activities and requirements in a given SSA project version. You can assign work owners to activities and requirements. If you assign a work owner to a process template requirement, neither Process Designer nor Software Security Center automatically assigns that work owners to any requirement activities. Software Security Center assigns work owners on the basis of server account name. But when you use Process Designer to customize a process template, you may not be able to compileor maintaina complete and accurate list of the server account names for all Software Security Center instances that will use the process template. Therefore, Process Designer allows you to assign personas as a requirement or activitys default work owner. When a member of the project team assigns a Software Security Center user account name to that persona, Software Security Center replaces the persona name with the user account name.

Adding a Default Work Owner to a Requirement or Activity


To add a new persona to an existing process template requirement or activity: 1. To add a persona to a requirement: a. From the Requirements list in the Requirements panel, select a requirement. b. On the right side of the Requirements panel, from the Requirement Default Work Owner list, select a work owner. 2. To add a persona to an activity. a. On the Activities tab, from the Activities list, select an activity. b. To the right side of the Activities list, from the Default Work Owner list, select a work owner.

HP Fortify Software Security Center Process Designer User Guide

41

Software Security Center Project Templates


Project templates determine how HP Fortify products prioritize issues. When you create an SSA project version, Software Security Center uses the new project versions attributes to recommend a process template. Each Software Security Center process template includes a project template that corresponds to the project versions SSA and security requirements. In addition to its default set of project templates, Software Security Center enables customized project templates to be imported into the server. An imported project template then becomes an additional global design element. To learn more about importing project templates into Software Security Center, see the HP Fortify Software Security Center User Guide.

Assigning a Project Template to a Process Template


The procedure in this section describes how to use Process Designer to assign a globally-defined project template definition to a process template. To assign a project template to a process template: In the Requirements panel, from the Project Template list, select a project template to assign to the open process template.

HP Fortify Software Security Center Process Designer User Guide

42

Chapter 4: Working with Software Security Center Template Assignment Policies


About This Chapter
This chapter provides details about the Process Designers Template Assignment Editor. This chapter contains the following topics: Overview of the Software Security Center Center Template Assignment Policy Operation Getting Started with Software Security Center Template Assignment Policy Editor Working With Template Assignment Policies An Example Software Security Center Template Assignment Policy Editing Session

Overview of the Software Security Center Center Template Assignment Policy Operation
In Software Security Center, you must select a process template before you can finish creating a new SSA project version. When you select a process template, Software Security Center uses the servers template assignment policies to recommend a process template that corresponds to the project versions attributes. To determine which process template to recommend, Software Security Center sequentially evaluates its list of template assignment policies until it finds the first policy with assignment rules that matches the SSA project versions attributes. Software Security Center then stops scanning the list of Template Assignment Policies and places the process template specified by the matching policy in the process template panels Template list. (Software Security Center permits you to override that recommendation and choose another process template if desired.)

Getting Started with Software Security Center Template Assignment Policy Editor
This section contains the following topics: Downloading Software Security Center Template Assignment Policies Uploading Edited Template Assignment Policies Saving Software Security Center Template Assignment Policies to Disk

Downloading Software Security Center Template Assignment Policies


Before you can perform the procedure described in this section, you must first start Software Security Center Process Designer and configure the connection between Process Designer and a running instance of Software Security Center (see Chapter 4, Getting Started with Software Security Center Process Designer on page 9). To download template assignment policies from Software Security Center: 1. In Process Designer, select Server Edit Template Assignment Policies. Process Designer downloads the template assignment policy definitions from Software Security Center. (Process Designer also acquires the current values for the process template project attributes and project attribute values). 2. From the Template Assignment Policies list, select a template assignment policy.

HP Fortify Software Security Center Process Designer User Guide

43

Process Designer updates the right-side details pane with the template assignment policy rules.

For more information about template assignment policy rules, see Overview of Assignment Rule Elements on page 45.

Uploading Edited Template Assignment Policies


To upload new or edited template assignment policies to Software Security Center, perform the procedure in this section. To upload modified template assignment policies to Software Security Center: 1. In Server, choose Upload Template Assignment Policies. Process Designer displays the Upload Template Assignment Policies confirmation dialog box. 2. Click Yes. Process Designer uploads the template assignment policies to Software Security Center.

Saving Software Security Center Template Assignment Policies to Disk


Perform the procedure in this section to save the current Template Assignment Policies editing tab to disk as a template assignment policy file (.tap filename extension). To save the Template Assignment Policies editing tab to disk as a TAP file: 1. Select File Save. The Template Assignment Policies editor does not enable the File Save option if the policies set is unchanged. To save an unmodified template assignment policy, choose Save As. Process Designer prompts you for the location of the template assignment policy file. 2. Choose the location to save the TAP file, and then click Save.

HP Fortify Software Security Center Process Designer User Guide

44

Working With Template Assignment Policies


This section contains the following topics: Overview of Template Assignment Rules Overview of Assignment Rule Elements Overview of Constructing Template Assignment Rules

Overview of Template Assignment Rules


The following two criteria determine which template assignment policy Software Security Center uses to recommend a new SSA project version process template: The template assignment policys position in the list of policy definitions The template assignment policys assignment rules

Overview of Assignment Rule Elements


The template assignment policy editor supports three types of rule element: Type, Project Attribute, and Project Attribute Value. The Type rules in turn consists of two categories: Logical operators or Project Attribute Definitions. Table 12 lists the three categories of template assignment policy assignment rules.
Table 12: Template assignment policy assignment rules

Assignment criterion
Type,

Description Use the And, Or, and Not logical operators to create Boolean expressions that provide container elements for Project Attribute elements Select Project Attribute Definition to enable the Project Attribute and Project Attribute Value lists, described later in this table When Type equals Project Attribute Definition, use the Project Attribute list to choose an existing global project attribute definition The choice of project attribute determines the values listed in the Project Attribute Value list, described next

logical operator
Type,

Project Attribute Definition


Project Attribute

Project Attribute Value

When Type equals Project Attribute Definition, use the Project Attribute Value list to choose the value of the project attribute selected in the Project Attribute list

Overview of Constructing Template Assignment Rules


When you specify a template assignment policys rules, Process Designer guides you through the rulescreation process by enabling and disabling certain selections in the Add Child dialog box. The following rules govern the creation of nodes in an assignment policys rule definition: No node can be changed to a project attribute node if it contains any children No node can be changed to a NOT if it contains more than one child You cannot add a child to a Project Attribute type You cannot add a NOT as a child to a parent NOT
HP Fortify Software Security Center Process Designer User Guide 45

Additionally, the following governs how you can add a child to a node:

An Example Software Security Center Template Assignment Policy Editing Session


This section contains the following topics: Overview of Example Editing Session Tasks Creating a New Template Assignment Policy Specifying a Policys Assignment Rules Raising or Lowering the Runtime Order of a Policy Removing a Software Security CenterTemplate Assignment Policy

Overview of Example Editing Session Tasks


The procedures in this section illustrate how to create and configure a new template assignment policy. To create and configure a new template assignment policy, you must first create the policy definition. You must then define the new policys assignment rules. Finally, you can increase or decrease the policys likelihood of being selected for a given SSA project version by moving the policy up or down in the list of policies. The procedures in this section assumes you have performed the procedure in Downloading Software Security Center Template Assignment Policies on page 43.

Creating a New Template Assignment Policy


To perform an example template assignment policy editing session: 1. On the Process Designer Template Assignment Policies tab, in the list of template assignment policies, click Add. The Add Template Assignment Policy dialog box opens.

2. In the Name text entry area, type EXAMPLE Template Assignment Policy. 3. From the Process Template list, select Low Risk 3rd Party Development. If Software Security Center selects EXAMPLE Template Assignment Policy during the creation of a new SSA project version, the policy will recommend the Low Risk 3rd Party Development process template. 4. In the Description box, type Example of a new template assignment policy. 5. Click OK. Process Designer adds the new definition to the list of definitions.

HP Fortify Software Security Center Process Designer User Guide

46

Specifying a Policys Assignment Rules


Perform the procedure in this section to configure EXAMPLE Template Assignment Policy to apply to any SSA project version where Project Attribute Value specifies that some portion of the project includes code developed by a third party. To add assignment rules to EXAMPLE Template Assignment Policy: 1. Define a logical Or to contain multiple project attribute specifiers. a. In the left-side list of policy definitions, select EXAMPLE Template Assignment Policy, from the list of assignment rules on the right, select EXAMPLE Template Assignment Policy. b. Click Add Child. The Add Child dialog box opens.

c. From the Type list, select Or. d. Click OK. Process Designer displays the Or operator as a child of the EXAMPLE template assignment policy. 2. Add the first Project Attribute specifier to EXAMPLE Template Assignment Policy. a. From the list of assignment rules on the right, select the Or operator you created in the preceding step, b. Click Add Child. The Add Child dialog box opens. c. Select the Or.
Note: If you select an element that cannot support a child element, Process Designer does not enable the Add Child button. This Process Designer feature helps you construct well-formed template assignment

rules. d. From the Project Attribute list, select Development Strategy. Process Designer updates the Project Attribute Value List with the valid values for the Development Strategy attribute. e. From the Project Attribute Value list, select Fully Outsourced. f. Click OK. Process Designer adds the new Project Attribute child to the Or logical operator. 3. Repeat step 2, but this time, from the Project Attribute Value list, select Partially Outsourced. 4. Repeat step 2, but this time, from the Project Attribute Value list, select Open Source. The policy now specifies assignment rules for any SSA project version that contains any code developed by a third party.

HP Fortify Software Security Center Process Designer User Guide

47

Raising or Lowering the Runtime Order of a Policy


You can raise or lower a given template assignment policys likelihood of being selected by moving the policys position upward or downward in the list of policies. In Software Security Center, when you create a new SSA project version, the final step in the project creation process is to select the process template used by the new project version: You cannot complete the project creation process until you select a process template. To recommend a process template, Software Security Center sequentially evaluates its list of template assignment policies until it finds the first template assignment policy with assignment rules that match the new project versions attributes; Software Security Center then stops evaluating policies and recommends the process template specified by the matching policy. Because Software Security Center stops evaluating the list of policies after it detects a match, the position of a given template assignment policy in the list of policies affects the likelihood of that policy, and the process template specified by that policy, becoming the recommended process template for a new SSA project version. To position a template assignment policy in the list of policies: 1. From the Template Assignment Policies list, select EXAMPLE Template Assignment Policy. 2. To change the position of in the list of policies, use the Up and Down buttons to the right of the list.

Removing a Software Security CenterTemplate Assignment Policy


Perform the procedure in this section to remove (delete) EXAMPLE Template Assignment Policy. You can also use the template assignment policy editor to remove assignment policies that were previously uploaded to Software Security Center. To completely remove a template assignment policy, you must use the Process Designer Template Assignment Editor to remove the policy from the list, then upload the revised list of policies to Software Security Center. To delete a template assignment policy from the list of policies: 1. From the Template Assignment Policies list, select EXAMPLE Template Assignment Policy. 2. Click Remove. If you had deleted a non-demonstration template assignment policy, in Save you would use Upload to upload the revised list of policies to Software Security Center. In Software Security Center, the list of template assignment policies no longer includes the abridged list.

HP Fortify Software Security Center Process Designer User Guide

48