Introduction

The Parasoft Security Compliance Pack is a set of assets for your DTP infrastructure that help you implement your software security compliance initiatives. It includes configurations that re-orient static analysis data to security compliance standards, widgets for viewing your security compliance status, and a custom compliance DTP dashboard for monitoring the progress toward your overall security compliance goals.

The Security Compliance Pack can be adapted to support any security-related standard, but it supports CWE Top 25 and CWE List Version 2.11 out of the box. Contact your Parasoft representative for download and licensing information.

About CWE Top 25 2011

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

Visit http://cwe.mitre.org/top25/ to learn more about the CWE Top 25 standard.

About CWE List Version 2.11

The Common Weakness Enumeration (CWE) is a list of software weakness types. It is an ongoing community-driven effort to capture the specific effects, behaviors, exploit mechanisms, and implementation details affecting software development. The items on the list are created with input from many organizations and individuals. The position on the list is chosen based on real-world criteria, such as prevalence, ease of exploitation, etc.

Visit https://cwe.mitre.org/data/ to learn more about the CWE List.

Requirements

In addition to the Security Compliance Pack, the following Parasoft products are also required:

  • Development Testing Platform (DTP) Enterprise 5.3.3 or later
  • DTP Extension Designer 5.3.3 or later (included with the DTP Enterprise license)
  • The Key Performance Indicator 2.1 (or later) extension must be installed and the Security Impact profile must be enabled.
  • A code analysis tool (i.e., Jtest, C/C++test, or dotTEST) version 10.3.2 or later with the Flow Analysis license feature enabled.

Process Overview

  1. Deploy the Security Compliance Pack configuration files to DTP.
  2. Connect your code analysis tool to DTP and configure the report settings, such as project name, build ID, etc. See the documentation for your analysis tool for details. This enables the tool to send code analysis data to the correct project in DTP for processing.
  3. Install, configure, and deploy the Security Compliance artifact, which includes widgets for viewing compliance status on your DTP dashboard, as well as configurations for reorienting Parasoft static analysis rules to display as CWE IDs. This process is performed in DTP Extension Designer.
  4. Analyze the project with your code analysis tool using the configuration and report violations to DTP.
  5. Run the KPI Process Intelligence slice as part of your automated build process to generate the compliance data.
  6. Use the DTP dashboard template, widgets, and reports to monitor compliance with security standards.

What’s Included in the Parasoft Security Compliance Pack

The Security Compliance Pack includes the following artifacts.

CWE Compliance Rule Categories

The pack ships with four sets of compliance categories that enable CWE-centric views of the static analysis data reported by the code analysis tools:

File: compliance_cweid_all.xml
Description: MITRE CWE 2.11. This set of compliance categories re-maps the static analysis violations so that they are grouped and displayed as CWE List Version 2.11 errors in widgets and reports.

File: compliance_impact_all.xml
Description: MITRE CWE 2.11 - Technical Impact. This set of compliance categories re-maps the static analysis violations so that they are grouped and displayed in widgets and reports by their technical impact according to CWE List Version 2.11 guidelines.

File: compliance_cweid_top25.xml
Description: 2011 CWE/SANS Top 25. This set of compliance categories re-maps the static analysis violations so that they are grouped and displayed as CWE/SANS Top 25 Most Dangerous Software Programming Errors in widgets and reports.

File: compliance_impact_top25.xml
Description: 2011 CWE/SANS Top 25 - Technical Impact. This set of compliance categories re-maps the static analysis violations so that they are grouped and displayed in widgets and reports by their technical impact according to CWE/SANS Top 25 Most Dangerous Software Programming Errors guidelines.

For both technical-impact sets, the "technical impact" is a weakness categorization in CWE. See https://cwe.mitre.org/cwraf/ti_scorecard.html for additional information.

See Custom Compliance Categories for additional information about rule categories in DTP.
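The re-mapping that these category files perform, and the numbers the Violations in Compliance - Pie widget derives from it (categories applied, categories the code is compliant with, and the overall percentage), can be illustrated with a small script. This is an added example, not Parasoft's code: the rule IDs, the rule-to-CWE mapping and the violation records are constructed, and the real XML format of the compliance category files is not reproduced.

```python
"""Added example (not Parasoft's code): re-map static analysis violations
onto CWE compliance categories and derive the figures shown by the
'Violations in Compliance - Pie' widget: categories applied, categories
with which the code is compliant, and the overall compliance percentage.
All rule IDs, mappings and violations below are constructed."""
from collections import defaultdict

# Constructed rule-to-CWE mapping standing in for a compliance category
# set such as compliance_cweid_top25.xml (the XML format is not shown here).
RULE_TO_CWE = {
    "EXAMPLE.SQLI": "CWE-89",              # SQL injection
    "EXAMPLE.CMDI": "CWE-78",              # OS command injection
    "EXAMPLE.BUFOVF": "CWE-120",           # classic buffer overflow
    "EXAMPLE.XSS": "CWE-79",               # cross-site scripting
    "EXAMPLE.HARDCODED_CRED": "CWE-798",   # hard-coded credentials
}

# Constructed violations as an analysis tool might report them for one build.
VIOLATIONS = [
    {"rule": "EXAMPLE.SQLI", "file": "dao/UserDao.java", "line": 42},
    {"rule": "EXAMPLE.SQLI", "file": "dao/OrderDao.java", "line": 17},
    {"rule": "EXAMPLE.BUFOVF", "file": "net/parse.c", "line": 210},
    {"rule": "EXAMPLE.FORMATTING", "file": "util/Fmt.java", "line": 3},  # not a security rule
]


def remap_to_categories(violations, mapping):
    """Group violations by the CWE category their rule maps to.
    Rules that are not in the mapping are outside the compliance view
    and are dropped (they still exist in DTP, just not in this category set)."""
    grouped = defaultdict(list)
    for v in violations:
        cwe = mapping.get(v["rule"])
        if cwe is not None:
            grouped[cwe].append(v)
    return dict(grouped)


def compliance_summary(violations, mapping):
    """Return the pie-widget figures for one category set.
    A category counts as compliant when no violation maps to it."""
    applied = set(mapping.values())               # every category the set defines
    grouped = remap_to_categories(violations, mapping)
    violated = set(grouped)                       # one pie segment per violated category
    compliant = applied - violated
    pct = 100.0 * len(compliant) / len(applied)
    return {
        "categories_applied": len(applied),
        "categories_compliant": len(compliant),
        "compliance_percent": round(pct, 1),
        "segments": {cwe: len(vs) for cwe, vs in grouped.items()},
    }


if __name__ == "__main__":
    summary = compliance_summary(VIOLATIONS, RULE_TO_CWE)
    print(f"{summary['categories_compliant']}/{summary['categories_applied']} "
          f"categories compliant ({summary['compliance_percent']}%)")
    for cwe, count in sorted(summary["segments"].items()):
        print(f"  {cwe}: {count} violation(s)")
```

With the constructed data, two of the five categories (CWE-89 and CWE-120) have violations, so the code is compliant with three of five categories, or 60%. Swapping in a different mapping (for example one keyed by technical impact rather than CWE ID) is what distinguishes the four category sets above; the violations themselves do not change.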

Security Compliance Workflow

The Security Compliance DTP Workflow performs additional advanced analysis to align code analysis findings with security compliance standards. The artifact includes the following widgets and report:

  • Violations in Compliance - Pie
  • Violations in Compliance - Treemap
  • Compliance Violations by Metadata
  • Compliance Violations by Metadata Report

See Viewing Security Compliance Status for details.

CWE Top 25 Dashboard Template

The template adds security compliance-related widgets to your DTP dashboard (see Custom Dashboard Templates for additional information about dashboard templates).

Configuring DTP for Security Compliance Reporting

Unzip the Security Compliance Pack into your DTP home installation directory to deploy the necessary assets. You may need to restart DTP (see Stopping DTP Services and Starting DTP Services).

Executing Code Analysis

See the tool documentation for instructions on configuring and executing code analysis.

Configuring Extension Designer

Installing and Deploying the Security Compliance Workflow

  1. Most extensions for DTP Enterprise Pack are downloaded and installed directly from the connected marketplace, such as the Parasoft Marketplace, but the Security Compliance DTP Workflow must be downloaded and installed manually. See Uploading Artifacts for instructions.
  2. Deploy the artifacts after installation. See Deploying Services.

Running the KPI Slice

The Key Performance Indicator (KPI) Process Intelligence slice defines a KPI associated with static analysis rules so you can measure and quantify results. The KPI slice uses model profiles to perform custom calculations (see Working with Model Profiles). You can adjust the calculations by modifying the profile.

KPI ships with an example model profile called “Security Impact” that demonstrates how you can adjust the weight of static analysis rules to define your own KPIs, such as the impact of a rule on security.

Every rule can have a different weighting, and not every rule has to be in the profile, which enables you to run different KPIs for different purposes and different profiles for different subsets of rules. 
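The weighting idea behind a model profile can be shown with a short script: each rule in the profile carries a weight, rules absent from the profile contribute nothing, and the same violations therefore produce different KPIs under different profiles. This is an added example, not Parasoft's KPI slice or its Security Impact profile; the rule IDs, weights and violations are constructed, and the real profile format is not reproduced.

```python
"""Added example (not Parasoft's KPI slice): a weighted KPI computed from a
model profile that maps rule IDs to weights. Rules missing from the profile
are ignored, which is what lets one set of violations feed several KPIs.
Profile contents, rule IDs and violations are all constructed."""

# Constructed profile in the spirit of the "Security Impact" example profile.
SECURITY_IMPACT_PROFILE = {
    "EXAMPLE.SQLI": 10,
    "EXAMPLE.CMDI": 10,
    "EXAMPLE.BUFOVF": 8,
    "EXAMPLE.HARDCODED_CRED": 5,
    # EXAMPLE.FORMATTING is deliberately not listed: it has no security impact.
}

# A second constructed profile for a different purpose, covering a different
# subset of rules with different weights.
MAINTAINABILITY_PROFILE = {
    "EXAMPLE.FORMATTING": 1,
    "EXAMPLE.BUFOVF": 2,
}

# Constructed violations reported for one build.
VIOLATIONS = [
    {"rule": "EXAMPLE.SQLI", "file": "dao/UserDao.java", "line": 42},
    {"rule": "EXAMPLE.SQLI", "file": "dao/OrderDao.java", "line": 17},
    {"rule": "EXAMPLE.BUFOVF", "file": "net/parse.c", "line": 210},
    {"rule": "EXAMPLE.FORMATTING", "file": "util/Fmt.java", "line": 3},
]


def weighted_kpi(violations, profile):
    """Return (total score, per-rule breakdown) for one profile.
    Each violation adds its rule's weight; rules outside the profile add 0."""
    breakdown = {}
    for v in violations:
        weight = profile.get(v["rule"])
        if weight is None:
            continue
        breakdown[v["rule"]] = breakdown.get(v["rule"], 0) + weight
    return sum(breakdown.values()), breakdown


def kpi_per_kloc(violations, profile, kloc):
    """Normalise the score by code size so builds of different sizes compare."""
    if kloc <= 0:
        raise ValueError("kloc must be positive")
    score, _ = weighted_kpi(violations, profile)
    return round(score / kloc, 2)


if __name__ == "__main__":
    for name, profile in (("security impact", SECURITY_IMPACT_PROFILE),
                          ("maintainability", MAINTAINABILITY_PROFILE)):
        score, breakdown = weighted_kpi(VIOLATIONS, profile)
        print(f"{name}: score={score} breakdown={breakdown} "
              f"per-KLOC={kpi_per_kloc(VIOLATIONS, profile, 12.5)}")
```

Under the constructed security-impact profile the two SQL-injection findings dominate the score (20 of 28 points) and the formatting finding is invisible; under the maintainability profile the same build scores 3, with the formatting finding now counted. Adjusting a weight in the profile, as the text describes, changes the KPI without re-running analysis.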

Run KPI as part of your automated build process

Depending on the volume of data being analyzed, KPI calculation may require multiple runs to acquire the core data and may take significant time. For that reason, trigger the KPI calculation as part of your build process, or manually by using a trigger node in the KPI slice.

After configuring the profile, it must be passed when invoking the KPI slice to run the calculation. See Invoking the Calculation for instructions on invoking KPI with the Security Impact profile enabled.

Viewing Security Compliance Status

After installing the Security Compliance DTP Workflow and running the KPI Process Intelligence slice with the Security Impact profile, you can add the CWE Top 25 template to your dashboard (see Adding Dashboards).

The template includes the widgets installed as part of the Security Compliance DTP Workflow, as well as the following native DTP widgets:

Security Compliance Widgets

The following widgets are added when you install the Security Compliance DTP Workflow.

Violations in Compliance - Pie

This widget shows the overall compliance status as a percentage. Each pie chart segment represents a compliance category that the code violates. The widget also shows the total number of compliance categories being applied and the number of categories with which the code is compliant.

This widget is added to the Compliance category after deploying the Security Compliance DTP Workflow. See Adding Widgets for instructions on how to manually add the widget to your dashboard.

You can configure the following settings:

Title

Enter a new title to replace the default title that appears on the dashboard.

Filter

Choose Dashboard Settings to use the dashboard filter or choose a filter from the drop-down menu.

Target Build

Choose a build from the drop-down menu. Only the data for this build will appear in the widget.

Compliance

Choose one of the following compliance category groups (see CWE Compliance Rule Categories for details): 

  • MITRE CWE 2.11
  • MITRE CWE 2.11 - Technical Impact
  • 2011 CWE/SANS Top 25 - Technical Impact
  • 2011 CWE/SANS Top 25 

You can also choose any other compliance category available in DTP.

You can add an instance of the widget for each set of compliance categories.

You can perform the following actions:

Violations in Compliance - Treemap

This widget shows the violations grouped by compliance in a tree map. Each tile is assigned a color and represents a compliance category.

This widget is added to the Compliance category after deploying the Security Compliance DTP Workflow. See Adding Widgets for instructions on how to manually add the widget to your dashboard.

You can configure the following settings:

Title

Enter a new title to replace the default title that appears on the dashboard.

Filter

Choose Dashboard Settings to use the dashboard filter or choose a filter from the drop-down menu.

Target Build

Choose a build from the drop-down menu. Only the data for this build will appear in the widget.

Compliance

Choose one of the following compliance category groups (see CWE Compliance Rule Categories for details): 

  • MITRE CWE 2.11
  • MITRE CWE 2.11 - Technical Impact
  • 2011 CWE/SANS Top 25 - Technical Impact
  • 2011 CWE/SANS Top 25 

You can also choose any other compliance category available in DTP.

You can add an instance of the widget for each set of compliance categories.

You can perform the following actions:

  • Mouse over a tile to view the number of violations associated with a specific category.
  • Click on a tile to open the Violations Explorer.

Compliance Violations by Metadata

This widget shows the distribution of Parasoft metadata (priority, action, and risk impact) associated with the violations reported in the filter. This widget is added to the Compliance category after deploying the Security Compliance DTP Workflow. See Adding Widgets for instructions on how to manually add the widget to your dashboard.

You can configure the following settings:

Title

Enter a new title to replace the default title that appears on the dashboard.

Filter

Choose Dashboard Settings to use the dashboard filter or choose a filter from the drop-down menu.

Target Build

Choose a build from the drop-down menu. Only the data for this build will appear in the widget.

Compliance

Choose one of the following compliance category groups (see CWE Compliance Rule Categories for details): 

  • MITRE CWE 2.11
  • MITRE CWE 2.11 - Technical Impact
  • 2011 CWE/SANS Top 25 - Technical Impact
  • 2011 CWE/SANS Top 25 

You can also choose any other compliance category available in DTP.

Group by

Choose a type of metadata to group by in the widget (priority, action, and risk impact).

You can add an instance of the widget for each type of metadata.

You can perform the following actions:

  • Mouse over a segment in the chart to view the number of violations tagged according to a specific metadata category.
  • Click on a section to open the Compliance Violations by Metadata Report filtered by type of metadata.

For new projects or for projects in which the metadata has not been set, the chart will show undefined metadata for the violations reported.

You can manually set the metadata in the Violations Explorer (see Addressing Violations) or implement a flow as part of your build automation process to automatically set the metadata (see the How to Update Violations Metadata tutorial for additional information).

Compliance Violations by Metadata Report

This report shows the violations grouped by priority, risk, or action depending on the configuration of the widget you clicked to open the report.  

The report is filtered by the widget segment you clicked, but you can use the Group By drop-down menu to filter the report by different metadata values.

You can also click on a link in the Violation Count column to open the Violations Explorer.
