The Parasoft OWASP Compliance extension is a set of assets for your DTP infrastructure that enable you to demonstrate compliance with OWASP coding guidelines. The extension is shipped as part of the Security Compliance Pack for DTP 5.4.0. Contact your Parasoft representative to download and license the Security Compliance Pack.

About OWASP Top 10

OWASP Top 10: The Ten Most Critical Web Application Security Risks is a collection of coding guidelines for ensuring web application security. OWASP Top 10 is focused on identifying the most serious web application security risks that affect many organizations. For each risk, OWASP provides information about the likelihood of a security vulnerability resulting from a violation, as well as its technical impact, using a ratings scheme based on the OWASP Risk Rating Methodology.

Where possible, the names of the risks in the Top 10 are aligned with Common Weakness Enumeration (CWE) weaknesses to promote generally accepted naming conventions and to reduce confusion. 

See https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project for additional information about OWASP Top 10.

Prerequisites

  • DTP 5.4.0 or later
  • A Parasoft code analysis tool (desktop or plug-in edition) 10.4.0 or later. 

See Security Compliance Pack for DTP 5.4.0 for additional information.

Process Overview

  1. Analyze code using the OWASP Top 10 2017 test configuration (shipped with your code analysis tool) and report violations to DTP. The test configuration and the rulemap.xml file (also shipped with the tool) configure the analysis rules to report violations according to OWASP guidelines.
  2. Install the Security Compliance Pack (security-compliance-<version>.zip) using Extension Designer. This enables DTP to process the code analysis data to output the compliance deliverables.
  3. Add the OWASP Compliance dashboard and widgets to your DTP interface. The dashboard widgets show the reported violations within the context of OWASP guidelines.
  4. Interact with the widgets and reports to identify code that needs to be fixed to achieve your compliance goals.

OWASP Compliance Assets

  • OWASP-Top10.xml: This configuration file provides OWASP-oriented compliance categories in DTP interfaces. 
  • owaspTopTen.json: This file adds the OWASP Top 10 2017 dashboard template. See Custom Dashboard Templates for additional information about understanding dashboards. 
  • owaspTop10Compliance.def.json: This file contains the OWASP-specific widget definitions. 

Additional Assets

The Security Compliance Pack ships with additional assets that are not specific to OWASP but are included because they can provide additional insight into your OWASP compliance goals.

Violations by Compliance.json

This DTP Workflow (also called a 'slice') contains a set of widgets that you can configure to show OWASP Top 10 violations. See Security Compliance Widgets for OWASP.

Installation

OWASP Compliance is installed as part of the Security Compliance Pack. See Installation for instructions.

Adding the OWASP Dashboard

The OWASP dashboard template will be available after installing the Security Compliance Pack. See Adding Dashboards for instructions on how to add dashboards. The dashboard includes the following widgets.

OWASP Top 10 2017 - Compliance Widget

This widget provides a comprehensive overview of the project's compliance with OWASP Top 10 2017 guidelines. It shows the number of OWASP-specific rules that were enabled and passed, as well as how many violations were reported for applicable severity levels. If no violations were reported for a specific severity level, a column will not render for that level. 

The widget is automatically added to your DTP widget library after installing the Security Compliance Pack. See Adding Widgets.

Widget Configuration

Title

Enter a new title to replace the default title that appears on the dashboard.

Filter

Choose Dashboard Settings to use the dashboard filter or choose a filter from the drop-down menu.

Target Build

Choose a build from the drop-down menu. Only the data in this build will display in the widget.

Actions

Click on a rule category to view the Violations by Rule report for the category. See Violations by Rule.

Custom Dashboard Properties

You can also add this widget to your custom dashboards by specifying the following properties in the dashboard definition JSON file (see Custom Dashboard Templates for details): 

"name": "owasp_top_10_compliance",
"type": "native",
"id": "d1621bce-7b9c-11e6-8b77-86f30ca893d3"

Rules in Compliance

The OWASP dashboard includes an instance of the Rules in Compliance widget configured for OWASP Top 10. See Rules in Compliance - Summary for details about the widget. 

Violations - Summary Trend

The OWASP dashboard includes an instance of the Violations - Summary Trend widget configured for OWASP Top 10. See Violations - Summary Trend for details about the widget.

Severities - Pie

The OWASP dashboard includes an instance of the Severities - Pie widget configured for OWASP Top 10. See Severities - Pie for details about the widget.

Assignees - Top 5 Bar

The OWASP dashboard includes an instance of the Assignees - Top 5 Bar widget configured for OWASP Top 10. See Assignees - Top 5 Bar for details about the widget.

Categories - Top 5 Table

The OWASP dashboard includes an instance of the Categories - Top 5 Table widget configured for OWASP Top 10. See Categories - Top 5 Table for details about the widget.

Rules - Top 5 Table

The OWASP dashboard includes an instance of the Rules - Top 5 Table widget configured for OWASP Top 10. See Rules - Top 5 Table for details about the widget.

Security Compliance Widgets for OWASP

You can import the Violations by Compliance DTP flow into Extension Designer and deploy it to DTP to access additional compliance widgets. See Working with Flows for instructions on importing and deploying flows.

Violations in Compliance - Pie

This widget shows the overall compliance status as a percentage. Each pie chart segment represents a compliance category that the code violates. The widget also shows the total number of compliance categories being applied and the number of categories with which the code is compliant. See Configuring Security Compliance Pack Widgets for details on how to configure this widget.

You can perform the following actions:

Violations in Compliance - Treemap

This widget shows the violations grouped by compliance in a tree map. Each tile is assigned a color and represents a compliance category. See Configuring Security Compliance Pack Widgets for details on how to configure this widget.

You can perform the following actions:

  • Mouse over a tile to view the number of violations associated with a specific category.
  • Click on a tile to open the Violations Explorer.

Compliance Violations by Metadata

This widget shows the distribution of Parasoft metadata (priority, action, and risk impact) associated with the violations reported in the filter. You can add an instance of the widget for each type of metadata. 

See Configuring Security Compliance Pack Widgets for details on how to configure this widget. Unless you have configured DTP to automatically assign metadata when violations are reported, new projects will show undefined metadata.

Configuring Security Compliance Pack Widgets

You can configure the following settings for Security Compliance widgets (some settings are only available for certain widgets):

Title

You can rename the widget in the Title field. This setting is available for all widgets.

Filter

Choose a specific filter or Dashboard Settings from the drop-down menu. See Creating and Managing Filters for additional information. This setting is available for all widgets.

Target Build

Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about understanding builds. This setting is available for all widgets.

Compliance

Choose OWASP TOP 10 2017 to view the data according to OWASP guidelines.

Group by

This setting is available for the Compliance Violations by Metadata widget. Choose the DTP metadata type (priority, action, risk) you want to see.