The Parasoft Security Compliance Pack is a set of artifacts for your DTP infrastructure that help you implement your software security compliance initiatives. It includes configurations that re-orient static analysis data to report violations according to security compliance standards. It also includes widgets for viewing your security compliance status and custom compliance DTP dashboards for monitoring the progress toward your overall security compliance goals. The Security Compliance Pack supports the following standards by default:

• CERT C
• CERT C++
• CWE Top 25 
• CWE List Version 2.11
• CWE List Version 3.1
• OWASP Top 10

Contact your Parasoft representative for download and licensing information.

Requirements

• DTP and DTP Enterprise Pack 5.4.1 or later with Enterprise license.
• A Parasoft code analysis tool with the Flow Analysis license feature enabled. See the documentation for individual artifacts for specific requirements. 

Parasoft Security Compliance Pack Artifacts

The Security Compliance Pack includes the following artifacts: 

• CERT C Compliance
• CERT C++ Compliance
• CWE Compliance
• Key Performance Indicator
• OWASP Compliance

See the documentation for these artifacts for usage details.

Process Overview

1. Download and install the Security Compliance Pack (security-compliance-<version>.zip) into your DTP environment. Installing the package adds several files that configure DTP to report code analysis violations according the supported security standards. 
2. Use DTP Extension Designer to deploy the compliance artifact(s) you want to analyze code against. 
3. Connect an instance of your tool (i.e., C/C++test, dotTEST, Jtest) to DTP and analyze the project using one of the security standard test configurations shipped with the tool. See the documentation for your tool for static analysis execution instructions.
4. Add the security compliance dashboard(s) and widgets to DTP and configure them to view the data according to your security standard.
5. Interact with the widgets and reports to identify code that needs to be fixed, as well as print out the reports for auditing purposes.

Installation

Parasoft provides the compliance pack as a compressed folder (.zip). Extension Designer will expand the .zip file and move the contents to the appropriate location when uploaded. The following process is also described in the Downloading and Installing Artifacts section:

1. Choose Extension Designer from the DTP settings menu (gear icon).
   
2. Click the Configuration tab and click Upload Artifact. 
   
3. Browse for the .zip file when prompted and click Install. 
4. Restart DTP (see Stopping DTP Services and Starting DTP Services).

After the compliance pack files have been installed, the next step is to deploy the artifacts for the compliance standard(s) you want to measure your code against. See the following documentation for instructions:  

• CERT C Compliance
• CERT C++ Compliance
• CWE Compliance
• Key Performance Indicator
• OWASP Compliance

Upgrading

Although Parasoft extensions are designed to be forward compatible, they are not guaranteed to work in newer versions of DTP or Extension Designer. We strongly recommend installing the latest version of the artifact and removing the previous version. 

1. Install the newer artifact as described in Installation. 
2. Un-deploy older artifact from Extension Designer by deleting its nodes and clicking Deploy. 
3. Deploy the newer version. 
4. After deploying the newer artifact, you can remove the older version from Artifact Manager by clicking the delete button (trash icon). This is optional, but we recommend keeping your DTP environment organized.