Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.2

...


Introduction

The Parasoft OWASP Compliance artifact is a set of assets for your DTP infrastructure that enable you to demonstrate compliance with OWASP coding guidelines. The artifact is shipped as part of the Security Compliance Pack. 

...

  • OWASP Top 10 2021
  • OWASP API Security Top 10 2019
  • OWASP API Security Top 10 2023

Prerequisites

Code analysis data is required from one of the following Parasoft tools:

...

See Security Compliance Pack for additional prerequisites information.

Process Overview

  1. Install the Security Compliance Pack into DTP Extension Designer.
  2. Deploy the OWASP Compliance artifact into your DTP environment.
  3. Analyze code using the OWASP test configuration(s) shipped with the Security Compliance Pack and report violations to DTP.
  4. Add the OWASP Compliance dashboard and widgets to your DTP interface. The dashboard widgets show the reported violations within the context of the OWASP guidelines.
  5. Interact with the widgets and reports to identify code that needs to be fixed to achieve your compliance goals.
Note: Achieving 100% Compliance

DTP will report 100% compliance against all OWASP guidelines that are mapped to a Parasoft static analysis rule.

Deploying the OWASP Compliance Assets

OWASP Compliance is installed as part of the Security Compliance Pack (see Installation for instructions).

...

You will now be able to add the OWASP dashboard and widgets.

Adding the OWASP Dashboards

The OWASP dashboard template enables you to quickly add a set of preconfigured widgets that monitor OWASP compliance. See Dashboard Templates for a list of the templates included with the OWASP Compliance artifact. 

...

  1. Click Add Dashboard from the DTP toolbar and specify a name when prompted.
  2. Enable Create dashboard from a template and choose one of the OWASP templates from the associated menu.
  3. Click Create to finish adding the dashboard.

Manually Adding OWASP Widgets to an Existing Dashboard 

You can add the OWASP widgets shipped with the artifact to an existing dashboard. See Adding Widgets for general instructions on adding widgets to a dashboard. After deploying the artifact, the OWASP widgets will appear in the OWASP API or OWASP Top 10 categories in the Add Widget dialog.

...

  • Title: Enter a new title to replace the default title that appears on the dashboard.
  • Filter: Choose a specific filter or Dashboard Settings from the menu. See Configuring Filters for additional information.
  • Target Build: Choose a specific build from the menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about builds.
  • Compliance Profile: Specify a compliance profile (see Custom Configuration for Profile). The compliance profile data is used in compliance reports.
  • Exploitability: For API Security only. Choose an exploitability category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.
  • Prevalence: For API Security only. Choose a prevalence category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.
  • Detectability: For API Security only. Choose a detectability category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.
  • Impact: For API Security only. Choose an impact level (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.

OWASP Compliance Widgets

See Dashboard Templates for a list of the dashboard templates shipped with the compliance artifact. The following widgets are included on one or more of the dashboards:

...

The dashboard includes an instance of the native Categories - Top 5 Table widget configured for OWASP Top 10. It shows the five OWASP categories with the most violations. See Categories - Top 5 Table for details about the widget.

Rules - Top 5 Table

The dashboard includes an instance of the native Rules - Top 5 Table widget configured for OWASP Top 10. It shows the five Parasoft rules mapped to OWASP categories with the most violations. See Rules - Top 5 Table for details about the widget.

...

This widget shows the violations grouped by weakness in a tree map. Each tile is assigned a color and represents a weakness from the OWASP guidelines.

Viewing the OWASP Compliance Report

The main OWASP compliance report provides details about your OWASP compliance status and serves as the primary document for demonstrating compliance. 

...

Weakness Detection Plan

The Weakness Detection Plan shows which static analysis rules are used to enforce the OWASP guidelines and is intended to describe how you are enforcing each guideline. This report uses the data specified in the compliance profile (see Custom Configuration for Profile). In the profile, you can configure the values associated with each weakness property to better reflect the specific challenges associated with your project.  

Deviations Report

Your code can contain violations and still be OWASP-compliant as long as the deviations from the standard are documented and the safety of the software is unaffected. Deviations are code analysis rules that have been suppressed either directly in the code or in the DTP Violations Explorer. See the dotTEST and Jtest documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.

...

  • Enable Only Deviations to exclude violations that do not have deviations.
  • Enable Hide Modification History to exclude the modification history for deviations.

Build Audit Report

The Build Audit Report shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with OWASP during a regulatory audit.

In order to download an archive, the build has to be locked. See Build Audit Report for additional details about this report.  

Custom Configuration for Profile

Models and profiles are assets that enable DTP Enterprise Pack to perform custom calculations and data processing tasks. The model defines the attributes to be used in the calculations and acts as the template for a profile. See Working with Model Profiles to learn more about models and profiles. 

...

You will be able to choose an alternate profile when configuring the widgets shipped with the OWASP artifact.

OWASP Compliance Assets

The following artifacts are included in the package and added to your DTP environment when you install the Security Compliance Pack.

...