Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.1

...

  1. Choose Extension Designer from the DTP settings (gear icon) menu.
  2. Click the Services tab and expand the DTP Workflows service category. You can deploy assets under any service category you wish, but we recommend using the DTP Workflows category to match how Parasoft categorizes the assets. You can also click Add Category to create your own service category (see Working with Services for additional information).
  3. You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance. See Extension Designer Best Practices for additional information. Choose an existing service and continue to step 5 or click Add Service.
  4. Specify a name for the service and click Confirm.
  5. The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + button icon to add a new tab) and choose Import from the vertical ellipses menu.
  6. For OWASP API Security Top 10, go to Local > Flows > Workflows > Security > OWASP API Security Top 10 Compliance and click Import.
  7. For OWASP Top 10, go to Local > Flows > Workflows > Security > OWASP Top 10 Compliance and click Import.
  8. Click anywhere in the open area to drop the artifact into the service.
  9. Click Deploy to finish deploying the artifact to your DTP environment.
  10. Return to DTP and refresh your dashboard.

...

  1. Click Add Dashboard from the DTP toolbar and specify a name when prompted.
  2. Enable Create dashboard from a template and choose one of the OWASP templates from the associated menu.
  3. Click Create to finish adding the dashboard.

...

You can add the OWASP widgets shipped with the artifact to an existing dashboard. See Adding Widgets for general instructions on adding widgets to a dashboard. After deploying the artifact, the OWASP widgets will appear in the OWASP API or OWASP Top 10 categories in the Add Widget dialog.

...

  • Title: Enter a new title to replace the default title that appears on the dashboard.
  • Filter: Choose a specific filter or Dashboard Settings from the drop-down menu. See Configuring Filters for additional information.
  • Target Build: Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about understanding builds.
  • Compliance Profile: Specify a compliance profile (see Custom Configuration for Profile Configuration). The compliance profile data is used in compliance reports.
  • Exploitability: For API Security only. Choose an exploitability category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.
  • Prevalence: For API Security only. Choose a prevalence category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.
  • Detectability: For API Security only. Choose a detectability category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.
  • Impact: For API Security only. Choose an impact level (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget.

...

  • No rules enabled: Code analysis has not been reported to DTP or the OWASP Top 10 test configuration was not executed by Jtest or dotTEST.
  • N/A: The OWASP assets have not been deployed to a service or the service is not running. See Deploying the OWASP Compliance Assets.
  • Compliant with Deviations: Any violations reported are acceptable and have been suppressed. See Deviations Report for additional information about deviations/suppressions.
  • Compliant with Violations: Any violations reported do not represent a significant risk.
  • Compliant: No violations are reported, and no suppressions have been applied. 
  • Not Compliant: Violations have been reported that represent a significant risk. 
  • Missing rule(s) in analysis: Parasoft code analysis rules documented in the profile were not included in the specified build. Make sure all rules are enabled in Jtest or dotTEST and re-run analysis.

...

You can perform the following actions:

...

This widget shows the violations grouped by weakness in a tree map. Each tile is assigned a color and represents a weakness from the OWASP guidelines. See Configuring Security Compliance Pack Widgets for details on how to configure this widget.

Viewing the OWASP Compliance Report

...

  • Use the menus to sort by a weakness property.
  • Click on a link in the # of Violations column to view the violations in the Violations Explorer.
  • Click on a link in the # of Deviations column to view the suppressed violations in the Violations Explorer.
  • Click on a link in the Weakness column to open the Weakness Detection Plan. The link goes directly to the specific weakness so that you can review the Parasoft code analysis rule or rules detecting the weakness.
  • Open one of the OWASP Compliance sub-reports (Weakness Detection Plan, Deviations Report, Build Audit Report).
  • Click Download PDF to export a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic.

...

The Weakness Detection Plan shows which static analysis rules are used to enforce the OWASP guidelines and is intended to describe how you are enforcing each guideline. This report uses the data specified in the compliance profile (see Custom Configuration for Profile Configuration). In the profile, you can configure the values associated with each weakness property to better reflect the specific challenges associated with your project.  

...

You can configure your tool to run either the test configurations with which it ships, or the test configurations installed with the Security Compliance Pack. Refer to your tool's documentation for details. The following test configurations are included in the compliance pack:

...

The Security Compliance Pack ships with the following UL 2900 dashboard templates, which include a combination of widgets configured to show CWE Top 25 + On the Cusp and OWASP Top 10 2021 compliance. Note that both the CWE and OWASP 2021 compliance artifacts must be deployed.

  • UL 2900 - Java
  • UL 2900 - .NET

...

Individual code analysis rules belong to a category, such as Security, Exceptions, and so on. The OWASP Compliance artifact includes files that map code analysis rules to OWASP-specific categories, that is, weakness type or impact. You can configure widgets to report violations according to the categories defined in the following files in order to view them by their OWASP category:

  • OWASP Top 10 2021 - Java
  • OWASP Top 10 2021 - .NET
  • OWASP API Security Top 10 2019 - Java
  • OWASP API Security Top 10 2019 - .NET
  • OWASP API Security Top 10 2023 - Java
  • OWASP API Security Top 10 2023 - .NET

...