...
- CERT C
- CERT C++
- CWE
- CWE Top 25 Most Dangerous Software Errors
- CWE on the Cusp
- OWASP Top 10
- OWASP API Security Top 10
Each organization has different security requirements and environments. This guide is intended to help you set up and execute the security solution under the following scenario:
...
We recognize that each organization is at a different point in its security compliance initiative. You may be following this guide while you are still building your dev/test infrastructure, for instance, while other organizations are much further along in their development journey. The Prerequisites section describes the assumptions this guide makes about the state of your dev/test infrastructure deployment.
...
You can configure your CI tool to apply quality gates as part of your build process. Parasoft integrates with several CI tools, which lets you visualize test execution and code analysis results from Parasoft tools in your continuous integration system's interface. Refer to the Appendix for the supported CI tools.
Configuring quality gates at the CI layer differs from system to system. The Parasoft Findings for Jenkins extension, for example, supports quality gate configuration from the UI. Refer to the documentation for your CI tool for details.
...
Your compliance policy should be a measurable and achievable plan for releasing software that conforms to a security standard. You can also define a compliance goal that strives for a higher degree of guideline conformance. Your compliance goal (like your compliance policy) is encapsulated in a code analysis configuration. The difference is that you expect to comply with your compliance policy prior to release, whereas you expect to run your compliance goal configuration with acceptable outcomes at some point in the future. This topic is discussed in greater detail in the Implement Your Compliance Strategy and Achieving Your Compliance Goal sections.
How Parasoft Supports Security Compliance Initiatives
...
- Parameterization: Many checkers accept parameters and may need to be tuned to your codebase before their results are meaningful.
- Value to the project: Consider disabling checkers that do not provide value for your project.
- Age and criticality: Many projects include older code that should not be touched, either because knowledge about the code is no longer available or because it is extremely sensitive. Put proper controls in place to suppress violations related to this kind of code. Do not run SAST on code that you have no intention of fixing, or that your policy prevents you from fixing except under specific circumstances.
...
In addition, Parasoft DTP ships with portfolio-level widgets, such as the Portfolio - Violations Statistics widget, for displaying SAST results across projects in your portfolio.
...
Running What-if Scenarios
As you work toward your long-term compliance goal, you may want to incrementally enable additional checkers in your test configuration. Duplicate your primary test configuration and add one or more checkers. Before executing analysis, however, add a filter to your project and configure your tool to send the what-if execution results to the new filter. In this way, you can keep exploratory analysis results separate from your official compliance data. Refer to the DTP documentation to learn more about filters.
...
What-if scenarios are mechanisms for understanding the outcomes resulting from a given input. In a SAST context, the results of your current build serve as the input and the states of compliance against your short- and long-term goals are the outcomes. What-if scenarios can help you understand the impact, for example, of enabling a new checker or changing the severity of an active checker.
You can run what-if scenarios without executing additional analysis by creating profiles in DTP Extension Designer, which filter results for the current build in order to preview potential changes to your test configuration. You can also run what-if scenarios by incrementally enabling additional checkers in your test configuration and sending the results to different filters.
Using Profiles to Create What-if Scenarios
The Security Compliance Pack includes a default profile for each set of guidelines. A profile indicates which checkers were expected in the analysis, which tool ran the checkers, and other details that are included in dashboard widgets and reports. You can create additional profiles and modify the list of checkers to change the scope of the expected results. Add checkers to a profile, for example, to understand how the current build would perform if analysis ran with those additional checkers.
Do not modify the default profile. Instead, export a copy of the profile and import it into the model, which is an entity that defines the template for the data contained in the profile. The model defines the expected fields in the profile. The profile defines the expected values in the analysis.
Use the following process to create profile-based what-if scenarios that you can apply to your existing results:
- Export a copy of the default profile for your compliance configuration. Profiles are exported as XLSX files, which you can modify before importing, or import as-is and modify in the Extension Designer UI.
- Import the profile and enable or disable checkers.
- In the DTP dashboard, add a compliance widget for each profile and specify the compliance profile that encapsulates each what-if scenario. For example, you can configure one widget to track your long-term goal against the profile with all the checkers you eventually want to use, and another widget to track your short-term goal against the profile with a subset of checkers enabled.
You can add a Categories in Compliance widget to your dashboard and click into the report for the list of checkers enabled in the compliance profile and the number of violations for each checker.
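The policy-versus-goal distinction described earlier, the suppression of legacy code that will not be fixed, and the profile-based what-if scenario above all reduce to one operation: filtering a single build's results through a set of expected checkers. The following Python example is added here to make that operation concrete. It is not Parasoft code and does not use DTP's profile or report formats; the `Violation` and `Profile` types, the CWE-numbered checker names, the `legacy/*` suppression pattern and the sample build results are all constructed for illustration.

```python
"""Added illustration of profile-based compliance evaluation.

Not Parasoft code: the Violation/Profile types, the CWE-numbered checker
names and the sample build results below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable


@dataclass(frozen=True)
class Violation:
    checker: str   # identifier of the checker that reported the finding
    severity: int  # 1 = most severe
    path: str      # file the finding was reported in
    line: int


@dataclass(frozen=True)
class Profile:
    """The checkers a dashboard expects to see, plus path patterns whose
    findings are suppressed (legacy code that will not be fixed)."""
    name: str
    checkers: frozenset
    suppress_paths: tuple = ()


def is_suppressed(v: Violation, profile: Profile) -> bool:
    # fnmatch's "*" also matches "/", so "legacy/*" covers nested directories
    return any(fnmatch(v.path, pattern) for pattern in profile.suppress_paths)


def evaluate(violations: Iterable[Violation], profile: Profile) -> dict:
    """Filter one build's results through a profile without re-running analysis.

    Findings from checkers outside the profile are ignored, findings in
    suppressed paths are counted separately, and the profile is compliant
    only when no unsuppressed finding remains for any expected checker.
    """
    counts: Counter = Counter()
    suppressed = 0
    for v in violations:
        if v.checker not in profile.checkers:
            continue
        if is_suppressed(v, profile):
            suppressed += 1
            continue
        counts[v.checker] += 1
    per_checker = {c: counts.get(c, 0) for c in sorted(profile.checkers)}
    total = sum(per_checker.values())
    return {
        "profile": profile.name,
        "violations": per_checker,  # zero-count checkers stay visible, as in a widget
        "total": total,
        "suppressed": suppressed,
        "compliant": total == 0,
    }


def what_if(violations: Iterable[Violation], base: Profile,
            extra_checkers: Iterable[str]) -> dict:
    """Preview enabling extra checkers: same build results, widened profile."""
    violations = list(violations)  # evaluated twice, so materialize the iterable
    extra = frozenset(extra_checkers)
    candidate = Profile(f"{base.name}+whatif", base.checkers | extra, base.suppress_paths)
    before = evaluate(violations, base)
    after = evaluate(violations, candidate)
    return {
        "added": after["total"] - before["total"],
        "per_checker": {c: after["violations"][c] for c in sorted(extra)},
        "still_compliant": after["compliant"],
    }


def quality_gate(violations: Iterable[Violation], policy: Profile):
    """CI gate: the build passes only if the release policy profile is compliant."""
    result = evaluate(violations, policy)
    return result["compliant"], result


# Constructed sample build results (not real analysis output).
BUILD_RESULTS = [
    Violation("CWE-89", 1, "src/db/Query.java", 42),
    Violation("CWE-79", 1, "src/web/Render.java", 17),
    Violation("CWE-798", 2, "legacy/auth/Creds.java", 9),
    Violation("CWE-327", 2, "legacy/crypto/Hash.java", 33),
    Violation("CWE-327", 2, "src/crypto/Token.java", 58),
]

# Release policy: checkers that must be clean before release; legacy code is suppressed.
POLICY = Profile("policy", frozenset({"CWE-798", "CWE-787"}), suppress_paths=("legacy/*",))
# Long-term goal: the same policy with more checkers expected.
GOAL = Profile("goal", POLICY.checkers | {"CWE-89", "CWE-79", "CWE-327"}, POLICY.suppress_paths)

if __name__ == "__main__":
    passed, detail = quality_gate(BUILD_RESULTS, POLICY)
    print("policy gate:", "PASS" if passed else "FAIL", detail)
    print("goal status:", evaluate(BUILD_RESULTS, GOAL))
    print("what-if +CWE-327:", what_if(BUILD_RESULTS, POLICY, ["CWE-327"]))
```

With the sample data the release policy passes the gate (its one finding sits in suppressed legacy code), the goal profile reports three open findings against the same build, and the what-if shows that enabling CWE-327 alone would add exactly one unsuppressed finding. Keeping suppressed findings as a separate count, rather than dropping them, is the check a reviewer wants: a policy that is "compliant" only because most of the codebase is suppressed should be visible as such.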
Using Filters to Create What-if Scenarios
You can incrementally enable additional checkers in your test configuration and send the results into different DTP filters. A filter is a mechanism in DTP for reporting results based on run configurations, which are sets of metadata, such as the machine name or IP that ran the execution, environment, build ID, and test configuration. Refer to the DTP documentation to learn more about filters.
Use the following process to create filter-based what-if scenarios to apply to builds incrementally:
- Create a duplicate of your primary test configuration.
- Enable (or disable) one or more checkers in the duplicate configuration.
- Add a filter to your project in DTP and configure your tool to send the what-if execution results to the new filter. In this way, you can keep exploratory analysis results separate from your official compliance data.
Appendix
The following sections describe the supported components for enabling Parasoft's Security Compliance solution.
Supported Languages
Parasoft can analyze the following languages out of the box:
- Java
- .NET-based languages
- C
- C++
- C#
- VB.NET
- HTML
- CSS
- XML
Parasoft supports several other programming languages via the Parasoft Multi-Language Pack:
- Android-based applications
- Apex
- Go
- Groovy
- JavaScript
- Kotlin
- Objective-C
- PHP
- Python
- Ruby
- Scala
- Swift
- Typescript
The Parasoft Multi-Language Pack is available in the marketplace on the Parasoft customer portal.
DTP and Enterprise Pack 2021.1

Component | Support
---|---
Standards |
Parasoft tools |
Continuous integration | Parasoft can report static analysis violations in the following CI systems: Refer to the Parasoft Findings documentation for details. You can integrate with other CI systems using the command line interface.
Source control | Refer to the tool documentation for supported SCMs:
DTP and Enterprise Pack 2020.2

Component | Support
---|---
Standards |
Parasoft tools |
Continuous integration | Parasoft can report static analysis violations in the following CI systems: Refer to the Parasoft Findings documentation for details. You can integrate with other CI systems using the command line interface.
Source control | Refer to the tool documentation for supported SCMs:
DTP and Enterprise Pack 2020.1

Component | Support
---|---
Standards |
Parasoft tools |
Continuous integration | Parasoft can report static analysis violations in the following CI systems: Refer to the Parasoft Findings documentation for details. You can integrate with other CI systems using the command line interface.
Source control | Refer to the tool documentation for supported SCMs:
...
Component | Support
---|---
Standards |
Parasoft tools |
Continuous integration | Parasoft can report static analysis violations in the following CI systems: Refer to the Parasoft Findings documentation for details. You can integrate with other CI systems using the command line interface.
Source control | Refer to the tool documentation for supported SCMs:
...
Component | Support
---|---
Standards |
Parasoft tools |
Continuous integration | Parasoft can report static analysis violations in the following CI systems: Refer to the Parasoft Findings documentation for details. You can integrate with other CI systems using the command line interface.
Source control | Refer to the tool documentation for supported SCMs:
...
Component | Support
---|---
Standards |
Parasoft tools |
Continuous integration | Parasoft can report static analysis violations in the following CI systems: Refer to the Parasoft Findings documentation for details. You can integrate with other CI systems using the command line interface.
Source control | Refer to the tool documentation for supported SCMs:
...