...

  • CERT C
  • CERT C++
  • CWE
  • CWE Top 25 Most Dangerous Software Errors
  • CWE on the Cusp
  • OWASP Top 10
  • OWASP API Security Top 10

Each organization has different security requirements and environments. This guide is intended to help you set up and execute the security solution under the following scenario:

...

We recognize that each organization is at a different point in its security compliance initiative. You may be following this guide while you are still building your dev/test infrastructure, for instance, while other organizations are much further along in their development journey. The Prerequisites section describes the assumptions this guide makes about the state of your dev/test infrastructure deployment.

...

  • Parameterization: Many checkers can be parameterized and may need to be tuned to your codebase before their results are meaningful.
  • Value to the project: Consider disabling checkers that do not provide value for your project.
  • Age and criticality: Many projects include older code that should not be touched, either because knowledge about the code is no longer available or because it is extremely sensitive. Put proper controls in place to suppress violations reported against this kind of code, and do not run SAST on code that you have no intention of fixing or that your policy prevents you from changing except under specific circumstances. Record which code is excluded and why, so that the exclusion itself remains reviewable.

...

Running What-if Scenarios

What-if scenarios are mechanisms for understanding the outcomes that result from a given input. In a SAST context, the results of your current build are the input and your states of compliance against your short- and long-term goals are the outcomes. What-if scenarios can help you understand the impact, for example, of enabling a new checker or changing the severity of an active checker.

You can run what-if scenarios without executing additional analysis by creating profiles in DTP Extension Designer, which filter results for the current build in order to preview potential changes to your test configuration. You can also run what-if scenarios by incrementally enabling additional checkers in your test configuration and sending the results to different filters.

Using Profiles to Create What-if Scenarios

The Security Compliance Pack includes a default profile for each set of guidelines. Profiles indicate which checkers were expected in the analysis, which tool ran the checkers, and other details that are included in dashboard widgets and reports. You can create additional profiles and modify the list of checkers to change the scope of the expected results: add checkers to a profile, for example, to understand how the current build would perform if analysis ran with those checkers enabled.

Do not modify the default profile. Instead, export a copy of the profile and import it into the model. The model is an entity that defines the template for the data contained in a profile: it defines the expected fields, while the profile defines the expected values in the analysis.

Use the following process to create profile-based what-if scenarios that you can apply to your existing results:

  1. Export a copy of the default profile for your compliance configuration. Profiles are exported as XLSX files, which you can modify before importing, or import as-is and then modify in the Extension Designer UI.
  2. Import the profile and enable or disable checkers.
  3. In the DTP dashboard, add a compliance widget for each profile and specify the compliance profile that encapsulates each what-if scenario. For example, configure one widget to track your long-term goal against the profile with all the checkers you eventually want to use, and another widget to track your short-term goal against the profile with a subset of checkers enabled.

You can add a Categories in Compliance widget to your dashboard and click through to the report for a list of the checkers enabled in the compliance profile and the number of violations reported for each checker.
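To make the profile mechanism concrete, the following script is an added example (not Parasoft's code, and not DTP's profile or report format). It applies two hypothetical profiles, a short-term one with a subset of checkers and a long-term one that adds checkers and raises one checker's severity, to a constructed set of results from a single build. The profile model, the checker ids and the severity scale are assumptions made for illustration.

```python
"""Profile-based what-if scenario over a single build's static analysis results.

Added example, not Parasoft's code and not DTP's profile or report format:
a compliance profile is modelled as the set of checkers it expects, an
optional severity override per checker, and a gating severity. The build
results are constructed inline.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: (checker id, severity, file). Severity follows the
# usual SAST convention where 1 is the most severe. The checker ids are
# illustrative names, not real Parasoft rule ids.
BUILD_RESULTS = [
    ("CWE.89.SQLI", 1, "src/dao/UserDao.java"),
    ("CWE.79.XSS", 1, "src/web/Render.java"),
    ("CWE.798.HARDCODED_CRED", 2, "src/cfg/Defaults.java"),
    ("CWE.20.INPUT_VALIDATION", 3, "src/web/Form.java"),
    ("CWE.20.INPUT_VALIDATION", 3, "src/web/Upload.java"),
    ("CWE.327.WEAK_CRYPTO", 2, "src/crypto/Legacy.java"),
]


@dataclass(frozen=True)
class Profile:
    """What a (hypothetical) compliance profile contributes to a what-if scenario."""
    name: str
    checkers: frozenset                      # checkers expected in the analysis
    severity_override: dict = field(default_factory=dict)  # checker id -> new severity
    gate_severity: int = 1                   # a violation at this severity or worse fails the build


# Short-term goal: a subset of checkers, no severity changes.
SHORT_TERM = Profile(
    name="short-term",
    checkers=frozenset({"CWE.798.HARDCODED_CRED", "CWE.327.WEAK_CRYPTO",
                        "CWE.20.INPUT_VALIDATION"}),
)

# Long-term goal: every checker we eventually want, one of which reported
# nothing in this build, plus a severity change for the weak-crypto checker.
LONG_TERM = Profile(
    name="long-term",
    checkers=frozenset({"CWE.89.SQLI", "CWE.79.XSS", "CWE.798.HARDCODED_CRED",
                        "CWE.20.INPUT_VALIDATION", "CWE.327.WEAK_CRYPTO",
                        "CWE.502.DESERIALIZATION"}),
    severity_override={"CWE.327.WEAK_CRYPTO": 1},
)


def evaluate(profile, results):
    """Filter one build's results through a profile without re-running analysis.

    Returns the in-scope violation count, the count per checker, the checkers
    the profile expects but that reported nothing, and whether the build
    would pass the profile's severity gate.
    """
    in_scope = [
        (checker, profile.severity_override.get(checker, severity), path)
        for checker, severity, path in results
        if checker in profile.checkers
    ]
    per_checker = Counter(checker for checker, _, _ in in_scope)
    silent = sorted(profile.checkers - set(per_checker))
    blocking = [v for v in in_scope if v[1] <= profile.gate_severity]
    return {
        "profile": profile.name,
        "violations": len(in_scope),
        "per_checker": dict(per_checker),
        "silent_checkers": silent,
        "blocking": len(blocking),
        "passes": not blocking,
    }


def compare(profiles, results):
    """Run every what-if profile over the same build results."""
    return [evaluate(p, results) for p in profiles]


if __name__ == "__main__":
    for outcome in compare([SHORT_TERM, LONG_TERM], BUILD_RESULTS):
        print(f"{outcome['profile']}: {outcome['violations']} violations, "
              f"{outcome['blocking']} blocking, "
              f"{'PASS' if outcome['passes'] else 'FAIL'}; "
              f"silent checkers: {outcome['silent_checkers'] or 'none'}")
```

Both outcomes come from the same results, which is the point of the profile approach: you can see that the long-term profile would block the build (three severity 1 findings once weak crypto is raised) and that it expects a checker that reported nothing, before you touch the test configuration or run analysis again.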

Using Filters to Create What-if Scenarios

You can incrementally enable additional checkers in your test configuration and send the results into different DTP filters. A filter is a mechanism in DTP for reporting results based on run configurations, which are sets of metadata, such as the machine name or IP that ran the execution, environment, build ID, and test configuration. Refer to the DTP documentation to learn more about filters.

Use the following process to create filter-based what-if scenarios to apply to builds incrementally:

  1. Create a duplicate of your primary test configuration.
  2. Enable (or disable) one or more checkers in the duplicate configuration.
  3. Add a filter to your project in DTP and configure your tool to send the what-if execution results to the new filter. In this way, you can keep exploratory analysis results separate from your official compliance data.

Appendix

The following sections describe the supported components for enabling Parasoft's Security Compliance solution.

Supported Languages

Parasoft can analyze the following languages out of the box:

  • Java
  • .NET-based languages
  • C
  • C++
  • C#
  • VB.NET
  • HTML
  • CSS
  • XML

Parasoft supports several other programming languages via the Parasoft Multi-Language Pack:

  • Android-based applications 
  • Apex
  • Go
  • Groovy
  • JavaScript
  • Kotlin
  • Objective-C
  • PHP
  • Python
  • Ruby
  • Scala
  • Swift
  • Typescript

The Parasoft Multi-Language Pack is available in the marketplace on the Parasoft customer portal.

DTP and Enterprise Pack 2021.1

Standards

  • CERT C
  • CERT C++
  • CWE List Version 4.4
  • CWE Top 25
  • CWE Top 25 + On the Cusp
  • UL 2900
  • OWASP Top 10
  • OWASP API Security Top 10 2019
  • PCI DSS 3.2

Parasoft tools

  • C/C++test 2021.1 (all editions)
  • dotTEST 2021.1
  • Jtest 2021.1

Continuous integration

Parasoft can report static analysis violations in the following CI systems:

  • Bamboo 5.14 +
  • Jenkins 1.625.1 +
  • TeamCity 2017.1.2 +
  • Microsoft Azure DevOps 

Refer to the Parasoft Findings documentation for details.

You can integrate with other CI systems using the command line interface.

Source control

Refer to the tool documentation for supported SCMs:

DTP and Enterprise Pack 2020.2

Standards

  • CERT C
  • CERT C++
  • CWE List Version 4.0
  • CWE Top 25
  • CWE Top 25 + On the Cusp
  • UL 2900
  • OWASP Top 10
  • PCI DSS 3.2

Parasoft tools

  • C/C++test 2020.2 (all editions)
  • dotTEST 2020.2
  • Jtest 2020.2

Continuous integration

Parasoft can report static analysis violations in the following CI systems:

  • Bamboo 5.14 +
  • Jenkins 1.625.1 +
  • TeamCity 2017.1.2 +
  • Microsoft Azure DevOps 

Refer to the Parasoft Findings documentation for details.

You can integrate with other CI systems using the command line interface.

Source control

Refer to the tool documentation for supported SCMs:

DTP and Enterprise Pack 2020.1

Standards

  • CERT C
  • CERT C++
  • CWE List Version 4.0
  • CWE Top 25
  • CWE Top 25 + On the Cusp
  • UL 2900
  • OWASP Top 10
  • PCI DSS 3.2

Parasoft tools

  • C/C++test 2020.1 (all editions)
  • dotTEST 2020.1
  • Jtest 2020.1

Continuous integration

Parasoft can report static analysis violations in the following CI systems:

  • Bamboo 5.14 +
  • Jenkins 1.625.1 +
  • TeamCity 2017.1.2 +
  • Microsoft Azure DevOps 

Refer to the Parasoft Findings documentation for details.

You can integrate with other CI systems using the command line interface.

Source control

Refer to the tool documentation for supported SCMs:

...

Standards

  • CERT C
  • CERT C++
  • CWE Top 25
  • CWE List Version 2.11
  • CWE List Version 3.1
  • CWE List Version 3.2
  • CWE List Version 3.4
  • UL 2900
  • OWASP Top 10
  • PCI DSS 3.2

Parasoft tools

  • C/C++test 10.4.3 (all editions)
  • dotTEST 10.4.3
  • Jtest 10.4.3

Continuous integration

Parasoft can report static analysis violations in the following CI systems:

  • Bamboo 5.14 +
  • Jenkins 1.625.1 +
  • TeamCity 2017.1.2 +
  • Microsoft Azure DevOps 

Refer to the Parasoft Findings documentation for details.

You can integrate with other CI systems using the command line interface.

Source control

Refer to the tool documentation for supported SCMs:

...

Standards

  • CERT C
  • CERT C++
  • CWE Top 25
  • CWE List Version 2.11
  • CWE List Version 3.1
  • CWE List Version 3.2
  • OWASP Top 10

Parasoft tools

  • C/C++test 10.4.2 (all editions)
  • dotTEST 10.4.2
  • Jtest 10.4.2

Continuous integration

Parasoft can report static analysis violations in the following CI systems:

  • Bamboo 5.14 +
  • Jenkins 1.625.1 +
  • TeamCity 2017.1.2 +
  • Microsoft Azure DevOps (formerly Visual Studio Team Services)

Refer to the Parasoft Findings documentation for details.

You can integrate with other CI systems using the command line interface.

Source control

Refer to the tool documentation for supported SCMs:

...

Standards

  • CERT C
  • CERT C++
  • CWE Top 25 
  • CWE List Version 2.11
  • CWE List Version 3.1
  • OWASP Top 10

Parasoft tools

  • C/C++test 10.4.1 (all editions)
  • dotTEST 10.4.1
  • Jtest 10.4.1

Continuous integration

Parasoft can report static analysis violations in the following CI systems:

  • Bamboo 5.14 +
  • Jenkins 1.625.1 +
  • TeamCity 2017.1.2 +
  • Microsoft Azure DevOps (formerly Visual Studio Team Services)

Refer to the Parasoft Findings documentation for details.

You can integrate with other CI systems using the command line interface.

Source control

Refer to the tool documentation for supported SCMs:

...