The Parasoft OWASP Compliance extension is a set of assets for your DTP infrastructure that enable you to demonstrate compliance with OWASP coding guidelines. The extension is shipped as part of the Security Compliance Pack for DTP 5.4.0. Contact your Parasoft representative to download and license the Security Compliance Pack.

In this section:

About OWASP Top 10

OWASP Top 10: The Ten Most Critical Web Application Security Risks is a collection of coding guidelines for ensuring web application security. OWASP Top 10 is focused on identifying the most serious web application security risks that affect many organizations. For each risks, OWASP provides information about the likelihood of a security vulnerability resulting from a violation, as well as its technical impact, using a ratings scheme based on the OWASP Risk Rating Methodology.

Where possible, the names of the risks in the Top 10 are aligned with Common Weakness Enumeration (CWE) weaknesses to promote generally accepted naming conventions and to reduce confusion.

See https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project for additional information about OWASP Top 10.

Prerequisites

DTP 5.4.0 or later
A Parasoft code analysis tool (desktop or plug-in edition) 10.4.0 or later.

See Security Compliance Pack for DTP 5.4.0 for additional information.

Process Overview

Analyze code using the OWASP Top 10 2017 test configuration (shipped with your code analysis tool) and report violations to DTP. The test configuration as well as and rulemap.xml file (also shipped with the tool) configures analysis rules to report violations according to OWASP guidelines.
Install the Security Compliance Pack (security-compliance-<version>.zip) using Extension Designer. This enables DTP to process the code analysis data to output the compliance deliverables.
Add the OWASP Compliance dashboard and widgets to your DTP interface. The dashboard widgets and shows the reported violations within the context of OWASP guidelines.
Interact with the widgets and reports to identify code that needs to be fixed to achieve your compliance goals.

OWASP Compliance Assets

OWASP-Top10.xml: This configuration file provides OWASP-oriented compliance categories in DTP interfaces.
owaspTopTen.json: This file adds the OWASP Top 10 2017 dashboard template. See カスタムダッシュボードテンプレート for additional information about understanding dashboards.
owaspTop10Compliance.def.json: This file contains the OWASP-specific widget definitions.

Additional Assets

The Security Compliance Pack ships with additional assets are not specific to OWASP but are included so that they can provide additional insight into your OWASP compliance goals.

Violations by Compliance.json

This DTP Workflow (also called 'slice') contains a set of widgets that you can configure to show OWASP Top 10 violations. See Security Compliance Widgets for OWASP.

Installation

OWASP Compliance is installed as part of the Security Compliance Pack. See Installation for instructions.

Adding the OWASP Dashboard

The OWAS dashboard template will be available after installing the Security Compliance Pack. See ダッシュボードの追加 for instructions on how to add dashboards. The dashboard includes the following widgets.

OWASP Top 10 2017 - Compliance Widget

This widget provides a comprehensive overview of the project's compliance with OWASP Top 10 2017 guidelines. It shows the number of OWASP-specific rules that were enabled and passed, as well as how many violations were reported for applicable severity levels. If no violations were reported for a specific severity level, a column will not render for that level.

Parasoft DTP 5.4.0 (Japanese) > OWASP Compliance > dtp-comp-widgets-owaspTop10-540.png

The widget is automatically added to your DTP widget library after installing the Security Compliance Pack. See ウィジェットの追加.

Widget Configuration

Title	Enter a new title to replace the default title that appears on the dashboard.
Filter	Choose Dashboard Settings to use the dashboard filter or choose a filter from the drop-down menu.
Target Build	Choose a build from the drop-down menu. Only the data in this build will display in the widget.

Actions

Click on a rule category to view the Violations by Rule report for the category. See Violations by Rule.

Custom Dashboard Properties

You can also add this widget to your custom dashboards by specifying the following properties in the dashboard definition JSON file (see カスタムダッシュボードテンプレート for details):

"name": "owasp_top_10_compliance",
"type": "native",
"id": "d1621bce-7b9c-11e6-8b77-86f30ca893d3"

Rules in Compliance

The OWASP dashboard includes an instance of the Rules in Compliance widget configured for OWASP Top 10. See Rules in Compliance - Summary for details about the widget.

Violations - Summary Trend

The OWASP dashboard includes an instance of the Violations - Summary Trend widget configured for OWASP Top 10. See Violations - Summary Trend for details about the widget.

Severities - Pie

The OWASP dashboard includes an instance of the Severities - Pie widget configured for OWASP Top 10. See Severities - Pie for details about the widget.

Assignees - Top 5 Bar

The OWASP dashboard includes an instance of the Assignees - Top 5 Bar widget configured for OWASP Top 10. See Assignees - Top 5 Bar for details about the widget.

Categories - Top 5 Table

The OWASP dashboard includes an instance of the Categories - Top 5 Table widget configured for OWASP Top 10. See Categories - Top 5 Table for details about the widget.

Rules - Top 5 Table

The OWASP dashboard includes an instance of the Rules - Top 5 Table widget configured for OWASP Top 10. See Rules - Top 5 Table for details about the widget.

Security Compliance Widgets for OWASP

You can import the Violations by Compliance DTP flow into Extension Designer and deploy it to DTP to access additional compliance widgets. See フローの使用 for instructions on importing and deploying flows.

Parasoft DTP 5.4.0 (Japanese) > OWASP Compliance > importing-violations-by-comp-ext-des-owasp-540.png

Violations in Compliance - Pie

This widget shows the overall compliance status as a percentage. Each pie chart segment represents a compliance category that the code violates. The widget also shows the total number of compliance categories being applied and the number of categories with which the code is compliant. See Configuring Security Compliance Pack Widgets for details on how to configure this widget.

Parasoft DTP 5.4.0 (Japanese) > OWASP Compliance > vios-in-comp-pie-owasp-sec-comp-pack-540.png

You can perform the following actions:

Mouse over a segment in the chart to view the number of violations associated with a specific category.
Click on a segment to open the Violations by Rule report.
Click on the compliance percentage to open the コンプライアンスカテゴリ別の違反 report.

Violations in Compliance - Treemap

This widget shows the violations grouped by compliance in a tree map. Each tile is assigned a color and represents a compliance category. See Configuring Security Compliance Pack Widgets for details on how to configure this widget.

Parasoft DTP 5.4.0 (Japanese) > OWASP Compliance > vios-in-comp-treemap-owasp-sec-comp-pack-540.png

You can perform the following actions:

Mouse over a tile in the to view the number of violations associated with a specific category.
Click on a tile to open the 違反エクスプローラー.

Compliance Violations by Metadata

This widget shows the distribution of Parasoft metadata (priority, action, and risk impact) associated with the violations reported in the filter. You can add an instance of the widget for each type of metadata.

Parasoft DTP 5.4.0 (Japanese) > OWASP Compliance > comp-vios-by-meta-owasp-multi-540.png

See Configuring Security Compliance Pack Widgets for details on how to configure this widget. Unless you have configured DTP to automatically assign metadata when violations are reported, new projects will show undefined metadata.

Parasoft DTP 5.4.0 (Japanese) > OWASP Compliance > comp-vios-by-meta-owasp-new-540.png

Configuring Security Compliance Pack Widgets

You can configure the following settings for Security Compliance widgets (some settings are only available for certain widgets):

Title	You can rename the widget in the Title field. This setting is available for all widgets.
Filter	Choose a specific filter or Dashboard Settings from the drop-down menu. See フィルターの作成と管理 for additional information. This setting is available for all widgets.
Target Build	Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See ビルド管理の使用 for additional information about understanding builds. This setting is available for all widgets.
Compliance	Choose OWASP TOP 10 2017 to view the data according to OWASP guidelines.
Group by	This setting is available for the Compliance Violations by Metadata widget. Choose the DTP metadata type (priority, action, risk) you want to see.