The Parasoft Security Compliance Pack is a set of artifacts for your DTP infrastructure that help you implement your software security compliance initiatives. It includes configurations that re-orient static analysis data to report violations according to security compliance standards. It also includes widgets for viewing your security compliance status and custom compliance DTP dashboards for monitoring the progress toward your overall security compliance goals. The Security Compliance Pack supports the following standards by default:
- CERT C
- CERT C++
- CWE Top 25
- CWE List Version 2.11
- CWE List Version 3.1
- CWE List Version 3.2
- OWASP Top 10
Contact your Parasoft representative for download and licensing information.
Requirements
- DTP and DTP Enterprise Pack 5.4.2 or later with Enterprise license.
- A Parasoft code analysis tool with the Flow Analysis license feature enabled. See the documentation for individual artifacts for specific requirements.
Terminology
A compliance pack in DTP refers to the collection of assets that are installed in DTP Enterprise Pack and deployed to DTP.
A compliance pack in Parasoft tools, however, is a collection of test configurations that check code against specific standards.
Compatibility
DTP compliance packs are optimized for use with specific versions of DTP and code analysis tools. Newer versions include updated test configurations, widgets, reports, and other enhancements. We strongly recommend upgrading your code analysis tool, DTP, and the compliance pack to the latest version to ensure full compatibility.
The following table describes the optimized deployment:
| Compliance Pack | DTP / DTP Enterprise Pack | Tool | Supported test configurations |
|---|---|---|---|
| 5.4.2 | 5.4.2 | 10.4.2 |
|
| 5.4.1 | 5.4.1 | 10.4.1 |
|
| 5.4.0 | 5.4.0 | 10.4.0 |
|
Parasoft Security Compliance Pack Artifacts
The Security Compliance Pack includes the following artifacts:
- CERT C Compliance
- CERT C++ Compliance
- CWE Compliance
- Key Performance Indicator (refer the documentation for the specific standard for details on how to use this artifact)
- OWASP Compliance
See the documentation for these artifacts for usage details.
Process Overview
- Download and install the Security Compliance Pack (security-compliance-<version>.zip) into your DTP environment. Installing the package adds several files that configure DTP to report code analysis violations according the supported security standards.
- Use DTP Extension Designer to deploy the compliance artifact(s) you want to analyze code against.
- Connect an instance of your tool to DTP and analyze the project using a Security Compliance Pack test configuration. Test configurations ship with the Parasoft tools and with the Security Compliance Pack. The configurations are automatically uploaded to your DTP test configurations when you deploy the compliance pack. You can run code analysis using either instance of the test configuration. See the documentation for your tool for static analysis execution instructions.
- Add the security compliance dashboard(s) and widgets to DTP and configure them to view the data according to your security standard.
- Interact with the widgets and reports to identify code that needs to be fixed, as well as print out the reports for auditing purposes.
Installation
Parasoft provides the compliance pack as a compressed folder (.zip). Extension Designer will expand the .zip file and move the contents to the appropriate location when uploaded. The following process is also described in the Downloading and Installing Artifacts section:
- Choose Extension Designer from the DTP settings menu (gear icon).
- Click the Configuration tab and click Upload Artifact.
- Browse for the .zip file when prompted and click Install.
After the compliance pack files have been installed, the next step is to deploy the artifacts for the compliance standard(s) you want to measure your code against. See the following documentation for instructions:
Upgrading
Although Parasoft extensions are designed to be forward compatible, they are not guaranteed to work in newer versions of DTP or Extension Designer. We strongly recommend installing the latest version of the artifact and removing the previous version.
- Install the newer artifact as described in Installation.
- Un-deploy older artifact from Extension Designer by deleting its nodes and clicking Deploy.
- Deploy the newer version.
- After deploying the newer artifact, you can remove the older version from Artifact Manager by clicking the delete button (trash icon). This is optional, but we recommend keeping your DTP environment organized.
