In this section:
Introduction
The Parasoft OWASP Compliance artifact is a set of assets for your DTP infrastructure that enable you to demonstrate compliance with OWASP coding guidelines. The artifact is shipped as part of the Security Compliance Pack.
The following OWASP standards are supported:
- OWASP Top 10 2017
- OWASP Top 10 2021
- OWASP API Security Top 10 2019
Prerequisites
Code analysis data is required from one of the following Parasoft tools:
- Parasoft dotTEST with appropriate Security Compliance Pack licenses.
- Parasoft Jtest with appropriate Security Compliance Pack licenses.
See Security Compliance Pack for additional prerequisites information.
Process Overview
- Install the Security Compliance Pack into DTP Extension Designer.
- Deploy the OWASP Compliance artifact into your DTP environment.
- Analyze code using the OWASP test configuration(s) shipped with the Security Compliance Pack and report violations to DTP.
- Add the OWASP Compliance dashboard and widgets to your DTP interface. The dashboard widgets and shows the reported violations within the context of OWASP guidelines.
- Interact with the widgets and reports to identify code that needs to be fixed to achieve your compliance goals.
Deploying the OWASP Compliance Assets
OWASP Compliance is installed as part of the Security Compliance Pack (see Installation for instructions).
To deploy OWASP Compliance assets:
- Choose Extension Designer from the DTP settings (gear icon) menu.
- Click the Services tab and expand the DTP Workflows service category. You can deploy assets under any service category you wish, but we recommend using the DTP Workflows category to match how Parasoft categorizes the assets. You can also click Add Category to create your own service category (see Working with Services for additional information).
- You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance. See Extension Designer Best Practices for additional information. Choose an existing service and continue to step 5 or click Add Service.
- Specify a name for the service and click Confirm.
- The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + button to add a new tab) and choose Import from the vertical ellipses menu.
- For OWASP Top 10 2017 or OWASP Security API Top 10 2019, go to Local> Flows> Workflows> Security> OWASP Compliance and click Import.
- For OWASP Top 10 2021, go to Local> Flows> Workflows> Security> OWASP Compliance 2021 and click Import.
- Click anywhere in the open area to drop the the artifact into the service.
- Click Deploy to finish deploying the artifact to your DTP environment.
- Return to DTP and refresh your dashboard.
You will now be able to add the OWASP dashboard and widgets.
Adding the OWASP Dashboards
The OWASP dashboard template enables you to quickly add a set of preconfigured widgets that monitor OWASP compliance. See Dashboard Templates for a list of the templates included with the OWASP Compliance artifact.
The dashboard templates are deployed to your DTP environment as part of the Security Compliance Pack installation.
- Click Add Dashboard from the DTP toolbar and specify a name when prompted.
- Enable the Create dashboard from a template option and choose one of the OWASP templates from the drop-down menu.
- Click Create to finish adding the dashboard.
Manually Adding OWASP Widgets to an Existing Dashboard
You can add the OWASP widgets shipped with the artifact to an an existing dashboard. See Adding Widgets for general instructions on adding widgets to a dashboard. After deploying the artifact, the OWASP widgets will appear in the OWASP or OWASP 2021 categories in the Add Widget dialog.
The following configurations are available:
Title | Enter a new title to replace the default title that appears on the dashboard. |
---|---|
Filter | Choose a specific filter or Dashboard Settings from the drop-down menu. See Creating and Managing Filters for additional information. |
Target Build | Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about understanding builds. |
Compliance Profile | Specify a compliance profile (see Profile Configuration). The compliance profile data is used in compliance reports. |
Exploitability | For Top 10 2017 and API Security 2019 only. Choose an exploitability category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget. |
Prevalence | For Top 10 2017 and API Security 2019 only. Choose a prevalence category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget. |
Detectability | For Top 10 2017 and API Security 2019 only. Choose a detectability category (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget. |
Impact | For Top 10 2017 and API Security 2019 only. Choose an impact level (1 - 3) that you want to view. Refer to the OWASP guidelines for details. Only applies to the OWASP Compliance - Weakness by Status widget. |
OWASP Compliance Widgets
See Dashboard Templates for a list of the dashboard templates shipped with the compliance artifact. The following widgets are included on one or more the dashboards:
OWASP Compliance Status
This widget is included with the OWASP Compliance artifact. It shows the current state of compliance with OWASP Top 10.
There are seven possible states:
- No rules enabled: Code analysis has not been reported to DTP or the OWASP Top 10 test configuration was not executed by Jtest or dotTEST.
- N/A: The OWASP assets have not been deployed to a service or the service is not running. See Deploying the OWASP Compliance Assets.
- Compliant with Deviations: Any violations reported are acceptable and have been suppressed. See Deviations Report for additional information about deviations/suppressions.
- Compliant with Violations: Any violations reported do not represent a significant risk.
- Compliant: No violations are reported and no suppressions have been applied.
- Not Compliant: Violations have been reported that represent a significant risk.
- Missing rule(s) in analysis: Parasoft code analysis rules documented in the profile were not included in the specified build. Make sure all rules are enabled in Jtest or dotTEST and re-run analysis.
Click on the widget to open the OWASP Compliance Report.
OWASP Compliance Risk Matrix
This widget is included with the OWASP Compliance artifact. It shows the concentration of violations and deviations by weakness risk for exploitability and prevalence.
Mouse over a cell in the chart to view the number of violations and suppressions for the specified risk level. Click on a cell to open the OWASP Compliance Report filtered according to the risk.
OWASP Compliance Risk
This widget is included with the OWASP Compliance artifact. It provides a chart showing the distribution of violations according to its risk as defined in the OWASP standard.
Mouse over a cell in the chart to view the number of violations and suppressions for the specified risk level. Click on a cell to open the OWASP Compliance Report filtered according to the risk.
OWASP Compliance Percentage
This widget is included with the OWASP Compliance artifact. It shows the percentage of OWASP weaknesses that the code is in compliance with. Click on the widget to open the OWASP Compliance Report.
Click on the widget to open the CWE Compliance report (see CWE Compliance for additional information).
OWASP Compliance - Weakness by Status
This widget is included with the OWASP Compliance artifact. The red segment of the pie chart represents the weaknesses that the code is not compliant with. The green segment represents weaknesses that the code is in compliance with. The widget also shows the number of violations and deviations.
You can perform the following actions:
- Click on a segment in the pie chart to open the OWASP Compliance Report filtered by the selected status.
- Click on the Violations section to open an unfiltered OWASP Compliance Report.
- Click on the Deviations section to open the Deviations Report.
Rules in Compliance
This widget is an implementation of the native DTP Rules in Compliance widget. It shows the percentage of Parasoft rules that are mapped to OWASP weaknesses that are not reporting a violation (are in compliance). See Rules in Compliance - Summary for details about the widget.
Categories - Top 5 Table
The dashboard includes an instance of the native Categories - Top 5 Table widget configured for OWASP Top 10. It shows the five OWASP categories with the most violations. See Categories - Top 5 Table for details about the widget.
Rules - Top 5 Table
The dashboard includes an instance of the native Rules - Top 5 Table widget configured for OWASP Top 10. It shows the five Parasoft rules mapped to OWASP categories with the most violations. See Rules - Top 5 Table for details about the widget.
Violations by Weakness - Treemap
This widget shows the violations grouped by weakness in a tree map. Each tile is assigned a color and represents a weakness from the OWASP guidelines. See Configuring Security Compliance Pack Widgets for details on how to configure this widget.
Viewing the OWASP Compliance Report
The main OWASP compliance report provides details about your OWASP compliance status and serves as the primary document for demonstrating compliance.
You can perform the following actions:
- Use the drop-down menus to sort by a weakness property.
- Click on a link in the # of Violations column to view the violations in the Violations Explorer.
- Click on a link in the # of Deviations column to view the suppressed violations in the Violations Explorer.
- Click on a link in the Weakness column to open the Weakness Detection Plan. The link goes directly to the specific weakness so that you can review the Parasoft code analysis rule or rules detecting the weaknesses.
- Open one of the OWASP Compliance sub-reports (Weakness Detection Plan, Deviations Report, Build Audit Report).
- Click Download PDF to export a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic.
Weakness Detection Plan
The Weakness Detection Plan shows which static analysis rules are used to enforce the OWASP guidelines and is intended to describe how you are enforcing each guideline. This report uses the data specified in the compliance profile (see Profile Configuration). In the profile, you can configure the values associated with each weakness property to better reflect the specific challenges associated with your project.
Deviations Report
Your code can contain violations and still be OWASP-compliant as long as the deviations from the standard are documented and that the safety of the software is unaffected. Deviations are code analysis rules that have been suppressed either directly in the code or in the DTP Violations Explorer. See the dotTEST and Jtest documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.
Click on the Deviations Report link in the OWASP Compliance report to open the Deviations Report.
The Deviations Report shows all guideline IDs and headers, but guidelines that have been suppressed will show additional information. You can perform the following actions:
- Enable the Only Deviations option to exclude violations that do not have deviations
- Enable the Hide Modification History option to exclude the modification history for deviations
Build Audit Report
The Build Audit Report shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with OWASP during a regulatory audit.
In order to download an archive, the build has to be locked. See Build Audit Report for additional details about this report.
Custom Configuration for Profile
Models and profiles are assets that enable DTP Enterprise Pack to perform custom calculations and data processing tasks. The model defines the attributes to be used in the calculations and acts as the template for a profile. See Working with Model Profiles to learn more about models and profiles.
The OWASP Compliance artifact ships with a default model and profiles for code analysis results from Parasoft dotTEST and Jtest. The model/profile assigns values to the detected weaknesses' exploitability, prevalence, and detectability. It also contains categorization information for mapping Parasoft rules to OWASP and OWASP API weaknesses.
The profile includes information necessary for generating compliance reports, as well as displaying data in the widgets shipped with the OWASP artifact. You can modify the profile if you want to re-categorize guidelines to meet your specific goals or specify additional metadata for your reports. Changes will be reflected in the Weakness Detection Plan.
We recommend creating a copy of the default profile and modifying the copy:
- Click Export Profile to download a copy.
- Rename the copy and click Import Profile.
- Browse for the copy and confirm to upload.
- Click Edit and make your changes.
- Click Save.
You will be able to choose an alternate profile when configuring the widgets shipped with the OWASP artifact.
OWASP Compliance Assets
The following artifacts are included in the package and added to your DTP environment when you install the Security Compliance Pack.
Test Configurations
You can configure your tool to run either the test configurations it ships with or the test configurations installed with the Security Compliance Pack. Refer to your tool's documentation for details. The following test configurations are included in the compliance pack:
- OWASP Top 10-2017
- OWASP Top 10-2021
- OWASP API Security Top 10-2019
- UL 2900 (combines OWASP Top 10-2021 and CWE Top 25 + On the Cusp)
Dashboard Templates
Dashboard templates include preconfigured widgets to help you quickly view specific information about your projects.
- OWASP Top 10 2017 - .NET
- OWASP Top 10 2017 - Java
- OWASP Top 10 2021 - .NET
- OWASP Top 10 2021 - Java
- OWASP API Top 10 2019 - .NET
- OWASP API Top 10 2019 - Java
The Security Compliance pack ships with the following UL 2900 dashboard templates that include a combination of widgets configured to show CWE Top 25 + On the Cusp and OWASP Top 10 2021 compliance. Note that both CWE and OWASP 2021 compliance artifacts must be deployed.
- UL 2900 - Java
- UL 2900 - .NET
Compliance Categories
Individual code analysis rules belong to a category, such as Security, Exceptions, etc. The OWASP Compliance artifact includes files that map code analysis rules to OWASP-specific categories, i.e., weakness type or impact. You can configure widgets to report violations according to the categories defined in the following files to view them according to their OWASP category:
- OWASP Top 10 2017 - Java
- OWASP Top 10 2017 - .NET
- OWASP Top 10 2017 - Score – Java (provides categories by OWASP Top 10 2017 Score)
- OWASP Top 10 2017 - Score - .NET (provides categories by OWASP Top 10 2017 Score)
- OWASP Top 10 2021 - Java
- OWASP Top 10 2021 - .NET
- OWASP API Security Top 10 2019 - Java
- OWASP API Security Top 10 2019 - .NET
Models and Profiles
Profiles provide a range of functions in a DTP infrastructure, such as providing inputs for custom calculations executed by an extension and providing data for compliance reports. Profiles take their structure from models, which define fields, headers, or other components used in the profile. See Working with Model Profiles for information about understanding profiles in DTP Enterprise Pack.
The following profile files are included with the artifact:
- OWASP Top 10 2017 - Java
- OWASP Top 10 2017 - .NET
- OWASP Top 10 2021 - Java
- OWASP Top 10 2021 - .NET
- OWASP API Security Top 10 2019 - Java
- OWASP API Security Top 10 2019 - .NET
Cross-reference PDFs
For your convenience, PDFs that show the association between Parasoft rules and OWASP guidelines are located in the <PACK>/rules/jtest and <PACK>/rules/dottest directories.