HP Fortify Software Security Center

This page has been moved to Zendesk. Please refer to this link for the latest version.

Overview

IriusRisk can integrate with HP Fortify Software Security Center ("SSC") to import the latest test results. With these imports, IriusRisk can automatically add newly detected vulnerabilities to Weaknesses in the threat model.

Configuration

To configure integration with SSC complete the fields in the Product Settings Window:

Alternatively, global default values for all new projects can be configured in the Global Settings:


Field             Description
URL               URL of the SSC server. The URL must match the login page, so it may need "/ssc" appended, depending on the server configuration.
Application Name  The name of the application in SSC (case sensitive). See the image below for details.
Version           The version of the application in SSC (case sensitive). See the image below for details.
Username          SSC username.
Password          SSC password.


How to find the Name and Version in SSC:

Importing Test Results from SSC

Results are automatically imported from SSC every 5 minutes. This interval can be customised in Settings → Test → Testing → Import Interval. An import can also be triggered manually via: Products → Threats tab → Action menu → Import automated test results:


Mapping between SSC and IriusRisk

IriusRisk and SSC are integrated using this mapping:

SSC Concept          IriusRisk Concept
Application-Version  Product
Issue                Vulnerability Instance

Application-Version and Project

A product in IriusRisk must be mapped to a specific Application/Version pair in SSC. If SSC contains another version of the application, that version should be mapped to a separate product in IriusRisk.

Issue and Vulnerability Instance

An issue in SSC is mapped to a Vulnerability Instance in IriusRisk.

Vulnerability Instances are the bottom level of the IriusRisk tree structure:

  • Product
    • Component
      • Use Case
        • Threat
          • Weakness, e.g. Cross-Site Scripting - Reflected
            • Test
              • Vulnerability, e.g. Cross-Site Scripting - Reflected (example)
                • Vulnerability Instance: each individual instance of XSS

The image below shows two Vulnerability Instances created by two different Issues in SSC. Because they are related to the same CWE, they were grouped into the same Weakness:

SSC Statuses

All Issues in SSC have a specific Analysis status. The table below illustrates how IriusRisk treats each status:

SSC                IriusRisk
Not Set            Reported Issue
Not an Issue       False Positive
Reliability Issue  Reported Issue
Bad Practice       Reported Issue
Suspicious         Reported Issue
Exploitable        Reported Issue


Suppressed, Removed or no longer reported Issues

In SSC an issue can be marked as Suppressed; such issues are treated as if they had been removed. If an issue has been Removed in SSC, or is no longer reported by SSC, it is removed from IriusRisk as well. A warning message shown when configuring the SSC integration describes this behaviour:
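The following is an added, self-contained model of the import semantics described on this page (status mapping, grouping of Issues into Weaknesses by CWE, and removal of suppressed, removed or no-longer-reported Issues). It is not IriusRisk's or Fortify's own code and does not call either product's API; the `SscIssue` record, the `sync` and `group_by_weakness` functions and the sample issues are all constructed for illustration.

```python
"""Hypothetical model of one SSC -> IriusRisk import cycle.

Constructed example: no real SSC or IriusRisk API is used. The status
table below is the one documented for the integration.
"""
from dataclasses import dataclass

# SSC Analysis status -> IriusRisk vulnerability status (from the page's table).
STATUS_MAP = {
    "Not Set": "Reported Issue",
    "Not an Issue": "False Positive",
    "Reliability Issue": "Reported Issue",
    "Bad Practice": "Reported Issue",
    "Suspicious": "Reported Issue",
    "Exploitable": "Reported Issue",
}


@dataclass(frozen=True)
class SscIssue:
    """Minimal, constructed view of an SSC issue as seen by the importer."""
    issue_id: str
    cwe: str          # e.g. "CWE-79"; used to group instances into a Weakness
    category: str     # e.g. "Cross-Site Scripting - Reflected"
    analysis: str     # SSC Analysis status, one of the STATUS_MAP keys
    suppressed: bool = False
    removed: bool = False


def irius_status(analysis):
    """Translate an SSC Analysis status; fail loudly on an unmapped value
    rather than silently importing it with a guessed status."""
    try:
        return STATUS_MAP[analysis]
    except KeyError:
        raise ValueError(f"unmapped SSC analysis status: {analysis!r}") from None


def sync(previous, report):
    """Apply one import.

    previous: dict issue_id -> instance record from the last import.
    report:   list of SscIssue currently returned by SSC.
    Returns (current_instances, changes); changes is a list of
    (action, issue_id) tuples in the order they were applied.
    """
    current = {}
    changes = []
    for issue in report:
        # Suppressed or Removed issues are treated as if SSC no longer
        # reported them, so they simply do not appear in the new state.
        if issue.suppressed or issue.removed:
            continue
        record = {
            "cwe": issue.cwe,
            "category": issue.category,
            "status": irius_status(issue.analysis),
        }
        old = previous.get(issue.issue_id)
        if old is None:
            changes.append(("added", issue.issue_id))
        elif old["status"] != record["status"]:
            changes.append(("updated", issue.issue_id))
        current[issue.issue_id] = record
    # Anything known before but absent now is removed from IriusRisk too.
    for issue_id in sorted(set(previous) - set(current)):
        changes.append(("removed", issue_id))
    return current, changes


def group_by_weakness(instances):
    """Group Vulnerability Instances into Weaknesses by CWE, as the page
    describes for two XSS Issues sharing the same CWE."""
    groups = {}
    for issue_id, record in instances.items():
        groups.setdefault(record["cwe"], []).append(issue_id)
    return {cwe: sorted(ids) for cwe, ids in sorted(groups.items())}


if __name__ == "__main__":
    # Constructed sample: two reflected XSS findings and one SQLi marked "Not an Issue".
    first_report = [
        SscIssue("1", "CWE-79", "Cross-Site Scripting - Reflected", "Not Set"),
        SscIssue("2", "CWE-79", "Cross-Site Scripting - Reflected", "Exploitable"),
        SscIssue("3", "CWE-89", "SQL Injection", "Not an Issue"),
    ]
    state, changes = sync({}, first_report)
    print("first import:", changes)
    print("weaknesses:", group_by_weakness(state))
    # Next cycle: issue 1 suppressed, issue 2 re-triaged, issue 3 no longer reported.
    second_report = [
        SscIssue("1", "CWE-79", "Cross-Site Scripting - Reflected", "Not Set", suppressed=True),
        SscIssue("2", "CWE-79", "Cross-Site Scripting - Reflected", "Not an Issue"),
    ]
    state, changes = sync(state, second_report)
    print("second import:", changes)
```

The second cycle in the sample shows the behaviour the warning message refers to: a suppressed Issue and an Issue that SSC stopped reporting both disappear from IriusRisk on the next import, so an analyst should not rely on IriusRisk as the record of findings that were suppressed in SSC.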