SD Elements integrates with application security tools. There are two kinds of application security tools that SD Elements integrates with:
- Static analysis: Tools that scan application code for vulnerabilities, such as Veracode (static analysis) and HP Fortify
- Dynamic analysis: Tools that scan application runtime for vulnerabilities, such as Veracode (dynamic testing) and HP WebInspect
The purpose of these integrations is to help automatically verify that security tasks have been followed, and also identify which requirements the tools were unable to verify. Using SD Elements integration gives you a much broader visibility of risk than just using a scanning solution on its own.
More information about how scanning tools are mapped to SD Elements requirements can be found here: Understand: Security Tools Mappings
All security tool integrations follow this process:
- Import an analysis result from the scanning tool.
- Compare all potential vulnerabilities that the scanning tool can find with the tasks in SD Elements.
- If the scanning tool does not cover the specific task, then there is no change to verification status.
- If the scanning tool does cover a task, then it marks the appropriate verification status. See "Understand: Verification status" for more details. If any vulnerability was found, the task will appear as "Fail". Where possible, SD Elements provides a reference of where to find more details in the scanning tool's report.
- All vulnerabilities found by the scanning tool that do not match a task in SD Elements are enumerated in task T193: Review non-categorized/miscellaneous findings from automated analysis.
NOTE: In order to have task T193: Review non-categorized/miscellaneous findings from automated analysis appear you must ensure that the following project setting is enabled: Project Settings->Development/Test Tools->Development Tools->Uses static or dynamic security code analysis
As an SD Elements user with permission to verify tasks, you can also manually set the verification status of a task to pass, partial pass, or fail. This allows you to override a false positive or false negative from one of these tools, or to update a task that these tools cannot scan for.
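The import process and the manual override described above, as an added example in Python (not SD Elements' own code). The tool-to-task mapping, the task IDs other than T193, and the finding records are all constructed for this example; the project setting is modelled as a boolean.

```python
from dataclasses import dataclass, field

T193 = "T193"  # Review non-categorized/miscellaneous findings (from the page)

# Hypothetical mapping from a tool's finding categories to SD Elements task
# IDs; the categories and task IDs are constructed, not a real tool's.
TOOL_MAPPING = {
    "sql_injection": ["T21"],
    "xss_reflected": ["T33"],
    "weak_random": ["T58"],
}

@dataclass
class Finding:
    category: str  # the tool's own classification of the finding
    location: str  # where in the tool's report the details live

@dataclass
class ProjectState:
    uses_code_analysis: bool  # the project setting that gates T193
    statuses: dict = field(default_factory=dict)    # task -> status
    references: dict = field(default_factory=dict)  # task -> report locations

def import_scan(state, findings, mapping):
    """Apply one scan report. A task the tool covers (it appears in the
    mapping) becomes 'pass' when no finding hit it and 'fail' otherwise;
    a task the tool does not cover is left untouched."""
    for task in {t for tasks in mapping.values() for t in tasks}:
        state.statuses[task] = "pass"  # provisional until a finding hits it
    for f in findings:
        tasks = mapping.get(f.category)
        if tasks is None:
            # Unmatched finding: enumerated under T193, which only exists in
            # the project when the code-analysis setting is enabled.
            if state.uses_code_analysis:
                state.references.setdefault(T193, []).append(f.location)
            continue
        for task in tasks:
            state.statuses[task] = "fail"
            state.references.setdefault(task, []).append(f.location)
    return state

def set_manual_status(state, task, status):
    """Manual override by a user with verify permission: pass, partial pass
    or fail (used for false positives/negatives and tasks tools cannot scan)."""
    if status not in ("pass", "partial pass", "fail"):
        raise ValueError(f"unknown verification status: {status}")
    state.statuses[task] = status
    return state
```

Re-importing a report resets every covered task before applying findings, so a manual override on a covered task survives only until the next import in this model.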