
Customize the Verification Tool Integration

Background

SD Elements can import the verification results from tools and mark the corresponding project security requirements with one of three verification statuses: Pass, Partial Pass, or Fail. The following scanning tools are currently supported:

  • AppScan Enterprise, Standard
  • Checkmarx
  • Fortify SCA, Fortify on Demand
  • WebInspect
  • Veracode
  • WhiteHat
  • Threadfix

Beyond the technical integration itself, connecting a verification tool requires a mapping between the weaknesses the tool reports and the related security requirements in SD Elements. A mapping asserts that the weakness is mitigated, or at least partly controlled, by the requirement. Each mapping is also assigned a confidence level of "Low" or "High", with the following meanings:

Low: The verification tool detects the underlying problem only in some of the supported languages/frameworks, or detects only certain aspects of the problem. A requirement mapped at low confidence, with no identified weaknesses in a scanner import, receives the verification status "Partial Pass".

High: The tool identifies instances of the underlying problem in most circumstances, with few false negatives. A requirement mapped at high confidence, with no identified weaknesses in a scanner import, receives the verification status "Pass".

These "requirement - weakness" mappings are CSV files stored on the SD Elements server. With a text editor you can modify a mapping to match your organization's processes, scanner configuration and customized set of security requirements. Customized mappings can be stored in a location from which they can be carried forward across upgrades. Details below.

 

Mapping File Format

The mapping file is in comma-separated-value (CSV) format. The first line of the file must contain the column headers: 

Task ID,Task Title,Weakness ID,Weakness Title,Confidence

The columns are described as follows:

- Task ID - SD Elements task identifier, such as T21, CT123, or PT53

- Task Title - SD Elements task title. This is informational-only - it doesn't need to match the related task

- Weakness ID - The value used in scanner results to identify a flaw or weakness. It is generally used to map scanner issues to the associated Task ID.

- Weakness Title - The value used in the scanner tool's documentation to describe a flaw or weakness. The integration with AppScan Enterprise uses this value instead of the Weakness ID during the mapping process. For all other tools this is treated as informational only.

- Confidence - The value "low" or "high". The meaning of this column is described above.

Each row in the file, with a value in every column listed above, represents one mapping between an SD Elements task and a scanner weakness.

Example:

A mapping file for AppScan containing only two mappings would look similar to the following:

Task ID,Task Title,Weakness ID,Weakness Title,Confidence
T40,Use XML encoding when interacting with XML data,TPHidden_OWB_Injection_XML,WhiteBox: Injection_XML,low
T49,"Remove/disable unused, test or debug code and data",GD_InternalIP,Internal IP Disclosure Pattern Found,low
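The following script is an added example, not code from SD Elements or the sdetools package. It parses a mapping file exactly as described above (header line, five columns, quoted titles containing commas, low/high confidence), reports the first formatting problem it finds, and then derives the verification status each mapped task would receive from a set of scanner findings. Task ID prefixes T, CT and PT are taken from the examples on this page; "Fail" for a matched weakness is inferred from the three statuses listed in the background section; and how several mappings of one task combine into a single status is an assumption of this example. The sample input is the two-row AppScan mapping shown above.

```python
"""Validate an SD Elements scanner mapping CSV and derive verification statuses.

Added example; this is not code from SD Elements or sdetools. Task ID
prefixes T/CT/PT come from the examples in the article (other prefixes, if
any, would need adding). "Fail" for a matched weakness is inferred from the
article; how several mappings of one task combine is an assumption.
"""
import csv
import io
import re

HEADER = ["Task ID", "Task Title", "Weakness ID", "Weakness Title", "Confidence"]
TASK_ID_RE = re.compile(r"^(T|CT|PT)\d+$")

# Constructed sample input: the two-row AppScan mapping shown in the article.
SAMPLE_MAPPING = """\
Task ID,Task Title,Weakness ID,Weakness Title,Confidence
T40,Use XML encoding when interacting with XML data,TPHidden_OWB_Injection_XML,WhiteBox: Injection_XML,low
T49,"Remove/disable unused, test or debug code and data",GD_InternalIP,Internal IP Disclosure Pattern Found,low
"""


def parse_mapping(text):
    """Parse mapping CSV text into a list of row dicts keyed by column name.

    Raises ValueError for a wrong header, wrong column count, malformed
    Task ID or a Confidence other than low/high. Confidence is lower-cased.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != HEADER:
        raise ValueError("bad header %r, expected %r" % (header, HEADER))
    rows = []
    for lineno, fields in enumerate(reader, start=2):
        if not fields:          # tolerate blank lines
            continue
        if len(fields) != len(HEADER):
            raise ValueError("line %d: expected %d columns, got %d"
                             % (lineno, len(HEADER), len(fields)))
        row = dict(zip(HEADER, fields))
        if not TASK_ID_RE.match(row["Task ID"]):
            raise ValueError("line %d: bad Task ID %r" % (lineno, row["Task ID"]))
        confidence = row["Confidence"].strip().lower()
        if confidence not in ("low", "high"):
            raise ValueError("line %d: Confidence must be low or high, got %r"
                             % (lineno, row["Confidence"]))
        row["Confidence"] = confidence
        rows.append(row)
    return rows


def mapping_problem(text):
    """Return the first validation error as a string, or None if the file is valid."""
    try:
        parse_mapping(text)
    except ValueError as exc:
        return str(exc)
    return None


def verification_status(rows, found, match_on="Weakness ID"):
    """Derive a verification status per mapped task from scanner findings.

    `found` is the set of identifiers the scanner reported. Most integrations
    match on Weakness ID; for AppScan Enterprise pass match_on="Weakness Title",
    since that integration matches on the title column instead.

    Rule: a matched weakness -> "Fail"; no match and high confidence -> "Pass";
    no match and low confidence -> "Partial Pass". A task with several mappings
    takes the weakest result of its mappings (assumption, see module docstring).
    """
    status = {}
    for row in rows:
        task = row["Task ID"]
        previous = status.get(task)
        if row[match_on] in found or previous == "Fail":
            status[task] = "Fail"
        elif row["Confidence"] == "high" and previous in (None, "Pass"):
            status[task] = "Pass"
        else:
            status[task] = "Partial Pass"
    return status


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING)
    # Scanner reported only the internal-IP finding: T49 fails, T40 gets Partial Pass.
    print(verification_status(mapping, {"GD_InternalIP"}))
```

Run `mapping_problem(open(path).read())` on a file before copying it to the server; a None result means the header, column count, task IDs and confidence values are all in order.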

Follow the steps below to customize an existing mapping file on your SD Elements onsite instance.

 

Procedure

Step 1: Identify the Mapping Files Location

The list below outlines where the mapping files are located on an SD Elements server.

  • AppScan Enterprise, AppScan Standard
    /docs/sde/live/env/lib/python2.7/site-packages/sdetools/docs/analysis/sde_appscan_map.csv
  • Checkmarx
    /docs/sde/live/env/lib/python2.7/site-packages/sdetools/docs/analysis/sde_checkmarx_map.csv
  • Fortify SCA, Fortify On Demand
    /docs/sde/live/env/lib/python2.7/site-packages/sdetools/docs/analysis/sde_fortify_map.csv
  • Veracode
    /docs/sde/live/env/lib/python2.7/site-packages/sdetools/docs/analysis/sde_veracode_map.csv
  • WebInspect
    /docs/sde/live/env/lib/python2.7/site-packages/sdetools/docs/analysis/sde_webinspect_map.csv 


Step 2: Copy Mapping Files to Media Directory

As the sde_admin user, copy all of the mapping files to the SD Elements media directory:

# create the target directory and copy the whole analysis directory (all mapping files)
mkdir -p /docs/sde/live/code/sigma/media/sdetools
cp -r /docs/sde/live/env/lib/python2.7/site-packages/sdetools/docs/analysis /docs/sde/live/code/sigma/media/sdetools/
# directories group-writable, files writable by the owner only
find /docs/sde/live/code/sigma/media/sdetools/ -type d -exec chmod 775 {} \;
find /docs/sde/live/code/sigma/media/sdetools/ -type f -exec chmod 644 {} \;

 

Step 3: Activate New Mapping Files Location

Open local_settings.py in a text editor,

vim /docs/sde/live/code/sigma/local_settings.py

and add the following entry (MEDIA_ROOT is the SD Elements media directory, /docs/sde/live/code/sigma/media; the entry uses os.path, so make sure local_settings.py imports os):

SDETOOLS_MEDIA_PATH = os.path.join(MEDIA_ROOT, "sdetools/")

Restart apache and celery:

sde apache restart
sde supervisor restart sde_celery

The mapping files in the media directory are now the active ones; make any desired customizations to those copies. To revert to the standard mappings or to deactivate your customization, remove the entry from local_settings.py and restart Apache and celery as above.

 

Step 4: Modify the Mapping Files

Make a copy of the mapping file before changing it. It is safer to edit the file on your desktop computer, check that it is still well-formed CSV (header line unchanged, one row per mapping, titles containing commas enclosed in double quotes, confidence values low or high), and only then copy it to the server.

Example: update the confidence

Change the confidence of a mapping to better match your organization's processes or policies. Using the example above, the confidence of the T40 mapping can be raised from "low" to "high" by editing the Confidence column:

Task ID,Task Title,Weakness ID,Weakness Title,Confidence
T40,Use XML encoding when interacting with XML data,TPHidden_OWB_Injection_XML,WhiteBox: Injection_XML,high
T49,"Remove/disable unused, test or debug code and data",GD_InternalIP,Internal IP Disclosure Pattern Found,low


SDE Updates

Custom mappings are not carried forward automatically by an SDE update. Follow these steps to copy the customizations from the previous release (OLD_SDE_VERSION) into the latest one, and confirm afterwards that the SDETOOLS_MEDIA_PATH entry from Step 3 is present in the live local_settings.py.

As the sde_admin user:

  1. Copy the mappings from the previous release, substituting <OLD_SDE_VERSION> with the previous SDE version:
    cp -av /docs/sde/<OLD_SDE_VERSION>/code/sigma/media/sdetools /docs/sde/live/code/sigma/media/

  2. Restart apache and celery:
    sde apache restart
    sde supervisor restart sde_celery
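The copy above brings your customized files forward, but it tells you nothing about what the new release's own mapping files contain: if a new sdetools version ships changed or additional mappings under the Step 1 path, the carried-forward custom copy replaces them without warning. The script below is an added example, not SD Elements' tooling, for running after the copy: it compares a custom mapping file against the stock file from the new release, key by (Task ID, Weakness ID), lists what is new in stock, what exists only in your copy, and where confidence differs, and rebuilds a merged file in which stock rows keep their order and your confidence overrides win. The sample inputs are constructed; the T55/GD_Example row stands in for a hypothetical new stock mapping, and whether a given release actually changes the stock files is an assumption the check does not depend on.

```python
"""Compare and re-merge a customized mapping against the stock mapping of a new release.

Added example, not SD Elements' own tooling. `cp -av` in the upgrade steps
replaces the stock file shipped with the new release by the old custom copy,
so mappings a new sdetools release added or changed would be lost silently.
This script shows what differs and rebuilds a merged file.
"""
import csv
import io

HEADER = ["Task ID", "Task Title", "Weakness ID", "Weakness Title", "Confidence"]
KEY = ("Task ID", "Weakness ID")     # one mapping = (task, weakness) pair

# Constructed samples. STOCK stands for the file under site-packages in the new
# release; its T55/GD_Example row is hypothetical. CUSTOM is the carried-forward
# copy in which T40 was raised to high confidence.
STOCK = """\
Task ID,Task Title,Weakness ID,Weakness Title,Confidence
T40,Use XML encoding when interacting with XML data,TPHidden_OWB_Injection_XML,WhiteBox: Injection_XML,low
T49,"Remove/disable unused, test or debug code and data",GD_InternalIP,Internal IP Disclosure Pattern Found,low
T55,Hypothetical new stock mapping,GD_Example,Hypothetical weakness,high
"""
CUSTOM = """\
Task ID,Task Title,Weakness ID,Weakness Title,Confidence
T40,Use XML encoding when interacting with XML data,TPHidden_OWB_Injection_XML,WhiteBox: Injection_XML,high
T49,"Remove/disable unused, test or debug code and data",GD_InternalIP,Internal IP Disclosure Pattern Found,low
"""


def load_rows(text):
    """Index mapping CSV text by (Task ID, Weakness ID); values are the full rows."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["Confidence"] = row["Confidence"].strip().lower()
        rows[tuple(row[k] for k in KEY)] = row
    return rows


def mapping_diff(stock_text, custom_text):
    """Report mappings only in stock (new in the release, dropped by the blind
    copy), only in custom (your additions or mappings the release removed), and
    keys whose confidence differs, as (key, custom, stock) triples."""
    stock, custom = load_rows(stock_text), load_rows(custom_text)
    return {
        "only_in_stock": sorted(k for k in stock if k not in custom),
        "only_in_custom": sorted(k for k in custom if k not in stock),
        "confidence_changed": sorted(
            (k, custom[k]["Confidence"], stock[k]["Confidence"])
            for k in stock if k in custom
            and stock[k]["Confidence"] != custom[k]["Confidence"]),
    }


def merge_mappings(stock_text, custom_text):
    """Reapply customizations onto the new stock file and return CSV text:
    stock rows keep their order and titles, custom confidence wins, and
    custom-only rows are appended at the end."""
    custom = load_rows(custom_text)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    seen = set()
    for row in csv.DictReader(io.StringIO(stock_text)):
        key = tuple(row[k] for k in KEY)
        seen.add(key)
        if key in custom:
            row["Confidence"] = custom[key]["Confidence"]
        writer.writerow(row)
    for key, row in custom.items():
        if key not in seen:
            writer.writerow(row)
    return out.getvalue()


def merge_files(stock_path, custom_path, output_path):
    """File wrapper: stock_path is the file under the Step 1 site-packages path of
    the new release, custom_path the carried-forward copy in the media directory."""
    with open(stock_path, newline="") as s, open(custom_path, newline="") as c:
        merged = merge_mappings(s.read(), c.read())
    with open(output_path, "w", newline="") as o:
        o.write(merged)


if __name__ == "__main__":
    for name, items in mapping_diff(STOCK, CUSTOM).items():
        print(name, items)
    print(merge_mappings(STOCK, CUSTOM))
```

Run the diff first and read it; only write the merged file over the custom copy once you have decided which side should win for each reported key, then restart Apache and celery as above.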



