Static analysis - Fortify SCA/SSC report for IA?
I'm a developer working on a mid-size C# application, using the Fortify secure coding plugin for Visual Studio 2010 for static code analysis on a regular basis. We're nearing the end of the development cycle and have been asked to provide a vulnerability report to IA.
I've not had to submit one before, and IA doesn't appear to be familiar with Fortify reports. My plan is to generate 2 or 3 reports and submit them so IA can decide which is appropriate to use. I'm not quite sure which report(s) (with which options) are appropriate for submission to IA. I have access to generate reports from both Audit Workbench and SSC.
So my question is, which Fortify report (with which configs) would your organization provide to an IA shop? Or, more generically, what type of static analysis vulnerability information would you provide to IA?
Thanks in advance.
My guess is that "IA" stands for "Information Assurance". When dealing with infosec types, you need to be precise in your language, since they need to be. I'm transitioning from being a developer to infosec, and this has been a challenge for me, too.
The IA team has asked for a vulnerability report, which is typically the output of penetration testing. The output of a penetration test includes weaknesses proven to be exploitable, whereas a static security assessment from static analysis includes weaknesses in the code that may not be exploitable. There are limits to the types of issues static analysis can find, and it is in no way a replacement for dynamic assessments or penetration testing.
Many companies require the results of multiple types of analysis as part of the requirements to approve an application. If manual penetration testing isn't done, a scanner such as WebInspect or AppScan can be used to scan the application in place of manual pen testing. When the results of a web app scanner are combined with static analysis results, this covers both potential weaknesses in the code and typical vulnerabilities in the deployed application (when running in an environment like the production environment).
You should work with the IA team to determine the process for vetting the application for deployment to production, and who is responsible for which steps in the process. You may need to schedule them to conduct pen testing on the application in the QA or functional testing environment.
As for the report, if they want the results of static analysis, I'd look at generating a report that's less than 20 pages for them to start with, which includes the most prevalent issues in web applications, assuming you're writing a web application. I'm partial to the CWE/SANS Top 25 2010 report in SSC, without the "detailed report" option.