Overview
IriusRisk can integrate with HP Fortify Software Security Center ("SSC") to import the latest test results. With these imports IriusRisk can automatically add newly detected vulnerabilities to Weaknesses in the threat model.
Configuration
To configure integration with SSC complete the fields in the Product Settings Window:
Alternatively, global default values for all new projects can be configured in the Global Settings:
Field | Description |
---|---|
URL | URL of the SSC server. The URL must match the login page, so it may need "/ssc" appended, depending on the server configuration |
Application Name | The name of the application in SSC (case sensitive). Please see image below for more details |
Version | The version of application in SSC (case sensitive). Please see image below for more details |
Username | Username |
Password | Password |
How to find the Name and Version in SSC:
Importing Test Results from SSC
Results are automatically imported from SSC every 5 minutes. This interval can be customised in Settings → Test → Testing → Import Interval. An import can also be triggered manually, without waiting for the interval, from Products → Threats tab → Action menu → Import automated test results:
Mapping between SSC and Irius
IriusRisk and SSC are integrated using this mapping:
SSC Concept | IriusRisk Concept |
---|---|
Application-Version | Product |
Issue | Vulnerability Instance |
Application-Version and Project
A product in IriusRisk must be mapped to a specific Application/Version pair in SSC. If there is another version in SSC, it should be mapped to another product in IriusRisk.
Issue and Vulnerability Instance
An issue in SSC is mapped to a Vulnerability Instance in IriusRisk.
Vulnerability Instances are the bottom of the IriusRisk tree structure:
- Product
  - Component
    - Use Case
      - Threat
        - Weakness, e.g. Cross-Site Scripting - Reflected
          - Test
            - Vulnerability, e.g. Cross-Site Scripting - Reflected (example)
              - Vulnerability Instance: each instance of XSS
The image below shows two Vulnerability Instances created by two different Issues in SSC. Because they are related to the same CWE, they were grouped into the same Weakness:
SSC Statuses
All Issues in SSC have a specific Analysis status. The table below illustrates how IriusRisk treats each status:
SSC | IriusRisk |
---|---|
Not Set | Reported Issue |
Not an Issue | False Positive |
Reliability Issue | Reported Issue |
Bad Practice | Reported Issue |
Suspicious | Reported Issue |
Exploitable | Reported Issue |
Suppressed, Removed or no longer reported Issues
In SSC an issue can be marked as Suppressed; IriusRisk treats suppressed issues as if they had been removed. If an issue has been Removed in SSC, or is no longer reported by SSC at all, it is removed from IriusRisk too. A warning message shown when configuring the SSC integration describes this behaviour:
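The following Python model shows how the mapping rules on this page fit together in one import: the Analysis status table above, the grouping of Issues with the same CWE into a single Weakness, and the removal of Suppressed, Removed or no-longer-reported Issues. It is an added illustration, not IriusRisk's or Fortify's own code; the issue fields (issue_id, cwe, analysis, suppressed, removed) and the sample issues are constructed for the example.

```python
"""Illustrative reconciliation of an SSC import into IriusRisk Vulnerability
Instances. Added example code, not IriusRisk's or Fortify's implementation;
the SscIssue field names are assumptions made for this example."""

from dataclasses import dataclass, field

# SSC Analysis status -> IriusRisk status, as given in the table on this page.
STATUS_MAP = {
    "Not Set": "Reported Issue",
    "Not an Issue": "False Positive",
    "Reliability Issue": "Reported Issue",
    "Bad Practice": "Reported Issue",
    "Suspicious": "Reported Issue",
    "Exploitable": "Reported Issue",
}


@dataclass
class SscIssue:
    issue_id: str
    cwe: str                # e.g. "CWE-79"; issues sharing a CWE land in one Weakness
    analysis: str           # SSC Analysis status (a key of STATUS_MAP)
    suppressed: bool = False
    removed: bool = False


@dataclass
class Weakness:
    cwe: str
    instances: dict = field(default_factory=dict)  # issue_id -> IriusRisk status


def map_status(analysis: str) -> str:
    """Translate an SSC Analysis status using the page's table; reject unknown values."""
    if analysis not in STATUS_MAP:
        raise ValueError(f"unknown SSC analysis status: {analysis!r}")
    return STATUS_MAP[analysis]


def reconcile(current: dict, issues: list) -> tuple:
    """Apply one SSC import to the Weaknesses currently held for a product.

    current: {cwe: Weakness} before the import.
    issues:  every issue SSC returns for the mapped Application/Version.
    Returns (new_weaknesses, removed_ids). Suppressed and Removed issues, and
    issues no longer present in the import, are not carried over, which is the
    removal behaviour described on this page. The input mapping is not mutated.
    """
    live = {i.issue_id: i for i in issues if not (i.suppressed or i.removed)}
    new = {}
    for issue in live.values():
        w = new.setdefault(issue.cwe, Weakness(cwe=issue.cwe))
        w.instances[issue.issue_id] = map_status(issue.analysis)
    previously_held = {iid for w in current.values() for iid in w.instances}
    removed_ids = sorted(previously_held - live.keys())
    return new, removed_ids


def sample_import() -> tuple:
    """Run reconcile() on constructed sample data (not real SSC output)."""
    current = {
        "CWE-79": Weakness("CWE-79", {"1": "Reported Issue", "9": "Reported Issue"}),
        "CWE-22": Weakness("CWE-22", {"7": "Reported Issue"}),   # "7" is no longer reported
    }
    issues = [
        SscIssue("1", "CWE-79", "Exploitable"),
        SscIssue("2", "CWE-79", "Suspicious"),                  # second XSS, same Weakness
        SscIssue("3", "CWE-89", "Not an Issue"),                # becomes False Positive
        SscIssue("9", "CWE-79", "Exploitable", suppressed=True),  # dropped as if removed
    ]
    return reconcile(current, issues)


if __name__ == "__main__":
    weaknesses, removed = sample_import()
    for cwe, w in weaknesses.items():
        print(cwe, w.instances)
    print("removed from IriusRisk:", removed)
```

Running the module prints one Weakness for CWE-79 holding two Vulnerability Instances, one for CWE-89 whose instance is a False Positive, and the two instance IDs ("7" unreported, "9" suppressed) that the import removes.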