HPE Security Fortify Audit Workbench
NIST SP 800-53 Rev.4 Compliance Report: Riches_scan
Compliance: FAIL

Table of Contents
  Executive Summary
  Project Description
  Issue Breakdown
  Issue Details
    AC-3 Access Enforcement (P1)
    AC-4 Information Flow Enforcement (P1)
    AC-6 Least Privilege (P1)
    AC-12 Session Termination (P2)
    AU-5 Response to Audit Processing Failures (P1)
    AU-9 Protection of Audit Information (P1)
    AU-12 Audit Generation (P1)
    CA-3 System Interconnections (P1)
    CM-4 Security Impact Analysis (P2)
    CM-6 Configuration Settings (P2)
    IA-5 Authenticator Management (P1)
    IA-6 Authenticator Feedback (P2)
    IA-8 Identification and Authentication (Non-Organizational Users) (P1)
    SC-4 Information in Shared Resources (P1)
    SC-5 Denial of Service Protection (P1)
    SC-8 Transmission Confidentiality and Integrity (P1)
    SC-12 Cryptographic Key Establishment and Management (P1)
    SC-13 Cryptographic Protection (P1)
    SC-17 Public Key Infrastructure Certificates (P1)
    SC-18 Mobile Code (P2)
    SC-23 Session Authenticity (P1)
    SC-28 Protection of Information at Rest (P1)
    SC-38 Operations Security (P0)
    SI-2 Flaw Remediation (P1)
    SI-3 Malicious Code Protection (P1)
    SI-10 Information Input Validation (P1)
    SI-11 Error Handling (P2)
    SI-15 Information Output Filtering (P0)
    SI-16 Memory Protection (P1)
    TR-1 Privacy Notice
  Description of Key Terminology
  About HPE Security Enterprise Security Products
© Copyright 2016 Hewlett Packard Enterprise Development, L.P. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Dec 12, 2017, 12:15 PM © Copyright 2016 Hewlett Packard Enterprise Development LP
Executive Summary

Project Name:    Riches_scan
Project Version:
Compliance:      FAIL
SCA:             Results Present
WebInspect:      Results Not Present
SecurityScope:   Results Not Present
Other:           Results Not Present

NIST SP 800-53 Rev.4 groups                      Total  Status
Access Control (AC)                                  5  FAIL
Audit and Accountability (AU)                        8  FAIL
Configuration Management (CM)                        0  PASS
Identification and Authentication (IA)               0  PASS
Security Assessment and Authorization (CA)           0  PASS
System and Communications Protection (SC)            3  FAIL
System and Information Integrity (SI)               28  FAIL
Transparency (TR)                                    0  PASS
* The detailed sections following the Executive Summary contain specifics.
Project Description

This section provides an overview of the HPE Security Fortify scan engines used for this project, as well as the project meta-information.

SCA
Date of Last Analysis: Dec 12, 2017, 12:06 PM
Engine Version:        17.10.0156
Host Name:             DESKTOP-NMLL4TQ
Certification:         VALID
Number of Files:       57
Lines of Code:         3,059
Issue Breakdown

The following table summarizes the number of issues identified across the different NIST SP 800-53 Rev.4 categories, broken down by Fortify Priority Order. The status of a category is considered "In Place" or "PASS" when no issues are reported for that category.

Access Control (AC)
Control                                                            Critical  High  Medium  Low  Total  Status
AC-3 Access Enforcement (P1)                                              0     5       0    0      5  FAIL
AC-4 Information Flow Enforcement (P1)                                    0     0       0    0      0  PASS
AC-6 Least Privilege (P1)                                                 0     0       0    0      0  PASS
AC-12 Session Termination (P2)                                            0     0       0    0      0  PASS

Audit and Accountability (AU)
Control                                                            Critical  High  Medium  Low  Total  Status
AU-5 Response to Audit Processing Failures (P1)                           0     0       0    0      0  PASS
AU-9 Protection of Audit Information (P1)                                 0     8       0    0      8  FAIL
AU-12 Audit Generation (P1)                                               0     0       0    0      0  PASS

Security Assessment and Authorization (CA)
Control                                                            Critical  High  Medium  Low  Total  Status
CA-3 System Interconnections (P1)                                         0     0       0    0      0  PASS

Configuration Management (CM)
Control                                                            Critical  High  Medium  Low  Total  Status
CM-4 Security Impact Analysis (P2)                                        0     0       0    0      0  PASS
CM-6 Configuration Settings (P2)                                          0     0       0    0      0  PASS

Identification and Authentication (IA)
Control                                                            Critical  High  Medium  Low  Total  Status
IA-5 Authenticator Management (P1)                                        0     0       0    0      0  PASS
IA-6 Authenticator Feedback (P2)                                          0     0       0    0      0  PASS
IA-8 Identification and Authentication (Non-Organizational Users) (P1)    0     0       0    0      0  PASS

System and Communications Protection (SC)
Control                                                            Critical  High  Medium  Low  Total  Status
SC-4 Information in Shared Resources (P1)                                 0     0       0    0      0  PASS
SC-5 Denial of Service Protection (P1)                                    0     0       0    0      0  PASS
SC-8 Transmission Confidentiality and Integrity (P1)                      0     0       0    0      0  PASS
SC-12 Cryptographic Key Establishment and Management (P1)                 0     1       0    0      1  FAIL
SC-13 Cryptographic Protection (P1)                                       1     0       0    0      1  FAIL
SC-17 Public Key Infrastructure Certificates (P1)                         0     0       0    0      0  PASS
SC-18 Mobile Code (P2)                                                    0     0       0    0      0  PASS
SC-23 Session Authenticity (P1)                                           0     0       0    0      0  PASS
SC-28 Protection of Information at Rest (P1)                              0     1       0    0      1  FAIL
SC-38 Operations Security (P0)                                            0     0       0    0      0  PASS

System and Information Integrity (SI)
Control                                                            Critical  High  Medium  Low  Total  Status
SI-2 Flaw Remediation (P1)                                                0     0       0    0      0  PASS
SI-3 Malicious Code Protection (P1)                                       0     0       0    0      0  PASS
SI-10 Information Input Validation (P1)                                  21     7       0    0     28  FAIL
SI-11 Error Handling (P2)                                                 0     0       0    0      0  PASS
SI-15 Information Output Filtering (P0)                                   0     0       0    0      0  PASS
SI-16 Memory Protection (P1)                                              0     0       0    0      0  PASS

Transparency (TR)
Control                                                            Critical  High  Medium  Low  Total  Status
TR-1 Privacy Notice                                                       0     0       0    0      0  PASS

NOTE: 1. Reported issues in the above table may violate more than one NIST SP 800-53 Rev.4 category. As such, the same issue may appear in more than one row. The total number of unique vulnerabilities is reported in the Executive Summary table.
Issue Details Below is an enumeration of all issues found in the project. The issues are organized by NIST SP 800-53 Rev. 4, Fortify Priority Order, and vulnerability category. The issues are then further broken down by the package, namespace, or location in which they occur. Issues reported at the same line number with the same category originate from different taint sources.
AC-3 Access Enforcement (P1)

AC-3 Access Enforcement control states: "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies." HPE Security Fortify considers issues related to (a) abuse of access control settings and (b) untrusted data used to influence criteria keys, paths, and resource locations to violate this control and the following sub-controls: (3) Mandatory Access Control, (5) Security-Relevant Information, and (7) Role-Based Access Control.

Struts 2 Bad Practices: Dynamic Method Invocation
Priority: High

Package: com.fortify.samples.riches

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformCheck.java:59
  Analysis Info:
    Sink: Function: printUsers
    Enclosing Method: printUsers()
    Source:
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformRegistration.java:100
  Analysis Info:
    Sink: Function: getNewAcctno
    Enclosing Method: getNewAcctno()
    Source:
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformRegistration.java:112
  Analysis Info:
    Sink: Function: getNewCCN
    Enclosing Method: getNewCCN()
    Source:
  Analyzer: SCA

Package: com.fortify.samples.riches.oper

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:40
  Analysis Info:
    Sink: Function: getMailCommand
    Enclosing Method: getMailCommand()
    Source:
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendNewsletter.java:27
  Analysis Info:
    Sink: Function: getMailCommand
    Enclosing Method: getMailCommand()
    Source:
  Analyzer: SCA
AC-4 Information Flow Enforcement (P1)

AC-4 Information Flow Enforcement control states: "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]." HPE Security Fortify considers issues related to (a) improper usage of permissions when sending and receiving messages and (b) overly permissive domain policies to violate this control and the following sub-controls: (20) Approved Solutions and (21) Physical / Logical Separation of Information Flows.

No Issues

AC-6 Least Privilege (P1)

AC-6 Least Privilege control states: "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions." HPE Security Fortify considers issues related to overprivilege to violate this control and the following sub-control: (8) Privilege Levels for Code Execution.

No Issues

AC-12 Session Termination (P2)

AC-12 Session Termination control states: "The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]." HPE Security Fortify considers issues related to excessive session timeouts to violate this control.

No Issues

AU-5 Response to Audit Processing Failures (P1)

AU-5 Response to Audit Processing Failures control states: "The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]." HPE Security Fortify considers issues related to insufficient audit failure handling to violate this control and the following sub-control: (2) Real-Time Alerts.

No Issues
AU-9 Protection of Audit Information (P1)

AU-9 Protection of Audit Information control states: "The information system protects audit information and audit tools from unauthorized access, modification, and deletion." HPE Security Fortify considers issues related to log forging to violate this control and the following sub-controls: (4) Access by Subset of Privileged Users and (6) Read-Only Access.

Log Forging
Priority: High

Package: com.fortify.samples.riches.model

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:42
  Analysis Info:
    Sink: javax.servlet.ServletContext.log()
    Enclosing Method: getTransactions()
    Source: setAcctno(0) from com.fortify.samples.riches.AccountDetails.setAcctno() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/AccountDetails.java:61
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:61
  Analysis Info:
    Sink: javax.servlet.ServletContext.log()
    Enclosing Method: getTransactionsDebug()
    Source: setAcctno(0) from com.fortify.samples.riches.AccountDetails.setAcctno() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/AccountDetails.java:61
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:113
  Analysis Info:
    Sink: java.util.logging.Logger.finest()
    Enclosing Method: debugTransactions()
    Source: net.sf.hibernate.Query.list() from com.fortify.samples.riches.model.TransactionService.getTransactions() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:44
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:163
  Analysis Info:
    Sink: javax.servlet.ServletContext.log()
    Enclosing Method: getTransactions()
    Source: GetTransactions(5) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:106
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:163
  Analysis Info:
    Sink: javax.servlet.ServletContext.log()
    Enclosing Method: getTransactions()
    Source: GetTransactions(6) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:107
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:163
  Analysis Info:
    Sink: javax.servlet.ServletContext.log()
    Enclosing Method: getTransactions()
    Source: GetTransactions(4) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:105
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:163
  Analysis Info:
    Sink: javax.servlet.ServletContext.log()
    Enclosing Method: getTransactions()
    Source: GetTransactions(3) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:104
  Analyzer: SCA
  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:163
  Analysis Info:
    Sink: javax.servlet.ServletContext.log()
    Enclosing Method: getTransactions()
    Source: GetTransactions(1) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:102
  Analyzer: SCA
AU-12 Audit Generation (P1)

AU-12 Audit Generation control states: "The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3." HPE Security Fortify considers issues related to insufficient logging to violate this control.

No Issues

CA-3 System Interconnections (P1)

CA-3 System Interconnections control states: "The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]." HPE Security Fortify considers issues related to open proxy access to violate this control.

No Issues

CM-4 Security Impact Analysis (P2)

CM-4 Security Impact Analysis control states: "The organization analyzes changes to the information system to determine potential security impacts prior to change implementation." HPE Security Fortify considers issues related to cache configuration management to violate this control.

No Issues
CM-6 Configuration Settings (P2)

CM-6 Configuration Settings control states: "The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures." HPE Security Fortify considers issues related to server misconfiguration to violate this control.

No Issues

IA-5 Authenticator Management (P1)

IA-5 Authenticator Management control states: "The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes." HPE Security Fortify considers issues related to default credentials to violate this control.

No Issues

IA-6 Authenticator Feedback (P2)

IA-6 Authenticator Feedback control states: "The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals." HPE Security Fortify considers issues related to unmasked password fields to violate this control.

No Issues

IA-8 Identification and Authentication (Non-Organizational Users) (P1)

IA-8 Identification and Authentication (Non-Organizational Users) control states: "The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)." HPE Security Fortify considers issues related to authentication misconfiguration to violate this control.

No Issues
SC-4 Information in Shared Resources (P1)

SC-4 Information in Shared Resources control states: "The information system prevents unauthorized and unintended information transfer via shared system resources." HPE Security Fortify considers issues related to (a) heap inspection, (b) race conditions, (c) cross-session contamination, and (d) insecure compiler optimization to violate this control.

No Issues

SC-5 Denial of Service Protection (P1)

SC-5 Denial of Service Protection control states: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]." HPE Security Fortify considers issues that can result in a denial of service, such as memory leak, unreleased resource, and use after free, to violate this control.

No Issues

SC-8 Transmission Confidentiality and Integrity (P1)

SC-8 Transmission Confidentiality and Integrity control states: "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information." HPE Security Fortify considers issues related to insecure transport to violate this control and the following sub-controls: (1) Cryptographic or Alternate Physical Protection and (3) Cryptographic Protection for Message Externals.

No Issues

SC-12 Cryptographic Key Establishment and Management (P1)

SC-12 Cryptographic Key Establishment and Management control states: "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]." HPE Security Fortify considers issues related to (a) cryptographic key management and (b) insufficient key size to violate this control and the following sub-controls: (2) Symmetric Keys and (3) Asymmetric Keys.

Key Management: Hardcoded Encryption Key
Priority: High

Package: com.fortify.samples.riches

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformTransfer.java:45
  Analysis Info:
    Sink: FunctionCall: SecretKeySpec
    Enclosing Method: execute()
    Source:
  Analyzer: SCA
SC-13 Cryptographic Protection (P1)

SC-13 Cryptographic Protection control states: "The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." HPE Security Fortify considers issues related to weak (a) encryption, (b) hash functions, and (c) pseudorandom number generators to violate this control.

Weak Encryption: Insecure Mode of Operation
Priority: Critical

Package: com.fortify.samples.riches

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformTransfer.java:46
  Analysis Info:
    Sink: getInstance()
    Enclosing Method: execute()
    Source:
  Analyzer: SCA

SC-17 Public Key Infrastructure Certificates (P1)

SC-17 Public Key Infrastructure Certificates control states: "The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider." HPE Security Fortify considers issues related to (a) weak SSL certificates and (b) inadequate certificate validation to violate this control.

No Issues

SC-18 Mobile Code (P2)

SC-18 Mobile Code control states: "The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system." HPE Security Fortify considers issues related to (a) JavaScript hijacking, (b) cross-site flashing, (c) file uploads, (d) using external ant, maven or ivy dependency repositories, and (e) unauthorized includes to violate this control and the following sub-controls: (3) Prevent Downloading / Execution, (4) Prevent Automatic Execution, and (5) Allow Execution Only in Confined Environments.

No Issues

SC-23 Session Authenticity (P1)

SC-23 Session Authenticity control states: "The information system protects the authenticity of communications sessions." HPE Security Fortify considers issues related to (a) session fixation, (b) inadequate session identifiers, (c) cross-site request forgery, and (d) the use of persistent cookies to violate this control and the following sub-controls: (1) Invalidate Session Identifiers at Logout and (3) Unique Session Identifiers with Randomization.

No Issues
SC-28 Protection of Information at Rest (P1)

SC-28 Protection of Information at Rest control states: "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]." HPE Security Fortify considers issues related to (a) password and credential management and (b) insecure storage to violate this control and the following sub-control: (1) Cryptographic Protection.

Password Management: Empty Password in Configuration File
Priority: High

Package: Users.WORKSHOP.workspace.Riches.Riches

  Location: Users/WORKSHOP/workspace/Riches/Riches/build.xml:26
  Analysis Info:
    Sink: null
    Enclosing Method: ()
    Source:
  Analyzer: SCA

SC-38 Operations Security (P0)

SC-38 Operations Security control states: "The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle." HPE Security Fortify considers issues related to insecure deployment to violate this control.

No Issues

SI-2 Flaw Remediation (P1)

SI-2 Flaw Remediation control states: "The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process." HPE Security Fortify considers issues related to discovery of unpatched applications to violate this control.

No Issues
SI-3 Malicious Code Protection (P1)

SI-3 Malicious Code Protection control states: "The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system." HPE Security Fortify considers issues related to malicious application discovery to violate this control.

No Issues
SI-10 Information Input Validation (P1)

SI-10 Information Input Validation control states: "The information system checks the validity of [Assignment: organization-defined information inputs]." HPE Security Fortify considers issues related to (a) inadequate or disabled input validation, including cross-site scripting and path manipulation, and (b) injection flaws to violate this control and the following sub-control: (5) Restrict Input to Trusted Sources and Approved Formats.

Path Manipulation
Priority: Critical

Package: com.fortify.samples.riches.webservices

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/webservices/BannerAdClient.java:37
  Analysis Info:
    Sink: java.io.FileInputStream.FileInputStream()
    Enclosing Method: copy()
    Source: com.fortify.samples.riches.webservices.BannerAdServer.retrieveBannerAd() from com.fortify.samples.riches.webservices.BannerAdClient.main() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/webservices/BannerAdClient.java:79
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/webservices/BannerAdServer.java:31
  Analysis Info:
    Sink: java.io.File.File()
    Enclosing Method: retrieveBannerAd()
    Source: retrieveBannerAd(0) from com.fortify.samples.riches.webservices.BannerAdServer.retrieveBannerAd() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/webservices/BannerAdServer.java:25
  Analyzer: SCA

SQL Injection
Priority: Critical

Package: com.fortify.samples.riches.model

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/LocationService.java:120
  Analysis Info:
    Sink: java.sql.Connection.prepareStatement()
    Enclosing Method: findByZip()
    Source: setZip(0) from com.fortify.samples.riches.FindLocations.setZip() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/FindLocations.java:91
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/LocationService.java:149
  Analysis Info:
    Sink: java.sql.Statement.executeQuery()
    Enclosing Method: findAtmByAddress()
    Source: setCity(0) from com.fortify.samples.riches.FindLocations.setCity() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/FindLocations.java:71
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/LocationService.java:149
  Analysis Info:
    Sink: java.sql.Statement.executeQuery()
    Enclosing Method: findAtmByAddress()
    Source: setState(0) from com.fortify.samples.riches.FindLocations.setState() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/FindLocations.java:81
  Analyzer: SCA

  Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/LocationService.java:149
  Analysis Info:
    Sink: java.sql.Statement.executeQuery()
    Enclosing Method: findAtmByAddress()
    Source: setAddress(0) from com.fortify.samples.riches.FindLocations.setAddress() in share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/FindLocations.java:61
  Analyzer: SCA
Dec 12, 2017, 12:15 PM © Copyright 2016 Hewlett Packard Enterprise Development LP
16
SI-10 Information Input Validation (P1)

SI-10 Information Input Validation control states: "The information system checks the validity of [Assignment: organization-defined information inputs]." HPE Security Fortify considers issues related to (a) inadequate or disabled input validation, including cross-site scripting and path manipulation, and (b) injection flaws to violate this control and the following sub-control: (5) Restrict Input to Trusted Sources and Approved Formats.

SQL Injection: Hibernate
Critical
Package: com.fortify.samples.riches.model
Location | Analysis Info | Analyzer
Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/AccountService.java:318
Sink: net.sf.hibernate.Session.find()
Enclosing Method: IsAccountExist()
Source: DeleteAccount(0) from com.fortify.samples.riches.restful.AccountResources.DeleteAccount() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/AccountResources.java:141
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/LocationService.java:69
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: findAtmByZip()
Source: setZip(0) from com.fortify.samples.riches.FindLocations.setZip() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/FindLocations.java:91
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/MessageService.java:137
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getMessage()
Source: javax.servlet.http.HttpServletRequest.getRemoteUser() from com.fortify.samples.riches.Messages.execute() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/Messages.java:20
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/ProfileService.java:247
Sink: net.sf.hibernate.Session.find()
Enclosing Method: IsProfileExist()
Source: GetTransactions(0) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:101
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/ProfileService.java:247
Sink: net.sf.hibernate.Session.find()
Enclosing Method: IsProfileExist()
Source: GetAccountsByName_JSON(0) from com.fortify.samples.riches.restful.AccountResources.GetAccountsByName_JSON() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/AccountResources.java:82
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/ProfileService.java:247
Sink: net.sf.hibernate.Session.find()
Enclosing Method: IsProfileExist()
Source: GetAccountsByName(0) from com.fortify.samples.riches.restful.AccountResources.GetAccountsByName() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/AccountResources.java:62
Analyzer: SCA
Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:43
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getTransactions()
Source: setAcctno(0) from com.fortify.samples.riches.AccountDetails.setAcctno() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/AccountDetails.java:61
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:62
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getTransactionsDebug()
Source: setAcctno(0) from com.fortify.samples.riches.AccountDetails.setAcctno() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/AccountDetails.java:61
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:164
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getTransactions()
Source: GetTransactions(1) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:102
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:164
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getTransactions()
Source: GetTransactions(5) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:106
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:164
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getTransactions()
Source: GetTransactions(6) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:107
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:164
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getTransactions()
Source: GetTransactions(4) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:105
Analyzer: SCA
Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/model/TransactionService.java:164
Sink: net.sf.hibernate.Session.createQuery()
Enclosing Method: getTransactions()
Source: GetTransactions(3) from com.fortify.samples.riches.restful.TransactionResources.GetTransactions() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/TransactionResources.java:104
Analyzer: SCA

XML External Entity Injection
Critical
Package: com.fortify.samples.riches.restful
Location | Analysis Info | Analyzer

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/XMLUtil.java:29
Sink: javax.xml.parsers.DocumentBuilder.parse()
Enclosing Method: getDocument()
Source: WriteCheck(0) from com.fortify.samples.riches.restful.AccountResources.WriteCheck() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/AccountResources.java:124
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/XMLUtil.java:29
Sink: javax.xml.parsers.DocumentBuilder.parse()
Enclosing Method: getDocument()
Source: AddAccount(0) from com.fortify.samples.riches.restful.AccountResources.AddAccount() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/restful/AccountResources.java:102
Analyzer: SCA
Command Injection
High
Package: com.fortify.samples.riches.oper
Location | Analysis Info | Analyzer

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:83
Sink: java.lang.Runtime.exec()
Enclosing Method: sendMail()
Source: setTo(0) from com.fortify.samples.riches.oper.SendMessage.setTo() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:150
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:83
Sink: java.lang.Runtime.exec()
Enclosing Method: sendMail()
Source: setSubject(0) from com.fortify.samples.riches.oper.SendMessage.setSubject() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:142
Analyzer: SCA
Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:83
Sink: java.lang.Runtime.exec()
Enclosing Method: sendMail()
Source: setSeverity(0) from com.fortify.samples.riches.oper.SendMessage.setSeverity() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:158
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:83
Sink: java.lang.Runtime.exec()
Enclosing Method: sendMail()
Source: setBody(0) from com.fortify.samples.riches.oper.SendMessage.setBody() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:134
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendNewsletter.java:61
Sink: java.lang.Runtime.exec()
Enclosing Method: sendMail()
Source: setBody(0) from com.fortify.samples.riches.oper.SendNewsletter.setBody() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendNewsletter.java:117
Analyzer: SCA

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendNewsletter.java:61
Sink: java.lang.Runtime.exec()
Enclosing Method: sendMail()
Source: setSubject(0) from com.fortify.samples.riches.oper.SendNewsletter.setSubject() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendNewsletter.java:125
Analyzer: SCA
Path Manipulation
High
Package: com.fortify.samples.riches.oper
Location | Analysis Info | Analyzer

Location: share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/UploadProfilePicture.java:55
Sink: java.io.File.File()
Enclosing Method: execute()
Source: setUploadFileName(0) from com.fortify.samples.riches.oper.UploadProfilePicture.setUploadFileName() In share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/UploadProfilePicture.java:34
Analyzer: SCA
SI-11 Error Handling (P2)

SI-11 Error Handling control states: "The information system: a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and b. Reveals error messages only to [Assignment: organization-defined personnel or roles]." HPE Security Fortify considers issues related to (a) inadequate error handling and (b) revealing debug information to violate this control.

No Issues

SI-15 Information Output Filtering (P0)

SI-15 Information Output Filtering control states: "The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content." HPE Security Fortify considers issues related to output encoding misconfiguration to violate this control.

No Issues

SI-16 Memory Protection (P1)

SI-16 Memory Protection control states: "The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution." HPE Security Fortify considers issues related to buffer overflows to violate this control.

No Issues

TR-1 Privacy Notice

TR-1 Privacy Notice control states: "The organization: a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary; b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change." HPE Security Fortify considers issues related to a missing privacy policy to violate this control.

No Issues
Description of Key Terminology

Likelihood and Impact

Likelihood: Likelihood is the probability that a vulnerability will be accurately identified and successfully exploited.

Impact: Impact is the potential damage an attacker could do to assets by successfully exploiting a vulnerability. This damage can be in the form of, but not limited to, financial loss, compliance violation, loss of brand reputation, and negative publicity.

Fortify Priority Order

Critical: Critical-priority issues have high impact and high likelihood. Critical-priority issues are easy to detect and exploit and result in large asset damage. These issues represent the highest security risk to the application. As such, they should be remediated immediately. SQL Injection is an example of a critical issue.

High: High-priority issues have high impact and low likelihood. High-priority issues are often difficult to detect and exploit, but can result in large asset damage. These issues represent a high security risk to the application. High-priority issues should be remediated in the next scheduled patch release. Password Management: Hardcoded Password is an example of a high issue.

Medium: Medium-priority issues have low impact and high likelihood. Medium-priority issues are easy to detect and exploit, but typically result in small asset damage. These issues represent a moderate security risk to the application. Medium-priority issues should be remediated in the next scheduled product update. Path Manipulation is an example of a medium issue.

Low: Low-priority issues have low impact and low likelihood. Low-priority issues can be difficult to detect and exploit and typically result in small asset damage. These issues represent a minor security risk to the application. Low-priority issues should be remediated as time allows. Dead Code is an example of a low issue.
About HPE Security Enterprise Security Products

HPE Security is a leading provider of security and compliance solutions for the modern enterprise that wants to mitigate risk in its hybrid environment and defend against advanced threats. Based on market-leading products from HPE Security ArcSight and HPE Security Fortify, the HPE Security Intelligence Platform uniquely delivers the application protection and advanced correlation to protect today's hybrid IT infrastructure from sophisticated cyber threats.