How to Automatically Verify Security Requirements: SD Elements & Fortify Integration

We’re excited about our integration with Fortify. It follows our recent Veracode integration. With these integrations a company can automatically generate a set of tailored security requirements and then automatically test those requirements against scan results. We think it’s a huge boost for application security. It works like this:

Start by modeling your application in SD Elements:

[Screenshot 1: application model in SD Elements]

Then generate a set of tailored tasks (i.e. requirements) in SD Elements:

[Screenshot 2: tailored tasks generated in SD Elements]

Use these requirements during development:

[Screenshot 3: requirements used during development]

Run the application through Fortify and import the scanning results:

[Screenshot 4: Fortify scan results imported into SD Elements]

Review the verification status of requirements in SD Elements:

[Screenshot 5: verification status of requirements in SD Elements]

You now know:

  • Which requirements have failed verification (i.e. a vulnerability was discovered)
  • Which requirements have passed verification (i.e. no vulnerability was discovered, and Fortify can generally find this kind of vulnerability in the supported languages / frameworks)
  • Which requirements have partially passed verification (i.e. Fortify can find some but not all instances of this kind of vulnerability)
  • Which requirements were not covered by Fortify at all. These need to be tested manually.

Now use SD Elements test cases to manually test areas not covered by Fortify:

[Screenshot 6: SD Elements test cases for manual testing]
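The status logic described in the steps above, as an added example that is not SD Elements or Fortify code: each requirement is mapped to the scanner weakness categories that exercise it and to how well the scanner covers that weakness class, and the four outcomes (failed, passed, partially passed, not covered) fall out of the findings plus that coverage. The requirement ids, titles, category names and coverage levels are constructed assumptions, not values from either product.

```python
from dataclasses import dataclass
from enum import Enum

class Coverage(Enum):
    FULL = "full"        # scanner reliably finds this weakness class
    PARTIAL = "partial"  # scanner finds some but not all instances
    NONE = "none"        # scanner cannot detect this weakness class

@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    categories: frozenset   # scanner weakness categories mapped to this requirement
    coverage: Coverage

@dataclass(frozen=True)
class Finding:
    category: str
    location: str

def verification_status(req, findings):
    """Status for one requirement, following the four outcomes above."""
    if any(f.category in req.categories for f in findings):
        return "failed"            # a matching vulnerability was discovered
    if req.coverage is Coverage.FULL:
        return "passed"            # nothing found and the scanner can find this class
    if req.coverage is Coverage.PARTIAL:
        return "partially passed"  # nothing found, but the scanner only sees some instances
    return "not covered"           # scanner says nothing either way; needs manual testing

def verify(requirements, findings):
    """Map every requirement to its status and flag findings no requirement claims."""
    statuses = {r.req_id: verification_status(r, findings) for r in requirements}
    mapped = set().union(*(r.categories for r in requirements))
    unmapped = sorted({f.category for f in findings} - mapped)
    return statuses, unmapped

def manual_test_queue(statuses):
    """Requirement ids that still need a human tester."""
    return sorted(k for k, v in statuses.items() if v in ("not covered", "partially passed"))

# Constructed sample data (hypothetical ids, titles, category names and mappings).
REQUIREMENTS = [
    Requirement("T1", "Use parameterized SQL", frozenset({"SQL Injection"}), Coverage.FULL),
    Requirement("T2", "Encode output in HTML context", frozenset({"Cross-Site Scripting"}), Coverage.FULL),
    Requirement("T3", "Enforce authorization on every request", frozenset({"Access Control"}), Coverage.PARTIAL),
    Requirement("T4", "Protect against CSRF", frozenset({"Cross-Site Request Forgery"}), Coverage.NONE),
]
FINDINGS = [Finding("SQL Injection", "UserDao.java:42"), Finding("Path Manipulation", "Upload.java:17")]
```

Findings whose category no requirement claims are returned separately so they are triaged rather than silently dropped.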

About the Guest Blogger:


Chris Tyson has recently joined Security Compass as our Customer Success Engineer.

Most recently he was a Senior Sales Engineer at Klocwork, whose tools find exploitable security defects, code quality issues, and architecture and metrics issues in software. Before that, Chris gained extensive customer-facing experience in pre-sales engineering, training, consulting, customer support, software development and the management of software development teams. He is passionate about security, software quality and user experience. Chris has a Bachelor’s Degree in Computing and Information Science with a minor in Business Administration from the University of Guelph.
