Fortify-SCA and SSC

Module 1: Fortify Architecture and Application Security Overview

• Identify the Fortify architectural structure and workflow
• Recognize the importance of application security in your Software Development Life Cycle (SDLC)

Module 2: Fortify SSC Setup

• Recognize the Application version and Administration options
• Create an application version and update SSC Rulepacks
• Integrate Audit Workbench scan results with SSC application versions

Module 3: Fortify SCA Analyzers Metrics

• Describe the automated scanning process
• Explain the function of each Analyzer
• Recognize how the findings are placed within each risk folder

Module 4: Fortify Static Scanning

• Define the features and usage of Fortify’s scanning options
• Recognize the different IDE plugins that integrate with Fortify SCA Analysis
• Successfully run Fortify scans in several ways, using:

• Audit Workbench
• Scan Wizard
• Command Line
• Eclipse
• Visual Studio

Module 5: Auditing Fortify Scan Results

• Verify your scan results in Audit Workbench
• Identify the findings in the Critical folder
• Utilize Smart View for a visual representation of the dataflow issues in your code
• Recognize findings categories in the Critical folder
• Apply the appropriate validation method to remediate a given vulnerability
• Filter, Audit, and suppress issues to reduce noise
• Find information, i.e. Details and Recommendations, to fix security issues

Module 6: Data Validation

• Securely implement data validation
• Select the right data validation for a particular situation
• Extend data validation libraries

Module 7: Analysis Trace and Remediating Vulnerabilities

• Properly read the analysis trace
• Audit vulnerabilities for:

• SQL Injection
• XSS
• Log Forging
• Cross-Site Request Forgery (CSRF)

Module 8: Custom Rules

• Recognize how to use data flow cleanse rules to integrate data validation into Fortify
• Create a data validation rule

Module 9: Utilize Fortify SSC (Software Security Center), Audit and Report

• Effectively navigate the Fortify SSC (Software Security Center)
• Review scan results upload and audit issues using SSC capabilities
• Generate reports to show outstanding issues, progress on security goals and a summary of the vulnerabilities detected during a scan

Module 10: Bug Tracking Integration

• Utilize Bug tracking tool through the SSC and AWB

Module 11: Utilize Audit Assistant in SSC

• Recognize the value for utilizing Audit Assistant
• Define the Fortify Scan Analytics tenant Prediction Policies
• Configure your SSC to utilize Audit Assistant
• Submit training data, issues, and review the AA results