Appendix A. Fortify Source Code Analysis Suite Tutorial[1]

[1] This appendix was created and is maintained by Fortify Software and is reprinted here with permission.

A special demonstration version of the Fortify Source Code Analysis product is included with this book. Please note that the demonstration software includes only a subset of the functionality offered by the Source Code Analysis Suite. For example, this demonstration version scans for buffer overflow and SQL injection vulnerabilities but does not scan for cross-site scripting or access control vulnerabilities.

The key you will need to unlock the demo on the CD is FSDMOBEBESHIPFSDMO. To prevent any confusion, this key is composed of letters exclusively. There are no numbers.

This tutorial presents a set of lessons that cover a number of different source code analysis topics. Each lesson builds on the knowledge gained in the previous lessons, so the lessons should be taken in the order they are presented. The final lesson allows you to practice what you have learned using a set of open source code bases.

The tutorial provides an introduction to the Fortify Source Code Analysis Suite for Java, C/C++ (using gcc), and .NET projects (using Visual Studio). Specifically, we include information about how to use the Fortify Source Code Analysis Engine and the Fortify Audit Workbench (see Chapter 4).

There are nine lessons in this tutorial:

  1. Introducing the Audit Workbench

  2. Auditing Source Code Manually

  3. Ensuring a Working Build Environment

  4. Running the Source Code Analysis Engine

  5. Exploring the Basic SCA Engine Command Line Arguments

  6. Understanding Raw Analysis Results

  7. Integrating with an Automated Build Process

  8. Using the Audit Workbench

  9. Auditing Open Source Applications

By using this tutorial, you will learn how to audit programs for security in order to ferret out the kinds of vulnerabilities that cause real security problems. The kinds of problems that you can find are exactly like those uncovered and publicized by experienced security researchers and malicious hackers, sometimes becoming major news events. Who knows, you may even find yourself discovering previously unknown vulnerabilities in open source code that has been fielded for years!

The directories containing the files used in this tutorial are located in the Install_Directory/Tutorial directory, where Install_Directory is the directory in which the Fortify Source Code Analysis Suite is installed. See the CD accompanying this book.

Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw