Course structure
Module 1: Fortify Architecture and Application Security Overview
- Identify the Fortify architectural structure and workflow
- Recognize the importance of application security in your Software Development Life Cycle (SDLC)
Module 2: Fortify SSC Setup
- Recognize the Application version and Administration options
- Create an application version and update SSC Rulepacks
- Integrate Audit Workbench scan results with SSC application versions
Module 3: Fortify SCA Analyzers Metrics
- Describe the automated scanning process
- Explain the function of each Analyzer
- Recognize how the findings are placed within each risk folder
Module 4: Fortify Static Scanning
- Define the features and usage of Fortify’s scanning options
- Recognize the different IDE plugins that integrate with Fortify SCA Analysis
- Successfully run Fortify scans in several ways, using:
  - Audit Workbench
  - Scan Wizard
  - Command Line
  - Eclipse
  - Visual Studio
Module 5: Auditing Fortify Scan Results
- Verify your scan results in Audit Workbench
- Identify the findings in the Critical folder
- Utilize Smart View for a visual representation of the dataflow issues in your code
- Recognize findings categories in the Critical folder
- Apply the appropriate validation method to remediate a given vulnerability
- Filter, audit, and suppress issues to reduce noise
- Find information, i.e., Details and Recommendations, to fix security issues
Module 6: Data Validation
- Securely implement data validation
- Select the right data validation for a particular situation
- Extend data validation libraries
Module 7: Analysis Trace and Remediating Vulnerabilities
- Properly read the analysis trace
- Audit vulnerabilities for:
  - SQL Injection
  - XSS
  - Log Forging
  - Cross-Site Request Forgery (CSRF)
Module 8: Custom Rules
- Recognize how to use data flow cleanse rules to integrate data validation into Fortify
- Create a data validation rule
Module 9: Utilize Fortify SSC (Software Security Center), Audit and Report
- Effectively navigate the Fortify SSC (Software Security Center)
- Review uploaded scan results and audit issues using SSC capabilities
- Generate reports to show outstanding issues, progress on security goals and a summary of the vulnerabilities detected during a scan
Module 10: Bug Tracking Integration
- Utilize a bug tracking tool through SSC and Audit Workbench (AWB)
Module 11: Utilize Audit Assistant in SSC
- Recognize the value of utilizing Audit Assistant
- Define the Fortify Scan Analytics tenant Prediction Policies
- Configure your SSC to utilize Audit Assistant
- Submit training data and issues, and review the Audit Assistant (AA) results