Thursday, 28 July 2011
Power of Customization
Many of our customers use organization-specific coding standards and proprietary libraries in their software. The HP Fortify Secure Coding Rulepacks model a wide range of general security idioms and public APIs, but analysis that involves proprietary or unsupported third-party libraries may be left incomplete or inaccurate: a taint source, sink or sanitizer the engine does not know about is simply invisible to it. HP Fortify Custom Rules are designed to help close this gap and mitigate the risk.
Custom rules are a powerful tool for security auditors to expand on the analysis capabilities that ship with the product. They let you arm the analysis engine with knowledge of your proprietary security standards and of libraries that are not covered by the HP Fortify Secure Coding Rulepacks, tailoring the analysis to the needs of your software and organization.
Writing custom rules can be intimidating, since it requires knowledge of the APIs to model, of the vulnerabilities those APIs might introduce, and of the rules schema and its constructs. The Custom Rules Editor, a GUI tool built into HP Fortify Audit Workbench, provides rule wizards and templates that guide the user through the rule-writing process. The auto-completion and type-checking features within the editor are welcome additions that make rule writing easier.
The Fortify Security Research Group periodically updates the Custom Rules Editor wizards and templates to make the latest rules and enhancements available to the end user. The following new custom rule wizards were added last quarter: a characterization rule for generic taint, a characterization rule for private taint, a structural rule for hardcoded passwords, and control flow rules for memory leaks. Starting last quarter, these updates are also made available as a separate content bundle through Premium Content, so you can get the latest custom rule-writing capabilities without having to upgrade your HP Fortify SCA installation. The Custom Rules Editor, together with the SCA Custom Rules Guide, provides a very effective way to enhance and tailor the analysis to meet your specific business needs.
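To make concrete why characterizing proprietary APIs matters, the following toy taint analysis is an added illustration; it is not part of the original post and does not use HP Fortify's rule format or engine. It parses a constructed Python snippet with the standard `ast` module and propagates taint through straight-line function bodies using a rule table that marks functions as `source`, `sink` or `cleanse`. The `acme.*` library, its function names, the sample program and the rule tables are all assumptions constructed for the example. Run once with only "public" rules and once with the proprietary library characterized, it shows the two failure modes the text describes: a missed finding when a proprietary sink is unknown, and a false positive when a proprietary sanitizer is unknown.

```python
import ast

# Constructed sample program. "acme" stands for a hypothetical proprietary
# library that a stock rulepack would know nothing about.
SAMPLE = """
import os, acme

def handler():
    user = input()                 # public source: modelled by stock rules
    req = acme.read_request()      # proprietary source
    clean = acme.sanitize(req)     # proprietary sanitizer
    os.system(user)                # public sink: found either way
    acme.run_query(req)            # proprietary sink: missed without a sink rule
    acme.run_query(clean)          # sanitized: false positive without a cleanse rule
"""

# Rule tables map a dotted call target to its role in the dataflow model.
BASE_RULES = {"input": "source", "os.system": "sink"}          # "stock rulepack"
CUSTOM_RULES = {"acme.read_request": "source",                 # "custom rules"
                "acme.sanitize": "cleanse",
                "acme.run_query": "sink"}
ALL_RULES = {**BASE_RULES, **CUSTOM_RULES}
# Custom rules that forgot to characterize the sanitizer.
NO_CLEANSE_RULES = {k: v for k, v in ALL_RULES.items() if v != "cleanse"}


def qualified_name(node):
    """Render a call target as a dotted name, e.g. 'acme.run_query'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def analyze(source, rules):
    """Return sorted (line, sink) pairs where tainted data reaches a sink.

    Flow-sensitive only for straight-line statements inside each function;
    that is enough to show how the rule table changes the result.
    """
    tree = ast.parse(source)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            # Only handle `x = f(...)` and bare `f(...)` statements.
            if not isinstance(stmt, (ast.Assign, ast.Expr)):
                continue
            call = stmt.value
            if not isinstance(call, ast.Call):
                continue
            name = qualified_name(call.func)
            kind = rules.get(name)
            args_tainted = any(isinstance(a, ast.Name) and a.id in tainted
                               for a in call.args)
            if kind == "sink" and args_tainted:
                findings.append((stmt.lineno, name))
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if not isinstance(target, ast.Name):
                        continue
                    # A source always taints its result; an unknown function is
                    # treated as a pass-through, so taint survives it. A known
                    # cleanse rule (or a clean argument list) yields a clean value.
                    if kind == "source" or (kind is None and args_tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)
    return sorted(findings)


if __name__ == "__main__":
    for label, rules in [("stock rules only", BASE_RULES),
                         ("stock + custom rules", ALL_RULES),
                         ("custom rules, sanitizer unmodelled", NO_CLEANSE_RULES)]:
        print(f"{label:36s} -> {analyze(SAMPLE, rules)}")
```

With the stock table the engine reports only the `os.system` call and silently misses the proprietary sink; with the full custom table it reports both real findings and suppresses the sanitized one; with the sanitizer left unmodelled it adds a false positive on the sanitized query. Real Fortify characterization and dataflow rules play the same roles (source, sink, cleanse/passthrough) against the actual analysis engine, which is what the Custom Rules Editor wizards help you express.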