HPE Security Fortify Audit Workbench

NIST SP 800-53 Rev.4 Compliance (Pass/Fail) Report

Project: Riches_scan

Table of Contents

Executive Summary
Project Description
Issue Breakdown
Issue Details
  AC-3 Access Enforcement (P1)
  AC-4 Information Flow Enforcement (P1)
  AC-6 Least Privilege (P1)
  AC-12 Session Termination (P2)
  AU-5 Response to Audit Processing Failures (P1)
  AU-9 Protection of Audit Information (P1)
  AU-12 Audit Generation (P1)
  CA-3 System Interconnections (P1)
  CM-4 Security Impact Analysis (P2)
  CM-6 Configuration Settings (P2)
  IA-5 Authenticator Management (P1)
  IA-6 Authenticator Feedback (P2)
  IA-8 Identification and Authentication (Non-Organizational Users) (P1)
  SC-4 Information in Shared Resources (P1)
  SC-5 Denial of Service Protection (P1)
  SC-8 Transmission Confidentiality and Integrity (P1)
  SC-12 Cryptographic Key Establishment and Management (P1)
  SC-13 Cryptographic Protection (P1)
  SC-17 Public Key Infrastructure Certificates (P1)
  SC-18 Mobile Code (P2)
  SC-23 Session Authenticity (P1)
  SC-28 Protection of Information at Rest (P1)
  SC-38 Operations Security (P0)
  SI-2 Flaw Remediation (P1)
  SI-3 Malicious Code Protection (P1)
  SI-10 Information Input Validation (P1)
  SI-11 Error Handling (P2)
  SI-15 Information Output Filtering (P0)
  SI-16 Memory Protection (P1)
  TR-1 Privacy Notice
Description of Key Terminology
About HPE Security Enterprise Security Products

© Copyright 2016 Hewlett Packard Enterprise Development, L.P. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Dec 12, 2017, 12:15 PM


Executive Summary

Project Name:     Riches_scan
Project Version:  (blank)
SCA:              Results Present
WebInspect:       Results Not Present
SecurityScope:    Results Not Present
Other:            Results Not Present

Compliance by NIST SP 800-53 Rev.4 control family (status is PASS or FAIL; Total is the number of unique issues mapped to the family):

Family                                        Total  Status
Access Control (AC)                               5  FAIL
Audit and Accountability (AU)                     8  FAIL
Configuration Management (CM)                     0  PASS
Identification and Authentication (IA)            0  PASS
Security Assessment and Authorization (CA)        0  PASS
System and Communications Protection (SC)         3  FAIL
System and Information Integrity (SI)            28  FAIL
Transparency (TR)                                 0  PASS

* The detailed sections following the Executive Summary contain specifics.


Project Description

This section provides an overview of the HPE Security Fortify scan engines used for this project, as well as the project meta-information.

SCA

Date of Last Analysis:  Dec 12, 2017, 12:06 PM
Host Name:              DESKTOP-NMLL4TQ
Number of Files:        57
Engine Version:         17.10.0156
Certification:          VALID
Lines of Code:          3,059


Issue Breakdown

The following table summarizes the number of issues identified across the different NIST SP 800-53 Rev.4 categories and broken down by Fortify Priority Order. The status of a category is considered "In Place" or "PASS" when there are no issues reported for that category.

Counts are by Fortify Priority Order (Critical, High, Medium, Low); Total is the sum for the row.

Control                                                    Critical  High  Medium  Low  Total  Status

Access Control (AC)
  AC-3 Access Enforcement (P1)                                    0     5       0    0      5  FAIL
  AC-4 Information Flow Enforcement (P1)                          0     0       0    0      0  PASS
  AC-6 Least Privilege (P1)                                       0     0       0    0      0  PASS
  AC-12 Session Termination (P2)                                  0     0       0    0      0  PASS

Audit and Accountability (AU)
  AU-5 Response to Audit Processing Failures (P1)                 0     0       0    0      0  PASS
  AU-9 Protection of Audit Information (P1)                       0     8       0    0      8  FAIL
  AU-12 Audit Generation (P1)                                     0     0       0    0      0  PASS

Security Assessment and Authorization (CA)
  CA-3 System Interconnections (P1)                               0     0       0    0      0  PASS

Configuration Management (CM)
  CM-4 Security Impact Analysis (P2)                              0     0       0    0      0  PASS
  CM-6 Configuration Settings (P2)                                0     0       0    0      0  PASS

Identification and Authentication (IA)
  IA-5 Authenticator Management (P1)                              0     0       0    0      0  PASS
  IA-6 Authenticator Feedback (P2)                                0     0       0    0      0  PASS
  IA-8 Identification and Authentication (Non-Organizational Users) (P1)
                                                                  0     0       0    0      0  PASS

System and Communications Protection (SC)
  SC-4 Information in Shared Resources (P1)                       0     0       0    0      0  PASS
  SC-5 Denial of Service Protection (P1)                          0     0       0    0      0  PASS
  SC-8 Transmission Confidentiality and Integrity (P1)            0     0       0    0      0  PASS
  SC-12 Cryptographic Key Establishment and Management (P1)       0     1       0    0      1  FAIL
  SC-13 Cryptographic Protection (P1)                             1     0       0    0      1  FAIL
  SC-17 Public Key Infrastructure Certificates (P1)               0     0       0    0      0  PASS
  SC-18 Mobile Code (P2)                                          0     0       0    0      0  PASS
  SC-23 Session Authenticity (P1)                                 0     0       0    0      0  PASS
  SC-28 Protection of Information at Rest (P1)                    0     1       0    0      1  FAIL
  SC-38 Operations Security (P0)                                  0     0       0    0      0  PASS

System and Information Integrity (SI)
  SI-2 Flaw Remediation (P1)                                      0     0       0    0      0  PASS
  SI-3 Malicious Code Protection (P1)                             0     0       0    0      0  PASS
  SI-10 Information Input Validation (P1)                        21     7       0    0     28  FAIL
  SI-11 Error Handling (P2)                                       0     0       0    0      0  PASS
  SI-15 Information Output Filtering (P0)                         0     0       0    0      0  PASS
  SI-16 Memory Protection (P1)                                    0     0       0    0      0  PASS

Transparency (TR)
  TR-1 Privacy Notice                                             0     0       0    0      0  PASS

NOTE: 1. Reported issues in the above table may violate more than one NIST SP 800-53 Rev.4 category. As such, the same issue may appear in more than one row. The total number of unique vulnerabilities are reported in the Executive Summary table.


Issue Details

Below is an enumeration of all issues found in the project. The issues are organized by NIST SP 800-53 Rev. 4, Fortify Priority Order, and vulnerability category. The issues are then further broken down by the package, namespace, or location in which they occur. Issues reported at the same line number with the same category originate from different taint sources.

AC-3 Access Enforcement (P1)

AC-3 Access Enforcement control states: "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies." HPE Security Fortify considers issues related to (a) abuse of access control settings and (b) untrusted data used to influence criteria keys, paths, and resource locations to violate this control and the following sub-controls: (3) Mandatory Access Control, (5) Security-Relevant Information, and (7) Role-Based Access Control.

Struts 2 Bad Practices: Dynamic Method Invocation (Fortify Priority: High)

Package: com.fortify.samples.riches

Location:       share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformCheck.java:59
Analysis Info:  Sink: Function: printUsers; Enclosing Method: printUsers(); Source: (not listed)
Analyzer:       SCA

Location:       share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformRegistration.java:100
Analysis Info:  Sink: Function: getNewAcctno; Enclosing Method: getNewAcctno(); Source: (not listed)
Analyzer:       SCA

Location:       share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/PerformRegistration.java:112
Analysis Info:  Sink: Function: getNewCCN; Enclosing Method: getNewCCN(); Source: (not listed)
Analyzer:       SCA

Package: com.fortify.samples.riches.oper

Location:       share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendMessage.java:40
Analysis Info:  Sink: Function: getMailCommand; Enclosing Method: getMailCommand(); Source: (not listed)
Analyzer:       SCA

Location:       share/Training Material/Code/Java/riches_java_src/WEB-INF/src/java/com/fortify/samples/riches/oper/SendNewsletter.java:27
Analysis Info:  Sink: Function: getMailCommand; Enclosing Method: getMailCommand(); Source: (not listed)
Analyzer:       SCA
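The category named above refers to a Struts 2 framework setting. With dynamic method invocation (DMI) enabled, a request of the form `action!method` can invoke any public method of the action class, whether or not the package configuration maps that method as an action, which is how the setting ends up under AC-3 Access Enforcement. The struts.xml fragment below is an added illustration and is not configuration from the Riches application or from this report; the class and method names (TransferAction, confirm, debugDump) are hypothetical, and it assumes a Struts 2.5 or later release, where the `strict-method-invocation` package attribute is available. It shows the weak setting beside the corrected one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Weak setting (older 2.x releases enabled DMI by default, so the line may be
         absent and the behaviour still present). With DMI on, a request such as
         /transfer!debugDump.action reaches the public debugDump() method of the
         hypothetical TransferAction class even though no <action> maps it.
         Remove this line or set the value to false. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Corrected setting: only methods named in an explicit <action> mapping are reachable. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- strict-method-invocation (Struts 2.5+) additionally rejects "method" values that
         are not declared via <allowed-methods> or an explicit mapping in this package. -->
    <package name="riches" extends="struts-default" strict-method-invocation="true">
        <!-- Each reachable method gets its own mapping; nothing else on the class is callable. -->
        <action name="transfer" class="com.example.riches.TransferAction" method="execute">
            <result name="success">/transfer.jsp</result>
        </action>
        <action name="confirmTransfer" class="com.example.riches.TransferAction" method="confirm">
            <result name="success">/confirmed.jsp</result>
        </action>
    </package>
</struts>
```

To verify the change on a deployed instance, request `transfer!confirm.action` (and a public non-action method, if one exists) and confirm that the framework rejects the call instead of running the method; a rescan with SCA should then no longer report the category. Note that the five findings listed above are recorded with data-flow sinks (printUsers, getNewAcctno, getNewCCN, getMailCommand), so the configuration change is one part of the remediation and each sink still needs its own review against the AC-3 description.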


AC-4 Information Flow Enforcement (P1)

AC-4 Information Flow Enforcement control states: "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]." HPE Security Fortify considers issues related to (a) improper usage of permissions when sending and receiving messages and (b) overly permissive domain policies to violate this control and the following sub-controls: (20) Approved Solutions and (21) Physical / Logical Separation of Information Flows.

No Issues

AC-6 Least Privilege (P1)

AC-6 Least Privilege control states: "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions." HPE Security Fortify considers issues related to overprivilege to violate this control and the following sub-control: (8) Privilege Levels for Code Execution.

No Issues

AC-12 Session Termination (P2)

AC-12 Session Termination control states: "The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]." HPE Security Fortify considers issues related to excessive session timeouts to violate this control.

No Issues

AU-5 Response to Audit Processing Failures (P1)

AU-5 Response to Audit Processing Failures control states: "The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]." HPE Security Fortify considers issues related to insufficient audit failure handling to violate this control and the following sub-control: (2) Real-Time Alerts.

No Issues
