
HP Fortify

Software Version: SSC 4.40 and HP WebInspect 10.50

Glossary

Document Release Date: November 2015


Software Release Date: November 2015

Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or
editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.

Restricted Rights Legend


Confidential computer software. Valid license from HP required for possession, use or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
Computer Software Documentation, and Technical Data for Commercial Items are
licensed to the U.S. Government under vendor's standard commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i)
owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the
software to be scanned, and may not be used for any other purpose.
You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the
third party.

Copyright Notice
© Copyright 2010-2015 Hewlett Packard Enterprise Development, LP

Documentation Updates
The title page of this document contains the following identifying information:
  • Software Version number
  • Document Release Date, which changes each time the document is updated
  • Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://protect724.hp.com/welcome
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP
sales representative for details.

HP Fortify (SSC 4.40 and HP WebInspect 10.50) Page 2 of 44


Contents
Preface 4
Contacting HP Fortify Support 4
For More Information 4
About the HP Fortify Software Security Center Documentation Set 4

Glossary 5



Preface
Contacting HP Fortify Support
If you have questions or comments about using this product, contact HP Fortify
Technical Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
fortifytechsupport@hp.com
To Call Support
650.735.2215

For More Information
For more information on HP Enterprise Security Software products:
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user,
and deployment guides for all HP Fortify Software Security Center products and
components. In addition, you will find technical notes and release notes that describe
new features, known issues, and last-minute updates. You can access the latest
versions of these documents from the following HP ESP user community Protect724
website:
https://protect724.hp.com/welcome
You will need to register for an account.



Glossary
A
Access page
An HP Fortify Project Details page from which you can manage the access to an HP Fortify
Software Security Center application version based on account type.

accessibility
A required application version attribute for both basic remediation and SSA application version
types.

Accuracy
A measure of how closely the rules used in scanning and analysis come to uncovering an
application’s actual vulnerabilities.

action
A change to the state of the target program that can be invoked by an event handler. Examples of
actions include throwing an exception, showing an error page, terminating the user’s session, and
rewriting the value of a variable in the target program.

activity
One of a series of primary and subordinate tasks that must be signed off to complete the secure
development of an application version. HP Fortify Software Security Center process templates are
hierarchical constructions of requirements and activities.

Administrative Console
See WebInspect Enterprise Administrative Console

Aggregate report
Report available in HP WebInspect for multiple scans that can include information such as severity
categories, report sections (server content and vulnerability detail), session information
(responses and requests), and stack traces, when available.

Aggressive SQL Injection policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that performs a
comprehensive security assessment of your web application for SQL Injection vulnerabilities. SQL
Injection is an attack technique that takes advantage of non-validated input vulnerabilities to
pass arbitrary SQL queries and/or commands through the web application for execution by a
backend database. This policy performs a more accurate and decisive job, but has a longer scan
time.


alert
See alert notification

alert definition
User-generated rules that determine under what circumstances SSC should generate an alert. An
alert definition uses variable, performance indicator, or HP Fortify Governance (SSA project types
only) process conditions to specify when HP Fortify Software Security Center (SSC) should
generate an alert notification in the Dashboard Alert Notification Pod and by email.

alert notification
A notice (or alert) generated by HP Fortify Software Security Center (SSC) when a specified set of
conditions (as defined by the alert definition) occur. When SSC receives an alert, it creates an alert
notification and displays it in a dashboard pod. SSC can also send an email to notify SSC
application version members of an alert.

Alert View report
Report available in HP WebInspect that lists all vulnerabilities sorted by severity, with a hyperlink
to each HTTP request that elicited the vulnerability. It also includes an appendix that describes
each vulnerability in detail.

All Checks policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that includes an
automated crawl of the server and performs all active checks from SecureBase, the HP check
database. This includes checks for known and unknown vulnerabilities at the Web server, Web
application server, and Web application layers.

analysis evidence panel
A section in the HP Fortify Audit Workbench (AWB) graphical user interface that displays the chain
of evidence the analyzer used to produce the vulnerability.

analysis plugin
These plugins work with HP Fortify Software Security Center (SSC) to add scanning functionality to
Eclipse, Microsoft Visual Studio, JDeveloper, IntelliJ, and Android Studio integrated development
environments (IDEs).

analysis results
The information reported by HP Fortify Software Security Center (SSC). Analysis results are
viewed, uploaded, and managed from the Analysis Results tab of the Artifacts page.

analyzer
A component of a security software product that looks for security issues using one or more
particular techniques.

application
A customer code base that is evaluated by HP Fortify security software. The top-level container
for one or more application versions. When you work with a new code base, the application and
first application version are automatically created. An application includes one or more application
versions that users create and configure.

application dependencies
Optional application attributes that enable you to identify other application versions that affect
the completion or status of the current application. An optional field for documenting
dependencies among application versions.

application onboarding
The activities associated with beginning to use HP Fortify security solutions. These activities
include installing software, creating applications and application versions, defining user access,
and producing analysis results. (Sometimes called Instant-On Assessment)

Application policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that includes an
automated crawl of the server and submits known and unknown Web application attacks that
assess the Web application layer only. Unlike the All Checks policy, it does not run the Web server
and Web application server (platform) checks.

Application Security Center (ASC)
Application that enables users to control sensor and scheduler services. Users can start and stop
the sensor service, start and stop the scheduler service, configure the sensor, and additionally
configure the HP WebInspect API.

application state
The state of completion of an application, as reported by HP Fortify Software Security Center
(SSC). An application state can be: not started, in progress, requires attention, awaiting sign-off,
signed off with exemption, or signed off.

application state activity
An activity that ensures that an application conforms to certain thresholds. If the threshold is
exceeded, that may indicate that there are critical issues that must be audited.

application template
A formula, or template, that determines how HP Fortify products prioritize issues. Prioritizing
issues of a particular category or type helps guide the security team in auditing and remediation
activities. HP Fortify Software Security Center (SSC) provides some standard templates. Users
may employ those as is, modify them, and/or create additional templates.

application version
A particular iteration of the analysis of a code base as it applies to HP Fortify Software Security
Center (SSC). An application always begins with a first version, and the administrator then controls
when new versions of an application are created and what they are named.

application version attributes
Metadata that HP Fortify Software Security Center (SSC) uses to perform cross-application
comparisons and reporting functions, and also to assign process templates to SSA (Software
Security Assurance) applications.

application version type
One of two categories of application version: either basic remediation or Software Security
Assurance (SSA).

Application Vulnerability Description Language
See AVDL

Artifacts page
An HP Fortify Project Details page that is used to access analysis results and document artifacts.
See also • analysis results • document artifacts

ASC
See Application Security Center

Assault policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that includes an
automated crawl of the server and performs checks for known and unknown vulnerabilities at the
Web server, Web application server, and Web application layers. An assault scan includes checks
that can create denial-of-service conditions.

assessment
The overall process of reviewing, triaging, and acting on a particular scan or analysis. (same as
scan)

assessment agent
A program that dynamically catalogs all areas of a Web application during an HP WebInspect scan.
When the agent completes an assessment, it automatically reports findings to a main security
engine that analyzes the results.

Attack Status report
Report available in HP WebInspect that lists the following for each attack agent (check) employed
during the scan: the vulnerability ID number, check name, vulnerability severity, whether or not
the check was enabled for the scan, whether or not the check passed or failed (that is, did or did
not detect the vulnerability), the number of URLs where the vulnerability was detected (if it
failed); and optionally, vulnerabilities of certain severity and pass/fail status.

attack surface
A collection of code, such as interfaces, services, protocols, and practices, that are accessible to
all users, including unauthenticated users. Since all code is fallible, it is important when writing
secure code to reduce the attack surface.

attribute
Descriptive fields within a security event that provide detailed information about the event.

attribute definitions
The optional and required attributes used during creation of a new HP Fortify Software Security
Center (SSC) application version.

audit
The process of assessing an application or program for security vulnerabilities.

audit engine
Audit engines use the crawled traffic and SecureBase rules as input and execute specialized
techniques (algorithms) to reveal exploitable entry points (vulnerabilities) in the application. Some
audit engines are built into the product and others are introduced by SecureBase as ‘custom
agents.’

Audit Inputs Editor
A diagnostic and penetration scan tool that enables testers using HP WebInspect to create or edit
inputs to the audit engines and to a distinct set of checks.

Audit Workbench
An HP Fortify product that provides a GUI front-end for HP Fortify Static Code Analyzer (SCA). It can
be used to scan software projects and to organize, investigate, and prioritize analysis results.
Audit Workbench is also able to open results from HP Fortify Software Security Center (SSC),
through a collaborative audit.

audited percentage
The percentage of an application's total issues that have been audited. Accessed via the Issues
page.

authentication
Identity verification, typically through the use of passwords. Authentication precedes
authorization.

authorization
Access control. After a user has been authenticated (proven his or her identity, typically via a
password), the operating system or application determines what resources the user can access
during this session, and grants access accordingly.

AVDL
Application Vulnerability Description Language. An interoperability standard developed by leading
application security vendors and approved by the Organization for the Advancement of Structured
Information Standards (OASIS) AVDL Technical Committee as a Committee Draft. The goal of AVDL
is to create a uniform method of describing application security vulnerabilities using XML.


B
banner
Server identification. An attacker grabs banners to determine the make and version of the server
software and operating system, and uses that information when formulating an attack against the
known vulnerabilities of that software package.

basic remediation application version
One of two types of application versions, the other being Software Security Assurance (SSA). A
basic remediation application version requires you to select an application template but does not
support process templates. A basic remediation application version is designed for vulnerability
remediation, but does not formalize a process.

BIRT report
A report based on a Business Intelligence and Reporting Tool (BIRT), which is an open source,
Eclipse-based reporting system. HP Fortify Software Security Center uses BIRT to produce formal
reports. Individual reports can be created as MS Word, MS Excel, or PDF documents.

black box
Testing techniques that automate the attacks hackers use to exploit vulnerabilities. WebInspect
is a black box scanner. Black box scanning usually involves mapping the attack surface of an
application (crawling), sending attacks, and measuring the response of the web application to
gauge whether those attacks were successful.

Blank policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that serves as a
blank template to build one’s own policy. It includes an automated crawl of the server and no
vulnerability checks. A user can edit this policy to create custom policies that only scan for specific
vulnerabilities.

Buffer Analyzer
A component of HP Fortify Static Code Analyzer (SCA) that detects overflow vulnerabilities that
involve writing or reading more data than a buffer can hold.

Bugzilla
Third-party, open source software used by engineering groups to keep track of bugs in a given
software program.

build adapter command
A command that bundles translation and scan steps when using touchless integration.

build ID
The identifier that names one set of translated source files in HP Fortify Static Code Analyzer
(SCA). It is supplied with the -b option on both the translation and scan commands, so that the
scan operates on exactly the files that were translated under that name.


business attributes
Application version attributes that provide business management qualifiers. (Most of these
attributes are optional; only “business unit” is required.) Individual BIRT reports may aggregate or
filter data by business attributes.

C
call graph
A directed graph that represents which functions call each other in a program. The call graph is
used by various analyzers, to track taint, among other things.

canonicalization
Reducing data to its simplest, standard form before it is validated: for example, decoding
percent-encoded or Unicode-escaped characters and resolving path segments such as ../ in a
request. Validation that runs before canonicalization can be bypassed by supplying an alternative
encoding of the same input, so canonicalize first and then validate the result.
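
The following Python example is added here to illustrate the canonicalization entry; it is not part of the HP Fortify glossary or products. It assumes a hypothetical web root and constructs its own attack paths. The naive handler validates the raw request string and decodes afterwards, so an encoded ../ escapes the root; the safe handler decodes until the value is stable (which also defeats double encoding), resolves the path, and only then checks the result.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Directory the application is allowed to serve files from (hypothetical).
WEB_ROOT = "/var/www/app/public"


def naive_is_safe(request_path: str) -> bool:
    """Validation on the raw request string: rejects '..' only when it
    appears literally, so an encoded '%2e%2e' passes."""
    return ".." not in request_path


def naive_resolve(request_path: str) -> Optional[str]:
    """Validate first, decode later (the order behind many traversal bugs):
    the check sees the encoded string, the filesystem sees the decoded one."""
    if not naive_is_safe(request_path):
        return None
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def canonicalize(request_path: str) -> str:
    """Reduce the path to one standard form BEFORE any validation: decode
    percent-encoding until the result no longer changes (so %252e%252e
    becomes '..') and fold backslashes, which some servers treat as
    path separators."""
    previous, decoded = None, request_path
    while decoded != previous:
        previous, decoded = decoded, unquote(decoded)
    return decoded.replace("\\", "/")


def resolve_safely(request_path: str) -> Optional[str]:
    """Canonicalize, resolve against WEB_ROOT, then validate the RESULT:
    the final path must stay inside WEB_ROOT. Returns None if it escapes."""
    canonical = canonicalize(request_path)
    full = posixpath.normpath(posixpath.join(WEB_ROOT, canonical.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed inputs: single- and double-encoded traversal sequences.
    attack = "/static/" + "%2e%2e/" * 5 + "etc/passwd"
    double = "/static/" + "%252e%252e/" * 5 + "etc/passwd"
    print("naive  ->", naive_resolve(attack))     # escapes the web root
    print("safe   ->", resolve_safely(attack))    # rejected
    print("safe   ->", resolve_safely(double))    # still rejected
    print("safe   ->", resolve_safely("/css/site.css"))
```

The containment check compares the resolved absolute path against the root rather than inspecting the request string, so any encoding the decoder understands ends up being judged on what it actually resolves to.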

certificate
A digital certificate binds a public key to an identity, such as a web site's host name, and is signed
by a certificate authority that vouches for that binding. A browser that verifies the certificate can
be confident it is talking to the site named in it and that no other site can assume that identity, so
users sending personal information over the Internet should check the certificate before trusting
the site with personally identifiable information. When downloading software, a certificate-based
signature lets the user verify that the software comes from a known, named source. Only the
owner of the certificate knows the corresponding private key, which allows the owner to make a
"digital signature" or decrypt information encrypted with the corresponding public key. A valid
certificate says nothing about whether the site or software itself is free of vulnerabilities.

chief information security officer
Executive responsible for establishing and maintaining the strategies and programs for an
enterprise that ensure the enterprise’s information is protected.

CISO
See chief information security officer

CLASSPATH
An environment variable that tells the Java Virtual Machine (JVM) where it should look for user-
defined classes and packages.

client
Requesting program or user in a client/server relationship. For example, the user of a web
browser is effectively making client requests for pages from servers all over the web. The
browser itself is a client in its relationship with the computer that is getting and returning the
requested HTML file. The computer handling the request and sending back the HTML file is a
server.

client (in HP WebInspect Enterprise)
Scanner supported by HP WebInspect Enterprise that connects to WebInspect Enterprise to
receive license permissions, updates or scan data, and which also presents a user interface
through which scans may be conducted. WebInspect Enterprise controls permissions for a client
and also provides the policies used by clients. A client can be configured to upload scan results to
WebInspect Enterprise automatically at the completion of the scan or only when specifically
instructed by the user.

CloudScan
See HP Fortify CloudScan

CloudScan Agent
A Hadoop node (task tracker and data node) responsible for executing HP Fortify Static Code
Analyzer (SCA) analysis on mobile build session files that have been translated by SCA.

CloudScan Client
A build machine where you use SCA to translate code and generate an SCA mobile build session
(MBS). The translated source code, along with optional and necessary data such as custom rules
and SCA CLI arguments, is uploaded to the CloudScan Controller. The CloudScan command-line
interface is installed on the build machine and is used to create the mobile build session and to
communicate your scan instructions to the CloudScan Controller.

CloudScan Controller
Server that receives the HP Fortify Static Code Analyzer (SCA) mobile build session and scan
instructions from the CloudScan CLI. It routes the information to the CloudScan Cloud.

CloudScan Workers
A distributed network of computers that have been set up to receive SCA mobile build sessions
and scan the code using SCA analyzers.

cluster
An event handler construct used to match a sequence of events. For example, an event handler
might use a cluster to specify that users be logged out after they attempt three cross-site
scripting attacks.
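
The following Python model is added here to make the cluster concept concrete; it is illustrative code, not HP Fortify Runtime's configuration language or API, and its Event, Cluster and EventHandler classes and the sample events are all constructed for the example. The cluster counts events of one category per session inside a time window and dispatches an action once the sequence is complete.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """A runtime event reduced to the attributes the cluster needs."""
    category: str      # e.g. "Cross-Site Scripting"
    session_id: str
    timestamp: float   # seconds


@dataclass
class Cluster:
    """Matches `count` events of `category` from the same session within
    `window_seconds`, then reports a match so the handler can act."""
    category: str
    count: int
    window_seconds: float
    action: str
    _seen: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def observe(self, ev: Event) -> bool:
        if ev.category != self.category:
            return False
        times = self._seen[ev.session_id]
        times.append(ev.timestamp)
        # Forget events that have fallen out of the window.
        while times and ev.timestamp - times[0] > self.window_seconds:
            times.popleft()
        if len(times) >= self.count:
            times.clear()  # fire once per completed sequence
            return True
        return False


class EventHandler:
    """Routes each event through its clusters and records dispatched actions."""

    def __init__(self, clusters: List[Cluster]):
        self.clusters = clusters
        self.actions: List[Tuple[str, str]] = []  # (action, session_id)

    def handle(self, ev: Event) -> List[str]:
        fired = []
        for cluster in self.clusters:
            if cluster.observe(ev):
                self.actions.append((cluster.action, ev.session_id))
                fired.append(cluster.action)
        return fired


def run_sample() -> List[Tuple[str, str]]:
    """Constructed sample: session A sends three XSS probes within 10 s,
    session B sends two that are more than a window apart."""
    handler = EventHandler([
        Cluster("Cross-Site Scripting", count=3, window_seconds=60, action="terminate-session"),
    ])
    sample = [
        Event("Cross-Site Scripting", "A", 0.0),
        Event("SQL Injection", "A", 1.0),           # other category, ignored by this cluster
        Event("Cross-Site Scripting", "A", 5.0),
        Event("Cross-Site Scripting", "B", 6.0),
        Event("Cross-Site Scripting", "A", 10.0),   # third within the window: action fires
        Event("Cross-Site Scripting", "B", 100.0),  # B's first probe has expired
    ]
    for ev in sample:
        handler.handle(ev)
    return handler.actions


if __name__ == "__main__":
    print(run_sample())
```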

Collaboration Module
Audit page. A component of HP Fortify Software Security Center (SSC) that enables teams to
audit issues and collaboratively prioritize vulnerabilities. The SSC entity that was called the
Collaboration Module in release 4.30 and earlier is called the Audit page in version 4.40.

command injection
A common coding error that affects security, in which executing commands that include
unvalidated user input causes an application to execute malicious commands on behalf of an
attacker. For more information, see http://www.hpenterprisesecurity.com/vulncat/index.html
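
The following Python example is added to show the error beside its fix; it is not code from the HP Fortify glossary or products. The host name parameter, the allow-list regular expression and the use of echo in place of a real ping command are constructed for the example. The vulnerable function concatenates the input into a string that a shell parses; the hardened one validates the input against an allow-list and then passes it as a single argument vector element with no shell involved.

```python
import re
import subprocess
from typing import List

# Allow-list for the one input this command accepts: a DNS host name.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """The pattern a command-injection rule flags: untrusted input is
    concatenated into a string that /bin/sh will parse. 'echo' stands in
    for 'ping' so that the demonstration is harmless."""
    return "echo pinging " + host


def run_vulnerable(host: str) -> str:
    # shell=True hands the whole string to the shell, metacharacters included.
    return subprocess.run(vulnerable_command(host), shell=True,
                          capture_output=True, text=True).stdout


def hardened_argv(host: str) -> List[str]:
    """Validate against the allow-list, then build an argument vector so the
    host reaches the program as ONE argument and no shell is involved."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host name: {host!r}")
    return ["echo", "pinging", host]


def run_hardened(host: str) -> str:
    return subprocess.run(hardened_argv(host), shell=False,
                          capture_output=True, text=True).stdout


def run_argv_unvalidated(host: str) -> str:
    """Second layer on its own: even without validation, an argument vector
    never lets '; echo INJECTED' become a second command."""
    return subprocess.run(["echo", "pinging", host], shell=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"          # constructed attacker input
    print(run_vulnerable(payload), end="")         # second line: INJECTED
    print(run_argv_unvalidated(payload), end="")   # one line, payload inert
    print(run_hardened("example.com"), end="")
```

Both layers matter: the allow-list rejects input the program has no business accepting, and the argument vector removes the shell parser so that any metacharacter that does get through is just data.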

common rule elements
HP Fortify Static Code Analyzer (SCA) elements that are common to all rules. These include
<RuleID>, language, and formatVersion.

Common Weakness Enumeration
A description of vulnerabilities created by Mitre (http://cwe.mitre.org) and used as a standard
classification throughout the industry.

Compatibility Mode
An integration mode that allows HP Fortify Runtime Application Protection to operate with Java
Virtual Machines that do not support Java Agents. Compatibility Mode enables operation when
Java Agent Mode is not possible, with some limitations.

Compliance Manager
A diagnostic and penetration scan tool for testers using HP WebInspect that performs a
qualitative analysis by grading how well an application complies with certain government-
mandated regulations or corporate-defined guidelines. For example, the Health Insurance
Portability and Accountability Act (HIPAA) requires healthcare providers using web-based
applications to provide "procedures for creating, changing, and safeguarding passwords." Using
this tool, a website tester can assess an application and then generate a Compliance report that
measures how well the application satisfies this HIPAA rule.

Compliance report
Report available in HP WebInspect, through the Compliance Manager tool, that provides a
qualitative analysis by grading how well an application complies with certain government-
mandated regulations or corporate-defined guidelines. A compliance template is specified to
generate the report.

compliance template
A default or custom-designed template that is used to generate the Compliance report in HP
WebInspect.

confidence
The degree of certainty that an issue reported by the rules and by SCA's analysis is a true
vulnerability rather than a false positive.

Configuration Analyzer
An HP Fortify component bundled with the HP Fortify Static Code Analyzer (SCA), which searches
for mistakes, weaknesses, and policy violations in programming configuration files. For example,
the Configuration Analyzer checks for reasonable time-outs in web application user sessions.

configuration bundle
A file containing all of the information the Federation Controller uses to govern a federation,
including a configuration template, Rulepacks, settings, and administrator-specified event
handlers. An administrator might configure and test HP Fortify Runtime Application Protection in a
staging environment, then export a configuration bundle from the staging server and import the
configuration bundle into the production server.

configuration template
A baseline host configuration stored on a Federation Controller. HP Fortify Runtime Application
Protection enables a security designer to add functionality to a configuration by supplying
additional event handlers or overriding the values of settings.

Content Analyzer
A component of HP Fortify Static Code Analyzer (SCA) that searches for security issues and policy
violations in static HTML pages and in files that contain dynamic HTML.

Control flow Analyzer
A component of HP Fortify Static Code Analyzer (SCA), which detects potentially dangerous
sequences of operations and whether a set of operations is executed in a specific order.

Cookie Cruncher
A diagnostic and penetration scan tool for testers using HP WebInspect that analyzes cookies to
determine the relative ease with which an attacker could predict or determine the value of a
session ID generated by a server and delivered to a client via a cookie.

crawl
The process by which HP WebInspect identifies the structure of the target Web site. This is usually
followed by an audit, which is the actual vulnerability scan. A crawl and an audit, when combined
into one function, is termed a scan.

Crawled URLs report
Report available in HP WebInspect that lists any cookies sent and the raw HTTP request and
response for each URL encountered during the crawl.

Critical and Highs policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that is used to
quickly scan Web applications for the most urgent and pressing vulnerabilities while not
endangering production servers. This policy checks for SQL Injection, cross-site scripting, and
other critical and high severity vulnerabilities. It also lists directories that could potentially lead to
discovery of critical or high vulnerabilities. This policy does not contain checks that may write data
to databases or create denial-of-service conditions, and it is safe to run against production
servers.

cross-site scripting (XSS)
A common coding error that affects security, in which unvalidated data is sent to a web browser
and results in the browser’s executing malicious code. For more information, see
http://www.hpenterprisesecurity.com/vulncat/index.html

Cross-Site Scripting policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that performs a
security assessment of a Web application for cross-site scripting (XSS) vulnerabilities. XSS is an
attack technique that forces a Web site to echo attacker-supplied executable code, such as HTML
code or client-side script, which then loads in a user’s browser. Such an attack can be used to
bypass access controls or conduct phishing expeditions.

custom check
A user-defined probe for a specific vulnerability that the standard HP WebInspect repertoire does
not address. A custom check is similar to a custom attack agent, with the major difference being
that a custom check can be created using a simple wizard, while a custom attack agent is
programmed in Visual Basic using a special integrated development environment and requires
significant knowledge of the WebInspect architecture. The result is also narrower in scope than
that of a typical attack agent.

custom descriptions
Details specific to your organization, which can be integrated into HP Fortify products. Custom
descriptions can be added to HP Fortify Secure Coding Rulepacks or to your own custom rules
using the <CustomDescriptionRule> element. This enables you to add organization-specific secure
coding guidelines, best practices, and references to other internal documentation.

custom rules
Rules that extend the functionality of the Static Code Analyzer and the Secure Coding Rulepacks.
Custom rules enable you to enforce proprietary security guidelines or analyze a project that uses
third-party libraries or other pre-compiled binaries that are not already covered by the Secure
Coding Rulepacks.

Custom Rules Editor (CRE)
An HP Fortify product for creating and reviewing security or coding practice rules that are tailored
for a customer's source code.

CWE
Common Weakness Enumeration. A description of vulnerabilities created by Mitre
(http://cwe.mitre.org) and used as a standard classification throughout the industry.

D
DAST
Vulnerability tests conducted on a running application, typically performed in a QA environment.
DAST stands for dynamic application security testing.

Dataflow Analyzer
A component of HP Fortify Static Code Analyzer (SCA), which detects potential vulnerabilities. Uses
global, inter-procedural taint propagation analysis to detect the flow of data between a source
(site of input) and a sink (dangerous function call or operation).

Dataflow cleanse rule
Rule that describes validation logic and other actions that render tainted data either partially or
completely cleansed.

Dataflow entrypoint rule
Rule that describes program points that introduce tainted data to a program. Dataflow entrypoint
rules do this by describing the functions and methods that can be invoked from outside the
program.

Dataflow pass-through rule
Rule that describes how functions and methods propagate taint from their input to output.

Dataflow sink rule
Rule that identifies points in a program that tainted data must not reach.
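
The following Python example is added to show how the four Dataflow rule types (entrypoint, pass-through, cleanse, sink) work together with the call graph in the Dataflow Analyzer entry above; it is an illustrative toy analyzer, not SCA's engine or its XML rule format. The rule sets, the tiny intermediate representation and the sample program are constructed for the example, and the sample contains no recursive calls. Taint enters at the entrypoint, is followed through a user-defined function via a per-call summary, and is reported only when it reaches a sink without passing a cleanse.

```python
from typing import Dict, List, Set, Tuple

# One rule set per Dataflow rule type (constructed for this example).
ENTRYPOINTS = {"request.getParameter"}     # entrypoint rules: return tainted data
PASS_THROUGH = {"str.concat", "str.trim"}  # pass-through rules: taint flows input -> output
CLEANSE = {"sql.escape"}                   # cleanse rules: output is clean
SINKS = {"db.execute": 0}                  # sink rules: callee -> index of the dangerous argument

# Toy intermediate representation: function name -> (parameters, statements).
# Statements are ("call", dst, callee, [args]) or ("ret", var). String
# literals are written with quotes so they are never mistaken for variables.
Program = Dict[str, Tuple[List[str], List[tuple]]]

SAMPLE_PROGRAM: Program = {
    "handler": (["req"], [
        ("call", "name", "request.getParameter", ["req", "'user'"]),
        ("call", "q", "buildQuery", ["name"]),     # taint must be followed into buildQuery
        ("call", "_", "db.execute", ["q"]),         # sink reached by tainted data: finding
        ("call", "safe", "sql.escape", ["name"]),   # cleanse
        ("call", "q2", "buildQuery", ["safe"]),
        ("call", "_", "db.execute", ["q2"]),        # sink reached by clean data: no finding
    ]),
    "buildQuery": (["who"], [
        ("call", "t", "str.trim", ["who"]),
        ("call", "sql", "str.concat", ["'SELECT * FROM users WHERE name='", "t"]),
        ("ret", "sql"),
    ]),
}


def analyze(program: Program, entry: str) -> List[str]:
    """Inter-procedural taint propagation from `entry`. Returns one finding
    per sink argument that tainted data reaches without a cleanse."""
    findings: List[str] = []

    def run(fname: str, arg_taint: List[bool], call_path: List[str]) -> bool:
        """Analyse one function under the given argument taint and return
        whether its return value is tainted (the call's summary)."""
        params, body = program[fname]
        tainted: Set[str] = {p for p, t in zip(params, arg_taint) if t}
        path = call_path + [fname]
        for stmt in body:
            if stmt[0] == "ret":
                return stmt[1] in tainted
            _, dst, callee, args = stmt
            in_taint = [a in tainted for a in args]
            if callee in ENTRYPOINTS:
                out = True
            elif callee in CLEANSE:
                out = False
            elif callee in PASS_THROUGH:
                out = any(in_taint)
            elif callee in SINKS:
                idx = SINKS[callee]
                if in_taint[idx]:
                    findings.append(f"{' -> '.join(path)}: tainted {args[idx]!r} reaches {callee}")
                out = False
            elif callee in program:
                out = run(callee, in_taint, path)   # follow the call-graph edge
            else:
                # No rule and no source: taint is dropped here, which is why
                # uncovered third-party libraries need custom rules.
                out = False
            if out:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        return False

    run(entry, [False] * len(program[entry][0]), [])
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROGRAM, "handler"):
        print(finding)
```

The second db.execute call produces no finding because sql.escape is a cleanse rule: the taint is cleared before the data is passed on, even though the same pass-through path through buildQuery is taken.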

default application
A permanent application definition included in the HP Fortify Software Security Center (SSC). If the
SSC receives a security event from an HP Fortify Runtime host, and the HP Fortify Runtime
application has no application assignment rule that associates the event to a target application
definition or application context path, then the HP Fortify Runtime application associates the
incoming event with the default application.

Dev (Developer) policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that includes an
automated crawl of the server and performs checks for known and unknown vulnerabilities at the
Web application layer only. The Developer policy does not execute checks that are likely to create
denial-of-service conditions, so it is safe to run on production systems.

Developer Reference report
Report available in HP WebInspect that presents totals and detailed descriptions of each form,
JavaScript, email, comment, hidden control, and cookie discovered on the Web site. One or more
of these reference types can be selected.

Developer Workbook report
A report targeted for project managers and developers that contains all of the information
needed to understand and fix issues discovered during an application version audit.

development phase
A required application version attribute for both basic remediation and SSA application versions.

development strategy
A required application version attribute for both basic remediation and SSA application versions.

Digest Authentication
A challenge-response HTTP authentication scheme (RFC 2617), implemented on the Windows
Server 2003 operating system as a security support provider (SSP), a dynamic-link library (DLL)
supplied with the operating system. The client proves knowledge of the password by returning an
MD5 hash computed over the user name, realm, password, a server-supplied nonce, the HTTP
method and the request URI, so the password itself is never sent across the network in the clear
and cannot be read directly by sniffing traffic. A captured exchange can still be attacked offline by
guessing candidate passwords, so Digest Authentication does not remove the need for TLS.

dispatch
An asynchronous event routing as specified by an event handler. HP Fortify Runtime Application
Protection can dispatch events to a log file, an external system such as syslog, or to a Federation
Controller. The Federation Controller can dispatch events to the database or to an alert.

document activity
An activity that requires the submission of an external process document.


document artifact
Any type of file containing information or tasks pertinent to the secure development of an HP
Fortify Software Security Assurance (SSA) application version. Document artifacts are used only in
HP Fortify Software Security Center SSA applications.

document artifacts
See document artifact

Duplicates report
Report available in HP WebInspect that presents information about vulnerabilities detected by
WebInspect Agent that were traceable to the same source. It includes a bar chart comparing the
total number of uncorrelated vulnerabilities to the number of unique vulnerabilities.

dynamic application security testing
See DAST

dynamic scan
A scan that tests a running website for vulnerabilities.

E
EAM
See Enterprise Assessment Management

Encoders/Decoders
A diagnostic and penetration scan tool that enables testers using HP WebInspect to decode
strings suspected to be encoded or encrypted. While analyzing scan results, the tester can encode
and decode values using Base64, hexadecimal, MD5, and other schemes; and can also encode a
string into a Unicode string and use special characters in URL construction.

Enterprise Assessment Management (EAM)
An HP Fortify on Demand offering that assesses application security of in-house software,
whether deployed or in development.

event
A hierarchical collection of attributes, assembled by monitors from information in a rule and from
the state of the target program. An event can include information such as the name of a
vulnerability category, the HTTP request that generated the event, information about an attack,
and the stack trace with the program point for the monitor that created the event.

event attribute
A labeled value contained in an event. For example, an event related to SQL injection could carry
the following attribute: "category: SQL Injection". This event attribute has the label "category"
and the value "SQL Injection".

event handler
A configuration element that interprets and acts on events. When an event handler detects an
event, it can optionally dispatch the event, or, if the event handler is operating in the context of
HP Fortify Runtime Application Protection, it can carry out an action in the target program.

event handler chain
An ordered set of event handlers that defines a response to one or more events. Each event
handler in the chain is given an opportunity to handle an event. By default the evaluation of the
event handler chain stops after the first matching event handler fires. The default event handler
is carried out if no other event handlers match the event.

event type
Each reported event is of one or more of the following three types: attack, vulnerability, and audit.
• Attack type: the event is triggered by an intruder trying to attack a system.
• Vulnerability type: the event is triggered by a vulnerability found during program execution.
• Audit type: the event is an unexpected or abnormal behavior observed while a program is executing.

Event-Based IE Compatible Web Macro Recorder
See Web Macro Recorder (Event-Based IE Compatible)

Executive Summary report
Report available in HP WebInspect that lists basic statistics, and charts and graphs that reflect
the application’s level of vulnerability.

external metadata
External metadata include mappings from the HP Fortify categories to alternative categories
(such as OWASP 20xx, PCI 1.2, and CWE). See also security content.

F
False Positives report
Report available in HP WebInspect that displays information about URLs that WebInspect
originally classified as vulnerabilities, but were subsequently determined to be false positives.

Federated mode
The operating mode in which a Runtime instance coordinates its activities with other instances,
such that a group of HP Fortify Runtime Application Protection instances are managed as a single
logical entity. Members of a federation are configured by a Federation Controller, and the
members can report events back to the Federation Controller.

federation
A group of HP Fortify Runtime Application Protection instances managed as a single logical entity.

Federation Controller
The HP Fortify Software Security Center (SSC) that coordinates the activities of hosts operating
together in a federation.

filter set
Determines which issues are displayed in the auditing interface. The filter set customizes the
analysis results panel by determining the number and types of containers (folders) and how issues
are displayed.

finite state machine
A mathematical abstraction sometimes used in programming to design digital logic that uses
behavioral states as its model.

FIPS
A set of standards developed by the United States federal government that include cryptographic
requirements for encoding data. WebInspect and WebInspect Enterprise can be run in either
normal mode or FIPS-compliant mode. Scan data from non FIPS-compliant instances of
WebInspect cannot be shared with FIPS-compliant versions. The data these instances create is not
interchangeable.

FISMA
The Federal Information Security Management Act, passed in 2002, which requires each U.S.
federal agency “to develop, document, and implement an agency-wide program to provide
information security for the information and information systems that support the operations
and assets of the agency, including those provided or managed by another agency, contractor, or
other source.” FISMA relies on guidelines published by NIST, the National Institute of Standards
and Technology. For more information, see http://csrc.nist.gov/groups/SMA/fisma/index.html and
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

Fortify Priority Order (Fortify on Demand)
The hierarchy of vulnerability seriousness (Critical, High, Medium, Low, Best Practices, Info).

Fortify Priority Order (SCA)
A designation of the seriousness of an issue detected by HP Fortify Static Code Analyzer (SCA),
applied automatically to FPR files. A category of Critical, High, Medium, or Low is assigned to an
issue to denote the impact and likelihood of exploitation.

Fortify project results (FPR)
The HP Fortify Static Code Analyzer (SCA) output file format.

fortifyclient
A command-line utility for managing files and performing common automated tasks (such as
analysis result uploads) on HP Fortify Software Security Center (SSC).

fortifyupdate
A command-line utility for downloading the latest HP Fortify Secure Coding Rulepacks.

FPO
See Fortify priority order

FPR
See Fortify project results

fprUtility
A command-line utility for manipulating FPRs.

FSM
See finite state machine

G
General Page
An HP Fortify Project Details page that provides information on the HP Fortify application version,
business attributes, technical attributes, and analysis results processing rules.

governance module
An optional component of HP Fortify Software Security Center (SSC) that provides
comprehensive identification and removal of security vulnerabilities in software and
enhancement of an organization’s existing development and software procurement processes to
ensure that security is given appropriate consideration.

Guided Scan
A function of HP WebInspect and HP WebInspect Enterprise that directs users through the best
steps to configure a scan that is tailored to an application. Guided Scan is the preferred
alternative to a standard Web Site scan.

H
Hierarchical Summary Report
An HP Fortify Software Security Center Portfolio Report that enables you to create a historical
summary of issues based on HP Fortify Software Security Center application version and issue
categorization.

HIPAA
Health Insurance Portability and Accountability Act.

Host
In HP ArcSight Application View, a computer running one or more instances of HP Fortify Runtime.

host configuration
The set of files that determines the behavior of HP Fortify Runtime Application Protection on a
host. The host configuration includes rules files and a configuration file specifying global settings,
rules, and event handlers.

HP Fortify Ant Compiler Adapter
Translates Java source files for projects that use an Ant build file.

HP Fortify application version
See HP Fortify Software Security Center (SSC) application version

HP Fortify Audit Workbench (AWB)
An HP Fortify component that provides a graphical user interface for HP Fortify Static Code
Analyzer (SCA). Use Audit Workbench to scan software projects and to organize, investigate, and
prioritize analysis results. Audit Workbench can also open results from HP Fortify Software
Security Center (SSC) through a collaborative audit.

HP Fortify CloudScan
A product that enables users of HP Fortify Static Code Analyzer (SCA) to efficiently manage
computing resources by offloading the processor-intensive scanning phase of the analysis from
build machines.

HP Fortify on Demand
A way to quickly, accurately, and affordably test the security of certain enterprise applications,
without the need to install or manage additional software.

HP Fortify Runtime Application Protection (RTAP)
An HP Fortify application that addresses security vulnerabilities in software that has already been
deployed. HP Fortify Runtime Application Protection automatically blocks attacks for common
vulnerabilities from inside applications. A single invocation of HP Fortify Runtime Application
Protection monitors one and only one target program.

HP Fortify Secure Coding Rulepack
Rules that HP Fortify Static Code Analyzer (SCA) uses to model important attributes of the
program under analysis. These rules provide meaning to relevant data values and enforce secure
coding standards applicable to the code base. The Rulepacks describe general secure coding
idioms for popular languages and out-of-the-box public APIs.

HP Fortify Software Security Center (SSC)
A centralized system that helps application developers find, fix, and verify security vulnerabilities,
to comply with application security standards and to meet audit, regulatory, customer, and
partner requirements. HP Fortify Software Security Center (SSC) combines results from HP Fortify
Static Code Analyzer (SCA), HP WebInspect, HP Fortify Runtime Application Protection, and other
industry analyzers.

HP Fortify Software Security Center application template
A template that governs how HP Fortify products categorize, summarize, and report application
data and enable customized application settings.

HP Fortify Software Security Center application version
An iteration, or specific instance, of a project. An application version contains data, auditing, and
project attributes for a particular version of the project's code base. Users should create a new HP
Fortify application version for each new version of the code base, rather than creating a new
project. A project may have one or more application versions. An application version may track
results from one or more analysis artifacts.

HP Fortify Software Security Center Dashboard
A user interface that appears when you log on to the HP Fortify Software Security Center (SSC).
The dashboard contains multiple pods that provide access to the SSC application versions and
features.

HP Fortify Software Security Center Process Designer
A utility that enables default work owners to be assigned to process template requirements and
activities. Because there is no way to predict which HP Fortify Software Security Center (SSC) user
account names may be assigned as work owners, the Process Designer client tool assigns work
owners to requirements and activities by persona.

HP Fortify Static Code Analyzer (SCA)
A product that uses a set of software security analyzers to search source code for violations of
security-specific coding rules and guidelines in a variety of languages. The rich data provided by
SCA’s language technology enables the analyzers to pinpoint and prioritize violations so that fixes
can be fast and accurate.

HP scanner
As used in HP WebInspect and HP WebInspect Enterprise, an aggressive Web application analyzer
that rigorously inspects an entire Web site for real and potential security vulnerabilities.

HP Support Tool
A diagnostic and penetration scan tool that enables testers using HP WebInspect to upload files
that may help HP support personnel to analyze problems encountered using products. The tool
offers a quick and simple method for uploading the files and all communications use Secure
Sockets Layer (SSL) or FTP Secure (FTPS).

HP WebInspect
A software package that performs web application security testing and assessment for complex
web applications, by identifying security vulnerabilities undetectable by other scanners.

HP WebInspect Agent
WebInspect Agent (named SecurityScope in Software Security Center 4.00 and earlier versions)
runs atop HP Fortify’s Runtime platform, allowing it to monitor your code for software
vulnerabilities as it runs. When used in conjunction with HP Fortify Static Code Analyzer (SCA) and
HP WebInspect, SecurityScope provides Runtime technology to help connect your dynamic results
to your static results.

HP WebInspect Enterprise
A distributed network of HP scanners controlled by a system manager with a centralized
database. WebInspect Enterprise must be integrated with HP Fortify Software Security Center
(SSC) and it provides SSC with information detected through dynamic scans of Web sites and Web
services.

HTTP
Hypertext Transfer Protocol. HTTP is the set of conventions that governs how HTML documents
are transmitted and received across the World Wide Web. When browsing Web sites, your Web
browser is a client program that makes requests (for example, that a certain Web page be
displayed) from a Web server somewhere on the Internet. An important element of HTTP is how
servers (the computers hosting the Web applications, in this instance) handle requests from
clients (remote computers connecting to the server via the World Wide Web). A session can be
defined as the matched pair of a client request and a server response. HTTP is a stateless
protocol: no concept of session state is maintained by HTTP when handling client-server
communications. While that sounds complicated, it is really quite simple when broken down. Each
request made by a client is handled individually by a server. Multiple requests made by the same
client are each treated as unique by the responding server. In other words, the server does not
attempt to maintain a connection with the client at any time.

HTTP Basic Authentication
A widely used, industry-standard method for collecting user name and password information. The
Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials. The Web browser then attempts to establish a connection to
a server using the user’s credentials. If a user’s credentials are rejected, the browser displays an
authentication window to re-enter the user’s credentials. Internet Explorer allows the user three
connection attempts before failing the connection and reporting an error to the user. If the Web
server verifies that the user name and password correspond to a valid user account, a connection
is established. The advantage of HTTP Basic authentication is that it is part of the HTTP
specification and is supported by most browsers. The disadvantage is that Web browsers using
Basic authentication transmit passwords in an unencrypted form. By monitoring communications
on your network, an attacker can easily intercept and decode these passwords using publicly
available tools. Therefore, Basic authentication is not recommended unless you are confident that
the connection between the user and your Web server is secure.
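The two points the Digest Authentication and HTTP Basic Authentication entries make (Basic credentials are readable by anyone who observes the request; Digest sends only an MD5 digest of the password) can be shown in a few lines. The following is an added example written for this glossary, not HP Fortify or HP WebInspect code. The Basic header value is constructed here; the Digest values are the worked example from RFC 2617 section 3.5, so the computed response can be checked against the published one. The `verify_digest` helper shows the server side: it needs only the stored HA1, never the password itself.

```python
import base64
import hashlib
import hmac

# Constructed sample header value for the Basic scheme (not captured from any real system).
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")


def decode_basic(header_value):
    """Recover (user, password) from an HTTP Basic Authorization header value.

    Base64 is an encoding, not encryption: a proxy, a network tap, or a log
    line that captures the header yields the password directly.
    """
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return user, password


def basic_over_cleartext(url_scheme, header_value):
    """Reviewer check: Basic credentials sent to a plain-http URL are exposed in transit."""
    return url_scheme.lower() == "http" and header_value.lower().startswith("basic ")


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). A server may store HA1 instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: only hashes cross the wire, never the password."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, presented_response):
    """Server-side check: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, presented_response)


# Worked values taken from the RFC 2617 section 3.5 example exchange.
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_METHOD, RFC_URI = "GET", "/dir/index.html"
RFC_NONCE, RFC_NC, RFC_CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
RFC_RESPONSE = "6629fae49393a05397450978507c4ef1"


if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(BASIC_HEADER))
    ha1 = digest_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    resp = digest_response(ha1, RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE)
    print("Digest response:", resp, "matches RFC example:", resp == RFC_RESPONSE)
```

Note that a captured Digest response still lets an observer test password guesses offline against the known nonce and cnonce, so the stronger statement in the Digest Authentication entry above holds only against direct reading of traffic, and both schemes are best run over TLS.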

HTTP Editor
A diagnostic and penetration scan tool that enables testers using HP WebInspect to create or edit
requests, send them to a server, and view the response either in raw HTML or as rendered in a
browser. The HTTP Editor is a manual hacking tool that requires a working knowledge of HTML,
HTTP, and request methods.

Hybrid 2.0 Technology
The presentation and grouping of correlated results from HP WebInspect penetration tests, HP
Fortify SecurityScope, and HP Fortify Runtime Application Protection.

I
IDS
Intrusion Detection System. This kind of system supplements perimeter security applications
(such as firewalls) and identifies attacks that have passed through those defenses.

image map
In Internet development, an image map is a graphic defined so that different areas of the image
are linked to different destinations.

impact
The potential damage an attacker could do to your assets by successfully exploiting a
vulnerability. This damage could be in the form of financial loss, compliance violation, loss of
brand reputation, negative publicity, and more.

individual auditor
A user who performs a single security review of an HP Fortify Software Security Center application
for a specific organization. An individual auditor uses custom rules to focus on a subset of security
issues rather than trying to address all areas of the application.

Issue report group
A group of reports that summarize the presence of specific categories of vulnerabilities in a single
HP Fortify Software Security Center (SSC) application version.

Issue Trending Report
One of the HP Fortify Software Security Center Portfolio Reports, which provides an overview of
changes to project risk over time.

Issues page
The default HP Fortify Project Details page. Provides current state and trending data on the
selected HP Fortify application version.

J
Java Agent Mode
The default Java integration mode for the Runtime Platform. Java Agent Mode is available in JVM
version 1.5 and later.

K
Kerberos Authentication
A network authorization protocol, designed to provide strong authentication for client/server
applications by using secret key cryptography. The strong cryptography of the protocol enables a
client to prove its identity to a server (and vice versa) across an insecure network connection.
After a client and server have used Kerberos to prove their identity, they can also encrypt all of
their communications to assure privacy and data integrity and go about their business.

Key Performance Indicators Report
An HP Fortify Software Security Center Portfolio Report that condenses multiple software security
performance indicators and organizes them by project attributes. Managers can use this view of
the project portfolio to do basic comparisons among the attribute groupings.

L
LDAP injection
A common coding error that affects security, in which a dynamic LDAP filter is constructed with
user input, allowing an attacker to modify the statement's meaning. For more information, see
http://www.hpenterprisesecurity.com/vulncat/index.html

likelihood
The probability that a vulnerability is accurately identified by an outsider and successfully
exploited.

link token
A unique number, generated by HP Fortify on Demand, which authorizes tenants to upload source
code for analysis.

log forging
A common coding error that affects security, in which unvalidated user input is written to log files,
allowing an attacker to forge log entries or inject malicious content into the logs. For more
information, see http://www.hpenterprisesecurity.com/vulncat/index.html

Log Viewer
A diagnostic and penetration scan tool that enables testers using HP WebInspect to inspect the
various logs maintained by WebInspect. This feature is used mainly by the HP Product Support
group to investigate reported incidents.

login macro
A type of macro (or recording) used for Web form authentication. A tester can also incorporate
logic that prevents HP WebInspect from terminating prematurely if it inadvertently logs out of the
application.

M
method
An action that a web service performs. For instance, one web service may have one WSDL that
contains four operations. Those might be, for example, Update, Create, Delete, and Diagnostic.
(Same as operation).

MIME type
Multipurpose Internet Mail Extensions (MIME) is a specification for formatting non-ASCII messages
so they can be sent over the Internet. The Content-Type header, for example, indicates the type and
subtype of the message content. The combination of type and subtype is generally called a
MIME type (also known as Internet media type). Examples include:
• text/html
• image/jpeg
• image/gif
• audio/mpeg
• video/mpeg
• application/zip

missing dependency
Code you submitted for analysis contains references to files not included in the payload. When the
software scans each line of your code, it looks for the source of each reference; if it does not find
them, it flags a missing dependency.

mobile build session
A mobile build session (MBS file) created after the SCA translation phase includes the files
required for analysis and allows a project to be translated on one machine and analyzed on
another.

monitor
A Java or .NET class built to watch program points. Monitors are connected to the target program
as specified by rules. Monitors can create events. HP Fortify Runtime Application Protection
includes a set of predefined monitors, but users can also add their own monitors.

MonitorID
A unique identifier for the monitor that generated a particular event. (The value is hardcoded in
the rule.) Note: One rule can contain multiple monitors.

N
navigation pane
When conducting or viewing a scan, the navigation pane is on the left side of the HP WebInspect
window. It includes the Site, Sequence, Search, and Step Mode buttons, which determine the
contents (or "view”) presented in the navigation pane.

NTLM Authentication
NTLM (NT LanMan) is an authentication process that is used by all members of the Windows NT
family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to
prove the client’s identity without requiring that either a password or a hashed password be sent
across the network.

O
operation
An action that a web service performs. For instance, one web service may have one WSDL that
contains four operations. Those might be, for example, Update, Create, Delete, and Diagnostic.
(Same as method)

OWASP Reports
An HP Fortify Software Security Center Issue Report that provides a summary of OWASP
vulnerabilities in a single HP Fortify Software Security Center application version.

OWASP Top Ten policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that tests for the
Open Web Application Security Project (OWASP) Top Ten Web application vulnerabilities. This is an
industry-wide best practice for ensuring the security of a Web application, and the policy reflects
OWASP 2013, which is the latest version.

Owner
The person assigned to an issue or application.

P
parameter
An item of information, such as a name, a selection, or a number, passed to a program by another
program or an end-user.

partial cleanse
A taint cleanse rule that specifies the taint flags to be added or removed.

Passive Scan policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that scans an
application for vulnerabilities detectable without active exploitation, making it safe to run against
production servers. Vulnerabilities detected by this policy include issues of path disclosure, error
messages, and others of a similar nature.

path manipulation
A type of security vulnerability that enables an attacker to specify a path used in an operation on
a file system, overwrite the specified file, or run the application with a configuration controlled by
the attacker.

payload
A discrete software unit deployed over a network.

PCI Compliance: Application Security Report
An HP Fortify Software Security Center (SSC) Issue Report that provides detailed information on
the completion status of the security requirements issues for a single SSC application version. The
Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to
ensure that all companies that process, store, or transmit credit card information maintain a
secure environment.

penetration test
A method of evaluating the security of a computer system or network by simulating an attack
from a malicious source known as a black hat hacker. The internal process involves an active
analysis of the system for any potential vulnerabilities that could result from poor or improper
system configuration, known or unknown flaws in hardware and software, and operational
weaknesses in process or technical counter-measures. Note that penetration tests can be
inefficient because testing cannot be done until software is complete, and there is often a very
narrow window for testing before software goes live.

Penetration Testing Correlation Report
An HP Fortify Software Security Center (SSC) Issue Report that correlates results from third-party
penetration testing tools with issues detected by HP Fortify Runtime Application Protection, and
HP Fortify Static Code Analyzer (SCA) for a single SSC application version.

performance indicators
Customized metrics that are normalized across application version boundaries and that can
represent complex higher-level abstractions such as monetary costs.

personas
A functional organization or job title that has responsibility for one or more portions of an HP
Fortify Software Security Center (SSC) application version. A persona has sign-off responsibility
for requirements and activities defined in an SSA application version's process template.

Platform policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that performs a
security assessment of your Web application platform by submitting attacks specifically against
the Web server and known Web applications. When performing assessments of enterprise-level
Web applications, the Platform policy is used in conjunction with the Application policy to optimize
an assessment in terms of speed and memory usage.

pod
A window or unit of information presented to the customer via the HP Fortify Software Security
Center (SSC) dashboard.

policy
A collection of audit engines and attack agents that HP WebInspect and HP WebInspect Enterprise
use when auditing or crawling a Web application. Each component has a specific task, such as
testing for susceptibility to cross-site scripting, building the site tree, probing for known server
vulnerabilities, etc. These components are organized into the following groups:
• Audit Engines
• General Application Testing
• General Text Searching
• Third-Party Web Applications
• Web Frameworks/Languages
• Web Servers
• Web Site Discovery
• Custom Checks

Policy Manager
A diagnostic and penetration scan tool that enables testers using HP WebInspect to manage any
one of several prepackaged vulnerability check and attack methodology policies in WebInspect.
Testers can view policies, edit policies by enabling or disabling audit engines and/or attack agents,
and create new policies.

Portfolio report group
A group of reports that enable you to compare issues, trends, and indicators across multiple HP
Fortify Software Security Center (SSC) application versions.

Process Designer
A tool used to edit HP Fortify Software Security Center (SSC) process templates.

process template
A hierarchical construction of requirements and activities. When you create a new SSA application
version, HP Fortify Software Security Center (SSC) suggests a process template.

process template (SSA)
A guide for the secure development team, used to navigate through the various requirements and
activities needed to fulfill an enterprise’s secure development standards. (Required only when
creating an SSA project version.)

program point
A location within a target program specified by a rule in Runtime products.

Project
Application. The HP Fortify Software Security Center entities that were referred to as projects and
project versions in 4.30 and earlier releases are referred to as applications and application
versions, respectively, in version 4.40.

project (Fortify on Demand)
A customer code base that is evaluated by HP Fortify security software.

Project Report Group
A group of reports that enables you to summarize user-selectable categories of information for a
single HP Fortify Software Security Center application version.

Project template
Issue template. The HP Fortify Software Security Center entity that was referred to as a Project
template in 4.30 and earlier releases is referred to as an Issue template in version 4.40.

Project Version
Application Version. The HP Fortify Software Security Center entities that were referred to as
projects and project versions in 4.30 and earlier releases are referred to as applications and
application versions, respectively, in version 4.40.

proxy server
A computer that serves as an intermediary between a workstation user and the Internet.
Requests for Internet services made by the client (the workstation) must pass through the proxy
server, as do the web server responses. A proxy server can be used to increase network
security, provide adequate caching space, and regulate administrative control.

Q
QA policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that is designed to
help QA professionals make project release decisions in terms of Web application security. It
performs checks for both known and unknown Web application vulnerabilities. However, it does
not submit potentially hazardous checks, making it safe to run on production systems.

QA Summary report
Report available in HP WebInspect that lists the URLs of all pages containing broken links, server
errors, external links, and timeouts.

query string
The extra bit of data in the URI after the question mark that is used to pass variables. The query
string is used to transfer data between the client and the server. Web applications often use
query strings as a simple method of passing data between the client and the server. Query strings
are a way to add data calls to a hyperlink, and then retrieve that information on the linked page
when it is displayed. By manipulating query strings, an attacker can easily steal information from a
database, learn details about the architecture of your Web application, or possibly execute
commands on your Web server.

Quick policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that includes an
automated crawl of the server and performs checks for known vulnerabilities in major packages
and unknown vulnerabilities at the Web server, Web application server, and Web application
layers. A Quick scan does not run checks that are likely to create denial-of-service conditions, so it
is safe to run on production systems. Smart Assessment is enabled in a Quick scan.

quick scan
A method of quickly scanning a project to provide a subset of the findings of a full scan. In quick
scan mode, HP Fortify Static Code Analyzer searches for high-confidence and high-severity issues.

R
regular expression
A regular expression is a pattern that describes a set of strings. Regular expressions are
constructed similarly to mathematical expressions by using various operators to combine smaller
expressions.

Regular Expression Editor
A diagnostic and penetration scan tool that enables advanced testers using HP WebInspect to
verify regular expressions. See regular expression.

release (Fortify on Demand)
A customer code base that is evaluated by HP Fortify security software.

remediated
The customer has modified their code with the intent of removing an identified security issue,
but the corrective action has not yet been validated by a subsequent scan.

report
A document generated by HP Fortify Software Security Center (SSC), Audit Workbench (AWB),
BIRTReportGenerator, or ReportGenerator, containing information on one or more FPRs.

Report Designer
A diagnostic and penetration scan tool that enables testers using HP WebInspect to create and
modify reports. This tool is an HP integration of ActiveReports®.

ReportGenerator
A command-line utility for generating PDF, RTF, or XML reports from FPRs.

requirement
Along with activities, one of a series of primary and constituent tasks that must be signed off to
complete the secure development of a particular application version.

results certification
A verification that the analysis has not been altered since it was produced by HP Fortify Static
Code Analyzer (SCA), HP WebInspect Agent, or HP Fortify Runtime Application Protection. Results
certification shows specific information about the scanned code.

rule
A rule specifies a set of program points and names a set of monitors. Runtime Application
Protection applies a rule by attaching the named monitors to the specified program points. A rule
may include a configuration for each named monitor including information such as the attributes
that the monitor should set when it creates an event or other settings that determine the
behavior of the monitor.

RuleID
A unique identifier for the rule that generated a particular event. (The value is hardcoded in the
rule.)

Rulepack
A collection of rules used to model important attributes of the program under analysis. These
rules provide meaning to relevant data values and enforce secure coding standards applicable to
the code base.

runtime agent
The runtime platform embedded in an application (Runtime Application Protection and HP
Application Defender).

Runtime Analyst
A person responsible for monitoring Runtime Application Protection and HP Application Defender
on an ongoing basis and for making limited configuration changes. Looks at Runtime output and
makes decisions, modifies event handlers, and adjusts settings as necessary.

Runtime Application Protection
See HP Fortify Runtime Application Protection

Runtime Host
A computer running one or more instances of Runtime products.

Runtime Operator
A person responsible for installation, basic configuration, and ongoing maintenance of the
Runtime, HP Application Defender, and HP Application View.

Runtime Platform
The common elements underlying HP Fortify Runtime Application Protection, HP ArcSight
Application View, HP Application Defender, and WebInspect Agent, including configuration and rule
formats, system requirements, and supported environments.

Runtime solution designer
A person responsible for configuring and customizing HP Fortify Runtime Application Protection,
HP ArcSight Application View, HP Application Defender, or WebInspect Agent for a given
application.

S
SaaS
Software as a Service

Safe policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that includes an
automated crawl of the server and performs checks for most known vulnerabilities in major
packages and some unknown vulnerabilities at the Web server, Web application server, and Web
application layers. A Safe scan does not run any checks that could potentially trigger a denial-of-
service condition, even on sensitive systems. Smart Assessment is enabled in a Safe scan.

SAST
Static application security testing. Vulnerability tests conducted on an application’s static code.
See also HP Fortify Static Code Analyzer (SCA)

SCA
See HP Fortify Static Code Analyzer (SCA)

SCA Tools
A collection of tools that extend the reach of SCA by providing a connection to SCA via graphical
desktop clients, IDE plugins, and command-line tools that allow you to view, search on, audit, and
generate reports on security vulnerabilities.

scan
A generic term for the investigation of a Web site or enterprise. The actual task may be either a
crawl, audit, or a combined crawl and audit. (same as assessment)

Scan Difference report
Report available in HP WebInspect that compares two scans and reports the differences, such as
vulnerabilities, pages, and file-not-found responses that occur in one scan but not the other.

Scan Log report
Report available in HP WebInspect that presents a sequential list of the activities WebInspect
conducted during the scan, as the information appears on the Scan Log tab of the WebInspect
summary pane.

scanner
See HP scanner

SCAState
Provides current state analysis information during an SCA scan phase.

SDK
Software Development Kit

SDL
See Security Development Lifecycle

SDLC
See Secure Development Life Cycle. Note that SDLC can also stand for Software Development Life
Cycle.

Secure Development Life Cycle (SDLC)
A plan designed to ensure that security is inherent in enterprise software design and
development, rather than an afterthought bolted on late in development.

Security at a Glance Report
An HP Fortify Software Security Center Portfolio Report that provides a high-level overview of the
potential security risk and current security findings across the five highest-risk application
versions.

security content
Security content consists of the Secure Coding Rulepacks and external metadata. The external
metadata maps HP Fortify categories to alternative taxonomies (such as OWASP, PCI, and CWE).
You can modify the existing mappings in the external metadata document (externalmetadata.xml)
or, as is recommended, create your own files that map HP Fortify issues to other taxonomies,
such as internal application security standards or additional compliance obligations.

Security Development Lifecycle (SDL)
An established approach to producing secure code, as defined by Microsoft.

Security Research Group (SRG)
See Software Security Research.

Semantic Analyzer
A component of HP Fortify Static Code Analyzer (SCA) that detects potentially dangerous uses of
functions and APIs at the intra-procedural level.

sensor
A scanner supported by the HP WebInspect and HP WebInspect Enterprise applications when
connected to AMP and/or WebInspect Enterprise for the purpose of performing remotely
scheduled or requested scans with no direct user interaction through its graphical user interface.
It receives its instructions exclusively from the configurable connection to an AMP or WebInspect
Enterprise Manager.

server
In the Web application client/server model, a server (a program housed on a computer) uses HTTP
to serve the files that make up Web sites to users. The user's system contains an HTTP client
(for example, the Web browser) that sends requests to the Web server, which responds with the
appropriate data. Two leading Web servers are Apache and Microsoft's Internet Information
Services (IIS).

Server Analyzer
A diagnostic and penetration scan tool for testers using HP WebInspect that interrogates a server
to determine the server’s operating system, banners, cookies, and other information.

Service Level Objective (SLO)
Target turnaround time, specified in business days.

session
A session is a matched set containing both the client request and the server response. For
Internet applications, each session is associated with a particular port. A session may contain
up to three components:
• A link to a URL
• The HTTP request that HP WebInspect generates as a result of that link (but does not
  necessarily send)
• The associated HTTP response returned by the server

session hijacking
Allows an attacker to masquerade as another user and gain access to Web service without having
to authenticate. By using session hijacking, an attacker has access to the Web application with
permissions of the original user.

session ID
A token issued by the server after authentication and returned by the client on subsequent
requests (typically in a cookie) so that the user does not have to enter credentials repeatedly.
Because a valid session ID stands in for the user name and password, an attacker who obtains
one and presents it in a request can perform session hijacking or replay attacks.

Seven Pernicious Kingdoms Report
An HP Fortify Software Security Center Issue Report based on a taxonomy of the same name that
summarizes the presence of several HP Fortify-defined issues for a single HP Fortify Software
Security Center application version. For more information, see
http://www.hpenterprisesecurity.com/vulncat/index.html

severity
The hierarchy of vulnerability seriousness (Critical, High, Medium, Low, Best Practices, Info). (Same
as Fortify Priority Order)

signing-off activities
As secure development proceeds, the HP Fortify Software Security Center persona or personas
must sign off on assigned activities.

sign-off state
The state of an activity, requirement, or process template. Valid states: Awaiting sign-off, Signed
off with exemption, Signed off, and Document rejected

Sink
A place in the code where a potentially harmful function call or operation can take place.

SLO
Service Level Objective - Target turnaround time, specified in business days.

Smart Scan
Smart Scan discovers the type of server that is hosting a website and checks for known
vulnerabilities against that specific server type. For example, if scanning a site hosted on an IIS
server, HP WebInspect probes only for those vulnerabilities to which IIS is susceptible. It does not
check for vulnerabilities that affect other servers, such as Apache or iPlanet.

SOAP policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that is rooted in the
fact that most Web services use SOAP to send XML data between the Web service and the client
Web application making the information request. The SOAP policy is used to determine the
security vulnerabilities of a Web service. Applying the SOAP policy against a Web site is not
recommended.

Software as a Service (SaaS)
Also referred to as "on-demand software," SaaS is a software delivery model in which software
and its associated data are hosted centrally (typically in the Internet "cloud"). The software and
data are usually accessed over the Internet using a web browser.

Software Security Assurance (SSA)
A holistic approach to software development and procurement aimed at making critical business
software more secure and resistant to attack by addressing security risks at the application
code level.

Software Security Research (SSR)
A team of security experts dedicated to conducting research and providing customers with
knowledge and services relevant to a broad range of security topics. The security knowledge and
services are delivered in many forms, including HP Fortify Secure Coding Rulepacks, HP Fortify
Runtime Rulepack Kits, HP WebInspect SecureBase, premium content, and advanced services and
training. Note: Software Security Research (SSR) comprises the former HP Fortify Security
Research Group (SRG) and WebInspect Software Research Group (WSRG).

Source
A place in the code where malicious data can enter.

SQL injection
A technique for exploiting Web applications that build SQL queries from client-supplied data, so
that the data is interpreted as part of the query rather than as a plain value. The attack allows
SQL of the attacker's choosing to be injected and exploits a security vulnerability in the
database layer of an application. Keeping data separate from query text (for example, with
parameterized queries) prevents it; merely removing "dangerous" characters does not.

SQL Injection policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that performs a
security assessment of a Web application for SQL injection vulnerabilities. SQL injection is an
attack technique that takes advantage of non-validated input vulnerabilities to pass arbitrary SQL
queries and/or commands through the Web application for execution by a backend database.

SQL Injector
A diagnostic and penetration scan tool that enables testers using HP WebInspect to test for
SQL injection vulnerabilities by creating and submitting HTTP requests that may be processed by
the SQL server. The SQL Injector supports MS-SQL, Oracle, PostgreSQL, MySQL, and DB2 as
database types, and also supports multiple language systems, including Japanese.

SRG
Security Research Group. See Software Security Research (SSR).

SSA
See Software Security Assurance

SSA application version
A Software Security Assurance (SSA) type of application version that manages ongoing code
development through activities listed in a process template.

SSA application version process template
A hierarchical arrangement of requirements and activities that must be signed off to complete
the secure development of a particular application version.

SSA Progress Report
An HP Fortify Software Security Center SSA Project Report that summarizes the completion of
Software Security Assurance requirements and activities across one or more HP Fortify Software
Security Center application versions.

SSR
See Software Security Research (SSR)

stack trace
A report of the active stack frames at a given point during the execution of a program. It is
commonly used during interactive and post-mortem debugging and can be displayed to the user
of a program as part of an error message that the user can report to the programmer. When a
function raises an error, the trace lists that function together with the chain of callers that
were active at the time; this call chain is the stack trace.

Standalone Mode
The self-sufficient operating mode for HP Fortify Runtime Application Protection. Runtime
depends only on locally available resources (rules, configuration, and monitors). It does not
coordinate its activities with HP Fortify Software Security Center (SSC). A contrasting alternative
to Federated Mode.

Standard policy
An HP scanner policy for an HP WebInspect or HP WebInspect Enterprise scan that includes an
automated crawl of the server and performs checks for known and unknown vulnerabilities at the
Web server, Web application server, and Web application layers. A Standard scan does not run
checks that are likely to create denial-of-service conditions, so it is safe to run on production
systems. Smart Assessment is enabled in a Standard scan.

startup macro
A type of macro used most often to focus on a particular subsection of an application. It specifies
URLs that HP WebInspect uses to navigate to that area. It can also include login information, but
does not contain logic that prevents WebInspect from logging out of an application.

static application security testing
See SAST

static source code analysis (static analysis)
Any computer software analysis that is performed without actually executing the programs under
consideration. (Analysis performed on executing programs is known as dynamic analysis.) Static
analysis is powerful because it allows for the quick consideration of many possibilities. The tool
can explore many "what if" scenarios without performing the computations necessary to execute
the code for all scenarios.

STIG
Security Technical Implementation Guides. The official security configuration guidance and
policies used by the United States Department of Defense. As of June 2012, STIG v3.0 is the
current document. For more information, see http://iase.disa.mil/stigs/index.html.

string
A block of values or symbols, such as a character string (a sequence of alphanumeric characters),
or a binary string (a sequence of binary values).

Structural Analyzer
A component of HP Fortify Static Code Analyzer (SCA) that identifies potentially dangerous flaws in
the structure or definition of a program. It identifies violations of secure programming practices
and techniques that are often difficult to detect.

structural rule
A rule that identifies a problematic code pattern. Examples of such a code pattern include: a
source code comment, a bad method call, or a dangerous setting for a field in a class.

structural tree
An organizational system for the Structural Analyzer that organizes program source code into a
structural tree made up of nodes. The nodes represent program constructs such as classes,
functions, fields, code blocks, statements, and expressions.

SVN
Subversion. A type of Version Control System, or VCS.

SWFScan
An HP WebInspect tool that identifies many of the vulnerabilities that affect Adobe Flash
applications and provides definitive insight on how to remove or avoid them.

T
taint
Data that enters the program from an untrusted source, such as user input. Insufficient
validation of such data can lead to security issues.

taint cleanse
A rule that marks a point on a taint propagation path beyond which further validation is
unnecessary: no taint flags are added or removed there, and the Dataflow Analyzer stops
propagating taint completely at that point.

taint entrypoint
A type of taint source invoked by the environment or framework that has tainted input.

taint flags
An attribute of tainted data that enables the Dataflow Analyzer to accurately identify issues.

taint passthrough
A Dataflow Analyzer function that automatically derives passthrough behaviors for functions
defined in the source code. Externally derived functions with passthrough behavior must be
modeled with a rule.

taint path
A sequence of method calls, stores (assignments to variables or fields), and loads (reads from
variables or fields). A taint path denotes a path along which tainted data is propagated from a
taint source point to a taint sink point. Since a program may contain loops or recursion, there may
be an infinite number of paths. The Dataflow Analyzer considers at least one taint path for each
set of possible taint flags from a source to a sink.

taint sink
A program point where tainted data must not flow. When the Dataflow Analyzer finds a point
where data can flow from source to sink, it reports an issue.

taint source
A program point through which tainted data enters, such as a function that reads data from an
untrusted data source.

tainted data
User-controlled data that has the potential to be put to dangerous use.
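The taint vocabulary in the entries above (taint source, taint passthrough, taint cleanse, taint sink, taint path), together with the query string and SQL injection entries, maps onto a few lines of code. The following Python example is added here for illustration; it is not code from the HP Fortify documentation or products. The users table, the query-string parameter name "user", and all function names are assumptions made for the example. It shows the same lookup written with string concatenation (the source-to-sink pattern reported as SQL injection), with a bound parameter, and behind an allowlist validator of the kind a cleanse rule would model.

```python
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory sample data (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "user"),
         ("bob", "bob@example.test", "admin")],
    )
    return conn


def user_from_query_string(qs):
    """Taint source: the value comes straight from the URL query string."""
    return parse_qs(qs).get("user", [""])[0]


def build_lookup_sql(name):
    """Taint passthrough: the tainted string flows through into the query text.

    The Dataflow Analyzer derives this behaviour automatically for functions
    defined in the scanned source; library functions need a rule.
    """
    return "SELECT name, email, role FROM users WHERE name = '" + name + "'"


def lookup_vulnerable(conn, qs):
    """Taint path source -> passthrough -> sink; reported as SQL Injection."""
    sql = build_lookup_sql(user_from_query_string(qs))
    # Taint sink: attacker-controlled text is executed as SQL.
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, qs):
    """Same lookup with a bound parameter: data can never change the query structure."""
    name = user_from_query_string(qs)
    return conn.execute(
        "SELECT name, email, role FROM users WHERE name = ?", (name,)
    ).fetchall()


USERNAME = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(name):
    """Allowlist check: the kind of program point a taint cleanse rule models.

    Parameterization remains the primary defense; validation only narrows
    what can reach the query at all.
    """
    if not USERNAME.match(name):
        raise ValueError("invalid user name")
    return name


def lookup_validated(conn, qs):
    """Validation before the sink: the concatenation still exists, but only
    names matching the allowlist can reach it."""
    name = validate_username(user_from_query_string(qs))
    return conn.execute(build_lookup_sql(name)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "user=alice"
    attack = "user=%27+OR+%271%27%3D%271"      # decodes to: ' OR '1'='1
    print(lookup_vulnerable(conn, benign))      # one row
    print(lookup_vulnerable(conn, attack))      # every row: WHERE clause rewritten
    print(lookup_parameterized(conn, attack))   # no rows: payload is just a name
    try:
        lookup_validated(conn, attack)
    except ValueError as exc:
        print("rejected:", exc)
```

With the constructed payload, the concatenated query becomes WHERE name = '' OR '1'='1', which returns every row; the bound-parameter version returns nothing because the payload is compared as a literal name, and the validated version never reaches the database.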

TAM
Technical Account Manager. Often your primary contact at HP Fortify.

target program or target application
The program being monitored by all Runtime products. The target program can be any Java or
.NET program, an application server with multiple applications running under it, or an independent
application.

technical attributes
Metadata used to make comparisons across projects. Technical attributes cover development-
related activities and apply to a project’s version.

tenant
A client organization that has secured space on the HP Fortify on Demand server.

tenant ID
The unique identifier given to a client organization, allowing the organization to access its
designated space on the HP Fortify on Demand server.

test
Synonym for scan or analysis.

ticket
A support request.

time lapse activity
HP Fortify Software Security Center activity that should be performed within a particular time
period.

Tool Finder
HP Fortify Static Code Analyzer tool used to integrate SCA into a simple build process without
making any changes to the build system.

total issues
The total number of unique issues in the selected project. Accessible from the Issues page of the
HP Fortify Software Security Center (SSC).

Trend report
Report available in HP WebInspect that enables monitoring a development team’s progress
toward resolving vulnerabilities. The report shows an analysis of the results of all scans conducted
to date and includes a graph showing the number of vulnerabilities, by severity, plotted on a
timeline defined by the date on which the scan was conducted.

Trending tab
A tab located on the Issues page of HP Fortify Software Security Center (SSC), which presents a
graphical summary of the selected application version's historical trend data.

Trojan
A Trojan horse attack, or Trojan, is a non-self-replicating type of malware program containing
malicious code that, when executed, carries out actions determined by the nature of the Trojan,
typically causing loss or theft of data, and possible system harm. The term is derived from the
story of the wooden horse used to trick defenders of Troy into taking concealed warriors into
their city in ancient Anatolia. Seemingly benign data or programming is used to hide malicious or
harmful code in such a way that it can instigate its chosen form of damage without the computer
operator’s knowledge.

U
Unified Web Macro Recorder
See Web Macro Recorder (Unified)

user role
The function performed by any individual person who uses HP Fortify software. We most often use
this term as a way of identifying the Rulepacks and custom rules that apply to a particular
contributor. See also:
• central security team
• development team
• individual auditor

V
variable
Building blocks for performance indicators; storage for measurement values that count issues,
conditions, and similar categories of numeric data.

VCS
Version Control System

Vendor Security Management (VSM)
An HP Fortify on Demand offering that assesses the software security of third-party applications.

verification event
An event triggered by matching a guard, specifically the user data matching some predefined
attack payload created by the HP Fortify Security Research Group. If an event matches this
criterion, then the event most likely denotes an attack.

VSM
See Vendor Security Management

vulnerability
A weakness that allows an attacker to reduce a system’s information assurance. Vulnerability is
the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw,
and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at
least one applicable tool or technique that can connect to a system weakness. (same as issue)

Vulnerability (Legacy) report
Report available in HP WebInspect that presents detailed information about discovered
vulnerabilities, with recommendations for remediation.

Vulnerability report
Report available in HP WebInspect that presents detailed information about discovered
vulnerabilities, sorted by severity.

W
WADL
Web Application Description Language. An XML-based file format that provides a machine-
readable description of HTTP-based web applications. These applications are typically REST web
services. The purpose of WADL is to allow services on the internet (or any other IP network) to be
described in a machine-processable way, making it easier to create Web 2.0 style applications and
create a dynamic way of creating and configuring services. WADL can be thought of as the REST
equivalent of Web Services Description Language version 1.1. However, version 2.0 of WSDL can be
used to describe REST Web services, thus competing with WADL.

Web Application Description Language
See WADL

Web Brute
An HP WebInspect tool that determines if users in an organization are employing user names and
passwords that an unauthorized intruder might be able to guess easily. Web Brute attempts a
“brute force” attack of a login form or authentication page using prepared lists of user names
and passwords.

Web Discovery
An HP WebInspect tool used to find all open hosts in an enterprise environment. The tester can
then save the list of discovered servers to a text file for analysis.

Web form authentication
Many Web applications contain HTML forms that a user must complete successfully before being
allowed to access the remainder of the application. Typically, the user types a "user name" in a
single-line text input control and "password" in a password control, and then submits the form to
a server-based agent for processing.

Web Form Editor
An HP WebInspect tool used to submit appropriate data for each form of a website that is being
tested. The tool enables the tester to create or modify a file with the names of input controls and
their associated values to be submitted when testing forms on the website.

Web Macro Recorder (Event-Based IE Compatible)
An HP WebInspect tool that enables a website tester to create and run login macros for Web form
authentication. This Web Macro Recorder has been replaced with the Unified Web Macro Recorder
in newer versions of WebInspect and WebInspect Enterprise.

Web Macro Recorder (Unified)
An HP WebInspect tool used to create and run a login macro for Web form authentication.

Web Proxy
An HP WebInspect tool used to monitor traffic from a scanner, a Web browser, or any other tool
that submits HTTP requests and receives responses from a server.

Web Proxy Autodiscovery Protocol
Protocol used in HP WebInspect to automatically detect proxy settings. It locates a proxy
autoconfig file and uses this to configure the browser's Web proxy settings.

Web service
Web services are programs that communicate with other applications (rather than with users)
and answer requests for information. Most Web services use SOAP (Simple Object Access Protocol)
to send XML data between the Web service and the client Web application making the information
request. Unlike HTML, which only describes how Web pages are displayed, XML provides a
framework to describe and contain structured data. The client Web application can readily
understand the returned data and display that information to the end user. A client Web
application that accesses a Web service receives a WSDL (Web Services Description Language)
document so that it understands how to communicate with the service. The WSDL document
describes what programmed procedures the Web service includes, what parameters those
procedures expect, and the type of return information the client Web application receives.

Web Services Description Language
See WSDL

Web Service Test Designer
An HP WebInspect tool used to create a Web Service Test Design file (.wsd) containing the values
that WebInspect should submit when conducting a web service scan.

WebInspect
See HP WebInspect

WebInspect Enterprise
See HP WebInspect Enterprise

WebInspect Enterprise Administrative Console
Administrative console component of HP WebInspect Enterprise that is used for administrative
and security functions.

WebInspect Enterprise Services Manager
Interface component of HP WebInspect Enterprise that is used to configure or modify services
associated with WebInspect Enterprise. Also known as the WebInspect Enterprise Services
Configuration Utility.

WebInspect Enterprise Thin Client
The HP WebInspect Enterprise application that is downloaded and installed to a local machine and
contains the Guided Scan and Report generation functions. The Guided Scan function directs
users through the recommended steps to configure a scan that is tailored to an application. The
Report generation function creates a new report from a scan the user selects.

WebInspect Enterprise Web Console
A browser-based interface component of HP WebInspect Enterprise designed for non-
administrative functions such as running and managing scans.

WebInspect SDK
The WebInspect Software Development Kit (SDK) is a Visual Studio extension that enables
software developers to create an audit extension to test for a specific vulnerability in a session
response.

WebInspect Sensor
An instance of HP WebInspect that runs as a Windows service connected to HP WebInspect
Enterprise to perform remotely scheduled or requested scans.

WebInspect Software Research Group (WSRG)
See Software Security Research (SSR)

webroot
In a computer file system organized in a hierarchical or tree structure, the root directory is the
directory that includes all other directories (for example, C:\). For Web sites, the webroot is the
uppermost level of the tree hierarchy of the site.

work owners
Individual user accounts in HP Fortify Software Security Center (SSC) that are tasked with
performing certain activities and requirements in given application versions. The Process Designer
client tool permits default work owners to be assigned to process template requirements and
activities.

WPAD
See Web Proxy Autodiscovery Protocol

WSDL
Web Services Description Language. An XML format for describing network services as a set of
endpoints operating on messages containing either document-oriented or procedure-oriented
information. The operations and messages are described abstractly, and then bound to a
concrete network protocol and message format to define an endpoint. Related concrete
endpoints are combined into abstract endpoints (services).

WSRG
WebInspect Software Research Group. See Software Security Research (SSR).

X
XML injection
A common coding error that affects security in which unvalidated data is written into an XML
document, allowing an attacker to change the structure and contents of the XML. For more
information see http://www.hpenterprisesecurity.com/vulncat/index.html
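The following Python example is added to illustrate the entry above; it is not code from the page or from HP Fortify. It builds a user record the way the entry describes (unvalidated data written straight into XML text) and the safe way (through an XML API that escapes the data). The record layout, the "role" element, the constructed payload, and the consumer that trusts the first "role" element it finds are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET


def build_user_xml_vulnerable(name, email):
    """XML injection: caller-supplied data is spliced into the document text unescaped."""
    return ("<user><name>%s</name><email>%s</email><role>user</role></user>"
            % (name, email))


def build_user_xml_safe(name, email):
    """Same record built through the XML API, which escapes <, > and & in text nodes."""
    root = ET.Element("user")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "email").text = email
    ET.SubElement(root, "role").text = "user"
    return ET.tostring(root, encoding="unicode")


def effective_role(xml_text):
    """Assumed consumer: trusts the first <role> child it finds."""
    root = ET.fromstring(xml_text)
    role = root.find("role")
    return role.text if role is not None else None


def recovered_name(xml_text):
    """What the consumer reads back as the user's name."""
    return ET.fromstring(xml_text).find("name").text


# Constructed payload: closes <name>, inserts a <role> element, reopens <name>
# so that the resulting document is still well-formed.
PAYLOAD = "mallory</name><role>admin</role><name>"


if __name__ == "__main__":
    bad = build_user_xml_vulnerable(PAYLOAD, "m@example.test")
    good = build_user_xml_safe(PAYLOAD, "m@example.test")
    print(bad)
    print("vulnerable build, role read back:", effective_role(bad))   # admin
    print(good)
    print("safe build, role read back:", effective_role(good))        # user
    print("safe build, name read back:", recovered_name(good))        # the raw payload
```

The vulnerable builder yields a well-formed document whose first role element is the attacker's, so the consumer grants admin; the API-built document carries the same payload as escaped text, the structure is unchanged, and the name round-trips as plain data.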

XPath injection
A common coding error that affects security, in which a dynamic XPath query is constructed with
user input, allowing an attacker to modify the statement's meaning. For more information see
http://www.hpenterprisesecurity.com/vulncat/index.html

XSS
See cross-site scripting
