Captain Captain

Fortify SSC - same person uploaded FPR file should not modify Analysis Tag but can do it for others

A customer asked me if there exist a possiblity to modify / configure the Fortify SSC Server to establish a simpler 4-eyes principle process so it can be used by small team which all  have the same role .i.e. Developer. Goal is that a person which uploads the FPR file can not modify the Analysis Tag of that application but may can change the Analysis Tag on other applications. This would allow that the review has to be done by another developer which did not made the scan.

I know that you can use restricted Tags but this requires that people will need a separate role like security lead. The customer  doesn't want to add the review privileges to a single person / role, so it should just make sure that it can not be done by the same person who did the scan (=uploaded the FPR). Exists therefore a possiblity to configrue such a 4-eyes process?

Tags (1)
0 Replies
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.