How to catch CVV code logging with Fortify Custom Rules?

We want to use Fortify to catch the credit card CVV code logging issue in the "Privacy Violation" category, just like Fortify can catch the password logging issue.

We want to use custom rules to help us implement this, but we don't know where to start.

There is very limited documentation about how to set up Fortify Custom Rules to catch Privacy Violation issues in .NET code.

Could you give me some samples or documents to help us?


1 Reply
Micro Focus Expert

Custom rule authoring is an advanced Fortify topic, so in general we recommend getting Fortify Professional Services involved for custom rule training and mentoring, and to assist you in developing custom rules. Please contact your Fortify sales representative or Professional Services contact for more information.

SCA comes with some custom rule documentation and samples in the SCA <install dir>\samples\advanced\customrules directory. However, many vulnerabilities are reported based on a combination of rules. For example, for data flow analysis you will need to have both data flow source and sink rules. Depending on the use case, you may need to develop custom data flow source rules that work together with standard Fortify data flow sink rules, and vice versa.

Since the standard Fortify rules are intellectual property, we unfortunately cannot provide full details on them. As such, in many cases the documentation and samples are not sufficient for effective custom rule development. For example, there is no public list of the data flow taint flags used by the standard Fortify rules, hence the recommendation to work with a Fortify Professional Services consultant for effective development of custom rules.

For this specific use case, you will probably need to develop one or more data flow source rules that add the PRIVATE taint flag to any fields that may hold such private information, for example by adding this taint flag to all fields named 'cvv'. Based on the standard Fortify rules, SCA will then automatically propagate the PRIVATE taint flag through function calls and variable assignments, and then trigger Privacy Violation issues (based on standard Fortify data flow sink rules) whenever such data is used inappropriately, for example when included in logging statements.

Best regards,
Ruud Senden
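As an added illustration of the approach described in the reply above (this is not code from the original post, nor a rule shipped by Micro Focus/Fortify), here is what a custom rulepack containing such a data flow source rule could look like, following the structure of the XML samples in the SCA <install dir>\samples\advanced\customrules directory. It tags the return value of any .NET property getter or method named like `Cvv`, `CVV2`, `GetCvv` etc. with the PRIVATE taint flag, so that the standard Fortify Privacy Violation sink rules fire when that value reaches a logging call. The RulePackID, SKU, RuleID, rule format version and the name pattern are assumptions chosen for this example; confirm the element names, attribute values and format version against the samples and the Custom Rules Guide shipped with your SCA version before relying on it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example custom rulepack (assumed structure; verify against SCA samples). -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <!-- RulePackID and SKU are placeholders made up for this example. -->
  <RulePackID>D4F0C9A2-7B3E-4C11-9A6F-2E8B5D1C0F37</RulePackID>
  <SKU>SKU-Example-CVV-Privacy</SKU>
  <Name><![CDATA[Example: CVV code as private data]]></Name>
  <Version>1.0</Version>
  <Description><![CDATA[
    Marks CVV values returned by .NET property getters and methods as PRIVATE
    so that standard Privacy Violation sink rules report them when logged.
  ]]></Description>
  <Rules version="3.14">
    <RuleDefinitions>
      <!--
        Data flow SOURCE rule: every value returned by a matching function
        carries the PRIVATE taint flag. In .NET a property such as
        "string Cvv { get; set; }" compiles to a getter named get_Cvv, so the
        pattern covers both property getters and explicit GetCvv()-style methods.
      -->
      <DataflowSourceRule formatVersion="3.14" language="dotnet">
        <!-- RuleID is a placeholder made up for this example. -->
        <RuleID>9B2E6A7C-3D5F-4E81-A0C4-6F1D2B3E5A90</RuleID>
        <TaintFlags>+PRIVATE</TaintFlags>
        <FunctionIdentifier>
          <!-- Match in any namespace and any class. -->
          <NamespaceName><Pattern>.*</Pattern></NamespaceName>
          <ClassName><Pattern>.*</Pattern></ClassName>
          <!--
            Matches get_Cvv, get_CVV2, GetCvv, getCvv2, ... (case-insensitive
            on the "cvv" part, optional trailing "2" for CVV2).
          -->
          <FunctionName><Pattern>(get_|[Gg]et)?[Cc][Vv][Vv]2?</Pattern></FunctionName>
          <!-- Also apply to overriding/implementing members in subclasses. -->
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <!-- The tainted value is the function's return value. -->
        <OutArguments>return</OutArguments>
      </DataflowSourceRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

To try it, pass the file to the scan phase with the `-rules` option (for example `sourceanalyzer -b <build-id> -scan -rules cvv_privacy_rules.xml -f results.fpr`) and check that a statement such as `_log.Info("Card check: " + card.Cvv)` now produces a Privacy Violation finding whose data flow trace starts at the getter. Two caveats: if the CVV is stored in a public field rather than a property, no getter exists for a FunctionIdentifier to match, so a different identifier form (see the shipped samples for the field and variable identifier elements) is needed; and since, as the reply notes, the taint flags used by the standard sink rules are not published, PRIVATE is the obvious candidate but the finding should be confirmed empirically on a small test project before the rule is rolled out.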
