HP Fortify Software Security Center v3.

60
System Requirements
Part Number: 1-184-2012-09-360-01
The HP Fortify Technical Communications team strives to provide the most comprehensive and accurate
documentation possible. To ensure that your documents are up to date, visit the HP Software Product Manuals site
at http://support.openview.hp.com/selfsolve/manuals.

HP Fortify Software Licenses

Before you begin working in HP Fortify software, you will need to download the appropriate licenses for your
purchases. To do this, go to https://support.fortify.com. You will need the user name and password provided to
you by HP Fortify Customer Support.

HP Fortify Software Security Center Server Requirements

Hardware Requirements
HP Fortify Software Security Center requires the following:
2 GHz+ processor, 32-bit, or 64-bit (recommended)
4 GB+ RAM
Platforms and Architectures
HP Fortify Software Security Center supports the following platforms and architectures:
Operating System
Versions
Architectures
Linux
Red Hat ES 4, ES 5
x86: 32-bit or
Novell SUSE 10, Oracle EL 5.2
64-bit (recommended)
Windows
2003 SP2, 2008, 2008 R2
x86: 32-bit or
64-bit (recommended)
Oracle Solaris
10
SPARC
Application Servers
HP Fortify Software Security Center supports the following application servers:
Application Server
Versions
Java Versions
Tomcat
6.0 or
Java 6 or 7
7.0 (recommended)
WebLogic
10.3.4 or
Java 6 or 7
10.3.5 (recommended)
WebSphere
6.1* or
Java 6 or 7
7.0 (recommended)
JBoss
5.0.1
Java 6 or 7
*Note: We will be deprecating WebSphere 6.1 in future versions.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

Databases
HP Fortify Software Security Center supports the following databases in a production environment:
Databases
Character Sets
Drivers
MS SQL Server 2005 or
SQL_Latin1_General_
JTDS (Recommended)
2008 (recommended)
CP1_CI_AS, Unicode
JDBC 3.0 Type 4 driver for Microsoft SQL
Server version 1.2.2
Driver class:
net.sourceeforge.jtds.jdbc.Driver
Jar file: jtds-1.2.2.jar

MySQL 5.0.x: 5.0.45 and

higher
MySQL 5.1.x: 5.1.30 or
5.1.39 and higher
(recommended)

UTF8, Latin1

Oracle 10g and 11g

AL32UTF8 for all

languages
WE8MSWIN1252 for
US English

DB2 9.5, 9.7

UTF8, IBM-1252

Microsoft
Microsoft SQL Server JDBC Driver 2.0
Type 4
Driver class:
com.microsoft.sqlserver.jdbc.SQLServerDr
iver
Jar files:
sqljdbc4.jar (Java 6)
sqljdbc.jar (Java 5)
MySQL Connector/J 5.1 or 5.1.11
Driver class:
com.mysql.jdbc.driver
Jar file:
mysql-connector-java<Version_Number>-bin.jar
Oracle Database 11g Release 1
(11.1.0.7.0) JDBC Drivers
Driver class: oracle.jdbc.OracleDriver
Jar files:
jdbc6.jar (Java 6)
jdbc5.jar (Java 5)
Note: IBM DB2 drivers also require that
you add at least one of the following
driver license files to the CLASSPATH
before loading the JDBC driver and
seeding your database.
db2jcc_license_cisuz.jar
db2jcc_license_cu.jar

IBM DB2 JDBC Driver v9.5 FP4 3.53.95

Driver class:
com.ibm.db2.jcc.DB2Driver
Jar files:
db2jcc.jar (Java 5)
db2jcc4.jar (Java 6)
Note: If SQL Server is configured to use any character encoding other than unicode, you must append
"sendStringParametersAsUnicode=false" to the end of your jdbc URL. For example:
jdbc:jtds:sqlserver://dbhost:1433/ssc;sendStringParametersAsUnicode=false
HP Fortify Software Security Center Demonstration Server includes an Apache Derby database for
MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

Databases
Character Sets
Drivers
evaluation purposes only. This database cannot be expanded or upgraded. Do not use it to store critical
data.
Database Disk Space
Use the following formula to estimate the size (in GB) of the HP Fortify Software Security Center database disk
space:
DB_Space (GB) =

( TotalIssues *30kb) TotalArtif acts in kb

1,000,000

where:
<TotalIssues> = Total number of issues in the system
<TotalArtifacts> = Total size of all uploaded artifacts and scan results
Notes: This equation produces only a rough estimate for the allocation of database disk space. The formula is not
intended for use in estimating disk space requirements for long term projects. The disk requirements for the HP
Fortify Software Security Center databases grow in proportion to the number of projects, scans, and issues in the
system.
Browsers
HP Fortify Software Security Center requires Flash Player version 10.2 or later. For the best experience, we
recommend that you use one of the following browsers with a minimum resolution of 1280x1024:
Browser
Flash Plugin
Firefox
Flash Player 11 (recommended)
Internet Explorer
Flash Player 11 (recommended)
Safari
Flash Player 11 (recommended)
Chrome
Flash Player 11 (recommended)
JAWS (See HP Fortify Assistive
Flash Player 11 (recommended)
Technologies Section 508)
Authentication Systems
Windows Active Directory Service
LDAP
Service Integrations
HP Fortify Software Security Center supports the following service integrations:
Service
Applications
Versions
Bug Creation
Bugzilla
3.0
HP ALM
11
JIRA
4.0
Authentication
CA SiteMinder
12
Active Directory
2003, 2008
Issue Import
AppDetective
6.0
AppScan

Dynamic Assessments

7.7, 7.9, 8.0

For compatibility with HP Fortify Static Code Analyzer (SCA), HP

WebInspect, and HP AMP, see HP Fortify 3.60 Compatibility Matrix
WebInspect Enterprise

Notes:
ALM 11 changeset mapping is only supported in conjunction with VisualSVN.
Importing third-party issues may lose some functionality of the third-party format

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

Documentation
The documents listed in the following table apply to HP Fortify Software Security Center:
Document Name
PDF
HTML Help
HP Fortify Software
HP_Fortify_SSC_User_Guide_3.60.pdf
HP Fortify Software
Security Center User
Security Center Help
Guide
HP Fortify Software
N/A
Within the web
Security Center Process
application at
Guide
/ssc/guide/
HP Fortify Software
HP_Fortify_SSC_Installation_and_
HP Fortify Software
Security Center
Configuration_Guide_3.60.pdf
Security Center
Installation and
Installation and
Configuration Guide
Configuration Help
HP Fortify Software
HP_Fortify_Real_Time_Hybrid_Analysis_U
N/A
Security Center Real-Time
ser_Guide_3.60.pdf
Hybrid Analysis User
Guide

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

HP Fortify Static Code Analyzer Requirements

Hardware Requirements
HP Fortify Software recommends that you install HP Fortify Static Code Analyzer (SCA) on a high-end processor
with at least 4 GB of RAM. If your software is particularly complex, you may need more RAM.
Platforms and Architectures
SCA supports the following platforms and architectures:
Operating System
Architectures
Linux
x86: 32-bit or
64-bit (recommended)
Windows

x86: 32-bit or
64-bit (recommended)

Mac OS
Solaris

x86
SPARC
x86
Itanium

HP-UX

Versions
Red Hat ES 4, ES5
Novell SUSE 10, Oracle EL 5.2
2003 SP1, 2008, XP,
Vista Business, Vista Ultimate,
Windows 7
10.6, 10.7
10
10
11.31

Notes:
Audit Workbench, Process Designer, Custom Rules Editor, and Scan Wizard are not supported on HP-UX, and
Oracle Solaris.
SCA has not been tested on all Linux variants, but most distributions are not known to cause issues.
SCA has been supported on other platforms in the past. If the operating system that you require is not in the
table above, please contact HP Fortify support for more information.
Languages
SCA supports the programming languages listed in the following table:
Language
Versions
ABAP/BSP
6
ActionScript/MXML (Flex)
3, 4
ASP.NET, VB.NET, C#
1.1, 2.0, 3.0, 3.5, 4.0
(.NET)
C/C++
See Compilers on page 6.
Classic ASP (with VBScript)
2, 3
COBOL
IBM Enterprise Cobol for z/OS 3.4.1 with IMS, DB2, CICS, MQ
CFML
5, 7, 8
HTML
4 and earlier
Java
1.3, 1.4, 1.5, 1.6, 1.7
JavaScript/AJAX
1.7
JSP
1.2, 2.1
Objective-C
See Compilers on page 6.
PHP
5.0 5.2
PL/SQL
8.1.6
Python
2.6
T-SQL
SQL Server 2005 and 2008
Visual Basic
6
VBScript
2.0, 5.0
XML
1.0
Note: iOS projects compiled using Objective-C require 4.3 or 4.5 of the iOS SDK.
MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

Build Tools
SCA supports the build tools listed in the following table:
Build Tool
Versions
Ant
1.5.x, 1.6.x, 1.7.x, 1.8.x
Maven
2.0.9 to 2.x.x
MSBuild
2, 3.5, 4
Xcodebuild
4.1, 4.2, 4.2.1, 4.3
Compilers
SCA supports the compilers listed in the following table:
Compilers
Operating Systems
Clang 2.9, 3.0
Mac OS
LLVM-GCC 4.2, 4.3
Mac OS
GNU gcc 2.9 4
Linux, HP-UX, Mac OS, Solaris, Windows
GNU g++ 3 4
Linux, HP-UX, Mac OS, Solaris, Windows
Intel icc 8.0
Linux
Microsoft cl 12.x 13.x
Windows
Sun cc / Sun CC 5.9, 5.10, 5.11
Solaris
Sun javac 1.3 1.6
Linux, HP-UX, Mac OS, Solaris, Windows
Integrated Development Environments
SCA supports the following integrated development environments:
Auditing and Scanning Plugins
Remediation Plugins (audit-only)
Eclipse 3.3, 3.4, 3.5, 3.6, 3.7
JDeveloper 10.1.3, 11.1.1
RAD 7, 7.5, 8.0, 8.5; RSA 7, 7.5, 8.0
IntelliJ 10, 11
JBuilder 2008 R2
Microsoft Visual Studio 2010
Microsoft Visual Studio 2003 (scanning only)
Microsoft Visual Studio 2005, 2008, 2010
Note: The HP Fortify Software Security Center Plugin for Eclipse requires JRE 1.5 or greater.
HP Fortify Build Monitor
HP Fortify Build Monitor supports the following Windows platforms and architectures:
Operating System
Architectures
Versions
Windows
x86: 32-bit and 64-bit
2003 SP1, 2008, XP
Windows
x86: 32-bit
2000
Note: Build Monitor is not supported on Windows Vista or later.
Service Integrations
HP Fortify Audit Workbench and Secure Code Plugins (SCP) support the following service integrations:
Service
Applications
Versions
Supported Tools
Bug Creation
Bugzilla
3.0
Audit Workbench,
Visual Studio SCP, Eclipse
SCP
HP Quality Center
9.2, 10.0
Audit Workbench,
Eclipse SCP
Microsoft Team
2005, 2008, 2010
Visual Studio SCP
Foundation Server
Software Security Center
3.60
Audit Workbench,
Bugtracker
Eclipse SCP
Issue Import
AppDetective
6.0
Issue Import
MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

Service

Applications
Versions
Supported Tools
AppScan
7.7, 7.9, 8.0
For compatibility with HP Fortify SSC, HP WebInspect, and HP AMP, see the HP
Fortify 3.60 Compatibility Matrix on page 15.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

Notes:
HP Quality Center integration requires that you install the HPQC Client-Side Add-in software.
Team Foundation Server integration requires that you install the Visual Studio Team Explorer software. When
integrating with TFS 2010, Visual Studio SCP must be installed on a machine running Visual Studio 2010.
Documentation
The documents listed in the following table apply to HP Fortify Static Code Analyzer:
Document Name
PDF
HTML Help
HP Fortify Audit
HP_Fortify_Audit_Workbench_User_Guide_
HP Fortify Audit
Workbench User Guide
3.60.pdf
Workbench User Guide
Help
HP Fortify Eclipse
HP_Fortify_Eclipse_Plugin_Guide_3.60.pdf
HP Fortify Eclipse
Plugin Guide
Plugin Help
HP Fortify JDeveloper
HP_Fortify_JDeveloper_Install_and_Usage_
HP Fortify JDeveloper
Installation and Usage
Guide_3.60.pdf
Help
Guide
HP Fortify Package for
HP_Fortify_Visual_Studio_Install_and_
HP Fortify Visual Studio
Visual Studio
Config_3.60.pdf
Package Help
Installation and
Configuration Guide
HP Fortify Remediation
HP_Fortify_VS_2010_Remediation_3.60.pdf
HP Fortify Visual Studio
Package for Microsoft
2010 Remediation
Visual Studio 2010
Package Help
Installation and Usage
Guide
HP Fortify Remediation
HP_Fortify_IntelliJ_Remediation_3.60.pdf
HP Fortify IntelliJ
Plugin for IntelliJ
Remediation Plugin
Installation and Usage
Help
Guide
HP Fortify Software
HP_Fortify_Process_Designer_User_Guide_3.
N/A
Security Center Process
60.pdf
Designer User Guide
HP Fortify Static Code
HP_Fortify_SCA_Custom_Rules_3.60.pdf
N/A
Analyzer Custom Rules
Guide
HP Fortify Static Code
HP_Fortify_SCA_COBOL_Addendum_3.60.pdf
N/A
Analyzer for COBOL
Addendum
HP Fortify Static Code
HP_Fortify_SCA_Install_and_Config_3.60.pdf
HP Fortify v3.60 SCA
Analyzer Installation
Install & Config Help
and Configuration
Guide
HP Fortify Static Code
HP_Fortify_SCA_User_Guide_3.60.pdf
HP Fortify v3.60 SCA
Analyzer User Guide
User Help
HP Fortify Static Code
HP_Fortify_SCA_Utilities_User_Guide_
N/A
Analyzer Utilities User
3.60.pdf
Guide

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

HP Fortify CloudScan
HP Fortify CloudScan has three major components: CloudScan CLI, CloudScan Controller, and CloudScan Cloud. The
requirements for each component are listed below.

CloudScan CLI
Hardware Requirements
CloudScan CLI will run on any machine that supports HP Fortify Static Code Analyzer. Because CloudScan CLI is
installed on build machines running SCA, hardware requirements will be met.

CloudScan Controller
Hardware Requirements
HP Fortify Software recommends that you install the CloudScan Controller on a high-end processor running at 2
GHz with at least 4 GB of RAM.
Platforms and Architectures
The CloudScan Controller supports the following platforms and architectures:
Operating System
Architectures
Versions
Linux
x86: 32-bit or
Red Hat ES 4, ES5, Novell SUSE 10, Oracle EL 5.2
64-bit (recommended)
Windows
x86: 32-bit or
2003 SP1, 2008, XP
64-bit (recommended)
Vista Business, Vista Ultimate, Windows 7
Disk Space Requirement
To estimate the amount of disk space you will need on the machine running the CloudScan Controller, use the
following equation:
(number of jobs per day) (average size of mobile build session) (number of days data is persisted)
100MB is a conservative estimate for the average size of the mobile build session.
Seven days is the default for the number of days the data is persisted.

CloudScan Cloud
The CloudScan Cloud is created using the Cloudera CDH3u0 release of the Apache Hadoop distribution.
Your Cloudera Hadoop cluster will require at least two machines.
For information on creating your Hadoop network: https://ccp.cloudera.com/display/DOC/Documentation
Notes:
64-bit nodes with 8GB+ RAM are recommended.
The Hadoop slave nodes will require SCA to be installed. The official range of supported platforms for Cloudera
includes Linux distributions not officially supported by SCA. However, there are no known SCA issues on these
additional Linux variants.
The size and resource requirements of HP Fortify jobs running in this cluster are not typical. Leveraging an
existing Hadoop cluster may adversely affect the performance of other jobs running on the system. Create a
separate Cloudera Apache Hadoop cluster to use with CloudScan.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

Documentation
The documents listed in the following table apply to HP Fortify CloudScan:
Document Name
PDF
HP Fortify CloudScan
HP_Fortify_CloudScan_Guide_3.60.pdf
Installation, Configuration,
and Usage Guide

HTML Help
HP Fortify CloudScan Help

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

10

HP Fortify Software Security Center Real-Time Analyzer Requirements

Hardware Requirements
HP Fortify Software recommends that you install HP Fortify Real-Time Analyzer (RTA) on a high-end processor or
equivalent with at least 1 GB of RAM and 545 MB of available hard disk space for the software. The installation also
requires at least 60 MB of available space in the temp directory.
Supported Java Runtime Environments
RTA supports the following Java runtime environments:
JRE Type
Major Versions
IBM J9
1.4.2, 1.5.0, 1.6.0
Oracle HotSpot
1.4.2, 1.5.0, 1.6.0
Oracle JRockit
1.4.2, 1.5.0, 1.6.0
RTA for Java is supported on Windows, Linux, and Solaris.
Supported Application Servers
RTA supports the following application servers:
Application Server
Versions
RedHat JBoss
4.0, 5.0, 5.1, 6.0
Apache Tomcat
Oracle WebLogic
IBM WebSphere

5.0, 5.5, 6.0, 7.0

8.1, 9.0, 9.2, 10.0, 10.3, 11g, 11gR1
6.0, 6.1, 7.0

Supported .NET Runtime Environments

RTA supports the following .NET runtime environments:
Operating System
CLR Architectures
Windows XP
32-bit
Windows Server 2003
32-bit, 64-bit
Windows Server 2008
32-bit, 64-bit
Windows Server 2008 R2
64-bit
Windows 7
32-bit, 64-bit

CLR .NET Versions

2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0

Supported .NET Application Server

RTA supports the following .NET application server:
Application Server
Versions
IIS
5.1, 6, 7, 7.5

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

11

Documentation
The following documentation applies to HP Fortify Real-Time Analyzer:
Document Name
PDF
HP Fortify Real-Time
HP_Fortify_RTA_Operator_Guide_3
Analyzer Operator Guide
.60.pdf
HP Fortify Real-Time
HP_Fortify_RTA_Java_Install_and_
Analyzer: Java Edition
Config_Guide_3.60.pdf
Installation and
Configuration Guide
HP Fortify Real-Time
HP_Fortify_RTA_DOTNET_Install_a
Analyzer: Microsoft .NET
nd_Config_Guide.3.60.pdf
Edition Installation and
Configuration Guide
HP Fortify Real-Time
HP_Fortify_RTA_Java_Designer_Gu
Analyzer: Java Edition
ide_3.60.pdf
Designer Guide
HP Fortify Real-Time
HP_Fortify_RTA_Rulepack_Kit_Gui
Analyzer: Rulepack Kit
de_
Guide
3.60.pdf
HP Fortify Real-Time
HP_Fortify_RTA_Net_Designer_Gui
Analyzer: .NET Edition
de_3.60.pdf
Designer Guide

HTML Help
HP Fortify v3.60 RTA Operator
Guide Help
HP Fortify v3.60 RTA Java
Install & Config Help
HP Fortify v3.60 RTA NET
Install & Config Help
N/A
N/A
N/A

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

12

HP Fortify Software Security Center SecurityScope Requirements

Hardware Requirements
HP Fortify Software recommends that you install HP Fortify SecurityScope on a high-end processor or equivalent
with at least 1 GB of RAM and 545 MB of available hard disk space for the software. The installation also requires at
least 60 MB of available space in the temp directory.
Supported Java Runtime Environments
SecurityScope supports the following Java runtime environments:
JRE Type
Major Versions
IBM J9
1.4.2, 1.5.0, 1.6.0
Oracle HotSpot
1.4.2, 1.5.0, 1.6.0
Oracle JRockit
1.4.2, 1.5.0, 1.6.0
SecurityScope for Java is supported on Windows, Linux, and Solaris.
Supported Application Servers
SecurityScope supports the following application servers:
Application Server
Versions
RedHat JBoss
4.0, 5.0, 5.1, 6.0
Apache Tomcat
5.0, 5.5, 6.0, 7.0
Oracle WebLogic
8.1, 9.0, 9.2, 10.0, 10.3, 11g, 11gR1
IBM WebSphere
6.0, 6.1, 7.0
Supported .NET Runtime Environments
SecurityScope supports the following .NET runtime environments:
Operating System
CLR Architectures
Windows XP
32-bit
Windows Server 2003
32-bit, 64-bit
Windows Server 2008
32-bit, 64-bit
Windows Server 2008 R2
64-bit
Windows 7
32-bit, 64-bit

CLR .NET Versions

2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0
2.0, 3.0, 3.5, 4.0

Supported .NET Application Server

SecurityScope supports the following .NET application server:
Application Server
Versions
IIS
5.1, 6, 7, 7.5

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

13

Documentation
The following documentation applies to HP Fortify SecurityScope:
Document Name
PDF
HP Fortify SecurityScope
HP_Fortify_SecurityScope_User_
User Guide
Guide_3.60.pdf
HP Fortify SecurityScope:
HP_Fortify_SecurityScope_
Microsoft .NET Edition
DOTNET_Install_and_Config_3.6
Installation and
0.pdf
Configuration Guide
HP Fortify SecurityScope:
HP_Fortify_SecurityScope_Java_
Java Edition Installation
Install_and_Config_3.60.pdf
and Configuration Guide
HP Fortify SecurityScope
HP_Fortify_SecurityScope_Taint
Taint Rulepack Guide
_ Rulepack_Guide_3.60.pdf
HP Fortify Software
HP_Fortify_Real_Time_Hybrid_
Security Center Real-Time
Analysis_User_Guide_3.60.pdf
Hybrid Analysis User
Guide

HTML Help
HP Fortify SecurityScope User
Help
HP Fortify SecurityScope .NET
Edition Help
HP Fortify SecurityScope Java
Edition Help
N/A
N/A

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

14

HP Fortify 3.60 Compatibility Matrix

Summary
This section provides compatibility information for HP Fortify Software Security Center and components.
HP Fortify Software Security Center 3.60
HP Fortify Software Security Center works with the following component versions:
Component
Versions
Audit Workbench
2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50,
3.60
Secure Coding Plugin
2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50,
3.60
HP Fortify Client
2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50,
3.60
HP Fortify RTA
2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60
Process Designer
2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60
JDeveloper Plugin
2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60
Visual Studio 2010 Remediation Plugin
3.40, 3.50, 3.60
IntelliJ Remediation Plugin
3.50, 3.60
HP Fortify SecurityScope
3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60
HP WebInspect
8.0, 8.10, 9.00, 9.10, 9.20, 9.30
HP AMP
9.10, 9.20, 9.30
FPR Compatibility
Later versions of HP Fortify products can open and read FPR files generated by earlier versions of HP Fortify
products. For example, Audit Workbench 3.20 can read 2.1 FPR files.
Earlier versions of HP Fortify products cannot open and read FPR files generated by later versions of HP Fortify
products. For example, Audit Workbench 2.1 cannot read 3.20 FPR files.
FPR versions are determined as follows:
The version of an FPR is the same as the version of the analyzer that initially generates it. For example, an FPR
generated by SCA 2.1 will be version 2.1.
If two FPRs are merged, the resulting FPR has the version of the later one. For example, if a 2.1 and a 2.5 FPR are
merged, the resulting FPR will be version 2.5.
Caution:
HP Fortify Software Security Center keeps a project file FPR that contains the latest scan results and audit
information for each project. Audit Workbench and the Secure Coding Plugins also use this project file for
collaborative auditing.
Each time an FPR is uploaded to HP Fortify Software Security Center, it is merged with the project file. If the FPR
has a later version number than the project file, the project files version will change to match the FPR.
In order for Audit Workbench and the Secure Coding Plugins to work with the updated FPR, they must be at least
the same version as the FPR. For example, Audit Workbench 2.0 cannot read a 2.5 FPR.
Seed Bundle
HP Fortify Software Security Center 3.60 supports seed bundle 3.60.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

15

Process Templates
HP Fortify Software Security Center 3.60 supports the following process templates:
Process Templates

2.0, 2.1, 2.5, 2.6, 2.6.1, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, and 3.60
(If you have older versions of Process Templates, you might need to open them
in 3.60 Process Designer first and make appropriate changes before they can be
accepted by HP Fortify Software Security Center 3.60.)

Runtime Configuration Bundle and Template

HP Fortify Software Security Center 3.60 supports Runtime Configuration Bundle and Template 3.60.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

16

Acquiring HP Fortify Software

HP Fortify Software is available on DVD or as an electronic download. You must have a SAID access account
number in order to download HP Fortify Software from the HP Software Support Online site. Table 1 lists the
available packages and describes their contents.
Table 1: Packages
File Name
Software_HP_Fortify_3.60_Eng_SW_Media_T
F302-15060.iso
Software_HP_Fortify_3.60_Eng_SW_Media_T
F302-15060.iso.sig
Software_HP_Fortify_3.60_Linux_Unix_Mac_
TF302-15061.iso
Software_HP_Fortify_3.60_Linux_Unix_Mac_
TF302-15061.iso.sig
HP_Fortify_Scan_Wizard_3.60_Windows_TF
302-15073.zip
HP_Fortify_Scan_Wizard_3.60_Windows_TF
302-15073.zip.sig
HP_Fortify_Scan_Wizard_3.60_MacOSX_TF3
02-15072.tar.gz
HP_Fortify_Scan_Wizard_3.60_MacOSX_TF3
02-15072.tar.gz.sig
HP_Fortify_Scan_Wizard_3.60_Linux_TF30215071.tar.gz
HP_Fortify_Scan_Wizard_3.60_Linux_TF30215071.tar.gz.sig
HP_Fortify_SSC_Demo_Suite_3.60_Windows_
x86_TF302-15077.zip
HP_Fortify_SSC_Demo_Suite_3.60_Windows_
x86_TF302-15077.zip.sig
HP_Fortify_SSC_Demo_Suite_3.60_Windows_
x64_TF302-15076.zip
HP_Fortify_SSC_Demo_Suite_3.60_Windows_
x64_TF302-15076.zip.sig
HP_Fortify_SSC_Demo_Suite_3.60_Unix_TF3
02-15075.tar.gz
HP_Fortify_SSC_Demo_Suite_3.60_Unix_TF3
02-15075.tar.gz.sig
HP_Fortify_SSC_Server_3.60_TF30215078.zip
HP_Fortify_SSC_Server_3.60_TF30215078.zip.sig
HP_Fortify_CloudScan_Controller_3.60_TF3
02-15062.zip

Description
Disc image of the entire Software Security Center product line.
After downloading, you will need to either mount the ISO image
or burn it to a DVD before installation. For Windows operating
systems.
Signature file for the Software Security Center product line ISO
for Windows.
Disc image of the entire Software Security Center product line.
After downloading, you will need to either mount the ISO image
or burn it to a DVD before installation. For Linux, Unix, and
Macintosh operating systems.
Signature File for the Software Security Center product line ISO
for Linux, Unix, and Macintosh operating systems.
HP Fortify Scan Wizard for Windows.
Signature file for HP Fortify Scan Wizard for Windows.
HP Fortify Scan Wizard for Macintosh OSX.
Signature file for HP Fortify Scan Wizard for Macintosh OSX.
HP Fortify Scan Wizard for Linux.
Signature file for HP Fortify Scan Wizard for Linux.
HP Fortify Demo Suite for Windows (x86)
Signature file for HP Fortify Demo Suite for Windows (x86)
HP Fortify Demo Suite for Windows (x64)
Signature file for HP Fortify Demo Suite for Windows (x64)
HP Fortify Demo Suite for Unix
Signature file for HP Fortify Demo Suite for Unix
HP Fortify Software Security Center
Signature file for HP Fortify Software Security Center
HP Fortify CloudScan Controller

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

17

File Name
HP_Fortify_CloudScan_Controller_3.60_TF3
02-15062.zip.sig
HP_Fortify_SecurityScope_3.60_TF30215074.zip
HP_Fortify_SecurityScope_3.60_TF30215074.zip.sig
HP_Fortify_RTA_3.60_TF302-15063.zip
HP_Fortify_RTA_3.60_TF302-15063.zip.sig
HP_Fortify_SCA_and_Apps_3.60_Windows_T
F302-15070.zip

HP_Fortify_SCA_and_Apps_3.60_Windows_T
F302-15070.zip.sig
HP_Fortify_SCA_and_Apps_3.60_Mac_TF30215069.tar.gz

HP_Fortify_SCA_and_Apps_3.60_Mac_TF30215069.tar.gz.sig
HP_Fortify_SCA_and_Apps_3.60_Linux_TF30
2-15068.tar.gz

HP_Fortify_SCA_and_Apps_3.60_Linux_TF30
2-15068.tar.gz.sig

Description
Signature file for HP Fortify CloudScan Controller
HP Fortify SecurityScope
Signature file for HP Fortify SecurityScope
HP Fortify RTA
Signature file for HP Fortify RTA
The HP Fortify SCA and Apps package for Windows includes:
Static Code Analyzer

Audit Workbench
HP Fortify SCA plugin for Eclipse
HP Fortify SCA plugin for Visual Studio 2003
HP Fortify SCA plugin for Visual Studio 2005
HP Fortify SCA plugin for Visual Studio 2008
HP Fortify SCA plugin for Visual Studio 2010
HP Fortify SCA plugin for Visual Studio 2010
Remediation
Note: The plugins for IntelliJ and Jdeveloper are available only on
DVD and as part of the ISO.
Signature files for the HP Fortify SCA and Apps package for
Windows
The HP Fortify SCA and Apps package for Macintosh includes:
Static Code Analyzer
Audit Workbench
HP Fortify SCA plugin for Eclipse
HP Fortify SCA plugin for Visual Studio 2003
HP Fortify SCA plugin for Visual Studio 2005
HP Fortify SCA plugin for Visual Studio 2008
HP Fortify SCA plugin for Visual Studio 2010
HP Fortify SCA plugin for Visual Studio 2010
Remediation
Note: The plugins for IntelliJ and Jdeveloper are available only on
DVD and as part of the ISO.
Signature file for the HP Fortify SCA and Apps package for
Macintosh
The HP Fortify SCA and Apps package for Linux includes:
Static Code Analyzer
Audit Workbench
HP Fortify SCA plugin for Eclipse
HP Fortify SCA plugin for Visual Studio 2003
HP Fortify SCA plugin for Visual Studio 2005
HP Fortify SCA plugin for Visual Studio 2008
HP Fortify SCA plugin for Visual Studio 2010
HP Fortify SCA plugin for Visual Studio 2010
Remediation
Note: The plugins for IntelliJ and Jdeveloper are available only on
DVD and as part of the ISO.
Signature file for the HP Fortify SCA and Apps package for Linux

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

18

File Name
HP_Fortify_SCA_3.60_HPUX_TF30215066.tar.gz
HP_Fortify_SCA_3.60_HPUX_TF30215066.tar.gz.sig
HP_Fortify_SCA_3.60_Solaris_TF30215067.tar.gz
HP_Fortify_SCA_3.60_Solaris_TF30215067.tar.gz.sig

Description
HP Fortify SCA for HPUX
Signature file for HP Fortify SCA for HPUX
HP Fortify SCA for Solaris
Signature file for HP Fortify SCA for Solaris

Downloading the Software

To download HP Fortify Software from the HP Software Support Online site:
1.
2.
3.

Navigate to https://support.openview.hp.com.
Click the Downloads tab to enter the software downloads section.
Click the Login button and sign in using your HP Passport credentials.
Note: If you dont have an HP Passport, click the >>New users please register link.
The Downloads screen appears.

4.

Click the Software Updates link.

The Software updates screen appears.

5.

Click My Updates.
The My software updates screen appears.
If you dont have SAID access for HP Fortify products associated with your HP Passport, you will
need to select the Directly enter an SAID: radio button and type in your HP Fortify SAID account
number.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

19

6.

Select the terms and conditions check box and click the View available products button.
The My software updates product list page appears.

7.

Expand the Application Security Center product node.

The list of product names that fall under the Application Security Center category are revealed.

8.

From the Product name box select the desired version of the HP Fortify English Software EMedia software. For information on the available packages, see Table 1: Packages on page 17.

9.

From the Downloads box, select the package you want to download.

10. Click the Download Directly>> or Use HP Download Manager>> button.

Note: If your organization requires that you verify the download, you will also need to download
the like-named signature file. For example, if you download the
HP_Fortify_3.60_Eng_SW_Media_TF302-15039.iso file, you will also need to download the
associated signature file, HP_Fortify_3.60_Eng_SW_Media_TF302-15039.iso.sig. In rare cases,
the signature file you download will have the wrong extension (either .zip or .gz). If this occurs,
change the final extension to .sig.
Verifying Software Downloads
The following instructions walk you through the process of verifying the HP Fortify package you acquired from the
Downloads section of the HP Software Support Online site (http://support.openview.hp.com). Successful verification
ensures that the package has not been altered since it was signed by HP and posted to the site. Before proceeding with
the verification process, download the HP Fortify product files and their associated signature (*.sig) files. This process
is not required for use of the software, but may be required by your organization for security reasons.
Preparing Your System for Electronic Media Verification
1.
2.

Download and install version 1.4.x or 2.0.x of GnuPG: http://www.gnupg.org/download/.

Generate a private key:
$ gpg --gen-key
NOTE: Issue the command without '$' prompt on Windows.
When prompted for key type, select DSA and Elgamal.
When prompted for a key size, select 2048.
When prompted for the length of time the key should be valid, select key does not expire.
Answer the user identification questions and provide a passphrase to protect your private
key.
3. Create an HP public key file:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCodeSigning&ju
mpid=reg_r1002_usen
Follow the instructions on the linked page to create an HP public key file. Per the instructions, name the key file
hpPublicKey.pub.
4.

Import the HP public key into GnuPG.

a. Move the hpPublicKey.pub file to the GNU installation directory.
b. Navigate to the GNU installation directory.
c. Run gpg --import hpPublicKey.pub

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

20

Verify that the Signature File Matches the Downloaded Software Package
1.

Navigate to the directory where you stored the downloaded package and signature file.
On Windows machines, issue the following command:
gpg --verify <Signature_File_Name> <Downloaded_File_Name>
On Unix/Linux:
gpg -verify <Signature_File_Name> <Downloaded_File_Name>

2.

Examine the output to insure you receive verification that the software you downloaded has been signed
by HP and has not been altered. Your output should include something like the following:
c: .sig HP.Fortify_3 .SEng_SW.Media_TF302-15039.iso
\Users\username\<downloadDirectory>gpg --uerif HPFortify_3
.5Eng_SWJ1edia_TF3O2-15039.iso
gpg: Signature made 04/18/12 15:05:36 Pacific Daylight Time using DSA key
ID 2689BB87
gpg: Good signature from Hewlett-Packard Company(HP Codesigning Service)
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB41 0E68 CEDF 95D0 6681 1E95 527B CS3A 2689 B887

Note: The warning message occurs because the HP public key is not known to the system. You can ignore this warning
or set up your environment to identify the HP public key as a trusted signature.
For more information on downloading, verifying, and installing HP Fortify Software, please see "Acquiring HP Fortify
Software" on page 17.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

21

The ISO Download

If you choose to download an ISO file of the entire suite, you will need to either burn the ISO to a DVD or mount the
ISO file prior to installing the software.
To Burn the ISO File to a DVD:
Windows
Windows 7 natively supports
burning an ISO to a DVD.
1.
2.
3.
4.

Put a writable DVD disc

in your writable DVD
drive.
Navigate to the ISO file
that you downloaded.
Right-click the file name.
Select Burn disc image
from the menu.

Unix/Linux
The following instructions are
general command line instructions;
your distro might require alterations
to these steps.
1.
2.
3.

The Windows Disc Image Burner

window appears
5.
6.
7.

Select your system's

writable DVD drive.
(optional) Check the
Verify disc after
burning box.
Click the Burn button.

4.

Put a writable DVD disc in your

writable DVD drive.
To find the path to your disc
drive, type: wodim
devices and press Enter.
Burn the ISO file to disc by
typing: wodim
dev=/dev/cdrw v data
<downloaded_ISO_file>.
iso, replacing /dev/cdrw
with the path to your disc
drive.
Press Enter.

MacOSX
1. Insert a blank DVD into
the drive.
2. Run Disk Utility.
3. From the File menu,
choose Open Disk Image
and select the ISO to be
burned.
4. Select the item
representing the ISO file
from the list of volumes.
5. Click the Burn button and
follow the instructions.

Note: You can also burn an ISO file

using software included with a GUI
shell.

Note: Windows versions prior to

Windows 7 do not natively
support burning an ISO file to a
DVD. You will need to acquire
software that supports burning
an ISO to disc.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

22

To Mount the ISO File:

Windows
If you choose not to
burn the ISO image to a
disc, you can mount
the ISO on your hard
drive and run the
installation from there.
Windows does not
include native support
for mounting ISO files.
You will need to use a
third-party application
if you choose to mount
the ISO file to a
directory in Windows
rather than burning it
to disc.

Linux / Unix
The following instructions are general
command-line instructions; your distribution
might require alterations to these steps.
1.
2.
3.
4.
5.
6.

Open a terminal in Linux.

Become root or an administrator user.
Create a mount point for the ISO file:
mkdir/media/<folder_name_for_mount
_point>
Navigate to the directory you just
created.
Type: mount o loop file.iso
/media/<folder_name_for_mount_point
>
Type Enter.

MacOSX
1. Run Disk Utility.
2. Select Open Image File from
the Disk Utility menu.
3. Select the HP Fortify ISO file.
The ISO should appear on the Mac
OS desktop.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

23

HP Fortify Assistive Technologies (Section 508)

In accordance with section 508 of the Rehabilitation Act, HP Fortify Software Security Center and HP Fortify Audit
Workbench have been engineered to work with the JAWS screen reading software package from Freedom
Scientific. JAWS provides text-to-speech support for use by the visually impaired. With JAWS, labels, text boxes, and
other textual components can be read aloud, providing greater access to these technologies.
Using JAWS with HP Fortify Products
When using JAWS to generate text-to-speech translations of the text in Audit Workbench or Software Security
Center's graphical user interface, there are a number of keyboard combinations that will help you get the most out
of the interaction. The following table provides a list of useful keyboard commands.
Note: For best results, run JAWS before launching your browser and logging on to your HP Fortify program.
JAWS Keyboard Combinations
The following table lists keyboard combinations that will help you use JAWS with HP Fortify products. For more
information on using JAWS, consult the JAWS documentation.
To do this
Use this keyboard combination
To read values in combo boxes.
Press Ctrl + down arrow key to turn on Form
mode, or press Enter.
Tab through multi-line text boxes.
Press Ctrl + Tab to move from one multiline text
box to another.
Read multi-line labels.
Press Insert + down arrow to read all lines in
label.
Read disabled items (grayed-out).
Press Insert + B or Insert + down arrow.
Read disabled check boxes.
Press ESC to leave Forms mode and enter Virtual
Cursor mode.
Enable table headings to be read.
1. Press Insert + F2.
The Run JAWS Manager dialog box appears.
2. Click the OK button.
Switch between pods or panels.
1. Hold down CTRL + F7 while you select the
new pane
2. Release CTRL + F7
Return focus to the application (JAWS is reading
Press CTRL + R to refresh the display. By
the web browser application rather than the
refreshing the display, your session will be
content of the browser).
aborted and any data you have typed into the
page will be lost.
For more information or assistance, please visit HP Accessibility at: http://www.hp.com/accessibility.

MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA94089 USA P 650.735.2215

24