About OpenText SAST Application Security Content
OpenText Application Security Software products use a knowledge base of rules to enforce secure coding standards applicable to the codebase for analysis. OpenText SAST Application Security Content consists of OpenText Secure Coding Rulepacks and external metadata:
- Rulepacks describe general secure coding idioms for popular languages and public APIs.
You can write custom rules that add to the functionality of OpenText SAST and the OpenText Secure Coding Rulepacks. For example, you might need to enforce proprietary security guidelines or analyze an application that uses third-party libraries or other pre-compiled binaries that are not already covered by the OpenText Secure Coding Rulepacks. For instructions on how to write custom rules, see the OpenText™ Static Application Security Testing Custom Rules Guide.
For information on how to manage OpenText Secure Coding Rulepacks, see:
- External metadata provides mappings from the OpenText Application Security Software vulnerability categories to alternative categories (such as CWE, OWASP Top 10, and PCI).
OpenText recommends that you not modify the external metadata file. If you do, your changes are overwritten whenever you update your Rulepacks with quarterly releases. You can, however, create a custom external metadata XML file in which you can create new, and extend existing, mappings. You can map Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations. This custom file is left undisturbed when you update your OpenText SAST Application Security Content. For instructions on how to create your own custom rules or custom external metadata, see the OpenText™ Static Application Security Testing Custom Rules Guide.
The provided external metadata mappings file is located in the <ssc_deploy_dir>/WEB-INF/Core/config/ExternalMetadata/ directory. For information on how to manage your external metadata, see:
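The following is an added illustration of the overlay behaviour described above (a separate custom mapping file that extends the vendor mappings and survives a Rulepack update). It is not OpenText or Fortify code, and the `<mappings>`/`<taxonomy>`/`<map>` XML layout is a constructed, simplified stand-in rather than the real Fortify external metadata schema; the Fortify category names and CWE identifiers used in the sample data are real, the `ACME-AppSec-Standard` taxonomy is a made-up internal standard.

```python
"""Vendor + custom external-metadata overlay (illustrative example).

Added example, not OpenText/Fortify code. The XML layout below is a
constructed, simplified stand-in, NOT the real Fortify external metadata
schema (see the Custom Rules Guide for the supported format).
"""
import xml.etree.ElementTree as ET

# Constructed vendor file (the one that is overwritten on each Rulepack update).
VENDOR_XML = """<mappings>
  <taxonomy name="CWE">
    <map category="SQL Injection" external="CWE-89"/>
    <map category="Cross-Site Scripting: Reflected" external="CWE-79"/>
    <map category="Path Manipulation" external="CWE-73"/>
  </taxonomy>
</mappings>"""

# Constructed vendor file after a quarterly update: one new CWE entry added.
UPDATED_VENDOR_XML = """<mappings>
  <taxonomy name="CWE">
    <map category="SQL Injection" external="CWE-89"/>
    <map category="Cross-Site Scripting: Reflected" external="CWE-79"/>
    <map category="Path Manipulation" external="CWE-73"/>
    <map category="Command Injection" external="CWE-78"/>
  </taxonomy>
</mappings>"""

# Constructed custom file, kept separately so updates do not touch it:
# extends the CWE list and adds a hypothetical internal taxonomy.
CUSTOM_XML = """<mappings>
  <taxonomy name="CWE">
    <map category="Password Management: Hardcoded Password" external="CWE-259"/>
  </taxonomy>
  <taxonomy name="ACME-AppSec-Standard">
    <map category="SQL Injection" external="ACME-DB-01"/>
    <map category="Password Management: Hardcoded Password" external="ACME-SEC-07"/>
  </taxonomy>
</mappings>"""


def parse_mappings(xml_text):
    """Return {taxonomy_name: {fortify_category: external_id}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for tax in root.findall("taxonomy"):
        entries = result.setdefault(tax.get("name"), {})
        for m in tax.findall("map"):
            entries[m.get("category")] = m.get("external")
    return result


def merge(vendor, custom):
    """Overlay custom mappings on the vendor ones; custom wins on conflict."""
    merged = {name: dict(cats) for name, cats in vendor.items()}
    for name, cats in custom.items():
        merged.setdefault(name, {}).update(cats)
    return merged


def apply_vendor_update(new_vendor_xml, custom_xml):
    """Rebuild the effective mapping after the vendor file is replaced.

    Only the vendor text changes; the custom file is re-read untouched, which
    is why custom mappings survive while edits made in the vendor file would not.
    """
    return merge(parse_mappings(new_vendor_xml), parse_mappings(custom_xml))


def lookup(merged, taxonomy, category):
    """External id for a Fortify category in a taxonomy, or None."""
    return merged.get(taxonomy, {}).get(category)


def unmapped(merged, taxonomy, categories):
    """Categories seen in a scan that have no entry in the taxonomy.

    Useful as a coverage check before relying on the taxonomy in reports.
    """
    known = merged.get(taxonomy, {})
    return sorted(c for c in set(categories) if c not in known)


if __name__ == "__main__":
    effective = apply_vendor_update(UPDATED_VENDOR_XML, CUSTOM_XML)
    for tax, cats in effective.items():
        for cat, ext in sorted(cats.items()):
            print(f"{tax:22} {cat:45} -> {ext}")
    scan_categories = ["SQL Injection", "Path Manipulation", "Command Injection"]
    print("no ACME mapping:", unmapped(effective, "ACME-AppSec-Standard", scan_categories))
```

The `unmapped` check is the part worth keeping in a real pipeline: a category that a scan reports but that no taxonomy entry covers will silently drop out of compliance-oriented reports, so running such a check after each quarterly Rulepack update tells you which new categories the custom file still needs to map.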
It is important that you work with the newest OpenText Secure Coding Rulepacks available. OpenText recommends that you periodically update your OpenText SAST Application Security Content.