OpenText Application Security Content

OpenText SAST performs static analysis using a knowledge base of rules that enforce the secure coding standards applicable to the codebase under analysis. Application Security content consists of OpenText Secure Coding Rulepacks and external metadata:

  • OpenText Secure Coding Rulepacks describe general secure coding idioms for popular languages and public APIs
  • External metadata includes mappings from the Fortify vulnerability categories to alternative categories (such as CWE, OWASP Top 10, and PCI)

OpenText provides the ability to write custom rules that add to the functionality of OpenText SAST and the OpenText Secure Coding Rulepacks. For example, you might need to enforce proprietary security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries that are not already covered by the OpenText Secure Coding Rulepacks. You can also customize the external metadata to map Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations. For instructions on how to create your own custom rules or custom external metadata, see the OpenText™ Static Application Security Testing Custom Rules Guide.

If you are using collaborative auditing with Application Security, make sure that any custom rules or external metadata changes are also made in Application Security.

Typically, you obtain the current Application Security content when you install OpenText SAST. For information about updating Application Security content, see Updating Security Content.