
HP_Fortify_Runtime_Performance_Tuning_Guide_4.21


HP Fortify Runtime Software Version 4.21

Performance Tuning Guide

Software Release Date: October 2014

Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. A valid license from HP is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2014 Hewlett-Packard Development Company, L.P.

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number, which indicates the software version

• Document Release Date, which changes each time the document is updated

• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.wendangku.net/doc/cf14805150.html,/selfsolve/manuals

This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: https://www.wendangku.net/doc/cf14805150.html,/passport-registration.html

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-142-2014-10-421-01

Contents

Preface
    Contacting HP Fortify
        Technical Support
        Corporate Headquarters
        Website
    About the HP Fortify Software Security Center Documentation Set
    Change Log

Chapter 1: Introduction to this Guide
    Intended Audience
    Related Documents

Chapter 2: HP Fortify Runtime Performance Tuning
    Overview
    Introduction to Event Dispatching
    Disabling Monitors that Generate Too Many Events
    Enabling the Diagnostic Log
    Runtime Application Protection (RTAP) Specific Tuning
    Runtime Application Logging (RTAL) Specific Tuning

Preface

This guide provides some recommended practices when deploying HP Fortify Runtime.

Contacting HP Fortify

If you have questions or comments about any part of this guide, contact HP Fortify using the information provided in the following sections.

Technical Support

650.735.2215

fortifytechsupport@https://www.wendangku.net/doc/cf14805150.html,

Corporate Headquarters

Moffett Towers

1140 Enterprise Way

Sunnyvale, CA 94089

650.358.5600

contact@https://www.wendangku.net/doc/cf14805150.html,

Website

https://www.wendangku.net/doc/cf14805150.html,

About the HP Fortify Software Security Center Documentation Set

The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following sources:

• You can access all documents in PDF file format on the HP ESP user community Protect724 website (https://https://www.wendangku.net/doc/cf14805150.html,/welcome). You will need to register for an account.

• You can access all documents in PDF file format, and installation guides and user guides in HTML format, on the HP Software Product Manuals site (https://www.wendangku.net/doc/cf14805150.html,/selfsolve/manuals). To register, go to https://www.wendangku.net/doc/cf14805150.html,/passport-registration.html.

Change Log

The following table tracks changes made to the HP Fortify: Runtime Performance Tuning Guide.

Chapter 1: Introduction to this Guide

This document recommends ways to address performance bottlenecks you may encounter in HP Fortify Runtime. It is meant to supplement, not replace, the HP Fortify Runtime Installation and Configuration guides.

Intended Audience

The audience for this guide is someone who is familiar with HP Fortify Runtime. It assumes you are able to correctly install and run HP Fortify Runtime.

Related Documents

HP Fortify Runtime: Java Edition Installation and Configuration Guide

This document provides system and database administrators with complete instructions on how to install and configure HP Fortify Runtime for the Java platform.

HP Fortify Runtime: .NET Edition Installation and Configuration Guide

This document provides system and database administrators with complete instructions on how to install and configure HP Fortify Runtime for the .NET platform.

HP Fortify Runtime: .NET Edition Designer Guide

This document provides content to aid in the configuration and customization of Runtime for a given application that operates on a .NET platform. The audience for this guide may be a Runtime Solution Designer who often creates Event Handlers and chooses values for settings, sometimes writes rules, and occasionally creates a Monitor. The Runtime Solution Designer must understand both software and security.

HP Fortify RTAP Rulepack Guide

This document describes the detection capabilities of RTAP and the HP Fortify RTAP Rulepacks. Specifically, each category of attack, vulnerability, or audit Event detected by RTAP is described in this document.

HP Fortify Demonstration Suite Installation and Usage Guide for HP Fortify Software Security Center

This document combines information and procedures used both to install and to run the HP Fortify Software Security Center Demonstration Suite on Java and .NET platforms. It provides the instructions for performing simulated attacks against both Java and .NET demonstration applications and also presents the outcomes of these simulated attacks. The outcomes presented indicate what happens when you are protected by RTAP and when you are not.

HP Fortify Runtime Configuration Editor Technical Note

This document provides content that describes the usage of the Runtime Configuration Editor. The Runtime Configuration Editor is a GUI editor that enables you to modify configuration settings for the Runtime Platform whether you are running in standalone or federated mode.

HP Fortify Runtime Diagnostic Tool Technical Note

This document provides content that describes the usage of the Runtime Diagnostic Tool. The Runtime Diagnostic Tool is a command line tool that surveys and validates that an application host system meets minimum Runtime requirements and dependencies for fully functioning installation and usage. It is used as a pre-install checker and as a tool that gathers and checks important diagnostic information such as unsupported environments and manual configuration changes.

HP Fortify Software Security Center Installation and Configuration Guide

This document provides system and database administrators with complete instructions on how to install and configure Software Security Center server software.

HP Fortify Software Security Center User Guide

Software Security Center provides security team leads with a high-level overview of the history and current status of a project. It helps your security and development teams work together to resolve security flaws quickly and accurately by making correlated data from HP Fortify Static Code Analyzer (SCA), HP WebInspect, and HP Fortify Runtime Application Protection available through its online collaboration environment. This document is intended for use by enterprise security leads, development team managers, and developers.

HP Fortify Software Security Center System Requirements

This document provides system and database administrators with the minimum and recommended requirements for installing and using Software Security Center server software.

Chapter 2: HP Fortify Runtime Performance Tuning

Overview

Specific recommendations are given for the following HP Fortify Runtime solutions at the end of this document.

• Runtime Application Protection (RTAP)

• Runtime Application Logging (RTAL), the default HP Fortify Runtime installation that comes with HP ArcSight Application View

Introduction to Event Dispatching

The following figure shows the relationship of HP Fortify Runtime components and illustrates an operational overview for HP Fortify Runtime Event dispatching.

Figure 1: Overview of Runtime Components

1. When the target program executes a monitored Program Point (a method), the predefined Monitor (5) is invoked.

2. If the Monitor (5) finds what it is looking for, it creates an Event (6).

3. The Event (6) is then passed to the Event Handler Chain (7) as configured in rt_config.xml.

4. When an Event Handler matches, it can dispatch the Event to a log file (8, 9) or to a network service (8, 9).

Therefore, any of the following can cause performance issues:

• A Program Point has been executed too many times. The monitor must perform a non-trivial task even if no Event is generated.

• Too many Events have been generated. Event generation requires some thread synchronization and data copying, and consumes CPU cycles even if the Event is dropped immediately after being created.

• With the exception of EventFilters, Event Handler Chain operations usually involve only simple string comparisons and should not be performance sensitive.

• Writing Events to event.log and syslog is handled by a daemon thread. However, other actions may consume CPU cycles of the application thread.

Disabling Monitors that Generate Too Many Events

Dropping an unwanted Event is not the best way to improve performance because HP Fortify Runtime must still monitor the Program Point, generate the Event, and go through the Event Handler Chain.

The best way to ignore unwanted Events is to disable the corresponding rule. This is done by adding the block shown below to your rt_config.xml under the section.

If you just want to disable a particular rule (for example, a particular type of SQL Injection), you can disable it by rule ID or monitor ID as shown in the following figure.

Notes:

• Each category usually consists of one or more rules, and each rule may consist of one or more monitors.

• The XML tag is called DisableRules, but for , only the matched monitor is disabled.

Enabling the Diagnostic Log

The diagnostic log is a powerful tool that enables you to easily and quickly locate the performance bottlenecks in HP Fortify Runtime. When it is enabled, HP Fortify Runtime dumps monitor counters and timers to the diagnostic log. To enable the diagnostic log, set Diagnostics_Enabled to true in rt_config.xml under the section. Optionally, you may set Diagnostics_LogFile to direct the diagnostic log to another file location. The default diagnostic log file path is ${FortifyHome}/log/diagnostic.log.

Note: For .NET, there is one log per website process: diagnostic1.log, diagnostic2.log, and so forth.

A typical diagnostic log looks as follows.

The HP Fortify Runtime platform dumps the timers and counters to diagnostic.log every 10 seconds, so usually only the last output block matters. Most items are self-explanatory: Monitors are in the format Monitor.; the other items are platform-internal Events. Timer values are in seconds, and counters give the number of executions regardless of whether an Event was generated.

A utility program is provided which can add extra monitor descriptions right next to the monitor IDs. To use this utility, simply run the following command.

A typical output of DiagnosticLogMarker is as follows.

By using the diagnostic log, you can discover which monitor(s) used most of the CPU time or executed too many times. You may then disable the corresponding monitor and re-run the performance test.

Notes:

• The first two items in the Timers section, ClassTransformer and ConfigLoader, are startup Events and only affect the startup time.

• The third item in the Timers section, LogDispatcher, is the time used to write Events to event.log. This is done in a daemon thread.
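The triage the section above describes (take the last 10-second dump, ignore the ClassTransformer, ConfigLoader and LogDispatcher timers, and rank the Monitor.* entries by CPU seconds and execution count) as an added Python example; this is not code from the guide or the HP Fortify product. The log text and its "name=value" layout are constructed for the example, since the guide does not reproduce a real diagnostic.log; adapt the two regular expressions to the layout your installation writes.

```python
import re

# Constructed sample: two 10-second dump blocks in an ASSUMED layout.
# The real diagnostic.log layout is not shown in the guide.
SAMPLE_LOG = """\
=== Timers ===
ClassTransformer=2.310
ConfigLoader=0.420
LogDispatcher=0.050
Monitor.SQLI_1=0.100
Monitor.RAND_1=0.200
=== Counters ===
Monitor.SQLI_1=1000
Monitor.RAND_1=5000
=== Timers ===
ClassTransformer=2.310
ConfigLoader=0.420
LogDispatcher=0.900
Monitor.SQLI_1=1.500
Monitor.RAND_1=12.800
=== Counters ===
Monitor.SQLI_1=20000
Monitor.RAND_1=900000
"""

def parse_blocks(text):
    """Split the log into dump blocks: [{"Timers": {...}, "Counters": {...}}, ...]."""
    blocks, section = [], None
    for line in text.splitlines():
        header = re.match(r"=== (Timers|Counters) ===", line)
        if header:
            section = header.group(1)
            if section == "Timers":   # a Timers header opens a new 10-second dump
                blocks.append({"Timers": {}, "Counters": {}})
            continue
        entry = re.match(r"([\w.]+)=([\d.]+)", line)
        if section and entry and blocks:
            blocks[-1][section][entry.group(1)] = float(entry.group(2))
    return blocks

def top_monitors(text, n=3):
    """Rank Monitor.* entries of the LAST block as (name, seconds, executions).

    ClassTransformer/ConfigLoader (startup) and LogDispatcher (daemon thread)
    are skipped because they do not indicate an expensive Program Point.
    """
    last = parse_blocks(text)[-1]
    rows = [(name, secs, int(last["Counters"].get(name, 0)))
            for name, secs in last["Timers"].items() if name.startswith("Monitor.")]
    rows.sort(key=lambda r: (-r[1], -r[2]))   # most CPU seconds first, then most calls
    return rows[:n]
```

A monitor with a high count but low seconds is a hot Program Point; one with high seconds per execution is an expensive monitor. Either is a candidate for DisableRules as described earlier.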

Runtime Application Protection (RTAP) Specific Tuning

The following categories may cause performance issues in some applications. Disable the rule(s) if they cause performance issues in your application.

• Insecure Randomness - By default, rules transform insecure random numbers into secure random numbers. Although the operation does not require a great number of CPU cycles, transforming too many insecure random numbers will cause a significant degradation in performance.

• Method Call Failure - It has been reported that some MySQL driver versions throw a SQLException on almost every transaction. This rule is an informational rule. It is safe to disable this rule, if necessary.

If you are sure your application does not need to handle a credit card number or a social security number, disabling the following two categories helps boost overall performance.

• Privacy Violation: Credit Card Number

• Privacy Violation: Social Security Number

Runtime Application Logging (RTAL) Specific Tuning

For Unified Logging, setting a log level to DEBUG or equivalent generates a large number of Events. The default level is WARN. Setting the log level lower than INFO is not recommended.

File Read/Write/Delete/Create tracing can generate many Events. While the configuration parameter FileTraceExclusion supports the %{ContextPath} syntax, excluding by absolute path is faster and is recommended.
