Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can use our products and services to better secure their applications. For more information, visit

3 things you can do today to improve the security of your web or mobile application


Have you been thinking about taking steps to make sure your company isn't the next security breach headline? All the major software companies agree: it is better to do anything at all than to do nothing. In other words, just get started. Take a look at the new book on threat modeling by Adam Shostack, Microsoft's threat modeling expert, whose title for Chapter 1 commands: "Dive Right in and Threat Model." But you don't even have to open the book to get ideas on where to start. On the back cover of the book he lists 7 bullet items which summarize the contents. Bullet #1:

  • “Find and fix security issues before they hurt you or your customers.”

So where do you start? Think it will take months to change how your organization develops software? Here are 3 simple things you can do today to get started:


1. Talk to your developers.

Or better yet, take a developer to lunch. Developers are the ones who write the code, so why not start there? Whether you have a code assurance program in place or are just now becoming aware of the value of reviewing and testing code, the developers are the ones who can be either your best friend or your worst enemy. (See the blog post "Don't Play the AppSec Blame Game: Positive Interactions Between the Security and Development Teams.")


2. Start Threat Modeling.

Your organization should set its own standard. This doesn't have to be as hard as it sounds. If you don't want to create a threat model from scratch, you can adopt an existing one. You can find many such models on the web; a few common ones are listed on the OWASP Threat Risk Modeling page.


3. Identify the top critical vulnerabilities in your software.

Often the most critical vulnerabilities are the easiest to find and the simplest to fix. This can be as easy as having a peer review your code. Or you can submit it to HP's Fortify on Demand and have your entire application reviewed for you. HP's new website Pronq allows you to try the software that helps you get stuff done - right here, right now. Just go to , go to the Fortify on Demand tab, and click on the [Try Me] button.


  1. Talk to your developers
  2. Start Threat Modeling
  3. Identify the top vulnerabilities in your web and mobile applications with Fortify on Demand.

Try it for free at 
