Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organization secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

Curiosity and the "hacking" mindset



I have always been curious. Too curious sometimes.


Curiosity drives me. I was in school to learn how to develop software, but found taking it apart much more interesting.

Thoughts from “Blackhat” the movie

or ‘How I stopped worrying and started to love the SCADA bomb’

I recently saw “Blackhat”, and part of the plot made me wonder if certain parts of the vulnerability world had changed much.

Owning SQLi vulnerability with SQLmap

Injection flaws, often found in legacy code, is the #1 security risk on the OWASP Top 10. SQLi (or SQL Injection) is an injection flaw attack method defined as "insertion or "injection" of a SQL query via the input data from the client to the application".


This blog aims to give you the nuts & bolts on using SQLmap and learn basic techniques to properly evaluate SQLi injections and understand some SQL attack methods.


Posted on behalf of Medz Barao, Fortify on Demand Security Team.

Integrated security: Next-Generation secure web application development

hp secure.jpgWhat does the future look like for web application security defense? While there have been many advancements in web application firewalls (WAF), a WAF cannot fully understand the functionality and implication of each and every custom web application. 


How would the web application security landscape change if we could build security enhancements that fully understood your custom web application?

Application Security and Client-initiated Renegotiation

How this hack from the past is still alive and well and why performing server checks are still a required area of concern when performing a dynamic application assessment.

Labels: Fortify

Burp tips & tricks

When searching for an integrated platform for security testing, Burp Suite has always been one of the favorite tools of application security testers. For good reasons! It’s easy to use, it’s not platform dependent and, in the right hands, it can do wonders. It’s definitely a great value for the money.


This post is on behalf of Jayson Vallente from our Dynamic testing team.

POODLE strikes back--this time affecting TLS security protocol

The POODLE vulnerability is back in the news, but now it’s affecting the TLS security protocol. Security researchers have now discovered that the issue also affects some implementations of TLS in products that don’t properly check the structure of the “padding” used in TLS packets.

Labels: Fortify

Poor Mobile Auth

M5.pngMany mobile applications suffer from weak authentication and authorization schemes. In fact, Poor Mobile Authorization and Authentication is #5 on the OWASP list of Top 10 Mobile Risks. Some common mobile auth flaws include weak password rules (i.e. 4 digit pins), exploitable remember-me functionality, and broken authorization controls. These weaknesses could lead to sensitive information disclosure as well as other severe implications.

Labels: Fortify

Top 5 Application Security Posts of 2014

Top5.jpegIn case you missed them or want to revisit these posts, we decided to call out our top blogs of 2104.

Tokenization - The future of e-commerce transaction security

Credit cards are one of the most common forms of payment for e-commerce.  Consumers are still inputting their name, date of birth, and chain of numbers from their credit card to complete a transaction.  This is not only inconvenient, but also not very secure.  Credit card transactions over the internet expose sensitive cardholder information both in the communication and storage of the data.  Thanks to the adoption of the EMV standard POS (point of sale) credit card transaction security has been improved but what can be done to improve security of e-commerce credit card transactions?

Fortify on Demand Year in Review 2014

As we close out 2014, I’d like to reflect on the great progress the Fortify on Demand team has made throughout the year.

Labels: Fortify

Do you know where your mobile application’s data is going?

Mobility_RGB_blue_NT.pngAt Fortify on Demand, we frequently test mobile applications that communicate with many web-endpoints, including some surprising sites. Developers often implement some type of functionality that unknowingly sends data to third-party web backends. This is frequently seen in advertising and analytic frameworks. Do you know where you mobile application’s data is going?

Application Security Testing – A journey from XSS to System Shell


Is it possible to go from a Cross-Site Scripting (XSS) flaw to obtain a system shell? During a web application security test earlier this year, I noticed an XSS flaw that allowed me to do just that. So how do we go from XSS to server access? Read on to find out!



When to Get a Penetration Test vs. A Vulnerability Assessment

Nmap_logo.pngMany organizations are eager to start their security efforts with penetration testing. This is understandable given that penetration testing sounds cool and is easy to sell.


The problem is that in the vast majority of cases, organizations will largely be wasting their money on a penetration test when compared to other available security assessment offerings.


In this short piece, we'll take a look at some of the security offerings that are commonly available with the hopes of helping you pick the best option…

Application Security training on-the-cheap

2014-12-15_14-02-56.pngThere's no denying that having an appsec savvy crew of IT professionals on hand, even if they are not dedicated to security, can mitigate costs. It speeds up remediation times, improves communication with your devs/consultants, and generally provides better peace of mind. Join us in the article below outlining our favorite free training resources to get your IT staff up to speed in appsec!

Network Infiltration – Part 2: Bypassing Fingerprint Biometrics

fingerprintLast time, we got inside our target network via a rogue wireless access point that we were able to exploit because of its weak security implementation.


This time, we’re going to try and escalate what we can do inside the network.

SAP and HP Fortify team up to bring application security solutions to SAP customers

Today we’re able to announce an exciting new partnership between HP Fortify and SAP where SAP will now resell HP Fortify application security software as part of its quality assurance solutions portfolio to SAP customers.

Network Infiltration – Part 1: Rogue Wireless Access Point

regin.jpgUnless you hack for a living like I do, you might not realize how incredibly easy it is to infiltrate a network – and how very important software security is.


In this two part series we will go through multiple phase of exploiting vulnerabilities from wireless networks to a biometric system that controls access to doors and other network devices. By the end we’ll go from someone with zero to full access both physically and through digital networks.

Leveraging SimpleHTTPServer as a Simple Web Honeypot

As an application security professional, I am always intrigued with new attack schemes or techniques, so I study hackers to understand their ways of working by setting up a honeypot.




Three questions for mobile developers

Blog - iPhone Data.pngWhen assessing mobile applications, Fortify on Demand often finds exposed sensitive data. We find mobile apps that write sensitive data to the file system without protection. Many mobile applications write confidential data carelessly to plist files or SQLite databases in plaintext. We also regularly see private data written to system device logs or to public locations on the device where the data could be accessible to other applications. In the interest of protecting passwords, credit card numbers, social security numbers, account details, API keys, and other sensitive data elements, I have three questions to ask mobile developers.

December in Application Security: HP Discover in Barcelona

December is not jam packed with events, but there is one special reason to go to Spain every holiday season - HP Discover. december.jpg

Tags: appsec| December

Clickjacking and the X-Frame-Options Header

1272px-Internet1.jpgSounding like an attack right out of an action movie, Clickjacking can be particularly nasty. However, with the headers available today to web applications, there’s a viable option for defense.

HP Application Defender extends capabilities

HP Application Defender launches additional capabilities including protection for .NET applications, robust reporting capabilities, and online try and buy ability.  

tm graph full smaller size.jpg

Labels: Fortify

A certificate free-for-all: Transport layer security ubiquity coming soon? (part 2)

In part 1 of this two part article, we covered some of the history and background around deploying HTTPS in securing the web and how the Public Key Infrastructure works.  Here, we'll explore the challenges we face in deploying certificates to secure web sites at scale and some new solutions which could enable universally secure web communications.

Is application self protection right for you?

appdefender_3.jpgThis article looks at scenarios where application self-protection can quickly bring benefit to your enterprise.

Understanding your mobile apps: Examining the backend

Screen Shot 2014-11-18 at 4.30.41 PM.png

Many mobile developers assume web obscurity.  The assumption that users (and bad guys) will only interact with the web-backend through the mobile device interface leads to vulnerabilities. I challenge you to get know your mobile backend(s) by going directly to the websites and web services they connect to. To better understand your mobile apps, I encourage you to proxy your HTTP traffic and analyze your web backend(s).

A certificate free-for-all: Transport layer security ubiquity coming soon? (part 1)

Web site owners and users seem to be finally embracing the idea that transport layer security should be applied everywhere. In the last four years, Google, Yahoo, Twitter, Facebook and many other popular sites have forced the use of secure HTTPS rather than clear-text HTTP.


Prior to this, most applications either used insecure transport exclusively or made both insecure and secure options available. Some secured only communications for the authentication portion of a user’s session. The 2010 release of Firesheep (a browser plugin which enabled point-and-click session hijacking) and other man-in-the-middle attack tools raised public awareness of the problem, and since then, migration to HTTPS-only sites has been on the upswing.

A culture of security and the impact it has on organizations

ssa.jpgThe new edition of the HP Discover Podcast series is live: Heartland Payment systems talks business value gained by implementing a software security assurance (SSA) program.

Tags: Fortify
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
  • Abhishek Rath is a Security Consultant with Fortify on Demand based out of New York City, New York. His areas of expertise are application security testing, risk management and building application security programs for the Global and Fortune 100. He can be reached at
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • hacker, developer, script junkie [python,ruby,php]
  • Hacks for a living.
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.