Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit www.hp.com/go/fortify

Building an Application Security Program – Part 4

This is the final post in a series of four. In the first post, we gave an overview of our three-phase approach to building an application security program; the second post described the first phase, Assessment, and the third post covered the second phase, Design.

 

Today, we will discuss the final step, implementing the application security program. This is the phase where we decide on an implementation strategy and actually implement the program.

WebInspect and WebInspect Enterprise 10.30 Now Available!

HP Fortify and the WebInspect team are proud to announce the release of WebInspect and WebInspect Enterprise 10.30. Current customers can upgrade to WebInspect 10.30 using the SmartUpdate utility. Additionally, customers can download the latest release from the ‘MY Updates’ portal.

WebInspect 10.30

HP WebInspect 10.30 has several new features and many improvements to existing features:

  • Platform Upgrade – 64-bit and .Net 4.5.1
  • Underlying Performance Improvements
  • Expansion of the WebInspect API
  • Scan Comparison view enhancement
  • Scan Dashboard Visualization Improvements
  • Additional supported systems
  • Support for Windows Phone added to mobile testing

WebInspect Enterprise 10.30

WebInspect Enterprise 10.30 also contains new enhancements to existing features:

  • 64-bit WebInspect Enterprise Sensors
  • 64-bit WIE Admin Console
  • Scan Comparison view enhancement
  • Dashboard Enhancements

3 Things to Know About the Shellshock Vulnerability

The Shellshock bug, which is based on a vulnerability in Bash, is getting more serious as people realize its potential.

 

There is significant conversation and speculation regarding this issue, and in this short article we'll simplify things down to the three (3) basics you should know: 1) what the vulnerability is, 2) the potential downsides, and 3) how to protect yourself.

iCloud Security: How do we get from here to there?

Recently, news about the leak of several celebrity photos of a compromising nature has A-listers and followers alike abuzz. Many of the celebs involved have claimed the photos are faked, and some, like Mary E. Winstead, have stated that the images were taken and deleted years ago. This suggests her pictures were either stored in the cloud (e.g., iCloud storage) or were grabbed at the time.

Labels: Fortify

AppSec USA is this Week in Denver!

One of our favorite application security events is upon us. It seems like it was just yesterday that we were in NYC for AppSec 2013, which makes sense since it hasn't been a full year.

Labels: Fortify

Modern Hacking - May I have your password please?

One of the most important ways an organization can protect its assets is to ensure that usernames and passwords remain secret. In this article we will discuss one of the methods attackers can use to discover usernames and passwords, and what you can do to prevent it.

Simplicity for application security—HP Application Defender

HP introduces HP Application Defender, the first application self-protection service managed from the cloud that provides immediate visibility and actively defends production applications against attacks. 

Fortify on Demand Now Testing Swift Applications

With the release of the iPhone 6, iOS 8 and a number of other announcements, many will be focused on Apple for the next month or so when it comes to mobile and consumer electronics.

 

One of Apple's recent announcements was the creation and release of a new programming language, called Apple Swift.

 

Tags: apple| mobile| Swift
Labels: Apple| mobile| Swift

The BREACH attack explained

Because the BREACH attack has been difficult to understand for penetration testers and developers alike, the risk associated with this attack has been unclear. We are going to go through the basics of the attack to better determine the potential risk to vulnerable application servers.

Authenticated application security tests vs. unauthenticated

It’s generally true that unauthenticated tests are faster and cheaper than authenticated scans but are they really giving a complete picture of an application's security posture?

Cover your apps: How application security protects your enterprise

HP Protect is right around the corner! Watch this informative video in which Paul Muller and Jacob West discuss how to cover your apps!

Labels: Fortify

Security issues in WordPress XML-RPC DDoS Explained

A number of months ago, a DDoS attack against a website used functionality present in all WordPress sites since 2005 as an amplification vector. According to one report, more than 162,000 WordPress sites sent requests to the target.

Labels: DDoS| Wordpress| xml-rpc

How to Properly Defend Your Applications Against Authentication Attacks

The recent celebrity hack has raised awareness around an important topic: authentication security in your applications.

 

We don't yet have all the details, but we have enough to prompt a reminder to those who build applications of any type--especially web applications--that there are multiple authentication surface areas that you must secure when defending your app.

 

Read on to see what needs to be done…

HP Fortify on Demand Mobile Application Now Available

I am happy to announce a new way to monitor your application security while on the go. The HP Fortify on Demand mobile application for iPhone and Android is out of beta and officially available for download.  

 

Using the new Fortify on Demand app, users can:

  • View dashboards
  • Monitor status of ongoing assessments
  • View summary of findings
  • Drill down into vulnerabilities—Status, location, vuln type, description

XML External Entity Injection For Fun and Maybe Profit

XML External Entity injection is appearing more regularly in the news. What is it, and how does it work?

Tags: XML

Defend your applications and your users against insecure login

Don't lose sight of the less complex vulnerabilities that can have a big impact on your users' security.

Your mobile travel application may not be as secure as you think

While you’ve been planning your vacation destinations, HP Security Research and HP Fortify on Demand have been hard at work. So…how safe IS your mobile travel app?

Header security – The new novelette

Do you want to provide extra layers of protection for your website users without a great deal of investment? With some simple HTTP header configurations, your website can boost its defense against injection attacks, SSL enforcement issues, information aggregation, and more.

5 trends in the future of software security

Software security—over the past decade, we’ve seen a lot of changes. At HP Protect, we'll be looking forward and discussing the 5 trends that you can expect to see in the future of software security.

Sacrificing application security to meet demands? Not with HP Fortify!

HP Protect is coming up fast, and there’s so much to take in while you’re there. Surrounded by the best in security, you’ll want to make time to attend a few HP Fortify demos. Remember: There's no need to sacrifice your application security when you've got HP Fortify in your corner!

Come Play HP's Capture the Flag Event at BlackHat

It's that time again for the annual InfoSec pilgrimage to Las Vegas.

 

HP has been at BlackHat for a number of years in the past, but this year we'll be there in force. We have a rather large booth this year, tons more staff, many more of our technical team attending, and, most importantly: A CTF!

 

Tags: ctf| infosec
Labels: ctf| infosec

WebInspect and Imperva SecureSphere Web Application Firewall

The OWASP site cites research showing that it can take up to 138 days for a company to remediate a vulnerability in an application once it is found. For a critical system housing customer data, 138 days is exactly 138 too many. WebInspect, as one of the leading dynamic application security testing solutions, can help your company identify the vulnerabilities in your applications, but it is ultimately up to your developers to fix them. What about those 138 days in between?

Building an Application Security Program – Part 2

This is the second in a series of four posts. In this series, we are discussing the recipe for building and implementing an effective application security program. The first step of an organization’s application security journey should be “Assess”, i.e. Assessment.

Labels: Fortify

Is the ‘Iron Dome’ doomed?

If we let down our guard, the bad guys will take our stuff. Don't make it easy for others to get through your defenses. Stay educated. Stay aware. And by all means, don't click that link!

Labels: Fortify

HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

HP Fortify on Demand is pleased to announce the release of its Internet of Things State of the Union Report, revealing that 70 percent of the most commonly used Internet of Things (IoT) devices contain serious vulnerabilities.

 

10 devices were tested in various categories, including TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers…
Labels: Fortify
About the Author(s)
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • http://www.danielmiessler.com/about
  • hacker, developer, script junkie [python,ruby,php]
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.