Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

AppSec USA is this Week in Denver!

One of our favorite application security events is upon us. It seems like it was just yesterday that we were in NYC for AppSec 2013, which makes sense since it hasn't been a full year.

Labels: Fortify

Modern Hacking - May I have your password please?

One of the most important ways an organization can protect its assets is to ensure that usernames and passwords remain secret. In this article we will discuss one of the methods attackers can use to discover usernames and passwords and what you can do to prevent it.

Simplicity for application security—HP Application Defender

HP introduces HP Application Defender, the first application self-protection service managed from the cloud that provides immediate visibility and actively defends production applications against attacks. 

Fortify on Demand Now Testing Swift Applications

With the release of the iPhone 6, iOS 8 and a number of other announcements, many will be focused on Apple for the next month or so when it comes to mobile and consumer electronics.


One of Apple's recent announcements was the creation and release of a new programming language, called Apple Swift.




Tags: apple| mobile| Swift
Labels: Apple| mobile| Swift

The BREACH attack explained

Because the BREACH attack has been difficult to understand for penetration testers and developers alike, the risk associated with this attack has been unclear. We are going to go through the basics of the attack to better determine the potential risk to vulnerable application servers.

Authenticated application security tests vs. unauthenticated



It’s generally true that unauthenticated tests are faster and cheaper than authenticated scans but are they really giving a complete picture of an application's security posture?

Cover your apps: How application security protects your enterprise

HP Protect is right around the corner! Watch this informative video where Paul Muller and Jacob West discuss how to cover your apps!

Labels: Fortify

Security issues in WordPress XML-RPC DDoS Explained

A number of months ago a DDoS attack against a website used functionality present in all WordPress sites since 2005 as an amplification vector. According to one report, more than 162,000 WordPress sites sent requests to the target.

Labels: DDoS| Wordpress| xml-rpc

How to Properly Defend Your Applications Against Authentication Attacks

The recent celebrity hack has raised awareness around an important topic: authentication security in your applications.


We don't yet have all the details, but we have enough to prompt a reminder to those who build applications of any type--especially web applications--that there are multiple authentication surface areas that you must secure when defending your app.


Read on to see what needs to be done…

HP Fortify on Demand Mobile Application Now Available

I am happy to announce a new way to monitor your application security while on the go. The HP Fortify on Demand mobile application for iPhone and Android is out of beta and officially available for download.  


Using the new Fortify on Demand app, users can:

  • View dashboards
  • Monitor status of ongoing assessments
  • View summary of findings
  • Drill down into vulnerabilities—Status, location, vuln type, description

XML External Entity Injection For Fun and Maybe Profit

XML External Entity injection is appearing more regularly in the news. What is it and how do you do it?

Tags: XML

Defend your applications and your users against insecure login

Don't lose sight of the less complex vulnerabilities that can have a big impact on your users' security.

Your mobile travel application may not be as secure as you think

While you've been planning your vacation destinations, HP Security Research and HP Fortify on Demand have been hard at work. So…how safe IS your mobile travel app?

Header security – The new novelette

Do you want to provide extra layers of protection for your website users without a great deal of investment? With some simple HTTP header configurations, your website can boost the defense against injection attacks, SSL enforcement issues, information aggregation, and more.

5 trends in the future of software security

Software security: over the past decade, we've seen a lot of changes. At HP Protect, we'll be looking forward and discussing the 5 trends that you can expect to see in the future of software security.

Sacrificing application security to meet demands? Not with HP Fortify!

HP Protect is coming up fast, and there's so much to take in while you're there. Surrounded by the best in security, you'll want to make time to attend a few HP Fortify demos. Remember: There's no need to sacrifice your application security when you've got HP Fortify in your corner!

Come Play HP's Capture the Flag Event at BlackHat

It's that time again for the annual InfoSec pilgrimage to Las Vegas.


HP has been at BlackHat for a number of years in the past, but this year we'll be there in force. We have a rather large booth this year, tons more staff, many more of our technical team attending, and, most importantly: A CTF!


Tags: ctf| infosec
Labels: ctf| infosec

WebInspect and Imperva SecureSphere Web Application Firewall

The OWASP site shows research that it can take up to 138 days for a company to remediate a vulnerability in their application once it is found. For a critical system housing customer data, 138 days is exactly 138 too many. WebInspect, as one of the leading dynamic application security testing solutions, can help your company identify the vulnerabilities in your applications, but it is ultimately up to your developers to fix them. What about those 138 days in between?

Building an Application Security Program – Part 2

This is the second in a series of 4 posts. In this series, we are discussing the recipe to build and implement an effective application security program. The first step of an organization's application security journey should be "Assess", i.e. Assessment.


Labels: Fortify

Is the ‘Iron Dome’ doomed?

If we let down our guard, the bad guys will take our stuff. Don't make it easy for others to get through your defenses. Stay educated. Stay aware. And by all means, don't click that link!

Labels: Fortify

HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack


HP Fortify on Demand is pleased to announce the release of its Internet of Things State of the Union Report, revealing that 70 percent of the most commonly used Internet of Things (IoT) devices contain serious vulnerabilities.


10 devices were tested in various categories, including TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers…



Labels: Fortify

HP Protect sessions--Expanding the horizons of dynamic scanning

At this year's HP Protect conference in Washington DC, I will be co-presenting 2 separate talks, one about the WebInspect API and another about HP Fortify and Continuous Monitoring. Read this blog post for more information.


Labels: Fortify

Building an Application Security Program – Part 1

When we are talking about introducing a 'secure development lifecycle' at an enterprise level, we are looking at investment from management; and whenever there is an investment there are expectations. This first blog post (in a series of 3) describes what these expectations are and how an application security program can be built and implemented to meet them.


Labels: Fortify

Dynamic protection with HP TippingPoint and HP Fortify

What happens during the time you discover an app vulnerability until you can actually fix it? If you're an HP TippingPoint or Fortify customer, don't worry about it: we've got you covered.

Making the Case for Application Security Testing

Running into the seemingly never-ending struggle to get some priority in your organization for application security testing? Consider the following thoughts, which may aid your cause.

About the Author(s)
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • hacker, developer, script junkie [python,ruby,php]
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation