Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

XML External Entity Injection For Fun and Maybe Profit

XML External Entity injection is appearing more regularly in the news. What is it and how do you do it?

Tags: XML

Defend your applications and your users against insecure login

Don't lose sight of the less complex vulnerabilities that can have a big impact on your users' security.

Your mobile travel application may not be as secure as you think

While you’ve been planning your vacation destinations, HP Security Research and HP Fortify on Demand have been hard at work. So…how safe IS your mobile travel app?

Header security – The new novelette

Do you want to provide extra layers of protection for your website users without a great deal of investment? With some simple HTTP header configurations, your website can boost the defense against injection attacks, SSL enforcement issues, information aggregation, and more.

5 trends in the future of software security

Software security—over the past decade, we’ve seen a lot of changes. At HP Protect, we'll be looking forward and discussing the 5 trends that you can expect to see in the future of software security.

Sacrificing application security to meet demands? Not with HP Fortify!

HP Protect is coming up fast, and there’s so much to take in while you’re there. Surrounded by the best in security, you’ll want to make time to attend a few HP Fortify demos. Remember: There's no need to sacrifice your application security when you've got HP Fortify in your corner!

Come Play HP's Capture the Flag Event at BlackHat

It's that time again for the annual InfoSec pilgrimage to Las Vegas.

HP has been at BlackHat for a number of years in the past, but this year we'll be there in force. We have a rather large booth this year, tons more staff, many more of our technical team attending, and, most importantly: A CTF!


Tags: ctf| infosec

WebInspect and Imperva SecureSphere Web Application Firewall

The OWASP site shows research that it can take up to 138 days for a company to remediate a vulnerability in their application once it is found. For a critical system housing customer data, 138 days is exactly 138 too many. WebInspect, as one of the leading dynamic application security testing solutions, can help your company identify the vulnerabilities in your applications, but it is ultimately up to your developers to fix them. What about those 138 days in between?

Building an Application Security Program – Part 2

This is the second in a series of 4 posts. In this series, we are discussing the recipe to build and implement an effective application security program. The first step of an organization’s application security journey should be “Assess”, i.e. Assessment.


Labels: Fortify

Is the ‘Iron Dome’ doomed?

If we let down our guard, the bad guys will take our stuff. Don't make it easy for others to get through your defenses. Stay educated. Stay aware. And by all means, don't click that link!

Labels: Fortify

HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

HP Fortify on Demand is pleased to announce the release of its Internet of Things State of the Union Report, revealing that 70 percent of the most commonly used Internet of Things (IoT) devices contain serious vulnerabilities.


10 devices were tested in various categories, including TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers…



Labels: Fortify

HP Protect sessions--Expanding the horizons of dynamic scanning

At this year’s HP Protect conference in Washington DC, I will be co-presenting 2 separate talks, one about the WebInspect API and another about HP Fortify and Continuous Monitoring. Read this blog post for more information.


Labels: Fortify

Building an Application Security Program – Part 1

When we are talking about introducing a ‘secure development lifecycle’ at an enterprise level, we are looking at investment from management; and whenever there is an investment, there are expectations. This first blog post (in the series of 3) describes what these expectations are and how an application security program can be built and implemented to meet them.

Application Security Program

Labels: Fortify

Dynamic protection with HP TippingPoint and HP Fortify

What happens during the time you discover an app vulnerability until you can actually fix it? If you’re an HP TippingPoint or Fortify customer—don’t worry about it—we’ve got you covered.

Making the Case for Application Security Testing

Running into the seemingly never-ending struggle to get some priority in your organization for application security testing? Consider the following thoughts which may aid your cause.

How Safe is Your Data in the Cloud?

The age-old debate for cloud storage comes down to one very real question, "Is your data safe?"

Recently, "Team DoulCi," a Dutch-Moroccan team of hackers, claimed to have compromised a protective feature on Apple's iCloud system that could allow an attacker to remove security measures on lost or stolen iPhone devices.

Labels: Fortify

Modern Web Hacking – Accessing Data through Insecure Direct References

In times past, traditional web application security vulnerabilities were everywhere. Today, it is very common to come across SQL injection and Cross-Site Scripting in older applications. Those vulnerabilities are commonly attributed to poor input validation and poorly formed SQL queries. In my experience, modern development frameworks have contributed to greatly reducing the number of traditional web application issues. So what should a modern hacker do?

Labels: Fortify

Introducing the OWASP Internet of Things Top 10

We're highly enthused to announce the initial (draft) version of the OWASP Internet of Things Top 10 project.


This project highlights ten key areas of risk for Internet of Things devices that span multiple attack surface areas.


HP Fortify on Demand has just completed a research project using this project as the basis for its testing methodology. Expect to hear about findings from this very soon.

Tags: appsec| infosec| IoT

XSS and App Security through HTML5's PostMessage()

In my last post I mentioned how the attack surface of Cross-Site Scripting (XSS) is continually growing with the release of new web technologies, specifically HTML5. This is going to be a technical dive into the new HTML5 postMessage() method, which can be exploited to launch XSS attacks against a site that was otherwise properly filtering client-provided input.

Labels: Fortify

WebInspect Release 10.20 in-depth series - Part 1 - The WebInspect API

WebInspect released version 10.20 back in April (to existing Fortify customers) with several new features and enhancements, so I thought I would start a series to talk a little deeper about each of these. I will start this series off with what I believe to be one of the most important features: the new WebInspect API.

Labels: Fortify| WebInspect

GWT App, meet application security via WebInspect

I am particularly excited about the newest 10.2 release of WebInspect as it is now the first scanner that has real Google Web Toolkit (GWT) support. Come on in to find out the details...

Labels: WebInspect

Fix it before you find out it's broken: Integrating security into your SDLC

Start remediating your vulnerabilities before you test your applications.

Tags: infosec| SDLC

The Slow Death of Manual Testing

We’ve seen the future, and it points to an alarming trend in the assessment and security consulting industry.


About the Author(s)
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • hacker, developer, script junkie [python,ruby,php]
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.