Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organization secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

When does it make sense to use application self-protection and HP Application Defender?

There are several circumstances that scream for application self-protection:

  • You lack access to the code of critical applications
  • Your security scan just found 100+ app vulnerabilities
  • Your vendor told you a patch will be ready in 3 months
  • You have no idea what vulnerabilities you have
  • Your application has been breached and you need protection quick – before an audit

Let’s look at these a little closer.cyber security button.jpg

WebInspect Enterprise 10.40 Release - available NOW!

HP Fortify and the WebInspect Dynamic Application Security Testing (DAST) team are proud to announce the release of WebInspect 10.40.  Current customers can upgrade their WebInspect Enterprise sensors to version 10.40 using the SmartUpdate utility. Customers may also download the latest release from the My Software Updates portal.

HP WebInspect 10.40 Available Now!

Software Security.pngThe HP WebInspect (DAST) team has been working diligently on the latest enhancements to the software and the product is finally ready for release. HP Fortify and the WebInspect team are proud to announce the release of WebInspect 10.40.  Current customers can upgrade their installation to version 10.40 using the SmartUpdate utility. Additionally, customers can download the latest release from the My Software Updates portal.


Meet The App Defender

Application Security is hard - but it doesn't have to be.  Meet the App Defender!  Come to the HP booth on Tuesday at 11:40 to learn about this new kind of defense.  And follow The App Defender on Facebook for the latest news: TheAppDefender facebook cover.jpg

Secure the code that runs your business--Join HP at SAP SAPPHIRE NOW 2015

fraud analytics.jpgJoin HP at SAP SAPPHIRE NOW 2015 in Orlando, Florida, May 5-7! We will be presenting, “Secure the code that runs your business,” on Thursday, May 7th at 3pm in Center Demo Theatre PS605. 

Labels: Fortify

HP Fortify Static Code Analyzer (SCA) & Software Security Center (SSC) 4.3 Available Now!

We are happy to announce new and exciting enhancements to our Fortify suite of application security offerings.  New_and_Improved.pngFortify customers can upgrade to the latest and greatest versions beginning today. 

Foundations of an AppSec program: Part 2--The building codes

Software Security.pngThis is Part 2 in a series discussing the foundations of a good application security program. In Part 1, we discussed guiding philosophy. Additional topics will cover knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

HP Cyber Risk Report 2015: spotlight on the applications

cover.PNGIn the modern era, you simply can't understand your true security risk unless you account for the applications. It’s one of the reasons the HP Security Research group (HPSR) places such a heavy emphasis on application vulnerabilities in its annual HP Cyber Risk Report. For the 2015 report, audits performed by Fortify on Demand (FoD) on over 375 mobile and 6,500 Web applications were analyzed to create the report’s application security findings. For highlights from this year's results, read the article.

Yet another SSL/TLS Vulnerability


The past week or so the factoring attack on RSA-EXPORT keys was revealed (CVE-2015-0204).  This attack also known as FREAK, has application developers and server administrators scrambling to develop patches and update configurations.  This blog is an attempt to create a simplified explanation of this vulnerability. 

Foundations of an Application Security program: Part 1--Guiding Philosophy

Software Security.pngPost one in a series that will discuss the foundations of a good application security program.  Some topics that will be covered are: philosophy, knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

XPATH Assisted XXE Attacks

XXE Image (1).pngWhen testing applications which are employing XML, whether it be a web service for a mobile application or an ajax-mashup website, two of the main vulnerabilities you will see and hear about are XPath injection and XXE (XML External Entity) processing. While each of these on their own are interesting vulnerabilities, there is a unique situation that allows you to chain the two together in order to read data off a target system.

Labels: Fortify

HP Fortify on Demand is the first Security SaaS to achieve FedRAMP Authorization

logo3.pngFortify on Demand began the process of gaining FedRAMP certification back in Fedbruary 2014. This was the work of a very small team, including Daniel Miessler, Eric Adams,  Brooks Garrett, Chris Paire, and others. Thanks for all who have helped reach our goal.  

What You Need to Know About the FREAK SSL Vulnerability

Screen Shot 2015-03-03 at 1.42.18 PM.pngThere's a new SSL vulnerability out called FREAK.


Here's what you need to know about it.


  • It's a cipher strength issue, i.e. it makes it easy to break keys in mere hours
  • Successfully breaking those keys means gaining access to the data encrypted in the SSL session
  • It's legacy functionality based on encryption export laws
  • The solution is to patch both the server side (your version of SSL in your webserver) and the client side (if you're using a vulnerable browser)


Tags: appsec| FREAK| infosec| SSL
Labels: appsec| FREAK| infosec| SSL

Demystifying Shellcode

An introduction to shellcodes, what to do with them, and a few lessons on executing a successful exploit.

Labels: Fortify

Spam, phishing, and pharming: How secure are you?

Security should always have its place on top of the information we share, especially now when most people are face- down and focused on their communication devices. Cyber threats are just one click away.



Labels: Fortify

App Planet, the center of the HP Mobility Universe at Mobile World Congress

MWC_Barcelona.pngMobile World Congress is just around the corner. Find out how Fortify on Demand is participating and why you should attend.

Application security is hard

Doh.jpgIt seems as though we can’t go a day without news breaking of the latest security breach to compromise an application or company. In today’s digital age, with many smart people creating applications and systems, why is securing them so difficult?

How secure is your IM?

smile emoji.pngThe majority of us utilizing some sort of instant messaging appliction daily. But are they really safe? Read this article to learn more about flaws found in instant messaging applications. 

Achieving PCI DSS Compliance through HP Fortify SSA Framework

In HP’s Fortify Solution Consulting Group, we assist our customers in building effective and scalable application security programmes using our SSA (Software Security Assurance) framework. Hence, I often get asked if programmes built upon the SSA framework can help in fulfilling the PCI DSS Requirements related to Application Security.


The answer is: Yes!




IoT is the Frankenbeast of Information Security

It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge.


We started with network security, and even that isn't solid yet. But 20 years later we're doing pretty well there.


Then around 10 years ago we started talking about applications being the horizon technology, and we proceeded to build a global application portfolio ignoring the security lessons learned from the network world. 


Then, five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications.


And now we have the Internet of Things (IoT). If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that.

Your TVs Are Watching You Back

telesurveillance-f7000-f8000-samsung.jpgWe've all heard the dystopian thrashings about how "in the future" your TV might be watching you just like you're watching it.


Unfortuanely, that time seems to have arrived already.


One of the world's largest manufacturers of modern televisions just updated its privacy statement to say the following:


"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

Information Security as an Emergent Property


Earlier today I heard Jason Schmitt say something worth exploring: He referred to information security as an emergent property.


Emergence is a fascinating concept. It basically means that when simple things combine to a certain degree, new properties, patterns, and behaviors develop that often cannot be explained or understood in the context of their components.


It's difficult to explain human happiness in terms of the strong and weak nuclear force, for example. Or to reduce an economic law like supply and demand down to covalent bonds...


Capture the Flag: One of the best team building events ever!

ctf1.jpgEngaging security staff can be difficult. We're here to give you a little secret of ours, Capture the Flag competitions rock. Here at Fortify on Demand we have done internal CTF's at application security events several years in a row with great success. These games can be for more than just engineers, in fact, we have done several for our account managers and sales folk! We even did one at BlackHat USA last year for everyone! Join us as we give you some tips and tools on creating a great event.

Fortify on Demand recognized as Best SaaS

winner-2014-15.jpgIn its fourth year and recognized as the de facto recognition platform in the international Cloud Computing space, the Cloud Awards recently announced the 2014-15 winners. HP Fortify on Demand made the final cut.

Curiosity and the "hacking" mindset



I have always been curious. Too curious sometimes.


Curiosity drives me. I was in school to learn how to develop software, but found taking it apart much more interesting.

Thoughts from “Blackhat” the movie

or ‘How I stopped worrying and started to love the SCADA bomb’

I recently saw “Blackhat”, and part of the plot made me wonder if certain parts of the vulnerability world had changed much.

Owning SQLi vulnerability with SQLmap

Injection flaws, often found in legacy code, is the #1 security risk on the OWASP Top 10. SQLi (or SQL Injection) is an injection flaw attack method defined as "insertion or "injection" of a SQL query via the input data from the client to the application".


This blog aims to give you the nuts & bolts on using SQLmap and learn basic techniques to properly evaluate SQLi injections and understand some SQL attack methods.


Posted on behalf of Medz Barao, Fortify on Demand Security Team.

Integrated security: Next-Generation secure web application development

hp secure.jpgWhat does the future look like for web application security defense? While there have been many advancements in web application firewalls (WAF), a WAF cannot fully understand the functionality and implication of each and every custom web application. 


How would the web application security landscape change if we could build security enhancements that fully understood your custom web application?

Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.