Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organization secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit www.hp.com/go/fortify

Expanding the Horizons of Dynamic Scanning

At this year’s HP Protect conference in Washington DC I will be co-presenting 2 separate talks, one about the WebInspect API and another about HP Fortify and Continuous Monitoring. The WebInspect API talk will focus on how organizations can become more efficient. We will discuss how the API can be used to sort out issues of integrating dynamic scanning with the development cycle as well as how it can help resolve issues with growing pains or inconsistent demand on the dynamic scanning infrastructure.


Building an Application Security Programme – Part 1

When we are talking about introducing a ‘secure development lifecycle’ at an enterprise level, we are looking at investment from management; and whenever there is an investment there are expectations. This first blog post (in a series of 3) describes what these expectations are and how an application security programme can be built and implemented to meet them.

Application Security Program

Dynamic protection with HP TippingPoint and HP Fortify

What happens during the time you discover an app vulnerability until you can actually fix it? If you’re an HP TippingPoint or Fortify customer—don’t worry about it—we’ve got you covered.

Making the Case for Application Security Testing

Running into the seemingly never-ending struggle to get some priority in your organization for application security testing? Consider the following thoughts which may aid your cause.

How Safe is Your Data in the Cloud?

The age-old debate for cloud storage comes down to one very real question, "Is your data safe?"


Recently, "Team DoulCi," a Dutch-Moroccan team of hackers, claimed to have compromised a protective feature of Apple's iCloud system, which could allow an attacker to remove security measures on lost or stolen iPhone devices.

Labels: Fortify

Modern Web Hacking – Accessing Data through Insecure Direct References

In times past, traditional web application security vulnerabilities were everywhere. Today, it is very common to come across SQL injection and Cross-Site Scripting in older applications. Those vulnerabilities are commonly attributed to poor input validation and poorly formed SQL queries. In my experience, modern development frameworks have contributed to greatly reducing the number of traditional web application issues. So what should a modern hacker do?

Labels: Fortify

Introducing the OWASP Internet of Things Top 10

We're highly enthused to announce the initial (draft) version of the OWASP Internet of Things Top 10 project.


This project highlights ten key areas of risk for Internet of Things devices that span multiple attack surface areas.


HP Fortify on Demand has just completed a research project using this project as the basis for its testing methodology. Expect to hear about findings from this very soon.

Tags: appsec| infosec| IoT

XSS and App Security through HTML5's PostMessage()

In my last post I mentioned how the attack surface of Cross Site Scripting (XSS) is continually growing with the release of new web technologies, specifically HTML5. This is going to be a technical dive into the new HTML5 postMessage() method, which can be exploited to launch XSS attacks against a site that was otherwise properly filtering client-provided input.

Labels: Fortify

WebInspect Release 10.20 in-depth series - Part 1 - The WebInspect API

WebInspect released version 10.20 back in April (to existing Fortify customers) with several new features and enhancements, so I thought I would start a series to talk a little deeper about each of these. I will start this series off with what I believe to be one of the most important features: the new WebInspect API.

Labels: Fortify| WebInspect

GWT App, meet application security via WebInspect

I am particularly excited about the newest 10.2 release of WebInspect as it is now the first scanner that has real Google Web Toolkit (GWT) support. Come on in to find out the details...

Labels: WebInspect

Fix it before you find out it's broken: Integrating security into your SDLC

Start remediating your vulnerabilities before you test your applications.

Tags: infosec| SDLC

The Slow Death of Manual Testing

We’ve seen the future and the future is scary... read a bit more about an alarming trend in the assessment and security consulting industry.


Understanding Cross-Frame Scripting

There’s a lot of confusion around Cross-frame Scripting.

I’ve seen a number of online resources that describe it as just another type of Cross-site scripting, which only makes sense if you also misunderstand Cross-site scripting.

A significant part of the misunderstanding comes from authoritative sources being unclear at best—if not outright incorrect—in how they explain the issue…

Tags: webappsec| XSRF| XSS

XSS--Beyond the Alert Box

Cross-site scripting is one of the most prominent web application vulnerabilities, and it comes in many different shapes and sizes. Are we effectively communicating the business impact of XSS through the traditional alert box technique? The attack vector for this vulnerability is constantly growing, and so should our testing efforts and demonstration of XSS.

Labels: Fortify

Security Demystified: SQL Injection

Despite very good options for defense, SQL injection is still one of the most common vulnerabilities found across web applications. What is it, and how can we defend against it?

random(Security) at ScriptEd Hackathon

On Saturday, May 17, HP Fortify on Demand participated as both technical speakers and judges at the annual ScriptEd Hackathon in New York City. ScriptEd is a nonprofit organization that offers programming classes to under-served high school students in NYC.

How HP is making it matter when it comes to cybersecurity

See how HP’s next-generation security solutions are helping 10,000+ companies stay safe from cyberattacks and other security threats.

Labels: HP| security

Fortify on Demand is now available in Spanish and Japanese

The most recent release of Fortify on Demand is a major one that includes new functionality (including localization!) and enhancements to API, reporting and support.


HP Fortify #Security Team judges Annual #ScriptEdHackathon

Back in November during AppSec USA, HP made a donation to a cool "kids and code" non-profit, ScriptEd in New York City. This month part of our team is back in the Big Apple for their annual Hackathon.

WebInspect Enterprise 10.20 Release

Yesterday I blogged about the great new features in the WebInspect 10.20 release; today I am going to cover the WebInspect Enterprise features in the 10.20 release. HP Fortify and the WebInspect team announced the release of WebInspect and WebInspect Enterprise 10.20 on April 17th. Current customers can upgrade to WebInspect version 10.20 using the SmartUpdate utility. Additionally, customers can download the latest release from https://download.hpsmartupdate.com/webinspect/ and https://download.hpsmartupdate.com/wie/.

WebInspect 10.20 Release

HP Fortify and the WebInspect team announced the release of WebInspect and WebInspect Enterprise 10.20 on April 17th. Current customers can upgrade to WebInspect version 10.20 using the SmartUpdate utility. Additionally, customers can download the latest release from https://download.hpsmartupdate.com/webinspect/ and https://download.hpsmartupdate.com/wie/.

HP Security and The Internet of Things

The Internet of Things is…well, many things. It's a combination of reality and hype, peril and promise, present and future. Gartner says that by the year 2020 there will be 30 billion Internet of Things devices, and the current technology market is brimming with competitors in this space.


In this short article we'll walk through what the Internet of Things is and isn't, talk about some of its security and privacy implications, and introduce a few initiatives HP Fortify on Demand is working on in this exciting and developing area.

Looking back on a decade of Fortify

It’s been 11 years since I founded Fortify, and I’m still at it. But it’s fun to look back and see just how far we’ve come…and even more fun to see where we’re headed.

Labels: HP| security
About the Author(s)
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • http://www.danielmiessler.com/about
  • hacker, developer, script junkie [python,ruby,php]
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.