Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

Do you know where your mobile application’s data is going?

At Fortify on Demand, we frequently test mobile applications that communicate with many web endpoints, including some surprising sites. Developers often implement some type of functionality that unknowingly sends data to third-party web backends. This is frequently seen in advertising and analytic frameworks. Do you know where your mobile application’s data is going?

Application Security Testing – A journey from XSS to System Shell


Is it possible to go from a Cross-Site Scripting (XSS) flaw to obtain a system shell? During a web application security test earlier this year, I noticed an XSS flaw that allowed me to do just that. So how do we go from XSS to server access? Read on to find out!



When to Get a Penetration Test vs. A Vulnerability Assessment

Many organizations are eager to start their security efforts with penetration testing. This is understandable given that penetration testing sounds cool and is easy to sell.


The problem is that in the vast majority of cases, organizations will largely be wasting their money on a penetration test when compared to other available security assessment offerings.


In this short piece, we'll take a look at some of the security offerings that are commonly available with the hopes of helping you pick the best option…

Appsec training on-the-cheap

There's no denying that having an appsec savvy crew of IT professionals on hand, even if they are not dedicated to security, can mitigate costs. It speeds up remediation times, improves communication with your devs/consultants, and generally provides better peace of mind. Join us in the article below outlining our favorite free training resources to get your IT staff up to speed in appsec!

Network Infiltration – Part 2: Bypassing Fingerprint Biometrics

Last time, we got inside our target network via a rogue wireless access point that we were able to exploit because of its weak security implementation.


This time, we’re going to try and escalate what we can do inside the network.

SAP and HP Fortify team up to bring application security solutions to SAP customers

Today we’re able to announce an exciting new partnership between HP Fortify and SAP where SAP will now resell HP Fortify application security software as part of its quality assurance solutions portfolio to SAP customers.

Network Infiltration – Part 1: Rogue Wireless Access Point

Unless you hack for a living like I do, you might not realize how incredibly easy it is to infiltrate a network – and how very important software security is.


In this two-part series we will go through multiple phases of exploiting vulnerabilities from wireless networks to a biometric system that controls access to doors and other network devices. By the end we’ll go from someone with zero access to full access both physically and through digital networks.

Leveraging SimpleHTTPServer as a Simple Web Honeypot

As an application security professional, I am always intrigued with new attack schemes or techniques, so I study hackers to understand their ways of working by setting up a honeypot.




Three questions for mobile developers

When assessing mobile applications, Fortify on Demand often finds exposed sensitive data. We find mobile apps that write sensitive data to the file system without protection. Many mobile applications write confidential data carelessly to plist files or SQLite databases in plaintext. We also regularly see private data written to system device logs or to public locations on the device where the data could be accessible to other applications. In the interest of protecting passwords, credit card numbers, social security numbers, account details, API keys, and other sensitive data elements, I have three questions to ask mobile developers.

December in Application Security: HP Discover in Barcelona

December is not jam-packed with events, but there is one special reason to go to Spain every holiday season - HP Discover.

Tags: appsec| December

Clickjacking and the X-Frame-Options Header

Sounding like an attack right out of an action movie, Clickjacking can be particularly nasty. However, with the headers available today to web applications, there’s a viable option for defense.

HP Application Defender extends capabilities

HP Application Defender launches additional capabilities including protection for .NET applications, robust reporting capabilities, and online try and buy ability.  


Labels: Fortify

A certificate free-for-all: Transport layer security ubiquity coming soon? (part 2)

In part 1 of this two-part article, we covered some of the history and background around deploying HTTPS in securing the web and how the Public Key Infrastructure works. Here, we'll explore the challenges we face in deploying certificates to secure web sites at scale and some new solutions which could enable universally secure web communications.

Is application self protection right for you?

This article looks at scenarios where application self-protection can quickly bring benefit to your enterprise.

Understanding your mobile apps: Examining the backend


Many mobile developers assume web obscurity. The assumption that users (and bad guys) will only interact with the web backend through the mobile device interface leads to vulnerabilities. I challenge you to get to know your mobile backend(s) by going directly to the websites and web services they connect to. To better understand your mobile apps, I encourage you to proxy your HTTP traffic and analyze your web backend(s).

A certificate free-for-all: Transport layer security ubiquity coming soon? (part 1)

Web site owners and users seem to be finally embracing the idea that transport layer security should be applied everywhere. In the last four years, Google, Yahoo, Twitter, Facebook and many other popular sites have forced the use of secure HTTPS rather than clear-text HTTP.


Prior to this, most applications either used insecure transport exclusively or made both insecure and secure options available. Some secured only communications for the authentication portion of a user’s session. The 2010 release of Firesheep (a browser plugin which enabled point-and-click session hijacking) and other man-in-the-middle attack tools raised public awareness of the problem, and since then, migration to HTTPS-only sites has been on the upswing.

A culture of security and the impact it has on organizations

The new edition of the HP Discover Podcast series is live: Heartland Payment Systems talks business value gained by implementing a software security assurance (SSA) program.

Tags: Fortify


Database Management System is a broad term that refers to an array of completely different tools (i.e. computer programs or embedded libraries), working in different ways to handle collections of information. Since information itself can come in various shapes and sizes, several DBMSs have been developed to help solve different programming and computerisation needs. In today's age, which choice is best for your implementation? This article will describe a newer DBMS and some of its pitfalls and solutions.

Information Leakage - It Might Be a Bigger Problem Than You Think

Information leakage doesn't directly result in an exploit, but it does disclose critical information about the technology, environment and logic of an application.  Attackers will use this information as a starting point to find and exploit vulnerabilities in your application.

Common Mobile Mistake: Assumption of Web Obscurity

Fortify on Demand analyzes numerous mobile applications, a substantial number of which contain serious web vulnerabilities. Backend web vulnerabilities are so common in mobile applications that Weak Server Side Controls is listed as #1 on OWASP’s list of Top Ten Mobile Risks. Many of these web weaknesses exist because developers assume web obscurity.

Bypassing CAPTCHAs

CAPTCHAs can prevent spam and functionality abuse, but are they implemented properly?

Make WebInspect Scan Faster and Use Fewer Resources

WebInspect comes with a Command Line tool which works the same as the GUI, but consumes fewer resources for CPU, Memory, Disk and Network. I tested this using freely available online sites to scan and Performance Monitor to gather statistics. Some counters improved almost 100% when using one over the other and some counters deteriorated. I’ve included a table to show the difference between running the same scan using the GUI and using the Command Line.

The Future of CyberSecurity

The world we live in is changing rapidly and the pace is only going to accelerate. The impact of these changes will be immense. Changes in technology and the way we use it will impact each and every one of us. And one of the biggest will be the impact to our online security – the ubiquity of online devices coupled with the use of intelligent machines will alter the security landscape forever.

November in Application Security

We're over the hump in terms of the calendar year, but for HP it's the beginning of our first quarter, fiscal year 2015. November is traditionally a month to spend time with family, though you might find a few events and webinars that will help you get a start on your security planning for 2015.

Labels: appsec| Fortify

Hacking in the physical world - ATM Safety

Cyber Security Month is almost at an end. Following up on my last article, I had talked about creating unique and secure Pin Codes. One of the easiest ways for that pin code to become compromised is to use an ATM. We use ATM machines all the time now, sometimes more often than paying cash. It’s often faster and more convenient than digging through your pockets for that last penny. But what are the dangers of using an ATM?


Labels: ATM| Pin Codes| Safety

Apple Pay, CurrentC, and Security

It's an exciting time for mobile payments, with two new technologies aiming to replace the decades-old practice of swiping the credit card.


Apple's Apple Pay offering is already launched, and it faces potential competition from CurrentC.


We'll take a look here at the two technologies and what they mean for consumer security and privacy.

Two-Factor Authentication – Are Two Factors Better Than One?



Two-Factor Authentication adds an extra layer of security to the authentication process by requiring more than just a password. This article will discuss what exactly this control is and why you should care.

Where Will The Next Big Application Security Vulnerability Come From?

Want to know where the next big security vulnerability will be found? Based on past history it will probably be in code that you have been using for years.

About the Author(s)
  • Abhishek Rath is a Security Consultant with Fortify on Demand based out of New York City, New York. His areas of expertise are application security testing, risk management and building application security programs for the Global and Fortune 100. He can be reached at
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • hacker, developer, script junkie [python,ruby,php]
  • Hacks for a living.
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.