Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

Understanding your mobile apps: Examining the backend

Many mobile developers assume web obscurity. The assumption that users (and bad guys) will only interact with the web-backend through the mobile device interface leads to vulnerabilities. I challenge you to get to know your mobile backend(s) by going directly to the websites and web services they connect to. To better understand your mobile apps, I encourage you to proxy your HTTP traffic and analyze your web backend(s).

A certificate free-for-all: Transport layer security ubiquity coming soon? (part 1)

Web site owners and users seem to be finally embracing the idea that transport layer security should be applied everywhere. In the last four years, Google, Yahoo, Twitter, Facebook and many other popular sites have forced the use of secure HTTPS rather than clear-text HTTP.


Prior to this, most applications either used insecure transport exclusively or made both insecure and secure options available. Some secured only communications for the authentication portion of a user’s session. The 2010 release of Firesheep (a browser plugin which enabled point-and-click session hijacking) and other man-in-the-middle attack tools raised public awareness of the problem, and since then, migration to HTTPS-only sites has been on the upswing.

A culture of security and the impact it has on organizations

The new edition of the HP Discover Podcast series is live: Heartland Payment Systems talks business value gained by implementing a software security assurance (SSA) program.

Tags: Fortify


Database Management System is a broad term that refers to an array of completely different tools (i.e. computer programs or embedded libraries), working in different ways to handle dealing with collections of information. Since information itself can come in various shapes and sizes, several DBMS have been developed to help solve different programming and computerisation needs. In today's age, which choice is best for your implementation? This article will describe a newer DBMS and some of its pitfalls and solutions.

Information Leakage - It Might Be a Bigger Problem Than You Think

Information leakage doesn't directly result in an exploit, but it does disclose critical information about the technology, environment and logic of an application.  Attackers will use this information as a starting point to find and exploit vulnerabilities in your application.

Common Mobile Mistake: Assumption of Web Obscurity

Fortify on Demand analyzes numerous mobile applications, a substantial number of which contain serious web vulnerabilities. Backend web vulnerabilities are so common in mobile applications that Weak Server Side Controls is listed as #1 on OWASP’s list of Top Ten Mobile Risks. Many of these web weaknesses exist because developers assume web obscurity.

Bypassing CAPTCHAs

CAPTCHAs can prevent spam and functionality abuse but are they implemented properly?

Make WebInspect Scan Faster and Use Fewer Resources

WebInspect comes with a Command Line tool which works the same as the GUI, but consumes fewer resources for CPU, Memory, Disk and Network. I tested this using freely available online sites to scan and Performance Monitor to gather statistics. Some counters improved almost 100% when using one over the other and some counters deteriorated. I’ve included a table to show the difference between running the same scan using the GUI and using the Command Line.

The Future of CyberSecurity

The world we live in is changing rapidly and the pace is only going to accelerate. The impact of these changes will be immense. Changes in technology and the way we use it will impact each and every one of us. And one of the biggest will be the impact to our online security – the ubiquity of online devices coupled with the use of intelligent machines will alter the security landscape forever.

November in Application Security

We're over the hump in terms of the calendar year, but for HP it's the beginning of our first quarter, fiscal year 2015. November is traditionally a month to spend time with family, thought you might find a few events and webinars that will help you get a start on your security planning for 2015.

Labels: appsec| Fortify

Hacking in the physical world - ATM Safety

Cyber Security Month is almost at an end. Following up on my last article, I had talked about creating unique and secure Pin Codes. One of the easiest ways for that pin code to become compromised is to use an ATM. We use ATM machines all the time now, sometimes more often than paying cash. It’s often faster and more convenient than digging through your pockets for that last penny. But what are the dangers of using an ATM?


Labels: ATM| Pin Codes| Safety

Apple Pay, CurrentC, and Security

It's an exciting time for mobile payments, with two new technologies aiming to replace the decades-old practice of swiping the credit card.


Apple's Apple Pay offering is already launched, and it faces potential competition from CurrentC.


We'll take a look here at the two technologies and what they mean for consumer security and privacy.

Two-Factor Authentication – Are Two Factors Better Than One?



Two-Factor Authentication adds an extra layer of security to the authentication process by requiring more than just a password. This article will discuss what exactly this control is and why you should care.

Where Will The Next Big Application Security Vulnerability Come From?

Want to know where the next big security vulnerability will be found? Based on past history it will probably be in code that you have been using for years.

A New Look at Security - Pin Codes

A new look at Security

I see a lot of posts and information come across from various sources talking about new and exciting hacks or vulnerabilities that were discovered and what they mean to other security professionals. But what about those that are not full time security testers? I have been on plenty of calls with customers where the engineers, security managers and sales people on calls have no reference for what is being discussed. It is all too high-level.

So why not make security simple? I have been in a security mindset for most of my life, but information security, or info-sec for short, has really been a new experience for me, and I am sure for a lot of other people out there as well.

Tags: Pin Codes
Labels: 2014| authentication

Application Security...In an ideal scenario


As the software world just adopts new technology without thinking much about security, we need to start working towards creating a culture of accelerated security evolution with transparency.

Labels: Fortify

WebInspect Web Proxy Attack String Obfuscation Automation

See how the HP WebInspect Web Proxy application tool can be a useful feature for obfuscation of attack strings with various types of character set encodings to help bypass Web Application Firewalls (WAF).

User Enumeration: Too Much Information


Over the years, the state of application security and the awareness of application vulnerabilities has gradually improved. Developers are increasingly aware of common pitfalls and certain kinds of vulnerabilities are becoming less common. Despite that, there are still some basic application vulnerabilities which remain very common even long after being discovered and written about. One of those is User Enumeration.

Labels: Fortify

Insight on the SSLv3 POODLE Vulnerability

The SSLv3 POODLE attack has been publicly released. Now the questions are being asked about the risks that are involved with the attack and what the steps are to mitigate. We will break down the POODLE attack to the basics to help answer these questions.

Securing our homes with outbound DNS Filtering

Recently, there was a study released reporting that 70 percent of Internet of Things devices are vulnerable to attack. As a security professional, and a parent, this made me think about the network security in my home. Let's explore one layer of security in this battle.


Labels: Fortify

HP Fortify Software Security Center and Static Code Analyzer 4.2 available now

The HP Fortify team is happy to release Fortify Software Security Center and Fortify Static Code Analyzer 4.2.

This release cycle continues our focus on productivity and helping AppSec teams get more from their testing programs.


Current customers can download upgrades at:


Let us know what you think and keep the feedback coming --

Labels: Fortify| release| SCA| SSC

WebInspect Plugin for Burp

Among the new features for the HP WebInspect 10.30 release that I wrote about in my last blog was a plugin for integrating HP WebInspect with PortSwigger’s Burp. The feature has garnered some attention in the last few days so I thought it was worth talking about in its own blog post. The plugin allows users of HP WebInspect to transfer vulnerability details back and forth between Burp and their WebInspect instance via the WebInspect API. This will empower customers currently using Burp as a part of their dynamic analysis process with a more efficient workflow.

Personal Security: Things you must do to Protect Your Online Identity

In the spirit of National Cyber Safety Awareness Month, Geno Hermanos on the Fortify on Demand team put together a list of good practices for safe web behavior to help protect your online identity. Of course, these are just suggestions.

October in Application Security

On the heels of what was our busiest month this year, October is no less busy and it nearly got away from me. In fact, it just happens to be Cyber Security Awareness month.

Personal Security: Where is my Chip-Based Credit card?

It's a wonder, with so many credit card breaches in the news, that the US is just beginning to implement a technology that is over a decade old. What is the technology and why did we wait so long?

Defending in Depth – The HTTP Strict Transport Security header

One (relatively) recent specification available to web applications, which provides an extra layer of protection, is the HTTP Strict Transport Security (HSTS) header. Despite its availability, however, many developers still fail to utilize HSTS.

About the Author(s)
  • Abhishek Rath is a Security Consultant with Fortify on Demand based out of New York City, New York. His areas of expertise are application security testing, risk management and building application security programs for the Global and Fortune 100. He can be reached at
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • hacker, developer, script junkie [python,ruby,php]
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.