Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure their applications and prevent those attacks. This blog serves as a platform for our penetration testers, product managers, marketers, and software engineers to provide analysis and insight on web application security and on how organizations can use our products and services to better secure their applications. For more information, visit

What You Need to Know About the Logjam Vulnerability

There's a new encryption vulnerability called Logjam that's currently getting some attention.

Similar to the FREAK SSL vulnerability, it has to do with using encryption algorithms that have been deprecated, but the details are slightly different in this case.

Here are a few things you should know about the issue and what you should do about it.

You're Invited to a Software Security Assurance Summit!

Please be our guest at one of 7 events in an upcoming Software Security Assurance Summit Series put on by T.E.N. and sponsored by HP Enterprise Security.

Foundations of an AppSec Program: Part 3--Key phases of the SDLC

Post 3 in a series that discusses the foundations of a good application security program. Some topics that are covered are: philosophy, knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

The State of IoT Security (2015)

I just returned from IoT World 2015, which is held at Moscone Center in San Francisco. It's a decent-sized event with a good spread of vendors, speakers, and panels.

What I'd like to do here is give some analysis of what the most common IoT conversations seem to be, where the vendors are playing, and what the security landscape looks like.
Labels: IoT| IoT Security

HP Security Strategists get down in the dirt when it comes to security

Often, HP experts are asked to weigh in on a wide array of security topics, on a variety of platforms. For thought leadership at its best, we recommend you visit the Enterprise CIO Forum, where we feature truly outstanding work by a group of former CISOs and executive security practitioners within HP who help develop our security strategies. After all, the best information is real-world information.

Labels: Fortify

I'm energized after my RSA booth duty!

I just spent a week at the RSA conference. Yes, I am tired. But guess what… I’m also energized. Why? Because I got to do booth duty all week. Yep, you heard me right. I enjoyed booth duty at RSA!

Announcing ShadowOS

Announcing ShadowOS, a free mobile application testing tool from Fortify on Demand. ShadowOS helps your security and QA teams find vulnerabilities in Android applications early in your testing process.

Tags: mobile| security

When does it make sense to use application self-protection and HP Application Defender?

There are several circumstances that scream for application self-protection:

  • You lack access to the code of critical applications
  • Your security scan just found 100+ app vulnerabilities
  • Your vendor told you a patch will be ready in 3 months
  • You have no idea what vulnerabilities you have
  • Your application has been breached and you need protection quickly – before an audit

Let’s look at these a little closer.

WebInspect Enterprise 10.40 Release - available NOW!

HP Fortify and the WebInspect Dynamic Application Security Testing (DAST) team are proud to announce the release of WebInspect 10.40.  Current customers can upgrade their WebInspect Enterprise sensors to version 10.40 using the SmartUpdate utility. Customers may also download the latest release from the My Software Updates portal.

HP WebInspect 10.40 Available Now!

The HP WebInspect (DAST) team has been working diligently on the latest enhancements to the software and the product is finally ready for release. HP Fortify and the WebInspect team are proud to announce the release of WebInspect 10.40. Current customers can upgrade their installation to version 10.40 using the SmartUpdate utility. Additionally, customers can download the latest release from the My Software Updates portal.


Meet The App Defender

Application Security is hard - but it doesn't have to be. Meet the App Defender! Come to the HP booth on Tuesday at 11:40 to learn about this new kind of defense. And follow The App Defender on Facebook for the latest news.

Secure the code that runs your business--Join HP at SAP SAPPHIRE NOW 2015

Join HP at SAP SAPPHIRE NOW 2015 in Orlando, Florida, May 5-7! We will be presenting, “Secure the code that runs your business,” on Thursday, May 7th at 3pm in Center Demo Theatre PS605.

Labels: Fortify

HP Fortify Static Code Analyzer (SCA) & Software Security Center (SSC) 4.3 Available Now!

We are happy to announce new and exciting enhancements to our Fortify suite of application security offerings. Fortify customers can upgrade to the latest and greatest versions beginning today.

Foundations of an AppSec program: Part 2--The building codes

This is Part 2 in a series discussing the foundations of a good application security program. In Part 1, we discussed guiding philosophy. Additional topics will cover knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

HP Cyber Risk Report 2015: spotlight on the applications

In the modern era, you simply can't understand your true security risk unless you account for the applications. It’s one of the reasons the HP Security Research group (HPSR) places such a heavy emphasis on application vulnerabilities in its annual HP Cyber Risk Report. For the 2015 report, audits performed by Fortify on Demand (FoD) on over 375 mobile and 6,500 Web applications were analyzed to create the report’s application security findings. For highlights from this year's results, read the article.

Yet another SSL/TLS Vulnerability
In the past week or so, the factoring attack on RSA-EXPORT keys was revealed (CVE-2015-0204). This attack, also known as FREAK, has application developers and server administrators scrambling to develop patches and update configurations. This blog is an attempt to create a simplified explanation of this vulnerability.

Foundations of an Application Security program: Part 1--Guiding Philosophy

Post one in a series that will discuss the foundations of a good application security program. Some topics that will be covered are: philosophy, knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

XPATH Assisted XXE Attacks

When testing applications that employ XML, whether it be a web service for a mobile application or an ajax-mashup website, two of the main vulnerabilities you will see and hear about are XPath injection and XXE (XML External Entity) processing. While each of these on its own is an interesting vulnerability, there is a unique situation that allows you to chain the two together in order to read data off a target system.

Labels: Fortify

HP Fortify on Demand is the first Security SaaS to achieve FedRAMP Authorization

Fortify on Demand began the process of gaining FedRAMP certification back in February 2014. This was the work of a very small team, including Daniel Miessler, Eric Adams, Brooks Garrett, Chris Paire, and others. Thanks to all who have helped reach our goal.

What You Need to Know About the FREAK SSL Vulnerability

There's a new SSL vulnerability out called FREAK.

Here's what you need to know about it.

  • It's a cipher strength issue, i.e. it makes it easy to break keys in mere hours
  • Successfully breaking those keys means gaining access to the data encrypted in the SSL session
  • It's legacy functionality based on encryption export laws
  • The solution is to patch both the server side (your version of SSL in your webserver) and the client side (if you're using a vulnerable browser)
Labels: appsec| FREAK| infosec| SSL

Demystifying Shellcode

An introduction to shellcodes, what to do with them, and a few lessons on executing a successful exploit.

Labels: Fortify

Spam, phishing, and pharming: How secure are you?

Security should always have its place on top of the information we share, especially now when most people are face-down and focused on their communication devices. Cyber threats are just one click away.

Labels: Fortify

App Planet, the center of the HP Mobility Universe at Mobile World Congress

Mobile World Congress is just around the corner. Find out how Fortify on Demand is participating and why you should attend.

Application security is hard

It seems as though we can’t go a day without news breaking of the latest security breach to compromise an application or company. In today’s digital age, with many smart people creating applications and systems, why is securing them so difficult?

How secure is your IM?

The majority of us use some sort of instant messaging application daily. But are they really safe? Read this article to learn more about flaws found in instant messaging applications.

Achieving PCI DSS Compliance through HP Fortify SSA Framework

In HP’s Fortify Solution Consulting Group, we assist our customers in building effective and scalable application security programmes using our SSA (Software Security Assurance) framework. Hence, I often get asked if programmes built upon the SSA framework can help in fulfilling the PCI DSS Requirements related to Application Security.

The answer is: Yes!

IoT is the Frankenbeast of Information Security

It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge.

We started with network security, and even that isn't solid yet. But 20 years later we're doing pretty well there.

Then around 10 years ago we started talking about applications being the horizon technology, and we proceeded to build a global application portfolio ignoring the security lessons learned from the network world.

Then, five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications.

And now we have the Internet of Things (IoT). If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that.
