Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit www.hp.com/go/fortify

Displaying articles for: November 2013

What Your Binary Says About You, Part 1: Hello, My (User) Name Is…

If you’ve ever run the “strings” command on an iOS binary, you know that quite a bit of information can be gleaned about an application just from the output of that one command. In the first part of our series examining iOS binary protections in more detail, we'll look at a specific information disclosure vulnerability and the Xcode settings required to prevent it from occurring.

Tags: appsec| iOS| mobile| Xcode

Fortify on Demand Mobile releases the HP Mobile Application Security Vulnerability Report

HP Fortify on Demand Mobile examined more than 2,000 mobile applications from more than 600 companies to ascertain the true current state of mobile application security. The statistics reveal in alarming detail just how far mobile application security efforts need to grow to catch up to the pace of mobile application development and innovation. Read the full post for more information concerning these findings.

SANS reviews HP WebInspect

The SANS Institute recently did an in-depth evaluation of WebInspect to determine how well it meets market demands and its effectiveness in securing web applications. Read the article for more information and links to download the report and watch the webinar.

Low Risk Mobile Vulnerabilities Can Lead to High Risk Exposure pt. 2

When we deliver results to customers on mobile assessments there is always a bit of a learning curve pertaining to risk levels assigned to certain findings. In most cases, by themselves, low risk vulnerabilities can be non-issues. This is true for appsec vulns or mobile vulns. In reality some companies do not even fix them.

In part two of this blog I’ll go over two new examples of vulnerabilities thought to be low risk but which yielded high-risk results. Hopefully this will remind people that combinations of these vulns (or bad applications of them) can be just as critical as any High risk finding on an assessment. We will use iOS examples below.

Heading to OWASP AppSec 2013

The annual AppSec conference is approaching, and this year looks to be a great one.

The talks and training look phenomenal for this year, and I'll be on a few panels myself: a mobile security discussion talking about real-world challenges facing companies today around BYOD, and a panel discussing upcoming changes to the OWASP Mobile Top 10.

Whether you're coming for training, talks, panels, networking, or just to visit NYC for a week, I definitely look forward to seeing you there.

We'll be at booth 21 on the vendor floor, and we're hosting a reception on Wednesday as well. Definitely reach out to me at @danielmiessler if you want to get together and chat while at the con.

For more information about the con, check out this post.

Tags: 2013| appsec| owasp

When To Choose Static vs. Dynamic Testing for a Website

Here at Fortify on Demand we often get asked whether it's best to perform an ad hoc website assessment using static or dynamic testing.

Happily, we have the option to recommend either or both with our suite of solutions, but separate from products it's worth looking at what sort of criteria would go into making such a decision.


About the Author(s)
  • Abhishek Rath is a Security Consultant with Fortify on Demand based out of New York City, New York. His areas of expertise are application security testing, risk management and building application security programs for the Global and Fortune 100. He can be reached at Abhishek.Rath@hp.com
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • http://www.danielmiessler.com/about
  • hacker, developer, script junkie [python,ruby,php]
  • Hacks for a living.
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.