Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organization secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

Displaying articles for: March 2014

The Vuln Less Common series, Part 1: Mass Assignment Vulnerabilities

search-icon-red-th.pngIn this series, we'll seek to go beyond the well-known and dive into some of the less common, but still significant, vulnerabilities often overlooked.

Tags: fod| Fortify
Labels: HP| security

HP WebInspect Integration with HP TippingPoint

A week ago I blogged about the WebInspect integration with F5 Networks.  Many may have noticed that in one of the pictures I uploaded there is also the option to send results to HP TippingPoint.

Security Fundamentals Part 1: Fail Open vs. Fail Closed

OpenClosed.pngIn this series we will explore several core security concepts and discuss how they relate not just to security teams but also to software development teams.  Part one covers the concept of Fail Open vs. Fail Closed.

This just in from APPSEC APAC in Japan

The OWASP Japan Chapter  hosted the Global AppSec APAC 2014 Conference this week. Just a few years ago there was no OWASP chapter in Japan but this chapter has shown the most rapid growth of an OWASP chapter ever, rivaled only by their enthusiasm. This event was attended by over 400 enthusiasts, not bad for a chapter that has only existed since 2011. And earlier this year Japan's second chapter was born in Kansai. The future of APPSEC is alive and well in Japan.

Bypassing web application firewalls using HTTP headers

2014-03-19_12-47-41.pngWeb application firewalls (WAF’s) are part of the defense in depth model for web applications.  While not a substitute for secure code, they offer great options for filtering malicious input. Below is a story from a real assessment where an enterprise deployment of such a device was vulnerable to being bypassed. The vulnerability is one of a bad design and/or configuration and as an attacker it was very useful. Read below to find out more!


HP WebInspect and F5 Integration

Do you know how long it takes your developers to fix a vulnerability in a web application? Even in a perfect world it could take days, or more likely, weeks to develop a fix for a vulnerability that was found in a production web application, push it through the QC department to make sure it doesn’t impact functionality, and then deploy it to production.  During those weeks the vulnerability is open to the world, waiting to be discovered and exploited.

The Secure Web Series, Part 3: Protecting Against Cross-site Request Forgery (CSRF)

Screen Shot 2014-03-10 at 3.13.15 PM.pngIn Part 3 of the Secure Web Series, we'll be talking about Cross-site Request Forgery (CSRF). CSRF is a wicked vulnerability that allows attackers to force victims to perform actions without their knowledge. 


We'll be talking about what CSRF is, how to look for CSRF within your own applications, and how to defend against it.

Release Announcement - Fortify on Demand

The Fortify on Demand development and product management teams work closely with our Technical Account Managers (TAMs) to add features and improve functionality that will help our customers get the most from their Fortify subscriptions. These updates are released bimonthly.

Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.