Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

Application security is hard

It seems as though we can’t go a day without news breaking of the latest security breach to compromise an application or company. In today’s digital age, with many smart people creating applications and systems, why is securing them so difficult?

How secure is your IM?

The majority of us use some sort of instant messaging application daily. But are they really safe? Read this article to learn more about flaws found in instant messaging applications.

Thoughts from “Blackhat” the movie

or ‘How I stopped worrying and started to love the SCADA bomb’

I recently saw “Blackhat”, and part of the plot made me wonder if certain parts of the vulnerability world had changed much.

Validating SQL injection security findings with WebInspect’s SQL Injector tool

In the process of application security testing, vulnerability scanning tools like HP WebInspect will report that they’ve found a SQL injection vulnerability. Because scanners sometimes report false positives for this class of vulnerability, it is important to validate the finding.

Tags: Fortify

Top 5 Application Security Posts of 2014

In case you missed them or want to revisit these posts, we decided to call out our top blogs of 2014.

Application Security Testing – A journey from XSS to System Shell

Is it possible to go from a Cross-Site Scripting (XSS) flaw to obtain a system shell? During a web application security test earlier this year, I noticed an XSS flaw that allowed me to do just that. So how do we go from XSS to server access? Read on to find out!

Application Security training on-the-cheap

There's no denying that having an appsec-savvy crew of IT professionals on hand, even if they are not dedicated to security, can mitigate costs. It speeds up remediation times, improves communication with your devs/consultants, and generally provides better peace of mind. Join us in the article below outlining our favorite free training resources to get your IT staff up to speed in appsec!

SAP and HP Fortify team up to bring application security solutions to SAP customers

Today we’re able to announce an exciting new partnership between HP Fortify and SAP where SAP will now resell HP Fortify application security software as part of its quality assurance solutions portfolio to SAP customers.

December in Application Security: HP Discover in Barcelona

December is not jam-packed with events, but there is one special reason to go to Spain every holiday season: HP Discover.

Tags: appsec | December

Clickjacking and the X-Frame-Options Header

Sounding like an attack right out of an action movie, Clickjacking can be particularly nasty. However, with the headers available today to web applications, there’s a viable option for defense.

The Future of CyberSecurity

The world we live in is changing rapidly and the pace is only going to accelerate. The impact of these changes will be immense. Changes in technology and the way we use it will impact each and every one of us. And one of the biggest will be the impact to our online security: the ubiquity of online devices coupled with the use of intelligent machines will alter the security landscape forever.

Apple Pay, CurrentC, and Security

It's an exciting time for mobile payments, with two new technologies aiming to replace the decades-old practice of swiping the credit card.

Apple's Apple Pay offering is already launched, and it faces potential competition from CurrentC.

We'll take a look here at the two technologies and what they mean for consumer security and privacy.

Where Will The Next Big Application Security Vulnerability Come From?

Want to know where the next big security vulnerability will be found? Based on past history it will probably be in code that you have been using for years.

October in Application Security

On the heels of what was our busiest month this year, October is no less busy and it nearly got away from me. In fact, it just happens to be Cyber Security Awareness month.

Defending in Depth – The HTTP Strict Transport Security header

One (relatively) recent specification available to web applications, which provides an extra layer of protection, is the HTTP Strict Transport Security (HSTS) header. Despite its availability, however, many developers still fail to utilize HSTS.

Application-Level Denial of Service Testing Doesn’t Have To Be Dangerous

Worried about application-level Denial of Service testing? Let me help put you at ease.

Authenticated application security tests vs. unauthenticated

It’s generally true that unauthenticated tests are faster and cheaper than authenticated scans, but do they really give a complete picture of an application's security posture?

September in Application Security

There couldn't be a busier month for Application Security and the HP Fortify team.

Fix it before you find out it's broken: Integrating security into your SDLC

Start remediating your vulnerabilities before you test your applications.

Tags: infosec | SDLC

Security Demystified: SQL Injection

Despite very good options for defense, SQL injection is still one of the most common vulnerabilities found across web applications. What is it, and how can we defend against it?

Application Security during Government Shutdown

We’re in the middle of a government shutdown, and the Wall Street Journal just published an article about how the government is handling cybersecurity risk during the interruption.

Keep reading to find out how having a "skeleton crew" keeping an eye on things might just not be enough.
