Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit www.hp.com/go/fortify

Introducing the OWASP Internet of Things Top 10

We're highly enthused to announce the initial (draft) version of the OWASP Internet of Things Top 10 project.

This project highlights ten key areas of risk for Internet of Things devices that span multiple attack surface areas.

HP Fortify on Demand has just completed a research project using this project as the basis for its testing methodology. Expect to hear about findings from this very soon.

Tags: appsec| infosec| IoT

Fortify on Demand is now available in Spanish and Japanese

The most recent release of Fortify on Demand is a major one that includes new functionality (including localization!) and enhancements to API, reporting and support.

HP Fortify #Security Team judges Annual #ScriptEdHackathon

Back in November during AppSec USA, HP made a donation to a cool "kids and code" non-profit, ScriptEd in New York City. This month part of our team is back in the Big Apple for their annual Hackathon.

The Secure Web Series, Part 2: How to Avoid User Account Harvesting

Welcome to the second post in a series on how to avoid common web application vulnerabilities, called The Secure Web Series.

In this series of posts I'll be exploring some of the most common vulnerabilities we see in our testing practice here at Fortify on Demand. The focus of the series will be on vulnerabilities that aren't easily identified via automation, as these are harder to find using readily available tools and many testing offerings tend to miss them during assessments.

In the first post of the series we talked about Building a Secure Password Reset Mechanism, and in this installment we will cover Account Harvesting.

The Secure Web Series, Part 1: Securing Your Password Reset Mechanism

Welcome to a new series on how to avoid common web application vulnerabilities, called The Secure Web Series.

In this series of posts I'll be exploring some of the most common vulnerabilities we see in our testing practice here at Fortify on Demand. The focus of the series will be on vulnerabilities that aren't easily identified via automation, as these are harder to find using readily available tools and many testing offerings tend to miss them during assessments.

In this first installment, we'll be talking about vulnerabilities in the Password Reset Mechanism.

Heading to OWASP AppSec 2013

The annual AppSec conference is approaching, and this year looks to be a great one.

The talks and training look phenomenal for this year, and I'll be on a few panels myself: a mobile security discussion talking about real-world challenges facing companies today around BYoD, and a panel discussion on upcoming changes to the OWASP Mobile Top 10.

Whether you're coming for training, talks, panels, networking, or just to visit NYC for a week, I definitely look forward to seeing you there.

We'll be at booth 21 on the vendor floor, and we're hosting a reception on Wednesday as well. Definitely reach out to me at @danielmiessler if you want to get together and chat while at the con.

For more information about the con, check out this post.

Tags: 2013| appsec| owasp

Understanding and Validating Cross-site Request Forgery

Cross-site Request Forgery--often written CSRF and pronounced "Sea-surf"--is a common web application vulnerability that's far too misunderstood. It's stunning to see the number of experienced professionals in our space who struggle even to describe how CSRF differs from XSS--let alone how to validate it or defend against it.

This article will discuss the basics of the vulnerability, how to validate that it's present in real-world applications, some common attack vectors, and ways to defend against it.

Tags: appsec| CSRF| infosec
About the Author(s)
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • http://www.danielmiessler.com/about
  • hacker, developer, script junkie [python,ruby,php]
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more.
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.