Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure their applications and prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can use our products and services to better secure their applications. For more information, visit

You're Invited to a Software Security Assurance Summit!

Please be our guest at one of 7 events in an upcoming Software Security Assurance Summit Series put on by T.E.N. and sponsored by HP Enterprise Security.

Foundations of an AppSec Program: Part 3--Key phases of the SDLC

Post 3 in a series that discusses the foundations of a good application security program. Some topics that are covered are: philosophy, knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

WebInspect Enterprise 10.40 Release - available NOW!

HP Fortify and the WebInspect Dynamic Application Security Testing (DAST) team are proud to announce the release of WebInspect 10.40. Current customers can upgrade their WebInspect Enterprise sensors to version 10.40 using the SmartUpdate utility. Customers may also download the latest release from the My Software Updates portal.

Foundations of an AppSec program: Part 2--The building codes

This is Part 2 in a series discussing the foundations of a good application security program. In Part 1, we discussed guiding philosophy. Additional topics will cover knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

Foundations of an Application Security program: Part 1--Guiding Philosophy

Post one in a series that will discuss the foundations of a good application security program. Some topics that will be covered are: philosophy, knowing your assets, key components in the SDLC, testing strategies, reporting, and auditing. Your feedback is always welcome.

Labels: Fortify

XPATH Assisted XXE Attacks

When testing applications that employ XML, whether a web service for a mobile application or an AJAX mashup website, two of the main vulnerabilities you will see and hear about are XPath injection and XXE (XML External Entity) processing. While each of these is an interesting vulnerability on its own, there is a unique situation that allows you to chain the two together in order to read data off a target system.

Labels: Fortify

Demystifying Shellcode

An introduction to shellcodes, what to do with them, and a few lessons on executing a successful exploit.

Labels: Fortify

Spam, phishing, and pharming: How secure are you?

Security should always take its place on top of the information we share, especially now, when most people are face-down and focused on their communication devices. Cyber threats are just one click away.



Labels: Fortify

Application Security and Client-initiated Renegotiation

How this hack from the past is still alive and well, and why server checks are still a required area of concern when performing a dynamic application assessment.

Labels: Fortify

Validating SQL injection security findings with WebInspect’s SQL Injector tool

In the process of application security testing, vulnerability scanning tools like HP WebInspect will report that they’ve found a SQL injection vulnerability. Because this type of vulnerability will sometimes produce a false positive, it is important to validate the finding.

Labels: Fortify

POODLE strikes back--this time affecting TLS security protocol

The POODLE vulnerability is back in the news, but now it’s affecting the TLS security protocol. Security researchers have now discovered that the issue also affects some implementations of TLS in products that don’t properly check the structure of the “padding” used in TLS packets.

Labels: Fortify

Poor Mobile Auth

Many mobile applications suffer from weak authentication and authorization schemes. In fact, Poor Mobile Authorization and Authentication is #5 on the OWASP list of Top 10 Mobile Risks. Some common mobile auth flaws include weak password rules (e.g., 4-digit PINs), exploitable remember-me functionality, and broken authorization controls. These weaknesses could lead to sensitive information disclosure as well as other severe consequences.

Labels: Fortify

Fortify on Demand Year in Review 2014

As we close out 2014, I’d like to reflect on the great progress the Fortify on Demand team has made throughout the year.

Labels: Fortify

SAP and HP Fortify team up to bring application security solutions to SAP customers

Today we’re able to announce an exciting new partnership between HP Fortify and SAP where SAP will now resell HP Fortify application security software as part of its quality assurance solutions portfolio to SAP customers.

HP Application Defender extends capabilities

HP Application Defender launches additional capabilities including protection for .NET applications, robust reporting capabilities, and online try-and-buy ability.

Labels: Fortify

November in Application Security

We're over the hump in terms of the calendar year, but for HP it's the beginning of our first quarter, fiscal year 2015. November is traditionally a month to spend time with family, but I thought you might find a few events and webinars that will help you get a start on your security planning for 2015.

Labels: appsec | Fortify

Application Security...In an ideal scenario


As the software world adopts new technology without thinking much about security, we need to start working toward a culture of accelerated, transparent security evolution.

Labels: Fortify

WebInspect Web Proxy Attack String Obfuscation Automation

See how the HP WebInspect Web Proxy tool can be used to obfuscate attack strings with various character-set encodings that help bypass Web Application Firewalls (WAFs).

User Enumeration: Too Much Information


Over the years, the state of application security and the awareness of application vulnerabilities has gradually improved. Developers are increasingly aware of common pitfalls and certain kinds of vulnerabilities are becoming less common. Despite that, there are still some basic application vulnerabilities which remain very common even long after being discovered and written about. One of those is User Enumeration.

Labels: Fortify

Securing our homes with outbound DNS Filtering

Recently, a study was released reporting that 70 percent of Internet of Things devices are vulnerable to attack. As a security professional, and a parent, this made me think about the network security in my home. Let's explore one layer of security in this battle.


Labels: Fortify

HP Fortify Software Security Center and Static Code Analyzer 4.2 available now

The HP Fortify team is happy to release Fortify Software Security Center and Fortify Static Code Analyzer 4.2.

This release cycle continues our focus on productivity and helping AppSec teams get more from their testing programs.


Current customers can download upgrades at:


Let us know what you think and keep the feedback coming --

Labels: Fortify | release | SCA | SSC

October in Application Security

On the heels of what was our busiest month this year, October is no less busy, and it nearly got away from me. In fact, it just happens to be Cyber Security Awareness Month.

iCloud Security: How do we get from here to there?

Recently, news about the leak of several celebrity photos of a compromising nature has A-listers and followers alike abuzz. Many of the celebrities involved have claimed the photos are faked, and some, like Mary E. Winstead, have stated that the images were taken and deleted years ago. This suggests her pictures were either stored in the cloud (e.g., iCloud storage) or were grabbed at the time.

Labels: Fortify

AppSec USA is this Week in Denver!

One of our favorite application security events is upon us. It seems like it was just yesterday that we were in NYC for AppSec 2013, which makes sense since it hasn't been a full year.

Labels: Fortify

Simplicity for application security—HP Application Defender

HP introduces HP Application Defender, the first application self-protection service managed from the cloud that provides immediate visibility and actively defends production applications against attacks.

Cover your apps: How application security protects your enterprise

HP Protect is right around the corner! Watch this informative video where Paul Muller and Jacob West discuss how to cover your apps!

Labels: Fortify

Keep hackers out—Managing your application security

The network is secure, so how can hackers break into an enterprise to steal sensitive data? The answer: software.

Labels: Fortify

Header security – The new novelette

Do you want to provide extra layers of protection for your website users without a great deal of investment? With some simple HTTP header configurations, your website can strengthen its defenses against injection attacks, SSL enforcement issues, information aggregation, and more.

HP Software Solutions Blog