Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

What You Need to Know About the FREAK SSL Vulnerability

There's a new SSL vulnerability out called FREAK.


Here's what you need to know about it.


  • It's a cipher strength issue, i.e. it makes it easy to break keys in mere hours
  • Successfully breaking those keys means gaining access to the data encrypted in the SSL session
  • It's legacy functionality based on encryption export laws
  • The solution is to patch both the server side (your version of SSL in your webserver) and the client side (if you're using a vulnerable browser)


Tags: appsec| FREAK| infosec| SSL

Information Security as an Emergent Property


Earlier today I heard Jason Schmitt say something worth exploring: He referred to information security as an emergent property.


Emergence is a fascinating concept. It basically means that when simple things combine to a certain degree, new properties, patterns, and behaviors develop that often cannot be explained or understood in the context of their components.


It's difficult to explain human happiness in terms of the strong and weak nuclear force, for example. Or to reduce an economic law like supply and demand down to covalent bonds...


Validating SQL injection security findings with WebInspect’s SQL Injector tool

In the process of application security testing, vulnerability scanning tools like HP WebInspect will report that they’ve found a SQL injection vulnerability. Because this type of vulnerability will sometimes produce a false positive, it is important to validate the finding.

Tags: Fortify

3 Things to Know About the Shellshock Vulnerability

The Shellshock bug, which is based on a vulnerability in Bash, is getting more serious as people realize its potential.


There is significant conversation and speculation regarding this issue, and in this short article we'll simplify things down to the three (3) basics you should know:


1) What the vulnerability is, 2) the potential downsides, and 3) how to protect yourself.

How to Properly Defend Your Applications Against Authentication Attacks

The recent celebrity hack has raised awareness around an important topic: authentication security in your applications.


We don't yet have all the details, but we have enough to prompt a reminder to those who build applications of any type--especially web applications--that there are multiple authentication surface areas that you must secure when defending your app.


Read on to see what needs to be done…

Come Play HP's Capture the Flag Event at BlackHat

It's that time again for the annual InfoSec pilgrimage to Las Vegas.


HP has been at BlackHat for a number of years in the past, but this year we'll be there in force. We have a rather large booth this year, tons more staff, many more of our technical team attending, and, most importantly: A CTF!


Tags: ctf| infosec

Introducing the OWASP Internet of Things Top 10

We're highly enthused to announce the initial (draft) version of the OWASP Internet of Things Top 10 project.


This project highlights ten key areas of risk for Internet of Things devices that span multiple attack surface areas.


HP Fortify on Demand has just completed a research project using this project as the basis for its testing methodology. Expect to hear about findings from this very soon.

Tags: appsec| infosec| IoT

Thoughts on the Heartbleed Bug

The Heartbleed bug is big. It's bigger than most thought it was when they heard about it, and now that the patching dance has begun, people are finally starting to feel the weight of it.


In this short article, we'll cover some basics (what the bug is, what the risks are to organizations) and we'll offer some analysis and commentary, as well.

10 ways your mobile phone leaks your sensitive information

We all use mobile phones, but few of us are aware of how careless they can be with our information.


It's not really the phones by themselves, though. It's the applications and how they interact with the operating system.


This article will walk through a few of the common dangers to your data security and privacy that come from poorly coded mobile applications.

The Secure Web Series, Part 3: Protecting Against Cross-site Request Forgery (CSRF)

In Part 3 of the Secure Web Series, we'll be talking about Cross-site Request Forgery (CSRF). CSRF is a wicked vulnerability that allows attackers to force victims to perform actions without their knowledge.


We'll be talking about what CSRF is, how to look for CSRF within your own applications, and how to defend against it.

The Secure Web Series, Part 1: Securing Your Password Reset Mechanism

Welcome to a new series on how to avoid common web application vulnerabilities, called The Secure Web Series.

In this series of posts I'll be exploring some of the most common vulnerabilities we see in our testing practice here at Fortify on Demand. The focus of the series will be on vulnerabilities that aren't easily identified via automation, as these are harder to find using readily available tools and many testing offerings tend to miss them during assessments.
In this first installment, we'll be talking about vulnerabilities in the Password Reset Mechanism.

When To Choose Static vs. Dynamic Testing for a Website

Here at Fortify on Demand we often get asked whether it's best to perform an ad hoc website assessment using static or dynamic testing.


Happily, we have the option to recommend either or both with our suite of solutions, but separate from products it's worth looking at what sort of criteria would go into making such a decision.



Certificate Pinning for Mobile Applications


Here at Fortify on Demand, one of the most common surprises for customers when they see their results from one of our Mobile Application Assessments is that we were able to view and modify all traffic passing between their mobile device and their mobile backend—commonly called a Man in the Middle (MiTM) attack.


Certificate Pinning is a solution that many implement to counter this, but there is a general lack of understanding around the technique. Many think (incorrectly) that it's a silver bullet for traffic interception and aren't aware of the potential downsides.


This article will give an overview of mobile certificate pinning and will cover basics, misconceptions, implementation, gotchas, and generally get you up to speed on the topic.

Mobile Security: Threat Modeling Apple's TouchID



There are three main ways that mobile devices are attacked. With TouchID, Apple is trying to increase mobile device security and protect your device from attacks.


But is it really effective? Keep reading to hear my thoughts on this technology and what it means for InfoSec.


Tags: 5s| apple| iphone| TouchID

Are developers responsible for the security of their code?


One debate that remains incandescent in the security world is the question of "How much developers should be held accountable for the security of the applications they build?"

Many argue that security should be handled by security professionals, i.e., that infosec types should stop rubbing developers’ noses in their mistakes and instead focus on making security transparent so developers don’t need to think about it.

This is mostly a horrible idea. Continue reading to find out why I think this idea could use a renovation.

Understanding and Validating Cross-site Request Forgery



Cross-site Request Forgery--often written CSRF and pronounced "Sea-surf"--is a common web application vulnerability that's far too misunderstood. It's stunning to see the number of experienced professionals in our space who struggle even to describe how CSRF differs from XSS--let alone how to validate it or defend against it.


This article will discuss the basics of the vulnerability, how to validate that it's present in real-world applications, some common attack vectors, and ways to defend against it.


Tags: appsec| CSRF| infosec

Ending the Debate: Vulnerability Assessment vs. Penetration Testing


Few topics in the infosec world create as much heat as the classic "vulnerability assessment vs. penetration test" debate, and it's no different in the web application security space. Sadly, the discussion isn't usually around which is better. That would actually be an improvement. Instead the debate is usually semantic in nature, i.e. the flustered participants are usually disagreeing on what the terms actually mean. Step 1: agree on terms.

So, I'll be ambitious and tackle both subcomponents of the debate here: 1) what the terms actually mean, and 2) which is better for organizations to pursue.

Web Vulnerability Assessment vs. Web Penetration Test


It's worth stating explicitly that these two types of security test are in fact quite different. Many make the mistake of thinking that a penetration test is simply a vulnerability assessment with exploitation, or that a vulnerability assessment is a penetration test without exploitation. This is incorrect. If that were the case then we'd simply have one term that we'd qualify with "with or without exploitation".


A web application vulnerability assessment is fundamentally different from a penetration test because its focus is on creating a list of as many findings as possible for a given web application. A penetration test, on the other hand, has a completely different purpose. Rather than yield a list of problems, a penetration test's focus is the achievement of a specific goal set by the customer, e.g. "dump the customer database", or "become an administrative user within the application". Also important to note is the fact that a penetration test is successful if and when the goal is achieved--not when a massive list of vulnerabilities is produced. That's what a vulnerability assessment is for.




Some are tempted to say that this is a goal-based penetration test. My question to them is simple: "As opposed to what other type?" Penetration testing is goal-based. That's its entire purpose. Even a customer direction as nebulous as "see what you can do" is absolutely a goal. It's an implicit goal of getting as far as you can given whatever constraints are in place.


The question of exploitation is another obstacle to clarity on this topic. Many have a simple binary switch for using the terms: "If there's exploitation it's a penetration test and if not it's a vulnerability assessment." Again, the key difference here is list-based vs. goal-based--not exploitation. It's possible to do (or not do) exploitation in both types of test. You can have a web vulnerability assessment where you are to exploit anything you find, and you can have a penetration test where you are asked to confirm that you can do something but not do it. Exploitation is an independent attribute that can be attached to either type of test.


When to Use One vs. the Other


Now that we see a distinction between terms, the next question is, "Which one is best?" Which should we be offering customers? As you may expect, the answer is that it depends on the customer and the project, but in my experience the answer will usually end up being a vulnerability assessment. Why? Because a vulnerability assessment (getting a list of everything that needs fixing) is usually where most customers are in terms of maturity.


To tightly summarize:




For questions or comments I can be reached at and on Twitter at @danielmiessler.

HP Software Solutions Blog