Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can use our products and services to better secure their applications. For more information, visit

Fortify on Demand Now Testing Swift Applications

With the release of the iPhone 6, iOS 8 and a number of other announcements, many will be focused on Apple for the next month or so when it comes to mobile and consumer electronics.


One of Apple's recent announcements was the creation and release of a new programming language, called Apple Swift.




Tags: Apple, mobile, Swift

10 ways your mobile phone leaks your sensitive information

We all use mobile phones, but few of us are aware of how careless they can be with our information.


It's not really the phones by themselves, though. It's the applications and how they interact with the operating system.


This article will walk through a few of the common dangers to your data security and privacy that come from poorly coded mobile applications.

5 Reasons Jailbreaking Your Phone is a Bad Idea

As you may already know, the Evasi0n7 jailbreak for iOS 7 was released during the holidays, and many scrambled to get it installed as soon as possible.


What many don’t know is how utterly bad jailbreaking is for your device. Let us count the ways…

Certificate Pinning for Mobile Applications


Here at Fortify on Demand, one of the most common surprises for customers reviewing the results of one of our Mobile Application Assessments is that we were able to view and modify all traffic passing between their mobile device and their mobile backend, an attack commonly called a Man in the Middle (MiTM) attack.


Certificate pinning is a solution that many implement to counter this, but there is a general lack of understanding around the technique. Many think (incorrectly) that it's a silver bullet against traffic interception and aren't aware of the potential downsides.


This article will give an overview of mobile certificate pinning and will cover basics, misconceptions, implementation, gotchas, and generally get you up to speed on the topic.

Mobile Security: Threat Modeling Apple's TouchID



There are three main ways that mobile devices are attacked. With TouchID, Apple is trying to increase mobile device security and protect your device from attacks. 


But is it really effective? Keep reading to hear my thoughts on this technology and what it means for InfoSec.  


Tags: 5s, Apple, iPhone, TouchID

2 Reasons iOS is More Secure Than Android



When I tell people I test the security of mobile applications, one of the most common questions they ask is, "Which platform is more secure: Android or iOS?"


There are many ways to answer this, but each of them has its issues. You can look at malware statistics, you can look at market share, you can look at lists of vulnerabilities. But at some point you're comparing apples and...well, not apples.


There are always other factors, one of which is the user base. Are people buying the cheapest phones available making the same security choices as those buying the more expensive and popular options? And if not, aren't we then dealing with poor security choices rather than an insecure platform?


Two Points


All of this being true, there are two reasons iOS will continue to be the more secure platform going forward. Not only will it remain more secure, but its lead in security will actually grow.

Tags: Android, iOS, mobile, security
About the Author(s)
  • Abhishek Rath is a Security Consultant with Fortify on Demand based out of New York City, New York. His areas of expertise are application security testing, risk management and building application security programs for the Global and Fortune 100. He can be reached at
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • hacker, developer, script junkie [python,ruby,php]
  • Hacks for a living.
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years of experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more.
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.
HP Blog

HP Software Solutions Blog
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.