Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organization secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

A New Look at Security - Pin Codes

A new look at Security

I see a lot of posts and information come across from various sources talking about new and exciting hacks or vulnerabilities that were discovered and what they mean to other security professionals. But what about those that are not full time security testers? I have been on plenty of calls with customers where the engineers, security managers and sales people on calls have no reference for what is being discussed. It is all too high-level.

So why not make security simple? I have been in a security mindset for most of my life, but information security or info-sec for short has really been a new experience for me, and I am sure for a lot of other people out there as well.

Tags: Pin Codes
Labels: 2014| authentication

Application Security...In an ideal scenario


As the software world just adopts new technology without thinking much about security, we need to start working towards creating a culture of accelerated security evolution with transparency.

Labels: Fortify

WebInspect Web Proxy Attack String Obfuscation Automation

Web Inspect.jpgSee how HP WebInspect Web Proxy application tool can be a useful feature for obfuscation of attack strings with various types of character set encodings to help bypass Web Application Firewalls (WAF).

User Enumeration: Too Much Information


Over the years, the state of application security and the awareness of application vulnerabilities has gradually improved. Developers are increasingly aware of common pitfalls and certain kinds of vulnerabilities are becoming less common. Despite that, there are still some basic application vulnerabilities which remain very common even long after being discovered and written about. One of those is User Enumeration.

Labels: Fortify

Insight on the SSLv3 POODLE Vulnerability

Poodle-3.jpgThe SSLv3 POODLE attack has been publicly released. Now the questions are being asked about the risks that are involved with the attack and what the steps are to mitigate. We will break down the POODLE attack to the basics to help answer these questions.

Securing our homes with outbound DNS Filtering

home sec.jpgRecently, there was a study released that 70 Percent of Internet of Things Devices are vulnerable to attack. As a security professional, and a parent, this made me think about the network security in my home. Lets explore one layer of security in this battle.


Labels: Fortify

HP Fortify Software Security Center and Static Code Analyzer 4.2 available now

The HP Fortify team is happy to release Fortify Software Security Center and Fortify Static Code Analyzer 4.2 

This release cycle continues our focus on productivity and helping AppSec teams get more from their testing programs.


Current customers can download upgrades at:


Let us know what you think and keep the feedback coming --

Labels: Fortify| release| SCA| SSC

WebInspect Plugin for Burp

Among the new features for the HP WebInspect 10.30 release that I wrote about in my last blog was a plugin for integrating HP WebInspect with PortSwigger’s Burp. The feature has garnered some attention in the last few days so I thought it was worth talking about on its own blog post. The plugin allows users of HP WebInspect to transfer vulnerability details back and forth between Burp and their WebInspect instance via the WebInspect API. This will empower customers currently using Burp as a part of their dynamic analysis process with a more efficient workflow.

Personal Security: Things you must do to Protect Your Online Identity

personal-security-why-you-should-always-use-https.jpgIn the spirit of National Cyber Safety Awareness Month, Geno Hermanos on the Fortify on Demand team put together a list of good practices for safe web behavior to help protect your online identity. Of course, these are just suggestions.

October in Application Security

On the heels of what was our busiest month this year, October is no less busy and it nearly got away from me. In fact, it just happens to be Cyber Security Awareness month.ncsam.jpg

Personal Security: Where is my Chip-Based Credit card?

personal Security | Chip based credit card.jpgIt's a wonder, with so many credit card breaches in the news, that the US is just beginning to implement a technology that is over a decade old. What is the technology and why did we wait so long?

Defending in Depth – The HTTP Strict Transport Security header

13792583873_2682af02b5_z.jpgOne (relatively) recent specification available to web applications, which provides an extra layer of protection, is the HTTP Strict Transport Security (HSTS) header. Despite it’s availability however, many developers still fail to utilize HSTS.

Building an Application Security Program – Part 4

This is the final post in the series of four posts. In the first post, we covered the overview of our 3 phase approach to build an application security program followed by a second post describing the first phase i.e. Assessment and 3rd post providing details on our second phase i.e. Design.


Today, we will discuss the final step i.e. implementing the application security program. This is the phase where we will make a decision on the strategy to implement and actually implement the program.2.png

WebInspect and WebInspect Enterprise 10.30 Now Available!

HP Fortify and the WebInspect team are proud to announce the release of WebInspect and WebInspect Enterprise 10.30. Current customers can upgrade WebInspect version 10.30 using the SmartUpdate utility. Additionally, customers can download the latest release from the ‘MY Updates’ portal.


64-roadsign.png    .Net picture.png


WebInspect 10.30

HP WebInspect 10.30 has several new features and many improvements to existing features:

  • Platform Upgrade – 64-bit and .Net 4.5.1
  • Underlying Performance Improvements
  • Expansion of the WebInspect API
  • Scan Comparison view enhancement
  • Scan Dashboard Visualization Improvements
  • Additional supported systems
  • Support for Windows Phone added to mobile testing

WebInspect Enterprise 10.30

WebInspect Enterprise 10.30 also contains new enhancements to existing features:

  • 64-bit WebInspect Enterprise Sensors
  • 64-bit WIE Admin Console
  • Scan Comparison view enhancement
  • Dashboard Enhancements

3 Things to Know About the Shellshock Vulnerability

openssl-feat.jpgThe Shellshock bug, which is based on a vulnerability in Bash, is getting more serious as people realize its potential.


There is significant conversation and speculation regarding this issue, and in this short article we'll simplify things down to the three (3) basic you should know:


1) What the vulnerability is, 2) the potential downsides, and 3) how to protect yourself.

iCloud Security: How do we get from here to there?

Recently, news about the leak of several celebrity photos of a compromising nature has A-lister’s and followers alike abuzz. Many of the celebs involved have claimed the photos are faked and some, like Mary E. Winstead, have stated that the images were taken and deleted years ago. This suggests her pictures were either stored in the cloud (e.g., iCloud storage), or were grabbed at the time.

Labels: Fortify

AppSec USA is this Week in Denver!

One of our favorite application security events is upon us. It seems like it was just yesterday that we were in NYC for AppSec 2013, which makes sense since it hasn't been a full year.European_Wasp.jpg

Labels: Fortify

Modern Hacking - May I have your password please?

One of the most important ways an organization can  protect its assets is password.jpgto ensure that usernames and passwords remain secret. In this article we will discuss one of the methods attackers can use to discover usernames and passwords and what you can do to prevent it.

Simplicity for application security—HP Application Defender

HP introduces HP Application Defender, the first application self-protection service managed from the cloud that provides immediate visibility and actively defends production applications against attacks. 

Fortify on Demand Now Testing Swift Applications

Apple_Swift_Logo.pngWith the release of the iPhone 6, iOS 8 and a number of other announcements, many will be focused on Apple for the next month or so when it comes to mobile and consumer electronics.


One of Apple's recent announcements was the creation and release of a new programming language, called Apple Swift.


Continue reading...


Tags: apple| mobile| Swift
Labels: Apple| mobile| Swift

The BREACH attack explained

breach_diagram.jpgBecause the BREACH attack has been difficult to understand for penetration testers and developers alike, the risk associated with this attack has been unclear. We are going to go through the basics of the attack to better determine the potential risk to vulnerable application servers.

Authenticated application security tests vs. unauthenticated



It’s generally true that unauthenticated tests are faster and cheaper than authenticated scans but are they really giving a complete picture of an application's security posture?

Cover your apps: How application security protects your enterprise

coveraps.jpgHP Protect is right around the corner! Watch this informative video where Paul Muller and Jacob West discuss how to cover your apps! 

Labels: Fortify

Security issues in WordPress XML-RPC DDoS Explained

A number of months ago a DDoS attack against a website used a functionality in all WordPress sites since 2005 as an amplification vector. According to one report more than 162,000 WordPress Sites sent requests to the target. 

Labels: DDoS| Wordpress| xml-rpc

How to Properly Defend Your Applications Against Authentication Attacks

Screen Shot 2014-09-03 at 8.44.24 AM.pngThe recent celebrity hack has raised awareness around an important topic: authentication security in your applications.


We don't yet have all the details, but we have enough to prompt a reminder to those who build applications of any type--especially web applications--that there are multiple authentication surface areas that you must secure when defending your app.


Read on to see what needs to be done…

HP Fortify on Demand Mobile Application Now Available

I am happy to announce a new way to monitor your application security while on the go. The HP Fortify on Demand mobile application for iPhone and Android is out of beta and officially available for download.  


Using the new Fortify on Demand app, users can:

  • View dashboards
  • Monitor status of ongoing assessments
  • View summary of findings
  • Drill down into vulnerabilities—Status, location, vuln type, description

Building an Application Security Program – Part 3

In this 3rd post in the series of four posts, we will discuss the proven approach to designing an effective and scalable application security program for an enterprise.



Labels: Fortify APJ
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
  • Abhishek Rath is a Security Consultant with Fortify on Demand based out of New York City, New York. His areas of expertise are application security testing, risk management and building application security programs for the Global and Fortune 100. He can be reached at
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • hacker, developer, script junkie [python,ruby,php]
  • Hacks for a living.
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.