Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organizations secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

Fortify on Demand Heartbleed Update

A more personal response to the Heartbleed fiasco and what the Fortify on Demand team is doing to protect customers.

Thoughts on the Heartbleed Bug

The Heartbleed bug is big. It's bigger than most thought it was when they heard about it, and now that the patching dance has begun, people are finally starting to feel the weight of it.

In this short article, we'll cover some basics (what the bug is, what the risks are to organizations) and we'll offer some analysis and commentary, as well.

Ethical hacking: is there a benefit when it comes to security?

Ethical, or legal, hacking is in the news every day. Is this really a saving grace for cybersecurity?

10 ways your mobile phone leaks your sensitive information

We all use mobile phones, but few of us are aware of how careless they can be with our information.

It's not really the phones by themselves, though. It's the applications and how they interact with the operating system.

This article will walk through a few of the common dangers to your data security and privacy that come from poorly coded mobile applications.

HP Security and CSC team up to announce AppSec on Demand

Cyber threats are on the rise and are growing in complexity. Read on to see how organizations can cut down on operational expenses while maintaining an aggressive security posture.

3 things you can do today to improve the security of your web or mobile application

Have you been thinking about taking steps to make sure your company isn't the next security breach headline? All the major software companies agree: it is better to do anything at all than do nothing. In other words, just get started.

Don’t Play the AppSec Blame Game: Positive Interactions Between the Security and Development Teams

Mark Twain said, “If you hold a cat by the tail you learn things you cannot learn any other way.” Now substitute “hold a cat by the tail” with “tell a developer their code stinks.” Either scenario will teach you valuable lessons, and both will give you scratches. But how do you minimize the scratches? By not playing the AppSec Blame Game.

The Vuln Less Common series, Part 1: Mass Assignment Vulnerabilities

In this series, we'll seek to go beyond the well-known and dive into some of the less common, but still significant, vulnerabilities that are often overlooked.

HP WebInspect Integration with HP TippingPoint

A week ago I blogged about the WebInspect integration with F5 Networks. Many may have noticed that in one of the pictures I uploaded there is also the option to send results to HP TippingPoint.

Security Fundamentals Part 1: Fail Open vs. Fail Closed

In this series we will explore several core security concepts and discuss how they relate not just to security teams but also to software development teams. Part one covers the concept of Fail Open vs. Fail Closed.

This Just in From APPSEC APAC in Japan

The OWASP Japan Chapter hosted the Global AppSec APAC 2014 Conference this week. Just a few years ago there was no OWASP chapter in Japan, but this chapter has shown the most rapid growth of any OWASP chapter ever, rivaled only by its enthusiasm. This event was attended by over 400 enthusiasts, not bad for a chapter that has only existed since 2011. And earlier this year Japan's second chapter was born in Kansai. The future of AppSec is alive and well in Japan.

Bypassing web application firewalls using HTTP headers

Web application firewalls (WAFs) are part of the defense in depth model for web applications. While not a substitute for secure code, they offer great options for filtering malicious input. Below is a story from a real assessment where an enterprise deployment of such a device was vulnerable to being bypassed. The vulnerability stemmed from bad design and/or configuration, and from an attacker's perspective it was very useful. Read below to find out more!


HP WebInspect and F5 Integration

Do you know how long it takes your developers to fix a vulnerability in a web application? Even in a perfect world it could take days, or more likely weeks, to develop a fix for a vulnerability that was found in a production web application, push it through the QC department to make sure it doesn’t impact functionality, and then deploy it to production. During those weeks the vulnerability is open to the world, waiting to be discovered and exploited.

The Secure Web Series, Part 3: Protecting Against Cross-site Request Forgery (CSRF)

In Part 3 of the Secure Web Series, we'll be talking about Cross-site Request Forgery (CSRF). CSRF is a wicked vulnerability that allows attackers to force victims to perform actions without their knowledge.

We'll be talking about what CSRF is, how to look for CSRF within your own applications, and how to defend against it.

Release Announcement - Fortify on Demand

The Fortify on Demand development and product management teams work closely with our Technical Account Managers (TAMs) to add features and improve functionality that will help our customers get the most from their Fortify subscriptions. These updates are released bimonthly.

Open Source Security is the focus for Fortify/Sonatype Integration

Organizations want visibility into both the security vulnerabilities that exist in their application code and the known security and license vulnerabilities in open source components used within their applications. A just-released integration of open source analysis within Fortify on Demand gives users that visibility.

The Secure Web Series, Part 2: How to Avoid User Account Harvesting

Welcome to the second post in a series on how to avoid common web application vulnerabilities, called The Secure Web Series.

In this series of posts I’ll be exploring some of the most common vulnerabilities we see in our testing practice here at Fortify on Demand. The focus of the series will be on vulnerabilities that aren’t easily identified via automation, as these are harder to find using readily available tools and many testing offerings tend to miss them during assessments.

In the first post of the series we talked about Building a Secure Password Reset Mechanism, and in this installment we will cover Account Harvesting.

Is it love, or your sensitive data, in the air this Valentine’s Day?

Users of popular dating apps may find love easier, but are they giving away sensitive information to get it?

The Secure Web Series, Part 1: Securing Your Password Reset Mechanism

Welcome to a new series on how to avoid common web application vulnerabilities, called The Secure Web Series.

In this series of posts I’ll be exploring some of the most common vulnerabilities we see in our testing practice here at Fortify on Demand. The focus of the series will be on vulnerabilities that aren’t easily identified via automation, as these are harder to find using readily available tools and many testing offerings tend to miss them during assessments.

In this first installment, we'll be talking about vulnerabilities in the Password Reset Mechanism.

Application Security SaaS Vendors: Why Fortify on Demand is the right choice

On a daily basis I get asked by prospects why they should choose Fortify on Demand (FoD) over other Application Security SaaS vendors. Over the next few months I intend to answer those questions and bring clarity as to why FoD is highly unique in the marketplace and experiencing remarkable growth.

Your Compliance Auditor Needs Access – Choose Your Security Tools Wisely

Do you like running reports over and over again when your compliance auditor comes to call? Or would you rather sit your auditor in front of a screen with all the access to data that he needs, then walk off and get your job done? If it's the former, stop reading because you have some issues that we probably can't fix. If it is the latter, then read on for some ideas.

Games and Security

We love gaming at Fortify. We also love security. So we just launched a new project. The aim is to design a new OWASP project to help classify the diverse types of game hacks that exist for some of the world’s biggest game types. We are hoping this will benefit the game industry as a whole. The project aims to classify past problems in games, break down those flaws as much as possible (technically), and create a do-not-do list of flaws that new game companies (we love you QA engineers) can reference when creating new games. Read more about this alpha project.

SecLists: A Security Tester's Companion

As security testers we always need good lists. Whether we're doing netpen, web assessments, or even forensics or static analysis, having a solid source of usernames, passwords, strings used for grep searches, etc. is critical.

SecLists is an OWASP project that consolidates all these lists into one place. It includes multiple types of lists, such as usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, URL lists, and many more…

Should mobile device info be considered private? Some apps are pulling this data.

Should your device information be considered private? Some companies are pulling this data and most users don't know this is happening. Let's take a look at the type of info that a real mobile app collects from your device.

Why WAFs and MDM are not Security Silver Bullets

Application security is tough to accomplish, and people often fall to the temptation to look for a silver bullet that solves the problem. Two of these potential “silver bullets” are the good old web application firewall (WAF) and the relatively new Mobile Device Management (MDM). Let’s take a look at these two products to see why they are not silver bullets and where they can fit as pieces of an application security program.

5 Reasons Jailbreaking Your Phone is a Bad Idea

As you may already know, the Evasi0n7 jailbreak for iOS7 was released during the holidays, and many scrambled to get it installed as soon as possible.

What many don’t know is how utterly bad jailbreaking is for your device. Let us count the ways…

Creating an iOS7 Application Assessment Environment

Now that you have your shiny new Evasi0n7 jailbreak running, it's time to set up the environment for application testing!

Happy Holidays from the Fortify Security Team (and OddTodd).

OddTodd shares some of his most interesting gifts and the one he wished he got.

What Your Binary Says About You, Part 2: I'm Not Worried About Exploits!

When an attacker analyzes your binary, you don't want it to reveal a developer who throws caution to the wind! In the second part of our series on iOS binary protections, we'll examine settings that detect and mitigate buffer overflow attacks.

WebInspect Demo Site Update

The web site used by the WebInspect product to demonstrate its functionality and effectiveness was significantly upgraded earlier this year. The new version was developed to allow WebInspect to showcase its enhanced capabilities against a website that more closely imitates the atmosphere of the modern web.

About the Author(s)
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand. Hacker, developer, script junkie [python, ruby, php].
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand. I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking. US Army veteran. IT and infosec professional since 1994. Founder of HouSecCon. aka m1a1vet.
  • Rick Dunnam is an IS security professional with 15+ years of experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more.
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.