Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organization secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit

Demystifying Shellcode

An introduction to shellcodes, what to do with them, and a few lessons on executing a successful exploit.

Labels: Fortify

Spam, phishing, and pharming: How secure are you?

Security should always have its place on top of the information we share, especially now when most people are face- down and focused on their communication devices. Cyber threats are just one click away.



Labels: Fortify

App Planet, the center of the HP Mobility Universe at Mobile World Congress

MWC_Barcelona.pngMobile World Congress is just around the corner. Find out how Fortify on Demand is participating and why you should attend.

Application security is hard

Doh.jpgIt seems as though we can’t go a day without news breaking of the latest security breach to compromise an application or company. In today’s digital age, with many smart people creating applications and systems, why is securing them so difficult?

How secure is your IM?

smile emoji.pngThe majority of us utilizing some sort of instant messaging appliction daily. But are they really safe? Read this article to learn more about flaws found in instant messaging applications. 

Achieving PCI DSS Compliance through HP Fortify SSA Framework

In HP’s Fortify Solution Consulting Group, we assist our customers in building effective and scalable application security programmes using our SSA (Software Security Assurance) framework. Hence, I often get asked if programmes built upon the SSA framework can help in fulfilling the PCI DSS Requirements related to Application Security.


The answer is: Yes!




IoT is the Frankenbeast of Information Security

It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge.


We started with network security, and even that isn't solid yet. But 20 years later we're doing pretty well there.


Then around 10 years ago we started talking about applications being the horizon technology, and we proceeded to build a global application portfolio ignoring the security lessons learned from the network world. 


Then, five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications.


And now we have the Internet of Things (IoT). If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that.

Your TVs Are Watching You Back

telesurveillance-f7000-f8000-samsung.jpgWe've all heard the dystopian thrashings about how "in the future" your TV might be watching you just like you're watching it.


Unfortuanely, that time seems to have arrived already.


One of the world's largest manufacturers of modern televisions just updated its privacy statement to say the following:


"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

Information Security as an Emergent Property


Earlier today I heard Jason Schmitt say something worth exploring: He referred to information security as an emergent property.


Emergence is a fascinating concept. It basically means that when simple things combine to a certain degree, new properties, patterns, and behaviors develop that often cannot be explained or understood in the context of their components.


It's difficult to explain human happiness in terms of the strong and weak nuclear force, for example. Or to reduce an economic law like supply and demand down to covalent bonds...


Capture the Flag: One of the best team building events ever!

ctf1.jpgEngaging security staff can be difficult. We're here to give you a little secret of ours, Capture the Flag competitions rock. Here at Fortify on Demand we have done internal CTF's at application security events several years in a row with great success. These games can be for more than just engineers, in fact, we have done several for our account managers and sales folk! We even did one at BlackHat USA last year for everyone! Join us as we give you some tips and tools on creating a great event.

Fortify on Demand recognized as Best SaaS

winner-2014-15.jpgIn its fourth year and recognized as the de facto recognition platform in the international Cloud Computing space, the Cloud Awards recently announced the 2014-15 winners. HP Fortify on Demand made the final cut.

Curiosity and the "hacking" mindset



I have always been curious. Too curious sometimes.


Curiosity drives me. I was in school to learn how to develop software, but found taking it apart much more interesting.

Thoughts from “Blackhat” the movie

or ‘How I stopped worrying and started to love the SCADA bomb’

I recently saw “Blackhat”, and part of the plot made me wonder if certain parts of the vulnerability world had changed much.

Owning SQLi vulnerability with SQLmap

Injection flaws, often found in legacy code, is the #1 security risk on the OWASP Top 10. SQLi (or SQL Injection) is an injection flaw attack method defined as "insertion or "injection" of a SQL query via the input data from the client to the application".


This blog aims to give you the nuts & bolts on using SQLmap and learn basic techniques to properly evaluate SQLi injections and understand some SQL attack methods.


Posted on behalf of Medz Barao, Fortify on Demand Security Team.

Integrated security: Next-Generation secure web application development

hp secure.jpgWhat does the future look like for web application security defense? While there have been many advancements in web application firewalls (WAF), a WAF cannot fully understand the functionality and implication of each and every custom web application. 


How would the web application security landscape change if we could build security enhancements that fully understood your custom web application?

Application Security and Client-initiated Renegotiation

How this hack from the past is still alive and well and why performing server checks are still a required area of concern when performing a dynamic application assessment.

Labels: Fortify

Burp tips & tricks

When searching for an integrated platform for security testing, Burp Suite has always been one of the favorite tools of application security testers. For good reasons! It’s easy to use, it’s not platform dependent and, in the right hands, it can do wonders. It’s definitely a great value for the money.


This post is on behalf of Jayson Vallente from our Dynamic testing team.

POODLE strikes back--this time affecting TLS security protocol

The POODLE vulnerability is back in the news, but now it’s affecting the TLS security protocol. Security researchers have now discovered that the issue also affects some implementations of TLS in products that don’t properly check the structure of the “padding” used in TLS packets.

Labels: Fortify

Poor Mobile Auth

M5.pngMany mobile applications suffer from weak authentication and authorization schemes. In fact, Poor Mobile Authorization and Authentication is #5 on the OWASP list of Top 10 Mobile Risks. Some common mobile auth flaws include weak password rules (i.e. 4 digit pins), exploitable remember-me functionality, and broken authorization controls. These weaknesses could lead to sensitive information disclosure as well as other severe implications.

Labels: Fortify

Tokenization - The future of e-commerce transaction security

Credit cards are one of the most common forms of payment for e-commerce.  Consumers are still inputting their name, date of birth, and chain of numbers from their credit card to complete a transaction.  This is not only inconvenient, but also not very secure.  Credit card transactions over the internet expose sensitive cardholder information both in the communication and storage of the data.  Thanks to the adoption of the EMV standard POS (point of sale) credit card transaction security has been improved but what can be done to improve security of e-commerce credit card transactions?

Fortify on Demand Year in Review 2014

As we close out 2014, I’d like to reflect on the great progress the Fortify on Demand team has made throughout the year.

Labels: Fortify

Do you know where your mobile application’s data is going?

Mobility_RGB_blue_NT.pngAt Fortify on Demand, we frequently test mobile applications that communicate with many web-endpoints, including some surprising sites. Developers often implement some type of functionality that unknowingly sends data to third-party web backends. This is frequently seen in advertising and analytic frameworks. Do you know where you mobile application’s data is going?

Application Security Testing – A journey from XSS to System Shell


Is it possible to go from a Cross-Site Scripting (XSS) flaw to obtain a system shell? During a web application security test earlier this year, I noticed an XSS flaw that allowed me to do just that. So how do we go from XSS to server access? Read on to find out!



When to Get a Penetration Test vs. A Vulnerability Assessment

Nmap_logo.pngMany organizations are eager to start their security efforts with penetration testing. This is understandable given that penetration testing sounds cool and is easy to sell.


The problem is that in the vast majority of cases, organizations will largely be wasting their money on a penetration test when compared to other available security assessment offerings.


In this short piece, we'll take a look at some of the security offerings that are commonly available with the hopes of helping you pick the best option…

Application Security training on-the-cheap

2014-12-15_14-02-56.pngThere's no denying that having an appsec savvy crew of IT professionals on hand, even if they are not dedicated to security, can mitigate costs. It speeds up remediation times, improves communication with your devs/consultants, and generally provides better peace of mind. Join us in the article below outlining our favorite free training resources to get your IT staff up to speed in appsec!

Network Infiltration – Part 2: Bypassing Fingerprint Biometrics

fingerprintLast time, we got inside our target network via a rogue wireless access point that we were able to exploit because of its weak security implementation.


This time, we’re going to try and escalate what we can do inside the network.

SAP and HP Fortify team up to bring application security solutions to SAP customers

Today we’re able to announce an exciting new partnership between HP Fortify and SAP where SAP will now resell HP Fortify application security software as part of its quality assurance solutions portfolio to SAP customers.

Network Infiltration – Part 1: Rogue Wireless Access Point

regin.jpgUnless you hack for a living like I do, you might not realize how incredibly easy it is to infiltrate a network – and how very important software security is.


In this two part series we will go through multiple phase of exploiting vulnerabilities from wireless networks to a biometric system that controls access to doors and other network devices. By the end we’ll go from someone with zero to full access both physically and through digital networks.

Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.