HP Fortify Software Security Content - Update 4

HP Software Security Research is pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2013.4.0.0007), and HP Fortify Premium Content.

 

HP SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications. In summary, the release includes the following features:

 

Advanced BREACH Attack Detection

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) is a side-channel attack that could allow attackers to steal sensitive information from HTTP responses that reflect user-controlled input and are compressed with gzip, even when the application is served over an SSL/TLS channel.
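The three preconditions named above (TLS, HTTP-level compression, and a response that compresses attacker-influenced input together with a secret) are what a scanner check looks for. The following added example is not code from the original announcement or from HP; it checks a constructed sample response for those preconditions and shows per-response token masking, one of the mitigations used in practice so that the literal secret bytes never appear in the compressed body. The response structure, the allow-listed header names and the placeholder token value are all assumptions made for the example.

```python
import gzip
import secrets

# Constructed sample response (not taken from the announcement): served over
# TLS, gzip-compressed, reflecting a user-supplied search term next to a
# per-session anti-CSRF token.
USER_INPUT = "widgets"
SESSION_TOKEN = b"7f3a9c1e2b4d"  # constructed placeholder secret
PLAIN_BODY = (
    b"<p>Results for: widgets</p>"
    b"<input type='hidden' name='csrf' value='7f3a9c1e2b4d'>"
)
SAMPLE_RESPONSE = {
    "scheme": "https",
    "headers": {"content-type": "text/html", "content-encoding": "gzip"},
    "body": gzip.compress(PLAIN_BODY),
}


def decode_body(response):
    """Return the plaintext body, transparently un-gzipping if needed."""
    body = response["body"]
    if response["headers"].get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


def breach_preconditions(response, user_input, secret):
    """Report which BREACH preconditions a response satisfies.

    The side channel needs all of: TLS (the attacker observes only lengths),
    HTTP-level compression, and a body in which attacker-influenced input and
    a secret are compressed together. Any one of them alone is not a finding.
    """
    headers = {k.lower(): v for k, v in response["headers"].items()}
    body = decode_body(response)
    checks = {
        "tls": response["scheme"] == "https",
        "compressed": headers.get("content-encoding", "").lower() == "gzip",
        "reflects_input": user_input.encode() in body,
        "contains_secret": secret in body,
    }
    checks["exposed"] = all(
        checks[k] for k in ("tls", "compressed", "reflects_input", "contains_secret")
    )
    return checks


def mask_token(token: bytes) -> bytes:
    """Per-response masking: emit mask || (mask XOR token) with a fresh mask.

    The literal token bytes never appear in the body, so the compressed length
    stops varying with how much of the token a reflected guess matches. Other
    mitigations are disabling compression for responses that reflect input, or
    keeping secrets out of such responses altogether.
    """
    mask = secrets.token_bytes(len(token))
    return mask + bytes(m ^ t for m, t in zip(mask, token))


def unmask_token(masked: bytes) -> bytes:
    """Recover the token from its masked form (server side, when submitted)."""
    half = len(masked) // 2
    mask, xored = masked[:half], masked[half:]
    return bytes(m ^ x for m, x in zip(mask, xored))


if __name__ == "__main__":
    print(breach_preconditions(SAMPLE_RESPONSE, USER_INPUT, SESSION_TOKEN))
    first, second = mask_token(SESSION_TOKEN), mask_token(SESSION_TOKEN)
    print(first != second, unmask_token(first) == SESSION_TOKEN)
```

Run against the sample response the check reports all four conditions and `exposed` as true; drop the `content-encoding` header (or serve the page uncompressed) and the finding disappears, which is exactly the point of the mitigation.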

 

OWASP Top 10 2013 and DISA STIG version 3.5 Compliance Templates

A new compliance template reports on the critical risks described in the OWASP Top 10 2013 release, and support is added for the latest version of the Defense Information Systems Agency (DISA) Application Security and Development STIG, version 3.5.

 

Intelligent Cross-Frame Scripting (XFS) Detection
Applies context-aware severity assignment based on the sensitivity of information.

 

Joomla! Arbitrary File Upload
Support for detecting vulnerable Joomla! versions that could enable attackers to gain control of a website through dangerous file uploads as described in CVE-2013-5576.

 

Offline SecureBase
Offline copies of SecureBase are now officially available with each update to HP Fortify Software Security Content. Please contact fortifytechsupport@hp.com for details.

 

 

HP Fortify Secure Coding Rulepacks (SCA)

With this release the Fortify Secure Coding Rulepacks detect 582 unique categories of vulnerabilities across 21 programming languages and spanning over 725,000 individual APIs. In summary, the release includes the following:

Windows Azure
Support for the Azure Storage API allows SCA to analyze applications built for Microsoft’s cloud platform. Support includes Resource Injection, Cross-Site Scripting, Path Manipulation, and Setting Manipulation and one new category: Cross-Site Scripting: Inter-Component Communication (Cloud).


Restlet Framework
Now, in addition to the existing REST coverage of JAX-RS, customers will be able to track security weaknesses through the Restlet 2.1 API. Support now includes the Restlet Framework, covering multiple editions (including Java SE, Java EE, Android, and GWT), and spanning 14 vulnerability categories. Supported categories include: Insecure Transport, Cross-Site Scripting and XML Entity Expansion Injection.


WebSockets
Support for Java JSR 356 WebSocket specification and Microsoft .NET WebSockets library and SignalR framework. In addition to supporting existing categories, two new categories have been added: Cross-Site WebSocket Hijacking and System Information Leak: SignalR Exposed JavaScript Proxy.
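Cross-Site WebSocket Hijacking arises because the browser attaches the user's cookies to the WebSocket handshake no matter which page opened the socket, so a server that authenticates the upgrade by cookie alone accepts sockets opened by any site. The following added example is not code from the announcement, from HP, or from any of the libraries named above; it shows a minimal handshake parser with a cookie-only acceptance check beside a hardened one that also requires the `Origin` header to match an exact allow-list. The allow-list, the handshake bytes and the header names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of origins permitted to open sockets (scheme, host
# and port must all match; no prefix or suffix matching).
ALLOWED_ORIGINS = {"https://app.example.com"}

# Constructed handshake requests: the first comes from the application's own
# page, the second from an unrelated site the victim happens to visit. Both
# carry the session cookie because the browser sends it regardless of origin.
LEGIT_HANDSHAKE = (
    b"GET /ws HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Origin: https://app.example.com\r\n"
    b"Cookie: session=placeholder-session-id\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
CROSS_SITE_HANDSHAKE = LEGIT_HANDSHAKE.replace(
    b"Origin: https://app.example.com", b"Origin: https://other.example.net"
)


def parse_handshake(raw: bytes) -> dict:
    """Split an upgrade request into its request line and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": request_line, "headers": headers}


def is_websocket_upgrade(headers: dict) -> bool:
    """True when the request asks for a WebSocket upgrade."""
    return (
        headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
    )


def accept_handshake_vulnerable(raw: bytes) -> bool:
    """Cookie-only check: any site can open an authenticated socket."""
    headers = parse_handshake(raw)["headers"]
    return is_websocket_upgrade(headers) and "cookie" in headers


def accept_handshake_hardened(raw: bytes, allowed=ALLOWED_ORIGINS) -> bool:
    """Cookie check plus an exact Origin allow-list; missing Origin is rejected.

    Browsers always set Origin on a WebSocket handshake, so a missing header
    means a non-browser client that should authenticate some other way.
    """
    headers = parse_handshake(raw)["headers"]
    if not is_websocket_upgrade(headers) or "cookie" not in headers:
        return False
    origin = headers.get("origin")
    if origin is None:
        return False
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    return normalized in allowed


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_HANDSHAKE), ("cross-site", CROSS_SITE_HANDSHAKE)):
        print(name, accept_handshake_vulnerable(raw), accept_handshake_hardened(raw))
```

The exact-match comparison matters: a startswith-style check would let `https://app.example.com.other.example.net` through. The Origin check only protects against browser-driven cross-site sockets; a non-browser client can send any Origin it likes, but it also has no access to the victim's cookies, which is the asset this check defends.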


OGNL Expression Injection
New categories identify OGNL Expression Injection both in applications using the Apache Object Graph Navigation Language library directly and in Struts 2 applications using APIs that evaluate OGNL expressions.


OWASP ESAPI JSP Tag Library
Support for the OWASP Enterprise Security API JSP Tag library identifies validation against Cross-Site Scripting and other web security flaws.


DISA STIG 3.5
Support for the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 3.5.

 

HP Fortify Premium Content

The research team continues to extend and build upon security artifacts outside HP WebInspect SecureBase, the Fortify Secure Coding Rulepacks, and Fortify Runtime Rulepack kits.

OWASP Top 10 2013 and DISA STIG 3.5 Reports
A new report bundle with support for OWASP Top 10 2013 and DISA STIG 3.5 is available for download from the Fortify Customer Portal under Premium Content.


HP Fortify Runtime Performance Tuning Guide
This guide provides effective solutions to performance bottlenecks when using HP Fortify Runtime and supplements the installation and configuration guides.


Sample Custom Rules for Runtime Application Logging (HP ArcSight Application View)
When using custom or third-party authentication frameworks, tailored runtime rules are essential to observing the behavior of your applications with HP ArcSight Application View. The professional services kit contains a sample rule for a quick start to creating custom rules along with practical examples, such as:

  • SSL Client Authentication
  • Unique authentication events commonly encountered in ERP/CRM solutions
  • Custom exceptions
