HPSR Software Security Content - 2014 Update 1

HP Security Research and the Software Security Research group are pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2014.1.0), HP ArcSight Application View, HP Fortify Runtime Application Protection, and Premium Content.

HP SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web and mobile software.

Faster time to accurate results with the WebInspect Agent*

The new and improved WebInspect Agent for Java delivers increased accuracy, higher-quality results, and scans that complete 5x faster than before. The new WebInspect Agent also supports enhanced detection of XML injection attacks with two new categories for XML Entity Injection and XML Entity Expansion.

New PCI DSS 3.0 compliance template

Support for the latest Payment Card Industry Data Security Standard (PCI DSS), version 3.0.

Mobile and HTML5

Mobile is arguably one of the hottest areas in security circles today, and cross-platform development using HTML5 is only growing in popularity. With this update, HP WebInspect can detect multiple security threats plaguing both mobile and HTML5-based software, including:

Device ID detection*

Unique Device Identifiers (UDID) or Universally Unique Identifiers (UUID) should not cross the wire without significant justification. Two categories have been added that specifically address this concern and uncover this behavior in mobile applications.

Sensitive information disclosure*

Mobile devices only amplify existing privacy concerns. This release contains three categories that detect mixed use of HTTP and HTTPS, transmission of sensitive information to third parties, and the disturbing practice of doing the same with geolocation information.

Sensitive data in HTML5 storage*

The HTML5 LocalStorage object is an enticing place to store application-related data for many reasons, the strongest being convenience. But when developers misuse this feature, user information is at risk. This category identifies misuse of LocalStorage and recommends fixes.

Insecure HTML5 PostMessage usage*

Sending messages between windows is convenient; however, there are both safe and unsafe ways to do so. We’ve added a category that identifies unsafe PostMessage communication and teaches developers how to safely and securely incorporate this HTML5 feature in software.
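As an added illustration (not code from the HP post or from the WebInspect product), here is the pattern such a check targets: a receiver that trusts any sender, beside a hardened one that allowlists the exact origin, parses defensively and accepts only a closed set of actions. The origin, action names and event objects are assumed, constructed values.

```javascript
// Added example (not from the HP post): an unsafe postMessage receiver beside a hardened one.
// The event objects passed in are constructed stand-ins for browser MessageEvent instances.

// UNSAFE: trusts any sender, so any page holding a reference to this window can drive it.
function unsafeHandler(event) {
  const msg = JSON.parse(event.data);
  if (msg.action === "setToken") {
    return { applied: true, token: msg.token };
  }
  return { applied: false };
}

// HARDENED: exact-match origin allowlist, defensive parsing, closed set of actions.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed origin
const ALLOWED_ACTIONS = new Set(["setTheme", "resize"]);      // assumed actions

function makeSafeHandler(allowedOrigins = ALLOWED_ORIGINS, allowedActions = ALLOWED_ACTIONS) {
  return function safeHandler(event) {
    // 1. Compare the full origin string; a substring or unanchored regex check
    //    would let a look-alike origin through.
    if (!allowedOrigins.has(event.origin)) {
      return { applied: false, reason: "origin-rejected" };
    }
    // 2. The sender controls the bytes, so parsing can fail.
    let msg;
    try {
      msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
    } catch {
      return { applied: false, reason: "malformed" };
    }
    // 3. Accept only known actions with arguments of the expected type and range.
    if (!msg || typeof msg !== "object" || !allowedActions.has(msg.action)) {
      return { applied: false, reason: "action-rejected" };
    }
    if (msg.action === "setTheme" && typeof msg.value === "string") {
      return { applied: true, action: "setTheme", value: msg.value };
    }
    if (msg.action === "resize" && Number.isInteger(msg.value) && msg.value > 0) {
      return { applied: true, action: "resize", value: msg.value };
    }
    return { applied: false, reason: "bad-arguments" };
  };
}

// Sending side: name the intended target origin rather than "*", so the browser
// drops the message if the target window has navigated elsewhere.
function sendToFrame(targetWindow, payload, targetOrigin = "https://app.example.com") {
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}
```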

*Requires HP WebInspect 10.20 or later

HP Fortify Secure Coding Rulepacks (SCA)

With this release the Fortify Secure Coding Rulepacks detect 594 unique categories of vulnerabilities across 21 programming languages and spanning over 730,000 individual APIs. In summary, the release includes the following:

Apple iOS and Google Android Support*

  • Expanded support for cryptographic best practices across both major mobile development platforms. Support for iOS and Android includes both new and existing categories.
  • Updated Objective-C support allows identification of 9 additional categories in iOS applications, including Cookie Security: Cookie not Sent Over SSL and System Information Leak.
  • Improvements to Android support, including a new category: Intent Manipulation.

Microsoft Best Practices

Support for best practices identified by Microsoft in ASP.NET, Windows 8 and Silverlight. This adds 8 new categories, including ASP.NET Misconfiguration: Cross-Site Scripting Protection and Database Bad Practices: Use of Restricted Account.

Dynamic Code Evaluation

  • Added coverage for detecting Dynamic Code Evaluation: Code Injection vulnerabilities in the Java Scripting Engine, as well as Rhino and Nashorn APIs.
  • Identification of Dynamic Code Evaluation: Unsafe XStream Deserialization in the XStream core library and the Spring MVC extension.

Hibernate 4

Support for the latest version of the Hibernate library includes identification of database input and related categories, including SQL Injection, Resource Injection and Access Control: Database.

SAP ABAP Support

  • Improved SQL Injection detection, including support for ADBC native SQL and object services.
  • Support for Path Manipulation in the ABAP file utility framework and logical file names and paths.
  • Detection of Code Injection when programs and subroutine pools are created using ABAP.

PCI DSS 3.0

Support for the latest Payment Card Industry Data Security Standard (PCI DSS), version 3.0.

Java 8 (Technical Preview)*

Support for new Java 8 APIs, such as Stream, Time, Collections, Concurrency, IO/NIO and Nashorn.

*Requires HP Fortify SCA 6.10 or later for some features

HP ArcSight Application View

HP ArcSight Application View automatically monitors your applications to provide intelligence that helps you defend your applications and data against threats that would otherwise go unnoticed. This release contains the following new features and enhancements:

Expanded Visibility with Custom Authentication Event Support

Application View now supports custom Java authentication frameworks, further extending its already expansive visibility into application-layer events.

Deeper Insight and Enhanced Performance

Dashboard views now display comprehensive HTTP POST request data to provide a clearer, more accurate picture of the behavior of your applications.

HP Fortify Runtime Application Protection (RTAP)

HP Fortify Runtime Application Protection provides application vulnerability monitoring and protection, and can operate as a standalone product, in conjunction with HP ArcSight Logger/Enterprise Security Manager, or with HP Fortify Software Security Center. New for this release is the following content:

XML Injection Attacks

Protection against two new vulnerability categories for XML External Entity Injection (XXE) and XML Entity Expansion (XEE).

HP Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

PCI DSS 3.0 Reports

A new report bundle with support for PCI DSS 3.0 is available for download from the Fortify Customer Portal under Premium Content.
