HPSR Software Security Content 2014 Update 2

HP Security Research and the Software Security Research group are pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2014.2.0), HP Fortify Runtime Application Protection, and HP Fortify Premium Content.


The Software Security Research group translates cutting-edge security research into security intelligence that powers the HP Enterprise Security Products portfolio. Today, HPSR Software Security Content supports over 860 vulnerability categories across 21 programming languages and spanning more than 737,000 individual APIs.

HP SecureBase (WebInspect)
SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web and mobile software.

Zero-day advisory support
In order to provide more critical coverage of zero-day vulnerabilities, the following security content has been added to this quarterly update:


Apache Struts ClassLoader manipulation
Support for detecting Apache Struts installations vulnerable to remote code execution through ClassLoader manipulation as described in CVE-2014-0112 and CVE-2014-0114. A new “Apache Struts” scan policy is provided for quick and comprehensive coverage of these advisories.


Heartbleed detection
Heartbleed (CVE-2014-0160) is a buffer over-read in OpenSSL's TLS heartbeat handling that lets a remote peer read chunks of server memory, which can include private keys and session data, and so presents a critical threat to the confidentiality assured by SSL/TLS. Since the off-cycle SecureBase content update in April, additional support has been added for detecting whether the server supports a Perfect Forward Secrecy-enabled cipher suite, because a leaked private key also exposes previously recorded traffic when forward secrecy is absent; this ensures proper risk assignment.

Declarative security headers
The declarative security approach allows developers to forgo the need to implement custom security measures in their application code for client-side protection and, instead, rely on the controls offered by the browser. With this update, HP WebInspect can detect potential exposure to client-side exploitation as a result of missing or misconfigured HTTP headers, including:

Content security policy
Misconfiguration of Content Security Policy (CSP) directives, for example a wildcard source or 'unsafe-inline' in script-src, diminishes the mechanism's effectiveness against client-side attacks such as cross-site scripting.

Strict transport security
The HTTP Strict Transport Security (HSTS) header instructs the browser to confine all interactions with the site to secure connections. This category reports the absence of HSTS enforcement and insecure HSTS configuration, such as a very short max-age.

X-Frame-Options
A new category to detect missing or misconfigured X-Frame-Options response headers identifies and reports ineffective protection against Cross-Frame Scripting (clickjacking) attacks.


Content-type
This update includes support for detecting the lack of character set enforcement via the HTTP Content-Type response header; without an explicit charset, the browser is left to guess the encoding of the response.
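As an added example (not WebInspect code and not the SecureBase checks themselves), the following Python function applies checks in the spirit of the four header categories above to a single response. The HSTS max-age threshold, the decision to treat anything other than DENY or SAMEORIGIN as ineffective for X-Frame-Options, and both sample responses are assumptions constructed for this illustration.

```python
"""Added example: flag missing or weak declarative security headers.
Not WebInspect code; thresholds and sample responses are constructed here."""
from typing import Dict, List

# Assumed threshold (not a WebInspect setting): HSTS max-age below ~6 months
# is reported as too short.
MIN_HSTS_MAX_AGE = 15552000


def _directives(value: str) -> Dict[str, List[str]]:
    """Parse CSP 'name src1 src2; name2 ...' into {name: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_headers(headers: Dict[str, str], is_https: bool = True) -> List[str]:
    """Return one finding string per problem found in a response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Content-Security-Policy: missing, or directives that neutralise it.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        d = _directives(csp)
        if "default-src" not in d and "script-src" not in d:
            findings.append("CSP: no default-src or script-src directive")
        for name in ("default-src", "script-src"):
            srcs = d.get(name, [])
            if "*" in srcs:
                findings.append(f"CSP: {name} allows any origin (*)")
            if "'unsafe-inline'" in srcs:
                findings.append(f"CSP: {name} allows 'unsafe-inline'")
            if "'unsafe-eval'" in srcs:
                findings.append(f"CSP: {name} allows 'unsafe-eval'")

    # Strict-Transport-Security: browsers only honour it over HTTPS.
    if is_https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("HSTS: header missing")
        else:
            parts = [p.strip().lower() for p in hsts.split(";")]
            max_age = None
            for p in parts:
                if p.startswith("max-age="):
                    try:
                        max_age = int(p.split("=", 1)[1])
                    except ValueError:
                        pass
            if max_age is None:
                findings.append("HSTS: max-age missing or unparseable")
            elif max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS: max-age {max_age} too short")
            if "includesubdomains" not in parts:
                findings.append("HSTS: includeSubDomains not set")

    # X-Frame-Options: only DENY and SAMEORIGIN are treated as effective here
    # (assumption: ALLOW-FROM is not honoured by every browser).
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: ineffective value {xfo!r}")

    # Content-Type: text responses should pin a charset.
    ctype = h.get("content-type", "")
    if ctype.lower().startswith("text/") and "charset=" not in ctype.lower():
        findings.append("Content-Type: charset not specified")

    return findings


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(hdrs) or ["no findings"])
```

The weak response produces six findings (two for CSP, two for HSTS, one each for X-Frame-Options and Content-Type); the hardened one produces none. A real scanner would additionally need to see the response over HTTPS before scoring HSTS, which is why the function takes an `is_https` flag.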

Compliance templates
DISA STIG
Support for latest versions of the Defense Information Systems Agency Application Security STIG, versions 3.6 and 3.7.

HP Fortify Secure Coding Rulepacks (SCA)
With this release the Fortify Secure Coding Rulepacks detect 603 unique categories of vulnerabilities across 21 programming languages and span over 737,000 individual APIs. In summary, the release includes the following:

Improved Python support*
Revamped support for Python built-in types and functions, including support for 45 new system libraries and seven third-party libraries: simplejson, requests, httplib2, pycurl, MySQLdb, psycopg2, and lxml. This update also adds 25 new Python categories, including Dynamic Code Evaluation: Unsafe Pickle Deserialization, Insecure Temporary File, and XML External Entity Injection. *Requires HP Fortify SCA 6.20 or later for some features.
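To show the pattern a category such as Dynamic Code Evaluation: Unsafe Pickle Deserialization is looking for, here is an added Python example (not Fortify rulepack content) with the vulnerable pickle.loads call beside a restricted Unpickler that resolves only an allowlisted class. The Session class, the stand-in attacker function and both pickled blobs are constructed for the demonstration.

```python
"""Added example: unsafe pickle.loads beside a restricted unpickler.
Not Fortify code; Session, attacker_payload and the blobs are constructed."""
import io
import pickle
from typing import Optional


class Session:
    """Constructed example of the only type the application expects to load."""
    def __init__(self, user: str):
        self.user = user


CALLS = []  # records whether the attacker-controlled callable ran


def attacker_payload() -> str:
    """Stand-in for something like os.system("...") in a real exploit payload."""
    CALLS.append("attacker code ran")
    return "pwned"


class Evil:
    """Any object whose __reduce__ names a callable: pickle calls it on load."""
    def __reduce__(self):
        return (attacker_payload, ())


def load_session_unsafe(blob: bytes):
    """Vulnerable pattern: pickle.loads on untrusted bytes executes whatever
    callables the stream references, here attacker_payload()."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Override find_class so only allowlisted globals can be resolved."""
    ALLOWED = {(Session.__module__, "Session")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_session_safe(blob: bytes) -> Optional[Session]:
    """Hardened: reject any stream that references a non-allowlisted global."""
    try:
        return RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        return None


# Constructed inputs: a legitimate session and an attacker-supplied blob.
LEGIT_BLOB = pickle.dumps(Session("alice"), protocol=4)
MALICIOUS_BLOB = pickle.dumps(Evil(), protocol=4)

if __name__ == "__main__":
    print("unsafe:", load_session_unsafe(MALICIOUS_BLOB), CALLS)
    print("safe  :", load_session_safe(MALICIOUS_BLOB))
    print("safe  :", load_session_safe(LEGIT_BLOB).user)
```

The restricted unpickler is a mitigation, not a full fix: a caller that must accept untrusted serialized data should prefer a data-only format such as JSON. The allowlist is keyed on the module name as well as the class name because pickle resolves globals by both.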

Heartbleed detection
Support for detecting the underlying cause of the OpenSSL Heartbleed vulnerability (CVE-2014-0160): a payload length taken from the heartbeat message and used to copy memory without being checked against the length of the record actually received.
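Both the SecureBase entry and the SCA entry above concern Heartbleed (CVE-2014-0160). The following added Python model (not OpenSSL's code, not a Fortify rule, and not a network client) simulates the heartbeat handler's memory copy against a byte string standing in for process memory, to show why the unchecked payload length leaks adjacent data and how the bounds check in the fix stops it. The record layout follows RFC 6520 (type, 16-bit length, payload, padding); the memory contents and the secret are constructed.

```python
"""Added example: model of the Heartbleed over-read and its fix.
Not OpenSSL or Fortify code; memory layout and SECRET are constructed."""
import struct
from typing import Optional

HB_REQUEST = 1   # HeartbeatMessageType heartbeat_request
PADDING = 16     # padding length OpenSSL appends and expects


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat body: type (1) | payload_length (2) | payload | padding.
    claimed_length is what the sender writes in the header; it need not match
    len(payload), which is exactly the condition the bug fails to check."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def handle_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: trust the 16-bit length from the message and copy that
    many bytes starting at the payload, ignoring record_len entirely."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return b""
    # Equivalent of memcpy(bp, pl, payload): reads past the end of the record.
    return bytes(memory[3:3 + payload_len])


def handle_heartbeat_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed logic (as in OpenSSL 1.0.1g): silently discard any heartbeat whose
    claimed payload plus header and padding exceeds the record received."""
    if record_len < 1 + 2 + PADDING:          # no room for even an empty payload
        return None
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    if hbtype != HB_REQUEST:
        return b""
    return bytes(memory[3:3 + payload_len])


# Constructed "process memory": the record, then data left over from other
# connections. The secret is invented for the demonstration.
SECRET = b"Cookie: session=c0ffee; password=hunter2"


def make_memory(record: bytes) -> bytes:
    return record + b"\x00" * 8 + SECRET + b"\x00" * 64


def leaked_bytes(handler, record: bytes) -> Optional[bytes]:
    """Run a handler over memory that begins with record; return what it echoes."""
    return handler(make_memory(record), len(record))


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)
    lying = build_heartbeat(b"ping", 0xFFFF)   # the classic 64 KB request
    print("vulnerable, honest:", leaked_bytes(handle_heartbeat_vulnerable, honest))
    print("vulnerable, lying :", leaked_bytes(handle_heartbeat_vulnerable, lying))
    print("fixed, honest     :", leaked_bytes(handle_heartbeat_fixed, honest))
    print("fixed, lying      :", leaked_bytes(handle_heartbeat_fixed, lying))
```

The condition `1 + 2 + payload_len + PADDING > record_len` is the same comparison the OpenSSL fix added (`1 + 2 + payload + 16 > s->s3->rrec.length`); the source-level root cause a static rule looks for is the absence of any such comparison between the attacker-supplied length and the length of the data actually received.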

Struts 1 remote code execution detection
Support for detecting applications vulnerable to the Struts 1 ClassLoader manipulation zero-day (CVE-2014-0114) discovered by one of our researchers, including the addition of a new category, Bean Manipulation, to identify the root cause of the vulnerability in the source code.

New Server-Side Request Forgery (SSRF) Category
Support for new Server-Side Request Forgery (SSRF) category across four major languages (Java, .NET, PHP, and Python) and improved coverage for related categories, such as Open Redirect, Header Manipulation, HTTP Parameter Pollution, and Dangerous File Disclosure.

iOS property list files support
Support for iOS property list (plist) files, including two new categories: System Information Leak: iOS Property List and Privacy Violation: iOS Property List.

Apache HttpComponents
Support for the latest version of the Apache HttpComponents library, for both Android and Java.

SAP ABAP support
- Improved descriptions for 14 existing vulnerability categories with the addition of SAP-specific examples, recommendations, tips, and references.
- Detection of new vulnerability category Access Control: Privilege Escalation.

DISA STIG 3.6/3.7
Support for the latest versions of the Defense Information Systems Agency Application Security STIG, versions 3.6 and 3.7.

HP Fortify Runtime Application Protection (RTAP)
HP Fortify Runtime Application Protection provides application vulnerability monitoring and protection, and can operate as a standalone product, in conjunction with HP ArcSight Logger/Enterprise Security Manager, or with HP Fortify Software Security Center. New for this release is the following content:

Major updates to core categories
Completely revamped detection algorithms bolster both the accuracy and effectiveness of core categories to provide unparalleled protection against input injection attacks such as SQL Injection, Cross-site Scripting, and Command Injection.

HP Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

DISA STIG 3.7 report
A new report bundle with support for DISA STIG 3.7 is available for download from the Fortify Customer Portal under Premium Content.
