Q2 2013 HP Fortify Software Security Content Update

HP SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications under test. In summary, our latest release includes the following updates:


Next Generation Security Testing Features

The following capabilities are available using HP WebInspect with the SecurityScope runtime agent:


  • OAuth Protocol Vulnerabilities
    Detects the use of vulnerable OAuth protocols susceptible to session fixation (OWASP Top 10 2013 - A2) and reports implementation flaws that transfer sensitive information over insecure communication channels (OWASP Top 10 2013 - A6).
  • Unused Parameter Detection
    Identifies hidden HTTP request parameters that escape testing during traditional dynamic scans and adds them to the audit queue for thorough analysis.

XML External Entity Injection (XXE)
Detects weaknesses in XML parsing logic that could expose web applications and services to file inclusion or denial of service attacks.


Intelligent Privacy Policy Analysis
Enhanced detection of missing privacy policy declarations to support multiple languages and incorporate more intelligent logic to minimize false positives.


Offline SecureBase
Offline copies of SecureBase are now officially available on a quarterly basis with each update to HP Fortify Software Security Content. Please contact fortifytechsupport@hp.com for details.


HP Fortify Secure Coding Rulepacks (SCA)

As of this release, the Fortify Secure Coding Rulepacks detect 563 unique categories of vulnerabilities across 21 programming languages and over 720,000 individual APIs. In summary, this release includes the following:


  • Validation Support for Microsoft ASP.NET WebForms
    Enhanced support for common Microsoft .NET validation libraries allows for improved accuracy in detecting cross-site scripting in ASP.NET WebForms. Validation libraries covered include Microsoft Web Protection Library (AntiXss) and OWASP AntiSamy.
  • New XML Injection Categories (XXE and XEE)
    The capability to identify XML External Entity Injection (XXE) and XML Entity Expansion Injection (XEE) vulnerabilities. Java support covers JAXP, JAXB, XPath, StAX, JAX-RS and Spring REST. Microsoft .NET support covers System.Xml and System.Xml.XPath.
  • Java Server Faces (JSF) 2
    Expanded JSF 2 coverage includes annotations, tags and built-in support for AJAX.
  • JAX-RS
    Support for the Java RESTful Services (JAX-RS) API includes identification of web entrypoints using annotations and coverage of 13 vulnerability categories, including cross-site scripting and privacy violation.
  • OWASP AntiSamy*
    Coverage for AntiSamy validation in both Microsoft .NET and Java. Support includes updates to the built-in Data Validation filterset in HP Fortify AuditWorkbench. (*Requires HP Fortify AuditWorkbench 4.0 or later.)
  • Context Sensitive Ranking: Access Control
    Context sensitive ranking has been enhanced to re-prioritize access control database issues based on evidence of tainted primary keys.
  • NIST SP 800-53 Mapping
    Mapping to the latest security and privacy controls, as described in NIST Special Publication 800-53 Revision 4. 18 controls are covered, including access enforcement, least privilege and information input validation.
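As an added illustration of the XXE and XEE weakness class that both the WebInspect XXE check and the new SCA categories above refer to (this is example code, not code from HP Fortify or from this post), the following Java snippet contrasts a default JAXP DocumentBuilderFactory with one hardened against entity attacks. The sample document, class name and method names are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmlParserHardening {

    // Constructed sample: a DOCTYPE declaring a harmless internal entity. Real XXE and
    // XEE payloads differ only in what the entity points at or how deeply it nests;
    // the DOCTYPE itself is the part a hardened parser refuses to process.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n" +
        "<note>&greet;</note>";

    // Weak: default JAXP settings accept a DTD and expand its entities.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened: refuse DOCTYPE outright (covers both XXE and XEE), and additionally
    // disable external entities and DTD loading for parsers that ignore the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses the document with the given factory and returns the root element's text.
    static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        Document d = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // The weak parser accepts the DTD and returns the expanded entity value "hello".
        System.out.println("weak: " + parseRootText(weakFactory(), DOC_WITH_DTD));
        try {
            parseRootText(hardenedFactory(), DOC_WITH_DTD);
        } catch (SAXParseException e) {
            // The hardened parser stops at the DOCTYPE before any entity is resolved.
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same two configurations are what a static rulepack has to tell apart: a factory whose features are left at their defaults versus one that sets disallow-doctype-decl or disables external entities before newDocumentBuilder() is called.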


HP Fortify Runtime Rulepack Kits (Runtime)

As of this release, there are three Runtime Rulepack Kits: HP Fortify Runtime Application Protection, with 43 unique categories, HP Fortify SecurityScope, with 18 unique categories, and HP Fortify Runtime Application Logging, with 24 unique categories. In summary, this update includes:


  • Runtime Application Protection (RTAP) Rulepack Kit
    Support for hardcoded SQL connection detection and enhancements to privacy violation detection.
  • SecurityScope Rulepack Kit
    Five additional categories have been added, including value shadowing, open redirect, and insecure randomness.
  • Runtime Application Logging (RTAL) Rulepack Kit
    Support for unified logging frameworks, including Log4j, java.util.logging, Apache Commons Logging, Slf4j, Log4Net, NLog and Microsoft Enterprise Logging Library. Other updates include additional categories and performance improvements.

Labels: HP Fortify | HPSR | SSR