Q3 2013 HP Fortify Software Security Content Update

HP SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications. In summary, the release includes the following:

  • OWASP Top 10 2013 Policy 
    A new policy to identify critical risks based on the guidelines offered by the latest release of the OWASP Top 10 document. 
  • NIST Special Publication 800-53 Compliance Template
    A new compliance template to report on the latest security and privacy controls, as described in NIST Special Publication 800-53 Revision 4.
  • Apache Struts 2 Remote Command Execution
    Support for detecting Apache Struts 2 versions susceptible to remote code execution through injection of OGNL expressions as described in CVE-2013-2251 and CVE-2013-1996.
  • User-Controllable Character Set
    Detects use of unvalidated user input in character set selection, using direct reflection, header injection and HTML tag injection techniques.
  • Enhanced Detection of HTTP Response Splitting
    An improved approach to detecting HTTP Response Splitting through CRLF header injection, improving both accuracy and performance.
  • Offline SecureBase 
    Offline copies of SecureBase are now officially available on a quarterly basis with each update to HP Fortify Software Security Content. Please contact fortifytechsupport@hp.com for details.
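The two header-related checks above (HTTP Response Splitting through CRLF header injection, and a user-controllable character set) both come down to unvalidated input reaching a response header line. The following Python is an added illustration, not WebInspect or HP code: the `build_response_*` helpers, the charset allowlist and the sample inputs are constructed for this example. It shows a vulnerable header builder beside a hardened one, and a small parser that views the result the way a client or scanner would, so that a header the application never set can be spotted.

```python
# Added example (not HP/WebInspect code): why a CR/LF or an unchecked charset
# in user input is a header-injection problem, and the two checks that fix it.

# Assumption for this example: the application only ever serves these charsets.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}


def _format_response(location: str, charset: str) -> bytes:
    """Build a minimal 302 response whose header values come from the caller."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        f"Content-Type: text/html; charset={charset}\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def build_response_unsafe(location: str, charset: str) -> bytes:
    """Vulnerable: user input is concatenated straight into header lines.
    A CR/LF inside `location` starts a new header; any `charset` is echoed."""
    return _format_response(location, charset)


def build_response_safe(location: str, charset: str) -> bytes:
    """Hardened: reject CR/LF in every header value and allowlist the charset."""
    for name, value in (("Location", location), ("charset", charset)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF not allowed in {name}")
    if charset.lower() not in ALLOWED_CHARSETS:
        raise ValueError(f"charset {charset!r} is not in the allowlist")
    return _format_response(location, charset)


def parse_headers(raw: bytes) -> dict:
    """Parse the status line and headers the way a client or scanner would:
    each CRLF-terminated line before the blank line is a separate header."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers


def injected_headers(raw: bytes, expected: set) -> list:
    """Detection view: names of headers present that the application never set."""
    return sorted(set(parse_headers(raw)) - expected)


if __name__ == "__main__":
    # Constructed probe: a redirect target carrying a CRLF and a harmless marker header.
    probe = "/home\r\nX-Injected: 1"
    raw = build_response_unsafe(probe, "utf-8")
    print(parse_headers(raw))
    print("unexpected headers:", injected_headers(raw, {"Location", "Content-Type"}))
    for loc, cs in ((probe, "utf-8"), ("/home", "utf-7")):
        try:
            build_response_safe(loc, cs)
        except ValueError as exc:
            print("rejected:", exc)
```

The hardened builder applies both checks at the boundary where the value enters a header, which is also where a static-analysis rule for this category would expect to find validation; rejecting CR/LF alone would still leave the charset user-controllable, which is why the allowlist is a separate condition.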

HP Fortify Secure Coding Rulepacks (SCA)

As of this release, the Fortify Secure Coding Rulepacks detect 574 unique categories of vulnerabilities across 21 programming languages and over 720,000 individual APIs. In summary, the release includes the following:

  • New XSLT and XPath Injection Categories
    Support for popular Java and Microsoft .NET libraries to detect XSLT and XPath injection issues. Java support covers Apache Xalan, JAXP, XDK, XQJ, XPath, and Saxon. Microsoft .NET support covers Saxon.
  • Enhanced Microsoft .NET MVC and Razor Support 
    Enhanced support for .NET MVC actions, including Cross-Site Scripting, to reduce false positives and improve accuracy. Seven new categories detect bad practices in MVC and Razor views.
  • iOS Data Protection Support
    Support for the iOS data protection API, including two new categories.
  • Google Android Recommendations
    Extended descriptions and recommendations for categories identified within Android applications. Specific guidance will allow developers to better address categories such as Cross-Site Scripting, SQL Injection and Password Management.
  • Context Sensitive Ranking: Spring Validators*
    Context sensitive ranking has been enhanced to reprioritize issues based on the presence of Spring Validators and provide additional evidence.
  • Expanded System Information Leak Support
    System Information Leak issues reported as either Internal or External, with appropriate descriptions and prioritization.
  • OWASP Top 10 2013*
    Mapping to the latest (2013) revision of the OWASP Top 10.

 * Requires HP Fortify SCA 4.01 or later  

HP Fortify Runtime Rulepack Kits (Runtime)

As of this release, there are three Runtime Rulepack Kits: HP Fortify Runtime Application Protection, with 41 unique categories; HP Fortify SecurityScope, with 13 unique categories; and HP Fortify Runtime Application Logging, with 67 unique categories. In summary, this update includes:

  • Runtime Application Protection Rulepack Kit
    Rules changes to improve the accuracy of the findings by reducing false positives for various categories.
  • SecurityScope Rulepack Kit (HP WebInspect)
    Improved unused parameter detection and general maintenance and bug fixes.
  • Runtime Application Logging Rulepack Kit (HP ArcSight Application View)
    Major improvements to Runtime Application Logging, a key component in the HP ArcSight Application View solution. Enhancements include support to extract information from the application around Security and Crypto exceptions, User Management, and WebAccess logs.
