Q4 2012 Update from Software Security Research

HP Software Security Research is pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2012.4.0.0006), and HP Fortify Runtime Rulepack Kits (version 2012.4.0.40).


HP WebInspect SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications under test. In summary, our latest release includes the following updates:


Session Management

Capabilities to detect insecure domain access policies for session cookies and predictable session identifiers are now available as enhanced features.


NoSQL and Server-Side JavaScript

Expanded capabilities have been added to detect poor input validation routines that affect applications powered by emerging technologies such as MongoDB and Node.js.


Enhanced Injection Attacks

Additional techniques, such as expression language injection and HTTP parameter pollution, have been added to an already robust collection of injection attacks.


Compliance Templates

Support for the latest version of the Defense Information Systems Agency (DISA) Application Security and Development STIG, 3.4.


Enhanced Vulnerability Descriptions

Improved visualizations have been added for common input injection attacks to convey exploitation concepts and affected application components more clearly.


HP Fortify Secure Coding Rulepacks (SCA)

As of this release, the Fortify Secure Coding Rulepacks detect 549 unique categories of vulnerabilities across 21 programming languages and over 715,000 individual APIs. In summary, our latest update includes the following features:


Microsoft .NET Entity Framework

Expanded ADO.NET coverage now supports the .NET Entity Framework (EF). New rules cover model-first and schema-first use of the framework.


Apache Hadoop

Initial support for applications utilizing the Apache Hadoop framework covers 10 categories (two unique to Hadoop), spanning all major packages of Hadoop Common.


Google Android Enhancements

Enhancements to Android this quarter include accuracy improvements to existing rules related to the correct use of permissions, recognition of JavaScript taint sources, and 10 new categories.


PHP Zend Framework 1.x

Initial support for version 1.x of the Zend PHP framework covers 14 modules, 21 existing categories and one new category.


PHP DOMXPath and Standard Library Enhancements

Support has been added for the ADODb, SPL (Standard PHP Library), PHP DOM, PHP SimpleXML, PHP XML Parser, PHP DOMXPath, and Zorba XQuery libraries.


2011 CWE/SANS Top 25

Support for the (current) 2011 CWE/SANS Top 25 Most Dangerous Software Errors.


HP Fortify Runtime Rulepack Kits

As of this release, the HP Fortify Runtime Rulepack Kits detect 42 unique categories with RTA, 22 unique categories with AppSM, 13 unique categories for SecurityScope, and 10 unique categories for Runtime Taint. In summary, this update includes the following:


RTA and AppSM Rulepack Kit

Enhanced support in existing categories, such as Session Fixation, and two additional categories: Hidden Field Manipulation and Leftover Debug Code.


SecurityScope Rulepack Kit

Identifies improper logging practices and enhances detection of core categories, such as SQL Injection and Cross-Site Scripting. Support for Java 7, IIS7, and .NET REST attack surface enumeration has also been added.


Premium Content

SSR continues to extend and build upon security artifacts outside HP WebInspect SecureBase, the Fortify Secure Coding Rulepacks, and the Fortify Runtime Rulepack Kits. This quarter's premium content includes:


  • 2011 CWE/SANS Top 25 Report
  • LATAM Hardcoded Password Rulepack
  • ABAP Template for Custom Rules Editor

As always, we hope that you have found our products helpful and we welcome any feedback you may have.
