Fortify Software Security Content 2017 Update 4 December 15, 2017


Software Security Research Release Announcement
Micro Focus Security Fortify Software Security Content 2017 Update 4
December 15, 2017

About Micro Focus Security Fortify SSR
The Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Fortify product portfolio, including SCA, WebInspect, and AppDefender. Today, Micro Focus Security Fortify Software Security Content supports 968 vulnerability categories across 25 programming languages and spans more than 970,000 individual APIs. Learn more at https://software.microfocus.com/en-us/software/security-research

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2017.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.

Micro Focus Security Fortify Secure Coding Rulepacks [SCA]
With this release, the Fortify Secure Coding Rulepacks detect 770 unique categories of vulnerabilities across 25 programming languages and span over 970,000 individual APIs. In summary, the release includes the following:

Scala Play framework [1]
Initial support has been added for the Scala Play framework in security content. Play is a web framework developed by Lightbend for building web applications in Scala. Four new vulnerability categories can now be detected in applications using Scala Play:
- JSON Path Manipulation
- Missing Form Field Constraints
- Missing Form Field Validation
- Same-Origin Method Execution
Additionally, many categories already supported in Scala are extended to cover Play APIs, including the following:
- Cookie Security: Cookie not Sent Over SSL
- Cookie Security: HttpOnly not Set
- Cookie Security: Overly Broad Domain
- Cookie Security: Overly Broad Path
- Cross Site Scripting: Reflected
- Cross Site Scripting: Persistent
- Cross Site Scripting: Poor Validation
- Header Manipulation
- Open Redirect
- Privacy Violation
- Server-Side Request Forgery
- System Information Leak

Scala Slick library [1]
Slick is a Functional Relational Model library developed by Lightbend to ease access to databases. While numerous categories are now supported in relation to Slick, the two principal vulnerability categories of interest are SQL Injection and Access Control: Database.

Same-Origin Method Execution
Coverage for a new vulnerability category, Same-Origin Method Execution (SOME), has been added for the Scala Play and Java Spring frameworks. SOME is a web application attack which abuses callback endpoints by forcing a victim into executing arbitrary scripting methods of any page on the endpoint's domain.

[1] Translation of Scala using Fortify SCA requires a Lightbend subscription and SCA version 17.20.

Support for Oracle JDBC
Java rulepacks now contain extended JDBC support for the Oracle JDBC Java API. Vulnerability category coverage includes the following:
- Access Control: Database
- Password Management: Empty Password
- Password Management: Hardcoded Password
- Password Management: Null Password
- SQL Injection

NoSQL Injection: MongoDB
A new category, NoSQL Injection: MongoDB, has been added to detect insecure MongoDB queries. This vulnerability category may allow attackers to change the query structure, bypass query conditions, or cause the application to throw unexpected exceptions. This release supports both the Java and .NET MongoDB client SDKs.

OWASP Java Encoder project
Java rulepacks also contain added support for the OWASP Java Encoder project, used in Java applications as well as with JSP tags. The OWASP Java Encoder project is maintained by OWASP and was created to help Java developers defend against Cross-Site Scripting vulnerabilities through contextual output encoding.

ASP.NET improvements
Improvements have been made to existing vulnerability category support for ASP.NET. Support has been added for new attributes and APIs available for model and request validation under multiple namespaces, including the following:
- System.Web.Mvc
- System.Web.Mvc.Ajax
- System.Web.Mvc.Html
- System.Web.WebPages

Objective-C AFNetworking library
Coverage for the most popular Objective-C HTTP client library, AFNetworking, has been introduced in this release. Amongst others, detection of the following vulnerability categories is now possible in applications using AFNetworking:
- Header Manipulation
- Insecure SSL: Overly Broad Certificate Trust
- Insecure SSL: Server Identity Verification Disabled
- Insecure Storage: HTTP Response Cache Leak
- Insecure Transport
- Insecure Transport: Weak SSL Transport
- Password Management: Empty Password
- Password Management: Hardcoded Password
- Password Management: Null Password
- Path Manipulation
- Privacy Violation
- Privacy Violation: Health Information
- Privacy Violation: HTTP GET
- Resource Injection
- System Information Leak: External
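The NoSQL Injection: MongoDB category above is about how the query document is built. The following is an added example, not Fortify's or MongoDB's code, showing the query-building style the category reports beside the style it accepts, using the MongoDB Java driver (org.mongodb:mongodb-driver-sync, assumed on the classpath); the class, field names and the allowlist policy are constructed for this illustration.

```java
// Added example (not Fortify's code): building a MongoDB filter from an
// untrusted value in the Java driver, unsafe and hardened variants.
import com.mongodb.client.FindIterable;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.bson.Document;
import org.bson.conversions.Bson;

public class UserLookup {

    // VULNERABLE: the filter document is assembled by string concatenation and
    // then parsed as JSON. Because the caller's value is spliced into query text,
    // a value that terminates the string and supplies its own fields or operators
    // changes the structure of the query (so the "active": true condition can be
    // bypassed), and malformed input makes Document.parse throw an unexpected
    // exception. This is the pattern "NoSQL Injection: MongoDB" is meant to flag.
    static FindIterable<Document> findByUsernameUnsafe(MongoCollection<Document> users,
                                                       String username) {
        String json = "{ \"username\": \"" + username + "\", \"active\": true }";
        return users.find(Document.parse(json));
    }

    // HARDENED: the filter is built with the driver's typed builders. The value is
    // carried as a BSON string and is never interpreted as query syntax, so it can
    // only be compared against the field. The length/charset check on top is a
    // defensive allowlist (a hypothetical policy chosen for this example).
    static FindIterable<Document> findByUsernameSafe(MongoCollection<Document> users,
                                                     String username) {
        if (username == null || username.length() > 64
                || !username.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("invalid username");
        }
        Bson filter = Filters.and(Filters.eq("username", username),
                                  Filters.eq("active", true));
        return users.find(filter);
    }
}
```

The typed String parameter matters as much as the builder: a lookup that accepted an arbitrary parsed object for the username would let a caller supply an operator document in place of a literal even with Filters.eq, so keep untrusted input as scalars and let the builders produce the query structure.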

OWASP Top 10 2017
In order to support customers wanting to mitigate web application risk, correlation of the Micro Focus Fortify Taxonomy to the newly released OWASP Top 10 2017 has been added.

DISA STIG 4.4
In order to support our federal customers in the area of compliance, correlation of the Micro Focus Fortify Taxonomy to the Defense Information Systems Agency Application Security and Development STIG, version 4.4, has been added.

Micro Focus Security Fortify SecureBase [Fortify WebInspect]
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability support

Cross Site Scripting enhancements
Dangling tag injection can be used to bypass Content-Security-Policy protections, execute malicious script, and exfiltrate sensitive information (e.g. CSRF tokens from the HTTP response). This release includes enhancements to the Cross-Site Scripting check to detect dangling tag injection vulnerabilities in web applications. The payloads used to detect DOM-based XSS have also been enhanced to detect additional instances where the payload is reflected in a script block.

Performance improvements
Optimizations to WebInspect checks that reduce the amount of WebInspect traffic generated during a scan are also included. Depending on the nature of the application being scanned, these updates will reduce scan duration.

Compliance report

OWASP Top 10 2017 compliance template
This release includes a new compliance report template that provides correlation between OWASP Top 10 2017 categories and WebInspect checks.

DISA STIG 4.4
In order to support our federal customers in the area of compliance, this release contains a correlation of the WebInspect checks to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.4.

SANS Top 25 2011 compliance template
This release also includes a new compliance report template correlating WebInspect checks to the 2011 CWE/SANS Top 25 Most Dangerous Software Errors list.
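The Cross-Site Scripting checks above (including dangling tag injection and script-block reflection) find the flaw; the OWASP Java Encoder support added to the Java rulepacks in the SCA section covers the fix, contextual output encoding. The following is an added example, not Fortify's or the OWASP project's code, rendering the same untrusted values into three output contexts with and without the encoder (org.owasp.encoder:encoder, assumed on the classpath); the renderer class, the scheme check and the sample values are constructed for this illustration.

```java
// Added example (not Fortify's or OWASP's code): contextual output encoding
// with the OWASP Java Encoder, unsafe and hardened variants of one renderer.
import java.util.Locale;
import org.owasp.encoder.Encode;

public class ProfileRenderer {

    // VULNERABLE: untrusted values are concatenated into three different output
    // contexts (HTML body, an href attribute, a JavaScript string literal) with no
    // encoding. A display name containing markup or a quote character breaks out
    // of its context, which is what the Cross Site Scripting rules report.
    static String renderUnsafe(String displayName, String homepage) {
        return "<p>Hello, " + displayName + "</p>\n"
             + "<a href=\"" + homepage + "\">Homepage</a>\n"
             + "<script>var userName = '" + displayName + "';</script>";
    }

    // HARDENED: each interpolation uses the encoder for its own context.
    // Encoding cannot make an arbitrary URL safe inside href (the scheme is the
    // problem, not the characters), so the scheme is checked first and anything
    // other than http(s) is replaced with a harmless placeholder.
    static String renderSafe(String displayName, String homepage) {
        String href = isHttpUrl(homepage) ? homepage : "#";
        return "<p>Hello, " + Encode.forHtml(displayName) + "</p>\n"
             + "<a href=\"" + Encode.forHtmlAttribute(href) + "\">Homepage</a>\n"
             + "<script>var userName = '" + Encode.forJavaScript(displayName) + "';</script>";
    }

    // Hypothetical allowlist for this example: only absolute http/https URLs.
    static boolean isHttpUrl(String url) {
        if (url == null) {
            return false;
        }
        String lower = url.trim().toLowerCase(Locale.ROOT);
        return lower.startsWith("http://") || lower.startsWith("https://");
    }

    public static void main(String[] args) {
        // Constructed sample: a display name carrying markup and a quote character.
        String name = "Ada <b>Lovelace</b> O'Neil";
        String site = "https://example.com/profile?ref=1&view=full";
        System.out.println(renderUnsafe(name, site));
        System.out.println();
        System.out.println(renderSafe(name, site));
    }
}
```

In JSP the same contextual choice is made with the project's tag library, for example an `<e:forHtml value="..."/>` tag in body text and `<e:forJavaScript>` inside a script block; the rulepack support announced above recognises these calls and tags as sanitisers for their matching context only, so a value passed through forHtml and then placed in a script block is still reported.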

Policy updates
In order to support customers in the area of compliance, this release includes the following new policies:
- OWASP Top 10 2017
- DISA STIG V4R4
- SANS Top 25 2011
These policies contain a subset of the available WebInspect checks, allowing customers to run compliance-specific WebInspect scans. In our constant effort to improve the performance and relevancy of results from WebInspect scans, we have also improved the existing OWASP 2013 policy and compliance report to exclude checks that are considered legacy and deprecated. Applications can still be evaluated against these excluded checks by running the deprecated checks policy.

Micro Focus Security Fortify Application Defender
Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the Micro Focus Security Fortify Software Security Research team provides the following feature improvements:

Improved Runtime Taint rulepack for IAST
- Performance optimization when repeatedly reading the same database column across multiple rows.
- Improved support for Microsoft Web API, which maps more .NET attributes as taint sources.

Micro Focus Security Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

Insider Threat Rulepacks
The Fortify Insider Threat rulepacks were designed for security experts who want help finding malicious code in software. The rulepacks previously identified 22 categories of potentially malicious code, including Time Bombs, Custom Authentication, and Password Bypass. With this update, the Insider Threat rulepacks now support a new category, Insider Threat: Static SQLite Query, and expand coverage of Insider Threat: Runtime Compilation to the following four Java libraries:
- ObjectWeb ASM
- Apache BCEL
- Javassist
- CGLib
Insider Threat rulepacks are available for both Java and .NET on the Fortify Customer Support Portal under Premium Content.

OWASP Top 10 2017 and DISA STIG 4.4 reports
To accompany the new correlations, this release also contains a new report bundle with support for OWASP Top 10 2017 and DISA STIG 4.4, which is available for download from the Fortify Customer Support Portal under Premium Content.

Micro Focus Security Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, containing descriptions for newly added category support, is available at https://vulncat.fortify.com and https://vulncat.hpefod.com. Customers looking for the legacy site, with the last supported update, may obtain it from the Micro Focus Security Fortify Support Portal.

Contact Fortify Technical Support
Micro Focus Security Fortify
fortifytechsupport@hpe.com
+1 (844) 260-7219

Contact SSR
Alexander M. Hoole
Manager, Software Security Research
Micro Focus Security Fortify
hoole@microfocus.com
+1 (650) 258-5916

Copyright 2017 Micro Focus or one of its affiliates. The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.