HP Fortify Software Security Content - Update 4

joe_sechman on ‎12-20-2013 11:00 AM

HP Software Security Research is pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2013.4.0.0007), and HP Fortify Premium Content.


HP SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications. In summary, the release includes the following features:


Advanced BREACH Attack Detection

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) is a side-channel attack that could allow attackers to steal sensitive information from HTTP responses that reflect user-controlled input and are encoded using Gzip compression even when the application is served over an SSL/TLS channel.
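The three preconditions named above (TLS, gzip-compressed body, reflected user input) are what an audit check for BREACH exposure looks for. The following is an added illustration, not code from HP or the SecureBase check itself: it takes a request URL plus a captured response and reports whether all three conditions hold. The URL, headers, page and CSRF token are constructed sample data.

```python
import gzip
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: an HTTPS search page that echoes the query parameter
# next to a per-session CSRF token, then gzip-compresses the response body.
SAMPLE_URL = "https://app.example/search?q=widget&page=2"
SAMPLE_TOKEN = "csrf-token-CONSTRUCTED-0001"
SAMPLE_PAGE = (
    "<html><body><form method='post'>"
    f"<input type='hidden' name='csrf' value='{SAMPLE_TOKEN}'>"
    "<p>Search results for: widget</p>"
    "</form></body></html>"
)
SAMPLE_HEADERS = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
SAMPLE_BODY = gzip.compress(SAMPLE_PAGE.encode("utf-8"))


def reflected_params(params, body_text, min_len=4):
    """Return the (name, value) pairs whose value appears verbatim in the body.
    Very short values are ignored: they match by chance too often to be useful."""
    return [(k, v) for k, v in params if len(v) >= min_len and v in body_text]


def check_breach_exposure(url, headers, body, over_tls=None):
    """Flag a response that satisfies all three BREACH preconditions:
    served over TLS, gzip-encoded, and reflecting a request parameter.
    Returns a finding dict, or None when any precondition is absent."""
    parts = urlsplit(url)
    if over_tls is None:
        over_tls = parts.scheme == "https"
    lowered = {k.lower(): v for k, v in headers.items()}
    encoding = lowered.get("content-encoding", "").lower()
    if not over_tls or "gzip" not in encoding:
        return None
    try:
        text = gzip.decompress(body).decode("utf-8", errors="replace")
    except (OSError, EOFError):
        return None  # not a valid gzip stream; nothing to inspect
    reflected = reflected_params(parse_qsl(parts.query), text)
    if not reflected:
        return None
    return {
        "check": "BREACH preconditions present",
        "url": url,
        "reflected": reflected,
        # Standard mitigations: drop compression on responses that echo input,
        # or keep secrets such as CSRF tokens out of them / mask them per request.
        "advice": "disable compression on input-reflecting responses, "
                  "or remove or per-request mask secrets in the body",
    }


if __name__ == "__main__":
    print(check_breach_exposure(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
```

The check is deliberately conservative: it reports only when every precondition is present, since compression alone, or reflection alone, is not a BREACH exposure. A real scanner would also confirm that a secret actually sits in the same compressed body.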


OWASP Top 10 2013 and DISA STIG version 3.5 Compliance Templates

This release adds a compliance template that reports on the critical risks described in the OWASP Top 10 2013 release, and support for the latest version of the Defense Information Systems Agency (DISA) Application Security and Development STIG, version 3.5.


Intelligent Cross-Frame Scripting (XFS) Detection
Applies context-aware severity assignment based on the sensitivity of information.


Joomla! Arbitrary File Upload
Support for detecting vulnerable Joomla! versions that could enable attackers to gain control of a website through dangerous file uploads as described in CVE-2013-5576.


Offline SecureBase
Offline copies of SecureBase are now officially available with each update to HP Fortify Software Security Content. Please contact for details.



HP Fortify Secure Coding Rulepacks (SCA)

With this release the Fortify Secure Coding Rulepacks detect 582 unique categories of vulnerabilities across 21 programming languages and spanning over 725,000 individual APIs. In summary, the release includes the following:

Windows Azure
Support for the Azure Storage API allows SCA to analyze applications built for Microsoft's cloud platform. Coverage includes Resource Injection, Cross-Site Scripting, Path Manipulation, and Setting Manipulation, plus one new category: Cross-Site Scripting: Inter-Component Communication (Cloud).

Restlet Framework
Now, in addition to the existing REST coverage of JAX-RS, customers can track security weaknesses through the Restlet 2.1 API. Support covers the Restlet Framework across multiple editions (including Java SE, Java EE, Android, and GWT) and spans 14 vulnerability categories, including Insecure Transport, Cross-Site Scripting, and XML Entity Expansion Injection.

WebSockets
Support for the Java JSR 356 WebSocket specification, the Microsoft .NET WebSockets library, and the SignalR framework. In addition to supporting existing categories, two new categories have been added: Cross-Site WebSocket Hijacking and System Information Leak: SignalR Exposed JavaScript Proxy.
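Cross-Site WebSocket Hijacking arises when a server accepts a WebSocket handshake from any page, since the browser attaches the user's cookies regardless of which site opened the connection; the server-side control is to validate the handshake's Origin header against an allowlist before upgrading. The following is an added illustration, not code from HP, JSR 356 or SignalR: it validates the upgrade headers, normalizes and checks Origin, and derives the Sec-WebSocket-Accept value as RFC 6455 specifies. The header sets and host names are constructed sample data.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(sha1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def normalize_origin(origin):
    """Reduce an Origin value to scheme://host:port so that
    'https://app.example' and 'https://APP.example:443' compare equal.
    Returns None for anything that is not a usable http(s) origin."""
    try:
        parts = urlsplit(origin or "")
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def validate_handshake(headers, allowed_origins):
    """Return (True, accept_value) for an acceptable upgrade request, or
    (False, reason). The Origin allowlist is the control against
    Cross-Site WebSocket Hijacking; a missing Origin is rejected too."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "Connection header does not include Upgrade"
    key = h.get("sec-websocket-key")
    if not key:
        return False, "missing Sec-WebSocket-Key"
    origin = normalize_origin(h.get("origin"))
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    if origin is None or origin not in allowed:
        return False, "Origin not in allowlist"
    return True, accept_key(key)


# Constructed sample handshakes: one from the application's own origin,
# one from an unrelated site. The key is the example value from RFC 6455.
SAME_ORIGIN_HEADERS = {
    "Host": "app.example",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
    "Origin": "https://app.example",
}
OTHER_ORIGIN_HEADERS = dict(SAME_ORIGIN_HEADERS, Origin="https://other.example")
ALLOWED_ORIGINS = ["https://app.example"]

if __name__ == "__main__":
    print(validate_handshake(SAME_ORIGIN_HEADERS, ALLOWED_ORIGINS))
    print(validate_handshake(OTHER_ORIGIN_HEADERS, ALLOWED_ORIGINS))
```

An Origin check alone is a browser-side guarantee (non-browser clients can send any Origin), so deployments that rely on cookies for WebSocket authentication usually pair it with a per-session token carried in the handshake URL or first message.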

OGNL Expression Injection
New categories identify OGNL Expression Injection both in applications that use the Apache Object Graph Navigation Library directly and in Struts 2 applications that use APIs which evaluate OGNL expressions.

OWASP ESAPI JSP Tag Library
Support for the OWASP Enterprise Security API (ESAPI) JSP tag library identifies validation against Cross-Site Scripting and other web security flaws.

DISA STIG 3.5
Support for the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 3.5.


HP Fortify Premium Content

The research team continues to extend and build upon security artifacts outside HP WebInspect SecureBase, the Fortify Secure Coding Rulepacks, and Fortify Runtime Rulepack kits.

OWASP Top 10 2013 and DISA STIG 3.5 Reports
A new report bundle with support for OWASP Top 10 2013 and DISA STIG 3.5 is available for download from the Fortify Customer Portal under Premium Content.

HP Fortify Runtime Performance Tuning Guide
This guide provides effective solutions to performance bottlenecks when using HP Fortify Runtime and supplements the installation and configuration guides.

Sample Custom Rules for Runtime Application Logging (HP ArcSight Application View)
When using custom or third-party authentication frameworks, tailored runtime rules are essential to observing the behavior of your applications with HP ArcSight Application View. The professional services kit contains a sample rule for a quick start to creating custom rules along with practical examples, such as:

  • SSL Client Authentication
  • Unique authentication events commonly encountered in ERP/CRM solutions
  • Custom exceptions
