HPE Security Fortify Software Security Content 2017 Update 1

Security_Guest ‎03-31-2017 12:37 PM - edited ‎03-31-2017 12:52 PM

HPE Security Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to HPE Security Fortify Secure Coding Rulepacks (English language, version 2017.1.0), HPE Security Fortify WebInspect SecureBase (available via SmartUpdate), HPE Security Fortify Application Defender, and HPE Security Fortify Premium Content. Reference the release announcement for all the details.

HPE Security Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 751 unique categories of vulnerabilities across 24 programming languages and span over 860,000 individual APIs. In summary, the release includes rule enhancements and support for the following:

.NET TAP[i] and Entity Framework 6

  • Coverage of all supported .NET vulnerability categories which pass data through Task-based Asynchronous Pattern (TAP) constructs
  • Coverage for Entity Framework 6 and extended coverage for the Web.* namespaces in .NET 4.6.2 (extended support covers 12 existing categories and a new category, Insecure Transport: Database)

Swift 3[ii]

  • Coverage for all SDK changes introduced in Swift 2.3, to account for renamed APIs and variables

iOS enhancements[iii]

  • Detection of the new vulnerability category Predicate Injection
  • Detection of four new vulnerability categories for authentication bad practices related to NSURLConnection and NSURLSession


  • Detection of eight vulnerability categories in applications written for the Salesforce platform


  • Coverage of 15 vulnerability categories for AngularJS 1.x core APIs with the ability to track malicious data through the Model-View-ViewModel (MVVM) architecture


  • Following malicious data through the library’s utility functions for detection of both Client-Side Template Injection and Server-Side Template Injection categories

Formula Injection

  • Detection of untrusted data used in CSV, TSV, or spreadsheet files that can lead to Formula Injection vulnerabilities across Java and .NET native APIs as well as several third-party libraries
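To illustrate the Formula Injection category, here is an added Python example (not Fortify's rule logic) that shows the vulnerable export pattern, writing untrusted strings straight into CSV, beside a neutralizing writer, and a simple detector that scans a finished CSV file for formula-like cells. The sample rows are constructed.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (or that break a value out of its cell context when pasted).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell):
    """Detection side: does this exported cell begin like a spreadsheet formula?"""
    return bool(cell) and cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Mitigation side: force a cell to be read as literal text.

    A leading apostrophe is the widely used neutralization; some spreadsheet
    importers display it, so choose the scheme that fits your consumers.
    """
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def write_csv(rows, neutralize=True):
    """Export rows to CSV text, either raw (the vulnerable pattern) or neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else str(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan a finished CSV file and report (row, column, value) of formula-like cells."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a user-supplied "comment" column that an application
# exports to CSV without validation. Two cells begin with formula triggers.
SAMPLE_ROWS = [
    ["username", "comment"],
    ["alice", "Great product"],
    ["bob", "=SUM(1,2)"],
    ["carol", "-5 stars, would not buy again"],
]

if __name__ == "__main__":
    raw = write_csv(SAMPLE_ROWS, neutralize=False)
    print("raw export flags:", find_formula_cells(raw))
    print("neutralized export flags:", find_formula_cells(write_csv(SAMPLE_ROWS)))
```

The same scan applies to TSV output if the reader is given `delimiter="\t"`; the trigger set is what matters, not the separator.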


  • Correlation of the HPE Security Fortify Taxonomy to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.2 to simplify federal customer compliance.

HPE Security Fortify SecureBase [Fortify WebInspect]

HPE SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability support

  • Insecure Swagger Specifications[vi]
  • Struts 2 OGNL Expression Injection (S2-045, S2-046[vii]), including a newly added attack vector.
  • SSLv3/TLS Renegotiation Stream Injection Enhancement including vulnerable server configuration[viii]
  • XSS Enhancement for new attack vectors[ix]

New policies

Introduction of two new policies to support workflows in new DevOps process implementations:

  • Client-side policy
  • Server-side policy

Compliance report

  • DISA STIG 4.2 Compliance Template.

HPE Security Fortify Application Defender

HPE Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the HPE Security Fortify Software Security Research team provides the following feature improvements:

New protection for zero-day Struts2 S2-045 OGNL Injection

  • New protection rule, Malformed Request: Bad Content-Type, for detecting and blocking Struts2 S2-045 (CVE-2017-5638)
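As an added, illustrative counterpart to the Malformed Request: Bad Content-Type rule (this is not Application Defender's rule logic), the Python below validates Content-Type header values against the RFC 7231 media-type grammar and reports expression-language delimiters separately so the alert is specific. The sample header values and the 256-byte length limit are constructed.

```python
import re

# RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS parameter ),
# with parameter = token "=" ( token / quoted-string ). Only token characters
# are allowed outside quoted strings, so braces, spaces and control bytes are
# rejected by the grammar alone.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
PARAMETER = rf"[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:{PARAMETER})*[ \t]*$")

# Expression-language delimiters that have no business in a Content-Type value;
# reporting them separately gives a more specific alert than "malformed".
EXPRESSION_MARKERS = ("%{", "${", "#{")
MAX_HEADER_LENGTH = 256  # constructed limit; tune to what your server accepts


def classify_content_type(value):
    """Return 'allow' or a 'block: <reason>' verdict for one Content-Type value."""
    if any(marker in value for marker in EXPRESSION_MARKERS):
        return "block: expression syntax in header"
    if len(value) > MAX_HEADER_LENGTH:
        return "block: header too long"
    if not MEDIA_TYPE_RE.match(value):
        return "block: not a well-formed media type"
    return "allow"


def triage(headers):
    """Map each header value to its verdict, in order, for log review."""
    return [(h, classify_content_type(h)) for h in headers]


# Constructed sample values: two legitimate headers, one truncated parameter
# and one carrying an inert expression-language fragment as a placeholder.
SAMPLE_HEADERS = [
    "application/json",
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "multipart/form-data; boundary",
    "text/plain; charset=%{placeholder}",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:40s} {header}")
```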

Jetty application server

  • RTAP and RTAL rulepack kits support for Jetty application server


  • Improved accuracy for Cross-Site Scripting and SQL Injection signatures.

HPE Security Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

DISA STIG 4.2 report

  • New SSC report bundle providing support for DISA STIG 4.2, to accompany the new correlation in this release.

HPE Security Fortify Taxonomy: Software Security Errors

  • The HPE Security Fortify Taxonomy site, containing descriptions for newly added category support, is available at and
  • Customers looking for the legacy site, with the last supported update, may obtain it from the HPE Security Fortify Support Portal.

Reference the release announcement for all the details.
We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact me.

Alexander M. Hoole
Manager, Software Security Research
HPE Security Fortify
+1 (650)265-5296

[i] TAP Syntax support requires HPE Security Fortify SCA 17.10 or newer.

[ii] Requires HPE Security Fortify SCA 17.10 or newer.

[iii] Requires HPE Security Fortify SCA 16.10 or newer.

[iv] Requires HPE Security Fortify SCA 17.10 or newer.

[v] Requires HPE Security Fortify SCA 17.10 or newer and JavaScript to be enabled as a language using higher order analysis for analysis and DOM modelling enabled during translation.

[vi] Requires HPE Security Fortify WebInspect 17.10 or newer.

[vii] Detecting the new attack vector requires HPE Security Fortify WebInspect 17.10 or newer.

[viii] Requires HPE Security Fortify WebInspect 17.10 or newer.

[ix] Requires HPE Security Fortify WebInspect 17.10 or newer.
