Q2 2013 HP Fortify Software Security Content Update

joe_sechman on ‎07-01-2013 05:46 AM

HP SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications under test. In summary, our latest release includes the following updates:


Next Generation Security Testing Features

The following capabilities are available using HP WebInspect with the SecurityScope runtime agent:


  • OAuth Protocol Vulnerabilities
    Detects the use of vulnerable OAuth protocols susceptible to session fixation (OWASP Top 10 2013 - A2) and reports implementation flaws that transfer sensitive information over insecure communication channels (OWASP Top 10 2013 - A6).
  • Unused Parameter Detection
    Identifies hidden HTTP request parameters that escape testing during traditional dynamic scans and adds them to the audit queue for thorough analysis.
  • XML External Entity Injection (XXE)
    Detects weaknesses in XML parsing logic that could expose web applications and services to file inclusion or denial of service attacks.
  • Intelligent Privacy Policy Analysis
    Enhanced detection of missing privacy policy declarations to support multiple languages and incorporate more intelligent logic to minimize false positives.
  • Offline SecureBase
    Offline copies of SecureBase are now officially available on a quarterly basis with each update to HP Fortify Software Security Content. Please contact for details.



HP Fortify Secure Coding Rulepacks (SCA)

As of this release, the Fortify Secure Coding Rulepacks detect 563 unique categories of vulnerabilities across 21 programming languages and over 720,000 individual APIs. In summary, this release includes the following:


  • Validation Support for Microsoft ASP.NET WebForms
    Enhanced support for common Microsoft .NET validation libraries allows for improved accuracy detecting cross-site scripting in ASP.NET WebForms. Validation libraries covered include Microsoft Web Protection Library (AntiXss) and OWASP AntiSamy.
  • New XML Injection Categories (XXE and XEE)
    The capability to identify XML External Entity Injection (XXE) and XML Entity Expansion Injection (XEE) vulnerabilities. Java support covers JAXP, JAXB, XPath, StAX, JAX-RS and Spring REST. Microsoft .NET support covers System.Xml and System.Xml.XPath.
  • Java Server Faces (JSF) 2
    Expanded JSF 2 coverage includes annotations, tags and built-in support for AJAX.
  • JAX-RS
    Support for the Java RESTful Services (JAX-RS) API includes identification of web entrypoints using annotations and coverage of 13 vulnerability categories, including cross-site scripting and privacy violation.
  • OWASP AntiSamy*
    Coverage for AntiSamy validation in both Microsoft .NET and Java. Support includes updates to the built-in Data Validation filterset in HP Fortify AuditWorkbench. (*Requires HP Fortify AuditWorkbench 4.0 or later.)
  • Context Sensitive Ranking: Access Control
    Context sensitive ranking has been enhanced to re-prioritize access control database issues based on evidence of tainted primary keys.
  • NIST SP 800-53 Mapping
    Mapping to the latest security and privacy controls, as described in NIST Special Publication 800-53 Revision 4. 18 controls are covered, including access enforcement, least privilege and information input validation.

HP Fortify Runtime Rulepack Kits (Runtime)

As of this release, there are three Runtime Rulepack Kits: HP Fortify Runtime Application Protection, with 43 unique categories, HP Fortify SecurityScope, with 18 unique categories, and HP Fortify Runtime Application Logging, with 24 unique categories. In summary, this update includes:


  • Runtime Application Protection (RTAP) Rulepack Kit
    Support for hardcoded SQL connection and enhancements to privacy violation detection. 
  • SecurityScope Rulepack Kit
    Five additional categories have been added, including value shadowing, open redirect, and insecure randomness.
  • Runtime Application Logging (RTAL) Rulepack Kit
    Support for unified logging frameworks, including Log4j, java.util.logging, Apache Common Logging, Slf4j, Log4Net, NLog and Microsoft Enterprise Logging Library. Other updates include additional categories and performance improvements.
