Q3 2013 HP Fortify Software Security Content Update

joy_forsythe 10-01-2013 09:36 AM - edited 10-01-2013 09:39 AM

HP SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications. In summary, the release includes the following:

  • OWASP Top 10 2013 Policy 
    A new policy to identify critical risks based on the guidelines offered by the latest release of the OWASP Top 10 document. 
  • NIST Special Publication 800-53 Compliance Template
    A new compliance template to report on the latest security and privacy controls, as described in NIST Special Publication 800-53 Revision 4.
  • Apache Struts 2 Remote Command Execution
    Support for detecting Apache Struts 2 versions susceptible to remote code execution through injection of OGNL expressions as described in CVE-2013-2251 and CVE-2013-1996.
  • User-Controllable Character Set
    Detects unvalidated user input being used to select the response character set, found through direct reflection, header injection (the charset parameter of Content-Type) and HTML tag injection (a <meta> charset declaration).
  • Enhanced Detection of HTTP Response Splitting
    An improved approach for detecting HTTP Response Splitting through CRLF header injection, improving both accuracy and performance.
  • Offline SecureBase 
    Offline copies of SecureBase are now officially available on a quarterly basis with each update to HP Fortify Software Security Content. Please contact for details.
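To make the two header-injection items above concrete (user-controllable character set and CRLF response splitting), here is an added example in Python; it is not code from the original post and not WebInspect's own check logic. It models a handler that builds a redirect response from a user-supplied charset and redirect target, first written carelessly and then hardened with a charset allowlist and CR/LF rejection, plus a scanner-side check that makes the three observations the items list: whether a probe charset is reflected in the Content-Type header, whether it is reflected in a <meta> tag, and whether a CRLF-wrapped marker header turns into a header of its own. The probe strings, the allowlist, the marker header name and all function names are assumptions made for this example.

```python
import re

# Assumption for this example: the charsets the hardened handler is willing to emit.
SAFE_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}

# Constructed probes. The charset probe is a name no server would pick on its own,
# so seeing it in a charset sink proves the client chose it. The CRLF probe wraps a
# marker header in CR/LF; if the marker becomes a header of its own, the CR/LF was
# emitted verbatim and the response can be split.
MARKER_HEADER = "X-Injected"
CHARSET_PROBE = "x-probe-charset"
CRLF_PROBE = "/home\r\n" + MARKER_HEADER + ": 1"


def _render(charset, location):
    # Raw HTTP/1.1 redirect with the charset echoed in two sinks: the Content-Type
    # header and a <meta> tag in the body.
    headers = [
        "HTTP/1.1 302 Found",
        "Content-Type: text/html; charset=" + charset,
        "Location: " + location,
    ]
    body = ('<html><head><meta http-equiv="Content-Type" '
            'content="text/html; charset=' + charset + '"></head>'
            '<body>Redirecting...</body></html>')
    return "\r\n".join(headers) + "\r\n\r\n" + body


def build_response_vulnerable(charset, location):
    """Careless handler: user input goes straight into header values and the
    <meta> tag, with no charset allowlist and no CR/LF filtering."""
    return _render(charset, location)


def build_response_hardened(charset, location):
    """Hardened handler: charset comes from the allowlist (falling back to UTF-8)
    and any CR or LF in a header value is rejected instead of being emitted."""
    cs = charset.strip().lower()
    if cs not in SAFE_CHARSETS:
        cs = "utf-8"
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not allowed in header value")
    return _render(cs, location)


def parse_response(raw):
    """Splits a raw response into (status line, [(name, value), ...], body).
    Headers stay a list so duplicated or injected names are not collapsed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def charset_reflected(raw, probe):
    """Returns the set of sinks that echo the probe as the charset:
    'header' for the Content-Type charset parameter, 'meta' for a <meta> tag."""
    _, headers, body = parse_response(raw)
    hits = set()
    for name, value in headers:
        if name == "content-type":
            m = re.search(r"charset=([^;\s]+)", value, re.I)
            if m and m.group(1).strip('"').lower() == probe.lower():
                hits.add("header")
    if re.search(r"<meta[^>]*charset=[\"']?" + re.escape(probe), body, re.I):
        hits.add("meta")
    return hits


def response_split(raw, marker):
    """True if `marker`, which was only ever sent inside a header *value*,
    comes back as a header name of its own."""
    _, headers, _ = parse_response(raw)
    return any(name == marker.lower() for name, _ in headers)


def scan(handler, charset_probe=CHARSET_PROBE, crlf_probe=CRLF_PROBE):
    """Runs both probes against `handler` (standing in for the target
    application) and reports what a scanner would flag."""
    findings = {"charset_sinks": set(), "response_split": False, "crlf_rejected": False}
    findings["charset_sinks"] = charset_reflected(handler(charset_probe, "/home"), charset_probe)
    try:
        findings["response_split"] = response_split(handler("utf-8", crlf_probe), MARKER_HEADER)
    except ValueError:
        findings["crlf_rejected"] = True
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(build_response_vulnerable))
    print("hardened:  ", scan(build_response_hardened))
```

Two design points carry over to real targets: the charset check compares the parsed charset parameter, not the raw header text, so a probe that is merely echoed elsewhere in the response is not mistaken for charset control; and the split check looks for the marker as a parsed header name rather than as a substring, which is what separates a genuine CRLF emission from an encoded or escaped echo.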



HP Fortify Secure Coding Rulepacks (SCA)

As of this release, the Fortify Secure Coding Rulepacks detect 574 unique categories of vulnerabilities across 21 programming languages and over 720,000 individual APIs. In summary, the release includes the following:

  • New XSLT and XPath Injection Categories
    Support for popular Java and Microsoft .NET libraries to detect XSLT and XPath injection issues. Java support covers Apache Xalan, JAXP, XDK, XQJ, XPath, and Saxon. Microsoft .NET support covers Saxon.
  • Enhanced Microsoft .NET MVC and Razor Support 
    Enhanced support for .NET MVC actions, including Cross-Site Scripting, to reduce false positives and improve accuracy. Seven new categories detect bad practices in MVC and Razor views.
  • iOS Data Protection Support
    Support for the iOS data protection API, including two new categories.
  • Google Android Recommendations
    Extended descriptions and recommendations for categories identified within Android applications. Specific guidance will allow developers to better address categories such as Cross-Site Scripting, SQL Injection and Password Management.
  • Context Sensitive Ranking: Spring Validators*
    Context sensitive ranking has been enhanced to reprioritize issues based on the presence of Spring Validators and provide additional evidence.
  • Expanded System Information Leak Support
    System Information Leak issues reported as either Internal or External, with appropriate descriptions and prioritization.
  • OWASP Top 10 2013*
    Mapping of categories to the latest revision of the OWASP Top 10.

 * Requires HP Fortify SCA 4.01 or later  



HP Fortify Runtime Rulepack Kits (Runtime)

As of this release, there are three Runtime Rulepack Kits: HP Fortify Runtime Application Protection, with 41 unique categories; HP Fortify SecurityScope, with 13 unique categories; and HP Fortify Runtime Application Logging, with 67 unique categories. In summary, this update includes:

  • Runtime Application Protection Rulepack Kit
    Rules changes to improve the accuracy of the findings by reducing false positives for various categories.
  • SecurityScope Rulepack Kit (HP WebInspect)
    Improved unused parameter detection and general maintenance and bug fixes.
  • Runtime Application Logging Rulepack Kit (HP ArcSight Application View)
    Major improvements to Runtime Application Logging, a key component of the HP ArcSight Application View solution. Enhancements include extracting information from the application about security and crypto exceptions, user management, and web access logs.
