Micro Focus Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Micro Focus Fortify Secure Coding Rulepacks (English language, version 2017.2.0), Micro Focus Fortify WebInspect SecureBase (available via SmartUpdate), Micro Focus Fortify Application Defender, and Micro Focus Fortify Premium Content.
The Micro Focus Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio. Highlights in this Release Announcement include:
Micro Focus Security Fortify Secure Coding Rulepacks [SCA]
With this release, the Fortify Secure Coding Rulepacks detect 756 unique categories of vulnerabilities across 24 programming languages and span over 862,000 individual APIs. In summary, the release includes the following:
Updates supporting the .NET Framework, primarily covering the System.Security namespaces, improve coverage for .NET across many vulnerability categories and add the following new categories:
- Key Management: Hardcoded Encryption Key
- Key Management: Hardcoded HMAC Key
- Key Management: Empty HMAC Key
- Insecure SSL: Server Identity Verification Disabled
- Often Misused: Asserting Permissions
- Permission Manipulation
- Permission Manipulation: Logging
Unsafe JSON Deserialization
The deserialization of untrusted JSON streams can lead to remote code execution when certain libraries are used insecurely. Support has been added for the new vulnerability category, Dynamic Code Evaluation: Unsafe JSON Deserialization, which will also be the focus of presentations at Black Hat and DEF CON this year. Misconfigurations of popular libraries, such as Jackson and JSON.NET, may also lead to Unsafe JSON Deserialization and remote code execution; the common root cause is that the JSON document itself is allowed to name the type, and therefore the code, that the parser instantiates.
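The following is an added example, not code from the original announcement or from Jackson or JSON.NET. It is a constructed Python model of the pattern those libraries expose when polymorphic type handling is enabled: a "$type" member in the JSON (an assumed field name, standing in for JSON.NET's "$type" or Jackson's default-typing class name) selects the callable that receives the object's remaining members as arguments. The unsafe loader lets the payload pick any importable callable; the hardened loader resolves the name only through a closed allow-list of application types. The gadget used here (os.getcwd) is deliberately harmless; the mechanism that runs it is exactly what a real payload abuses.

```python
"""Constructed Python model of type-name-driven JSON deserialization."""
import importlib
import json
from dataclasses import dataclass


def _resolve(dotted_name):
    """Import "pkg.mod.Name" and return the object, like a type resolver would."""
    module_name, _, attr = dotted_name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def unsafe_loads(text):
    """Model of Jackson default typing / JSON.NET TypeNameHandling.All:
    any JSON object carrying "$type" is instantiated from the name it
    supplies, so the payload chooses which callable runs and with which
    keyword arguments."""
    def hook(obj):
        type_name = obj.pop("$type", None)
        if type_name is None:
            return obj
        return _resolve(type_name)(**obj)
    return json.loads(text, object_hook=hook)


@dataclass
class Address:
    """The only polymorphic type this application actually expects (assumed)."""
    street: str
    city: str


ALLOWED_TYPES = {"Address": Address}


def safe_loads(text):
    """Hardened variant: "$type" is looked up in a closed allow-list of
    application types; anything else is rejected before instantiation."""
    def hook(obj):
        type_name = obj.pop("$type", None)
        if type_name is None:
            return obj
        cls = ALLOWED_TYPES.get(type_name)
        if cls is None:
            raise ValueError(f"unexpected type in JSON: {type_name!r}")
        return cls(**obj)
    return json.loads(text, object_hook=hook)


def is_rejected(loader, text):
    """True when the loader refuses the document with ValueError."""
    try:
        loader(text)
    except ValueError:
        return True
    return False


# Constructed payloads. os.getcwd is a harmless stand-in for a gadget:
# a payload naming subprocess.Popen with {"args": [...]} is handled the same way.
BENIGN = '{"$type": "Address", "street": "1 Main St", "city": "Springfield"}'
GADGET = '{"profile": {"$type": "os.getcwd"}}'

if __name__ == "__main__":
    print(unsafe_loads(GADGET))          # attacker-chosen function ran
    print(safe_loads(BENIGN))
    print(is_rejected(safe_loads, GADGET))
```

The fix is not a better type resolver but a smaller one: the set of types the application will construct from external input must be fixed in code, and the JSON may only choose among them.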
Expression Language Injections: Spring
Support has been added for Spring Expression Language (SpEL) Injection, which may lead to remote code execution if untrusted data is parsed and evaluated as a SpEL expression.
DISA STIG 4.3
In order to support our federal customers in the area of compliance, a correlation of the Fortify Taxonomy to the latest version of the Defense Information Systems Agency (DISA) Application Security and Development STIG, version 4.3, has been added.
Micro Focus Security Fortify SecureBase [Fortify WebInspect]
Micro Focus SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:
HTTP Verb Tunneling
Some applications allow the HTTP verb (method) of a request to be overridden, typically through a header such as X-HTTP-Method-Override or a _method request parameter. Because the framework applies the override after the web server or front end has already evaluated its own rules against the original method, an attacker can tunnel a restricted method (for example DELETE) inside a permitted one (such as GET or POST) and bypass server security configurations. Known as HTTP Verb Tunneling, this vulnerability leverages a weakness called HTTP Method Override, present in various framework configurations. HTTP Method Override has legitimate uses (clients or proxies that can only send GET and POST), so rather than forbidding it outright it is necessary to understand the implications and secure it correctly: accept the override only on POST, restrict it to an allow-list of target methods, and enforce authorization on the effective method rather than the original one.
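An added example (not code from the announcement or from WebInspect) showing the bypass and the fix as plain WSGI. The gateway() function stands in for a server-level rule that restricts DELETE to administrators and sees only the original method; vulnerable_override() is the framework behaviour that rewrites the method afterwards from the X-HTTP-Method-Override header, so a GET with that header reaches the handler as a DELETE. hardened_override() accepts the override only on POST, only for allow-listed methods, and re-runs the authorization check on the effective method. The ACL, the users and the request environ are constructed for the example; a _method form parameter would be handled by the same rules.

```python
"""Model of HTTP verb tunneling via X-HTTP-Method-Override, as plain WSGI."""
from io import BytesIO


def is_allowed(method, user):
    """Constructed ACL standing in for a server rule such as Apache's
    <Limit DELETE>: only the admin user may DELETE, everything else passes."""
    if method == "DELETE":
        return user == "admin"
    return True


def make_environ(method, user, override=None):
    """Build a minimal WSGI environ for a constructed request."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/items/1",
               "REMOTE_USER": user, "wsgi.input": BytesIO(b"")}
    if override is not None:
        environ["HTTP_X_HTTP_METHOD_OVERRIDE"] = override
    return environ


def app(environ, start_response):
    """Resource handler: trusts REQUEST_METHOD exactly as delivered to it."""
    start_response("200 OK", [])
    return [environ["REQUEST_METHOD"].encode()]


def vulnerable_override(app):
    """Honours the override header on any request, after the ACL has run."""
    def wrapped(environ, start_response):
        override = environ.get("HTTP_X_HTTP_METHOD_OVERRIDE")
        if override:
            environ["REQUEST_METHOD"] = override.upper()
        return app(environ, start_response)
    return wrapped


ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}


def hardened_override(app):
    """Only POST may be tunnelled, only to an allow-listed method, and
    authorization is enforced again on the effective method."""
    def wrapped(environ, start_response):
        override = environ.get("HTTP_X_HTTP_METHOD_OVERRIDE", "").upper()
        if override:
            if environ["REQUEST_METHOD"] != "POST" or override not in ALLOWED_OVERRIDES:
                start_response("400 Bad Request", [])
                return [b"invalid method override"]
            environ["REQUEST_METHOD"] = override
        if not is_allowed(environ["REQUEST_METHOD"], environ.get("REMOTE_USER")):
            start_response("403 Forbidden", [])
            return [b"forbidden"]
        return app(environ, start_response)
    return wrapped


def gateway(inner, environ):
    """Server front end: enforces the ACL on the raw method, then hands off."""
    if not is_allowed(environ["REQUEST_METHOD"], environ.get("REMOTE_USER")):
        return "403 Forbidden", b"forbidden"
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(inner(environ, start_response))
    return captured["status"], body


def run(middleware, method, user, override=None):
    """Send one constructed request through gateway -> middleware -> app."""
    return gateway(middleware(app), make_environ(method, user, override))


if __name__ == "__main__":
    print(run(vulnerable_override, "DELETE", "guest"))         # blocked by ACL
    print(run(vulnerable_override, "GET", "guest", "DELETE"))  # tunnelled past it
    print(run(hardened_override, "GET", "guest", "DELETE"))    # override refused
    print(run(hardened_override, "POST", "admin", "DELETE"))   # legitimate use
```

The point of the hardened variant is not the allow-list alone: the server-level ACL is still evaluated on the original method, so any control that must hold for DELETE has to be enforced a second time where the effective method is known.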
Improved Server Fingerprinting
Reconnaissance is an important step in any vulnerability assessment. Understanding the environment being tested allows for more accurate attacks to be generated, while disabling unnecessary ones. New server fingerprinting rules have been added to detect various web servers, application servers and technologies, thus allowing WebInspect to be more efficient in scanning for vulnerabilities.
Dynamic Code Evaluation: Code Injection
Many languages provide capabilities to dynamically interpret or execute source code at runtime. Dynamic execution of user-controlled instructions allows attackers to run arbitrary code in the application's context. This release contains four additional checks to detect Code Injection vulnerabilities within applications developed using PHP, Python, Perl and Ruby.
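An added example, not code from the announcement, illustrating the Code Injection pattern above in Python (one of the four languages the new checks cover) and, by the same principle, the Spring Expression Language injection described earlier: a calculator that hands user text to the language's own evaluator accepts any expression, including calls into the OS. The hardened version parses the input into an AST and evaluates only numeric literals and arithmetic operators, so the grammar rather than the input decides what can run. The payload string and the operator table are constructed for the example.

```python
"""Dynamic code evaluation: eval() on user input versus a restricted evaluator."""
import ast
import operator

# Operators the calculator is meant to support, and nothing else.
_BINARY = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def vulnerable_calc(expr):
    """The pattern the new checks flag: user-controlled text handed straight
    to the language's evaluator. Any Python expression runs, not just arithmetic."""
    return eval(expr)


def _evaluate(node):
    """Walk the parsed AST and accept only numeric literals and arithmetic."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_evaluate(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        left, right = _evaluate(node.left), _evaluate(node.right)
        # Resource guard: 2 ** 10**9 is valid arithmetic but a denial of service.
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")
        return _BINARY[type(node.op)](left, right)
    # Call, Attribute, Name, Subscript, comprehensions, lambdas: all land here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_calc(expr, max_len=256):
    """Parse the input as a single expression and evaluate it with _evaluate
    instead of eval(); strings, names and calls never reach the interpreter."""
    if len(expr) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    return _evaluate(tree.body)


def rejects(expr):
    """True when safe_calc refuses the input."""
    try:
        safe_calc(expr)
    except ValueError:
        return True
    return False


# Constructed attacker input: looks like a calculator query, runs OS code.
INJECTION_PAYLOAD = "__import__('os').getcwd()"

if __name__ == "__main__":
    print(vulnerable_calc("1 + 2 * 3"), vulnerable_calc(INJECTION_PAYLOAD))
    print(safe_calc("1 + 2 * 3"), rejects(INJECTION_PAYLOAD))
```

The same design applies to PHP eval(), Perl string eval, Ruby eval/instance_eval and SpEL: do not try to filter dangerous substrings out of the input, build (or configure) an evaluator whose language is exactly the one the feature needs.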
DISA STIG 4.3 Compliance Template
This release includes a new compliance template to provide support for the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.3.
Micro Focus Security Fortify Application Defender
Micro Focus Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the Security Fortify Software Security Research team provides the following feature improvements:
Improved JSON support for Java
The JSON data monitoring has been reimplemented, improving reliability and extending support for additional JSON parsing libraries.
Improved Jetty application server support
Support has been added to the WIA rulepack kits for the Jetty application server, one of the most popular open source Java HTTP web servers and servlet containers.
This release also includes a performance improvement in the "Unified Logging" rule, a minor bug fix in "LDAP Injection", and improved coverage in "OGNL Expression Injection: Struts2" for CVE-2017-5638.
Micro Focus Security Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
DISA STIG 4.3 report
To accompany the new correlation, this release also contains a new report bundle with support for DISA STIG 4.3, which is available for download from the Fortify Customer Portal under Premium Content.
Micro Focus Security Fortify Taxonomy: Software Security Errors
The Security Fortify Taxonomy site, containing descriptions for newly added category support, is available at https://vulncat.fortify.com.
Customers looking for the legacy site, with the last supported update, may obtain it from the Security Fortify Support Portal.
We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact me.
Alexander M. Hoole
Manager, Software Security Research
Micro Focus Security Fortify