Micro Focus Fortify Software Security Content 2019 Update 2



Fortify Software Security Research Release Announcement

Micro Focus Security Research

hoole@microfocus.com | 28 June 2019




Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2019.2.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.

The Micro Focus Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio. Highlights in this Release Announcement include:


Micro Focus Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 799 unique categories of vulnerabilities across 25 programming languages and span over one million individual APIs. In summary, this release includes the following:

  • .NET Updates
  • Realm Database
  • Python urllib3
  • Java SE 10 and 11 Updates
  • Cross-Site Scripting: SOP Bypass
  • PCI SSF 1.0

In this release, we have continued to invest in reducing false positives and in making reported issues easier for customers to audit. Customers can also expect to see changes in reported issues related to the following:

  • Log Forging
  • Unreleased Resource: Database
  • Unsafe JNI and Unsafe JSNI
  • Dynamic Code Evaluation and Other Sinks on Lambdas
  • Cross-Site Scripting: Content Sniffing support
  • Lowering of Fortify Priority Order Based On Taint


Micro Focus Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability support

  • WebSocket Update[i]
  • Secure Response Headers Configuration Update
  • Web Server Misconfiguration: Deprecated SSL/TLS Certificate
  • Insecure Deployment: Unpatched Application

Compliance report

  • PCI SSF 1.0

Policy Updates

  • PCI SSF 1.0

Miscellaneous Errata

  • Cache Management: Insecure Policy
  • Expression Language Injection: Spring


Micro Focus Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

  • PCI SSF 1.0
    • To accompany the new correlations, this release also contains a new report bundle for Fortify SSC with support for PCI SSF 1.0, which is available for download from the Fortify Customer Portal under Premium Content.
  • Micro Focus Fortify Taxonomy: Software Security Errors
    • The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, may obtain it from the Micro Focus Fortify Support Portal.


Details are available in the attached release letter along with specific feature requirements. We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact us. If you haven’t already, subscribe to this Fortify Product Announcement board today to stay up to date on what's new with our products!


Contact Software Security Research

Alexander M. Hoole

Manager, Software Security Research

Micro Focus Fortify


1 (650) 258-5916



Contact Fortify Technical Support

Micro Focus Fortify


1 (844) 260-7219


[i] WebSocket Update requires WebInspect 19.1.0 or later.

