Software Security Research Release Announcement
Date: 15 December 2017
Micro Focus Security Fortify Software Security Content
2017 Update 4
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2017.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content. Reference the Micro Focus Security Research Blog or see the attached release announcement for all the details.
Micro Focus Security Fortify Secure Coding Rulepacks [SCA]
With this release, the Fortify Secure Coding Rulepacks detect 770 unique categories of vulnerabilities across 25 programming languages and span over 970,000 individual APIs. In summary, the release includes rules enhancement and support for the following:
Scala Play Framework Support
Initial support has been added for the Scala Play framework in security content. Many existing categories are extended to support Scala Play and four new vulnerability categories can now be detected in applications using Scala Play: JSON Path Manipulation, Missing Form Field Constraints, Missing Form Field Validation and Same-Origin Method Execution.
Scala Slick library
Numerous categories are now supported for the Scala Slick library; the two principal vulnerability categories of interest are SQL Injection and Access Control: Database.
Same-Origin Method Execution
Coverage for a new vulnerability category, Same-Origin Method Execution (SOME), has been added for Scala Play and Java Spring frameworks.
Support for Oracle JDBC
Java rulepacks now contain extended JDBC support for the Oracle JDBC Java API. Vulnerability category coverage includes: Access Control: Database, Password Management: Empty Password, Password Management: Hardcoded Password, Password Management: Null Password and SQL Injection.
NoSQL Injection: MongoDB
A new category, NoSQL Injection: MongoDB, has been added to detect insecure MongoDB queries. This release supports both the Java and .NET MongoDB client SDKs.
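The following added example (not Fortify's code and not from the release) illustrates the query-construction pattern the NoSQL Injection: MongoDB category targets, using the MongoDB Java driver. The `Document.parse`, `Filters.eq` and `MongoCollection.find` calls are real driver APIs; the `users` collection and `username` field are hypothetical.

```java
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.bson.Document;
import org.bson.conversions.Bson;

public class MongoUserLookup {

    // VULNERABLE PATTERN: a caller-controlled value is concatenated into query text
    // that is then parsed as JSON. The value can alter the query's structure
    // (field names, nesting, operators) instead of being matched as a plain string.
    // This is the kind of construction a NoSQL Injection: MongoDB finding flags.
    static Document unsafeFilter(String username) {
        return Document.parse("{ \"username\": \"" + username + "\" }");
    }

    // HARDENED FORM: the driver's filter builder binds the value as a BSON string
    // literal, so whatever the caller supplies is compared as data and never
    // interpreted as query syntax.
    static Bson safeFilter(String username) {
        return Filters.eq("username", username);
    }

    // Hypothetical lookup over an injected collection handle (assumed to be
    // obtained elsewhere from a MongoClient); only the builder-based filter is used.
    static Document findUser(MongoCollection<Document> users, String username) {
        return users.find(safeFilter(username)).first();
    }
}
```

The same distinction applies to the .NET driver covered by this release: queries assembled from strings and then parsed are the ones to review, while filter builders and typed query objects keep input in the data position.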
OWASP Java Encoder project
Java rulepacks now include support for the OWASP Java Encoder project, both in Java application code and in JSP tags.
ASP.NET MVC model and request validation
Support has been added for new attributes and APIs available for model and request validation under multiple namespaces, including System.Web.Mvc, System.Web.Mvc.Ajax, System.Web.Mvc.Html and System.Web.WebPages.
Objective-C AFNetworking library
Coverage for the most popular Objective-C HTTP client library, AFNetworking, has been added in this release.
OWASP Top 10 2017
Correlation of the Micro Focus Fortify Taxonomy to the newly released OWASP Top 10 2017 has been added.
DISA STIG 4.4
Correlation of the Micro Focus Fortify Taxonomy to the Defense Information Systems Agency Application Security and Development STIG, version 4.4 has been added.
Micro Focus Security Fortify SecureBase [Fortify WebInspect]
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:
Cross-Site Scripting Enhancements
This release includes enhancements for the Cross-Site Scripting check to detect dangling tag injection vulnerabilities in web applications.
Optimizations to WebInspect checks to reduce the amount of WebInspect traffic generated during a scan are also included.
OWASP Top 10 2017 compliance template
This release includes a new compliance report template that provides correlation between OWASP Top 10 2017 categories and WebInspect checks.
DISA STIG 4.4
This release contains a correlation of the WebInspect checks to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.4.
SANS Top 25 2011 compliance template
This release also includes a new compliance report template correlating WebInspect checks to the 2011 CWE/SANS TOP 25 Most Dangerous Software Errors list.
This release includes the following new Policies: OWASP Top 10 2017, DISA STIG V4R4 and SANS Top 25 2011.
We have also improved the existing OWASP 2013 policy and compliance template to exclude checks that are considered legacy or deprecated.
Micro Focus Security Fortify Application Defender
For this release, the following features have been improved:
Improved Runtime Taint rulepack for IAST
This release optimizes performance when the same database column is read repeatedly across multiple rows. It also improves support for Microsoft Web API by mapping more .NET attributes as taint sources.
Micro Focus Security Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
Insider Threat Rulepacks
With this update, the Insider Threat Rulepacks now support a new category, Insider Threat: Static SQLite Query, and expand coverage of Insider Threat: Runtime Compilation to the following four Java libraries: ObjectWeb ASM, Apache BCEL, Javassist and CGLib.
OWASP Top 10 2017 and DISA STIG 4.4 reports
This release contains a new report bundle with support for OWASP Top 10 2017 and DISA STIG 4.4.
Micro Focus Security Fortify Taxonomy: Software Security Errors
Details are available in the attached release letter along with specific feature requirements. We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact me.
Alexander M. Hoole
Manager, Software Security Research
Micro Focus Security Fortify
1 (650) 258-5916
Contact Fortify Technical Support
Micro Focus Security Fortify
1 (844) 260-7219