Fortify Software Security Content 2018 Update 3


Original Question: Fortify Software Security Content 2018 Update 3 by Erdem_Menges


Fortify Software Security Research Release Announcement

Micro Focus Security Research | 28 September 2018

Micro Focus Fortify 
Software Security Content 

2018 Update 3

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2018.3.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.

The Micro Focus Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio. Highlights in this Release Announcement include:

Micro Focus Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 788 unique categories of vulnerabilities across 25 programming languages and span over 1,007,000 individual APIs. In summary, the release includes the following:  

  • Unsafe deserialization of YAML documents
  • Path Manipulation: Zip Entry Overwrite
  • Python MongoDB
  • OGNL Expression Injection: Struts 2
  • Java 9 APIs [i]
  • DISA STIG 4.7

Micro Focus Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users in the following updates available immediately via SmartUpdate:

Vulnerability support

  • Cross-Site Scripting Enhancements [ii]
  • Web Server Misconfiguration: Insecure Mapping Directives
  • Insecure Deployment: Path Normalization Conflict
  • Cross-Site WebSocket Hijacking [iii]
  • OGNL Expression Injection: Struts 2
  • Insecure Transport: Missing Perfect Forward Secrecy

Compliance report  

  • DISA STIG 4.7 correlation

Policy Updates 

A policy customized to include checks relevant to DISA STIG 4.7 has been added to the existing list of supported policies in WebInspect SecureBase.

Micro Focus Fortify Application Defender

Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the Micro Focus Fortify Software Security Research team provides the following new rule:

  • Path Manipulation: Zip Entry Overwrite

Micro Focus Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

DISA STIG 4.7 reports

  • To accompany the new correlations, this release also contains a new report bundle with support for DISA STIG 4.7, which is available for download from the Fortify Customer Support Portal under Premium Content.

Micro Focus Fortify Taxonomy: Software Security Errors

  • The Fortify Taxonomy site, containing descriptions for newly added category support, is available at
  • Customers looking for the legacy site, with the last supported update, may obtain it from the Micro Focus Fortify Support Portal.

Details are available in the attached release letter along with specific feature requirements. We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact us.


Contact Software Security Research

Alexander M. Hoole

Manager, Software Security Research

Micro Focus Fortify

1 (650) 258-5916


Contact Fortify Technical Support

Micro Focus Fortify

1 (844) 260-7219


[i]. Support for Java 9 requires Fortify SCA version 18.20 or above.

[ii]. Support for Cross-Site Scripting enhancements require Fortify WebInspect 18.20 and above.

[iii]. Support for Cross-Site WebSockets Hijacking requires Fortify WebInspect 18.20 and above.

Comment List