Original Question: Micro Focus Fortify Software Security Content 2019 Update 4 by Harley_Adams
Fortify Software Security Content
2019 Update 4
December 13, 2019
About Micro Focus Fortify Software Security Research
The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA), Fortify WebInspect, and Fortify Application Defender. Today, Micro Focus Fortify Software Security Content supports 1,018 vulnerability categories across 26 programming languages and spans more than one million individual APIs.
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2019.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
Micro Focus Fortify Secure Coding Rulepacks [SCA]
With this release, the Fortify Secure Coding Rulepacks detect 807 unique categories of vulnerabilities across 26 programming languages and span over one million individual APIs. In summary, this release includes the following:
Initial support for Go. Go is a statically typed open-source language designed by Google that aims to make it easy to build simple, reliable, and efficient software. Go is syntactically similar to C, but with memory safety mechanisms, garbage collection, and structural typing. This update covers 10 core standard library namespaces and support for the following 34 categories:
Spring Security is an authentication and access-control framework that also provides additional layers of security, such as security headers, which offers additional protection against attacks such as session fixation, clickjacking, and cross-site request forgery. It is the de-facto standard for securing Spring-based applications. This update includes support, up to version 5.2.1, for the following 21 categories:
Additionally, the following seven new weakness types are introduced:
Spring Boot creates stand-alone Spring applications and automatically configures Spring and third-party libraries whenever possible. It also provides production-ready features such as metrics, health checks, and externalized configuration. In addition to the previously supported categories, this update includes support, up to version 2.2.1, for the following additional nine categories:
In addition, while previous Rulepacks only supported Properties configuration files and the Maven build system, this release also includes support for YAML configuration files and Gradle.
Support for new APIs in Java 12. These rules require SCA version 19.1, or later, when new Java 12 syntax such as the new Switch statement is used.
JSTL XML Library
JavaServer Pages (JSP) Standard Tag Library (JSTL) is a library that provides a JSP-centric way of manipulating and creating XML documents. Support now includes coverage for the following categories for JSTL v1.1:
OpenXML SDK .NET Improvements
Updated support for OpenXML SDK v2.9.0 includes support for three additional categories:
React Router is a collection of navigational components that compose declaratively with your application. Whether you want to have bookmarkable URLs for your web application or a composable way to navigate in React, React Router works wherever React is rendering. Categories supported for React-Router 5.1.2 include:
2019 CWE Top 25
The Common Weakness Enumeration (CWE) Top 25 has fundamentally changed how it is determined, compared to the days when it was known as the SANS Top 25. Released in September, the new Top 25 is determined using a heuristic formula that normalizes the frequency and severity of vulnerabilities reported to the National Vulnerability Database (NVD) over the past two years. To support our customers who want to prioritize their auditing around the most commonly reported critical vulnerabilities in the NVD, a correlation of the Micro Focus Fortify Taxonomy to the CWE Top 25, 2019 version has been added.
DISA STIG 4.10
To support our federal customers in the area of compliance, correlation of the Micro Focus Fortify Taxonomy to the Defense Information Systems Agency (DISA) Application Security and Development STIG version 4.10 has been added.
In this release, we have continued to expend resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:
Micro Focus Fortify SecureBase [Fortify WebInspect]
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users in the following updates available immediately via SmartUpdate:
Authentication tokens exchanged during a single sign-on process are susceptible to replay attack and can enable an attacker to impersonate a valid user to gain unauthorized access to the service. This release includes a check that performs the replay attack for windows identity framework and service providers using the SAML protocol.
The HTTP Vary response header contains a list of HTTP headers that are used to decide the correct cached response to serve an incoming request. Absence of ‘Origin’ in the Vary header can leave the application open to both client-side and server-side cache poisoning attacks especially when a cross origin request is made. This release includes a check to detect when there is a missing 'Origin' header in the Vary header value.
Allowing CORS requests that originate from null origins, 'Origin: null', can compromise system security and leave the application vulnerable to data theft. This release includes a check to detect the presence of 'null' value in the Access-Control-Allow-Origin CORS header within a server response.
HTTP Request Smuggling vulnerabilities arise due to the discrepancy in parsing of non-compliant HTTP headers by front-end and back-end servers. By supplying a request that gets interpreted as being of different lengths by different servers, an attacker can poison the back-end TCP/TLS socket and prepend arbitrary data to the next request or smuggle additional requests to the back-end server without the front-end server being aware of it. This release includes a check to detect this vulnerability.
The existing Header Manipulation check has been enhanced in this release to include carriage return (‘CR’) and line feed (‘LF’) attacks in addition to the existing CRLF attack.
To support our federal customers in the area of compliance, this release contains a correlation of the WebInspect checks to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.10.
A policy customized to include checks relevant to DISA STIG 4.10 has been added to the existing list of supported policies in WebInspect SecureBase.
Micro Focus Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
DISA STIG 4.10 and 2019 CWE Top 25
To accompany the new correlations, this release also contains a new report bundle for Fortify Software Security Center with support for both DISA STIG 4.10 and the 2019 CWE Top 25, which is available for download from the Fortify Customer Support Portal under Premium Content.
Micro Focus Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Micro Focus Fortify Support Portal.
Contact Fortify Technical Support
Micro Focus Fortify
1 (844) 260-7219
Alexander M. Hoole
Manager, Software Security Research
Micro Focus Fortify
1 (650) 258-5916
Copyright 2019 Micro Focus or one of its affiliates. The information contained herein is subject to change without notice. The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.
 Requires SCA v19.2.0 or later.
 Requires SCA v19.2.0 or later.
 Insecure Deployment: HTTP Request Smuggling check requires WebInspect v19.2.0 or later.
 Header Manipulation enhancement requires WebInspect v19.2.0 or later.