Micro Focus Fortify Software Security Content 2020 Update 1


Original Question: Micro Focus Fortify Software Security Content 2020 Update 1 by Harley_Adams

Micro Focus

Fortify Software Security Content

2020 Update 1

March 27, 2020

 

About Micro Focus Fortify Software Security Research

The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA), Fortify WebInspect, and Fortify Application Defender. Today, Micro Focus Fortify Software Security Content supports 1,019 vulnerability categories across 26 programming languages and spans more than one million individual APIs.

Learn more at: https://software.microfocus.com/en-us/software/security-research

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2020.1.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.

 

Micro Focus Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 810 unique categories of vulnerabilities across 26 programming languages and span over one million individual APIs. In summary, this release includes the following:

GoLang Standard Library Support[1]

Expanded support for the Go standard library. Go is a statically typed open-source language designed by Google™ which aims to make it easy to build simple, reliable, and efficient software. Go is syntactically similar to C, but with memory safety mechanisms, garbage collection, and structural typing. This update covers the standard library namespaces and support for 53 weakness types, including the following 19 additional categories:

  • Denial of Service: Regular Expression
  • Formula Injection
  • Insecure Randomness
  • JSON Injection
  • Key Management: Empty HMAC Key
  • Key Management: Hardcoded HMAC Key
  • Log Forging
  • Log Forging (debug)
  • Resource Injection
  • Weak Cryptographic Hash
  • Weak Cryptographic Hash: Hardcoded Salt
  • Weak Cryptographic Hash: User-Controlled Salt
  • Weak Cryptographic Signature: Insufficient Key Size
  • Weak Cryptographic Signature: User-Controlled Key Size
  • Weak Encryption: Inadequate RSA Padding
  • Weak Encryption: Insecure Initialization Vector
  • Weak Encryption: Stream Cipher
  • Weak Encryption: User-Controlled Key Size
  • XML Injection


Miscellaneous Errata

In this release, we have continued to invest resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:

  • In JavaScript, instances of "Cross-Site Scripting: DOM" that were more precisely identified as self-XSS have been changed to the new sub-category "Cross-Site Scripting: Self", and are now flagged with lower priority.
  • In Java, due to improvements in the modeling engine, the number of Dead Code false positives inadvertently increased, particularly around if-conditions. The rules have been improved so that a significant number of invalid issues are removed.
  • Rare performance issues related to JSP and Spring MVC applications are resolved.
  • Updates to External Metadata for improved Common Weakness Enumeration (CWE™) correlation with the Micro Focus Fortify: Software Security Errors taxonomy (also known as the 7 Pernicious Kingdoms). Improvements include the alignment of 41 additional CWE-IDs across the 935 categories in the Software Security Errors Taxonomy, resulting in updates to both the CWE and CWE Top 25 2019 mappings. Necessarily, any related reporting capabilities or ‘Group By’ filtering by CWE will be impacted. Additional CWE IDs include the following:

CWE-88, CWE-97, CWE-119, CWE-147, CWE-192, CWE-203, CWE-212, CWE-266, CWE-267, CWE-276, CWE-279, CWE-280, CWE-346, CWE-347, CWE-436, CWE-506, CWE-527, CWE-529, CWE-530, CWE-531, CWE-536, CWE-540, CWE-541, CWE-548, CWE-550, CWE-705, CWE-775, CWE-799, CWE-917, CWE-921, CWE-923, CWE-925, CWE-926, CWE-937, CWE-942, CWE-1004, CWE-1021, CWE-1069, CWE-1173, CWE-1188, CWE-1236

Micro Focus Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability support

Dangerous File Inclusion: Local

A severe vulnerability affecting Tomcat leverages AJP protocol functionality to obtain access to server-side files and allows an attacker to read or include any file in the Apache Tomcat webapp directories. This vulnerability is known as GhostCat and is identified by CVE-2020-1938. In addition, an arbitrary code execution attack might be possible. This issue affects Apache Tomcat 9.x (prior to 9.0.31), 8.x (prior to 8.5.51), 7.x (prior to 7.0.100), and all earlier versions. This SecureBase update includes a check to detect this vulnerability.
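As an added example (not Fortify's check and not part of the original announcement), a small Python checker that reads a Tomcat server.xml and reports an AJP connector exposed in the way GhostCat relies on: reachable beyond loopback, or running without a shared secret. The attribute names `address`, `secretRequired` and `secret` are the AJP connector attributes Tomcat documents for the fixed releases; both sample configurations are constructed.

```python
"""Tomcat AJP exposure checker for CVE-2020-1938 (GhostCat).
Added example, not Fortify or Tomcat code: parses a server.xml document and
reports AJP connectors reachable beyond loopback or lacking a shared secret.
Attribute names follow the Tomcat AJP connector docs for the fixed releases."""
import xml.etree.ElementTree as ET
from typing import List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def ajp_findings(server_xml: str) -> List[str]:
    """Return one finding per weak AJP connector setting (empty list = clean)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP/HTTPS connectors are out of scope here
        port = conn.get("port", "?")
        # Unpatched releases listened on all interfaces when 'address' was
        # unset, so a missing value is treated as exposed.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"port {port}: AJP bound to {address}, not loopback")
        # Fixed releases default secretRequired="true" and refuse to start
        # without a secret; unpatched releases simply run without one.
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append(f"port {port}: secretRequired is disabled")
        if not conn.get("secret"):
            findings.append(f"port {port}: no AJP shared secret configured")
    return findings

# Constructed sample: the pre-fix default AJP connector (exposed).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: loopback-only with a placeholder secret (hardened).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="::1"
               secretRequired="true" secret="PLACEHOLDER-CHANGE-ME"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, ajp_findings(xml) or ["no AJP exposure found"])
```

Disabling the AJP connector entirely when nothing in front of Tomcat uses it removes the exposure altogether; the checker reports nothing for a server.xml with no AJP connector.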

Common Weakness Enumeration (CWE™) mappings:

The Common Weakness Enumeration (CWE™) is a taxonomy of software errors that can lead to vulnerabilities in software. The taxonomy provides a way to consolidate output of various methodologies in software risk and vulnerability assessment during various stages of the SDLC. In this release SecureBase includes updated mappings of checks to recent updates in CWE. CWE is a hierarchical taxonomy. Checks are mapped to the closest leaf node that matches the intent of the check.


Compliance report

Common Weakness Enumeration (CWE™) Top 25:

The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a list created by MITRE. The list presents the 25 most common software weakness categories that can lead to vulnerabilities in software. This SecureBase update includes mappings to these CWE categories. We have included those checks that map either directly to a category identified by the CWE Top 25, or to a CWE-ID related to a CWE-ID in the Top 25 via a “ChildOf” relationship.

 

Policy Updates

Common Weakness Enumeration (CWE™) Top 25

The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a list created by MITRE. The list presents the 25 most common software weakness categories that can lead to vulnerabilities in software. This release includes a policy containing the list of checks to assess vulnerabilities mapped in the CWE Top 25.

 

Miscellaneous Errata:

In this release, we have continued to invest resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:

  • A bug fix in the HTTP Request Smuggling check (check ID 11621) reduces false positives: the check no longer treats an HTTP 405 response as valid verification of the vulnerability.
  • Insecure Transport: Weak SSL Cipher report content now includes an example of excluding CBC-mode ciphers by adding !SHA256 and !SHA384 to the cipher configuration string. However, we advise that you consult your server administrator to create a configuration with an explicitly whitelisted selection of strong cipher suites.
  • An additional fix to Insecure Transport: Weak SSL Cipher detection improves configuration detection in cases where the check could not identify the correct ciphers when the server supported only TLS 1.2 and strong ciphers.

 

Micro Focus Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

OWASP Application Security Verification Standard (ASVS):

The Application Security Verification Standard (ASVS) is a list of application security requirements and tests to perform during the software development lifecycle (SDLC), and of configuration, in order to build secure software. We have created mappings of SecureBase checks and SCA rules to the applicable requirements of the standard. However, during the process of creating correlations to our products we discovered instances where the CWE mappings provided by the standard can be improved to more accurately align with SecureBase checks and SCA rules. As we work on those improvements, we can make these artifacts available to interested customers for evaluation and collaboration. Please reach out to the SSR contact below to get the compliance template and policy for WebInspect, or an SSC seed bundle, if interested.

Micro Focus Fortify Taxonomy: Software Security Errors

The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Micro Focus Fortify Support Portal.

 

Contact Fortify Technical Support

Micro Focus Fortify

https://softwaresupport.softwaregrp.com/

1 (844) 260-7219

 

Contact SSR

Alexander M. Hoole

Manager, Software Security Research

Micro Focus Fortify

hoole@microfocus.com

1 (650) 258-5916

 

© Copyright 2020 Micro Focus or one of its affiliates. The information contained herein is subject to change without notice. The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.

 

[1] SCA v20.1.0 or later recommended for optimal scan results.

SSR_Update Content Subscription Announcement Mar 2020.pdf