
Micro Focus Fortify Software Security Content 2019 Update 1

Software Security Research Release Announcement

Micro Focus

Fortify Software Security Content

2019 Update 1

March 29, 2019

About Micro Focus Fortify Software Security Research

The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA), Fortify WebInspect, and Fortify Application Defender. Today, Micro Focus Fortify Software Security Content supports 999 vulnerability categories across 25 programming languages and spans more than one million individual APIs.

Learn more at https://software.microfocus.com/en-us/software/security-research

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2019.1.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.


Micro Focus Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 796 unique categories of vulnerabilities across 25 programming languages and span over one million individual APIs. In summary, the release includes the following:

Angular 7[1]

Support for Angular, including support of versions up to and including 7.0.0, identifies sources of input from a browser and models the security validation performed by Angular by default. Angular templates are modeled such that all regular JavaScript sinks are supported for Angular projects, including the ability to find categories such as Cross-Site Scripting: DOM, Privacy Violation, Dynamic Code Evaluation issues, and many more.

AWS Lambda Function Support

New Amazon Web Services (AWS) Lambda Functions support for Java and Python languages. Functionality enables dataflow from Lambda triggering events into the Lambda function logic, including coverage of potential XSS issues when the Lambda is connected to an API Gateway.
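As an added illustration of the dataflow described above (not code from the release or from Fortify), here is a Python Lambda handler behind an API Gateway proxy integration that reflects a query parameter into an HTML response, beside a hardened variant that encodes the output; the event shape and the `name` parameter are assumptions.

```python
import html


def _name_from_event(event):
    # API Gateway proxy integration delivers query parameters here (None when absent).
    params = event.get("queryStringParameters") or {}
    return params.get("name", "world")


def vulnerable_handler(event, context):
    # Taint flows straight from the triggering event into an HTML response body.
    name = _name_from_event(event)
    return {"statusCode": 200,
            "headers": {"Content-Type": "text/html"},
            "body": "<h1>Hello " + name + "</h1>"}


def hardened_handler(event, context):
    # HTML-encode the untrusted value before it reaches the HTML context.
    name = html.escape(_name_from_event(event), quote=True)
    return {"statusCode": 200,
            "headers": {"Content-Type": "text/html; charset=utf-8",
                        "X-Content-Type-Options": "nosniff"},
            "body": "<h1>Hello " + name + "</h1>"}


# Constructed sample event in the API Gateway proxy format; the markup stands in
# for any attacker-controlled HTML arriving through the query string.
SAMPLE_EVENT = {"httpMethod": "GET", "path": "/hello",
                "queryStringParameters": {"name": "<b>visitor</b>"}}

if __name__ == "__main__":
    print(vulnerable_handler(SAMPLE_EVENT, None)["body"])
    print(hardened_handler(SAMPLE_EVENT, None)["body"])
```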

AWS Java SDK v2

New support for the AWS Java SDK v2 for the S3 and DynamoDB services. This includes new categories such as:

  • Access Control: ACL Manipulation
  • Insecure Storage: S3 Full Anonymous Access
  • Insecure Storage: S3 Read ACP Anonymous Access
  • Insecure Storage: S3 Read Anonymous Access
  • Insecure Storage: S3 Write Anonymous Access
  • Insecure Storage: S3 Write ACP Anonymous Access
  • NoSQL Injection: DynamoDB
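To make the five S3 anonymous-access categories listed above concrete, the following added Python example (not part of the release or the Rulepacks) classifies the grants in an S3 ACL, expands the two canned ACLs that admit anonymous callers, and rebuilds the ACL without them. The ACL dictionary follows the shape of an S3 GetBucketAcl response; the sample ACL is constructed.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Map an AllUsers grant's permission to the Rulepack category listed above.
CATEGORY_BY_PERMISSION = {
    "FULL_CONTROL": "Insecure Storage: S3 Full Anonymous Access",
    "READ": "Insecure Storage: S3 Read Anonymous Access",
    "READ_ACP": "Insecure Storage: S3 Read ACP Anonymous Access",
    "WRITE": "Insecure Storage: S3 Write Anonymous Access",
    "WRITE_ACP": "Insecure Storage: S3 Write ACP Anonymous Access",
}

# Canned ACLs expand to explicit grants; these two grant the AllUsers group.
CANNED_ACL_GRANTS = {
    "public-read": ["READ"],
    "public-read-write": ["READ", "WRITE"],
}


def is_anonymous_grant(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS


def anonymous_access_findings(acl, canned_acl=None):
    """Return the sorted categories an explicit ACL and/or canned ACL would trigger."""
    permissions = [g["Permission"] for g in acl.get("Grants", []) if is_anonymous_grant(g)]
    permissions += CANNED_ACL_GRANTS.get(canned_acl, [])
    return sorted({CATEGORY_BY_PERMISSION[p] for p in permissions if p in CATEGORY_BY_PERMISSION})


def strip_anonymous_grants(acl):
    """Remediation: rebuild the ACL without AllUsers grants (the owner keeps control)."""
    return {"Owner": acl.get("Owner"),
            "Grants": [g for g in acl.get("Grants", []) if not is_anonymous_grant(g)]}


# Constructed ACL in the shape of a GetBucketAcl response: owner plus two anonymous grants.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    print(anonymous_access_findings(SAMPLE_ACL))
    print(anonymous_access_findings(strip_anonymous_grants(SAMPLE_ACL)))
```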

Python Django[1]

Updated support for the Python Django Web Framework, including support of versions up to 2.1.7. Changes include improved support of class-based views and their associated dataflows, as well as support for Django functions and methods introduced since Django 1.8.

Apache Wicket[1]

Improved support for Apache Wicket Web Framework, including support of versions 6, 7, and 8 of the framework.

DISA STIG 4.9

To support our federal customers in the area of compliance, correlation of the Micro Focus Fortify Taxonomy to the Defense Information Systems Agency (DISA) Application Security and Development STIG, version 4.9, has been added.


Micro Focus Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability support

Often Misused: File Upload

The jQuery File Upload widget by Blueimp has been found to be vulnerable to remote code execution as identified by CVE-2018-9206. The vulnerability allows an attacker to upload and execute arbitrary PHP files. This release includes a check to detect this vulnerability.

SQL Injection

This release includes enhancements to the SQL Injection check to include support for applications using Microsoft Azure SQL Database.

Sensitive Information Leak: External

This release includes a check to detect if Magento CMS is running in developer mode. Developer mode is intended for use in a development or testing environment. Enabling developer mode in a production environment can reveal important application and system data to potential attackers and pose a security risk.

Cross-Frame Scripting

The Content Security Policy frame-ancestors directive provides policy protection against Cross-Frame Scripting vulnerabilities. It supersedes the X-Frame-Options HTTP header currently in use. This release includes enhancements to the existing Cross-Frame Scripting check to include support for the Content Security Policy frame-ancestors directive.
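An added Python example (not the WebInspect check itself) of the header logic such a check needs: it parses an enforcing Content-Security-Policy header, gives frame-ancestors precedence over X-Frame-Options as browsers do, ignores the Report-Only variant, and treats the obsolete ALLOW-FROM form as offering no protection. The sample responses are constructed.

```python
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source-expressions]}."""
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy


def frame_ancestors_is_restrictive(sources):
    """A frame-ancestors list protects the page unless it admits any origin."""
    if not sources:  # an empty source list matches nothing, same effect as 'none'
        return True
    return not any(s in ("*", "http:", "https:") for s in sources)


def framing_protection(headers):
    """Return (mechanism, verdict) for a response's clickjacking/XFS protection."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
            verdict = "protected" if frame_ancestors_is_restrictive(sources) else "unprotected"
            return ("csp-frame-ancestors", verdict)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("x-frame-options", "protected")
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and ignored by current browsers.
        return ("x-frame-options", "unprotected")
    return ("none", "unprotected")


# Constructed sample responses, one per case the check must distinguish.
SAMPLE_RESPONSES = {
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "xfo-only": {"X-Frame-Options": "sameorigin"},
    "csp-overrides-xfo": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "bare": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, framing_protection(headers))
```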

Content Management System (CMS) Fingerprinting

This release includes enhancements to fingerprint the presence of one of the following CMS platforms on the target server during a WebInspect scan: WordPress, Drupal, Django, Joomla, Liferay, Magento, Sitecore, Sitefinity[2], and Umbraco. An information check is triggered to report the finding.

Compliance report

DISA STIG 4.9

To support our federal customers in the area of compliance, this release contains a correlation of the WebInspect checks to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.9.

Policy Updates

DISA STIG 4.9

A policy customized to include checks relevant to DISA STIG 4.9 has been added to the existing list of supported policies in WebInspect SecureBase.


Micro Focus Fortify Application Defender

Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the Micro Focus Fortify Software Security Research team provides the following feature improvements:

OGNL Expression Injection: Struts 2

Expanded support for OGNL Expression Injection detection in Apache Struts 2, covering the critical Struts vulnerability identified by CVE-2018-11776. Applications using Apache Struts 2 versions 2.3.x up to 2.3.34, or versions 2.5.x up to 2.5.16, allow attackers to execute arbitrary OGNL expressions if the application contains action results configured with no namespace or a wildcard namespace and also has the struts.mapper.alwaysSelectFullNamespace property set to true in the Struts configuration.


Micro Focus Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

DISA STIG 4.9[3]

To accompany the new correlations, this release also contains a new report bundle for Fortify SSC with support for DISA STIG 4.9, which is available for download from the Fortify Customer Support Portal under Premium Content.

Micro Focus Fortify Taxonomy: Software Security Errors

The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, may obtain it from the Micro Focus Fortify Support Portal.


Contact Fortify Technical Support

Micro Focus Fortify

https://softwaresupport.softwaregrp.com/

+1 (844) 260-7219


Contact SSR

Alexander M. Hoole

Manager, Software Security Research

Micro Focus Fortify

hoole@microfocus.com

+1 (650) 258-5916


© Copyright 2019 Micro Focus or one of its affiliates. The information contained herein is subject to change without notice. The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.

[1] Support for Angular 7, Django, and Wicket requires Fortify SCA version 19.1.0 or later for optimal results.

[2] Sitefinity detection requires WebInspect 19.1.0 or later.

[3] Support for the DISA STIG 4.9 report requires Fortify SSC version 18.20 or later.
