Micro Focus Fortify Software Security Content 2019 Update 4

Micro Focus Expert
Micro Focus Expert
0 0 1,500

Fortify Software Security Research Release Announcement

Micro Focus Security Research

hoole@microfocus.com | 13 December 2019


Micro Focus Fortify

Software Security Content

2019 Update 4


Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2019.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.

The Micro Focus Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio. Highlights in this Release Announcement include:


Micro Focus Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 807 unique categories of vulnerabilities across 26 programming languages and span over one million individual APIs. In summary, this release includes the following:

  • Go - Initial Support: Covers 10 core standard library namespaces and 34 categories[i]
  • Spring Security
  • Spring Boot
  • Java 12[ii]
  • JSTL XML Library
  • OpenXML SDK .NET Improvements
  • React-Router Support
  • 2019 CWE Top 25
  • DISA STIG 4.10


In this release, we have continued to expend resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:

  • Unsafe deserialization consistency: Previously, some rules would only flag when information came from a browser. This has been remediated to flag in other possible scenarios.
  • Description references verified: Some of referenced materials were out of date or pointed to invalid links. These instances have now been fixed and appropriate references are in their place.


Micro Focus Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users in the following updates available immediately via SmartUpdate:

Vulnerability support

  • SSO Bad Practices: Authentication Token Replay
  • Cache Management: Headers
  • HTML5: CORS Functionality Abuse
  • Insecure Deployment: HTTP Request Smuggling[iii]
  • Header Manipulation[iv]


Compliance report

  • DISA STIG 4.10


Policy Updates

  • DISA STIG 4.10


Micro Focus Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

  • DISA STIG 4.10 and 2019 CWE Top 25
    • To accompany the new correlations, this release also contains a new report bundle for Fortify Software Security Center with support for both DISA STIG 4.10 and the 2019 CWE Top 25, which is available for download from the Fortify Customer Support Portal under Premium Content.
  • Micro Focus Fortify Taxonomy: Software Security Errors
    • The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Micro Focus Fortify Support Portal.


Details and specific feature requirements are available on the Fortify Product Announcement board. We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact us. If you haven’t already, subscribe to this Fortify Product Announcement board today to stay up to date on what's new with our products!


Contact Software Security Research

Alexander M. Hoole

Manager, Software Security Research

Micro Focus Fortify


+1 (650) 258-5916




Contact Fortify Technical Support

Micro Focus Fortify


+1 (844) 260-7219




[i] Requires SCA v19.2.0 or later

[ii] Requires SCA v19.2.0 or later

[iii] Requires WebInspect v19.2.0 or later

[iv] Requires WebInspect v19.2.0 or later

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.