Software Security Research Release Announcement

Community Manager Community Manager
Community Manager
0 0 862

Micro Focus Security Research | 29 September 2017


Software Security Research Release Announcement

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2017.3.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.

The Micro Focus Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio. Highlights in this Release Announcement include:

Micro Focus Security Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 763 unique categories of vulnerabilities across 25 programming languages and span over 911,000 individual APIs. In summary, the release includes the following:

Updated Spring Support

Java security content support for Spring framework up to version 5.0.0 has been added. Support includes the latest additions in Spring 4.1.x, 4.2.x, 4.3.x and 5.x such as Hibernate4 and Hibernate5 integration, new Spring MVC features, and new Spring WebFlux module.

Spring Boot support

New support has been added for the Spring Boot module, including new categories related to configuration bad practices that can expose sensitive information:

  • Spring Boot Misconfiguration: Actuator Endpoint Security Disabled
  • Spring Boot Misconfiguration: Admin MBean Enabled
  • Spring Boot Misconfiguration: DevTools Enabled
  • Spring Boot Misconfiguration: Shutdown Actuator Endpoint Enabled
  • System Information Leak: Spring Boot Actuators Enabled

Scala support

Scala support has been co-developed with Scala creators and maintainers: Lightbend. Translation of Scala using Fortify SCA requires a Lightbend subscription. Initial support includes coverage of the Scala standard library (26 packages) in addition to the existing support for Java libraries. A total of 203 vulnerability categories are supported for Scala applications, including the consumption of Java libraries.

 (Scala support requires Fortify SCA version 17.20.)

JavaScript improvements

JavaScript rulepacks have been updated to include support for ECMAScript 2015 APIs.

 (Javascript improvements require Fortify SCA version 17.20.)

.NET Framework 4.7 support

This release includes improvements to .NET to include .NET Framework version 4.7, with added support for new sources and API coverage to help taint flow through applications.

(.NET Framework 4.7 support requires Fortify SCA version 17.20.)

PHP 7.1 improvements

This release includes updates supporting new functionality introduced in PHP 5.5.x through 7.1.x as well as improvements to coverage across numerous vulnerability categories. 

(PHP 7.1 improvements require Fortify SCA version 17.20.)

MISRA C and C++ support

In order to support our automotive and embedded systems customers in the area of compliance, correlation of the Micro Focus Fortify Taxonomy to the Motor Industry Software Reliability Association (MISRA) C 2012 and MISRA C++ 2008 has been added.

Micro Focus Security Fortify SecureBase [Fortify WebInspect]

Micro Focus SecureBase combines checks for thousands of vulnerabilities with policies that guide users in the following updates available immediately via SmartUpdate:

Vulnerability support

Code Injection enhancements

This release contains enhancements to Code Injection checks to evaluate Code injection vulnerabilities in JSON and XML formatted HTTP(S) requests.

Cross-Site Scripting enhancements

This release includes enhancements to cross-site scripting check to evaluate web applications for base tag and link tag with pre-fetch injections. 

Struts 2 REST Plugin Remote Code Execution (CVE 2017-9805)

A new check to detect CVE 2017-9805 was released earlier this month to enable identification of critical vulnerability in Struts2 applications promptly. The vulnerability exploited unsafe XStream deserialization weakness in Struts2 REST plugin and can be leveraged for remote code execution.

Unsafe .NET Deserialization enhancements

This release contains an enhancement to the Unsafe Deserialization (.NET) check to detect user-controlled LosFormatter data streams that can lead to dynamic code execution attacks in .NET applications.  

Insufficient Transport Layer Protection enhancements

This release includes an enhancement to extend detection of SSL/TLS weaknesses such as Weak SSL protocol, Weak Ciphersuite and Heartbleed in sites using network authentication.

Compliance report

ISO 27001 2013 Compliance Template

This release includes a compliance report template that provides correlation between ISO 27001:2013 (Information technology — Security techniques — Information security management systems) controls and WebInspect checks.

NIST Special Publication 800-53 Rev 4 enhancements

This release includes a compliance report template with improved correlation between NIST Special Publication 800-53 Rev 4 controls, WebInspect checks and Fortify Taxonomy: Software Security Errors.

Policy Updates

Checks deemed end of life based on the current technological landscape have been moved to the Deprecated Checks policy. Further, WebInspect policies that were not commonly used such as Dev and Platform policies have been deprecated and will not receive further updates.

Deprecated: Missing Public Key Pinning

Based on current research available, the HTTP Public Key Pinning header is no longer considered an adequate solution ensuring for Public Key integrity. Hence, checks related to this header have been deprecated

Micro Focus Security Fortify Application Defender

Micro Focus Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the Micro Focus Security Fortify Software Security Research team provides the following feature improvements:

Revised Runtime Taint rulepack for IAST

Runtime taint rulepack finds security vulnerabilities by performing dynamic taint analysis. It is usually triggered by automated test system and is very suitable for DevOps environments which requires to find critical vulnerabilities in a short period of time.

Micro Focus Security Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

MISRA reports

  • New SSC report bundle providing support for MISRA C 2012 and MISRA C++ 2008.

Micro Focus Security Fortify Taxonomy: Software Security Errors

  • The Micro Focus Security Fortify Taxonomy site, containing descriptions for newly added category support, is available at and
  • Customers looking for the legacy site, with the last supported update, may obtain it from the Micro Focus Security Fortify Support Portal.

We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don’t hesitate to contact us.

Contact Software Security Research
Alexander M. Hoole
Manager, Software Security Research
Micro Focus Security Fortify
+1 (650) 258-5916

Contact Fortify Technical Support
Software Support
+1 (844) 260-7219

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.