Security Research Blog
Get innovative research, observations and updates from the Micro Focus Security Research experts to help you proactively identify threats and manage risk.

Micro Focus Contributor

Starting May 25, 2018, the EU General Data Protection Regulation (GDPR) will harmonize data privacy laws across all EU states by providing a framework for organizations to handle the personal data of all EU citizens.  

As organizations rush to deploy encryption technologies to secure data, we at Micro Focus Fortify Software Security Research would like to caution our customers against overlooking the importance of application security to help achieve GDPR compliance.

A crucial clause of the GDPR framework requires businesses to protect their systems and applications from “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data” (GDPR Article 32) by taking into consideration, “appropriate technical and organizational measures” (GDPR Article 25). These technical measures must include a formal process of application security and vulnerability assessment, if a comprehensive data security solution is to be achieved.

The presence of software vulnerabilities will undermine any protection mechanisms and processes deployed to ensure data security. Application vulnerabilities such as defects in the implementation of encryption technology, errors in key management, injection vulnerabilities, as well as configuration and maintenance errors in systems and networks that store or process personal data, can all result in the compromise of personal data.

In an effort to help our customers who are working to investigate and comply with the GDPR requirements, we have correlated the Micro Focus Fortify Taxonomy to GDPR compliance as it relates to application security.  The vulnerabilities have been divided into four logical groupings to help identify weaknesses that can impact GDPR compliance.

The four logical groupings are:

Privacy Violation vulnerabilities include errors that result when an application simply fails to encrypt or pseudonymize personal data before transmitting, storing or writing to an external device.

Insufficient Data Protection vulnerabilities are a result of implementation flaws in the use of encryption technology to protect the confidentiality and privacy of personal data. Examples include use of a weak encryption algorithm, errors in configuring encryption parameters or the use of faulty key management practices. Any of these will undermine the benefits of encryption and compromise data security.

Access Control vulnerabilities include flaws in the implementation and configuration of authentication, authorization and access policies for an application, which allow unauthorized access to restricted resources, leaving personal data vulnerable to misuse.

Indirect Access to Sensitive Data includes a large set of software vulnerabilities that are often overlooked but are critical in maintaining system and data integrity. These vulnerabilities, if successfully exploited, may give the attacker control of system resources and access to sensitive data. For example, injection vulnerabilities may allow attackers to run malicious script on servers, which would result in exposing sensitive system data and resources.

This set also includes software vulnerabilities in external third-party and open source software components that interface with your application. The presence of any vulnerabilities in these components can compromise your application. It is therefore crucial that vulnerabilities such as unpatched software and web server misconfiguration be addressed with the same urgency as vulnerabilities in your application code.

The above correlation shows that it is imperative for organizations to ensure that all the systems, services and applications that handle sensitive data are themselves secure to achieve GDPR compliance. 

All Micro Focus Fortify customers can access the benefits of this compliance template by downloading the recently announced 2018 R1 release.

Micro Focus Expert

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2017.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.

The Micro Focus Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio.

Community Manager COEST

Micro Focus Security Fortify Software Security Content 2017 Update 3

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2017.3.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.

Pavan_Rapaka

This blog delves into vulnerabilities found in the SAP Authorization concept, specifically in those applications developed in Advanced Business Application Programming (ABAP), SAP’s proprietary programming language.

alvaro_munoz

Java deserialization issues have been known for a long time, and we have been analyzing them and making mitigation recommendations for years. On Friday at RSA 2016, we presented new research during our talk on “SerialKiller: Silently pwning your Java endpoints.” We offer the technical paper here to provide further information and recommendations for improving the situation.
