Wednesday, 23 November 2011
Q4 2011 Rulepack Update
We have just released the Q4 2011 update to the HP Fortify Secure Coding Rulepacks and the HP Fortify RTA Rulepack Kit.
With this release the HP Fortify Secure Coding Rulepacks now detect 502 unique categories of vulnerabilities across 20 programming languages and over 700,000 individual APIs. I would like to share with you a quick summary of the latest offerings from this release.
HP Fortify Secure Coding Rulepacks
Spring 3.0 – Support for the latest version of the Spring framework, including the following major features:
Spring MVC – Updated support includes enhanced coverage of vulnerabilities specific to the Spring Framework and Spring annotations. The update also allows Fortify to identify taint entering from web service responses obtained through RestTemplate, locate resource injection errors in Spring applications, and detect three new vulnerability categories:
- Often Misused: Spring Remote Service
- Often Misused: Spring Web Service
- Spring MVC Bad Practices: Request Parameters Bound into Persisted Objects
Spring Web Flow – New support for the Spring Web Flow framework includes identifying sources of web taint from the framework and reporting vulnerabilities specific to Spring Web Flow applications.
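To show what the Request Parameters Bound into Persisted Objects category is about, here is an added example; it is not code from the Rulepacks or from this post. The Account entity, the AccountRepository interface and the two controllers are hypothetical (they map the same URL only so the vulnerable and fixed versions can be read side by side), while @ModelAttribute, @InitBinder and WebDataBinder.setAllowedFields are real Spring 3.0 API.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical persisted entity. "role" is set by administrators only;
// the profile form is meant to edit email and displayName.
class Account {
    private Long id;
    private String email;
    private String displayName;
    private String role = "USER";

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
}

// Hypothetical persistence interface.
interface AccountRepository {
    void save(Account account);
}

// VULNERABLE: @ModelAttribute binds every request parameter whose name matches
// a writable property of Account, so a POST body of
//   email=me%40example.org&displayName=Me&role=ADMIN
// sets role to ADMIN before the entity is persisted. Nothing in this
// controller ever mentions "role", which is why the bug is easy to miss.
@Controller
class ProfileController {
    private final AccountRepository accounts;

    ProfileController(AccountRepository accounts) { this.accounts = accounts; }

    @RequestMapping(value = "/profile", method = RequestMethod.POST)
    public String update(@ModelAttribute("account") Account account) {
        accounts.save(account);
        return "redirect:/profile";
    }
}

// FIXED: the @InitBinder for the "account" model attribute whitelists the
// fields the form may set. "role" and "id" in the request are silently
// ignored by the binder instead of reaching the persisted object.
@Controller
class SafeProfileController {
    private final AccountRepository accounts;

    SafeProfileController(AccountRepository accounts) { this.accounts = accounts; }

    @InitBinder("account")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("email", "displayName");
    }

    @RequestMapping(value = "/profile", method = RequestMethod.POST)
    public String update(@ModelAttribute("account") Account account) {
        accounts.save(account);
        return "redirect:/profile";
    }
}
```

setAllowedFields is preferable to setDisallowedFields because it is deny-by-default: a privileged property added to the entity later is still not bindable. The other common fix is to bind the request to a separate form object that only has the editable fields and copy those into the loaded entity; that keeps the persisted class out of the binder entirely.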
Google Android – Updated support now provides improved detection of underprivileged Android applications: those that call privileged APIs, or send and receive Intents, without the required permission declared in the manifest. In addition, Fortify now detects overprivileged Android applications that request permissions they never use. This update introduces three new categories related to privilege management:
- Privilege Management: Missing API Permission
- Privilege Management: Missing Intent Permission
- Privilege Management: Unnecessary Permission
File Disclosure – Misconfiguration and poor input validation in modern web frameworks can accidentally disclose sensitive files, including configuration files and application source. Fortify now identifies File Disclosure vulnerabilities in applications that rely on the core Java EE APIs, Apache Struts, Spring and Spring Web Flow.
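An added example of the Java EE flavour of File Disclosure, which is not code from the Rulepacks or from this post. The servlet names, the page keys and the view paths under /WEB-INF/views/ are made up; RequestDispatcher.forward and the rest of the Servlet API are real.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// VULNERABLE: the forward target is taken verbatim from the query string.
// RequestDispatcher.forward is a server-side forward, so the container rule
// that clients may not fetch /WEB-INF/* directly does not apply to it. A
// request for /page?page=/WEB-INF/web.xml therefore returns the deployment
// descriptor as the response body, and any other file under the web root
// (JSP source, property files with credentials) is reachable the same way.
public class PageServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");
        req.getRequestDispatcher(page).forward(req, resp);
    }
}

// FIXED: the request selects a key, not a path. Only paths this servlet
// itself lists can ever reach the dispatcher; any other value is a 404.
class SafePageServlet extends HttpServlet {
    private static final Map<String, String> PAGES = new HashMap<String, String>();
    static {
        PAGES.put("home", "/WEB-INF/views/home.jsp");
        PAGES.put("help", "/WEB-INF/views/help.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = PAGES.get(req.getParameter("page"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

The same class of bug appears in Spring MVC when a controller returns a user-controlled view name: InternalResourceViewResolver only prepends its prefix, so a view name containing "../" walks back out of the views directory before the forward happens. Blacklisting "WEB-INF" or ".." in the parameter is not a fix; mapping keys to fixed paths is.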
HP Fortify RTA Rulepack Kit – This quarter’s update adds three new categories for Fortify RTA:
Insecure Randomness – Added the ability to detect uses of insecure random number generators and replace them at runtime with cryptographically strong alternatives.
JavaScript Hijacking – We now detect JavaScript Hijacking and provide protection against Ajax/JSON/JSONP Hijacking in applications that rely on JavaScript notation for data transport.
Cookie Security: HTTPOnly not Set on Session Cookie – Added support for detecting and remediating session cookies created without the HttpOnly flag.
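Two of the three new RTA categories, Insecure Randomness and the missing HttpOnly flag, in one added example that is not code from the RTA Rulepack Kit or from this post. The TokenIssuer class and the SESSIONTOKEN cookie name are made up; java.util.Random, java.security.SecureRandom and the Servlet Cookie API are the real classes involved.

```java
import java.security.SecureRandom;
import java.util.Random;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

final class TokenIssuer {

    // VULNERABLE: java.util.Random is a 48-bit linear congruential generator.
    // Its seed is the current time by default, and even with a secret seed an
    // attacker who sees two consecutive outputs can recover the internal state
    // and predict every token issued afterwards. Not suitable for session IDs,
    // password-reset links or CSRF tokens.
    static String weakToken() {
        Random r = new Random();
        return Long.toHexString(r.nextLong());
    }

    // FIXED: SecureRandom is seeded from the platform CSPRNG. One shared
    // instance is fine; it is thread-safe. 16 bytes gives a 128-bit token.
    private static final SecureRandom RNG = new SecureRandom();

    static String strongToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // VULNERABLE: no HttpOnly flag, so document.cookie exposes the token to
    // any script that gets injected into the page (XSS turns directly into
    // session theft).
    static void setSessionCookieWeak(HttpServletResponse resp, String token) {
        Cookie c = new Cookie("SESSIONTOKEN", token);
        c.setPath("/");
        resp.addCookie(c);
    }

    // FIXED (Servlet 3.0 and later): Cookie.setHttpOnly keeps the cookie out of
    // document.cookie; setSecure keeps it off plain-HTTP connections.
    static void setSessionCookieStrong(HttpServletResponse resp, String token) {
        Cookie c = new Cookie("SESSIONTOKEN", token);
        c.setPath("/");
        c.setHttpOnly(true);
        c.setSecure(true);
        resp.addCookie(c);
    }

    // FIXED for Servlet 2.5 containers, whose Cookie class has no setHttpOnly:
    // emit the Set-Cookie header by hand. Browsers honour the attribute even
    // though that API version does not know about it.
    static void setSessionCookieStrongLegacy(HttpServletResponse resp, String token) {
        resp.addHeader("Set-Cookie",
                "SESSIONTOKEN=" + token + "; Path=/; Secure; HttpOnly");
    }
}
```

Note that the HttpOnly flag protects the cookie value only; a script running in the page can still make authenticated requests with it, so it limits the damage of an XSS rather than removing it. The flag also belongs on the container's own JSESSIONID cookie, which is normally configured in the container rather than in application code.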