Friday, 10 September 2010

Q3 Rulepack Update


The Security Research Group (SRG) released its Q3 update to the Fortify Secure Coding Rulepacks and the Fortify RTA Rulepack Kits last week, and I wanted to take the chance to update you on the latest from SRG.

As of this release, the Fortify Secure Coding Rulepacks detect 459 unique categories of vulnerabilities across 18 programming languages and over 680,000 individual APIs. Please see the attached PDF document for the full release details, but in summary, our latest updates include the following exciting features:

Fortify Secure Coding Rulepacks
Google Android – Rules for programs that run on the Google Android platform, which identify insecure data storage and categorize applications by the security permissions they request.
HTML 5 – Support for this revision of the HTML specification targets features aimed at rich web applications, including vulnerabilities related to offline applications, inter- and intra-session data storage (local and session storage), and client-side SQL statements.
Microsoft .NET 4.0 – Expanded coverage for the latest version of the .NET Framework includes data visualization tools, updated encoding methods, and routing mechanisms, as well as strengthened core support for tuples, memory-mapped files, file system enumeration, and string manipulation methods.
Amazon Cloud – Targeted support for the Amazon Web Services (AWS) Java API, including S3, SimpleDB, and EC2.
Facelets – Coverage of common vulnerabilities exposed in Facelets, an open source XHTML template framework designed as an alternative to JSP in applications that use JavaServer Faces (JSF).
JAX-WS 2.0 – Support for web applications that leverage annotations from the Java API for XML Web Services.
DISA STIG Version 3 – Vulnerabilities reported by the Fortify Secure Coding Rulepacks now include references to the corresponding requirements in the latest version of the DISA STIG (Version 3 Release 1).

Fortify RTA Rulepack Kits for Java and .NET
Tuning Capabilities – This update includes enhanced rules for SQL Injection and Cross-Site Scripting that let users tune the rules to their application easily and accurately, reducing false positives and producing higher-fidelity results.

Premium Content
Cloud Security Process Template – As a complement to the project template released last quarter, this update includes a process template that highlights ways to reduce risk during the SDLC when migrating a program from an internal data center to a cloud provider.
Compliance and Standards Report – Expanding on the reporting capabilities of Fortify 360 Server, this release includes an updated compliance report for DISA STIG Version 3 Release 1.

Posted by jwest at 2:02 PM in Research
