HPSR Software Security Content 2014 Update 4

2014-12-20 01:20

HP Software Security Research is pleased to announce the immediate availability of updates to HP Application Defender, HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2014.4.0), HP ArcSight Application View, and HP Fortify Premium Content.
The Software Security Research team translates cutting-edge research into security intelligence that powers the HP Enterprise Security Products portfolio. Today, HPSR Software Security Content supports over 890 vulnerability categories across 22 programming languages and spans more than 815,000 individual APIs.
HP Application Defender

Managed from the cloud, HP Application Defender is a software-as-a-service (SaaS) solution that protects production applications against software security vulnerabilities. Features include:

  • Apache Struts ClassLoader manipulation protection (CVE-2014-0112 and CVE-2014-0114)
  • Google Web Toolkit (GWT) x-gwt-rpc protocol support
  • Improved protection for file upload features
  • Protection from the latest XML attacks

HP WebInspect SecureBase (WebInspect)

SecureBase combines checks for thousands of vulnerabilities with policies that guide users in identifying critical weaknesses in web applications under test. Features include:
Advisory Support

Enriched Transport Layer Security support

  • SSL certificates signed using MD5 hash
  • Detecting unknown Certificate Authorities
  • Weak SSLv3 protocol detection

Secure application configuration support

  • Insufficient session expiration
  • Misconfigured application cache manifest

Privacy violations

  • Mobile MAC address disclosure

Compliance Templates

  • DISA STIG 3.9

HP Fortify Secure Coding Rulepacks (SCA)

As of this release, the Fortify Secure Coding Rulepacks detect 624 unique categories of vulnerabilities across 22 programming languages and over 815,000 individual APIs. Features include:

Mass assignment

Newly supported categories:

  • Mass Assignment: Insecure Binder Configuration
  • Mass Assignment: Sensitive Field Exposure

Supported frameworks:

  • Java: Spring MVC, Struts 1, Struts 2, Restlet, JAX-RS, Spring REST
  • Microsoft .NET: ASP.NET MVC, ASP.NET WebForms, ASP.NET WebAPI

MyBatis 3 support

  • Java support for testing SQL Injection for both configuration files and annotations
  • SQL Injection: MyBatis Mapper

Coverage for 16 categories, most notably:

  • SQL Injection
  • Privacy Violation
  • System Information Leak
  • XPath Injection

JSON libraries

  • Java: Jackson, Gson, org.json, javax.json
  • Microsoft .NET: JSON.NET, Native DataContractJsonSerializer class, FastJSON
  • PHP: Native JSON methods
  • Python: Json module
  • Objective-C: Native NSJSONSerialization class

OWASP Java HTML sanitizer

  • XSS detection support through Insecure Sanitizer Policy category

Enhanced SAP ABAP support

  • GUI Frontend Services Utility and related APIs

Coverage for several categories, including:

  • Access Control: Database
  • Command Injection
  • Obsolete
  • Path Manipulation
  • Resource Injection
HP ArcSight Application View

HP ArcSight Application View automatically monitors applications to provide unparalleled insight into application behavior, enabling comprehensive visibility into threats that would otherwise go unnoticed. This release contains the following new features and enhancements:

  • Deeper insight into database activity

HP Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

  • DISA STIG 3.9 report

For more details about the exciting features for this release, please reference the attached release letter.
