About OpenText Fortify Software Security Research
The Fortify Software Security Research team powers the Fortify portfolio by translating cutting-edge research into security intelligence – including the OpenText family of Fortify Static Analyzers (SCAs) and WebInspect. Today, Fortify software security content supports 1,657 vulnerability categories in 33+ languages and covers more than 1 million individual APIs.
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of Fortify Secure Coding RulePacks (English, version 2023.)4.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
Fortify Secure Coding Rules Package [FortifySCA].
In this release, the Fortify Secure Coding Rulepack detects 1,432 unique categories of vulnerabilities in 33+ languages and covers more than 1 million individual APIs.
In summary, this release includes the following:
Improved support for python (supported versions: 3.)12)
Python is a general-purpose, powerful programming language with dynamic typing and efficient high-level data structures. It supports a variety of programming paradigms, including structured, object-oriented, and functional programming. This release expands our coverage to the latest version of Python, expanding our support for changes to the Python Standard Library API. Updated existing rule coverage for the following modules:
ospathlib
tomllib
Improved support for Django (supported versions: 4.)2)
Django is a web framework written in Python to facilitate secure and fast web development. The speed and security of development is achieved through a high degree of abstraction in the framework, where construction and generation are used to drastically reduce boilerplate. In this release, we've updated our existing Django coverage to support the following versions. 1 and 42。
Improved coverage includes the following namespaces: asyncio, djangocore.cache.backends.base.basecache、django.db.models.model and djangomiddleware.security.securitymiddleware。In addition, we've improved the coverage of the Weaknesses category, which includes the following:
header manipulation
insecure cross-origin opener policy
resource injection
setting manipulation
pycryptodome and pycrypto (supported versions: 3.)19.0)
PyCryptoDome is a standalone Python package that provides a comprehensive collection of cryptographic algorithms and protocols. It is an extended and more actively maintained version of the pycrypto library. PyCryptoDOME is designed to provide a wide range of cryptographic capabilities, making it a versatile choice for developers who need secure communication, data protection, and cryptographic operations in their Python applications.
The initial coverage of the vulnerability category includes the following:
key management: empty encryption key
key management: empty pbe password
key management: hardcoded encryption key
key management: hardcoded hmac key
key management: hardcoded pbe password
key management: unencrypted private key
password management: hardcoded password
password management: lack of key derivation function
password management: password in comment
weak cryptographic hash
weak cryptographic hash: hardcoded pbe salt
weak cryptographic hash: insecure pbe iteration count
weak cryptographic hash: predictable salt
weak cryptographic signature: insufficient key size
weak encryption
weak encryption: insecure initialization vector
weak encryption: insecure mode of operation
weak encryption: insufficient key size
weak encryption: stream cipher
weak encryption: user-controlled key size
Detect risks originating from machine Xi (ML) and artificial intelligence (AI) models
As the use of generative AI and large language models (LLMs) rapidly changes the solution space in the software industry, new risks arise. Initial Fortify support covers Python projects that use the OpenAI API, Amazon Web Services (AWS) SageMaker, or Langchain. Support detects weaknesses caused by implicit trust in responses from the AI ML Model API, as well as the following unique features:
Initial support for the Python OpenAI API (Supported versions: 1.)3.8)
The OpenAI Python library enables developers to conveniently access the OpenAI REST API to interact with OpenAI models such as GPT-4 and DALL-E. The OpenAI API enables applications to send prompts to OpenAI models and receive generated responses, as well as fine-tune existing models. The OpenAI Python module supports the ability to send and receive asynchronous and synchronous requests powered by HTTPX. Support includes identifying the potentially hazardous output of the model as well as the following new categories:
Cross-site scripting: AI
Initial support for Python AWS SageMaker (BOTO3) (Supported versions: 1.)33.9)
AWS SageMaker is a product of Amazon AWS Large Services. AWS SageMaker provides a wide range of tools to support a wide range of ML projects, from training custom models to setting up full MLoPs-backed development pipelines. Amazon's Python SDK (BOTO3) allows communication with a variety of AWS products, including AWS SageMaker. Support includes identifying the potentially hazardous output of the model as well as the following new categories:
Cross-site scripting: AI
Initial support for Python Langchain (Supported versions: 0..)0.338
LangChain is a popular open-source orchestration framework for developing applications using large language models (LLMs). LangChain provides tools and APIs that make it easier to create LLM-powered applications such as chatbots and virtuals**. They are available as Python and J**Ascript-based libraries. Support includes identifying the model's potentially hazardous outputs, detecting path actions, and the following new categories:
Cross-site scripting: AI
.NET 8 support (Supported versions: 8.)0.0).net 8 support (version supported:8.0.0)
As .Successor to .NET 7,.NET 8 is a cross-platform, free, and open-source development framework that enables programmers to write applications in different languages, such as C and VB, using a standardized set of APIs. This release expands our coverage to the latest version of.NET to improve detection of weaknesses in new and existing APIs.
The extended coverage covers the following namespaces:
collections.frozen
net.http.json
system
security
texttext.unicode
net.http
j**a Simplified Encryption (Jasypt) (Supported versions: 1.)9.3)
J**A Simplified Encryption (Jasypt) is a small J**A library for performing password-based encryption and creating password digests for storage. It integrates with popular J**A frameworks like Spring, Wicket, and Hibernate.
insecure randomness
key management: null pbe password
privacy violation: heap inspection
setting manipulation
weak cryptographic hash: empty pbe salt
weak cryptographic hash: user-controlled pbe salt
weak encryption
ecmascript 2023
eMascript 2023, also known as es2023 or es14, is the latest version of the ecmascript standard for the j**ascript language. Key features of ES2023 include new array functions that allow them to be changed by copying and searching from the end. Support for ES2023 extends the coverage of all relevant j**ascript vulnerability categories to the latest version of the eMascript standard.
Prototype contamination
Prototype contamination is a vulnerability in the j**ascript application that enables a malicious user to bypass or affect business logic and potentially run their own.
This rulepack update detects if an attacker can contaminate an object's prototype in the following npm packages:
assign-deep
deapdeep-extend
defaults-deep
dot-prop
hoeklodash
mergemerge-deep
merge-objects
merge-options
merge-recursive
mixin-deep
object-path
pathval
Kubernetes configuration
Kubernetes is an open-source container management solution for automating the deployment, scaling, and management of containerized applications. It provides container-centric infrastructure abstraction, eliminates dependencies on underlying infrastructure, enables portable deployments, and simplifies the management of complex distributed systems. Improved vulnerability category coverage includes:
Kubernetes misconfiguration: Improper network access control to the API server.
Kubernetes misconfiguration: Improper access control for CronJob.
Kubernetes misconfiguration: Improper Daemonset access control.
Kubernetes misconfiguration: Improper deployment access control.
Kubernetes misconfiguration: Improper job access control.
Kubernetes misconfiguration: Improper pod access control.
Kubernetes misconfiguration: Improper RBAC access control.
Kubernetes misconfiguration: Incorrect ReplicaSet access control.
Kubernetes misconfiguration: Incorrect replication controller access control.
Kubernetes misconfiguration: Improper access control for stateful replica sets.
Kubernetes misconfiguration: Insecure confidential transfer.
Kubernetes misconfiguration: Insufficient kubelet logging.
Kubernetes misconfiguration: Scheduler system information is leaked.
Kubernetes misconfiguration: Uncontrolled consumption of kubelet resources.
Kubernetes terraform misconfigured: The daemon is set up with improper access control.
kubernetes terraform
kubernetes terraform
Kubernetes terraform misconfigured: Improper pod access control.
Kubernetes Terraform misconfigured: Improper access control to the pod network.
Kubernetes Terraform misconfigured: Improper RBAC access control
kubernetes terraform
Kubernetes Terraform configuration error: Incorrect stateful set access control.
Kubernetes Terraform misconfigured: Insecure secret transfer.
disastig 5.3
To support our federal customers in the area of compliance, we have added the Fortify taxonomy with the U.S. Defense Information Systems Agency (DISA) Application Security and Development STIG version 53.
OWASP MOBILE's Top 10 Risks in 2023
The Open Global Application Security Project (OWASP) Top 10 Mobile Risks 2023 aims to raise awareness of mobile security risks and educate those involved in the development and maintenance of mobile apps. To support customers looking to reduce the risk of their web applications, we've added the relevance of the Fortify taxonomy to the initial release of the OWASP Mobile TOP 10 2023.
Other errata
In this release, we've invested resources to ensure that we can reduce the number of false positives, refactor consistency, and improve our customers' ability to review issues. Customers can also see changes to reporting issues related to:
Deprecation 20x
Previous version of Fortify Static Code AnalyzerAs we wrote in 2023As described in the 3 release announcement, this is supported by 20The last version of the rule package for the static analyzer version prior to x. For this version, 20Static analyzer versions prior to x will not load rule packages. This will require downgrading the rule package or upgrading the version of the static analyzer. For future releases, we will continue to support the last four major versions of Static Code Analyzer.
Reduce false positives and other significant detection improvements
We've been working hard to eliminate false positives in this release. Customers can expect further elimination of false positives, as well as other significant improvements related to:
.NET Misconfiguration: Persistent Authentication in ASP. using the Forms Authentication ServiceFalse positives were removed in the .NET application.
Credential Management: Hard-coded API credentials remove false positives from secret scans related to HTTP bearer tokens.
Credential Management: Hardcoded API Credentials A new issue with the Ature API key has been detected.
Cross-site request forgery is used using "expressjs" j**ascript framework.
Cross-site scripting A new issue detected in Go applications that use the "HTML Template" package.
Cross-site scripting: Reflects in asp. using the "ListControl" classFalse positives were removed in the .NET application.
Denial of Service: The format string is incorrectly mapped to the first 10 categories of OWASP.
Insecure transport in ASP. related to controller methods that handle private user dataFalse positives were removed in the .NET application.
Insecure Transfer: Mail Transfer from using "smtplib."smtp'Kind.
Key Management: Hardcoded encryption keys False positives were removed in J**A applications that use the "rsakeygenparameterspec" class.
Link Injection: Missing Validation Removed false positives in SWIFT and Objective-C applications using the "wkn**igationdelegate" protocol[2].
Bulk Allocation: Insecure Binder Configuration Removed false positives from J**A applications using the Jakarta EE API
Password Management: Passwords in Profiles False positives are removed from the profile.
Path Manipulation A new issue detected in the PHP application where the file is uploaded.
SQL Injection A new issue detected in a nodejs application that uses a MarsDB database.
SQL injection: A new issue detected by MyBatis Mapper in the MyBatis Mapper XML file.
String termination error Removed false positives in C C++ applications that use "printf()" and its variants.
System Information Leak: Incomplete Servlet Error Handling Removed false positives in j**a applications.
Weak Encryption: Insecure Initialization Vectors Removed false positives in python applications using the "pycryptodome" library.
Unpublished resources: Streams are using "j**a."nio.file" API.
Various data flow false positives related to user profile information in VisualForce applications.
Category name change
When the vulnerability category name changes, merging the analysis results of a previous scan with the new scan may result in the addition and deletion of categories.
To improve consistency, the following two categories have been renamed:
fortify securebase [fortify webinspect]
Fortify SecureBase combines a review of thousands of vulnerabilities with a strategy that directs users to get the following updates immediately through SmartUpdate.
Vulnerability support
Access control: the management interface
This release includes a check to detect insecure configurations of Spring Cloud Gateway when the gateway executor endpoint is enabled, exposed, and insecure. In this case, an attacker can create a new route and access internal or sensitive assets on behalf of the application. This can lead to cloud metadata key theft, internal application compromise, or denial-of-service (DoS) attacks.
Expression language injection: spring
Spring Cloud Gateway version. 0.0 to 30.6 and below 30.Version 0 contains a security vulnerability identified by CVE-2022-22947. This vulnerability allows injection attacks when the gateway actuator endpoint is enabled, exposed, and insecure. This release includes a check to detect the presence of this vulnerability on target servers using the affected version of Spring Cloud Gateway.
Insecure deployments: Unpatched applications
TeamCity On-premises Server Version 202305.3 and earlier versions are prone to authentication bypass, which enables an unauthenticated attacker to obtain remote execution (RCE) on the server. This vulnerability has been identified by CVE-2023-42793. This release includes a check to detect this vulnerability on the target server.
Information discovery: Undocumented APIs
Undocumented or limited documentation of API endpoints can provide attackers with an attack surface that is not adequately tested for security vulnerabilities. Attackers may perform reconnaissance to discover deprecated, unpatched, and unmaintained endpoints that can gain access to sensitive information or dangerous functionality. This release includes a check to discover versioned API endpoints that are accessible but not defined in the API specification document.
Compliance Reporting
disastig 5.3
To support our federal customer compliance needs, this release includes WebInspect checks with the latest version of the Defense Information Systems Agency Application Security and Development (DISA) STIG version 53.
Policy Updates
disastig 5.3
Customize the policy to include the same policy as Disa stig 53 Related checks, added to the WebInspect SecureBase list of supported policies.
Other errata
In this release, we've invested resources to further reduce the number of false positives and improve our customers' ability to review issues. Customers can also see changes in the reported results related to the following areas:
Insecure transport: SSLV3 TLS renegotiate flows
tls1.3 Renegotiation is not supported. This release includes improvements to the Renegotiation Flow Injection Check to reduce false positives and improve the accuracy of the results.
HTML5: Cross-site scripting protection
The x-xss-protection header is deprecated in all modern browsers. In this release, we've derided header checks for missing or misconfigured headers.
Fortify premium content
The research team builds, extends, and maintains a variety of resources outside of our core security intelligence products.
disa stig 5.3 and OWASP Mobile Top 10 2023 To coincide with the new relevance, this release also includes a new report package, OpenTextFortify Software Security Center supports Disa STIG 53 and OWASP Mobile Top 10 2023, mayFrom the Fortify Customer Support Portal, under Premium Content**.
Fortify taxonomy: Software security errors
1] Langchain is still very new. Safety must be carefully considered before production use.
2] Fortify Source Code Analyzer 231 or later.
Contact Fortify customer support