Original Question: Micro Focus Fortify Software Security Content 2020 Update 3 by Brent_Jenkins
2020 Update 3
September 25, 2020
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2020.2.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA), Fortify WebInspect, and Fortify Application Defender. Today, Micro Focus Fortify Software Security Content supports 1,032 vulnerability categories across 27 programming languages and spans more than one million individual APIs.
Learn more at: https://software.microfocus.com/en-us/software/security-research
With this release, the Fortify Secure Coding Rulepacks detect 815 unique categories of vulnerabilities across 27 programming languages and span over one million individual APIs. In summary, this release includes the following:
.NET System.Text.Json Support (Version 3.1)[1]
The System.Text.Json namespace is the high-performance, built-in, standards-compliant alternative to Newtonsoft's Json.NET package; it also provides types to read and write JSON text encoded as UTF-8. Support includes dataflow through the serialization and deserialization methods as well as increased coverage for the following categories:
- Cross-Site Scripting: Reflected
- Cross-Site Scripting: Persistent
- Cross-Site Scripting: Poor Validation
- Privacy Violation
- System Information Leak: External
- System Information Leak: Internal
Kotlin Coroutines and Standard Library Support[2]
Extended coverage of the Kotlin standard libraries, including support for coroutines. Coroutines provide a rich and flexible API to develop concurrent and asynchronous code. This update adds improved dataflow analysis in applications using coroutines.
Kotlin Java Interoperability and Android Improvements[3]
Improved language support across existing weakness categories for projects containing both Java and Kotlin source code as well as for Android applications developed using Kotlin.
Java 14 Support
Improvements across existing weakness categories to support version changes up to Java 14.
ECMAScript 2020 Support
Rules coverage for ECMAScript has been extended to all versions up to ECMAScript 2020.
Go Logrus (Version 1.6.0)
Logrus is a structured logger for Go that is fully API compatible with the standard library logger. Because it is so widely used, it is a common route for logging-related risks into enterprise applications. Categories supported include:
- Poor Logging Practice: Use of a System Output Stream
- Privacy Violation
- System Information Leak
Dockerfile Support
Docker packages code and its dependencies into containers, isolated units that run on any host with a container runtime. A Dockerfile is the build configuration for a container image. This update covers the most common misconfigurations found in Dockerfiles.
Initial support covers the existing "Password Management: Password in Configuration File" category, as well as the following new categories:
- Dockerfile Misconfiguration: Default User Privilege
- Dockerfile Misconfiguration: Privileged Container
- Dockerfile Misconfiguration: Privileged Port
- Dockerfile Misconfiguration: Sensitive Host Discovery
- Dockerfile Misconfiguration: SSH Service
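As an added example, not part of the Rulepack content, a small Go checker over constructed Dockerfiles that flags the categories whose trigger is clear from the list above: a credential in ENV or ARG, EXPOSE of port 22, EXPOSE of a port below 1024, and no non-root USER. "Privileged Container" and "Sensitive Host Discovery" are not defined on this page, so the checker does not attempt them. The credential-name regex and the exact category strings are this example's assumptions; a hardened Dockerfile is included next to the weak one to show the corrected configuration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type Finding struct {
	Line     int
	Category string // mirrors the Fortify category name
	Detail   string // the port or variable that triggered it
}

var secretKey = regexp.MustCompile(`(?i)pass(word|wd)?|secret|token|api[_-]?key`) // credential-looking names: this example's heuristic, not Fortify's rule

// envPairs handles `ENV K=v K2=v2` as well as the legacy `ENV K v` form.
func envPairs(args string) [][2]string {
	fields := strings.Fields(args)
	if len(fields) > 1 && !strings.Contains(fields[0], "=") {
		fields = []string{fields[0] + "=" + strings.Join(fields[1:], " ")}
	}
	var pairs [][2]string
	for _, f := range fields {
		kv := append(strings.SplitN(f, "=", 2), "") // guarantees kv[1] exists
		pairs = append(pairs, [2]string{kv[0], strings.Trim(kv[1], `"'`)})
	}
	return pairs
}

// CheckDockerfile skips comments, joins backslash continuations and applies the checks.
func CheckDockerfile(text string) []Finding {
	var out []Finding
	var buf []string
	user, last := "", 0
	for i, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if len(buf) == 0 {
			if line == "" || line[0] == '#' {
				continue
			}
			last = i + 1 // line on which the current instruction begins
		}
		if strings.HasSuffix(line, "\\") {
			buf = append(buf, strings.TrimSuffix(line, "\\"))
			continue
		}
		fields := strings.Fields(strings.Join(append(buf, line), " "))
		buf = nil
		if len(fields) == 0 {
			continue
		}
		args := strings.Join(fields[1:], " ")
		switch strings.ToUpper(fields[0]) {
		case "USER": // USER name[:group]; root or uid 0 is no better than no USER at all
			user = strings.SplitN(args, ":", 2)[0]
		case "EXPOSE":
			for _, spec := range strings.Fields(args) {
				port, err := strconv.Atoi(strings.SplitN(strings.SplitN(spec, "/", 2)[0], "-", 2)[0]) // 22/tcp, 8000-8010
				switch {
				case err != nil: // e.g. EXPOSE $PORT: not resolvable statically
				case port == 22:
					out = append(out, Finding{last, "Dockerfile Misconfiguration: SSH Service", spec})
				case port < 1024:
					out = append(out, Finding{last, "Dockerfile Misconfiguration: Privileged Port", spec})
				}
			}
		case "ENV", "ARG":
			for _, kv := range envPairs(args) {
				if secretKey.MatchString(kv[0]) && kv[1] != "" {
					out = append(out, Finding{last, "Password Management: Password in Configuration File", kv[0]})
				}
			}
		}
	}
	if user == "" || user == "root" || user == "0" {
		out = append(out, Finding{last, "Dockerfile Misconfiguration: Default User Privilege", "no non-root USER"})
	}
	return out
}

// Constructed samples: WeakDockerfile breaks every rule above, HardenedDockerfile passes.
const WeakDockerfile = `FROM ubuntu:20.04
# every instruction below is deliberately wrong
ENV DB_PASSWORD=hunter2 \
    APP_ENV=prod
EXPOSE 22 80 8080
CMD ["/usr/sbin/sshd", "-D"]
`

const HardenedDockerfile = `FROM ubuntu:20.04
RUN useradd --system --no-create-home app
EXPOSE 8080
USER app
CMD ["/opt/app/server"]
`

func main() { fmt.Printf("%+v\n", CheckDockerfile(WeakDockerfile)) }
```

Line numbers refer to the line on which an instruction starts, so a finding in a multi-line ENV points at the ENV keyword, which is where a reviewer would look. The default-user check is deliberately evaluated once at the end: what matters is the user in effect when the image's process starts, not whether a USER instruction appears anywhere.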
DISA STIG 4.11
To support our federal customers in the area of compliance, correlation of the Micro Focus Fortify Taxonomy to the Defense Information Systems Agency (DISA) Application Security and Development STIG version 4.11 has been added.
Miscellaneous Errata
In this release, we have continued to invest resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:
Deprecation notice of SCA versions prior to 17.x:
This is the last Rulepack release that supports SCA versions prior to 17.x. Starting with the next release, SCA versions prior to 17.x will not load the Rulepacks; affected customers will need either to stay on the older Rulepacks or to upgrade SCA.
For future releases, we will continue to support the last four major releases of SCA.
Obsoleting mappings - Security Technical Implementation Guide Versions 3.x (STIG 3.x):
The Software Security Research team has created mappings from Fortify categories to external standards and best practices for many years. As a result, the set of supported versions of each standard has grown very large, even though many of the older versions are no longer used.
We have therefore marked versions of STIG prior to 4.0 as obsolete, using a new XML attribute in the externalmetadata.xml file. Fortify Software Security Center and SCA, starting with version 20.2, will no longer show these versions by default. If you still need to check against an obsolete version, set the obsolete attribute on that mapping to "false" or remove the attribute entirely.
Blacklist and Whitelist naming:
Following trends within the field, the Software Security Research team as part of Micro Focus Fortify as a whole have decided to move away from the terms "blacklist" and "whitelist" to more neutral and semantically specific terms. We have instead decided to use the more descriptive terms "deny list" and "allow list" respectively.
This change also means the following category names have changed, potentially resulting in removed and new issues:
- “Deserialization Bad Practice: Blacklist” is now “Deserialization Bad Practice: Deny List”
- "Django Bad Practices: Blacklisted Attributes" is now "Django Bad Practices: Attributes in Deny List"
- "Setting Manipulation: User-Controlled Whitelist" is now "Setting Manipulation: User-Controlled Allow List"
Weak Encryption: Insecure Mode of Operation update
We no longer consider the Cipher Block Chaining (CBC) mode of symmetric encryption safe to use. From this release, any use of CBC in the supported libraries is reported as Weak Encryption: Insecure Mode of Operation. Considering BEAST, POODLE, Zombie POODLE, GOLDENDOODLE, Lucky 13 and padding-oracle attacks in general, we have determined that CBC is no longer safe based on currently known cryptographic research.
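As an added example, not taken from the Rulepack content, of why an unauthenticated mode is reported regardless of which named attack is current: in Go, an AES-CBC ciphertext with no MAC can be altered without the key so that the receiver decrypts a different, attacker-chosen first block, and a receiver that additionally reports padding failures separately from other errors is exactly the padding oracle the attacks above build on. AES-GCM, the AEAD replacement, rejects the same alteration. The key, the "role=" message layout and the attacker's target plaintext are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding") // a receiver that leaks this distinction is a padding oracle
	}
	return b[:len(b)-n], nil
}

// encryptCBC is the construction the rule now flags: AES-CBC with a random IV
// prepended and no MAC, so nothing binds the ciphertext to what was encrypted.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// flipFirstBlock is the attacker's move, made without the key: XOR (known ^ want)
// into whatever gets XORed with the first plaintext block on decryption (the IV for
// CBC, the first ciphertext bytes for GCM's counter-mode core).
func flipFirstBlock(ct []byte, offset int, known, want []byte) []byte {
	out := append([]byte(nil), ct...)
	for i := range known {
		out[offset+i] ^= known[i] ^ want[i]
	}
	return out
}

// Demo returns the plaintext the unauthenticated CBC receiver accepted after tampering,
// and whether AES-GCM (the fix) rejected the same tampering.
func Demo() (string, bool, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return "", false, err
	}
	known := []byte("role=user;id=42;") // attacker knows the layout of the first 16-byte block
	want := []byte("role=root;id=42;")  // same length, escalated privilege
	ct, err := encryptCBC(key, known)
	if err != nil {
		return "", false, err
	}
	pt, err := decryptCBC(key, flipFirstBlock(ct, 0, known, want)) // IV is bytes 0..15
	if err != nil {
		return "", false, err
	}
	block, _ := aes.NewCipher(key) // key already validated above
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", false, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", false, err
	}
	gct := gcm.Seal(nil, nonce, known, nil) // ciphertext followed by the authentication tag
	_, gerr := gcm.Open(nil, nonce, flipFirstBlock(gct, 0, known, want), nil)
	return string(pt), gerr != nil, nil
}

func main() {
	pt, detected, err := Demo()
	fmt.Printf("CBC accepted %q (err=%v); GCM detected tampering: %v\n", pt, err, detected)
}
```

The CBC receiver returns a clean "role=root" plaintext with no error, because the IV modification lands entirely in the first plaintext block and the padding block is untouched. The same XOR applied to the GCM ciphertext changes the plaintext the same way, but the tag no longer verifies and Open returns an error before any plaintext is released. Encrypt-then-MAC over CBC would also close the hole; GCM is simply the form the standard library makes hard to get wrong.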
False positive improvements:
We continue to listen to our customers and strive to improve the false positive rates. During this release we have worked on the following in order to reduce the number of false positives:
- Cross-Site Request Forgery
Fewer reports, to account for other kinds of CSRF tokens and for tokens carried in ASP.NET hidden fields
- Server-Side Request Forgery
Removed in some Spring applications
- Poor Logging Practice: Use of a System Output Stream
Removed when the context is a command-line application or utility
- Dead Code: Unused Field
No longer reported inside lambdas
- Privacy Violation
Removed duplicate issues involving passwords inside Java, Scala, and Kotlin lambdas
- Java system properties: built-in JVM properties are now treated separately from application-defined ones, reducing false positives in many cases and potentially finding new System Information Leaks.
Rules for Null Dereference and Redundant Null Check have been reworked to enable reduction of false positive rates. In particular, the ability to write custom rules to handle internal null check functions has been added.
However, it is unclear if the benefits are universal in nature. As such, these improvements that are available in SCA 20.2 are turned off by default. If you would like to test these improvements please contact customer support.
Fortify WebInspect SecureBase
Fortify WebInspect SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:
Vulnerability support
Weak Cryptographic Signature: User-Controlled Key Source
Key confusion attacks threaten the integrity of JSON Web Tokens (JWT). JWT implementations that let the token received from the client determine which key source is used to verify it, instead of selecting the key on the server, allow an attacker to forge the token payload. This release includes a check that evaluates JWT usage for key confusion attacks.
JSON Web Token: Missing Protection Claims
JSON Web Tokens that do not implement protection claims such as "jti", "exp", and "aud" might be susceptible to impersonation and replay attacks. This release includes multiple checks that detect if the tokens encountered during a scan are missing these claims.
Access control: Authorization Bypass
A JSON Web Token (JWT) protects against data tampering because the information it contains is digitally signed, with an HMAC or with an asymmetric algorithm such as RSA. Applications that fail to verify the signature might be susceptible to unauthorized access and impersonation attacks. This release includes multiple checks that evaluate JWT implementations for acceptance of missing or arbitrary signatures.
OAuth2: Insufficient state Parameter Entropy
OAuth2 protocol implementations that do not use a "state" parameter value with sufficient entropy are susceptible to impersonation attacks. This release includes a check to evaluate if the state parameter fails to meet sufficient entropy requirements.
OAuth2: Insufficient Refresh Token Revocation
Authorization servers that do not verify the client ID, the client secret, and refresh token expiration before reissuing a new access token might be vulnerable to impersonation attacks. This release includes a check to detect if a refresh token can be used to generate multiple access tokens without the client ID and the client secret.
OAuth2: Insufficient Authorization Code Expiration
OAuth2 authorization servers that do not expire authorization codes promptly might be susceptible to impersonation attacks, because they continue to grant a valid access token for a stolen authorization code. This release includes a check to detect authorization code abuse.
Cross-Site Request Forgery
Applications that fail to use the "state" parameter in OAuth2 authorization flow are susceptible to unauthorized actions impersonating clients. Additionally, applications that use cookie storage for JSON Web Tokens (JWT) are at risk of similar CSRF attacks. This release includes multiple checks that detect JWT and OAuth2 instances vulnerable to CSRF.
Weak Cryptographic Signature: Insufficient Key Size
JSON Web Tokens carry digitally signed information to prove payload integrity. With a symmetric algorithm such as HS256, a weak secret can be brute forced, after which an attacker can craft an arbitrary payload and sign it with the recovered key. This release includes a check that detects tokens whose HS256 signature can be brute forced because the secret is too short.
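One added example in Go, not from WebInspect's check content, that covers the four JWT checks above (key source, protection claims, signature verification and key size): a verifier that pins HS256 and the server's own key instead of trusting the token's alg header, rejects an empty signature, and enforces exp, aud and jti, together with an issuer that refuses secrets shorter than the 256 bits RFC 7518 requires for HS256. The key, claims and audience value are constructed; the 32-byte minimum comes from RFC 7518 section 3.2.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (256 bits).
const minHS256KeyBytes = 32

type Claims map[string]interface{}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hmacSHA256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignHS256 issues a token and refuses secrets short enough to brute force offline.
func SignHS256(claims Claims, key []byte) (string, error) {
	if len(key) < minHS256KeyBytes {
		return "", fmt.Errorf("HS256 secret is %d bytes, need at least %d", len(key), minHS256KeyBytes)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(hmacSHA256(input, key)), nil
}

// VerifyHS256 pins algorithm and key on the server side. The token's own "alg" header
// never selects a key, which closes alg=none, missing-signature and RSA-public-key-as-HMAC-secret
// (key confusion) forgeries. It then enforces the exp, aud and jti protection claims.
func VerifyHS256(token string, key []byte, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("alg %q rejected: the verifier, not the token, chooses the algorithm", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) == 0 || !hmac.Equal(sig, hmacSHA256(parts[0]+"."+parts[1], key)) {
		return nil, errors.New("signature verification failed")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims Claims
	if err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode into interface{} as float64
	if !ok {
		return nil, errors.New("missing exp claim")
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	if aud, _ := claims["aud"].(string); aud != wantAud {
		return nil, errors.New("aud claim missing or not for this service")
	}
	if jti, _ := claims["jti"].(string); jti == "" {
		return nil, errors.New("missing jti claim, so replays cannot be tracked")
	}
	return claims, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte secret; generate with crypto/rand in practice
	now := time.Now()
	tok, _ := SignHS256(Claims{"sub": "alice", "aud": "api", "jti": "7c1e", "exp": now.Add(time.Hour).Unix()}, key)
	_, err := VerifyHS256(tok, key, "api", now)
	fmt.Println("genuine token:", err)
	parts := strings.Split(tok, ".")
	_, err = VerifyHS256(b64([]byte(`{"alg":"none"}`))+"."+parts[1]+".", key, "api", now)
	fmt.Println("alg=none forgery:", err)
}
```

The order of checks matters: the algorithm is compared against a server-side constant before any key is touched, the signature is checked before the claims are parsed, and the claims are read from the verified payload only. A jti check on its own does not stop replay; the server still has to remember seen jti values until their exp passes, which is why the claim is required rather than merely logged.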
SQLite Support[8]
SQLite is a C library that provides a lightweight disk-based database that does not require a separate server process and allows access to the database using a nonstandard variant of the SQL query language. This release includes an enhancement to the WebInspect SQL Injection check to detect SQL injection vulnerabilities in web applications using SQLite library version 3.16.0 or later.
Compliance report
DISA STIG 4.11
To support our federal customers in the area of compliance, this release contains a correlation of the WebInspect checks to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.11.
Policy Updates
DISA STIG 4.11
A policy customized to include checks relevant to DISA STIG 4.11 has been added to the existing list of supported policies in WebInspect SecureBase.
Web API
A policy customized to include checks relevant to API security assessment has been added to the existing list of supported policies in WebInspect SecureBase.
Miscellaneous Errata:
In this release, we have continued to invest resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:
Insecure Transport: Weak SSL Cipher:
Check 11285 now reports every instance of a CBC-mode cipher suite as weak. Previously, CBC ciphers were only mentioned in the report content of Weak SSL Protocol when they were detected together with SSLv3 or TLS 1.0. Considering weaknesses such as POODLE, Zombie POODLE and GOLDENDOODLE, CBC-mode cipher suites are no longer recommended for transport layer security.
Blacklist and Whitelist naming:
Following trends within the field, the Software Security Research team as part of Micro Focus Fortify as a whole have decided to move away from the terms "blacklist" and "whitelist" to more neutral and semantically specific terms. We have instead decided to use the more descriptive terms "deny list" and "allow list" respectively in check security contents.
Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
DISA STIG 4.11
To accompany the new correlations, this release also contains a new report bundle for Fortify Software Security Center with support for DISA STIG 4.11, which is available for download from the Fortify Customer Support Portal under Premium Content.
Micro Focus Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Micro Focus Fortify Support Portal.
Contact Fortify Technical Support
Micro Focus Fortify
https://softwaresupport.softwaregrp.com/
1 (844) 260-7219
Contact SSR
Alexander M. Hoole
Manager, Software Security Research
Micro Focus Fortify
hoole@microfocus.com
1 (650) 258-5916
[1] Due to the design of the System.Text.Json namespace, it is not vulnerable to the same JSON injection issues reported in the Newtonsoft Json.NET package.
[2] Experimental coroutines APIs such as those using select expressions are not supported in this update.
[3] Requires SCA 20.2 or later.
[4] Requires SCA 20.2 or later.
[5] Full support requires SCA 20.2 or later.
[6] Requires SCA 20.2 or later.
[7] Requires SCA 20.2 or later.
[8] Inclusion of database type information for SQLite as part of the report content requires WebInspect 20.2 or later.
Question: RE: Micro Focus Fortify Software Security Content 2020 Update 3 by Bob_Hwang
It's Awesome !!
When will the translated version be released?
Question: RE: Micro Focus Fortify Software Security Content 2020 Update 3 by Clifford
Bob_Hwang,
Shortly after a new release goes out we begin the translation process. We don't pre-announce a release date as there are a number of variables that can impact it. At a minimum, it takes about 5 weeks. We will announce the availability as soon as possible. If you have subscribed to this board, you will be notified of their availability.
Thank you for your patience.