The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA) and Fortify WebInspect. Today, Fortify Software Security Content supports 1,552 vulnerability categories across 31+ languages and spans more than one million individual APIs.
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2023.2.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
With this release, the Fortify Secure Coding Rulepacks detect 1,329 unique categories of vulnerabilities across 31+ languages and span over one million individual APIs. In summary, this release includes the following:
Support for Dart (version supported: 2.19.6)[1]
The Dart software development kit (SDK), developed by Google, provides a strongly typed, class-based, and garbage-collected programming language for building desktop, mobile, and web applications. Dart offers versatility by allowing applications to be compiled into architecture-specific machine code, portable modules, or JavaScript, depending on the intended use case. With Dart, developers can create applications with accompanying graphical user interfaces (GUIs), making it a flexible choice for building a wide range of software solutions. Categories supported include:
Initial support for Flutter (version supported: 3.7.11)[1]
Flutter, an open-source user interface (UI) SDK created by Google, harnesses the power of the Dart programming language. It provides developers with a comprehensive set of tools, libraries, and packages to facilitate the creation of cross-platform applications. With Flutter, developers can build mobile, web, and desktop applications from a single codebase, simplifying the development process and reducing time and effort. By leveraging Flutter's capabilities, developers can create visually appealing and performant applications that run seamlessly across multiple platforms. Support for Flutter includes tracking of user-supplied input, detection of all supported categories for the Dart programming language, and the following categories specifically for Flutter GUIs:
Android 13 (API level: 33)
The Android platform is an open-source software stack designed for mobile devices. A primary component of Android is the Java API Framework, which exposes Android features to application developers. This release expands vulnerability detection in native Android applications written in Java or Kotlin that leverage Android's Java API Framework. Five new weakness categories are introduced in this release for Android applications:
Additional Android updates are included to support detection of existing weakness categories in the following namespaces:
Java SE JDK (version supported: 17)
The Java Platform, Standard Edition (SE) Java Development Kit (JDK) is a software development package containing tools and libraries used to develop Java applications and components. This release includes updated support of existing weakness categories in the following namespaces for new APIs introduced in Java SE JDK 15, 16, and 17:
Improved scan coverage might include additional issues identified under the following categories:
Kotlin Standard Library Updates (version supported: 1.7.21)
Kotlin is a general-purpose, statically-typed language featuring Java interoperability. This release includes updated support for new standard library APIs introduced in Kotlin versions 1.6 and 1.7 targeting the Java Virtual Machine (JVM).
Secret Scanning Update
Secret Scanning is a technique to automatically search for secrets in source code and configuration files. In this context "secrets" refers to passwords, API tokens, encryption keys, and similar artifacts meant to be kept secret. This release includes updated support for secret scanning in the following categories:
Additionally, secret scanning in PowerShell scripts is now supported for the following categories:
Cloud Infrastructure as Code (IaC)
Infrastructure as code is the practice of managing and provisioning computing resources through code rather than through manual processes. Expanded coverage of supported technologies includes Terraform configurations for deployment to Amazon Web Services (AWS) and Google Cloud Platform (GCP), as well as configurations for AWS CloudFormation. Common issues in the configuration of these services are now reported to the developer.
AWS Terraform Configurations
Terraform is an open-source IaC tool for building, changing, and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of AWS infrastructure. In this release, we report the following additional categories for Terraform configurations:
GCP Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing, and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of GCP infrastructure. In this release, we report the following weakness categories for GCP Terraform configurations:
AWS CloudFormation Configurations
CloudFormation is a service provided by Amazon that is used to automate the provisioning and configuration of AWS resources. CloudFormation allows users to manage AWS resources using a JSON or YAML template. In this release, we report the following weakness categories for AWS CloudFormation configurations:
Customizable Password Management Regular Expressions Update
Customizable Password Management regular expressions for Salesforce Apex, Dart, and PowerShell scripts can now be specified using the following properties:
These properties can be used to override the default regular expressions used to identify passwords when scanning Salesforce Apex source code, Dart source code, or PowerShell scripts.
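As an added illustration (not Fortify's rules or code) of the secret-scanning technique described above and of the overridable password regular expression described under Customizable Password Management, the following Python scanner runs constructed default patterns over a constructed PowerShell script and properties file, skips placeholder values, masks whatever it reports, and accepts a project-specific password regex. The pattern definitions, category labels and sample inputs are all assumptions made for this example.

```python
import re

# Default patterns are constructed for this example (not Fortify's own rules);
# group 1 of each regex is the candidate secret value.
DEFAULT_PATTERNS = {
    "hardcoded password": re.compile(
        r'(?i)(?:password|passwd|pwd)\b\s*[=:]\s*["\']?([^"\'\s]{4,})'),
    "hardcoded API token": re.compile(
        r'(?i)\b(?:api[_-]?key|token)\b\s*[=:]\s*["\']?([A-Za-z0-9_\-]{16,})'),
}
PLACEHOLDERS = {"changeme", "password", "example", "xxxx", "todo"}

def is_placeholder(value):
    # Template values and variable references are not secrets.
    v = value.strip()
    return v.lower() in PLACEHOLDERS or v.startswith(("$", "<", "{{", "%"))

def scan(text, password_regex=None):
    """Return (line_no, category, masked_value) per suspected secret;
    password_regex overrides the default password pattern."""
    patterns = dict(DEFAULT_PATTERNS)
    if password_regex:
        patterns["hardcoded password"] = re.compile(password_regex)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, rx in patterns.items():
            m = rx.search(line)
            if m and not is_placeholder(m.group(1)):
                # Never echo the secret into the report; keep only a short prefix.
                findings.append((line_no, category, m.group(1)[:2] + "***"))
    return findings

# Constructed sample inputs: a PowerShell script and a properties file.
SAMPLE_PS1 = """\
$password = "Sup3rSecret!"
$secure = ConvertTo-SecureString $password -AsPlainText -Force
$apiKey = "c0nstructedT0ken0123456789"
$clientSecret = "s3cr3t-value"
$dbPwd = "${DB_PASSWORD}"
"""
SAMPLE_PROPS = """\
db.password=changeme
service.token = 'c0nstructedT0ken0123456789'
"""
# Project-specific override so that "...Secret = ..." assignments are caught too.
CUSTOM_PASSWORD_REGEX = r'(?i)secret\s*=\s*"([^"]+)"'

if __name__ == "__main__":
    print(scan(SAMPLE_PS1) + scan(SAMPLE_PROPS))
    print(scan(SAMPLE_PS1, CUSTOM_PASSWORD_REGEX))
```

Note that the line reading the password into a SecureString and the `${DB_PASSWORD}` reference produce no finding, while the override regex catches the `$clientSecret` assignment the defaults miss.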
OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0
The OWASP MASVS v2.0.0 standard was released in April 2023 as part of the OWASP Mobile Application Security (MAS) project. It offers a baseline for mobile application security requirements and is intended to be used by mobile software architects, developers, and testers. OWASP MASVS 2.0 focuses on the application security of the “client” mobile application running on the mobile device. As such, it should be used in combination with the OWASP ASVS to assess the related server-side application security risks for the controls that apply to remote endpoints. To support our customers in developing secure mobile applications and evaluating mobile applications for security control coverage and risk mitigation, a correlation of the Fortify Taxonomy to the OWASP MASVS v2.0.0 has been added.
Miscellaneous Errata
In this release, we invested resources to reduce the number of false positive issues, refactor for consistency, and improve customers' ability to audit issues. Customers can also expect to see changes in reported issues related to the following:
Deprecation of the "Access Control" Category
The Access Control category for Salesforce Apex has been removed in this release. The lack of field-level security checks is now indirectly captured through other categories, such as Access Control: Database and SOQL Injection.
Deprecation of the "Link Injection: Auto Dial" Category
The Link Injection: Auto Dial category has been removed because it is outdated. The category was introduced to address CVE-2017-2484, in which unsanitized user input in iOS apps could be exploited by attackers to auto-dial phone numbers or FaceTime calls. This issue was fixed in the iOS 10.3 update and is therefore no longer relevant to current iOS apps.
Deprecated Standards Mappings
The following standards and best practices have been marked as obsolete, so that they will not show by default:
PHP Dynamic Functions[2]
The latest Fortify Static Code Analyzer includes updated PHP support, enabling the reporting of Dynamic Code Evaluation: Code Injection issues against dynamic functions that are referenced by unsanitized external input.
Java Unsafe class
The Java JDK contains a hidden class, sun.misc.Unsafe, for performing inherently unsafe actions that are not normally available to developers; obtaining an instance of it requires reflection. When the sun.misc.Unsafe class is used within Java projects, scan results now report each usage as Often Misused: sun.misc.Unsafe.
False Positive Improvements
Work has continued with the effort to remove false positives in this release. In addition to other improvements, customers can expect further removal of false positives in the following areas:
Category Changes
When a weakness category is renamed, merging prior scans with new scans will show the category as removed under its old name and added under its new name.
To improve consistency, the following categories have been renamed:
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:
Vulnerability Support
Insecure Deployment: Unpatched Application:
ZK Framework, an open-source Java library used to create enterprise mobile and web applications, contains a security vulnerability identified by CVE-2022-36537. Attackers can exploit this vulnerability to retrieve the content of a file located in the web context. Successful exploitation enables an attacker to obtain sensitive information or target an endpoint that might otherwise be unreachable. This release includes a check to detect this vulnerability on target servers that use affected ZK Framework versions.
Miscellaneous Errata
In this release, we invested resources to further reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following:
Command Injection:
The checks with IDs 11722 and 11723 have been added; they use payloads that support the Out-of-band Application Security Testing (OAST) feature[3], which reduces false positives and increases the accuracy of WebInspect scan results.
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
OWASP MASVS v2.0.0
To accompany the new correlations, this release also contains a new report bundle for Fortify Software Security Center with support for OWASP MASVS v2.0.0, which is available for download from the Fortify Customer Support Portal under Premium Content.
Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com.
A new off-cloud version of the Fortify Taxonomy site, consistent with the above live site, is now available to customers for download from the Fortify Support Portal.
OpenText Fortify
https://softwaresupport.softwaregrp.com/
+1 (800) 509-1800
Alexander M. Hoole
Senior Manager, Software Security Research
OpenText Fortify
hoole@opentext.com
+1 (650) 427-9973
Peter Blay
Manager, Software Security Research
OpenText Fortify
pblay@opentext.com
+1 (669) 309-1634
[1] Requires Fortify Static Code Analyzer 23.1.0. For best results, use Fortify Static Code Analyzer 23.1.1.
[2] Requires SCA 23.1 and above
[3] Because the 11723 check sends a significant number of requests, it is excluded from the Standard policy. Use either the All Checks policy, customize an existing policy to include the check, or create a custom policy to run this check.