Fortify Software

Vulnerability Research

Security Vulnerabilities

Software developers play a crucial role in building secure computer systems. Developed by the Fortify Software Security Research Group together with Dr. Gary McGraw, this taxonomy of common types of coding errors helps developers and software security practitioners recognize the categories of problems that lead to vulnerabilities and identify existing errors as they build software.

White Papers

Attacking the Build through Cross-Build Injection
A poorly designed software build process can allow an attacker to insert malicious code into the final product or to take control of a build machine. This paper surveys previous attacks related to building open source software, including attacks against Sendmail, OpenSSH and IRSSI. It then shows how three popular build tools for Java (Apache Ant, Maven and Ivy) are commonly misused in ways that make them susceptible to cross-build injection (XBI) vulnerabilities, which can allow attackers to insert Trojans, back doors, or other malicious code.
JavaScript Hijacking
Fortify Software's Security Research Group has announced a new class of vulnerability: JavaScript Hijacking. This is the first class of vulnerability that specifically affects Web 2.0 AJAX-style web applications. Fortify's advisory details the risk and how developers can make their code secure.

Webcasts & Videos

The Dark Side of AJAX
This talk considers the security implications of Ajax and the pitfalls and alternatives involved in creating rich Web applications. We look at Ajax security concerns and discuss the first vulnerability specific to Ajax: JavaScript Hijacking. We also look at popular Ajax programming frameworks and how they can make or break the security of an application. What happens when you point out the same vulnerability in twelve frameworks on the same day?
The Top 10 Software Security Vulnerabilities
Matt Rose, Senior Software Security Consultant at Fortify Software, shares his findings from a year analyzing millions of lines of code. He unveils his top ten most common vulnerabilities and provides detailed examples of each. These technical examples come from his experience working with Fortune 500 companies, government agencies, and major ISVs.
AJAX & Security
AJAX is used to build much richer user interfaces, on sites like Google Maps and MySpace, but it carries severe security implications. Brian Chess, Chief Scientist of Fortify Software, urges developers to be mindful of these threats. (ZDNet video, 2:24 minutes)
SOA Security
Find out why Roger Thornton, CTO of Fortify Software, says SOA should stand for "Secure Old Applications." Service-oriented architecture, though an important enabler, opens applications that were previously secure deep inside a company's computing infrastructure to serious risk from hackers, malicious insiders, worms and viruses. (ZDNet video, 2:32 minutes)

Security Research Group

Stay on Top of Security Issues

Fortify Software is at the cutting edge in developing threat intelligence to stay in front of the hacking community. Fortify's internal Security Research Group (SRG) comprises researchers who bring together expertise in a variety of software technologies and programming styles with decades of collective experience in security. They represent the security front line at Fortify, and their research into how real-world systems fail allows them to identify the most effective solutions to the threats that Fortify customers face.

The Fortify Security Research Group is responsible for building security knowledge into Fortify 360. Their work leads to the continual development of Fortify's Secure Coding Rulepacks, which are the core of Fortify's solutions.

Rulepack Subscription
The Security Research Group releases quarterly updates to the Fortify Secure Coding Rulepacks, which drive the Fortify 360 Analyzers. These updates embody the latest trends in software security and programming techniques and keep Fortify customers ahead of hackers, organized crime, rogue governments and other adversaries. They are distributed to customers as part of the subscription service through the Fortify customer download site, automated tool updates, and quarterly software releases.
