by Mannix - November 21, 2021 at 04:58 PM

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of Fortify Secure Coding Rulepacks (English, Version 2021.3.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content updates.

CyberRes Fortify Secure Coding Rulepacks [SCA]

In this release, the Fortify Secure Coding Rulepacks detect 831 unique vulnerability categories across 27 programming languages, covering more than 1 million individual APIs. In summary, this release includes the following:

Golang Standard Library Update (version 1.16)

Extended support for the Go standard library. Go is a statically typed, open-source language designed by Google to make it easy to build simple, reliable, and efficient software. Go is syntactically similar to C, but has memory safety mechanisms, garbage collection, and structural typing. This update covers the standard library namespace, adding support for the following new categories:

Cookie security: Missing SameSite property

Cookie security: Overly loose SameSite properties

Out: Residual debug code

Insecure randomness: Hard-coded seed

Insecure randomness: User-controlled seed

Insecure transport: Cipher suite downgrade

Insecure transport: Weak SSL protocol

Frequently misused: Permission management

Weak cryptographic signature

Android 11 Update (API level: 30)

The Android platform is an open source software stack designed for mobile devices. A major component of Android is the Java API framework, which exposes Android functionality to application developers. This release extends vulnerability detection in native Android applications written in Java or Kotlin using Android's Java API framework. Users should expect improved results from updates to Android application modeling and API coverage. This release also includes the following new permission management vulnerability categories to provide guidance for dangerous Android permissions:

Permission management: Android Activity recognition

Permission management: Android Calendar

Permission management: Android call records

Permission management: Android camera

Permission management: Android contacts

Permission management: Android microphone

Permission management: Android sensor

iOS Standard Library Update (version: iOS 14)

This release updates our support for the iOS 14 library APIs for Swift and Objective-C. The updates focus on the following frameworks:

User Interface Toolkit

User notification

The user interface

Message interface

Users should see improvements in the categories of unsafe IPC, link injection, path manipulation, privacy invasion, shoulder surfing, and system information leakage.

Micro Focus Visual COBOL Update (Version 7.0)

Extended support for Micro Focus Visual COBOL Version 7, adding support for the following two vulnerability categories:

Integer overflow

Race condition: File system access

SAPUI5/OpenUI5 support [1] (Version: 1.93)

SAPUI5 is a client-side JavaScript framework created by SAP that shares a core set of control libraries with the open source OpenUI5. This release provides preliminary support for identifying vulnerabilities in the following categories:

Cross-site scripting: DOM

Cross-site scripting: SAPUI5 control

Cross-site scripting: Ego

Privacy violation

SAPUI5 misconfiguration: unsanitized editor

System information leakage: External

JSON support [2]

The JavaScript Object Notation (JSON) is a lightweight data interchange format. This release provides improved support for identifying JSON vulnerabilities in the following categories:

Password management: empty password

Password management: hardcoded passwords

Password management: Null password

Password management: Passwords in comments [3]

Kotlin Standard Library Update (version 1.4.30)

Kotlin is a general-purpose, statically typed language with Java interoperability. This release includes updated support for the new standard library APIs introduced in Kotlin 1.4 for the Java Virtual Machine (JVM).

ECMAScript 2021 (version: ECMA-262)

Support for new APIs introduced in ECMAScript 2021. ECMAScript is a general-purpose programming language defined by the ECMAScript language specification, known for its integration into all modern Web browsers. However, it is increasingly used to build Web servers, mobile applications, and other types of traditional applications. Customers should expect improved data flow when scanning applications written against the latest ECMAScript standard.

Common Weakness Enumeration (CWE™) Top 25 in 2021

The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) was introduced in 2019, replacing the SANS Top 25. Released in July 2021, the CWE Top 25 was determined using a heuristic formula that normalizes the frequency and severity of the vulnerabilities reported to the National Vulnerability Database (NVD) over the past two years. To support customers who want to prioritize audits around the most frequently reported critical vulnerabilities in NVD, a correlation of the CyberRes Fortify taxonomy to the 2021 CWE Top 25 has been added.

Miscellaneous errata

In this release, we continue to invest resources to ensure that we can reduce the number of false positives and improve customers' ability to audit problems. Customers can also see changes to reported issues related to:

Deprecate SCA versions prior to 18.x:

As noted in version 2020.4, we will continue to support the last four major versions of SCA. Therefore, this will be the last version of the Rulepacks that supports pre-18.x versions of SCA. From the next release, SCA versions prior to 18.x will not load the latest Rulepacks. This will require downgrading the Rulepacks or upgrading the version of SCA.

For future releases, we will continue to support the last four major releases of SCA.

Java J2EE improvements:

Improved support for the javax.servlet API in the privacy violation and system information leak categories.

Android Binding services:

With our continued support for Android, this release covers Android binding services. Customers may encounter new data flow problems from the Android binding service method parameters. This can introduce repeated subtraces of data flow when methods are invoked in a bound service.

Weak cryptographic hashes in Node.js:

Detects the use of weak cryptographic hashes in Node.js applications.

OWASP ASVS 4.0 mapping now includes support for levels

To support customers who want to be able to query reported problems that violate specific OWASP Application Security Verification Standard (ASVS) verification levels (L1, L2, and L3), the latest security content adds these levels to the mapping name. Customers can now search for the relevant L1, L2 and L3 keywords in the OWASP ASVS 4.0 grouping, as well as create the relevant filter sets and filter templates for use in Audit Workbench and Software Security Center (SSC).

False positive improvement:

The work of eliminating false positives continues in this release. Among other improvements, customers can look forward to further eliminating false positives in the following areas:

Cross-site scripting error in jQuery code

Privacy violation: Shoulder surfing in .NET applications using the JsonIgnore attribute

More consistent lowering of the Fortify Priority Order for path manipulation where only a single number can be controlled

We no longer identify passwords in Swift when they are part of an enumeration

Missing XML validation issues in .NET

Missing null check in Java projects

[1] Improved results are expected when using SCA V21.2.0 or later.

[2] Requires SCA v21.1.0 or later and the flag '-Dcom.Fortify.SCA.Use.Json-analyzer=true'.

[3] SCA V21.2.0 or higher is required. No flags are required as of SCA V21.2.0.

CyberRes Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability support

Insecure deployment: HTTP request smuggling

H2C smuggling, which uses HTTP/2 over cleartext (H2C), is an alternative to traditional HTTP request smuggling that abuses an H2C-unaware front end (e.g., a proxy server) to create a tunnel to the back-end system. An attacker can use this tunnel to smuggle additional requests to the back-end server without being detected by the front-end server. This enables an attacker to bypass front-end authorization controls and access restricted resources on back-end systems. This release includes checks to detect configurations that can be used for H2C smuggling attacks.

Access control: Lack of authorization checking

GraphQL introspection enables clients to query the server for information about its underlying schema. Introspection provides detailed information about elements such as queries, types, and fields. GraphQL introspection is usually enabled by default. Attackers without proper authorization may misuse this information for attacks such as SQL injection and batching attacks. This release includes checks to detect GraphQL endpoints with introspection enabled.

NoSQL injection: MongoDB

A NoSQL script injection vulnerability allows an attacker to inject malicious queries into the database. MongoDB is one of the NoSQL databases documented to allow applications to run JavaScript operations. NoSQL injection is dangerous because an unauthenticated attacker can extract data or execute JavaScript code. This can lead to remote code execution, loss of confidentiality and integrity of application data, and denial of service (DoS). This release includes checks to detect NoSQL script injection in MongoDB.

Dynamic code evaluation: Unsafe deserialization

A pre-authentication insecure Java deserialization vulnerability in ForgeRock AM servers prior to 7.0 and OpenAM servers prior to 14.6.4 has been identified as CVE-2021-35464. This vulnerability allows an attacker to place a malicious serialized object in the jato.pageSession parameter and send it to the endpoint "/ccversion/Version" in a single request. The vulnerability exists because an insecure third-party Java library is used in the application. This problem typically allows an attacker to execute arbitrary code, abuse application logic, or mount denial-of-service (DoS) attacks on the server. This release includes a check to detect this vulnerability on the target Web server.

Cross-site scripting: DOM [1]

Cross-site scripting occurs when a dynamically generated web page displays improperly validated user input, such as login information, allowing an attacker to embed a malicious script into the generated page, which is then executed on the computer of any user viewing the page. In the case of XSS based on the Document Object Model (DOM), the malicious content is executed as part of DOM operations. If successfully exploited, DOM cross-site scripting vulnerabilities can be used to manipulate or steal cookies, create requests that could be mistaken for those of valid users, compromise confidential information, or execute malicious code on end-user systems. This release includes a new check to detect DOM XSS via client-side URI fragments.

Web server configuration error: unsafe mapping instruction

Guidance for configuring Nginx to execute PHP on a Web server sometimes recommends passing every URI ending in .php to a back-end PHP interpreter (such as FastCGI). Nginx with this insecure PHP configuration treats the folder in the URL path as the target file to execute if the requested full path does not point to an actual file. This misconfiguration allows an attacker to execute arbitrary PHP code from any type of file, such as an image file, provided it can be uploaded to the Web server and accessed. This release includes a check to detect this vulnerability on the target Web server.

Integer overflow

Nginx versions 0.5.6 through 1.13.2 are vulnerable to an integer overflow vulnerability identified as CVE-2017-7529. This problem exists in the Nginx range filter module and allows an attacker to obtain potentially sensitive information by sending a crafted request. This release includes checks to detect the CVE-2017-7529 vulnerability on the target Web server.

Compliance report

Common Weakness Enumeration (CWE™) in 2021

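The Go standard library categories listed in the post (missing or overly permissive SameSite, weak SSL protocol, cipher suite downgrade, hard-coded seed) are easiest to understand from the code patterns that trigger them. The following is an added illustration, not Fortify's rules or the post author's code: small audit functions that inspect an `http.Cookie` and a `tls.Config` for those weaknesses, and a deterministic token generator beside its `crypto/rand` replacement. The category strings and the sample cookie and TLS configuration are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"net/http"
)

// Finding pairs a category name (taken from the list above) with the detail
// that triggered it. These audit functions are an added illustration of what
// the categories flag; they are not Fortify's rules.
type Finding struct {
	Category string
	Detail   string
}

// AuditCookie reports a cookie that would be written without a SameSite
// attribute (the zero value and SameSiteDefaultMode both omit it from the
// Set-Cookie header) or with SameSite=None, which disables the cross-site
// request protection entirely.
func AuditCookie(c *http.Cookie) []Finding {
	var out []Finding
	switch c.SameSite {
	case 0, http.SameSiteDefaultMode:
		out = append(out, Finding{"Cookie security: Missing SameSite property",
			c.Name + ": no SameSite attribute is emitted"})
	case http.SameSiteNoneMode:
		out = append(out, Finding{"Cookie security: Overly loose SameSite properties",
			c.Name + ": SameSite=None sends the cookie on cross-site requests"})
	}
	return out
}

// AuditTLS reports a protocol floor below TLS 1.2 (an unset MinVersion falls
// back to the package default, which is TLS 1.0 for Go 1.16 servers) and any
// configured suite that crypto/tls itself lists as insecure.
func AuditTLS(cfg *tls.Config) []Finding {
	var out []Finding
	if cfg.MinVersion < tls.VersionTLS12 {
		out = append(out, Finding{"Insecure transport: Weak SSL protocol",
			fmt.Sprintf("MinVersion 0x%04x permits TLS versions below 1.2", cfg.MinVersion)})
	}
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			out = append(out, Finding{"Insecure transport: Cipher suite downgrade",
				"cipher suite " + name + " is marked insecure by crypto/tls"})
		}
	}
	return out
}

// WeakToken shows the "hard-coded seed" pattern: a fixed seed makes every
// run produce the same "random" token, so it is predictable to anyone who
// can read or guess the seed.
func WeakToken(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, 16)
	r.Read(b)
	return hex.EncodeToString(b)
}

// SecureToken draws 128 bits from the operating system CSPRNG instead.
func SecureToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed sample inputs: a session cookie with no SameSite value and a
	// server config that still allows TLS 1.0 and an RC4 suite.
	cookie := &http.Cookie{Name: "session", Value: "abc", HttpOnly: true, Secure: true}
	cfg := &tls.Config{MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_AES_128_GCM_SHA256}}
	for _, f := range append(AuditCookie(cookie), AuditTLS(cfg)...) {
		fmt.Printf("%s -- %s\n", f.Category, f.Detail)
	}
	fmt.Println("weak token repeats across runs:", WeakToken(42) == WeakToken(42))
	t1, _ := SecureToken()
	t2, _ := SecureToken()
	fmt.Println("secure tokens differ:", t1 != t2)
}
```

The fix for each finding is the obvious one: set `SameSite` to `http.SameSiteLaxMode` or `http.SameSiteStrictMode`, set `MinVersion: tls.VersionTLS12`, leave `CipherSuites` nil so Go picks its secure defaults, and never seed `math/rand` for anything security-relevant.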
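The WebInspect check for "Access control: Lack of authorization checking" described above works by asking a GraphQL endpoint for its own schema and seeing whether it answers. The following is an added example of that check, not WebInspect's code: `IntrospectionEnabled` posts the standard `__schema` query and reports whether a populated schema comes back, and `NewMockGraphQL` is a constructed `httptest` server that plays the role of an endpoint with introspection switched on or off (the error message it returns when disabled is constructed for the example). The check is the one a team runs against its own endpoints to confirm introspection was actually turned off in production.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// introspectionProbe is the minimal introspection query; a server with
// introspection enabled answers with its type list under data.__schema.
const introspectionProbe = `{"query":"{ __schema { types { name } } }"}`

// IntrospectionEnabled posts the probe to endpoint and reports whether the
// reply carries a populated __schema object. A non-JSON or error reply is
// treated as "disabled" rather than as a transport failure.
func IntrospectionEnabled(client *http.Client, endpoint string) (bool, error) {
	resp, err := client.Post(endpoint, "application/json", bytes.NewBufferString(introspectionProbe))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	var r struct {
		Data struct {
			Schema *struct {
				Types []struct {
					Name string `json:"name"`
				} `json:"types"`
			} `json:"__schema"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return false, nil
	}
	return r.Data.Schema != nil && len(r.Data.Schema.Types) > 0, nil
}

// NewMockGraphQL is a constructed stand-in for a GraphQL endpoint. With
// introspection on it answers the probe with a two-type schema; with it off
// it returns an errors array and no data, as a hardened server would.
func NewMockGraphQL(introspection bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if introspection {
			io.WriteString(w, `{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"}]}}}`)
			return
		}
		io.WriteString(w, `{"errors":[{"message":"introspection is disabled on this server"}]}`)
	}))
}

func main() {
	for _, on := range []bool{true, false} {
		srv := NewMockGraphQL(on)
		enabled, err := IntrospectionEnabled(srv.Client(), srv.URL+"/graphql")
		srv.Close()
		if err != nil {
			fmt.Println("probe failed:", err)
			continue
		}
		fmt.Printf("server configured introspection=%v -> check reports %v\n", on, enabled)
	}
}
```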
Thank you for sharing !!
Thank you for sharing!!!

Thank you for sharing !!
(November 22, 2021 at 03:06 PM)halewandering Wrote: Thank you for sharing!!!


IT IS!!! IT IS NO USE??????????????rules is no use????????
(November 23, 2021 at 03:45 AM)Mannix Wrote:
(November 22, 2021 at 03:06 PM)halewandering Wrote: Thank you for sharing!!!


IT IS!!! IT IS NO USE??????????????rules is no use????????

The title is not rules
(November 24, 2021 at 06:28 AM)halewandering Wrote:
(November 23, 2021 at 03:45 AM)Mannix Wrote:
(November 22, 2021 at 03:06 PM)halewandering Wrote: Thank you for sharing!!!


IT IS!!! IT IS NO USE??????????????rules is no use????????

The title is not rules

Copyright issue, post withdrawn
Does this come with the crack?
Thank you for sharing !!

Can you share it again??
I have already purchased
@Mannix can you provide a new dl link, your current one is dead.
