Collaborate Disseminate
I’m currently working on a task where I am trying to suppress some Path Manipulation warnings that have been raised from running an analysis with Fortify on my team’s source code. The issues are being raised due to the fact that we are try… Continue reading Best way to handle Path Manipulation vulnerabilities with retrieving files from .appconfig?
I have installed Fortify latest version(20.2) in my Agent and trying to run scan in pipeline(Azure DevOps). THe scans are working fine but when Im trying to upload the FPR file it throws the below error.
Error:
fortifyclient uploadFPR -url… Continue reading Fortify Static Scan – Upload FPR throws Access Denied [closed]
Last month Sonatype announced the acquisition of MuseDev, an innovative code analysis platform that does three things remarkably well:
The post Sonatype + Muse: How Improved Code Quality Compliments Enterprise SAST appeared first on Security Boule… Continue reading Sonatype + Muse: How Improved Code Quality Compliments Enterprise SAST
I have Codeblocks C compiler installed on my system. I am able to compile c/c++ files using gcc.
But Fortify Source Code Review Tool is not detecting the c files or the compiled files of c code for scanning.
It is saying "No Valid F… Continue reading Source Code Scanning [closed]
I am trying to use WordPress from Azure marketplace to deploy a web app. I ran a Fortify scan on entire code base (wwwroot) which includes wp-admin, wp-includes, wp-content and other boilerplate php files.
There are various issues found li… Continue reading Scanning WordPress for security vulnerabilities
In today’s world, we know that most security breaches occur because of application vulnerabilities. We also know that most typical software applications are, on average, comprised of 85% open source software. These facts are changing the way… Continue reading New Micro Focus, Sonatype Partnership Provides 360 Degree View of AppSec
I have been searching for an answer as to how you should treat false positives in Fortify scans.
For a long time, if something was determined to be a false positive, I would document the reasoning behind why that issue was a false posit… Continue reading Best Practice for Suppressing Fortify SCA Findings
SaaS security solutions such as “WhiteHat Sentinal” and “Fortify on Demand”
are getting popular now a days. Methodologies of both describe them involving manual verification. Does this qualify the Application security asses… Continue reading Does application security assessments done using SaaS solutions (WhiteHat Sentinal and Fortify on Demand) count as penetration tests?
I installed Fortify Security Assistant extension in Visual Studio 2017 from https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-security-assistant-visual-studio for testing purposes in my local environment… Continue reading Fortify Security Assistant for Visual Studio license [on hold]
I’m looking to use a security code analysis tool for multiple popular programming languages (Java, JavaScript, possible others as well). I’ve searched for different comparisons for both paid and free/ open-source tools, but I… Continue reading Recommended security code analysis tool [on hold]