Security Research Blog
Get innovative research, observations and updates from the Micro Focus Security Research experts to help you proactively identify threats and manage risk.

Security Research Blog - Page 2

Micro Focus Frequent Contributor

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2018.1.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.
The Micro Focus Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio. 


Micro Focus Frequent Contributor

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2017.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.

The Micro Focus Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio.


Community Manager


Micro Focus Security Fortify Software Security Content 2017 Update 3

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2017.3.0), Fortify WebInspect SecureBase (available via SmartUpdate), Fortify Application Defender, and Fortify Premium Content.



Micro Focus Frequent Contributor

Another month, another Struts2 remote code execution (RCE) vulnerability (CVE-2017-9805). This time, however, the attack vector does not involve arbitrary OGNL expression evaluation but unsafe deserialization of request data. This blog post describes how Fortify SCA was able to detect it out of the box.
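The distinction the post draws (unsafe deserialization rather than OGNL) comes down to an XStream instance that will instantiate whatever type the incoming XML names. The following is an added example, not code from the original post or from the Struts project: it shows that pattern beside a hardened version that starts from a deny-all type permission and allows only the endpoint's own payload type. The `Order` and `Unexpected` classes and the two XML bodies are constructed for the example; the unsafe path behaves as shown on XStream releases before 1.4.18, which is the permissive default the affected Struts versions shipped with.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Hypothetical payload type a REST endpoint is meant to accept.
class Order {
    public String item;
    public int quantity;
    @Override public String toString() { return item + " x" + quantity; }
}

// Stand-in for any other class on the classpath the endpoint never intended
// to instantiate (in the real CVE this would be a JDK/library gadget chain).
class Unexpected {
    public String note;
    @Override public String toString() { return "Unexpected(" + note + ")"; }
}

public class XStreamDeserializationDemo {

    // Unsafe: the pattern behind CVE-2017-9805. A default XStream (1.4.17 and
    // earlier) instantiates whatever class the root element names.
    static Object deserializeUnsafe(String xml) {
        XStream xs = new XStream();
        return xs.fromXML(xml);
    }

    // Hardened: deny every type first, then allow only what this endpoint needs.
    static Object deserializeHardened(String xml) {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny all types
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Order.class });
        return xs.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate body, and one naming a class the
        // endpoint should never accept.
        String good = "<Order><item>widget</item><quantity>3</quantity></Order>";
        String unexpected = "<Unexpected><note>attacker-chosen type</note></Unexpected>";

        System.out.println("unsafe, good:         " + deserializeUnsafe(good));
        System.out.println("unsafe, unexpected:   " + deserializeUnsafe(unexpected)); // instantiated
        System.out.println("hardened, good:       " + deserializeHardened(good));
        try {
            deserializeHardened(unexpected);
            System.out.println("hardened, unexpected: accepted (should not happen)");
        } catch (XStreamException e) {
            System.out.println("hardened, unexpected: rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

The design point is the order of the permissions: `NoTypePermission.NONE` first, so that anything not explicitly allowed afterwards is refused before a converter ever runs. A whitelist of the endpoint's own types is far easier to keep correct than a blacklist of known gadget classes.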


Micro Focus Contributor

When purchasing a car, miles per gallon, horsepower, crash rating, and cargo space are all measurements that can be used to determine which choice best meets your needs. However, there are no such simple measurements that can be used to compare two software security tools.


SasiSiddharth

March 2017 witnessed two security advisories from Apache Struts2, both involving a similar problem in the Jakarta-based multipart file upload parsers (CVE-2017-5638). S2-045 addresses an issue with parsing the Content-Type header of a malformed multipart request, while S2-046 covers exploitation through the Content-Disposition section of a multipart file upload request. In both cases, it is possible to inject malicious OGNL expressions through the described attack vectors.

Our previous post explored the techniques involved in static analysis to detect these issues. In this post, we will dive into the dynamic analysis techniques to achieve the same goal.
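Both advisories share a property a defender can act on: an OGNL expression has to be opened with `%{` or `${`, and a well-formed Content-Type or Content-Disposition value never contains either sequence. The following is an added example, not code from the original post: a small check that scans raw request or multipart headers for that marker in exactly the two headers the advisories name. The header samples are constructed and use `placeholder` where an expression would sit; they are not the advisories' payloads.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public class StrutsOgnlHeaderCheck {
    // OGNL expressions are opened with "%{" or "${"; neither sequence is valid
    // in a Content-Type or Content-Disposition value.
    private static final Pattern OGNL_OPEN = Pattern.compile("[%$]\\{");

    // S2-045: the request's Content-Type header.
    // S2-046: the Content-Disposition header of a multipart part (filename).
    private static final String[] WATCHED = { "content-type", "content-disposition" };

    // One "Name: value" header line; true if it is a watched header
    // whose value contains an OGNL opener. Header names compare case-insensitively.
    static boolean isSuspicious(String headerLine) {
        int colon = headerLine.indexOf(':');
        if (colon < 0) return false;
        String name = headerLine.substring(0, colon).trim().toLowerCase(Locale.ROOT);
        String value = headerLine.substring(colon + 1);
        for (String watched : WATCHED) {
            if (watched.equals(name)) return OGNL_OPEN.matcher(value).find();
        }
        return false;
    }

    // A request head or multipart body as raw text, one header per line;
    // returns the offending header lines.
    static List<String> findSuspiciousHeaders(String raw) {
        List<String> hits = new ArrayList<>();
        for (String line : raw.split("\r?\n")) {
            if (isSuspicious(line)) hits.add(line.trim());
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed samples; "placeholder" stands where an expression would be.
        String benign = "POST /upload HTTP/1.1\r\n"
                + "Host: app.example\r\n"
                + "Content-Type: multipart/form-data; boundary=----b1\r\n";
        String s2045Style = "POST /upload HTTP/1.1\r\n"
                + "Host: app.example\r\n"
                + "Content-Type: %{placeholder}\r\n";
        String s2046Style = "------b1\r\n"
                + "Content-Disposition: form-data; name=\"file\"; filename=\"%{placeholder}.txt\"\r\n"
                + "Content-Type: text/plain\r\n";

        System.out.println("benign: " + findSuspiciousHeaders(benign));
        System.out.println("S2-045: " + findSuspiciousHeaders(s2045Style));
        System.out.println("S2-046: " + findSuspiciousHeaders(s2046Style));
    }
}
```

This is a log- or proxy-side signature, not a substitute for the dynamic test the post describes: it sees only what reaches it in clear text, so an encoded or obfuscated opener will slip past it, and the only complete fix is upgrading the Jakarta multipart parser as the advisories instruct.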



The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.