Fortify Software

Rulepack Subscription

The Security Research Group releases quarterly updates to the Fortify Secure Coding Rulepacks, which drive the Fortify 360 Analyzers. These updates embody the latest trends in software security and programming techniques and keep Fortify customers ahead of hackers, organized crime, rogue governments and other adversaries. They are distributed quarterly to subscription customers through the Fortify customer download site, automated tool updates, and software releases.

In 2007, the Security Research Group identified two new classes of vulnerabilities: JavaScript hijacking and cross-build injection. They produced a detailed white paper on each and integrated solutions for both into Fortify 360.

Rulepack updates provide the following benefits to Fortify's customers:

  • Expand the depth of the vulnerabilities Fortify detects with new types of issues and more specific sub-categorization of existing issues. This work has led to the recent discovery of vulnerability categories like JavaScript Hijacking and Cross-Build Injection (XBI).
  • Increase the breadth of the Fortify analysis by providing coverage for existing vulnerability categories in new and previously unsupported third-party libraries. Examples of these kinds of additions are the support for Hibernate 3 and the Spring framework.
  • Improve the accuracy of the Fortify analysis by tuning rules in combination with the analyzers to reduce false positives and prevent false negatives. This work is evidenced best in vulnerabilities like resource leaks, where improvements to the rules have given Fortify the ability to identify certain comparisons and uses that help reduce false positives.

The Fortify Secure Coding Rulepacks represent years of experience in software security and are an ongoing focus for our researchers. They are a rich store of security knowledge about libraries and programming practices commonly used in software development and are continually expanded and improved by the security experts at Fortify Software.

Once vulnerabilities are detected, rulepacks provide targeted information about them so developers and auditors can spend their time architecting and implementing fixes rather than researching the minute details of the security vulnerability. This information covers the category of vulnerability, how it can be exploited by attackers, and how developers can secure their code against such exploits.
