Fortify Software


Security Research Group

Fortify Software is at the cutting edge in developing threat intelligence to stay in front of the hacking community. Fortify’s internal Security Research Group (SRG) is made up of researchers who bring together expertise in a variety of software technologies and programming styles with decades of collective experience in security. They represent the security front line at Fortify, and their research into how real-world systems fail allows them to identify the most effective solutions to the threats that Fortify customers face.

The Fortify Security Research Group is responsible for building security knowledge into Fortify 360. Their work leads to the continual development of Fortify's Secure Coding Rulepacks, which are the core of Fortify's solutions.

Stay on Top of Security Issues

The Security Research Group releases quarterly updates to the Fortify Secure Coding Rulepacks, which drive the Fortify 360 Analyzers. These updates embody the latest trends in software security and programming techniques and keep Fortify customers ahead of hackers, organized crime, rogue governments and other adversaries. In 2007, the Security Research Group identified two new classes of vulnerabilities: JavaScript hijacking and cross-build injection. They produced a detailed white paper on each and integrated solutions for both into Fortify 360.

Identifying New Vulnerabilities

In 2007, the Security Research Group identified two new classes of vulnerabilities: JavaScript Hijacking and Cross-Build Injection (XBI). Whitepapers that outline the details of these vulnerabilities can be found at:

Attacking the Build through Cross-Build Injection
A poorly designed software build process can allow an attacker to insert malicious code into the final product or to take control of a build machine. This paper surveys previous attacks related to building open source software, including attacks against Sendmail, OpenSSH and IRSSI. It then shows how three popular build tools for Java (Apache Ant, Maven and Ivy) are commonly misused in ways that make them susceptible to cross-build injection (XBI) vulnerabilities, which can allow attackers to insert Trojans, back doors, or other malicious code.
JavaScript Hijacking
The group’s research into JavaScript Hijacking and Cross-Build Injection was also incorporated into the Fortify suite of products, which enabled Fortify customers to both identify and remediate these issues.
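The cross-build injection abstract above turns on build tools pulling dependencies without checking that what arrived is what the build expected. The script below is an added example, not code from the Fortify white paper or from Ant, Maven or Ivy: it models the defensive check a build can apply, gating a build step on every fetched artifact being listed in a committed manifest and matching its pinned SHA-256 digest. The artifact bytes, the file name `commons-util-1.0.jar` and the manifest are constructed for the example; a real manifest would hold literal hex digests checked into source control.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample dependency. A real build would fetch this from a
# repository; here it is an in-memory byte string so the example runs offline.
GOOD_LIB = b"PK\x03\x04 constructed contents of commons-util-1.0.jar"

# The pinned manifest maps artifact name -> expected SHA-256 hex digest.
# In practice the hex string is committed alongside the build file; it is
# computed here only so the constructed sample has a matching pin.
PINNED_MANIFEST = {
    "commons-util-1.0.jar": hashlib.sha256(GOOD_LIB).hexdigest(),
}


@dataclass(frozen=True)
class Verdict:
    """Result of checking one fetched artifact against the manifest."""
    name: str
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, manifest: dict) -> Verdict:
    """Reject artifacts that are unpinned or whose digest differs from the pin."""
    expected = manifest.get(name)
    if expected is None:
        # An artifact the build did not explicitly pin is exactly the kind of
        # dependency a poisoned repository or mirror could introduce.
        return Verdict(name, False, "not pinned in manifest")
    actual = sha256_hex(data)
    # Constant-time comparison; cheap insurance for any secret-adjacent compare.
    if not hmac.compare_digest(actual, expected):
        return Verdict(
            name, False,
            f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}...",
        )
    return Verdict(name, True, "digest matches pinned value")


def gate_build(fetched: dict, manifest: dict) -> list:
    """Check every fetched artifact; sorted so reports are deterministic."""
    return [verify_artifact(n, d, manifest) for n, d in sorted(fetched.items())]


def build_allowed(verdicts: list) -> bool:
    """The build proceeds only when no artifact was rejected."""
    return all(v.ok for v in verdicts)


def main() -> None:
    scenarios = {
        "clean fetch": {"commons-util-1.0.jar": GOOD_LIB},
        # Constructed tampering: one extra byte changes the digest.
        "modified artifact": {"commons-util-1.0.jar": GOOD_LIB + b"\x00"},
        # Constructed extra dependency that nobody pinned.
        "unpinned artifact": {"commons-util-1.0.jar": GOOD_LIB, "extra.jar": b"zz"},
    }
    for label, fetched in scenarios.items():
        verdicts = gate_build(fetched, PINNED_MANIFEST)
        print(f"{label}: build {'ALLOWED' if build_allowed(verdicts) else 'BLOCKED'}")
        for v in verdicts:
            print(f"  {v.name}: {'ok' if v.ok else 'REJECT'} ({v.reason})")


if __name__ == "__main__":
    main()
```

Running the script prints one block per scenario: the clean fetch is allowed, while the modified jar is rejected on a digest mismatch and the unpinned `extra.jar` is rejected because it has no entry in the manifest. The key design choice is that an unknown artifact fails closed rather than being waved through, since the absence of a pin is itself the gap the attack exploits.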

Fortify Thought Leadership

In June 2007, the Manager of Fortify’s Security Research Group, Jacob West, along with Fortify’s Chief Scientist, Brian Chess, published a book entitled Secure Programming with Static Analysis. As the first of its kind, this book serves as a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. The book illustrates main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes.

The book has received much applause since its publication, including comments from industry experts, such as the following:

"We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software."
–Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language

"'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know."
–David Wagner, Associate Professor, University of California Berkeley

"Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited."
–Howard A. Schmidt, Former White House Cyber Security Advisor

In addition to their research responsibilities, the members of the Security Research Group spend time in the field working with customers to advance their use of the Fortify suite of tools and identifying ways to improve the next generation of Fortify products.
