Questions tagged [fortify]

The tag has no usage guidance.

0 votes
0 answers
2k views

Best way to handle Path Manipulation vulnerabilities with retrieving files from .appconfig?

I'm currently working on a task where I am trying to suppress some Path Manipulation warnings that have been raised from running an analysis with Fortify on my team's source code. The issues are being ...
lawgik
0 votes
2 answers
547 views

Scanning WordPress for security vulnerabilities

I am trying to use WordPress from Azure marketplace to deploy a web app. I ran a Fortify scan on the entire code base (wwwroot), which includes wp-admin, wp-includes, wp-content and other boilerplate php ...
deachyut
6 votes
3 answers
10k views

Best Practice for Suppressing Fortify SCA Findings

I have been searching for an answer as to how you should treat false positives in Fortify scans. For a long time, if something was determined to be a false positive, I would document the reasoning ...
developer_117
1 vote
0 answers
90 views

Do application security assessments done using SaaS solutions (WhiteHat Sentinel and Fortify on Demand) count as penetration tests?

SaaS security solutions such as "WhiteHat Sentinel" and "Fortify on Demand" are getting popular nowadays. The methodologies of both describe them as involving manual verification. Does this qualify the ...
EssentialsOfCool
12 votes
3 answers
14k views

Safely load a pickle file?

In our Python app, we are using pickle.load to load a file named perceptron.pkl. An HP Fortify static scan raises a high vulnerability, "Dynamic Code Evaluation - Unsafe Pickle Deserialization", at the ...
Pro
1 vote
1 answer
1k views

Fortify and third-party libraries [closed]

I am trying to understand, in the new version of Fortify SCA 17.10, why the scan defaults to excluding third-party libraries. I found this article, and it seems that for any open source library you use, it would ...
developer_117
3 votes
2 answers
2k views

HP Fortify scan automation

I am asked to integrate the code audit tool HP Fortify in our development process, but the main constraint about it is that the whole code should not be scanned every time: only the classes impacted ...
MedAl