Cigital and Fortify Software Release Cigital Java Security Rulepack 1.0
Cigital Java Security Rulepack expands the default set of Rules supported by the Fortify Source Code Analyzer
September 17, 2008 --
Cigital Java Security Rulepack 1.0 builds upon Fortify Software's current set of rules and enhances the Fortify analysis by checking for additional security vulnerabilities. Based on the "Seven Pernicious Kingdoms" security vulnerability taxonomy developed jointly by Cigital and Fortify, the rulepack enforces the secure implementation of APIs and frameworks including J2EE, Struts, and Java Cryptography. The Cigital Java Security Rulepack is licensed and distributed as open source and is available to the security community for distribution, modification and use.
"Evidence suggests that the payoff for eliminating flaws early on in the life cycle is high," states Dr.
Fortify's internal Security Research Group is the primary driver for building capabilities in Fortify analyzers to detect new vulnerabilities across a range of languages and APIs, with a current base of more than 315 vulnerability categories across 17 languages and in excess of 500K APIs. The Cigital Java Security Rulepack increases these numbers by adding more than 70 vulnerability categories, allowing users to check for even more security and quality implementation issues. Because the rules are released as open source, users have the ability to view and modify the implementation of the rules to fit their needs. Cigital experience shows that customized, tailored rule sets can significantly reduce the number of false positives and increase the uptake of static analysis in an organization.
The Cigital rules add a number of important security checks, including:
-- J2EE misconfiguration checks
-- Struts misconfiguration checks
-- Cryptographic usage checks
-- Credential protection checks
-- Code quality checks
"Static analysis for security has come a long way in the ten years since Cigital introduced ITS4 to the world," says Dr.
"We're excited to see outside experts, such as Cigital, writing custom rules to further enhance and refine the level of analysis of Fortify's products," says
To view the Cigital Java Security Rule pack, please visit http://www.cigital.com/securitypack/. Fortify customers can download this update via the Premium Content section of the Fortify Customer Portal.
Established in 1992, Cigital, a leading software security and quality consulting firm, has enabled some of the most well-known organizations in financial services, communications, insurance, hospitality, e-commerce and government to reduce their mission-critical software business risks. Cigital consultants specialize in software security to help organizations protect some of their most valuable assets: company and mission information, customer and individual data, shareholder value and brand. Each client's unique requirements are served through a combination of proven methodologies, tools and best practices. Cigital also specializes in software quality, assuring the reliable delivery and deployment of software that organizations build, buy and integrate. Cigital (http://www.cigital.com) is headquartered near
About Fortify Software, Inc.
Fortify(R)'s Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite, Fortify 360, drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at http://www.fortify.com.
SOURCE Cigital, Inc.
Copyright 2008 PR Newswire. All Rights Reserved