According to Cigital, the Cigital Java Security Rulepack 1.0 builds on Fortify Software's existing rule set and extends Fortify's analysis by checking for additional security vulnerabilities. Based on the Seven Pernicious Kingdoms vulnerability taxonomy developed jointly by Cigital and Fortify, the rule pack enforces secure use of APIs and frameworks including J2EE, Struts, and the Java Cryptography APIs.

The Cigital Java Security Rulepack is licensed and distributed as open source and is available to the security community for distribution, modification and use.

According to Cigital, Fortify's internal Security Research Group is the primary driver for building capabilities into the Fortify analyzers to detect new vulnerabilities across a range of languages and APIs, with a current base of more than 315 vulnerability categories across 17 languages and in excess of 500K APIs. The Cigital Java Security Rulepack adds more than 70 vulnerability categories to that base, allowing users to check for additional security and quality implementation issues.

Because the rules are released as open source, users can inspect the implementation of each rule and modify it to fit their own code base and coding standards.

Brian Chess, co-founder and chief scientist at Fortify, said: "We're excited to see outside experts, such as Cigital, writing custom rules to further enhance and refine the level of analysis of Fortify's products. This trend started with the Computer Emergency Response Team (CERT) earlier in 2008 and now takes a great stride forward with the addition of the Cigital Java Security Rulepack."