Cigital, Inc. announced the release of the Cigital Java Security Rulepack 1.0, a set of Java static analysis rules for the Fortify Source Code Analyzer.
Cigital Java Security Rulepack 1.0 builds upon Fortify Software’s current set of rules and enhances the Fortify analysis by checking for additional security vulnerabilities. Based on the “Seven Pernicious Kingdoms” security vulnerability taxonomy developed jointly by Cigital and Fortify, the rulepack enforces the secure implementation of APIs and frameworks including J2EE, Struts, and Java Cryptography. The Cigital Java Security Rulepack is licensed and distributed as open source and is available to the security community for distribution, modification and use.
Fortify’s internal Security Research Group is the primary driver for building capabilities in Fortify analyzers to detect new vulnerabilities across a range of languages and APIs, with a current base of more than 315 vulnerability categories across 17 languages and in excess of 500K APIs. The Cigital Java Security Rulepack increases these numbers by adding more than 70 vulnerability categories, allowing users to check for even more security and quality implementation issues. Because the rules are released as open source, users have the ability to view and modify the implementation of the rules to fit their needs. Cigital’s experience shows that customized, tailored rule sets can significantly reduce the number of false positives and increase the uptake of static analysis in an organization.