
Fortify Software Contributes Software Security Research to Open Source Community

Classification of Security Vulnerabilities Available Through OWASP to Promote Secure Software Development

PALO ALTO, Calif., July 31 /PRNewswire/ -- Fortify Software Inc., the leading provider of products that identify and remediate security vulnerabilities in software to mitigate enterprise security risk, today announced that it has contributed an extensive classification of software security errors to the non-profit Open Web Application Security Project (OWASP). The classification of 115 security vulnerability categories will help software developers and security practitioners understand the common coding mistakes that affect software security and more readily identify security problems. OWASP will help manage the research from Fortify Software as part of the organization's library of free, unbiased open source documentation, tools and standards.

"OWASP is assembling the most comprehensive guide to application security principles, threats, attacks, vulnerabilities, and countermeasures ever attempted," said Jeff Williams, chairman of OWASP. "Integrated with the rest of our materials, Fortify Software's vulnerability research will help anyone acquiring, designing, building, testing, or deploying critical applications make informed decisions about application security."

The classification of software security errors, entitled the "Seven Pernicious Kingdoms," organizes security vulnerabilities into seven top-level sets of security problems that can be used to help software developers understand the types of coding errors that increase security risk. By better understanding how systems fail, developers will be better able to analyze the software they create, more readily identify and address security problems when they see them, and generally avoid repeating the same mistakes in the future.

"When put to work in an analysis tool, a set of security rules organized according to this classification is a powerful mechanism for reducing security risk," said Dr. Brian Chess, Chief Scientist at Fortify Software. "Software development practices have only just begun to look at the myriad of ways security problems factor into coding -- making a classification like this available should provide tangible benefits to the software security community."

Classification of Software Security Errors

Together with a research team that included Katrina Tsipenyuk of the Fortify Security Research Group and Gary McGraw, the chief technology officer of Cigital, Dr. Chess identified 115 security vulnerability categories present in today's software and organized them into seven top-level "kingdoms":

* Input Validation and Representation
* API Abuse
* Security Features
* Time and State
* Errors
* Code Quality
* Encapsulation

The full classification and the research that accompanies it is available at . In addition, the classification can also be found at

OWASP was formed in 2000 and has almost 5,000 members and 73 chapters globally. The OWASP Foundation is a non-profit organization made up of all-volunteer participants. OWASP's mission is to find and fight the causes of insecure software. OWASP enables organizations to develop, maintain, and purchase applications that they can trust through the development of free, open, and unbiased application security documentation, tools, chapters, and conferences. More information is available at .

About Fortify Software, Inc.

Fortify Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products, Fortify Source Code Analysis Suite, Fortify Security Tester and Fortify Application Defense, drive down costs and security risks by automating key processes of developing and deploying secure applications. More information is available at

Fortify Software Inc.

CONTACT: Kim Milosevich of OutCast Communications, +1-415-392-8282, or
[email protected], for Fortify Software, Inc.


Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.