Application security With The Micro Focus Security Fortify Suite

Fortify is the undisputed leader in application security that provides reliable, comprehensive security through all stages of the Software Development Life Cycle  (SDLC). It delivers a flexible, comprehensive suite of application security technologies that target businesses wanting to integrate agile techniques with greater protection and control. Together, these technologies focus on three distinct areas of protection: secure development, security testing, and continuous monitoring and protection.

Gartner in their March 2018 report place Micro Focus as a leader in the Application Security Testing magic quadrant (as shown in figure 1).

Figure 1: Gartner rank Micro Focus as a leader in the Application Security Testing business

Flexible Deployment

Fortify is the only application security provider to offer static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and runtime application self-protection (RASP) on premise and on demand. Because Fortify Software Security Center and Fortify on Demand are fully compatible.

For organisations that want to control the running of their own scans and keep their data and scan results in-house, Fortify on-premise solutions allow you to customise the technologies to fit your organisation’s workflow requirements and enable greater control.

Fortify on Demand offers application security as a service. This on-demand platform provides a quick and simple way for organisations to initiate static, dynamic, and mobile security testing without the upfront investment in time and security resources.

The Micro Focus global team of account managers, researchers, testers, and software engineers work as an extension of your in-house team, providing you with the support and technical expertise you need 24/7.

Fortify Tools & Integrations

Fortify Security Assistant, IDE Plugins, and Integrations bring security closer to the developer.  Fortify Security Assistant empowers developers to take responsibility for their own code by finding and fixing application security defects during the coding process—eliminating potential security vulnerabilities before the code is even compiled. This solution sits on the developer’s IDE and allows them to run get immediate security feedback continuously as code is developed.

Security Assistant provides instantaneous feedback, so developers can take quick, decisive action to fix vulnerabilities in real time. It highlights vulnerable code, like a spellchecker and offers suggestions for correcting it. It also features intuitive integration with integrated development environments (IDEs), making security awareness and vulnerability remediation fluid and natural.

Fortify IDE plugins enable developers to initiate scans, see identified issues with their code and collaborate with other teams for remediation. Integrations with source code repositories, build servers and orchestration tools enable security automation, speed and assurance. Fortify complements the agile development process by quickly identifying and correcting errors early in the cycle, organisations can save significant time, effort and money while lowering their risk.

Key Benefits

  • Delivers instant security results with inline analysis of the source code as the developer types
  • Gives developers who may know little about security, the technology to help them develop secure code
  • Tracks findings and remediation for instant and continuous protection
  • Provides deep and accurate analysis, leveraging industry-leading technologies

Fortify Static Code Analyzer (SCA)

Fortify SCA is an automated static testing offering that builds security into the development process. Fortify SCA pinpoints the root cause of the vulnerability and prioritises results, and provides best practices so developers can code more securely. It reviews code and helps developers identify and resolve issues with less effort and in less time.

Key Benefits

  • Identify and remove exploitable vulnerabilities quickly with a repeatable process.
  • Integrated into any environment through scripts, plugins and GUI tools so developers can get up and running quickly and easily.
  • Use in mixed development and production environments with a wide variety of languages, platforms, and frameworks

WebInspect: Automated Dynamic Application Security Testing

WebInspect provides security professionals and novices with the power and knowledge to quickly identify, prioritise, and validate critical, high-risk security vulnerabilities in running applications. This automated solution mimics real-world hacking techniques to provide comprehensive detail about vulnerabilities detected, the implications if exploited, and best practices to quickly pinpoint and fix issues.

The WebInspect Agent integrates dynamic testing and runtime analysis to identify more vulnerabilities by expanding coverage of the attack surface. This solution provides the broadest DAST coverage available, detecting vulnerabilities that often go undetected by black-box security testing technologies.

Key Benefits

  • Comprehensive dashboard that tracks critical vulnerabilities, confirms remediation, and provides metrics, progress and trends
  • Elevate security knowledge across the business with a powerful reporting system
  • Simplify compliance of legal, regulatory, and architectural requirements with pre-configured policies and reports for all major compliance regulations

Fortify Application Defender—an Application Self-Protection Solution

Fortify Application Defender is a runtime application self-protection (RASP) solution that businesses use to manage and mitigate risk from homegrown and third-party applications. This solution provides centralised visibility into application use and abuse, enabling you to see threats in your applications and immediately protect against vulnerability exploits and other violations in production applications.

Fortify Application Defender can quickly instrument applications to capture application and user activity logs. It detects and stops attacks across dozens of vulnerability categories such as SQL injection (SQLi) and cross-site scripting. This runtime solution is available both on premise and on demand. It helps organizations stop security threats that no one else can see by protecting production applications from the inside.

Key Benefits

  • Instantly see software vulnerability exploits in production applications and continuously monitor use and abuse.
  • Pinpoint vulnerabilities at the line of code and see the full query. Accurately distinguish between an actual attack and a legitimate request.
  • Detect and protect known and unknown security vulnerabilities in real time without having to alter or recompile source.

Fortify Software Security Center

Fortify Software Security Center (SSC) is a centralised management repository that provides security managers and program administrators with visibility into their entire application security testing programme.

Fortify SSC provides an accurate picture of your software risk across your enterprise by helping, manage security testing activities, prioritise remediation efforts based on risk potential, measure improvements, and generate cross-portfolio management reports.

Fortify SSC is a platform for unifying static and dynamic test results. It triages and assigns issues, offers remediation guidance, and reports across the entire SDLC through a single interface.

Figure 2: Fortify Software Security Center Dashboard provides the ability to eliminate risk in existing applications and deliver new applications with security.

Organisations need innovative ways to further automate their scanning, auditing and remediating efforts to deliver application faster, stay competitive, and scale their application program. Validating and prioritising scan results takes an enormous amount of time, expertise and requires contextual knowledge and understanding of the application.

Fortify SSC scan analytics offers real-time machine learning, and with audit assistant, it refines and streamlines the application security program and enhances the security posture by making the audit process more efficient.

Fortify SSC offers unified consistency of findings across your applications regardless of who audits and processes the findings. It also increases the accuracy of findings specific to an organisation’s policies and preferences, it does this by analysing the information in an organisation’s scan results, and uses those insights to enhance the validity of findings with the use of real-time machine learning.

Key Benefits

  • Added accuracy, visibility into your entire application security testing programme
  • Lowers costs associated with development, remediation, and compliance
  • Boosts productivity by automating application security procedures
  • Accelerates time-to-market by ensuring fewer security-related delays

Fortify on Demand—Application Security as a Service

For organisations that don’t have the time, resources, and expertise to implement an in-house security program, Fortify on Demand provides a fast and easy way to get started with minimal upfront investment and the flexibility to scale with changing business needs.

In addition to static and dynamic analysis, Fortify on Demand covers in-depth mobile app security testing, open-source analysis, vendor application security management, and continuous monitoring for applications in production. Test results are manually reviewed by application security experts.

Key Benefits

  • Fast and accurate. Detailed scan results are delivered in 1–3 days.
  • Easy to use. Manage your entire application security portfolio from one dashboard. View risks, address issues early, manage remediation efforts across teams and applications.
  • Personalised support. Results are manually reviewed by application security experts. You are also assigned a dedicated technical account management team responsible for delivering overall satisfaction.

Fortify Professional Services Help Ensure Your Success

Building a successful software assurance program can also help safeguard your applications and your business. Fortify offers a wide range of professional services to help organisations gain greater value from the Fortify suite. Hands-on training, personalised consulting, and customised implementation services are delivered by skilled application security consultants working with defined methodologies and best practices derived from thousands of application security deployments.

Micro Focus services include:

  • Software security assurance assessment and program design
  • Fortify and WebInspect quick starts
  • Fortify and WebInspect health checks
  • Secure development process integration
  • Static and dynamic auditing services

Micro Focus also offer education and training, including:

  • Security awareness and secure coding education programs
  • Software security assurance eLearning courses
  • Fortify product eLearning courses
  • Customised training classes to your specific needs

Benefits of Professional Services

  • Access our experienced application security consultants
  • Save development costs by building security early into the software development lifecycle
  • Ensure the least amount of disruption to the development team by building security into the new SDLC using our efficient methodologies
  • Eliminate false positives and focus your time only on audited security defects
  • Incorporate best practices and recommendations based on thousands of successful Fortify deployments
  • Leverage consultants’ direct lines to product and support teams to solve problems quickly

Why Fortify is the Right Choice

Fortify is the only solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between.

Fortify static, dynamic, interactive, and runtime security testing technologies are available on demand or through several licensing models, offering organizations the flexibility needed to build an end-to-end software security assurance program.

You can find much more at:


This article was first published in OHM Issue 42, 2018/3, p27-30

Leave a Reply