Fortify Bundles Static and Dynamic Code Analysis

Fortify Software’s new software suite brings information security into the development process.

Fortify Software Inc. has integrated its application security software to offer a suite of tools for development, quality assurance and production environments. The move comes more than a year after the company beefed up its arsenal back in February 2007 when it acquired Security Software. The Fortify 360 suite is the cornerstone of a new strategy the company calls "Business Software Assurance."

Fortify is targeting developers, who typically are not trained in information security, says Roger Thornton, co-founder and chief technology officer at Fortify, who has led development efforts at E*Trade Financial Corp. and eBay Inc., among other companies. "We generally don't have an information security regimen in our development activities, and we tend to think of ourselves as building something that this other group will protect, and that needs to change," he says.

The strategy that's generally accepted in the information security world is still firewalls, anti-virus and other perimeter technology, says Thornton. He advises against a security initiative that's based on isolation in a world that's interconnected.

"If the software is compromised, the business is compromised," he says.

Multimode Analysis
Fortify's updated toolset combines the results from the source code, program trace (dynamic runtime) and real-time analysis tools in a common repository that allows developers, QA and security teams to collaborate to remediate any vulnerabilities.

The collaborative auditing is done through an Audit Workbench, which has an IDE-like interface for tracking vulnerabilities and prioritizing and assigning security issues. Developers use either a Web browser or an IDE like Visual Studio to connect to the server and look at any vulnerabilities that were dispatched to them. The Fortify 360 suite also provides a centralized dashboard for security monitoring, reporting and governance capabilities.

Most of the companies in this space, Watchfire (acquired by IBM), SPI Dynamics, Klocwork and Coverity, offer source code analysis and Web application scanning, whether through partnerships or their own technologies.

"Fortify, I think, is the first to sort of package it all together and have a common look and feel and reporting across everything," says John Pescatore, vice president of Gartner Inc.

What matters in these types of tools is accuracy over a wide code base, meaning few false positives. Both Fortify and the former Security Software were rated highly in these areas in recent years.

Fortify also got a bump in its market share, according to Pescatore, when Oracle Corp. selected its tools a few years ago. Fortify also counts Fidelity Brokerage Services LLC, Microsoft, Scottrade Inc. and the U.S. Air Force among its customers.

Securing Custom Code
But licensing these types of tools is a commitment that generally means a substantial investment financially and in developer training.

"The sales of these tools are tied to how many enterprise environments actually write their own software," Pescatore says.

However, more enterprises that outsource development are requiring their external developers to show evidence that they're using source code and Web application scanning tools; or the enterprises use the tools internally to check the quality of their outsourced applications before acceptance, he continues.

The application security tools market may get a boost over the next few months as companies accepting online payments are required to certify that their Web software meets the new Payment Application Data Security Standard (PA-DSS) by the July 2008 deadline.

The Fortify 360 suite supports Visual Studio, J2EE, PHP and COBOL. A trial version of Fortify 360 is available for download at

About the Author

Kathleen Richards is the editor of and executive editor of Visual Studio Magazine.
