With Fortify, Software Vulnerabilities Are Found and Fixed Before Release.
The Fortify solution helps reduce the cost of discovering and remediating vulnerabilities, enhances development team productivity, improves security review processes, and lays the foundation for secure code.
I. Focus on Enterprise Software Vulnerabilities
Applications originate from multiple sources: internal development, mobile, outsourcing, commercial off-the-shelf (COTS), open source, and acquisitions. The challenge is to ensure that applications from all of these sources are protected while they run critical business operations. Protecting them requires enterprises to build a Software Security Assurance (SSA) program. Such a program combines Static and Dynamic Application Security Testing (SAST and DAST) to identify and remediate exploitable vulnerabilities throughout the Software Development Life Cycle (SDLC). It also requires training development and security teams in application security so that they understand the types of threats that could compromise the enterprise.
Static and dynamic analysis both identify major security vulnerabilities in applications, but they operate at different stages of the SDLC. Static analysis works on the source code, so it can run as soon as code exists, early in the SDLC, where fixing a vulnerability is simplest and cheapest. Dynamic analysis exercises a deployed, running application, so it necessarily comes later, typically in QA. Enterprises that run their first scans late in the SDLC often find that auditing and correcting vulnerabilities before production deployment is expensive and resource-intensive.
Implementing an SSA program is a proactive approach to ensuring security across the entire SDLC—from design and development to QA and deployment. A key component of an SSA program is Static Code Analysis, which identifies security vulnerabilities during the development process when the cost of remediation is lowest. By providing developers with immediate feedback on code issues introduced during development, it reduces application security risks. It also helps developers “learn security by doing,” enabling them to write more secure software.
II. Static Testing Helps Build Better Code
Micro Focus Fortify Static Code Analyzer (SCA) employs a variety of analysis algorithms and an extensive knowledge base of secure coding rules to analyze application source code and uncover potential vulnerabilities. It traces execution paths and data flows through the program, across functions and files, to identify vulnerabilities and help developers repair them.
Fortify SCA pinpoints the root cause of each security vulnerability in the source code, ranks and prioritizes issues by risk, and provides detailed remediation guidance. This allows developers to resolve issues with less time and effort while building secure coding expertise as they go. Fortify SCA detects more than 991 vulnerability categories, supports 26 development languages, and covers more than 1,007,000 component-level APIs (source: Fortify Software Security Research Group).
III. Why Choose Fortify Static Code Analyzer?
- Precision: Fortify is among the most accurate analyzers on the market and detects a range of issues that other static analysis technologies miss.
- Seamless Integration: It can be easily integrated into any environment via scripts, plugins, and GUI tools, allowing developers to enable and run scans quickly and effortlessly.
- Comprehensive Coverage: Whether applications are internally built, outsourced, third-party, open source, or mobile, Fortify tests them for security defects regardless of the development language used.
- Hybrid Environment Support: It supports multiple development languages, platforms, and frameworks, facilitating security reviews in mixed environments.
- Actionable Insights: It identifies vulnerabilities in source code, prioritizes them based on severity, and provides specific remediation guidance.
- Collaboration: It brings development and security teams together to find and fix security issues, thereby reducing software risk, time, and costs.
- Flexible Delivery: Supports multiple delivery models, including on-premises and on-demand (cloud).
- Scalability: Scales effectively as the number of applications within the enterprise grows.
- Risk & Compliance: Proactively manages risk and compliance requirements.
- Expert Backing: Supported by the Micro Focus Fortify Software Security Research Group, recognized as one of the top security organizations monitoring emerging threats.
IV. Key Benefits
- Reduce Development Costs: By identifying vulnerabilities early in the SDLC.
- Mitigate Risk: By identifying and prioritizing the vulnerabilities that pose the greatest threat.
- Enable Secure Coding: By training developers through Static Application Security Testing (SAST).
V. Finding Vulnerabilities
Fortify SCA processes code much like a compiler: it reads source files, or collections of files, and translates them into an intermediate representation enriched for security analysis.
This intermediate representation is what the analysis engine examines for security vulnerabilities. The engine consists of several specialized analyzers, each of which applies secure coding rules (for example, which calls introduce untrusted data, which calls neutralize it, and which calls must never receive it) to the code. Fortify SCA also provides a Rule Generator for extending the analysis with custom rules, so that an organization's own APIs and frameworks can be modelled. Results can be viewed in various ways depending on the audience and task.
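To make the rule-driven dataflow analysis described above concrete, here is an added illustration written for this page; it is not Fortify's engine or any of its rule files. It is a deliberately small source-to-sink taint analysis over Python's AST: a rule set names sources, sanitizers and sinks, the analyzer tracks which variables hold untrusted data statement by statement, and it reports every sink call that receives such data. The rule entries, the `db.raw_query` "custom rule" and the `SAMPLE` program are all constructed for the example.

```python
import ast
from dataclasses import dataclass

# A miniature "rulepack": where untrusted data enters (sources), which calls
# neutralise it (sanitizers) and which calls must never receive it (sinks).
# These entries are assumptions chosen to match the sample program below.
DEFAULT_RULES = {
    "sources": {"input", "request.args.get", "sys.argv"},
    "sanitizers": {"int", "shlex.quote", "html.escape"},
    "sinks": {"cursor.execute": "SQL Injection", "os.system": "Command Injection"},
}
# A "custom rule": an in-house wrapper (hypothetical) that also builds raw SQL.
CUSTOM_RULES = {**DEFAULT_RULES,
                "sinks": {**DEFAULT_RULES["sinks"], "db.raw_query": "SQL Injection"}}

@dataclass(frozen=True)
class Finding:
    category: str
    sink: str
    line: int

def qualified_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

class TaintAnalyzer:
    def __init__(self, rules):
        self.rules, self.findings = rules, []

    def is_tainted(self, node, tainted):
        """Conservative: an expression is tainted if any part of it may be."""
        if isinstance(node, ast.Name):
            return node.id in tainted
        if isinstance(node, ast.Constant):
            return False
        if isinstance(node, ast.Call):
            name = qualified_name(node.func)
            if name in self.rules["sources"]:
                return True
            if name in self.rules["sanitizers"]:
                return False  # sanitizer output is trusted
            args = node.args + [kw.value for kw in node.keywords]
            return any(self.is_tainted(a, tainted) for a in args)
        if isinstance(node, ast.Attribute) and qualified_name(node) in self.rules["sources"]:
            return True
        # BinOp, f-string, subscript, tuple ...: propagate from the children
        return any(self.is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

    def check_sinks(self, node, tainted):
        """Report every sink call under `node` that receives tainted data."""
        for call in ast.walk(node):
            if isinstance(call, ast.Call):
                name = qualified_name(call.func)
                category = self.rules["sinks"].get(name)
                args = call.args + [kw.value for kw in call.keywords]
                if category and any(self.is_tainted(a, tainted) for a in args):
                    self.findings.append(Finding(category, name, call.lineno))

    def visit_block(self, stmts, tainted):
        """Walk statements in order, tracking which names hold tainted data."""
        for stmt in stmts:
            if isinstance(stmt, ast.FunctionDef):
                self.visit_block(stmt.body, set())  # parameters are not sources here
            elif isinstance(stmt, (ast.If, ast.While)):  # join both branches
                self.check_sinks(stmt.test, tainted)
                tainted |= self.visit_block(stmt.body, set(tainted))
                tainted |= self.visit_block(stmt.orelse, set(tainted))
            elif isinstance(stmt, ast.Assign):
                self.check_sinks(stmt.value, tainted)
                names = {n.id for t in stmt.targets for n in ast.walk(t) if isinstance(n, ast.Name)}
                if self.is_tainted(stmt.value, tainted):
                    tainted |= names  # gen
                else:
                    tainted -= names  # kill: overwritten with clean data
            else:
                self.check_sinks(stmt, tainted)  # other statements are scanned flat
        return tainted

def analyze(source, rules=DEFAULT_RULES):
    analyzer = TaintAnalyzer(rules)
    analyzer.visit_block(ast.parse(source).body, set())
    return analyzer.findings

# Constructed sample program (not real application code); its line numbers
# are what the findings refer to.
SAMPLE = """\
import os

def lookup(request, cursor, db):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s" % uid)
    cmd = "ping " + user
    os.system(cmd)
    db.raw_query(f"DELETE FROM audit WHERE actor = '{user}'")
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE, CUSTOM_RULES):
        print(f"{f.category}: tainted data reaches {f.sink}() at line {f.line}")
```

With the default rules the analyzer reports the SQL injection on line 5 and the command injection on line 9, but not line 7, because the `int()` sanitizer rule kills the taint; line 10 is only reported once the custom sink rule is supplied, which is the effect a custom rule has in a real SAST tool. Everything a production analyzer adds on top of this toy (interprocedural and cross-file tracking, path sensitivity, many more rules) refines the same source/sanitizer/sink model.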
VI. Managing Results
Fortify's web-based collaboration features provide a shared workspace and repository in which developers, application security professionals, and managers jointly conduct code reviews and remediation, each through a role-specific interface.
- Audit Workbench: Designed specifically for application security professionals, this tool allows for the analysis, prioritization, remediation, and tracking of individual vulnerabilities. Through intelligent code navigation and an intuitive user interface, users can easily investigate, validate, annotate, and set the severity of issues.
- IDE Integration: Developers can resolve issues within their preferred development environments while collaborating with security teams using Eclipse and Microsoft Visual Studio plugins.
- Learning Opportunity: With Fortify SCA, developers learn secure coding practices while fixing vulnerabilities in the development cycle. For every vulnerability, Fortify provides reference information describing the problem and specific instructions on how to fix it in the developer’s programming language.
