Introduction
Micro Focus Fortify provides both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), ensuring that vulnerabilities are caught at both the source code level and during runtime. Its advanced capabilities allow teams to detect a wide range of vulnerabilities, including SQL injections, cross-site scripting (XSS), buffer overflows, and insecure data handling.
This essay will provide a detailed review of Micro Focus Fortify by discussing its features, pros and cons, usage with examples, pricing, and recommendations for whom it is best suited.
Features
a) Static Application Security Testing (SAST)
Fortify's SAST feature helps developers identify vulnerabilities directly in the source code. This static analysis takes place early in the SDLC, enabling teams to fix issues before they become critical. By scanning the code without actually executing the application, Fortify identifies vulnerabilities in the programming logic, coding errors, and potential weaknesses.
Key highlights:
- Supports more than 25 programming languages (Java, Python, JavaScript, C/C++, .NET, etc.).
- Works well with frameworks like React, Angular, and Spring Boot.
- Integrated with popular Integrated Development Environments (IDEs) like Visual Studio, Eclipse, and IntelliJ, allowing developers to run security checks within their development environment.
- Provides remediation guidance by suggesting fixes and offering detailed insights into the vulnerabilities it discovers.
b) Dynamic Application Security Testing (DAST)
The DAST functionality in Fortify allows security testers to assess vulnerabilities in running applications. This is critical because it identifies security issues that may arise during runtime, including those related to APIs and third-party services.
Key highlights:
- Real-time testing of web and mobile applications.
- Emulates an attacker’s behavior to find runtime vulnerabilities such as XSS, SQL injection, and session hijacking.
- Scans APIs and web services to ensure they’re secure from external threats.
- Can be run on live production environments without affecting performance or stability.
c) Fortify Software Security Center
The Fortify Software Security Center acts as a central hub for managing and orchestrating the security activities within a team. It offers capabilities like reporting, vulnerability prioritization, and remediation tracking.
Key highlights:
- Unified dashboard for reporting and tracking vulnerabilities.
- Offers scalability to manage thousands of applications.
- Integrates with bug-tracking tools like JIRA to provide a seamless workflow from detection to remediation.
d) Continuous Integration and Continuous Deployment (CI/CD) Integration
Micro Focus Fortify integrates with CI/CD pipelines, enabling organizations to adopt a shift-left security approach, embedding security checks early and throughout the development cycle.
Key highlights:
- Supports Jenkins, Bamboo, and other popular CI/CD tools.
- Ensures automated security checks at each stage of deployment.
- Helps maintain the integrity of the development lifecycle by catching vulnerabilities before the code is pushed to production.
e) Cloud-Based and On-Premise Options
Micro Focus Fortify is available both as a cloud-based service (Fortify on Demand) and an on-premise solution. The cloud-based option is suitable for teams looking for flexibility and ease of use without the overhead of maintaining local infrastructure.
Pros
a) Comprehensive Language Support
Fortify supports an extensive range of programming languages, making it suitable for almost any development environment. Whether you're developing in Java, C#, PHP, or Python, Fortify has the capability to scan your code for vulnerabilities.
b) Real-Time Vulnerability Detection
The real-time dynamic testing offered by Fortify helps in identifying issues that are missed during static analysis. This combination of SAST and DAST provides broad coverage of vulnerabilities and ensures the application is tested both in a pre-production and production environment.
c) Detailed Remediation Guidance
Fortify provides actionable insights and remediation advice, helping developers not only understand the vulnerabilities but also how to fix them. This feature is especially helpful for teams that are newer to secure coding practices.
d) Excellent Integration with Development Pipelines
Fortify's ability to integrate with CI/CD pipelines ensures that security is embedded throughout the development cycle. By scanning every build and alerting teams early on, Fortify prevents vulnerabilities from making their way into production.
e) Highly Scalable
Whether you're a small team managing a few applications or an enterprise managing thousands, Fortify’s scalability is impressive. It provides the infrastructure and tools necessary to handle security for applications of any size.
Cons
a) Steep Learning Curve
Fortify’s extensive feature set can be overwhelming for teams new to application security testing. The tool's interface, while powerful, can be complex for users unfamiliar with security testing, requiring additional time for training.
b) Expensive Licensing
Fortify is known for its premium pricing, which might not be feasible for small and mid-sized companies. The tool is primarily suited for large enterprises with the budget to invest in a comprehensive security solution.
c) Long Scanning Times
While thorough, Fortify’s scans—especially with static analysis—can take a significant amount of time, particularly for large projects. This can slow down development processes, especially for teams looking for faster feedback loops.
d) False Positives
Like many static analysis tools, Fortify can generate false positives, which can waste developers' time. Though Fortify is continually improving its accuracy, false positives remain an issue that teams must work around.
5) Usage with Example and Links
Using Fortify within a CI/CD pipeline is one of its key strengths. Here’s an example of how it might be implemented:
Example:
Let’s say a company uses Jenkins as its CI tool. They can integrate Fortify to run static scans as part of their build process. Once a developer commits code to the repository, Jenkins automatically triggers a build. Before the build is deployed to staging, Fortify runs a static analysis scan on the code. The scan report is generated and displayed in Jenkins, allowing developers to view vulnerabilities and remediate them before moving forward.
Fortify’s integration capabilities with IDEs such as Visual Studio also allow developers to scan their code in real-time. For instance, while coding in Java, a developer may inadvertently write code that could lead to SQL injection. Fortify's IDE plugin will immediately flag this vulnerability and suggest potential fixes, ensuring that the codebase remains secure from the start.
Useful Links:
Pricing
Fortify is considered a premium tool, with pricing based on the number of users, applications, and the deployment model (cloud vs. on-premise). While specific pricing is available on request, general feedback indicates that the cost can be prohibitive for small businesses. Large enterprises with extensive security needs, however, will find value in the comprehensive nature of Fortify’s offerings.
Pricing Tiers:
- Fortify on Demand: Subscription-based, priced per application and per user.
- On-Premise Fortify: Licensed annually with additional costs for support and updates.
For an accurate quote, businesses should contact Micro Focus directly.
Recommended For?
a) Large Enterprises
Fortify is an ideal solution for large organizations with substantial security budgets and the need for comprehensive application security. Its scalability and broad language support make it suitable for enterprises managing a vast portfolio of applications across different teams.
b) Security-Driven Development Teams
Fortify integrates well with development pipelines, ensuring security checks are performed at every stage of the SDLC. This makes it perfect for teams already practicing DevSecOps or those looking to shift security left in their development processes.
c) Regulated Industries
Organizations operating in highly regulated industries, such as finance, healthcare, or government, will benefit from Fortify’s thorough vulnerability scanning and compliance reporting features.
d) Development Teams Needing Comprehensive Coverage
If your team requires both SAST and DAST capabilities, Fortify provides an all-in-one solution that ensures application security at both the code level and during runtime.
Conclusion
Micro Focus Fortify is a powerful, all-encompassing security testing tool that excels at providing both static and dynamic application security testing. While it offers extensive features, scalability, and integration capabilities, its premium pricing and complexity make it most suited for large enterprises and teams with significant security needs. With strong support for multiple languages and environments, Fortify remains a top choice for businesses aiming to secure their applications throughout the entire development lifecycle.