Press Releases by CGIDir


Fortify Software Sets the Industry Standard for Secure Code Development with Introduction of Fortify SCA 5.0


October 23, 2007; 06:29 AM
PALO ALTO, Calif., Oct. 22 /PRNewswire/ -- Fortify® Software Inc., the market-leading provider of enterprise application security solutions, today introduced Fortify SCA 5.0, the fifth generation of its award-winning source code analysis software. Fortify SCA is the industry's most powerful static analysis solution, designed to enable enterprises to eliminate security vulnerabilities in the applications they develop. Fortify's latest version, Fortify SCA 5.0, incorporates new capabilities that set a new industry standard for application security including several industry firsts:

    -- Wizard-driven creation of customized security rules by those who aren't
       software developers
    -- Enablement of global collaboration between software development teams
    -- Protection against new classes of vulnerabilities specific to
       application security
    -- Support for programming languages, including PHP, JavaScript (Ajax),
       Classic ASP/VB Script (VB 6) and a limited release of COBOL


According to Gartner, "Enterprises must adopt source code scanning technologies and processes, because the need is strategic." (Market Definition and Vendor Selection Criteria for Source Code Security Testing Tools, May 2007, Neil MacDonald and Joseph Feiman). As application security establishes itself as a 'must have' for organizations developing their own applications, a secure development process must be more closely integrated into their day-to-day activities. Fortify, already the market leader in application security, has incorporated feedback from its worldwide customer base to bring collaboration, customization and more comprehensive protection to the enterprise secure development lifecycle.

"The breadth and depth of our customer base gives us unique insight into the largest application security deployments in the world, as well as detailed knowledge of how organizations are using this technology," said John M. Jack, Fortify's CEO. "These businesses are faced with constant security threats and customers who evaluate their products and services based on the level of security they assure. As a result, they have spent a lot of time evaluating their secure development practices and have very specific requirements for any solution they may deploy. With the release of Fortify SCA 5.0, we have implemented feedback from these market leaders to deliver the first solution meeting these requirements and the most effective application security solution in the industry."

Fortify SCA 5.0 delivers functionality never before available in application security, spanning three key areas that enterprises need to speed secure development:

    -- Customization -- The vast majority of today's enterprises boast custom
       applications, security processes and coding styles that reflect their
       core competencies. Any successful application security implementation
       must adapt to the unique nature of each enterprise's development needs.
       Fortify SCA 5.0 enables enterprises to create customized rules for
       their mission-critical applications, as well as give security personnel
       and other non-developer team members the ability to create rules in
       minutes, rather than days, without the need for prior coding
       experience.

    -- Collaboration -- The extended teams of security auditors, compliance
       specialists, development leads and executives involved in software
       development span time zones and organization charts. Fortify SCA 5.0
       enables developers and auditors to collaborate on code review, security
       bug triage and audits as a team on complex development projects.

    -- Comprehensiveness -- Fortify helps enterprises deploy a comprehensive
       security strategy to protect past, present and future applications. As
       new classes of vulnerabilities emerge, brought on by the evolving hacker
       landscape and new technologies such as Web 2.0, and exploits continue
       to evolve, security and development teams must take every possible step
       to secure their software. With PHP and JavaScript support, Fortify SCA
       5.0 helps development teams 'future-proof' applications. For legacy
       applications, Fortify SCA 5.0 will support COBOL and Classic ASP to
       protect older mission-critical applications, especially as they are
       exposed by SOA deployments.


"When selecting application security testing technologies, enterprises should be looking at how these products integrate into popular development and testing studios (such as Eclipse or Visual Studio), the number of analyzed programming languages, and speed and scale of testing capabilities," said Joseph Feiman, Vice President and Gartner Fellow with Gartner.

"The Depository Trust & Clearing Corporation, through its subsidiaries, provides clearance, settlement and information services for equities, corporate and municipal bonds, money-market instruments, government and mortgage-backed securities, and over-the-counter derivatives. In addition, we're a leading processor of mutual funds and insurance transactions, linking funds and carriers with their distribution networks. Security is paramount for our operations," said Jim Routh, Chief Information Security Officer at DTCC. "Like many enterprises, our software infrastructure is a mix of legacy applications and new applications. As a result, we needed a solution that could handle the diversity of technology in our environment and be easily integrated into our development environment. Fortify SCA lets us do this effectively."

"Fortify has always been the leader in its breadth of coverage of languages, platforms and IDEs (Integrated Development Environments), and with this release, we extend our leadership to four new languages and support for the RSA IDE," added Barmak Meftah, Fortify's Senior Vice President of Products and Services. "Fortify SCA 5.0 provides our customers with much deeper levels of control, analysis and collaboration, to protect them against the threats found in many of the most popular and rapidly evolving Web 2.0 programming languages and technologies, including JavaScript and PHP."

Fortify SCA 5.0 Delivers Customization

In order to help its enterprise customers customize their application security rules and deployments, Fortify has integrated rule development and management into Fortify SCA 5.0's Audit Workbench, giving developers unprecedented flexibility in generating, editing and sorting through the security rules that govern secure development. Some of these features include:

    -- New Rule-Writing Wizards -- Users can quickly create custom rules by
       answering a series of questions designed to pinpoint issues in code
       that depend on unique coding standards or proprietary libraries.

    -- API ScanView -- Fortify SCA 5.0 provides an interface for presenting
       the various APIs used within a project and highlights APIs not covered
       by the Fortify Secure Coding Rulepacks. From this interface, users can
       easily create new custom rules for relevant APIs.

    -- Rulepack Manager -- Fortify's interface for managing Rulepacks enables
       users to quickly determine the contents of a Rulepack and allows them
       to easily filter, sort and edit rules.

    -- Rule Editor -- For advanced users, Fortify's XML editor provides syntax
       highlighting, code completion, validation and inline error reporting
       for custom rules.


Fortify SCA 5.0 Enables Collaboration

Global businesses require connectivity across their development teams, with the ability to collaborate around the world and around the clock. Fortify SCA 5.0 gives security professionals and application developers the means to work on their projects in different views, allowing both groups to perform their functions without getting in each other's way. Additionally, this release is the first application security solution to include a series of tracking and auditing tools to help developers work on the same project regardless of location. Finally, Fortify SCA 5.0 incorporates powerful reporting functionality that team leads can use to demonstrate progress to other stakeholders throughout the enterprise. Specific collaboration features include:

    -- Collaborative Auditing -- Team members can now publish the results of a
       source code scan to a web-based application for reviewing, commenting
       on and triaging issues.

    -- Developer Mode -- A developer-centric mode focuses on well-known
       quality issues, such as null pointer dereferences, memory leaks and
       much more, with a very low false positive rate, streamlining the secure
       coding process. Developers can focus on the items that matter most to
       them, while security professionals can see all potential problems and
       bring them to the developers on an 'as needed' basis.

    -- Audit History -- Every comment and action performed on an issue is
       recorded on a timeline, along with a timestamp and the user name of the
       person performing the action.

    -- Manual Audit Integration -- Issues uncovered during manual code review
       or other forms of security testing can be integrated into an Audit
       Workbench. Now all code-level security issues can be consolidated in a
       Fortify SCA analysis.

    -- Issue Prioritization -- Users can classify issues based on their
       organization's nomenclature, create custom issue folders and create
       filters to automatically populate specific types of issues in folders,
       or to hide certain issues altogether.

    -- New IDE Support -- Fortify SCA now supports RSA 7, RAD 7, and RAD 6.


Fortify SCA 5.0 Sets a New Bar for Comprehensiveness

Fortify SCA 5.0 augments its industry leading analyzer capabilities with Analysis 360 technology that handles both the biggest problems facing secure development and new evolving attacks that are on the rise. With Analysis 360, Fortify SCA reduces false negatives to ensure nothing is missed while also minimizing false positives so development focuses on critical code problems. With Fortify SCA 5.0, analysis capabilities have been added or enhanced to improve precision, including:

    -- Unlimited Multi-Dimensional Taint Propagation -- This capability helps
       find remotely exploitable bugs, which is especially useful for finding
       privacy management failures and other PCI-related errors.

    -- Constraint-based Vulnerability Ranking -- Extracts a set of Boolean
       constraint equations from the code and uses a constraint solver to rank
       the likelihood that a bad coding practice is exploitable.

    -- Interprocedural Data Flow Analysis -- Uses finite state automata to
       model possible execution paths through the code.

    -- Associative Failure Diagnosis -- Allows the user to eliminate entire
       classes of false positives by associating results that follow the same
       code pattern.
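The taint propagation and interprocedural data flow named in the list above, shown as a toy analyzer (added example written for this page, not Fortify's analyzer): it walks a small constructed IR in which an untrusted input reaches a sink through two function calls on one path and is sanitized on another, summarising each callee for the specific set of tainted arguments it receives.

```python
# Toy three-address IR (constructed for this example). Each function is
# (params, statements); statements are ("source", dst), ("assign", dst, src),
# ("sanitize", dst, src), ("call", dst, fn, args), ("sink", var), ("return", var).
PROGRAM = {
    "main": ([], [
        ("source", "name"),                 # attacker-controlled input
        ("call", "q1", "handle", ["name"]),
        ("sink", "q1"),                     # tainted path: reported
        ("sanitize", "safe", "name"),       # validation strips taint
        ("call", "q2", "handle", ["safe"]),
        ("sink", "q2"),                     # clean path: not reported
    ]),
    "handle": (["v"], [("call", "sql", "build_query", ["v"]), ("return", "sql")]),
    "build_query": (["user"], [
        ("assign", "out", "user"),
        ("sink", "out"),                    # tainted only when main passes "name"
        ("return", "out"),
    ]),
}

def analyze(program, entry="main"):
    """Return sorted (function, variable) pairs where tainted data reaches a sink."""
    findings = set()

    def run(fn, tainted_params):
        # Context-sensitive summary: analyse fn with the given tainted parameter
        # indices, return whether its result is tainted. Assumes no recursion.
        params, body = program[fn]
        tainted = {params[i] for i in tainted_params}
        returns_taint = False

        def mark(var, is_tainted):          # set or clear taint on var
            tainted.add(var) if is_tainted else tainted.discard(var)

        for op, *args in body:
            if op == "source":                       # taint enters
                tainted.add(args[0])
            elif op in ("assign", "sanitize"):       # copies carry taint, sanitizers clear it
                mark(args[0], op == "assign" and args[1] in tainted)
            elif op == "call":                       # propagate through the callee
                dst, callee, actuals = args
                mark(dst, run(callee, frozenset(i for i, a in enumerate(actuals) if a in tainted)))
            elif op == "sink" and args[0] in tainted:
                findings.add((fn, args[0]))
            elif op == "return":
                returns_taint = args[0] in tainted
        return returns_taint

    run(entry, frozenset())
    return sorted(findings)
```

Running `analyze(PROGRAM)` reports the sink inside `build_query` only for the call chain that started from the unsanitized input, which is the distinction a context-sensitive interprocedural analysis makes and a per-function scan cannot.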


Fortify SCA 5.0 Adds Support for Four New Programming Languages

    -- Classic ASP -- Today, thousands of legacy applications written in
       classic ASP need to be secured against common, well-known
       vulnerabilities such as SQL injections and cross-site scripting.

    -- COBOL -- Invented decades ago, long before application security was a
       concern, COBOL's importance has resurfaced as enterprises expose legacy
       systems through service orientated architecture (SOA) initiatives.

    -- JavaScript -- Today, JavaScript may be the fastest growing programming
       language, and its security problems have been well documented, including
       Fortify's discovery of JavaScript Hijacking.

    -- PHP -- A recent Yankee Group report "The Web 2.0 Security Train Wreck"
       (Andrew Jaquith, October 2007), cites, "Several popular applications
       based on the PHP framework, such as phpBB, have appalling security
       track records," adding that "PHP developers tend to be 'scripters'
       without formal security training." Fortify SCA 5.0 gives the large and
       growing pool of PHP developers an automated system to clean code.


To learn more about Fortify SCA 5.0, please register for the Fortify webinar, "Fortify SCA 5.0: Application Security Without Borders," being held on November 13 from 11 a.m. to 12 p.m. Pacific, at https://www.gotomeeting.com/register/780841457.

About Fortify Software, Inc.

Fortify® Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products, Fortify SCA, Fortify Manager, Fortify Tracer and Fortify Defender, drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at http://www.fortify.com.
