Data Sheet Security

Fortify Static Code Analyzer (SCA) Static Application Security Testing

Micro Focus® Fortify Static Code Analyzer (SCA) pinpoints the root cause of security vulnerabilities in the source code, prioritizes the most serious issues, and provides detailed guidance on how to fix them so developers can resolve issues in less time with centralized software security management.

Static Testing Helps Build of multiple specialized analyzers, uses secure Integration Ecosystem Includes: coding rules to analyze the code base for viola‑ Better Code ■■ Integrated Development Environments (IDE): Static Application Security Testing identifies tions of secure coding practices. Fortify SCA Eclipse, Visual Studio, IntelliJ IDEA also provides a rules builder to extend and ex‑ security vulnerabilities during early stages of ■ Build Servers: Jenkins, Bamboo, Visual Studio, pand static analysis capabilities and be able to ■ development when they are least expensive to Gradle, and more fix. It reduces security risks in applications by include custom rules. Results are viewed in a ■■ Issue Trackers: Bugzilla, Jira, ALM Octane providing immediate feedback to developers number of ways depending on the audience on issues introduced into code during devel‑ and task. ■■ Open Source Security Management: opment. Static Application Security Testing Sonatype, Snyk, WhiteSource, BlackDuck also helps educate developers about security Managing Results with Fortify ■■ Code Repositories: GitHub, Bitbucket while they work, enabling them to create more Software Security Center (SSC) ■■ Swaggerized API for unlimited customization secure software. Fortify Software Security Center (SSC) is a centralized management repository providing Fortify Static Code Analyzer (SCA) uses mul‑ visibility to an organization’s entire application tiple algorithms and an expansive knowledge security program to help resolve security vul‑ base of secure coding rules to analyze an ap‑ nerabilities across the software portfolio. Users plication’s source code for exploitable vulner‑ can review, audit, prioritize, and manage reme‑ abilities. This technique analyzes every feasible diation efforts, track software security testing path that execution and data can follow to iden‑ activities, and measure improvements via the tify and remediate vulnerabilities. management dashboard and reports to opti‑ mize static and dynamic application security Finding the Vulnerabilities test results. Fortify SSC helps to provide an To process code, Fortify SCA works much like accurate picture and scope of the application a compiler—which reads source code files and security posture across the enterprise. The converts them to an intermediate structure Fortify SSC server resides in a central location enhanced for security analysis. This interme‑ and receives results from different application diate format is used to locate security vulner‑ security testing activities, such as static, dy‑ abilities. The analysis engine, which consists namic, and real‑time analysis. Data Sheet Fortify Static Code Analyzer (SCA) Static Application Security Testing

Fortify SSC correlates and tracks the scan re‑ Fortify Software Security Center (SSC) ■■ 2X as many vulnerabilities found with up sults and assessment results over time, and ■■ SSC scan processing now up to 30% faster to 95% reduced false positives (reference: makes the information available to developers Mainstay Continuous Delivery of Business ■■ Automated machine assisted predictions through Fortify Audit Workbench, or through w/ Audit Assistant Value with Micro Focus Fortify 2017) IDE plugins such as the Fortify Plugin for ■ Enables secure coding practices by ■■ New Fortify Jenkins plugin now available ■ Eclipse, the Fortify Extension for Visual Studio, educating developers about static ■ Integrated security training in SSC with and others. ■ application security testing while they work Secure Code Warrior Users can also manually or automatically push Key Features issues into defect tracking systems, including Key Benefits ■■ Developer-friendly language coverage ALM Octane, JIRA, TFS/VSTS, and Bugzilla. Find More –– Support for ABAP/BSP, ActionScript, ■ Audit Workbench ■ ■■ Static application security testing (SAST) Apex, ASP.NET, C# (.NET), C/C++, –– Smart View—Visualization makes captures the majority of code related Classic, ASP (with VBScript), COBOL, auditing and fixing easier: issues early in development. ColdFusion CFML, HTML, Java • Quickly understand how multiple issues ■■ Identify and eliminate vulnerabilities in (including Android), JavaScript/AJAX, are related from a data flow perspective source, binary, or byte code JSP, MXML (Flex), Objective C/C++, PHP, • Apply Smart View filters to begin ■■ Fortify SCA detects 788 unique categories PL/SQL, Python, Ruby, Swift, T-SQL, triaging or fixing issues at most of vulnerabilities across 25 programming VB.NET, VBScript, Visual Basic, and XML efficient point languages and spans over 1,007,000 ■■ Integration into CI/CD tools (IDEs, individual APIs –– Centralized scanning: Bug Tackers, Open Source) ■ Accuracy as demonstrated by a true • Translate source code on one machine ■ –– Support for all major IDEs: Eclipse, positive rate of 100% in the OWASP 1.2b and perform analysis phase of those Visual Studio, IntelliJ IDEA Benchmark translated files on another machine –– Defect management integrations provide transparent remediation • Can queue scan requests to manage Fix Easier resources for security issues ■■ Reduces risk by identifying and prioritizing –– Open Source integration: Sonatype, which vulnerabilities pose the greatest WhiteSource, Snyk, BlackDuck Product Highlights threat New with 18.20 (Nov 2018) –– The combination of swagger supported ■■ Fortify integrates with CI/CD tools including rest APIs, open source GitHub Jenkins, ALM Octane, Jira, Atlassian repo, with plugins and extensions Fortify Static Code Analyzer (SCA) Bamboo, Microsoft VSTS, Eclipse and ■ Apple update. Support has been added for: for Bamboo, VSTS and Jenkins ■ Microsoft Visual Studio. –– Swift 4.2 are the types of tools to leverage ■■ Review scan results in real-time with to automate the CI/CD pipeline. –– Xcode 10 access to recommendations, line-of-code ■■ Security Assistant provides real time, navigation to find vulnerabilities faster and –– Objective-C/C++Swift 4.2/Xcode 10 as-you-type code, security analysis collaborative auditing. ■■ TypeScript 2.8 support has been added. and results for developers. ■■ .NET applications to use MSBuild Reduce Development Time & Cost –– It provides structural and configuration integration. analyzers which are purpose built for ■■ When embedded within the SDLC, ■■ Updated Python translator for both 2 & 3. development time and cost can be speed and efficiency to power our most instantaneous security feedback tool. ■■ Node.js 10.x support has been added. reduced by 25%. The production/post- release phase is 30 times more costly –– Security Assistant only finds high ■■ Angular 2-6 support has been added. to fix than vulnerabilities found earlier confidence (all true positives or with ■■ Java 9 enhancements. in the lifecycle. very low false positive rates) findings ■■ Logging infrastructure updated. with immediate results in the IDE

2 “We can identify, analyze, and resolve possible issues far more efficiently with Fortify Static Code Analyzer than we ever could before.”

BRENTON WITONSKI Contact us at: Senior IT Security Engineer www.microfocus.com Acxiom Like what you read? Share it.

(Microsoft Visual Studio 2017 or ■■ Flexibility to achieve desired coverage by ■■ Application Defender for Runtime Eclipse). Security Assistant is suggested adjusting scan. Application Self-Protection (RASP): to be used as an additional job aid for –– Improved scanning performance Identifies attacks on software vulnerabilities developers and used in conjunction and other security violations in production –– Tune for fast scans with full static scans for a more applications and protects them from comprehensive view of security –– Tune for comprehensive, more accurate exploitation in real-time. issues. All current Fortify Static Code –– Restful API/ Swaggerized API ■■ Fortify on Demand for Security as a Analyzer and Fortify on Demand ■■ Scalable with on-premise, on demand, Service: Easy and flexible way to test the Static Assessments customers are or hybrid approaches security of your software quickly, entitled to use Security Assistant accurately, and without dedicating with no additional licenses/cost. Accurately Assess the Security State additional resources, or having to install ■ Audit Assistant saves manual audit time and manage any software. ■ of Your Applications with machine learning to identify and Fortify offers the broadest set of software se‑ prioritize the most relevant vulnerabilities curity testing products spanning the software System Requirements to your organization. Automation with lifecycle: For detailed product specifications and system applied machine learning reduces manual requirements, visit: www.microfocus.com/ audit time to amplify ROI of your static ■■ Fortify Static Code Analyzer (SCA) for documentation/fortify-static-code/. application security testing initiative. Static Application Security Testing (SAST): Identifies vulnerabilities during –– Provides automated audit results in Company Overview development, and prioritizes those critical minutes At Micro Focus we help you run your business issues when they are easiest and least and transform it. Our software provides the –– Minimizes auditor workload expensive to fix. Scanned results are stored critical tools you need to build, operate, secure, –– Prioritizes issues with confidence level in Fortify SSC. Learn more about Fortify and analyze your enterprise. By design, these SCA at: https://software.microfocus. –– Creates accurate and consistent audit tools bridge the gap between existing and com/en-us/products/static-code- results throughout projects emerging technologies—which means you analysis-sast/overview. –– Audit results at the speed of DevOps; can innovate faster, with less risk, in the race this makes it possible to integrate ■■ WebInspect for Dynamic Application to digital transformation. SCA to build servers, source code Security Testing (DAST): Identifies and management servers and scan more prioritizes security vulnerabilities in running Fortify offers the most comprehensive static often with immediate results. web applications and web services. and dynamic application security testing Integrates Interactive Application Security –– Reduces the number of issues needing technologies, along with runtime application Testing (IAST) to identify more vulnerabilities deep manual examination monitoring and protection, backed by indus‑ by expanding coverage of the attack try-leading security research. Solutions can be –– Identifies relevant issues and removing surface. Scanned results can be stored deployed in-house or as a managed service false positives sooner in Fortify SSC. to build a scalable, nimble Software Security –– Scales application security with existing Assurance program that meets the evolving resources needs of today’s IT organization.

160-000279-001 | H | 08/19 | © 2019 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.