Fortify On Demand
Enterprise application risk management
Understanding risk is an important first step in any application security initiative. Organizations must also take steps to build security in at points along the software development lifecycle. Fortify on Demand can help build a program that includes secure development, preproduction security testing, and production monitoring. Mature programs employ full “defense in depth” across all of these areas, but security teams can start from any point and grow.

Organizations are faced with rapidly expanding application portfolios, both in size and complexity. In addition to protecting legacy applications and certifying new releases of software developed in-house using a combination of custom and open source code, ensuring the security of outsourced and commercial off-the-shelf applications is critical as well. For customers purchasing third-party code, HPE Security Fortify on Demand provides an easy-to-use Vendor Security Management service that doesn’t require source code: it allows the vendor to test applications, resolve issues, and then publish a report to the procurer.

A centralized, online portal enables Fortify on Demand customers to get started quickly and build a comprehensive Software Security Assurance program over time. Dashboards provide visibility into an organization’s entire application security portfolio, allowing it to view program risk, address critical security issues early, and prioritize remediation efforts across many teams and applications.
Finding and fixing application security issues early, during development, is far less costly than waiting until after an application has been deployed, so empowering developers to create secure software from inception is critical. Fully integrated within the IDE where developers work, static assessments provide immediate feedback to the developer. Open source component analysis can be added with a mouse click to avoid including known vulnerable components. Audited scan results, including line-of-code details and remediation advice, help drive secure coding best practices. As organizations further mature and adopt DevOps principles, Fortify on Demand static assessments are often integrated into the software toolchain as an automatic step in the continuous build and integration pipeline.
A dynamic or mobile assessment of the running application in a QA, test, or staging environment simulates the real-world hacking techniques and attacks employed by the bad guys. For web applications and web services, dynamic assessments employ a combination of automated and manual testing techniques to crawl the application attack surface and identify exploitable vulnerabilities before an application release is deployed to production. Furthermore, interactive application security testing (IAST) with Fortify’s runtime agent supercharges dynamic testing to find more vulnerabilities—and fix them faster. Similar to dynamic testing for web applications, Fortify on Demand mobile assessments utilize the compiled application binary and employ a combination of automated and manual techniques to identify vulnerabilities across all three tiers of the mobile ecosystem—client device, network, and backend services. More than just simple reputation or behavioral analysis, mobile assessments provide true security testing for companies serious about securing their mobile applications.
Inevitably, not all vulnerabilities can be remediated for every application before it goes live. Misconfigurations in production environments can introduce issues not present in preproduction, and new zero-day vulnerabilities arise between release cycles. A robust production monitoring regimen includes continuous dynamic scanning for vulnerabilities and risk profile changes, discovery of rogue applications, and runtime detection of security events in the application itself. Fortify on Demand provides all production application monitoring activities in a single, integrated place.