Fortify Software
From Wikipedia, the free encyclopedia
Fortify Software is a San Mateo, California-based software vendor. The company was founded in 2003 and provides software security products that identify and remove security vulnerabilities from software applications throughout the development, testing, and deployment cycles.[1][2] Its funding was provided by Kleiner Perkins Caufield & Byers. The company has provided products for Wells Fargo, Oracle, and Honeywell.
Technical Advisory Board
Fortify's technical advisory board includes Avi Rubin, Bill Joy, David Wagner, Fred Schneider, Gary McGraw, Greg Morrisett, Li Gong, Marcus Ranum, Matt Bishop, William Pugh and John Viega.
Security Research
Fortify runs a security research group led by Jacob West and the Chief Scientist Brian Chess. Among other work, Fortify's security research group introduced JavaScript Hijacking, a new type of eavesdropping attack against Ajax-style Web applications.
The Fortify taxonomy of security vulnerabilities is maintained by the security research group in the publicly available Vulncat database[1].
Fortify customers receive quarterly updates from the security research group, which include rules to find new types of vulnerabilities, as well as support for new languages.
The group is also responsible for published research, including:
- JavaScript Hijacking
- Attacking the Build: Cross Build Injection
- Dynamic Taint Propagation
- Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output
In addition, Jacob West and Brian Chess published a book, "Secure Programming with Static Analysis" in 2007.
The group invests resources in understanding and improving the security of Open Source Software with its Java Open Review Project (JOR): http://opensource.fortifysoftware.com/welcome.html;jsessionid=CC2C5FBE4F4C1EDE015C174B2249DC0A
Products
Fortify offers one core product, called Fortify 360. It consists of three analyzers which detect vulnerabilities in software, a collaboration module to help developers and security auditors fix the identified vulnerabilities, and a management and reporting console. The core components include:
1) Source Code Analyzer (SCA): analyzes an application's source code for security vulnerabilities.
2) Program Tracer Analyzer (PTA, formerly known as Tracer): detects vulnerabilities in a running application. This analyzer integrates into a QA test and uses dynamic taint propagation to find vulnerabilities automatically while the test is conducted.
3) Real-Time Analyzer (RTA, formerly known as Defender): monitors and protects deployed applications.
4) Collaboration Module: a web-based interface that collects all vulnerability information, correlates it, and offers a centralized workstation for auditors and developers to fix issues.
5) Manager: centralized reporting and management console for setting policies and reporting on a list of metrics.
SCA scans code in the following languages: Adobe ColdFusion, .NET, C/C++, Classic ASP, Java, JavaScript, PHP, PL/SQL, MS T-SQL, VB for Applications, and VBScript.
PTA and RTA use bytecode instrumentation and work with J2EE and .NET websites.
Platform support
Programming language support includes ASP.NET, C, C++, C# and other .NET languages, Java, JSP, PHP, COBOL, PL/SQL, T-SQL, XML and JavaScript. Supported platforms include Windows, Solaris, Linux, HP-UX, AIX, and Mac OS X.
References
- [1] Software Searches for Security Flaws, PCWorld.com, April 5, 2004
- [2] A New Approach to Fortify Your Software, Internetnews.com, April 5, 2004
External links
- Company website
- Software Isn't Complete Unless It's Secure, BusinessWeek, September 26, 2006 - Article by Fortify Software Advisor Bill Joy
- http://opensource.fortifysoftware.com/welcome.html;jsessionid=CC2C5FBE4F4C1EDE015C174B2249DC0A
- http://reddevnews.com/news/devnews/article.aspx?editorialsid=1052
- http://www.vnunet.com/vnunet/news/2217134/linux-vulnerability-exposed