Reviews

Briefing: Fortify Software

Fortify Software
starting at $50,000
Menlo Park, California
(650) 561-0213
www.fortifysoftware.com

This week I had a nice talk with Fortify Software, an 18-month-old company devoted to helping developers build security into their code. Their main thrust at the moment is static code analysis focused solely on security issues, though they also help with testing the security of deployed solutions. Overall, though, the goal is to help you prevent vulnerabilities during development rather than find them after deployment.

Their source code analysis tool uses an extensible rules engine with a baseline of about 2000 rules covering C, C++, and Java, as well as JSP and PL/SQL. The mix of languages across tiers lets them look at a solution as a whole, so they can find vulnerabilities in distributed systems that might not be obvious from the code of a single module. The analysis tool runs standalone (good for integrating into a build process) or inside an IDE such as Eclipse (good for flagging vulnerabilities as they're introduced, so they can be corrected at once).

There's also a Software Security Manager that stores the results of multiple runs of the tool, so you can do careful analysis of things like bug and fix rates. This lets you set and monitor a quality bar to help you decide when software is secure enough to ship.
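To make the two ideas above concrete (a language-aware rule set run over source, and a results store that compares runs so you can track fix rates against a quality bar), here is a small added illustration. It is my own toy, not Fortify's code or rule format: three regex rules (one Java, two C) and a run-to-run diff, applied to constructed source snippets. A real engine works on a parsed program with data flow; this only shows the shape of the workflow.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    language: str        # source language the rule applies to
    pattern: re.Pattern  # matched against one line of code at a time
    message: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str


# Toy rule baseline (hypothetical rule IDs, not Fortify's). One regex per rule.
RULES: List[Rule] = [
    Rule("JAVA_SQLI_CONCAT", "java",
         re.compile(r"\.(?:executeQuery|executeUpdate|execute|prepareStatement)\s*\([^)]*\+"),
         "SQL text built by string concatenation reaches a JDBC execute/prepare call"),
    Rule("C_GETS", "c", re.compile(r"\bgets\s*\("),
         "gets() cannot bound the write into its buffer"),
    Rule("C_PRINTF_NONLITERAL", "c",
         re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*[,)]"),
         "printf() called with a non-literal format string"),
]

EXTENSIONS = {".java": "java", ".jsp": "java", ".c": "c", ".h": "c", ".cpp": "c"}


def language_of(path: str) -> str:
    for ext, lang in EXTENSIONS.items():
        if path.endswith(ext):
            return lang
    return ""


def scan(sources: Dict[str, str], rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule for the file's language over each line, ignoring // comments."""
    findings: List[Finding] = []
    for path, text in sources.items():
        lang = language_of(path)
        for lineno, line in enumerate(text.splitlines(), start=1):
            code = line.split("//", 1)[0]  # crude: also clips URLs inside strings
            if not code.strip():
                continue
            for rule in rules:
                if rule.language == lang and rule.pattern.search(code):
                    findings.append(Finding(rule.rule_id, path, lineno, code.strip()))
    return findings


def _key(f: Finding) -> Tuple[str, str, str]:
    # Key on rule, file and code text so that unrelated line shifts are not counted as churn.
    return (f.rule_id, f.path, f.snippet)


def diff_runs(previous: List[Finding], current: List[Finding]) -> Tuple[list, list]:
    """Return (newly introduced, fixed) findings between two stored runs."""
    prev_keys = {_key(f) for f in previous}
    cur_keys = {_key(f) for f in current}
    return sorted(cur_keys - prev_keys), sorted(prev_keys - cur_keys)


# Constructed sample sources (not real application code): run 1 has the bugs,
# run 2 is the same code after the fixes a developer would make.
RUN_1 = {
    "src/UserDao.java": (
        "public class UserDao {\n"
        "  public ResultSet find(Connection c, String name) throws SQLException {\n"
        "    Statement s = c.createStatement();\n"
        "    return s.executeQuery(\"SELECT * FROM users WHERE name = '\" + name + \"'\");\n"
        "  }\n"
        "}\n"),
    "src/input.c": (
        "#include <stdio.h>\n"
        "void read_name(char *buf) {\n"
        "    gets(buf);              // unbounded write\n"
        "    printf(buf);            // user-controlled format string\n"
        "}\n"),
}
RUN_2 = {
    "src/UserDao.java": (
        "public class UserDao {\n"
        "  public ResultSet find(Connection c, String name) throws SQLException {\n"
        "    PreparedStatement s = c.prepareStatement(\"SELECT * FROM users WHERE name = ?\");\n"
        "    s.setString(1, name);\n"
        "    return s.executeQuery();\n"
        "  }\n"
        "}\n"),
    "src/input.c": (
        "#include <stdio.h>\n"
        "void read_name(char *buf, size_t n) {\n"
        "    if (fgets(buf, (int)n, stdin) == NULL) buf[0] = '\\0';\n"
        "    printf(\"%s\", buf);\n"
        "}\n"),
}

if __name__ == "__main__":
    first, second = scan(RUN_1), scan(RUN_2)
    for f in first:
        print(f"{f.path}:{f.line} [{f.rule_id}] {f.snippet}")
    introduced, fixed = diff_runs(first, second)
    print(f"new: {len(introduced)}, fixed: {len(fixed)}, still open: {len(second)}")
```

The quality-bar check is then simply "zero open findings for the rules you care about" on the latest stored run, with the diff telling you whether a build introduced anything new rather than just how many findings exist in total.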

When it comes to the deployment side, Fortify also has an attack simulation piece. This workbench-style application lets you run various attacks against deployed code, and it also takes advantage of information collected during static analysis (on the theory that if a hacker had your source code, they'd use it too). So, for example, if you know that SQL injection bugs have been turning up, you can concentrate on those attacks. Any security holes found can be turned into scripts for Mercury LoadRunner or JUnit, so it's easy to put them into a regression suite.

Although you won't find any products on their Web site, they are in fact selling suites for both developers and code auditors; contact them to find out detailed pricing. They're planning to move into the C# and CLR worlds in the next release.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.