Reviews

Briefing: Fortify

Fortify
starting at $50,000 for team versions
Menlo Park, California
(650) 561-0213
www.fortifysoftware.com

Also back for a briefing this week is Fortify, who have made great strides with their security analysis tools in the last six months. You may recall that they focus on static code analysis of software, with the goal of finding security issues at development time rather than deployment time. After all, we all know that finding problems early is the key to fixing them without spending a ton of money.

Their key tool is a source code analysis tool with an extensible rules engine. It can analyze C, C++, Java, PL/SQL and (new in the latest version) C# code; support for other languages is planned for future versions. The analysis tool works standalone (good for integrating into a build process) or as part of an IDE such as Eclipse or Visual Studio (good for pointing out vulnerabilities as they're introduced into the code, so that they can be corrected at once). They're also shipping a version as part of Borland's JBuilder 2005. They also have a version that can run on your build server as code is checked in, giving you continuous security auditing.

Also new is the ability to build custom rules. If your company is using a library or an API with particular secure coding concerns, you can develop rules to address those concerns and deploy them as part of Fortify. This helps you make sure that every component in your solution is used securely. An "Audit Workbench" piece lets you sort and prioritize rules violations. This is especially useful as you move large projects over to secure coding, when you might have thousands of vulnerabilities to deal with.
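To make the idea of an extensible rules engine and custom rules concrete, here is an added example; it is not Fortify's engine, its rule format, or any code from the product. It is a small rule-based checker written in Python that walks the syntax tree of a Python source file, applies two general rules (shell=True in subprocess calls, eval/exec on non-literal strings) plus one hypothetical company-specific rule for an in-house database API, and sorts the findings by severity so the most serious ones come first, in the spirit of the Audit Workbench prioritization described above. The `acmedb` module and its `query`/`query_params` functions are invented for the illustration, and the source being scanned is constructed sample input.

```python
"""Toy rule-based static analyzer with custom rules (added example, not Fortify code)."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: int      # 3 = high, 2 = medium, 1 = low
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function, e.g. 'subprocess.run'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _is_constant(node: ast.AST) -> bool:
    """A literal argument cannot carry data that came from outside the program."""
    return isinstance(node, ast.Constant)


# Each rule is (name, severity, predicate over an ast.Call node, message).
RULES = [
    ("shell-true", 3,
     lambda c: _call_name(c) in {"subprocess.run", "subprocess.Popen", "subprocess.call"}
     and any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
             for k in c.keywords),
     "subprocess invoked with shell=True; pass an argument list instead"),
    ("dynamic-eval", 3,
     lambda c: _call_name(c) in {"eval", "exec"} and c.args and not _is_constant(c.args[0]),
     "eval/exec on a non-literal string"),
    # Hypothetical custom rule for an in-house API (acmedb is invented): a non-literal
    # query string is a SQL-injection concern; acmedb.query_params is the safe form.
    ("acmedb-raw-query", 2,
     lambda c: _call_name(c) == "acmedb.query" and c.args and not _is_constant(c.args[0]),
     "acmedb.query called with a non-literal query; use acmedb.query_params"),
]


def analyze(source: str) -> list[Finding]:
    """Run every rule over every call in `source`; return findings, highest severity first."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for name, severity, matches, message in RULES:
            if matches(node):
                findings.append(Finding(name, severity, node.lineno, message))
    return sorted(findings, key=lambda f: (-f.severity, f.line))


# Constructed sample input; not code from any real project.
SAMPLE = """\
import subprocess, acmedb

def list_dir(path):
    subprocess.run("ls " + path, shell=True)   # line 4: flagged
    subprocess.run(["ls", path])              # argument list, no shell: not flagged

def lookup(user):
    acmedb.query("SELECT * FROM users WHERE name = '" + user + "'")  # line 8: flagged
    acmedb.query("SELECT 1")                                          # literal: not flagged
    acmedb.query_params("SELECT * FROM users WHERE name = %s", (user,))

def run(code):
    eval(code)                                                        # line 13: flagged
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line:>3}  sev {f.severity}  {f.rule}: {f.message}")
```

Each rule is just a predicate over a call node, so adding a rule for another library is a matter of appending a tuple; a real engine would also track data flow between statements, which this illustration deliberately omits.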

Fortify's pricing is three-tiered. You can get into the individual bundles like JBuilder's in the hundreds of dollars. For a more flexible team-based solution, including the Audit Workbench and build-based analysis, you should expect to spend around $50,000. At the enterprise level, you get more rules and a Security Manager piece that tracks the entire security history of your code. A typical enterprise deployment runs around $125,000.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.