Fortify Software Sets the Industry Standard for Secure Code Development with Introduction of Fortify SCA 5.0

Application security leader delivers a customizable, collaborative and comprehensive solution based on feedback from the world’s largest software developers.

PALO ALTO, Calif., October 22, 2007 - Fortify® Software Inc., the market–leading provider of enterprise application security solutions, today introduced Fortify SCA 5.0, the fifth generation of its award–winning source code analysis software. Fortify SCA is the industry’s most powerful static analysis solution, designed to enable enterprises to eliminate security vulnerabilities in the applications they develop. Fortify’s latest version, Fortify SCA 5.0, incorporates new capabilities that set a new industry standard for application security including several industry firsts:

• Wizard–driven creation of customized security rules by those who aren’t software developers
• Enablement of global collaboration between software development teams
• Protection against new classes of vulnerabilities specific to application security
• Support for programming languages, including PHP, JavaScript (Ajax), Classic ASP/VB Script (VB 6) and a limited release of COBOL

According to Gartner, “Enterprises must adopt source code scanning technologies and processes, because the need is strategic.” (Market Definition and Vendor Selection Criteria for Source Code Security Testing Tools, May 2007, Neil MacDonald and Joseph Feiman). As application security establishes itself as a ‘must have’ for organizations developing their own applications, a secure development process must be more closely integrated into their day–to–day activities. Fortify, already the market leader in application security, has incorporated feedback from its worldwide customer base to bring collaboration, customization and more comprehensive protection to the enterprise secure development lifecycle.

“The breadth and depth of our customer base gives us unique insight into the largest application security deployments in the world, as well as detailed knowledge of how organizations are using this technology,” said John M. Jack, Fortify’s CEO. “These businesses are faced with constant security threats and customers who evaluate their products and services based on the level of security they assure. As a result, they have spent a lot of time evaluating their secure development practices and have very specific requirements for any solution they may deploy. With the release of Fortify SCA 5.0, we have implemented feedback from these market leaders to deliver the first solution meeting these requirements and the most effective application security solution in the industry.”

Fortify SCA 5.0 delivers functionality never before available in application security, spanning three key areas that enterprises need to speed secure development:

• Customization — The vast majority of today’s enterprises boast custom applications, security processes and coding styles that reflect their core competencies. Any successful application security implementation must adapt to the unique nature of each enterprise’s development needs. Fortify SCA 5.0 enables enterprises to create customized rules for their mission–critical applications, as well as give security personnel and other non–developer team members the ability to create rules in minutes, rather than days, without the need for prior coding experience.
• Collaboration — The extended teams of security auditors, compliance specialists, development leads and executives involved in software development span time zones and organization charts. Fortify SCA 5.0 enables developers and auditors to collaborate on code review, security bug triage and audits as a team on complex development projects.
• Comprehensiveness — Fortify helps enterprises deploy a comprehensive security strategy to protect past, present and future applications. As new classes of vulnerabilities emerge—brought on by the evolving hacker landscape and new technologies such as Web 2.0. —and exploits continue to evolve, security and development teams must take every possible step to secure their software. With PHP and JavaScript support, Fortify SCA 5.0 helps development teams ‘future–proof’ applications. For legacy applications, Fortify SCA 5.0 will support COBOL and Classic ASP to protect older mission–critical applications—especially as they are exposed by SOA deployments.

“When selecting application security testing technologies, enterprises should be looking at how these products integrate into popular development and testing studios (such as Eclipse or Visual Studio), the number of analyzed programming languages, and speed and scale of testing capabilities,” said Joseph Feiman, Vice President and Gartner Fellow with Gartner.

“The Depository Trust & Clearing Corporation, through its subsidiaries, provides clearance, settlement and information services for equities, corporate and municipal bonds, money–market instruments, government and mortgage–backed securities, and over–the–counter derivatives. In addition, we’re a leading processor of mutual funds and insurance transactions, linking funds and carriers with their distribution networks. Security is paramount for our operations,” said Jim Routh, Chief Information Security Officer at DTCC. “Like many enterprises, our software infrastructure is a mix of legacy applications and new applications. As a result, we needed a solution that could handle the diversity of technology in our environment and be easily integrated into our development environment. Fortify SCA lets us do this effectively.”

“Fortify has always been the leader in its breadth of coverage of languages, platforms and IDEs (Integrated Development Environments), and with this release, we extend our leadership to four new languages and support for the RSA IDE,” added Barmak Meftah, Fortify’s Senior Vice President of Products and Services. “Fortify SCA 5.0 provides our customers with much deeper levels of control, analysis and collaboration, to protect them against the threats found in many of the most popular and rapidly evolving Web 2.0 programming languages and technologies, including JavaScript and PHP.”

Fortify SCA 5.0 Delivers Customization

In order to help its enterprise customers customize their application security rules and deployments, Fortify has integrated rule development and management into Fortify SCA 5.0’s Audit Workbench, giving developers unprecedented flexibility in generating, editing and sorting through the security rules that govern secure development. Some of these features include:

• New Rule–Writing Wizards — Users can quickly create custom rules by answering a series of questions designed to pinpoint issues in code that depend on unique coding standards or proprietary libraries.
• API ScanView — Fortify SCA 5.0 provides an interface for presenting the various APIs used within a project and highlights APIs not covered by the Fortify Secure Coding Rulepacks. From this interface, users can easily create new custom rules for relevant APIs.
• Rulepack Manager — Fortify’s interface for managing Rulepacks enables users to quickly determine the contents of a Rulepack and allows them to easily filter, sort and edit rules.
• Rule Editor — For advanced users, Fortify’s XML editor provides syntax highlighting, code completion, validation and inline error reporting for custom rules.

Fortify SCA 5.0 Enables Collaboration

Global businesses require connectivity across their development teams, with the ability to collaborate around the world and around the clock. Fortify SCA 5.0 gives security professionals and application developers the means to work on their projects in different views, allowing both groups to perform their functions without getting in each others’ way. Additionally, this release is the first application security solution to include a series of tracking and auditing tools to help developers work on the same project regardless of location. Finally, Fortify SCA 5.0 incorporates powerful reporting functionality that team leads can use to demonstrate progress to other stakeholders throughout the enterprise. Specific collaboration features include:

• Collaborative Auditing — Team members can now publish the results of a source code scan to a web–based application for reviewing, commenting on and triaging issues.
• Developer Mode — A developer–centric mode focuses on well–known quality issues, such as null pointer dereferences, memory leaks and much more—with a very low false positive rate, streamlining the secure coding process. Developers can focus on the items that matter most to them, while security professionals can see all potential problems and bring them to the developers on an ‘as needed’ basis.
• Audit History — Every comment and action performed on an issue is recorded on a timeline, along with a timestamp and the user name of the person performing the action.
• Manual Audit Integration — Issues uncovered during manual code review or other forms of security testing can be integrated into an Audit Workbench. Now all code–level security issues can be consolidated in a Fortify SCA analysis.
• Issue Prioritization — Users can classify issues based on their organization’s nomenclature, create custom issue folders and create filters to automatically populate specific types of issues in folders, or to hide certain issues altogether.
• New IDE Support — Fortify SCA now supports RSA 7, RAD 7, and RAD 6.

Fortify SCA 5.0 Sets a New Bar for Comprehensiveness

Fortify SCA 5.0 augments its industry leading analyzer capabilities with Analysis 360 technology that handles both the biggest problems facing secure development and new evolving attacks that are on the rise. With Analysis 360, Fortify SCA reduces false negatives to ensure nothing is missed while also minimizing false positives so development focuses on critical code problems. With Fortify SCA 5.0, analysis capabilities have been added or enhanced to improve precision, including:

• Unlimited Multi–Dimensional Taint Propagation — This capability helps find remotely exploitable bugs, which is especially useful for finding privacy management failures and other PCI–related errors.
• Constraint–based Vulnerability Ranking — Extracts a set of Boolean constraint equations from the code and uses a constraint solver to rank the likelihood that a bad coding practice is exploitable.
• Interprocedural Control Flow Analysis — Uses finite state automata to model possible execution paths through the code.
• Associative Failure Diagnosis — Allows the user to eliminate entire classes of false positives by associating results that follow the same code pattern.

Fortify SCA 5.0 adds Support for Four New Programming Languages

• Classic ASP — Today, thousands of legacy applications written in classic ASP need to be secured against common, well–known vulnerabilities such as SQL injections and cross–site scripting.
• COBOL — Invented decades ago—long before application security was a concern—COBOL’s importance has resurfaced as enterprises expose legacy systems through service orientated architecture (SOA) initiatives.
• JavaScript — Today, JavaScript may be the fastest growing programming language—and its security problems have been well documented—including Fortify’s discovery of JavaScript Hijacking.
• PHP — A recent Yankee Group report “The Web 2.0 Security Train Wreck” (Andrew Jaquith, October 2007), cites, “Several popular applications based on the PHP framework, such as phpBB, have appalling security track records,” adding that “PHP developers tend to be “scripters” without formal security training.” Fortify SCA 5.0 gives the large and growing pool of PHP developers an automated system to clean code.

To learn more about Fortify SCA 5.0, please register for the Fortify webinar, “Fortify SCA 5.0: Application Security Without Borders,” being held on November 13 from 11 a.m. to 12 p.m. Pacific, at https://www.gotomeeting.com/register/780841457.

About Fortify Software, Inc.

Fortify® Software products protect companies from the threats posed by security flaws in business–critical software applications. Its software security products—Fortify SCA, Fortify Manager, Fortify Tracer and Fortify Defender—drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e–commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world–class teams of software security experts and partners. More information is available at www.fortify.com.

Fortify Press Contact

North America: Lisa Eskey, Sterling Communications, 1-408-884-5157, leskey@sterlingpr.com
UK: Laura Mead, Johnson King Public Relations, +44 (0)20 7357 7799, lauram@johnsonking.co.uk
Austria, Germany and Switzerland: Ingrid Daschner, Johnson King Public Relations, +49 (0)89 8940 8511, ingridd@johnsonking.de