360 - powertest.com · for identifying vulnerabilities in both source code and running...

Post on 24-May-2020

10 views

Category:

Documents


0 download

TRANSCRIPT


Fortify® 360
Securing Your Entire Software Portfolio

“Fortify’s holistic approach to application security truly safeguards our enterprise against today’s ever-changing security threats.”
— Craig Schumard, CISO, CIGNA

Software Security Assurance (SSA) – Removing the Risk Within Software

“The single biggest step for businesses to reduce risk today is to force major improvements in poorly designed and insecure software and applications.”
— John Pescatore, Senior Analyst, Gartner

Our mission is to help our customers ensure that their entire software portfolio—whether it’s built in house, outsourced, purchased from vendors or acquired from the open source community—is secure.

Attacks on software by hackers, criminals and insiders can result in business interruption, brand damage, tremendous financial loss and harm to innocent people. The targets of these attacks are hidden vulnerabilities within software applications. The results of years of security-blind programming practices, these vulnerabilities have accumulated within software, waiting to be exploited. To make matters worse, new vulnerabilities are continuing to be introduced into organizations from their own internal software development groups as well as through procurements from vendors, outsourcing firms and open-source projects.

Alarmed by the potential for widespread social and commercial damage, government and industry regulatory bodies have been strengthening mandates in the area of application security. Many organizations are now required to address the risk posed by their applications and to demonstrate compliance.

Software Security Assurance, or SSA, is a systematic approach for eliminating the security risk in software and complying with relevant government and industry mandates. Where Software Quality Assurance ensures that software will function and perform as required, SSA ensures that software cannot be used in a way that might cause harm to the organization. SSA addresses the immediate challenge of removing vulnerabilities from deployed applications as well as the ongoing systemic challenge of producing and procuring secure software.

With its market-leading combination of products and services, Fortify has helped more than 500 organizations throughout the world achieve measurable reductions of risk with an effective SSA program. Fortify provides Fortify 360, the leading suite of products for SSA. Fortify’s Global Services organization provides SSA implementation guidance and expertise, and Fortify’s Security Research Group ensures that customers’ SSA capabilities are sufficient to meet the ever-evolving threat landscape.


Fortify 360 provides the critical analytic, remediation and management capabilities necessary for a successful, enterprise-class SSA program.

• Identification – Comprehensive root-cause identification of more than 400 categories of security vulnerabilities in 17 development languages

• Remediation – Brings Security, Development and Management together to remediate existing software vulnerabilities

• Governance – Monitors organization-wide SSA program performance and prevents the introduction of new vulnerabilities from internal development, outsourcers and vendors through automating Secure Development Lifecycle processes

• Application Defense – Quickly contains existing vulnerabilities so they can’t be exploited

• Compliance – Easily demonstrates compliance with government and industry mandates as well as internal policies

[Figure: Fortify® 360 – The Market-Leading Suite of Solutions to Contain, Remove and Prevent Vulnerabilities in Software. Roles shown: Auditor, CISO, Risk Officer, Developer.]


[Figure: Fortify 360 Presents Integrated Results from Static and Dynamic Analyzers]

Vulnerability Detection and Remediation

Maximum Reduction of Risk at the Source

Fortify 360 identifies the root cause of software security vulnerabilities in both source code and running applications, detecting more than 400 types of vulnerabilities across 17 development languages and 600,000 component-level APIs. Vulnerabilities can be collected during the development or quality assurance phase of a project or even after an application has been put into production, minimizing the risk that a serious problem goes undetected. To ensure that the most serious issues are addressed first, Fortify 360 correlates and prioritizes results from its analyzers to deliver an accurate, risk-ranked list of issues.

Harmonize Expertise and Remediate More Code

Fortify 360 offers a complete set of collaborative capabilities for quickly triaging and fixing vulnerabilities identified by its three analyzers. Application security professionals, developers and their managers can work together in the way that best suits them using role-specific interfaces.

Designed specifically for the application security professional, Fortify 360 Audit Workbench provides the means to analyze individual vulnerabilities, assign them out for remediation and track activities to completion. Fortify 360’s web-based Collaboration Module provides a shared workspace and repository for application security professionals, developers and managers to work together on code reviews and remediation activities. Developers can address issues in their preferred development environment while collaborating with the security team using plug-ins for Eclipse and Microsoft Visual Studio.

With Fortify 360, developers learn about secure coding practices while they are fixing vulnerabilities. For every vulnerability, Fortify 360 delivers reference information to the developer describing the problem and ways to fix it in the developer’s specific programming language.

For identifying vulnerabilities in both source code and running applications, Fortify 360 offers the following static and dynamic analyzers:

Source Code Analyzer (SCA)
  Type: Static Analysis
  Description: The SCA component of Fortify 360 examines an application’s source code for potentially exploitable vulnerabilities.
  Usage: Used during the Development phase for identifying vulnerabilities early in the development cycle, when they are less costly to address.

Program Trace Analyzer (PTA)
  Type: Dynamic Analysis
  Description: PTA identifies vulnerabilities that can be found only when an application is running, and verifies and further prioritizes results found using SCA.
  Usage: Used during the Quality Assurance phase to discover vulnerabilities as part of the normal test process.

Real-Time Analyzer (RTA)
  Type: Dynamic Analysis
  Description: RTA monitors deployed applications, identifying how the application is getting attacked, by whom and when. It delivers detailed “inside-the-application” information that identifies which vulnerabilities are being exploited.
  Usage: Used while the application is in production to reveal new exploitable vulnerabilities or ones that may have been missed during development.

SSA Governance

Managing the Business of Software Security Assurance

Organization-wide SSA programs present many challenges for the security team. As the number of SSA projects increases, the security team may experience difficulty in meeting the demands put on it by development teams, auditors and management. Creation and implementation of repeatable processes such as a Secure Development Lifecycle (SDL) are an essential first step in getting control of the situation. Yet, without effective automation, delivery and tracking of the security activities defined in an SDL, organizations may still find the situation to be unmanageable.

For staying on track with multi-project SSA programs, there is the Fortify 360 SSA Governance Module. It provides a single system of record with views into the assets, activities and results related to the organization’s entire SSA effort. For individual projects, the SSA Governance Module provides a convenient web portal where risk-mitigation activities and artifacts can be logged and communicated. For every project in the organization, the Fortify 360 SSA Governance Module automatically assigns the correct activities based on the project’s specific risk profile. The application security team can then track project effort and receive alerts based upon completed or missed milestones. With these capabilities in place, the security team can begin to move towards a management-by-exception approach to SSA, freeing up valuable time to support other activities. Advanced reporting and viewing capabilities provide the means to quickly consolidate results across all projects, deliver executive-quality reports and identify areas of improvement.

For those organizations that are seeking a fast-start Secure Development Lifecycle, SDL templates and artifacts based on Fortify best practices are provided. These templates provide an effective SDL that can be implemented out-of-the-box. This can eliminate the research and expertise required to develop an SDL.

[Figure: Fortify 360 SSA Governance – the Fortify 360 SSA Governance Module provides visibility and control of organization-wide SSA programs]

Insecure Applications Harm Businesses

80% of companies report a loss of customers due to data breaches.

Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime.

Threat Intelligence

Stay Ahead of the Ever-Changing Threat

Cyber-criminals continue to seek out new ways to exploit software. Fortify ensures that a customer’s investment is capable of meeting these new threats by providing a variety of regular updates to Fortify 360. These updates are delivered through Fortify’s Security Research Group. This internal team of security experts is dedicated to leveraging cutting-edge research into the latest hacking techniques and vulnerability trends to build security knowledge into Fortify 360. They represent the security front line at Fortify Software, and their research into how real-world systems fail allows them to identify the most effective solutions to address the threats that Fortify customers face.

The Security Research Group releases quarterly updates to the Fortify Secure Coding Rulepacks, which drive the Fortify 360 Analyzers. These updates embody the latest trends in software security and programming techniques and keep Fortify customers ahead of hackers, organized crime, rogue governments and other adversaries. In total, the Security Research Group has identified over 400 vulnerability categories across 17 programming languages and has scanned more than 600,000 Application Programming Interfaces (APIs). Recent research by the Fortify Security Research Group has resulted in the discovery of two entirely new categories of vulnerabilities (JavaScript Hijacking and Cross-Build Injection) as well as groundbreaking work in the area of Service Oriented Architecture and system backdoor detection.

Application Defense

Active Defense for Java and .NET Applications

The Fortify 360 Application Defense Module protects high-risk Java and .NET applications from attacks. The Application Defense Module’s inside-the-application approach to application defense accurately shields an application from attacks with no tuning required. Users can see which specific vulnerabilities hackers are attempting to exploit and create customized responses to attacks. Critical insight into the type and frequency of all attacks against an application is also provided. Data generated from this component can be delivered to Fortify 360 for developing a more complete view of application security.

A 100K record data breach could cost between $10 and $30 million. — Forrester

Attacks Are on the Rise

Cybercrime was up 53% in 2008.

The number of malicious programs circulating on the Internet tripled in 2008.

Compliance

Exceed Application Security Compliance Mandates

Fortify 360 enables companies to pass key compliance mandates, such as PCI, FISMA, HIPAA, SOX, NERC and many others.

Pass PCI Compliance

Fortify 360 comes fully configured for meeting the demands associated with the application security portions of PCI compliance projects (sections 3, 6, and 11). All vulnerabilities can be ranked according to their PCI relevance. The Fortify 360 Application Defense Module provides a precision defensive option for supporting the web-application firewall (WAF) provision. The Fortify 360 SSA Governance Module provides an out-of-the-box PCI Compliance process complete with auditor-quality PCI reports.

Pass FISMA Compliance

Government entities must pass tight restrictions for application security. Fortify 360 identifies application security issues and guides the user through the process of fixing issues and reporting on progress.

SOX, NERC, HIPAA and Others

Fortify 360 has helped numerous organizations pass compliance mandates across a range of industries, including retail, healthcare, energy, finance, government and more.

“The security infrastructure we have implemented at Financial Engines is extremely important to our business since protecting our customers’ sensitive financial data is mission critical. Fortify 360 allows us to integrate source code analysis, dynamic testing and real-time monitoring in a single comprehensive package that plays a key part in our overall approach to application security.”
— Gary Hallee, EVP Technology, Financial Engines

Fortify Software Inc.
2215 Bridgepointe Pkwy., Suite 400, San Mateo, California 94404
Tel: (650) 358-5600   Fax: (650) 358-4600   Email: [email protected]
More information is available at www.fortify.com.

About Fortify

Fortify’s Software Security Assurance solutions protect companies and organizations from today’s greatest security risk: the software that runs their businesses. Fortify reduces the threat of catastrophic financial loss and damage to reputation as well as ensuring timely compliance with government and industry mandates. Fortify’s customers include government agencies and Global 2000 leaders in financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information technology. For more information, please visit us at www.fortify.com.

In February 2009, Gartner positioned Fortify in the Leaders Quadrant in the “Magic Quadrant for Static Application Security Testing (SAST).” The report is available at http://www.fortify.com/magicquadrant.