Fortify Software

Fortify Software is a San Mateo, California-based software vendor. The company was founded in 2003 and provides software security products that identify and remove security vulnerabilities from software applications throughout the development, testing, and deployment cycles ([http://www.pcworld.com/news/article/0,aid,115532,00.asp Software Searches for Security Flaws], PCWorld.com, April 5, 2004; [http://www.internetnews.com/dev-news/article.php/3335651 A New Approach to Fortify Your Software], Internetnews.com, April 5, 2004). Its funding was provided by Kleiner Perkins Caufield & Byers. The company has provided products for Wells Fargo, Oracle, Honeywell, and Lockheed Martin.

Technical Advisory Board

Fortify's technical advisory board includes Avi Rubin, Bill Joy, David Wagner, Fred Schneider, Gary McGraw, Greg Morrisett, Li Gong, Marcus Ranum, Matt Bishop, William Pugh and John Viega.

Security Research

Fortify runs a security research group led by Jacob West and Chief Scientist Brian Chess. Among other work, Fortify's security research group introduced JavaScript Hijacking, a new type of eavesdropping attack against Ajax-style Web applications.

The Fortify taxonomy of security vulnerabilities is maintained by the security research group in the publicly available Vulncat database [http://fortify.com/vulncat].

Fortify customers receive quarterly updates from the security research group, which include rules to find new types of vulnerabilities, as well as support for new languages.

The group is also responsible for published research, including "JavaScript Hijacking" [http://www.fortify.com/landing/downloadLanding.jsp?path=%2Fpublic%2FJavaScript_Hijacking.pdf], "Attacking the build: Cross build injection" [http://www.net-security.org/article.php?id=1077], "Watch what you write: Preventing Cross-site scripting by observing program output" [http://www.owasp.org/images/9/9d/OWASP-AppSecEU08-Madou.pdf] and "Dynamic taint propagation: Finding vulnerabilities without attacking" [http://portal.acm.org/citation.cfm?id=1371501].

In addition, Jacob West and Brian Chess published a book, "Secure Programming with Static Analysis" in 2007.

The group also invests resources in understanding and improving the security of open source software through its Java Open Review project [http://opensource.fortifysoftware.com].

Products

Fortify offers one core product, Fortify 360. Fortify 360 consists of three analyzers that detect vulnerabilities in software, a collaboration module to help developers and security auditors fix the identified vulnerabilities, and a management and reporting console. The core components are:
* Source Code Analyzer (SCA): analyzes an application's source code for security vulnerabilities.
* Program Trace Analyzer (PTA, formerly known as Tracer): detects vulnerabilities in a running application. This analyzer integrates into QA testing, using dynamic taint propagation to find vulnerabilities automatically while a routine system test is conducted.
* Real-Time Analyzer (RTA, formerly known as Defender): monitors and protects deployed applications.
* Collaboration Module: a web-based interface that collects and correlates vulnerability information from the analyzers, presents it alongside the relevant source code, and gives auditors and developers a user interface for triaging and fixing issues.
* Manager: a centralized reporting and management console for setting policies and reporting on metrics.
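To illustrate the dynamic taint propagation that PTA applies to an application under test, here is an added toy model in Python (not Fortify's code and not its Java/.NET bytecode instrumentation): request data is tagged at the source, the tag survives ordinary string operations, and a SQL sink records a finding when tagged data reaches it, even though the test input is benign. The `Tainted` wrapper, the function names and the sample inputs are constructed for this example.

```python
# Toy dynamic taint propagation: a source tags untrusted data, selected string
# operations carry the tag, and a sink records a finding when tagged data reaches
# it. Added example with constructed names and inputs; not Fortify's code.

FINDINGS = []  # one (category, query) entry per tainted value reaching a sink

class Tainted(str):
    """str subclass that carries a taint flag through selected operations."""

    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    def __add__(self, other):
        flag = self.tainted or getattr(other, "tainted", False)
        return Tainted(str.__add__(self, other), flag)

    def __radd__(self, other):  # plain_str + Tainted also propagates the flag
        flag = self.tainted or getattr(other, "tainted", False)
        return Tainted(str.__add__(str(other), self), flag)

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars), self.tainted)

    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count), self.tainted)

def request_param(name, raw_value):
    """Source: anything read from the HTTP request is untrusted (constructed)."""
    return Tainted(raw_value, tainted=True)

def quote_literal(value):
    """Sanitizer: escaping for a SQL string literal clears the taint flag."""
    return Tainted("'" + str(value).replace("'", "''") + "'", tainted=False)

def execute_sql(query):
    """Sink: record tainted data reaching the query text, then 'run' it."""
    if getattr(query, "tainted", False):
        FINDINGS.append(("SQL Injection", str(query)))
    return str(query)

def lookup_user(user_input, sanitize):
    """Code under test: builds a query from request data, with or without escaping."""
    name = request_param("user", user_input).strip()
    literal = quote_literal(name) if sanitize else "'" + name + "'"
    return execute_sql("SELECT * FROM users WHERE name = " + literal)
```

Running `lookup_user(" alice ", sanitize=False)` during an ordinary functional test is enough to record a SQL Injection finding; the sanitized path records none.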

SCA scans code in the following languages:
* Adobe® ColdFusion®
* Microsoft .NET
* C/C++
* Classic ASP
* COBOL
* Java
* JSP
* JavaScript
* PHP
* Oracle PL/SQL
* Microsoft T-SQL
* Visual Basic for Applications (VBA)
* VBScript

PTA and RTA use bytecode instrumentation and work with J2EE and .NET websites.

Platform support

Supported platforms include Windows, Solaris, Linux, HP-UX, AIX, and Mac OS X.

External links

* [http://fortify.com/ Company website]
* [http://opensource.fortify.com/ Java Open Review Project]
* [http://www.businessweek.com/technology/content/sep2006/tc20060926_175459.htm?chan=top+news_top+news+index Software Isn't Complete Unless It's Secure, BusinessWeek, September 26, 2006] - Article by Fortify Software Advisor Bill Joy
* [http://reddevnews.com/news/devnews/article.aspx?editorialsid=1052]
* [http://www.vnunet.com/vnunet/news/2217134/linux-vulnerability-exposed]


Wikimedia Foundation. 2010.