In case you haven’t seen the news, Fortify recently launched a one-stop SaaS shop (Fortify on Demand) for software security testing (support for Java, .NET, and PHP). This snippet from their site spells the offering out nicely:
“Fortify on Demand is a set of hosted Software-as-a-Service (SaaS) solutions that allow any organization to test and score the security of all software with greater speed and accuracy. This automated turnkey service offers an efficient way to test third-party application security or to complete baseline assessments of all internal applications. It is the only offering available on the market that correlates best-of-breed static and dynamic analysis into a single dashboard. Fortify on Demand's robust reports prioritize vulnerabilities fixes based on severity and exploitability, with line of code level details.”
The static analysis technology obviously comes from the market leader’s SCA product line, but guess who’s behind the dynamic part. Give up? :) That would be WhiteHat Security of course!
“Fortify selected WhiteHat Sentinel because it is the only software-as-a-service (SaaS) solution to deliver the highly accurate, verified vulnerability data required to ensure effective website security and actionable information for both developers and security operations as a service.”
Needless to say we are very excited! This technology combination and delivery model addresses a number of under-served customer use-cases, such as third-party validation and testing of COTS. As I’ve blogged before, it’s time to move beyond the nonsensical adversarial debates about which testing methodology (black or white) is best and instead focus on the synergies. We’re putting our R&D money where are mouths are and have grand plans to directly benefit our customers.
Today’s integration is already yielding a solid level of vulnerability correlation, right down to a line or code block, which helps prioritize findings into actionable results -- such as what vulnerabilities are confidently exploitable. Looking ahead, consider that static analysis can measure exactly how code coverage is being realized during the dynamic analysis -- furthermore pointing out the gaps in unlinked URLs, back doors, extra form parameters, etc. This will lead to way better and measurable comprehensiveness for both static and dynamic analysis. And don’t even get me started on the metrics we’ll be able to gather. We’re just at the beginning of understanding what is possible!
This will be the basis of Jacob West and my “Fortify on Demand Launch Webinar” (Jan 14.) and RSA presentation “Best of Both Worlds: Correlating Static and Dynamic Analysis Results” (Mar. 4). We’ll be learning a lot in the coming months and will be ready to share our discoveries with the audience.