Wednesday, December 23, 2009

(Fortify + WhiteHat = Fortify on Demand) or (1 + 1 = 3)

In case you haven’t seen the news, Fortify recently launched a one-stop SaaS shop (Fortify on Demand) for software security testing (support for Java, .NET, and PHP). This snippet from their site spells the offering out nicely:

“Fortify on Demand is a set of hosted Software-as-a-Service (SaaS) solutions that allow any organization to test and score the security of all software with greater speed and accuracy. This automated turnkey service offers an efficient way to test third-party application security or to complete baseline assessments of all internal applications. It is the only offering available on the market that correlates best-of-breed static and dynamic analysis into a single dashboard. Fortify on Demand's robust reports prioritize vulnerability fixes based on severity and exploitability, with line of code level details.”

The static analysis technology obviously comes from the market leader’s SCA product line, but guess who’s behind the dynamic part. Give up? :) That would be WhiteHat Security of course!

“Fortify selected WhiteHat Sentinel because it is the only software-as-a-service (SaaS) solution to deliver the highly accurate, verified vulnerability data required to ensure effective website security and actionable information for both developers and security operations as a service.”

Needless to say, we are very excited! This technology combination and delivery model addresses a number of under-served customer use-cases, such as third-party validation and testing of COTS. As I’ve blogged before, it’s time to move beyond the nonsensical adversarial debates about which testing methodology (black or white) is best and instead focus on the synergies. We’re putting our R&D money where our mouths are and have grand plans to directly benefit our customers.

Today’s integration is already yielding a solid level of vulnerability correlation, right down to a line or code block, which helps prioritize findings into actionable results -- such as which vulnerabilities are confidently exploitable. Looking ahead, consider that static analysis can measure exactly how much code coverage is being realized during the dynamic analysis -- and further point out the gaps: unlinked URLs, back doors, extra form parameters, etc. This will lead to far better and measurable comprehensiveness for both static and dynamic analysis. And don’t even get me started on the metrics we’ll be able to gather. We’re just at the beginning of understanding what is possible!
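To make the two ideas in that paragraph concrete (joining static and dynamic findings on the same entry point so that exploitable ones rise to the top, and using the statically-known routing table to spot what the dynamic scan never exercised), here is an added example in Python. It is not Fortify or WhiteHat code; the finding formats, the `(category, route, param)` join key, the priority labels and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class StaticFinding:
    """A SAST result: vulnerability class, source location, and the HTTP entry
    point the tainted code is reachable from (assumed to come from the app's
    routing metadata; this mapping is a hypothetical input)."""
    category: str   # e.g. "sqli", "xss"
    file: str
    line: int
    route: str      # URL path handled by this code
    param: str      # request parameter carrying the tainted data


@dataclass(frozen=True)
class DynamicFinding:
    """A DAST result: vulnerability class observed at a URL/parameter."""
    category: str
    route: str
    param: str


Key = Tuple[str, str, str]


def _key(f) -> Key:
    # Both finding types share the three fields that identify an entry point.
    return (f.category, f.route, f.param)


def correlate(static: Iterable[StaticFinding], dynamic: Iterable[DynamicFinding]) -> Dict[str, list]:
    """Join static and dynamic findings on (category, route, param)."""
    static, dynamic = list(static), list(dynamic)
    dyn_keys = {_key(d) for d in dynamic}
    stat_keys = {_key(s) for s in static}
    return {
        "confirmed": [s for s in static if _key(s) in dyn_keys],       # reachable and exploitable
        "static_only": [s for s in static if _key(s) not in dyn_keys], # found in code, never triggered
        "dynamic_only": [d for d in dynamic if _key(d) not in stat_keys],  # triggered, no line mapped
    }


def prioritize(corr: Dict[str, list]) -> List[Tuple[str, str]]:
    """Turn the correlation into (priority, description) rows, highest first."""
    rows = []
    for s in corr["confirmed"]:
        rows.append(("P1", f"{s.category} at {s.route}?{s.param} confirmed exploitable; fix {s.file}:{s.line}"))
    for d in corr["dynamic_only"]:
        rows.append(("P2", f"{d.category} at {d.route}?{d.param} exploitable; no source line mapped, triage manually"))
    for s in corr["static_only"]:
        rows.append(("P3", f"{s.category} in {s.file}:{s.line} ({s.route}?{s.param}) not reached dynamically; verify reachability"))
    return rows


def coverage_gaps(entry_points: Dict[str, FrozenSet[str]], exercised: Set[Tuple[str, str]]) -> Dict[str, object]:
    """entry_points: route -> parameter names known from static routing analysis.
    exercised: (route, param) pairs the dynamic scan actually sent requests for.
    Returns routes the scanner never visited and, per visited route, parameters it missed."""
    touched_routes = {r for r, _ in exercised}
    unvisited = sorted(r for r in entry_points if r not in touched_routes)
    missed_params: Dict[str, List[str]] = {}
    for route, params in entry_points.items():
        if route in touched_routes:
            missing = sorted(p for p in params if (route, p) not in exercised)
            if missing:
                missed_params[route] = missing
    return {"unvisited_routes": unvisited, "missed_params": missed_params}


# Constructed sample data; not output from any real scanner.
STATIC = [
    StaticFinding("sqli", "src/Account.java", 88, "/account/lookup", "id"),
    StaticFinding("xss", "src/Search.java", 42, "/search", "q"),
    StaticFinding("xss", "src/Admin.java", 17, "/admin/export", "format"),
]
DYNAMIC = [
    DynamicFinding("sqli", "/account/lookup", "id"),
    DynamicFinding("xss", "/search", "q"),
    DynamicFinding("xss", "/help", "topic"),  # no static match (e.g. template code outside the scan)
]
ENTRY_POINTS = {
    "/account/lookup": frozenset({"id"}),
    "/search": frozenset({"q", "page"}),       # "page" never fuzzed
    "/admin/export": frozenset({"format"}),    # unlinked URL the crawler never found
    "/help": frozenset({"topic"}),
}
EXERCISED = {("/account/lookup", "id"), ("/search", "q"), ("/help", "topic")}


def run_report():
    corr = correlate(STATIC, DYNAMIC)
    return prioritize(corr), coverage_gaps(ENTRY_POINTS, EXERCISED)


if __name__ == "__main__":
    rows, gaps = run_report()
    for prio, desc in rows:
        print(prio, desc)
    print(gaps)
```

The join key is deliberately coarse: in practice the route-to-code mapping comes from the framework's routing table and the parameter name may be normalized, but the shape of the result is the same: confirmed findings carry both an exploit path and a line number, and the coverage report lists exactly the unlinked routes and untested parameters that a crawler-driven scan would otherwise miss silently.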

This will be the basis of Jacob West’s and my “Fortify on Demand Launch Webinar” (Jan. 14) and RSA presentation “Best of Both Worlds: Correlating Static and Dynamic Analysis Results” (Mar. 4). We’ll be learning a lot in the coming months and will be ready to share our discoveries with the audience.


Anonymous said...

Really looking forward to seeing what this service looks like and getting some pricing info. If I could convince my boss to go this route, I could be out of a job.

Jeremiah Grossman said...

Doubtful anyone would be out of a job as a result of the offering. Finding vulnerabilities or missing controls in the code is just one part of the appsec work flow. Someone still has to actually fix issues, perform root cause analysis, make tactical risk recommendations and drive the process.

Hit me with an email (my_first_name -at- my company's domain name) and I'll make sure pricing info gets to you.

Nilesh Kumar said...

Hi Jeremiah,
I am working as a Security Analyst with a Fortune 100 company.
I have a VAPT profile in my company and am looking for some more tools.
Can you tell me the exact features of this product and how SaaS is different from conventional products? I want a brief walk-through of this product.


Jeremiah Grossman said...


Fortify on Demand and by extension WhiteHat Sentinel are not really "tools", but more "services" designed to do the work for you. If you are looking for a software product, then you might want to investigate Fortify 360, and maybe one of the many dynamic analysis scanners on the market.

Hopefully this answers your question.

Anonymous said...

Hi Nitish

WebScarab, Burp Suite, WebInspect.

AppScan, Paros Proxy, N-Stalker

and other free tools (Code Crawler, XSS Shield, SQL Inject Me, SSLDigger, etc.)

Proxy-based tools


Srinivasan M.S

Unknown said...

So with Fortify on Demand, do we benefit from all the integration capabilities of Sentinel (e.g. Archer)?

Jeremiah Grossman said...

@Yves, we are moving towards having the Sentinel web interface (including the XML API) made available to Fortify on Demand customers. It's been a popular request, so it's coming very soon.