Fortify On Demand: Data Sheet
Security
Fortify on Demand
Micro Focus Fortify on Demand (FoD) delivers application security as a service, providing customers
with the security testing, vulnerability management, expertise, and support needed to easily create,
supplement, and expand a Software Security Assurance program.
Security Testing
A dynamic or mobile assessment of the running application in a QA, test, or staging environment simulates the real-world hacking techniques and attacks employed by hackers. For web applications and web services, dynamic assessments employ a combination of automated and manual testing techniques to crawl the application attack surface and identify exploitable vulnerabilities before an application release is deployed to production. Furthermore, interactive application security testing (IAST), with Fortify’s runtime agent, supercharges dynamic testing to find more vulnerabilities—and fix them faster.

Similar to dynamic testing for web applications, Fortify on Demand mobile assessments utilize the compiled application binary and employ a combination of automated and manual techniques to identify vulnerabilities across all three tiers of the mobile ecosystem—client device, network, and backend services. More than just simple reputation or behavioral analysis, mobile assessments provide true security testing for companies serious about securing their mobile applications.

Security Production Monitoring
Inevitably, not all vulnerabilities can be remediated for every application before it goes live. Misconfigurations in production environments can introduce issues not present in preproduction, and new zero-day vulnerabilities arise in between release cycles. A robust production monitoring regimen includes continuous dynamic scanning for vulnerabilities and runtime detection of security events in the application itself. Fortify on Demand provides all production application monitoring activities in a single, integrated place, ensuring the continuity of application security throughout the entire SDLC.

Key Features

Static Application Security Assessments
Static assessments help developers identify and eliminate vulnerabilities in source, binary, or bytecode to build more secure software. Powered by Micro Focus Fortify Static Code Analyzer (SCA), static assessments detect over 781 unique categories of vulnerabilities across 27 programming languages that span over 1 million individual APIs. Fortify on Demand static assessments can also include a review by our security experts and our innovative Fortify Scan Analytics machine learning platform to remove false positives and ensure overall quality, so that development teams can maximize their remediation efforts early in the software lifecycle. Fortify on Demand seamlessly fits into customers’ existing agile or DevOps processes with out-of-the-box IDE, continuous integration/continuous deployment (CI/CD), and bug tracker integrations.

Features
■ Supports 27+ languages: ABAP/BSP, ActionScript, Apex, ASP.NET, C# (.NET), C/C++, Classic ASP (with VBScript), COBOL, ColdFusion CFML, GoLang, HTML, Java (including Android), JavaScript/AJAX/Node.js, JSP, Kotlin, MXML (Flex), Objective C/C++, PHP, PL/SQL, Python, Ruby, Scala, Swift, T-SQL, VB.NET, VBScript, Visual Basic, and XML
■ Microservice licensing model for modern application development
■ Real-time vulnerability identification with Security Assistant
■ Actionable results in <1 hour for most applications with DevOps automation

                                         Static                        Static+
Application type                         Web, mobile or thick-client   Web, mobile or thick-client
Fortify SCA analysis                     +                             +
Fortify Scan Analytics automated audit   +                             +
Security Assistant                       +¹                            +¹
Security expert manual review                                          +²
Open source analysis                     +³                            +³

¹ Subscriptions only
² Security expert review optional for first subscription scan only
³ Added Sonatype subscription needed
Open Source Software Composition Assessments
Third party components make up a significant portion of many applications’ codebase, making software composition analysis a “must-have” AppSec capability. Powered by Sonatype, Fortify on Demand’s Software Composition Analysis is much more than a simple comparison of declared dependencies against the National Vulnerability Database (NVD): it uses natural language processing to dynamically monitor every GitHub commit to every open source project, advisory websites, Google search alerts, OSS Index, and a plethora of vulnerability sites.
Additionally, new vulnerabilities are regularly discovered by a dedicated team of security researchers and added to the proprietary knowledge-base. Fortify on Demand simplifies the onboarding and scanning process by combining static and composition analysis into a single integration point, whether that’s in the IDE or CI/CD pipeline. The comprehensive bill-of-materials, including security vulnerabilities and license details, is delivered as a fully integrated experience for security professionals and developers alike.

Features
■ Provide code once for both SAST and software composition analysis
■ Supports Java, .NET, JavaScript and Python
■ Integrated results deliver one platform for remediation, reporting and analytics
■ Examines fingerprints of 65M components for high accuracy—not just file names and package manifests
■ Detects 70% more vulnerabilities than the NVD database alone

Dynamic Web Application Security Assessments
Dynamic assessments mimic real-world hacking techniques and attacks using both automated and manual techniques to provide comprehensive analysis of complex web applications and services. Featuring Fortify WebInspect for automated dynamic scanning, Fortify on Demand provides a full-service experience: all scans include macro creation for authentication and a full audit of results by our experts to remove false positives and ensure overall quality—a level of service you don’t get with other providers. Our manual testing focuses on the types of vulnerabilities that skilled hackers exploit, including authentication, access control, input validation, session management, and business logic testing. And once an application is deployed, Continuous Application Monitoring provides production-safe vulnerability scanning for the most critical vulnerabilities across the OWASP Top 10 and risk profile change detection.

Features
■ Identifies over 250 unique vulnerability categories for web applications in QA, staging or production
■ Expanded coverage, accuracy and remediation details with IAST runtime agent
■ Continuous application monitoring of production applications included
■ Assess public-facing and internal web sites and web services
■ Generate virtual patches for all leading web application firewalls (WAFs)
                                                   Dynamic    Dynamic+
Application type                                   Website    Website OR web services⁴
Fortify WebInspect analysis                        +          +
Verify URL & authentication                        +          +
Security expert manual review                      +          +
Interactive application security testing (IAST)    +          +
Continuous application monitoring                  +⁵         +⁵
Manual vulnerability testing                                  +
Mobile Application Security Assessments
Fortify on Demand delivers comprehensive end-to-end mobile security with real-world mobile application security testing across all three tiers of the mobile ecosystem—client device, network, and web services. Similar to dynamic testing for web applications, mobile assessments utilize the compiled application binary and employ the same techniques hackers utilize to exploit vulnerabilities in mobile applications, whether they are developed internally, outsourced, or acquired. More than just simple reputation or behavioral analysis, Fortify on Demand mobile assessments provide true security testing for companies serious about securing their mobile applications.

Features
■ Supports iOS and Android mobile applications
■ Identifies over 300 unique vulnerability categories from mobile binary to backend services
■ Emphasizes security vulnerability identification in addition to behavioral and reputation analysis
■ Automated mobile binary assessments in <5 minutes for most applications
■ Manual testing performed on physical devices
www.microfocus.com
                                                   Mobile          Mobile+
Application type                                   Mobile binary   Mobile binary and backend services
Vulnerability analysis (mobile binary)             +               +
Endpoint reputation analysis                       +               +
Security expert manual review                      +               +
Fortify WebInspect analysis (backend services)                     +
Manual vulnerability testing                                       +
160-000278-005 | H | 11/20 | © 2020 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks
or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other
marks are the property of their respective owners.