Fortify 360: Securing Your Entire Software Portfolio

"Fortify's holistic approach to application security truly safeguards our enterprise against today's ever-changing security threats." Craig Schumard, CISO, CIGNA
Software Security Assurance (SSA): Removing the Risk Within Software

Our mission is to help our customers ensure that their entire software portfolio, whether it is built in house, outsourced, purchased from vendors or acquired from the open source community, is secure.

Attacks on software by hackers, criminals and insiders can result in business interruption, brand damage, tremendous financial loss and harm to innocent people. The targets of these attacks are hidden vulnerabilities within software applications. The result of years of security-blind programming practices, these vulnerabilities have accumulated within software, waiting to be exploited. To make matters worse, new vulnerabilities continue to be introduced into organizations by their own internal software development groups as well as through procurements from vendors, outsourcing firms and open-source projects.

Alarmed by the potential for widespread social and commercial damage, government and industry regulatory bodies have been strengthening mandates in the area of application security. Many organizations are now required to address the risk posed by their applications and to demonstrate compliance.

Software Security Assurance, or SSA, is a systematic approach for eliminating the security risk in software and complying with relevant government and industry mandates. Where Software Quality Assurance ensures that software will function and perform as required, SSA ensures that software cannot be used in a way that might cause harm to the organization. SSA addresses the immediate challenge of removing vulnerabilities from deployed applications as well as the ongoing, systemic challenge of producing and procuring secure software.

With its market-leading combination of products and services, Fortify has helped more than 500 organizations throughout the world achieve measurable reductions of risk with an effective SSA program. Fortify provides Fortify 360, the leading suite of products for SSA.
Fortify's Global Services organization provides SSA implementation guidance and expertise, and Fortify's Security Research Group ensures that customers' SSA capabilities are sufficient to meet the ever-evolving threat landscape.

"The single biggest step for businesses to reduce risk today is to force major improvements in poorly designed and insecure software and applications." John Pescatore, Senior Analyst, Gartner
Fortify 360: The Market-Leading Suite of Solutions to Contain, Remove and Prevent Vulnerabilities in Software

Fortify 360 provides the critical analytic, remediation and management capabilities necessary for a successful, enterprise-class SSA program.

Identification: Comprehensive root-cause identification of more than 400 categories of security vulnerabilities in 17 development languages.
Remediation: Brings Security, Development and Management together to remediate existing software vulnerabilities.
Governance: Monitors organization-wide SSA program performance and prevents the introduction of new vulnerabilities from internal development, outsourcers and vendors by automating Secure Development Lifecycle processes.
Application Defense: Quickly contains existing vulnerabilities so they cannot be exploited.
Compliance: Easily demonstrates compliance with government and industry mandates as well as internal policies.

[Diagram: roles served by Fortify 360: Auditor, CISO, Developer, Risk Officer]

WWW.FORTIFY.COM
Vulnerability Detection and Remediation

Maximum Reduction of Risk at the Source

Fortify 360 identifies the root cause of software security vulnerabilities in both source code and running applications, detecting more than 400 types of vulnerabilities across 17 development languages and 600,000 component-level APIs. Vulnerabilities can be collected during the development or quality assurance phase of a project, or even after an application has been put into production, minimizing the risk that a serious problem goes undetected. To ensure that the most serious issues are addressed first, Fortify 360 correlates and prioritizes results from its analyzers to deliver an accurate, risk-ranked list of issues.

Harmonize Expertise and Remediate More Code

Fortify 360 offers a complete set of collaborative capabilities for quickly triaging and fixing vulnerabilities identified by its three analyzers. Application security professionals, developers and their managers can work together in the way that best suits them, using role-specific interfaces. Designed specifically for the application security professional, Fortify 360 Audit Workbench provides the means to analyze individual vulnerabilities, assign them out for remediation and track activities to completion. Fortify 360's web-based Collaboration Module provides a shared workspace and repository for application security professionals, developers and managers to work together on code reviews and remediation activities. Developers can address issues in their preferred development environment while collaborating with the security team, using plug-ins for Eclipse and Microsoft Visual Studio. With Fortify 360, developers learn about secure coding practices while they are fixing vulnerabilities.

[Figure: Fortify 360 presents integrated results from static and dynamic analyzers]
For every vulnerability, Fortify 360 delivers reference information to the developer describing the problem and ways to fix it in the developer's specific programming language.

For identifying vulnerabilities in both source code and running applications, Fortify 360 offers the following static and dynamic analyzers:

Source Code Analyzer (SCA)
  Type: Static analysis
  Description: The SCA component of Fortify 360 examines an application's source code for potentially exploitable vulnerabilities.
  Usage: During the development phase, to identify vulnerabilities early in the development cycle, when they are less costly to address.

Program Trace Analyzer (PTA)
  Type: Dynamic analysis
  Description: PTA identifies vulnerabilities that can be found only when an application is running, and verifies and further prioritizes results found using SCA.
  Usage: During the quality assurance phase, to discover vulnerabilities as part of the normal test process.

Real-Time Analyzer (RTA)
  Type: Dynamic analysis
  Description: RTA monitors deployed applications, identifying how the application is being attacked, by whom and when. It delivers detailed inside-the-application information that identifies which vulnerabilities are being exploited.
  Usage: While the application is in production, to reveal new exploitable vulnerabilities or ones that may have been missed during development.
SSA Governance: Managing the Business of Software Security Assurance

[Figure: the Fortify 360 SSA Governance Module provides visibility and control of organization-wide SSA programs]

Organization-wide SSA programs present many challenges for the security team. As the number of SSA projects increases, the security team may have difficulty meeting the demands placed on it by development teams, auditors and management. Creating and implementing repeatable processes such as a Secure Development Lifecycle (SDL) is an essential first step in getting control of the situation. Yet without effective automation, delivery and tracking of the security activities defined in an SDL, organizations may still find the situation unmanageable.

For staying on track with multi-project SSA programs, there is the Fortify 360 SSA Governance Module. It provides a single system of record with views into the assets, activities and results related to the organization's entire SSA effort. For individual projects, the SSA Governance Module provides a convenient web portal where risk-mitigation activities and artifacts can be logged and communicated. For every project in the organization, the Fortify 360 SSA Governance Module automatically assigns the correct activities based on the project's specific risk profile. The application security team can then track project effort and receive alerts based upon completed or missed milestones. With these capabilities in place, the security team can begin to move towards a management-by-exception approach to SSA, freeing up valuable time to support other activities. Advanced reporting and viewing capabilities provide the means to quickly consolidate results across all projects, deliver executive-quality reports and identify areas for improvement.

For those organizations that are seeking a fast-start Secure Development Lifecycle, SDL templates and artifacts based on Fortify best practices are provided.
These templates provide an effective SDL that can be implemented out of the box. This can eliminate the research and expertise otherwise required to develop an SDL.

Insecure Applications Harm Businesses: 80% of companies report a loss of customers due to data breaches. Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime.
Threat Intelligence

Stay Ahead of the Ever-Changing Threat

Cyber-criminals continue to seek out new ways to exploit software. Fortify ensures that a customer's investment is capable of meeting these new threats by providing a variety of regular updates to Fortify 360. These updates are delivered through Fortify's Security Research Group. This internal team of security experts is dedicated to leveraging cutting-edge research into the latest hacking techniques and vulnerability trends to build security knowledge into Fortify 360. They represent the security front line at Fortify Software, and their research into how real-world systems fail allows them to identify the most effective solutions to address the threats that Fortify customers face.

The Security Research Group releases quarterly updates to the Fortify Secure Coding Rulepacks, which drive the Fortify 360 analyzers. These updates embody the latest trends in software security and programming techniques and keep Fortify customers ahead of hackers, organized crime, rogue governments and other adversaries. In total, the Security Research Group has identified over 400 vulnerability categories across 17 programming languages and has scanned more than 600,000 Application Programming Interfaces (APIs).

Recent research by the Fortify Security Research Group has resulted in the discovery of two entirely new categories of vulnerabilities (JavaScript Hijacking and Cross-Build Injection) as well as groundbreaking work in the areas of Service Oriented Architecture and system backdoor detection.

Application Defense

Active Defense for Java and .NET Applications

The Fortify 360 Application Defense Module protects high-risk Java and .NET applications from attacks. The Application Defense Module's inside-the-application approach to application defense accurately shields an application from attacks with no tuning required. Users can see which specific vulnerabilities hackers are attempting to exploit and create customized responses to attacks. Critical insight into the type and frequency of all attacks against an application is also provided. Data generated from this component can be delivered to Fortify 360 for developing a more complete view of application security.

A 100K-record data breach could cost between $10 and $30 million. Forrester
Compliance

"The security infrastructure we have implemented at Financial Engines is extremely important to our business since protecting our customers' sensitive financial data is mission critical. Fortify 360 allows us to integrate source code analysis, dynamic testing and real-time monitoring in a single comprehensive package that plays a key part in our overall approach to application security." Gary Hallee, EVP Technology, Financial Engines

Attacks Are on the Rise: Cybercrime was up 53% in 2008. The number of malicious programs circulating on the Internet tripled in 2008.

Exceed Application Security Compliance Mandates

Fortify 360 enables companies to pass key compliance mandates, such as PCI, FISMA, HIPAA, SOX, NERC and many others.

Pass PCI Compliance

Fortify 360 comes fully configured for meeting the demands associated with the application security portions of PCI compliance projects (PCI DSS Requirements 3, 6 and 11). All vulnerabilities can be ranked according to their PCI relevance. The Fortify 360 Application Defense Module provides a precision defensive option for satisfying the web-application firewall (WAF) provision. The Fortify 360 SSA Governance Module provides an out-of-the-box PCI compliance process complete with auditor-quality PCI reports.

Pass FISMA Compliance

Government entities must meet tight requirements for application security. Fortify 360 identifies application security issues and guides the user through the process of fixing them and reporting on progress.

SOX, NERC, HIPAA and Others

Fortify 360 has helped numerous organizations pass compliance mandates across a range of industries, including retail, healthcare, energy, finance, government and more.
In February 2009, Gartner positioned Fortify in the Leaders Quadrant of the Magic Quadrant for Static Application Security Testing (SAST). The report is available at http://www.fortify.com/magicquadrant.

About Fortify

Fortify's Software Security Assurance solutions protect companies and organizations from today's greatest security risk: the software that runs their businesses. Fortify reduces the threat of catastrophic financial loss and damage to reputation, as well as ensuring timely compliance with government and industry mandates. Fortify's customers include government agencies and Global 2000 leaders in financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information technology. For more information, please visit us at www.fortify.com.

Fortify Software Inc.
2215 Bridgepointe Pkwy., Suite 400
San Mateo, California 94404
Tel: (650) 358-5600
Fax: (650) 358-4600
Email: contact@fortify.com