Fortify Static Code Analyzer - Short Review

Product Overview: OpenText Fortify Static Code Analyzer

The OpenText Fortify Static Code Analyzer (SCA) is a cutting-edge static application security testing (SAST) solution designed to identify, prioritize, and remediate security vulnerabilities in source code during the early stages of software development. This tool is pivotal in ensuring the security and integrity of applications by detecting and addressing potential issues before they reach production.

Key Functionality

  • Comprehensive Vulnerability Detection: Fortify SCA analyzes every feasible path that execution and data can follow in the source code to identify a wide range of security vulnerabilities. It supports over 33 programming languages and detects issues across more than 1,657 vulnerability categories, spanning over one million individual APIs.
  • Accurate and Fast Scanning: The tool boasts a 100% true positive rate in the OWASP 1.2b Benchmark, ensuring high accuracy in identifying vulnerabilities. It can be tuned for fast scans or comprehensive, more accurate scans, depending on the development needs.
  • Integration with Development Tools: Fortify SCA seamlessly integrates with various development environments, including build servers, source code management servers, and integrated development environments (IDEs). It also supports integration with CI/CD pipelines, enabling automated security analysis at the speed of DevOps.
  • Customizable Scans and Rules: The tool allows for the customization of scan policies to focus on current priorities and exclude irrelevant or low-priority issues. It also includes a rules builder to extend and expand static analysis capabilities with custom rules.
  • Detailed Guidance and Reporting: Fortify SCA provides detailed, line-of-code guidance on how to fix identified vulnerabilities, helping developers resolve issues quickly. The results can be viewed and managed through various interfaces, including the Fortify Audit Workbench and the Fortify Software Security Center, which offer visualization tools and filters to streamline the auditing and fixing process.
  • Scalable Deployment Options: The solution can be deployed on-premises, in the cloud, or as an AppSec-as-a-Service, offering flexibility to meet the diverse needs of modern development environments.
  • Advanced Analyzers: Fortify SCA comprises eight specialized analyzers (Buffer, Configuration, Content, Control Flow, Dataflow, Null Pointer, Semantic, and Structural) that work together to identify different types of vulnerabilities. These analyzers use secure coding rules to analyze the code base for violations of secure coding practices.
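The Dataflow analyzer described above works by tracking untrusted data from the place it enters a program (a source) to the place it can do damage (a sink), and by recognising calls that neutralise it (sanitizers). The following toy taint tracker, added here as an illustration and not code from Fortify or OpenText, shows that idea on a constructed Python snippet: it walks the abstract syntax tree, propagates taint through assignments, string concatenation and f-strings, and reports a finding whenever tainted data reaches a sink without passing through a sanitizer. The source, sink and sanitizer lists are hypothetical and deliberately tiny; a commercial analyzer ships thousands of such rules and also tracks flows across functions and files.

```python
import ast

# Hypothetical rule set for this illustration. A real SAST rule pack
# covers far more APIs; these names were chosen only for the sample below.
SOURCES = {"input", "request.args.get"}            # where untrusted data enters
SINKS = {"os.system", "subprocess.call", "cursor.execute"}  # dangerous consumers
SANITIZERS = {"shlex.quote", "int"}                 # calls that neutralise taint


def _call_name(node):
    """Return the dotted name of a Call's callee, e.g. 'os.system'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    """Intraprocedural, flow-sensitive taint propagation over one module."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line number, sink name) pairs

    def is_tainted(self, node):
        """Does evaluating this expression yield untrusted data?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False          # sanitizer output is trusted by rule
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):  # e.g. "prefix " + user_value
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        # Taint (or clear) every simple target according to the assigned value.
        value_tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if value_tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        # A finding is a sink invoked with at least one tainted argument.
        name = _call_name(node)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def analyze(source_code):
    """Parse Python source text and return the list of (line, sink) findings."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed sample program (never executed, only parsed and analysed).
SAMPLE = '''
import os, shlex
host = input()                               # source: untrusted input
cmd = "ping -c 1 " + host                    # taint flows through concatenation
os.system(cmd)                               # sink reached by tainted data: finding
safe = "ping -c 1 " + shlex.quote(host)      # sanitizer clears the taint
os.system(safe)                              # no finding
name = request.args.get("name")              # second source (web parameter)
query = f"SELECT * FROM users WHERE name = '{name}'"
cursor.execute(query)                        # SQL sink reached: finding
count = int(input())                         # int() treated as a sanitizer
os.system("sleep " + str(count))             # no finding
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches sink {sink}")
```

Running the module reports the command injection on line 5 and the SQL injection on line 10 of the sample while staying silent on the two sanitized flows, which is exactly the source-to-sink reasoning a dataflow analyzer performs at a much larger scale. Extending the rule sets, or adding tracking across function boundaries, is where the bulk of a commercial tool's engineering effort goes.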

Key Benefits

  • Early Detection and Remediation: Identifies security vulnerabilities early in the development cycle, reducing the cost and complexity of fixing issues later in the development process.
  • Improved Developer Education: Educates developers about security best practices while they work, enabling them to create more secure software.
  • Centralized Software Security Management: Provides a centralized platform for managing security issues, making it easier for developers to resolve issues efficiently.
  • Automated Security in CI/CD Pipelines: Automates security analysis within the CI/CD pipeline, reducing the risk of security vulnerabilities and streamlining the development process.

In summary, the OpenText Fortify Static Code Analyzer is a robust SAST solution that enhances application security by identifying and remediating vulnerabilities early, integrating seamlessly with development tools, and providing customizable and scalable security analysis capabilities.
