Fortify Static Code Analyzer - Short Review

Product Overview: Fortify Static Code Analyzer (SCA)



Introduction

The Fortify Static Code Analyzer (SCA) is a Static Application Security Testing (SAST) solution designed to identify security vulnerabilities in source code early in the development cycle so they can be remediated before release. Developed by OpenText, the tool is intended to help ensure the security and integrity of software applications.



Key Functionality

  • Comprehensive Security Analysis: Fortify SCA analyzes every feasible path that execution and data can follow in the source code to detect and report security vulnerabilities. This includes translating source code into an intermediate format, which is then scanned by multiple specialized analyzers to identify violations of secure coding practices.
  • Multi-Language Support: The tool supports over 30 major programming languages and their frameworks, as well as more than 1,000 vulnerability categories, making it versatile for a wide range of development environments.
  • High Accuracy: Fortify SCA reports a 100% true positive rate on the OWASP Benchmark v1.2b, which the vendor presents as accurate detection of security issues without false positives. This accuracy is crucial for efficient and reliable security audits.
  • Integration with Development Pipelines: The tool seamlessly integrates into Continuous Integration/Continuous Deployment (CI/CD) pipelines, allowing for automated security analysis at the speed of DevOps. This integration supports build servers, source code management servers, and various development tools like Azure DevOps Server, Jira, and Bugzilla.
  • Customizable Scanning: Fortify SCA offers the flexibility to customize scan policies to focus on current priorities and exclude irrelevant or low-priority issues. Users can toggle between different scan policies to optimize the scanning process.
  • Advanced Analyzers: The tool comprises eight specialized vulnerability analyzers, each run over the intermediate model produced during translation:
    • Buffer Analyzer: Detects buffer overflow vulnerabilities, where code reads or writes more data than a buffer can hold.
    • Configuration Analyzer: Checks for mistakes and policy violations in application deployment configuration files.
    • Content Analyzer: Identifies security issues in HTML content, including dynamically generated HTML files.
    • Control Flow Analyzer: Detects potentially dangerous sequences of operations, such as a resource used after it has been released.
    • Dataflow Analyzer: Tracks how data moves through the program and flags cases where untrusted input reaches a sensitive operation, the pattern behind injection-style vulnerabilities.
    • Null Pointer Analyzer: Detects null pointer dereferences.
    • Semantic Analyzer: Detects potentially dangerous uses of functions and APIs, such as calls to deprecated or known-unsafe routines.
    • Structural Analyzer: Examines the structure and definitions of the program (classes, declarations and how they fit together) for vulnerabilities.
  • User-Friendly Results Management: The results of the security analysis can be managed and viewed through various tools, including the Fortify Audit Workbench and the Fortify Software Security Center. These tools provide visualization and filtering capabilities to make auditing and fixing issues more efficient.
  • Deployment Flexibility: Fortify SCA can be deployed on-premises, in the cloud, or as an AppSec-as-a-Service solution, offering flexibility to fit different organizational needs.
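The translate-then-scan workflow and the per-analyzer findings described above end up in an .fpr result file, which a CI/CD job typically has to turn into a pass/fail decision. The following is an added example, not Fortify's own code: it opens an .fpr (a zip archive whose findings are in audit.fvdl), counts findings per analyzer and fails the build when a finding exceeds a severity and confidence threshold. The FVDL element names and namespace are assumptions, the thresholds are a policy choice, and the sample archive is constructed in memory so the script runs without Fortify installed.

```python
# Added example (not Fortify's code): a CI build gate over a Fortify SCA
# result file. An .fpr is a zip archive whose findings live in audit.fvdl;
# the FVDL element names used here are assumed, and the sample is constructed.
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

F = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}  # assumed FVDL namespace

def load_findings(fpr_bytes: bytes) -> list:
    """One dict per <Vulnerability> in audit.fvdl inside the .fpr zip."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as z:
        root = ET.fromstring(z.read("audit.fvdl"))
    out = []
    for v in root.findall("f:Vulnerabilities/f:Vulnerability", F):
        ci, ii = v.find("f:ClassInfo", F), v.find("f:InstanceInfo", F)
        out.append({
            "analyzer": ci.findtext("f:AnalyzerName", "?", F),
            "category": ci.findtext("f:Type", "?", F),
            "severity": float(ii.findtext("f:InstanceSeverity", "0", F)),
            "confidence": float(ii.findtext("f:Confidence", "0", F)),
        })
    return out

def gate(findings, min_severity=4.0, min_confidence=3.0):
    """Return (blocking findings, count per analyzer); thresholds are a policy choice."""
    blocking = [f for f in findings
                if f["severity"] >= min_severity and f["confidence"] >= min_confidence]
    return blocking, Counter(f["analyzer"] for f in findings)

def build_sample_fpr() -> bytes:
    """Constructed minimal .fpr holding one audit.fvdl with three findings."""
    rows = [("SQL Injection", "dataflow", 4.0, 5.0), ("Null Dereference", "controlflow", 2.0, 5.0),
            ("Hardcoded Password", "semantic", 4.0, 2.0)]  # constructed analyzer labels
    vulns = "".join(
        f"<Vulnerability><ClassInfo><Type>{t}</Type><AnalyzerName>{a}</AnalyzerName>"
        f"</ClassInfo><InstanceInfo><InstanceSeverity>{s}</InstanceSeverity>"
        f"<Confidence>{c}</Confidence></InstanceInfo></Vulnerability>"
        for t, a, s, c in rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("audit.fvdl", f'<FVDL xmlns="{F["f"]}"><Vulnerabilities>{vulns}</Vulnerabilities></FVDL>')
    return buf.getvalue()

if __name__ == "__main__":
    blocking, per_analyzer = gate(load_findings(build_sample_fpr()))
    print(dict(per_analyzer), [f["category"] for f in blocking])
    sys.exit(1 if blocking else 0)  # non-zero exit breaks the pipeline stage
```

In a real pipeline, replace build_sample_fpr() with the bytes of the .fpr written by the scan step and tune the thresholds to the team's triage policy.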


Key Benefits

  • Early Detection and Remediation: Identifies security vulnerabilities early in the development cycle, reducing the cost and complexity of fixing issues later in the production phase.
  • Improved Developer Education: Educates developers about security best practices while they work, enabling them to create more secure software.
  • Scalability and Performance: Offers scalable and centralized scanning infrastructure to meet the demands of modern development needs, with options for fast or comprehensive scans.
  • Robust Ecosystem Integrations: Integrates with a robust ecosystem of tools and platforms to enhance DevOps and streamline development processes.

In summary, Fortify Static Code Analyzer is a powerful tool that enhances software security by identifying and remediating vulnerabilities early, integrating seamlessly into development pipelines, and providing customizable and accurate security analysis.
