- Doug Morris, DevSecOps Practice Director, Melillo Consulting
- linkedin.com/in/douglasmorrison/
- August 31, 2022
Enterprise security threats have exploded over the past 10 years. The use of malware, bots and exploits is commonplace. Our clients trust us to cover all those threat vectors, so they are less at risk. It’s our job to identify and use the best tools for that critical responsibility.
One of those tools that we are bullish on is Fortify. It is one of Micro Focus’ best products and the company has continued to invest in it over the years. Of course, Fortify has competition, but we believe it remains the one to beat.
False Positives
Primarily, we trust Fortify because it produces fewer false positives when scanning code for vulnerabilities than its rivals do. False positives are an Achilles’ heel for any company trying to build security into the DevOps process. Because security is already seen as time-consuming, chasing down false positives is extremely disheartening and can dissuade companies from proactively tracking down threats. Conversely, after enough false alarms there is the very real risk of dismissing a finding that is real.
Fortify provides more reliable information in a couple of ways.
1. Fortify correlates the results of diverse types of scanning. For instance, the program source code, the executable program, and the running user interface are each scanned, giving three different views of the application’s security. Then, the three are cross-referenced. For example, one scan may identify a potential vulnerability, but the UI scan may verify that the identified issue is already being mitigated in another way, and so that security alert becomes a non-issue. That type of resource conservation and time saving can’t be overstated, and it should not be undervalued. It certainly offsets any additional investment that Fortify may require of a customer.
2. Micro Focus’ Fortify is a tremendous product overall, but it has one standout feature that doesn’t get enough attention: Fortify Security Assistant. Security Assistant scans code in real time, while the programmers are writing it. It’s like Grammarly, but for programmers. It brings security scanning to the very beginning of the software life cycle, when a defect is absolutely the easiest to fix.
Secure from the Start
Programmers are often on tight schedules, so they aren’t just typing in their own code — they are also, often, cutting and pasting code from some online open source project, because they are trying to be fast, efficient and on time in meeting their targets. So, they might easily paste in some code that has a vulnerability. That could be intentional or, hopefully, unintentional. Either way, Fortify’s Security Assistant picks it up and flags it as potentially creating a vulnerability. The tool catches hundreds of the top vulnerability categories.
We’ve come a long way in the industry, from DevOps to DevSecOps to now SecDevOps. It has moved from not even considering security to having the nomenclature itself put security at the beginning of the conversation. You can’t get any earlier in the process than Fortify Security Assistant, which truly is the poster child for SecDevOps.