Fortify on Demand Reviews

Fortify On Demand is a cloud-based service/software-as-a-service model. Fortify On-Prem, which I have implemented, is an on-prem service where the customer provides the server infrastructure, and then Fortify On Demand comes fully implemented out of the box. 

But you're still able to connect all of your Git repositories and your build environments like Maven and Gradle and all these different build environments, even like Jenkins that customers are using. It's fully connected either whether it's on-prem or cloud, and then you can do a full scan analysis of your security posture.

SAST and DAST scanning. Dynamic application scanning as well as static application scanning. So that would be websites, and you can do an audit and crawl scan of your web-based or web-facing applications, and then also scan your source code of your static application code.

The source code analyzer is the actual tool. It's the engine that sits behind Fortify. And this engine or this intelligence is within your tools. So, the great thing about Fortify is that you have plugins for your build environment. So when you're building and executing that code, you can scan that code at that interval. You can shift left. The commonality is that you want to shift left. You want to find threats early in production, as early as before it actually goes into production. It saves money that way, so you don't have to recode or reinvent your entire architecture.

We also have plugins for your actual interface. We call them IDEs. It's the interface where the developer will actually code and write programs. So from there, the source analyzer will give an analysis, and the developer can fix the code.

Then the second gateway that we have is our plugins work in both environments. So when the developer has written and remediated and fixed some of the issues, in the build environment, when he's testing his code, when it's actually running the application, the Source Code Analyzer will then analyze it again, and then there can be remediation. The code can be fixed.

We even have a tool called RASP, which is a tool that works in production. So even when your code is now being published, it's now an actual application, it's a live application, we have a RASP tool also in Fortify that also further on, in real-time, will scan and do an analysis of your code to find any zero-day attacks or threats or emerging threats. And then, again, from the dashboard interface, you'll be able to remediate.

And you can also do on-demand, we build AI Audit Assistance 2.0. It's the GEM 2.0 tool that we now have in Fortify that uses artificial intelligence where you can set thresholds. You can set a score to say that if I am sure, or if the system is sure with absolute certainty, with 90% accuracy, there is, in fact, a threat or a high risk; it will find those vulnerabilities and give you a score.

So, what it does is actually reduce the time spent on false positives. When you have false positives, you have to scrutinize all of them. We've got a lot of new technologies and methods within Fortify that allow us to reduce the false-positive rate that you generally find with scanning tools because we're using artificial intelligence as well as the source code analyzer tool. All of this has been built over years and years of development and research, and it actually gives you a better rate of reducing false positives, and you can then remediate actual threats. So, the tool has a lot of value.

The reduction of false positives is in the region of 98% or more. We now have even a new tool or AI product line called Aviator. So Fortify, OpenText Fortify now harnesses the power of artificial intelligence within the architecture, which will reduce your false-positive rate and actually give you scores on actual threats that it finds. Then, the threats and the threshold scores, the threats that are not seen as a low risk or a medium risk, can still be tended to. 

So, it doesn't exclude the thresholds. It will still give you a full analysis, but it will, with surety and with the correct analysis, give you the threats that do matter, the threats that you do need to tend to immediately.

By doing this, you also reduce the time to threat response because in cybersecurity, your time to threat response is very important. You need to ensure that you detect the threats early and that your response time is also very quick to reduce any business impact or downtime to a business. So, this is where Fortify really excels with all the new technology and artificial intelligence metrics that we have within our architecture.

We used Fortify for static code analysis, dynamic security testing, and both white box and black box testing. We applied these scanning methods to our business-critical applications such as Temenos (T-24), which was our core banking application. 

Additionally, other business-critical applications like Murex and various applications in trade finance or treasury security services also rely on Fortify.

Our CSD team used multiple tools for different scenarios. When dealing with sophisticated threats or vulnerabilities, manual analysis was necessary alongside Fortify's machine-based analysis. So, in handling complicated vulnerabilities, we couldn't rely on just one tool. Multiple tools were required. One such tool was OS Zap Proxy. We integrated Zap Proxy with Fortify, and this integration proved quite useful. Instead of relying solely on Fortify's dashboard, we integrated it with other tools, which made more sense. The security analysts, up to the level of the CSO, wouldn't rely only on a single dashboard. They used multiple tools to detect and work on vulnerabilities across various platforms and products. Fortify seamlessly integrates all these aspects.

The primary use case for Fortify On Demand in our environment revolves around its critical role in sales and desk operations. It helps identify application vulnerabilities from both a source code and web perspective. It directly detects issues such as SQL injection in the source code. It conducts website scans with customizable configurations to examine potential risks and vulnerabilities, which is crucial during software development. We can avoid risks before moving to the production stage.

One of the most valuable features of Fortify On Demand is its ability to integrate seamlessly with the DevOps lifecycle, particularly in terms of security testing. Injecting security testing into the DevOps process ensures that security measures are incorporated from the development stage onwards. It aligns with the main objective of DevOps, which is to automate and streamline the software development lifecycle, from code commit to deployment. With automation tools orchestrating the pipeline, tasks such as code compilation, testing, and deployment can be carried out rapidly and efficiently. This results in faster time-to-market for features, reducing deployment times from hours to minutes. It enhances trust from customers and cybersecurity teams, as security measures are built into the software from the outset, increasing confidence in the security.

The HP FoD effort allowed my client to utilize this service anytime their internal IT team was overwhelmed with workloads. FoD gives them an option to utilize the additional HP Services when they are overwhelmed with other IT Security needs across the company.

• The ability to utilize the Client Portal, which provided my clients with a view of the project status, vulnerabilities and needed remediation steps in real-time
• I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification
• The process was easy to follow and we were supported by 24/7 by TAM personnel to help with any fire drills. This was helpful many times when I needed a quick answer late at night or early in the morning

We use Fortify on Demand to look at dependency vulnerabilities and vulnerabilities in the source code. We are customers of Micro Focus. 

We've found the depth of scanning that the product provides and the results we get are the most valuable features. 

Whenever we have a new application we scan it using Micro Focus Fortify on Demand. We then receive a service connection from Azure DevOps to Micro Focus Fortify on Demand and the information from the application tested.

We are using Micro Focus Fortify on Demand in two ways in most of our processes. We are either using it from our DevOps pipeline using Azure DevOps or the teams which are not yet onboarded in Azure DevOps, are running it manually by putting in the code then sending it to the security team where they will scan it.

We use two solutions for our application testing. We use SonarQube for next-level unit testing and code quality and Micro Focus Fortify on Demand mostly for vulnerabilities and security concerns.

We previously only did the testing and scanning after deploying applications in production, but now we are doing it in development. We are making sure the code is safe to use in all the environments, not only in production. It has been valuable for us.

I have used Fortify on Demand for security scanning, along with outsourcing to companies that scan our systems and report vulnerabilities. My work has involved securing our APIs and systems.

We use Fortify across all stages of the environment: development, test, and production. We even use it for disaster recovery.

Whenever we deploy our Jenkins pipelines, the system automatically scans our Git repository to fix security vulnerabilities. All the security vulnerabilities are then created as tasks in Jira, so we can fix them as quickly as possible.

We have added it to our operational toolkit to ensure it's part of our development spectrum. We added it directly into our Jenkins pipelines.

We have some products that are publicly accessible via phone or website. These products need to be extra secure because they rely on firewalls, and hackers could potentially exploit them. Fortify on Demand provided us with valuable information on how to fix a critical API vulnerability.

So, Fortify on Demand identifies critical vulnerabilities. We have two security scans. One is Fortify on Demand, and the other is for an outsourced company. For Fortify, you assign the specific branch of code you want to scan. You can scan the code you're currently deploying through Jenkins pipelines. Since it's external, you can also scan other brands if needed. Otherwise, you can specify which specific brands or smaller branches to scan within your entire codebase.

I use the solution to check the software, as the development is done internally, to detect any security breaches. If there is something in the code that could lead to SQL injections or other vulnerabilities, it will be detected.

The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place.