Highly publicized breaches in the past 12 months have raised awareness of the need to identify and remediate vulnerabilities at the application layer. Enterprise application security testing solutions for Web, native, cloud and mobile applications are key to this strategy.
"When you’re building a software security program, you need options. That’s why savvy development and security teams select HP Fortify. Static or dynamic testing, on your site or in the cloud—you choose.
So we’re not surprised Gartner has again named HP Fortify an industry leader in their Magic Quadrant for Application Security Testing 2015. It’s an unbroken streak. In fact, Fortify is highest in vision and ability to execute," said HP.
Industry leader – again
HP, headquartered in Palo Alto, California, is a worldwide provider of SAST, DAST, IAST and RASP products and services. Its flagship SAST offering, Fortify Static Code Analyzer (SCA), anchors its solutions, and the Fortify brand has been extended to its other capabilities, including WebInspect DAST and IAST. It also offers all of its AST products as services under Fortify on Demand branding, with four levels of dynamic testing, one level of static testing and three levels of mobile testing. In 2014, HP announced its intention to split into two companies, but this is expected to have no impact on HP Software (where HP security resides), which is a part of the Enterprise Group that will stay with Hewlett-Packard Enterprise. HP’s AST solutions should be considered by enterprises looking for a comprehensive set of AST capabilities, either as a product or service or both combined, with enterprise-class reporting and integration capabilities.
HP Fortify is a well-known brand worldwide. It frequently appears on clients’ shortlists, and HP is the only AST vendor that provides capabilities in all four areas: SAST, DAST, IAST and RASP. HP was one of the first to ship a commercial RASP offering, and, in late 2014, it released HP Application Defender, on-premises and as a service for Java and .NET.
HP’s SAST has the broadest language support of any of the SAST providers, and its WebInspect IAST agent for Java and .NET is included at no cost for WebInspect DAST tool customers.
HP has a comprehensive set of enterprise capabilities, such as full SDLC integration (IDE, QA, bug tracking), Selenium support, role-based access control (RBAC), full authentication integration, SOAP, REST and JSON Web services testing, extensive WAF integration, mobile device management (MDM) integration and Sonatype integration for software composition analysis.
HP is the only large AST vendor that provides SLAs with financial penalties on the turnaround time for its AST-as-a-service offerings.
Some AST capabilities are only available with the Fortify on Demand offering, such as malware detection and Universal Description, Discovery and Integration (UDDI) testing for DAST.
Its IAST offering does not yet support PHP.
Although it offers security testing for mobile device languages on Android, iOS and Windows Phone, it has limited behavioral mobile application security testing, its database of tested apps is relatively small (100,000 applications), and it doesn’t yet have EMM integration.
If an organization chooses to equip individual developers with Fortify’s SAST capabilities, the cost of licensing every developer can be high.