Fortify Static Code Analyzer (SCA) analyzes source code and pinpoints the root cause of security vulnerabilities.
A Fortify scan prioritizes the most serious issues and guides how developers should fix them.
Fortify Static Code Analyzer
Fortify Static Code Analyzer has various vulnerability analyzers such as Buffer, Content, Control Flow, Dataflow, Semantic, Configuration, and Structural. Each of these analyzers accepts a different kind of rule tailored to offer information necessary for the type of analysis performed.
Fortify Static Code Analyzer has the following components;
- Fortify Scan Wizard. It is a tool that offers options to run scripts after or before the analysis.
- Audit workbench. It is a GUI-based app that organizes and manages the results analyzed.
- Custom Rules Editor. It is a tool that allows developers to create and edit custom rules for analysis.
- Plugin for IntelliJ and Android Studio. This plugin provides analysis results within the IDE.
- Plugin for Eclipse. This tool is integrated with Eclipse and displays results within the IDE.
- Bamboo Plugin. It is a plugin that collects the results from the Bamboo Job that runs an analysis.
- Jenkins Plugin. This plugin collects analysis results from the Jenkins Job.
Features of Fortify SCA
#1. Supports multiple languages
Some of the languages supported on Fortify SCA are; ABAP/BSP, ActionScript, ASP (with VBScript), COBOL, ColdFusion, Apex, ASP.NET, C# (.NET), C/C++, Classic, VB.NET, VBScript, CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Visual Basic, MXML (Flex), Objective C/C++, PHP, PL/SQL, Python, Ruby, Swift, T-SQL, and XML.
#2. Flexible deployment options
- Fortify On-Prem allows an organization full control over all aspects of Fortify SCA.
- Fortify On Demand enable developers to work in a Software As Service environment.
- Fortify Hosted allows developers to enjoy both two worlds (On Demand and On-Prem) through an isolated virtual environment with full data control.
#3. Integrates easily with CI/CD tools
- Developers can easily integrate Fortify SCA with major IDEs such as Visual Studio and Eclipse.
- Developers have control over various actions as the tool integrates with open-source tools such as Sonatype, WhiteSource, Snyk, and BlackDuck.
- You can also integrate Fortify SCA with remote code repositories such as Bitbucket and GitHub. The tool can thus check code pushed to such platforms for vulnerabilities and send reports.
#4. Real-time alerts
You do not have to wait until you are done with coding to do your tests, as Fortify SCA gives real-time updates as you code. The tool has configuration and structural analyzers built for speed and efficiency and helps you produce secure applications.
#5. Audit Assistant powered by machine learning
Auditing of a system is fast using the Audit Assistant, which uses machine learning algorithms. The assistant identifies all the vulnerabilities and prioritizes them based on the confidence level. Organizations can thus save on auditing costs as the tool generates reports.
#6. Flexibility
Users can select the type of scan they want to conduct based on their needs. For instance, if you want accurate and detailed scans, you can select the comprehensive scan option. Developers can also select the fast scan option if they want only major threats detected.
What does Fortify SCA do?
Fortify SCA has several roles in a typical development ecosystem. The following are some of the roles;
Static Testing Helps Build Better Code
Static Application Security Testing (SAST) helps identify security vulnerabilities in the early development stages. Luckily, most of these security vulnerabilities are inexpensive to fix.
Such an approach reduces security risks in applications as the testing provides immediate feedback on the issues introduced to code during development.
Developers also learn about security through Static Application Security Testing, and they can thus start producing secure software.
Fortify SCA uses an expansive knowledge base of secure coding rules and multiple algorithms to analyze the source code of a software application for security vulnerabilities. The approach analyzes any feasible path that data and execution can follow to identify vulnerabilities and offer remedies.
Finds Security Issues Early
Fortify SCA mimics a compiler. After a Fortify scan, this tool reads the source code files and converts them into an intermediate structure enhanced for security analysis.
All the security vulnerabilities are easy to locate in the intermediate format. The tool comes with an analysis engine made up of multiple specialized analyzers that will then use secure coding rules to analyze if the code violates any secure coding practices rules.
Fortify SCA also comes with a rules builder if you want to expand static analysis capabilities and include custom rules. The results in such a setting can be viewed in different formats based on the task and audience.
Fortify Software Security Center (SSC) Helps Manage Results
Fortify Software Security Center (SSC) is a centralized management repository that offers visibility to an organization’s entire application security program. Through SSC, users can audit, review, prioritize, and manage remedy efforts when security threats are identified.
Fortify SSC offers an accurate scope and picture of the application security posture in an organization. SSC resides in a central server but receives results from different application security testing activities ranging from real-time, dynamic, to static analysis.
What type of code analysis can Fortify SCA do?
A fortify scan borrows from the pernicious kingdoms’ architecture when doing code analysis. These are the types of analysis that Fortify SCA does;
- Input Validation and Representation- problems associated with Input Validation and Representation come from alternate encodings, numeric representations and metacharacters. Examples of such issues are “Buffer Overflows,” “Cross-Site Scripting” attacks, and “SQL Injection,” which arise when the users trust inputs.
- API Abuse. The caller failing to honor the end of the contract is the most common type of API abuse.
- Security Features. This test differentiates between software security and security software. The analysis will focus on authentication, privilege management, access control, confidentiality, and cryptography issues.
- Time and State. Computers can switch between different tasks very fast. Time and State analysis search for defects arising from unexpected interactions between threads, information, processes, and time.
- Errors. Fortify SCA will check if errors give too much information to potential attackers.
- Code Quality. Poor code quality usually leads to unpredictable behavior. However, attackers can have a chance to manipulate an application to their benefit if they come across code that is written poorly.
- Encapsulation. This is the process of drawing strong boundaries. Such an analysis can mean differentiating between validated and unvalidated data.
Download and Install Fortify SCA
Before starting the installation process, you must;
- Check system requirements from the official documentation
- Get Fortify license file. Select your package from the Microfocus downloads page. Search for Fortify Static Code Analyzer, create your account, and get a Fortify license file.
- Ensure you have Visual Studio Code installed or another supported code editor
How to install on Windows
- Run the installer file
Fortify_SCA_and_Apps_<version>_windows_x64.exe
NB: <version> is the software release version
- Click Next after accepting the license agreement.
- Choose where to install the Fortify Static Code Analyzer and click Next.
- Select the components you want to install and click Next.
- Specify users if you are installing an extension for Visual Studio 2015 or 2017.
- Click Next after specifying the path for
fortify.license
file. - Specify the settings required to update security content. You can use the Fortify Rulepack update server by specifying the URL as https://update.fortify.com. Click Next.
- Specify if you want to install a sample source code. Click Next.
- Click Next to install Fortify SCA and applications.
- Click Update security content after installation and then Finish after the installation is done.
How to install on Linux
You can follow the same steps to install Fortify SCA on a Linux-based system. However, on the first step, run this as the installer file;
Fortify_SCA_and_Apps__linux_x64.run
You can alternatively install Fortify SCA using the command line prompt.
Open your terminal and run this command
./Fortify_SCA_and_Apps__linux_x64.run --mode text
Follow all the prompts as directed on the command line until you finish the installation process.
How to Run a Fortify scan
Once you are done with the installation, it is time to set up the tool for security analysis.
- Head over to the Installation Directory and navigate to the bin folder using the command prompt.
- Type
scapostinstall.
You can then type s to display settings. - Setup the locale using these commands;
Type 2 to select Settings.
Type 1 to select General.
Type 1 to select Locale
For language, type English: en to set the language as English.
- Configure Security Content updates. Type 2 to select Settings and then type 2 again to select Fortify Update. You can now use the Fortify Rulepack update server by specifying the URL as https://update.fortify.com.
- Type
sourceanalyzer
to check whether the tool is fully installed.
Fortify SCA will now run in the background and check all your code for security vulnerabilities.
Wrapping Up
Cases of systems being hacked and data being compromised have become rampant in this internet era. Luckily, we now have tools such as Fortify Static Code Analyzer that can detect security threats as code is being written, send alerts and give recommendations on handling such threats. Fortify SCA can increase productivity and cut operational costs when used with other tools.
You may also explore Software Composition Analysis (SCA) to improve your application’s security.