LLMpedia: The first transparent, open encyclopedia generated by LLMs

Fortify (software)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Fortify
Developer: Micro Focus
Released: 2005
Latest release: 2024
Programming language: Java, C++, Python
Operating system: Windows, Linux, macOS
Genre: Static application security testing
License: Proprietary

Fortify (software) is a static application security testing (SAST) platform originally developed by Fortify, Inc. and later acquired by Micro Focus International. It analyzes source code and binaries to detect security vulnerabilities across multiple programming languages and integrates with DevOps toolchains, IDEs, and continuous integration (CI) systems. The product competes with offerings from Checkmarx, Synopsys, and Veracode in enterprise SDLC pipelines used by organizations such as AT&T, Lockheed Martin, and Bank of America.

Overview

Fortify provides static analysis, code auditing, and reporting capabilities for large codebases written in languages including Java, C, C++, C#, JavaScript, Python, and Go. The platform classifies vulnerabilities and maps them to standards such as the Common Weakness Enumeration (CWE), the Open Web Application Security Project (OWASP) Top Ten, and PCI DSS requirements. Enterprises deploy Fortify to support compliance frameworks such as SOX, HIPAA, and FISMA.

Features

Fortify includes source code analysis, binary analysis, and integration with interactive application security testing (IAST) and runtime tools such as AppScan and Burp Suite. Key capabilities include high-fidelity pattern matching, data flow analysis, taint propagation, and path-sensitive checks that reduce false positives compared to naive pattern scanners. The product offers customizable rulepacks, remediation guidance linked to CWE entries, role-based dashboards, and metrics for security gates in Jenkins, GitLab, and Azure DevOps. Additional features include policy management, automated scans, incremental analysis, and support for containerized scanning with Docker and orchestration via Kubernetes.

Architecture and Components

Fortify's architecture separates analysis engines, rule engines, and reporting services across on-premises and cloud-hosted deployments. Core components include the Static Code Analyzer (SCA), Audit Workbench for manual triage, Software Security Center (SSC) for centralized management, and API endpoints for CI/CD orchestration. The SCA parses language-specific abstract syntax trees (ASTs) and constructs intermediate representations that are then processed by taint analysis and semantic analyzers. SSC stores scan results in relational databases such as PostgreSQL or Oracle Database and enforces role-based access, authenticating users against LDAP or Active Directory for enterprise integration.
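As an added illustration of the taint propagation described in the Features and Architecture sections (this is example code, not Fortify's engine or rule format), the following Python sketch contrasts a naive pattern scanner, which flags every call to a sink, with a per-function taint analysis over the Python AST that reports a sink only when unsanitized user input can reach it. The source, sanitizer and sink sets and the sample program are assumptions constructed for the example; a real SCA tracks flows across functions, fields and paths at far greater depth.

```python
import ast
# Constructed sample (not a real Fortify scan target): safe() sanitizes user
# input before a command sink, unsafe() does not.
SAMPLE = '''
def safe(request):
    name = request.args["name"]
    os.system("ls " + shlex.quote(name))
def unsafe(request):
    name = request.args["name"]
    path = "/tmp/" + name
    os.system("cat " + path)
'''
SOURCES = {"request.args"}    # assumed user-controlled input
SANITIZERS = {"shlex.quote"}  # assumed to neutralise shell metacharacters
SINKS = {"os.system"}         # command-execution sink (CWE-78)
def dotted(node):  # "os.system" for Attribute(Name("os"), "system"), else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
def is_tainted(expr, tainted):
    """Propagate taint through names, subscripts, concatenation and calls."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Subscript):
        return dotted(expr.value) in SOURCES or is_tainted(expr.value, tainted)
    if isinstance(expr, ast.BinOp):
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.Call):  # a recognised sanitizer stops propagation
        return dotted(expr.func) not in SANITIZERS and any(
            is_tainted(a, tainted) for a in expr.args)
    return False
def naive_scan(src):
    """Pattern scanner: reports every sink call, whatever its argument."""
    return sorted(n.lineno for n in ast.walk(ast.parse(src))
                  if isinstance(n, ast.Call) and dotted(n.func) in SINKS)
def taint_scan(src):
    """Data-flow scanner: reports a sink only when unsanitized taint reaches it."""
    findings = []
    for fn in (n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)):
        tainted = set()  # names holding user-controlled data in this function
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            call = stmt.value if isinstance(stmt, ast.Expr) else None
            if isinstance(call, ast.Call) and dotted(call.func) in SINKS:
                if any(is_tainted(a, tainted) for a in call.args):
                    findings.append((fn.name, call.lineno))
    return findings
```

On the sample, naive_scan reports both os.system calls (lines 4 and 8 of SAMPLE) while taint_scan reports only the unsanitized one in unsafe(), which is the false-positive reduction the Features section attributes to data flow analysis.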

Integration and Ecosystem

Fortify integrates with numerous tools across the development lifecycle, including the Eclipse, IntelliJ IDEA, and Visual Studio IDEs and build systems such as Maven, Gradle, and Make. It supports orchestration with Jenkins, Bamboo, and TeamCity, and with cloud CI services such as GitHub Actions and GitLab CI/CD. Fortify's ecosystem includes connectors for issue trackers and project management platforms such as JIRA, ServiceNow, and Trello, enabling vulnerability triage workflows tied to ITIL processes. For enterprise risk management, it coordinates with security vendors such as McAfee and Palo Alto Networks to support a broader security posture.

Usage and Workflow

Typical usage begins with configuring language-specific analyzers and rulepacks, followed by scheduled or on-demand scans triggered by commits or build pipelines. Developers receive findings in IDE plugins or through SSC dashboards, where security engineers triage them, assign severity based on CVSS scores, and create tickets in JIRA or Azure Boards. Remediation guidance references secure coding practices from sources such as OWASP and coding standards such as MISRA for embedded C. Enterprise teams implement security gates that block merges containing critical vulnerabilities and use historical trend reporting to track the reduction of high-risk defects across releases and across programs such as DevSecOps transformations.
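The security gate described in this workflow, as an added example that is not Fortify's own tooling or output format: a CI step that reads a findings export, bands each finding by its CVSS score, excludes findings suppressed during triage, and fails the job when a per-band limit in the policy is exceeded. The JSON shape, field names, sample findings and policy limits are assumptions constructed for the example.

```python
import json

# Constructed findings export (illustrative shape, not Fortify's FPR format).
FINDINGS_JSON = '''[
  {"id": "F-1", "cwe": "CWE-89",  "cvss": 9.8, "file": "app/db.py",    "line": 42, "suppressed": false},
  {"id": "F-2", "cwe": "CWE-79",  "cvss": 6.1, "file": "app/views.py", "line": 17, "suppressed": false},
  {"id": "F-3", "cwe": "CWE-78",  "cvss": 9.1, "file": "app/ops.py",   "line": 8,  "suppressed": true},
  {"id": "F-4", "cwe": "CWE-200", "cvss": 7.5, "file": "app/api.py",   "line": 91, "suppressed": false}
]'''
# Maximum open findings tolerated per band before the merge is blocked (assumed policy).
DEFAULT_POLICY = {"critical": 0, "high": 2}

def severity(cvss):
    """Map a CVSS v3 base score to its qualitative band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"

def load_findings(text=FINDINGS_JSON):
    return json.loads(text)

def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Return (blocked, counts_by_band, violations). Findings suppressed during
    triage (audited as not exploitable) do not count against the policy."""
    counts = {}
    for f in findings:
        if f.get("suppressed", False):
            continue
        band = severity(float(f["cvss"]))
        counts[band] = counts.get(band, 0) + 1
    violations = [(band, counts.get(band, 0), limit)
                  for band, limit in policy.items() if counts.get(band, 0) > limit]
    return bool(violations), counts, violations

def main():
    blocked, counts, violations = evaluate_gate(load_findings())
    print("open findings by band:", counts)
    for band, found, limit in violations:
        print(f"gate violation: {found} {band} finding(s), policy allows {limit}")
    print("MERGE BLOCKED" if blocked else "gate passed")
    return 1 if blocked else 0  # non-zero exit status fails the CI job

if __name__ == "__main__":
    raise SystemExit(main())
```

With the sample data the suppressed CWE-78 finding is ignored, but the open CWE-89 finding exceeds the critical limit of zero, so the job exits non-zero and the merge is blocked.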

Licensing and Editions

Fortify is offered under proprietary licensing by Micro Focus International, with editions targeting different scales and deployment models: on-premises SCA and SSC bundles, cloud-based SaaS offerings, and developer-focused IDE plugins. Licensing tiers typically differ by number of users, lines of code scanned, and available integrations. Enterprises negotiate support and maintenance agreements, professional services for onboarding and rule customization, and subscription models aligned with Gartner quadrants and with the procurement cycles of organizations such as General Electric and Siemens.

Security and Compliance Impact

By embedding static analysis into development lifecycles, Fortify helps organizations reduce vulnerabilities that could lead to CVE entries and data breaches such as the publicized incidents affecting Equifax or Target. Its reporting aligns findings with compliance mandates including PCI DSS and ISO/IEC 27001, aiding auditors and risk officers from firms such as Deloitte, KPMG, and Ernst & Young. Critics and independent researchers from institutions such as the SANS Institute and NIST have examined the efficacy of SAST; Fortify's combination of language depth and enterprise integrations positions it as a tool for large-scale secure development programs and regulatory compliance initiatives.

Category: Static program analysis tools