Application Scanner – Fortify
October 12, 2023
Source Code Analyzer (SCA) – Rational equivalent is AppScan Source Edition
The core product for static source code analysis
Program Trace Analyzer (PTA) – Rational equivalent is AppScan Standard or Enterprise
They claim to be able to do dynamic analysis with PTA (and RTA, below), but it only analyzes the application while it is running and requires someone (security or QA) to run the program and monitor its behavior to find flaws.
This helps them understand the application, but sanitizers still have to be configured; in other words, it analyzes dynamically but still requires static analysis.
Real Time Analyzer (RTA) – Rational equivalent is AppScan Enterprise or AppScan onDemand
Detects vulnerabilities in production. What is unclear is whether it merely detects attempted attacks or also does any blocking of them.
Again, not widely successful or adopted by customers (little value add).
Audit Workbench – Rational equivalent is AppScan Source Edition for Security
Security auditor software client to manage results
Collaboration Module – Rational equivalent is AppScan Reporting Console
Used for team triage of results
Governance Module
Provides control with an inventory of all software assets and tracks activities of these assets
SaaS – Rational equivalent is AppScan onDemand
They claim source and binary analysis delivered as SaaS (although technically they only analyze source code and byte code, not binaries). Supports 3rd-party and in-house assessments.
| Their Claims | Our Response |
| --- | --- |
| All the components of their solution are integrated and information is correlated | Not true. We have heard anecdotally that customers who try to deploy 360 solutions require teams of professional services and weeks of on-site integration. Here are some defensible points from the SC Magazine Review |
| They claim better language support | We provide a comprehensive list of supported languages, which includes: C/C++, Java/JSP, .NET (C#, VB .NET, ASP.NET), and Classic ASP (Server Side JavaScript, VBScript, Visual Basic 6). Planned for delivery is support for PHP, ColdFusion, Perl and client-side JavaScript. |
| They claim code quality | Fortify does just enough here to position itself against the code quality vendors like Klocwork and Coverity, who are working to add security features to their solutions. They do not provide a comprehensive code quality solution. Rational Software Analyzer is our code quality solution, which is much more comprehensive than a security solution that has added some code quality rules. |
| Claim AppScan Source Edition is hard to install and heavy to maintain | They have claimed that AppScan Source Edition requires multiple boxes to install, in order to derail our POCs. The reality is that we have a client/server architecture that is transparent to the user and can be installed on a single server. In fact, the entire solution can be installed on a single laptop. |
| Framework support | Fortify claims support for a broad list of application frameworks. AppScan Source Edition provides support for popular frameworks such as Struts and Hibernate. Additional framework support can be provided through the definition of custom rules. |
| Claim we have weak reporting | It is important to point out that in a matter of 3 months we were able to integrate AppScan Source Edition results into AppScan Reporting Console; this is merely a first step in an extensive roadmap with significant advancements in reporting capabilities and integration/correlation of whitebox and blackbox results. The reality is that the breadth, depth and IP of our R&D resources will introduce advancements in our solution that Fortify cannot match. Additionally, we do provide a set of out-of-the-box compliance reports such as PCI, with the ability for users to create their own custom reports. |
| Ease of configuration | Fortify provides a “Rule Builder” feature, but it is difficult to use and targeted at the most expert users. AppScan Source Edition provides a Rule Wizard to help create custom rules. The AppScan Source Edition Configuration Wizard makes initial setup easy. |