Source Code Analysis (Secure Coding)


Summary
Solution

HPE Fortify Software Security Center provides enterprise-wide visibility for development, quality assurance, and operational application security vulnerability checks.

Characteristics

Fully supports most development languages, mobile languages, and IDE plug-ins.
  • Adobe®, ASP.NET, C/C++, C#, Classic ASP, HTML (HTML5), Java, JavaScript/AJAX, JSP, PHP, PL/SQL, MS T-SQL, VB for Applications, VBScript, VB.NET, XML, Flex, environments (Apache, J2EE, EJB, .NET, WebLogic, etc.), Android Java, iOS Objective-C, premium languages (COBOL, ColdFusion, Python, ABAP)
  • VS.net, Eclipse, IBM WSAD/RAD, Borland JBuilder
Applies security to the full Software Development Life Cycle (SDLC).
  • Addresses the risks of applications that are in operation, under development, or being planned.
Supports domestic and international compliance.
  • Guideline to Software Security Vulnerability Diagnosis by Ministry of Government Administration and Home Affairs
  • OWASP Top 10, OWASP Mobile Top 10
  • PCI, CWE, SANS, etc.
Developed by a world-leading software security R&D team
  • Participated in by 2,000 world-leading security professionals.
  • Periodically updates secure coding rules and development language analysis functions.
  • Provides project members with OWASP Top 10, Mobile Top 10, IOT Top 10, etc. and statistical data.
  • Supports quarterly updates (updates cover an average of 10-20 vulnerability issues and 1,000 APIs).
World-leading mobile secure coding diagnosis performance.
  • Simultaneously supports Android JAVA and iPhone Objective-C.
  • Supports the highest number of analysis methods in the industry (data flow, control flow, architecture, semantic, and environment analysis).
Proven solution that has been applied to international enterprises.
  • Deployed mainly at first- and second-tier financial institutions and telecommunications operators.
  • Selected and introduced as the secure coding standard of a conglomerate group.
  • Introduced in a variety of businesses, including manufacturing, distribution, electronic commerce, portals, software development, etc.
Expected Effect
- Solves immediate security issues within software that has been installed.
- Reduces systemic risks of internally developed software or externally developed software.
- Improves reliability and fidelity of vulnerability diagnosis results by applying multiple analysis engines.
- Provides stability and flexibility for developing and operating well-organized systems.
- Follows regulations according to internal/external security guidelines.
- Reduces time required to recognize and address software vulnerabilities.
- Reduces costs related to development, revision, and regulatory compliance.
- Greatly improves productivity by automating application security procedures.
- Accelerates Time To Market (TTM) by minimizing security-related delays.
- Provides powerful performance and functions based on international recommendations.
Deployment Method
Reference Sites
A financial company
Problems
  • Legacy code base that was not designed for the web environment in which it is now accessed by web applications.
  • Outsourced development does not guarantee security.
  • Limited professional security knowledge in the development group
  • Short development time and function-oriented development
Necessity
  • Source code analysis
  • Dynamic security test - penetration testing, web scanning, and traceback of an attack path.
  • Real-time protection - monitoring
Reference sites
Deploys Fortify Software Security Center, which incorporates source code static analysis, application execution analysis, and real-time detection/protection for applications that are operated by a financial company.
A telecommunication company
Problems
  • Legacy systems that do not consider the access characteristics of web applications, smartphones, etc.
  • Various tasks using wireless devices
  • Restricted security knowledge of development teams
  • Short development time and function-oriented development
Necessity
  • Source code analysis
  • Dynamic security test - penetration testing, web scanning, and traceback of an attack path.
  • Real-time protection - monitoring
Reference sites
Deploys Fortify Software Security Center, which incorporates source code static analysis, application execution analysis, and real-time detection/protection for applications operated by a telecommunications company.
A credit-card company
Problems
  • Insecure development that leaves applications vulnerable to attacks such as SQL injection is one of the 5 most serious reasons for failing a PCI audit. (Forrester Research)
  • Section 6 of PCI was the 9th-most serious problem for companies that developed and operated security systems and applications in 2006, and the 2nd-most serious issue in 2007. (Qualys)
  • According to 85 K Forensic samples, Cross-site scripting was one of the 10 most serious vulnerabilities. (Top Tier US Forensics company)
  • 56% of companies that failed did so because they failed to develop safe applications and systems. (VeriSign)
Reference sites
Deploys source code analysis, dynamic analysis, and web firewall functions for security of developing/operating applications in an integrated architecture through Fortify Software Security Center.
A government agency
Problems
  • Increasing number of massive attacks
  • Increase in the use of software by the army, intelligence agencies, government agencies, etc.
  • Outsourcing of development that does not consider security.
  • Legacy systems that do not consider the access characteristics of web applications, smartphones, etc.
Reference sites
Deploys Fortify Software Security Center, which incorporates source code static analysis, application execution analysis, and real-time detection/protection for developing and operating applications.
A software developer
Problems
  • Function-oriented development
  • Customer's demand for software security validation
  • Increasing software security incidents
Reference sites
Deploys Fortify Software Security Center, which incorporates source code static analysis, application execution analysis, and real-time detection/protection for developing and operating applications.