Fortify Software

Fortify
Company type: Software Vendor
Industry: Computer software
Genre: Software Security Assurance
Founded: 2003
Founders: Ted Schlein of Kleiner, Perkins, Caufield & Byers; Mike Armistead; Brian Chess; Arthur Do; Roger Thornton
Headquarters: United States
Key people: John M. Jack (former CEO), Jacob West (head of Security Research Group), Brian Chess (former Chief Scientist), Arthur Do (former Chief Architect)
Owner: OpenText
Website: Micro Focus Security
Micro Focus Fortify Software Security Center Server

Fortify Software, later known as Fortify Inc., is a California-based software security vendor, founded in 2003 and acquired by Hewlett-Packard in 2010,[1][2][3] Micro Focus in 2017, and OpenText in 2023.


Fortify offerings included static application security testing (SAST)[4] and dynamic application security testing (DAST)[5] products, as well as products and services that support software security assurance. In 2011, Fortify introduced Fortify OnDemand, a static and dynamic application testing service.[6]

History

Fortify Software was founded by Kleiner Perkins in 2003. Fortify Inc. was acquired by HP in 2010.[7]

On September 7, 2016, HPE CEO Meg Whitman announced that the software assets of Hewlett Packard Enterprise, including Fortify, would be merged with Micro Focus to create an independent company of which HP Enterprise shareholders would retain majority ownership.

Micro Focus CEO Kevin Loosemore called the transaction "entirely consistent with our established acquisition strategy and our focus on efficient management of mature infrastructure products" and indicated that Micro Focus intended to "bring the core earnings margin for the mature assets in the deal - about 80 percent of the total - from 21 percent today to Micro Focus's existing 46 percent level within three years."[8] The merger concluded on September 1, 2017.

OpenText acquired Micro Focus (including Fortify Software products) in 2023.

Technical advisory board

Fortify's technical advisory board was composed of Avi Rubin, Bill Joy, David Wagner, Fred Schneider, Gary McGraw, Greg Morrisett, Li Gong, Marcus Ranum, Matt Bishop, William Pugh, and John Viega.

Security research

Fortify created a security research group that maintained the Java Open Review project[9] and the Vulncat taxonomy of security vulnerabilities, in addition to the security rules for Fortify's analysis software.[10] Members of the group wrote the book Secure Coding with Static Analysis and published research, including "JavaScript Hijacking",[11] "Attacking the Build: Cross-Build Injection",[12] "Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output",[13] and "Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking".[14]


References

  1. "HP Completes Acquisition of Fortify Software, Accelerating Security Across the Application Life Cycle". September 22, 2010. Retrieved December 17, 2018.
  2. Roberts, Paul (April 5, 2004). "Software Searches for Security Flaws". PCWorld.com. Archived from the original on December 19, 2020. Retrieved December 17, 2018.
  3. Wagner, Jim (April 5, 2004). "A New Approach to Fortify Your Software". Internetnews.com. Retrieved December 17, 2018.
  4. "HP Fortify Static Code Analyzer". Retrieved December 17, 2018.
  5. "HP Unveils Real-Time Application Security Testing Tool". DarkReading.com. July 14, 2011. Retrieved December 17, 2018.
  6. Reitano, Victoria (February 15, 2011). "HP builds up its Security-as-a-Service". SD Times. Retrieved December 17, 2018.
  7. "HP's Fortify Buyout Numbers Tell Lucrative Story For Software Security". Forbes. August 18, 2010. Retrieved May 4, 2020.
  8. Sandle, Paul; Baker, Liana B. (September 7, 2016). "HP Enterprise strikes $8.8 billion deal with Micro Focus for software assets". Reuters. Retrieved December 17, 2018.
  9. "Quality and Security for Open source Community". Archived from the original on December 16, 2006. Retrieved December 17, 2018.
  10. "HP Fortify Taxonomy: Software Security Errors". Archived from the original on November 27, 2012. Retrieved December 17, 2018.
  11. Chess, Brian; O'Neil, Yekaterina Tsipenyuk; West, Jacob (March 12, 2007). "JavaScript Hijacking" (PDF). Retrieved December 17, 2018.
  12. Chess, Brian; Lee, Fredrick DeQuan; West, Jacob (October 10, 2007). "Attacking the Build through Cross-Build Injection". Retrieved December 17, 2018.
  13. Madou, Matias; Lee, Edward; West, Jacob; Chess, Brian (2008). "Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output" (PDF). Retrieved December 17, 2018.
  14. Chess, Brian; West, Jacob (January 2008). "Dynamic taint propagation: Finding vulnerabilities without attacking". Information Security Technical Report. 13 (1): 33–39. doi:10.1016/j.istr.2008.02.003. Retrieved December 17, 2018.