Based on a PeerSpot PeerPaper About Sonatype Lifecycle and OpenText Fortify Static Code Analyzer
While the use of open-source software (OSS) has become non-negotiable in software development today, the practice has not been a risk-free proposition. There were twice as many software supply chain attacks in 2023 as there were in the years 2019 to 2022 combined. Custom code can also be the cause of security risks, as vulnerabilities get embedded into software that is making its way through the DevSecOps pipeline. The situation is not good news for developer teams and their partners in security and quality assurance (QA). Everyone is expected to produce software more quickly than ever before, just as an increased security workload creates a drag on productivity for developers and QA teams.
Finding the balance between speed and security is critical. Fortunately, Sonatype and OpenText Fortify offer a combined solution that manages both. Sonatype Lifecycle offers software composition analysis (SCA) for open source security that pairs with Fortify Static Code Analyzer for static application security testing (SAST). Reviewers on PeerSpot, an enterprise buying intelligence platform, have provided their feedback on the combined Sonatype and Fortify solution, and their feedback was incorporated into this PeerPaper: Increase Developer Velocity While Mitigating Risk with Fortify and Sonatype.
Increasing Developer Velocity
Faster is almost always better, assuming there are no tradeoffs in quality or security. As users of the Sonatype/Fortify combined solution have discovered, it helps with developer velocity.
Factors that speed up development, as enabled by the Sonatype/Fortify combined solution, include improving developer productivity, integration with other solutions, and real-time feedback. Ease of use also helps everyone work more quickly. With a single pane of glass view for Fortify static code analysis and Sonatype open source findings, securing the software supply chain is made easier, which contributes to developer velocity.
The PeerPaper features compelling testimonials that highlight real-world scenarios where organizations have successfully increased developer velocity using the combined solutions of Sonatype and OpenText.
A Software Engineer at a manufacturing company felt that the solution “has definitely increased developer productivity.” She elaborated, saying, “If you manually download a package, you’re not sure if it is the right package because you cannot test it. But now, we can automatically download packages. It’s much more effective and more productive for each software developer using it. I would estimate we have seen a 20 percent increase in productivity.”
Decreasing Risk
Risk reduction is half the battle of DevSecOps. As users discovered, the joint Fortify/Sonatype solution achieves this aim by providing visibility, identifying vulnerabilities—and then remediating them—while also maintaining compliance. The PeerPaper emphasizes the importance of mitigating risks for DevSecOps. By integrating security measures early on and continuously monitoring for vulnerabilities, organizations can proactively address potential threats and safeguard their applications against cyber attacks.
For a Vice President of Cybersecurity at a financial services firm, visibility manifested as “Fortify provides robust details about the issues, along with comprehensive insights into what needs to be fixed.”
The solution’s comprehensive set of security rules and patterns further helps identify vulnerabilities, including issues related to the Open Web Application Security Project (OWASP) Top Ten, CWE (Common Weakness Enumeration), and other industry standards. For a Vice President of Application Security for North America at BNP Paribas, a financial services firm, getting to success requires supporting a wide range of programming languages, including Java, C/C++, C#, and Python. He also explained in his review how Fortify SAST reviews the source code or compiled binary code without executing the application: “This helps in identifying vulnerabilities, coding errors, and security issues within the codebase.”
Conclusion
The joint PeerPaper is a must-read for any organization seeking to accelerate developer velocity while mitigating risks effectively. By implementing the combined product solution, businesses can stay ahead of attacks and increase productivity in their software development lifecycle.
Read more customer reviews by checking out the full Fortify + Sonatype PeerPaper here.
More About Fortify
OpenText Fortify's Application Security Testing portfolio empowers your team for DevSecOps best practices by constantly innovating, supporting, and collaborating with organizations across the globe. As the sole code security solution with over two decades of expertise, and acknowledged as a market leader by major analysts, Fortify provides the most adaptable, precise, and scalable AppSec platform available. At Fortify, we firmly believe that great code is secure code, and helping customers achieve it runs through everything we do.