Are Fortify and WebInspect the same?

Please help me understand whether HP WebInspect and Fortify are the same, and whether Fortify is embedded in the WebInspect tool?
  • Verified Answer

    They do seem mixed, but let's see if I can separate them for you.  HP Fortify is the combination of two acquisitions by HP, SPI Dynamics and Fortify.

    SPI Dynamics specialized in DAST testing, specifically web application security scanning.  They created WebInspect, QAInspect (EOL), Assessment Management Platform (AMP, EOL now on to WebInspect Enterprise), and DevInspect (EOL).

    Fortify specialized in SAST testing, specifically code analysis for security risks.  They provided SSA professional services as well as created SCA (scanner), F360 Server (now SSC Server), and Runtime.  That last one is technically a RAST solution, protecting and monitoring the live application from security risks.

    After these organizations were combined, we have HP Fortify.  Their current solution set includes WebInspect, SCA, SSC Server, WebInspect Enterprise, CloudScan plugin for SSC/SCA, Runtime (Logging and/or Protection), ApplicationView for Arcsight ESM, and WebInspect Agent (IAST agent for WebInspect).  The SaaS solutions offer Fortify On Demand (DAST and SAST) as well as Application Defender (cloud-based management of Runtime).

    WebInspect is a point solution (Windows) for a pen tester to perform VA scanning of live web sites and/or web applications (SOAP, REST, et al.).  Fortify SCA is a code analyzer (multiple OS) capable of reviewing more than 20 languages in a variety of ways (CLI, IDE plugin, build-time integration, et al.).  Fortify SSC Server collates and helps centralize multiple SCA users.  WebInspect Enterprise serves as a plugin to bring the DAST testing performed by WebInspect into the SSC Server, where it can reside alongside the code reviews for the same Projects.  This is all rather simple and fast, but I hope it helps.

    You may learn more about these at  >>