October was Cybersecurity Awareness Month, and all it made me aware of was how many of October's breaches involved apps. Take these two. Facebook reported a hack that compromised at least 50 million accounts, then revealed the vulnerability behind it: attackers could steal access tokens (the credentials that keep a user logged in) and use them to log into other popular apps and services that rely on Facebook Login. Also in October, Google made a surprise announcement that it was shutting down Google Plus after discovering that a bug in the Google Plus People API had put user information at risk, exposing profile data that users thought was private to 438 third-party apps.
That's why I am glad to be part of the Fortify team, which provides solutions for secure app development, security testing, and continuous monitoring and protection to help prevent these types of breaches. One of the biggest challenges we face when selling Fortify is the perception that security will slow down app production. Not true, of course: Fortify finds security issues early in the development cycle and lets teams fix them at the speed of DevOps. In fact, Fortify can manage, measure and integrate security across the entire software lifecycle.
I am also glad to see continued innovation in Fortify features here at Micro Focus, including the announcement of the 18.20 release for on-premise products (Static Code Analyzer, Software Security Center, tools and WebInspect). Feature updates are where vision and execution intersect to provide our customers with a great product. I'm really excited by how these features align with what our customers are asking for.
Our October 2018 updates enhance existing languages and improve integration/automation capabilities and support for new constructs and frameworks to drive greater customer efficiency and value. Here are some highlights.
Fortify Static Code Analyzer (SCA)
This release increases our depth of coverage:
- Support for the latest releases of Swift 4.2 and Xcode 10
- Ability to scan TypeScript 2.8 applications
- MSBuild support has changed to follow the direction Microsoft has set for .NET: MSBuild integration is now the only build integration used to translate .NET applications
- A new Python translator that supports both Python 2 and Python 3 applications. It is used by default; the legacy Python 2.x translator remains available through a command line option
- Support for scanning Node.js 10.x applications
- Initial Angular support, enabling scanning of Angular 2 through 6 applications
- Enhanced Java 9 support, resulting in the discovery of more complex vulnerabilities in Java 9 applications
- A major update to the logging infrastructure
Fortify Software Security Center
This release provides improvements to make Software Security Center easier to use:
- SSC scan processing is now up to 30% faster
- Automated, machine-assisted audit predictions with Audit Assistant
- New Fortify Jenkins plugin now available
- Integrated security training in SSC with Secure Code Warrior
- Request Dynamic Scans (Fortify WebInspect Enterprise) migrated to the current user interface
Fortify WebInspect
This release helps reduce friction for customers with improved automation:
- Support for vulnerability detection across WebSockets
- Improved command line control, including pause/resume of running scans, bringing the command line closer to parity with the existing API functionality
WebInspect Enterprise (available Nov 20)
- WIE API improvements, part of our focus on improving automation capability
- Improved WIE SmartUpdate controls that allow more efficient bandwidth and disk space usage
For more information about this feature release:
Fortify is Micro Focus’ suite of application security products, and has been known for its innovation and depth of coverage for more than a decade. Earlier in 2018, Gartner once again positioned Fortify as a leader in its "Magic Quadrant for Application Security Testing," citing both Fortify’s Completeness of Vision and Ability to Execute.