New Micro Focus, Sonatype Partnership Provides 360 Degree View of AppSec

Micro Focus Expert

In today’s world, we know that most security breaches occur because of application vulnerabilities. We also know that a typical software application is, on average, composed of 85% open source software. These facts are changing the way enterprises think about security overall, and they make open source libraries a critical dimension of any serious application security initiative.

The need to understand both custom and open source code, in a holistic way, is exactly why Micro Focus Fortify and Sonatype are coming together in partnership and powering a best-in-class, fully integrated application security platform for all Fortify customers.  

This new partnership, which establishes Sonatype as Fortify's preferred Software Composition Analysis (SCA) partner, gives Micro Focus Fortify on Demand and on-premises (Fortify SSC) customers the advantages of a single, fully integrated application security platform, without compromising depth or capability in managing open source risk and vulnerabilities.

[Image: SCA data rolled up into the dashboard in Fortify on Demand]

[Image: Global SCA view in Fortify on Demand]

Application Security as a Service

Fortify software composition analysis, now powered by Sonatype, provides Micro Focus customers with greatly expanded SCA coverage. Sonatype uses artificial intelligence, machine learning, and human curation to identify open source software security vulnerabilities. This significantly expands component intelligence in depth and breadth beyond matching file names against entries in the NVD (National Vulnerability Database). Sonatype’s SCA platform is continuously updated as open source projects, GitHub commits, advisory websites, and other vulnerability sources are examined. Security monitoring is ongoing and automatic.

Benefits for Dev and Sec

Fortify simplifies the onboarding and scanning process by combining static and composition analysis into a single integration point, whether that's in the IDE or CI/CD pipeline. The comprehensive software bill-of-materials, including security vulnerabilities and license details, is delivered as a fully integrated experience for security professionals and developers alike. 

Key features and updates include: 

  • Runs SAST and SCA analysis simultaneously
  • Supports Java, .NET, JavaScript and Python
  • Delivers integrated results on one platform for remediation, reporting and analytics
  • Examines fingerprints of over 65 million components, rather than relying on file names and package manifests
  • Detects 70% more vulnerabilities than the NVD database alone

Get an inside look at how to use Sonatype’s open source security capability with Micro Focus Fortify below.
