Software Quality Insights

Dec 7 2009   5:53PM GMT

Fix expensive Web security weaknesses at a lower cost

Daniel Mondello

Fortify’s new Fortify on Demand service offers penetration and static testing of binary code at an introductory price lower than that of the full Fortify 360 service. On Demand is essentially the first half of Fortify 360, a security assessment service that includes penetration, static, runtime and real-time testing. In our interview this week, Fortify’s Barmak Meftah explained that the abridged version was created to give security testing capabilities to budget-constrained software development teams.


Penetration and static tests are key ingredients in application security testing, said Meftah, Fortify’s senior vice president of products and technologies. “What people often overlook is that static and penetration tests work complementary to one another. Although most companies choose one or the other, mistaking them for the same test,” he said.


Fortify’s new service doesn’t require clients to bring their software in-house, thanks to White Hat-based software. Like Fortify 360, On Demand boasts the ability to run tests live without disrupting a running, online application. Analyzing binary code is a good practice and doesn’t require an application to be brought in-house to test for weaknesses, Meftah said. “We can assess the app and make changes live without altering the performance negatively or holding up online users,” he explained. “We can do this cheaply and easily, in a low-touch way. It is a great way to get started.”


On Demand’s service can run multiple tests simultaneously without damaging the running application. The runtime and real-time analyses are designed to observe security and performance from within the application and report on them. On Demand can also be used to track changes made, in addition to monitoring the results of ethical hacking attempts.


“Our ideal client is a company that recognizes that they may have security issues and wants to know what the real risks are,” said Meftah. “We show them our assessment, and if there are problems or even potential problems, we are able to show them what could happen if a spider, crawler or hacker infiltrates them.” Fortify helps testers “ethically or maliciously hack our client’s applications without damaging them — recording the results of hacks and problems and reporting to them ways to repair the troubled app. This provides them some insight into where the risks are and what can be done to prevent issues.”


If a company using On Demand later decides to upgrade to 360, it gains the option of using White Hat as well as the runtime and real-time analysis.
