What is Fortify and How it works? An Overview and Its Use Cases

Posted by

History & Origin of Fortify

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Micro Focus. * The Fortify brand was recognized as a Magic Quadrant Leader 8 times over the years under HP, HPE and currently under Micro Focus.

2021 Gartner Magic Quadrant for Application Security Testing highlights:

Fortify on Demand is, hands down, one of the best solutions out there for SAST/DAST.” –Director of Cybersecurity, Finance industry
Highly recommended for holistic application security.” – Sr. Director of Global InfoSec, Services industry

Read the 2021 Gartner Magic Quadrant or Application Security Testing report today.

What is  Fortify

Fortify Software, later known as Fortify Inc., is a California-based software security vendor, founded in 2003 and acquired by Hewlett-Packard in 2010 to become part of HP Enterprise Security Products. Since 2017, Fortify’s products have been owned by Micro Focus.

Machine Learning for Auditing

Fortify’s application security as a service offering (Fortify on Demand) runs thousands of static, dynamic, and mobile scans per week, scanning billions of lines of code. Fortify on Demand takes customer application source code, runs the scan, then (as a value added service) passes these raw scan results to a team of expert auditors who are subject matter experts. These auditors identify and prioritize the noteworthy findings while removing the noise from the results. Consequently, Fortify on Demand customers receive actionable results and can primarily focus on fixing the most critical issues. The Fortify Audit Assistant service uses machine learning algorithms to feed off the hundreds of millions of anonymous audit decisions from Fortify on Demand experts. These decision models are actively used and developed for Fortify on Demand, but are also technologies that can be automatically applied on-prem to Fortify Static Code Code Analyzer results by using Audit Assistant. This innovative and patent-pending technology has been made available to Fortify customers for the past five years.

How Fortify  works aka Fortify  architecture?

Data Flow This analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The data flow analyzer uses global, inter-procedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation). For example, the data flow analyzer detects whether a user-controlled input string of unbounded length is being copied into a statically sized buffer, and detects whether a user controlled string is being used to construct SQL query text.

Control Flow This analyzer detects potentially dangerous sequences of operations. By analyzing control flow paths in a program, the control flow analyzer determines whether a set of operations are executed in a certain order. For example, the control flow analyzer detects time of check/time of use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used.

Structural This detects potentially dangerous flaws in the structure or definition of the program. For example, the structural analyzer detects assignment to member variables in Java servlets, identifies the use of loggers that are not declared static final, and flags instances of dead code that will never be executed because of a predicate that is always false.

Semantic This analyzer detects potentially dangerous uses of functions and APIs at the intra-procedural level. Basically a smart GREP.

Configuration This analyzer searches for mistakes, weaknesses, and policy violations in an application’s deployment configuration files.

Buffer This analyzer detects buffer overflow vulnerabilities that involve writing or reading more data than a buffer can hold.


This technique analyzes every feasible path that execution and data can follow to identify and remediate vulnerabilities. To process code, Fortify SCA works much like a compiler—which reads source code files and converts them to an intermediate structure enhanced for security analysis.

Use case of Fortify

Use Cases Solutions ideal for



Give your developers the confidence to code securely with fast, frictionless security, without sacrificing quality.


Cloud transformation

Whether your app is fully cloud-native or just beginning to modernize, Fortify has you covered, every step of the way.


Software supply chain

Be confident in all that goes into the applications you deliver by evolving the security of your software supply chain.


Maturity at scale

Make AppSec part of your organization’s fabric as you scale from one to thousands of apps with a partner you can trust.


Enterprise DAST

Leverage a scalable DAST solution capable of managing thousands of active assessments while tracking known vulnerabilities.


CI/CD pipeline security

Integrate security into the CI/CD pipeline for application security at the speed of DevOps.

Best Alternative of Fortify

Top 10 Alternatives to Micro Focus Fortify On Demand
  • Checkmarx.
  • Veracode Application Security Platform.
  • HCL AppScan.
  • Coverity.
  • SonarQube.
  • GitLab.
  • Acunetix by Invicti.
  • ReSharper.

Best Resources, Tutorials and Guide for Fortify

  1. microfocus.com
  2. devopsschool.com

Free Video Tutorials of  Fortify

Interview Questions and Answer for Fortify

  1. What is Fortify and how does it work?

Fortify Software Security Center: An AppSec platform that enables organizations to automate an application security program. It provides management, development, and security teams a way to work together to triage, track, validate, and manage software security activities.

2. What is Fortify used for?

Fortify SCA is a static application security testing (SAST) offering used by development groups and security professionals to analyze the source code for security vulnerabilities. It reviews code and helps developers identify, prioritize, and resolve issues with less effort and in less time.

3. Is Fortify free?

Basic access to Fortify is free for everyone – all the time. The subscription cost for Fortify Premium allows us to maintain and continually improve Fortify.

4. Does Fortify scan XML?

We have been used HP Fortify Scanner to scan our application for vulnerabilities. … xml format and zip it up and attach it to the scanner and do an automated scan.

5. How do I run a fortify scan locally?

Run a locally installed version of Fortify Static Code analyzer on the currently opened project to create an FPR. Open the FPR in Fortify Audit Workbench to view the results. Run a remote translation and scan using Fortify Scan Central. You can upload the results to Fortify Software Security Center.

6. What is the difference between SonarQube and fortify?

Fortify essentially classifies the code quality issues in terms of its security impact on the solution. While Sonarqube is more of a Static code analysis tool which also gives you like “code smells,” though Sonarqube also lists out the vulnerabilities as part of its analysis.

7. Is fortify SAST or DAST?

About Micro Focus Web Inspect

Micro Focus Fortify Web Inspect is a dynamic application security testing (DAST) tool that identifies application vulnerabilities in deployed web applications and services.

8. What is the difference between Sonarqube and fortify?

Fortify essentially classifies the code quality issues in terms of its security impact on the solution. While SonarQube is more of a Static code analysis tool which also gives you like “code smells,” though SonarQube also lists out the vulnerabilities as part of its analysis.

9What are the main components of Fortify?

  • Fortify
  • Fortify. Application Security. Build software resilience for modern development from a partner you can trust. …
  • Integration Ecosystem.
  • Marketplace.
  • Software Composition Analysis.
  • Software Security Center.
  • Static Code Analyzer.
  • WebInspect.

10. What is Fortify on Demand?

HP Fortify on Demand is a Security-as-a-Service (SaaS) testing solution that allows any organization to test the. security of software quickly, accurately, affordably, and without any software to install or manage.

11. What is Fortify in Skyrim?

Fortify is a spell effect of the Restoration school of magicka in The Elder Scrolls V: Skyrim that temporarily increases the value of the one or more target’s statistics. In Skyrim, this effect is available in the form of potions and enchantments.

12. Is Fortify open source?

Summary. Both Fortify and GitLab Ultimate offer open source component scanning along with Static and Dynamic Application Security Testing. … The Fortify RASP product, Application Defender, is limited to Java and. Net applications.

13. Does Fortify scan Cobol?

Fortify SCA already supports a specific (outdated) version of COBOL: IBM Enterprise COBOL for z/OS 3.4. 1 with CICS, IMS, DB2, and IBM MQ. We are in the process of expanding and updating the COBOL coverage.

14. What is fortify in Jenkins?

Fortify on Demand is a Software as a Service (SaaS) solution that enables your organization to build and expand a Software Security Assurance program easily and quickly. The Fortify on Demand Jenkins Plugin enables users to upload code directly from Jenkins for Static Application Security Testing (SAST).

15. What is fortify in software development?

Fortify Software Security Center

It automates key processes of developing and deploying secure applications. It helps you resolve software vulnerabilities integrating vulnerability analysis across the entire software life cycle—from development to QA testing and even deployed applications.

16. Does Fortify scan shell script?

No, Fortify does not support shell scripts. The closest support would be scanning python.

17. How do I create a Fortify report?

From the Audit Workbench, generate your report and under the ‘Results Outline’ panel Open up the Listings section and then uncheck the Limit number of issues in each group setting if checked. Show activity on this post.

18. What languages can fortify scan?

Fortify SCA supports 27+ programming languages including newly added languages such as Kotlin and Go Language. Latest language support includes Java 14, Lombok, MSBuild 16.6, XCode up to 11.7, ECMA Script 2019 and 2020, TypeScript 3.9 and 4.0, Kotlin 1.3.

19. How do I fortify scan in eclipse?

Fortify scanning in Eclipse over maven projects

Install the Maven Fortify plugin.

Added Maven fortify Plugin details in my application pom.

Ran translate and scan commands. It generated fpr files under the projects.

20. How do I fix a fortify scan error?

There are a few options:

You can mark those issues as “No an issue” in your FPR report file, and merge future scan to the baseline audit review. The same issue won’t show up again in the merged file. …

I think you can also add a close session statement in the finally block. This would execute only if an exception occurs.





Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x