HP Fortify on Demand can conduct a static and/or dynamic test, verify all results, and present correlated findings in a detailed web-based interface and report.
Static Application Security Testing (SAST)
HP Fortify on Demand leverages award-winning static analysis tools to find and fix vulnerabilities during development. A user uploads the source code, byte code, or binaries of an application and receives manually reviewed results, generally in less than 24 hours. Fortify on Demand's static analysis supports over 21 languages and more than 500 vulnerability categories.
| Feature | | |
|---|---|---|
| 21 Supported Languages | | ✔ |
| File Size | Up to 75 MB | Unlimited |
| False-Positive Removal | | ✔ |
| Vulns Found | Limited to 10 XSS/SQL Injection | All Categories |
| Turnaround | 1 Day | 1-2 Days |
Open Source Risk Analysis
Users of HP Fortify on Demand now have complete visibility into the risks associated with open source and third-party components in their applications via integration with Sonatype's Component Lifecycle Management (CLM) software.
Open source risk analysis is requested with a simple check box during a static assessment. A thorough Open Source by Sonatype Report is delivered back in minutes, complete with charts of the open source and third-party component vulnerabilities responsible for security, license, and quality issues in your applications.
Dynamic Application Security Testing (DAST)
HP Fortify on Demand offers four levels of service to find critical security issues in running web applications. We run a thorough analysis of an application's security posture, and false positives are removed.
Unlike most competing services, Fortify on Demand Dynamic Security Analysis is backed by a large team of the industry’s most elite application penetration testers. This makes all the difference when performing advanced testing, as the Fortify on Demand team not only uses the best in automation, but also employs a comprehensive manual testing methodology when evaluating your applications.
Fortify on Demand Dynamic Testing Options
| App Risk Level | Perimeter Scanning | Low | | |
|---|---|---|---|---|
| Automated Scan | No Authentication | ✔ | ✔ | ✔ |
| False Positive Removal | ✔ | ✔ | ✔ | ✔ |
| Remediation Scan | | ✔ | ✔ | ✔ |
| Manual Testing | | | ✔ | ✔ |
| Business Logic Testing | | | | ✔ |
| Web Services | | | | ✔ |
| Static Analysis | | | | ✔ |