Introduction
As a security professional, you’re proud of your static code scanning program. You run scans every month. Fortify Static Code Analyzer cranks out consistent results. Software Security Center lets developers exhaustively research each and every Common Weakness Enumeration (CWE). Surely, they have enough information to effectively manage their security backlog? That’s what you think, […]
Fortify Static Code Analyzer And Family Reporting: OWASP Top 10 Categories
Introduction
Fortify’s Software Security Center (SSC) not only has a powerful UI that developers can use to manage their backlog of security weaknesses. It also has a series of powerful reports. One of those reports shows weaknesses grouped by the categories in OWASP’s Top 10 (2017 edition). I use that all the time, and it […]
Fortify Static Code Analyzer And Family Reporting: Basic Statistics
Fortify Software Security Center Application Vulnerability Counts by Priority
In the previous post in this series, I showed you how to pull basic scan information out of the SQL Server database that houses Fortify’s Software Security Center (SSC) data. Fortify’s Static Code Analyzer (SCA) produced the *.fpr output file that populated SSC. In this post, […]
Fortify Static Code Analyzer and Family Reporting: Looking at a Scan
Fortify SCA and SSC Basics: The Scan
If we’re going to write reports based on Fortify Static Code Analyzer (SCA), then we need a source of the information. The output of an SCA scan is an *.fpr file, which contains what SCA thinks are the issues with the code, as well as code snippets, the […]
Introduction: Fortify Static Code Analyzer and Family Reporting
SAST: You Can’t Improve What You Can’t Measure
Protecting your custom applications and data is a never-ending task. It seems like the burden on application architects, designers, and developers has only increased in the world of Continuous Integration/Continuous Deployment (CI/CD). Teams have to find the right mix of tools like Dynamic Application Security Testing tools […]