October 27, 2006; 02:48 AM
Fortify Software, the leading provider of security products that help
companies identify, manage, and remediate software vulnerabilities,
today announced the introduction of Fortify® Tracer. Fortify Tracer
provides code-level information so that black box security testers can:
1. Measure in a consistent way the percentage of security-critical points actually reached by black box security tests;
2. Speed remediation of identified vulnerabilities;
3. Discover additional runtime vulnerabilities that black box security testing tools cannot find.
“While black box security testing is important for analyzing the
security of deployed applications, its scope is limited by the fact
that the testing resides outside of the application,” said Barmak
Meftah, VP of Products & Services, Fortify Software. “Our research
and early product feedback demonstrate the importance of knowing how
many of a web application’s security-critical points are covered during
a test. In addition to providing this important metric, Fortify Tracer
helps security professionals improve the effectiveness of their black
box security tests and fix security flaws faster.”
By providing code-level information, Fortify Tracer helps security professionals
adjust their black box testing efforts to cover more of the application
and identify additional vulnerabilities. Fortify Tracer can be used in
conjunction with any manual or automated security testing procedure,
providing consistency and repeatability among independent application
security tests.
“Fortify Tracer is a valuable addition to any
black box application testing toolkit,” said Andrew Nairn, Co-Founder
of Gotham Digital Science, a leading security testing provider for
Fortune 100 companies. “The detailed runtime information and code
coverage statistics provided by Fortify Tracer will really assist
security teams in performing more effective and comprehensive black box
assessments.”
“Fortify Tracer's code-level information is an
exciting complement to AppScan, the market leading web application
security testing solution,” stated Michael Weider, CTO, Watchfire.
“Used together, these two products will give customers a powerful
solution that not only yields more secure applications but demonstrates
how the Fortify-Watchfire partnership continues to provide meaningful
security solutions for both our customers and the industry.”
About Fortify Tracer
Fortify Tracer provides reports on coverage percentages and code-level details
about runtime security errors discovered during automated and manual
application penetration tests. Its patent-pending Call Site Monitor™
technology tracks calls to security-critical APIs, such as database and
file-system access, from within the web application itself, and detects
runtime vulnerabilities that are not visible through an application’s web
interface.
Fortify Tracer details which security-critical
function points of a given application are actually exercised by
specific penetration tests. In doing so, it helps security
professionals evaluate and correct their tests, and remediate
vulnerabilities much faster by showing them the actual location of
vulnerabilities in the source code.
Fortify Tracer features include:
* Security coverage reports detail the percentage of
security-critical functions exercised during a test. Key areas of the
application that interact with sensitive interfaces, such as Web input,
the database, and the file system, are tracked separately to provide
additional coverage information;
* Patent-pending Call Site Monitor technology works from inside the application to identify vulnerabilities at their root cause;
* Dashboards clearly communicate key metrics and allow users to compare
runs, inspect issues, and find the flaws quickly and easily;
* Fortify Tracer currently works on any J2EE deployable archive (.war/.ear);
users simply point to the file and the Fortify instrumentation
engine inserts monitors at security-critical call sites;
* Detailed reports show vulnerabilities according to their categories, such as cross-site scripting and SQL injection.
Fortify Tracer is available today.
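The description above (monitors inserted at security-critical call sites, coverage tracked per area, root-cause locations for flaws the web interface never reveals) is the kind of thing that is easier to see in code than in a feature list. The following is an added illustration, not Fortify's code and not a description of how Tracer is built: it enumerates every call to a sink in a constructed toy application, wraps the sinks so each call records which site fired and whether request data reached it unchanged, and runs a constructed black-box scan against it. The sink names, the area/vulnerability mapping, the application source and the requests are all assumptions made up for the example; taint propagation here is deliberately minimal (string concatenation only).

```python
"""Toy call-site monitor (added example, not Fortify Tracer's code).

1. Statically record every call to a security-critical sink in the app source.
2. Load the app with monitored versions of those sinks bound in.
3. Replay black-box requests; report which sites were reached, per area,
   and where request data hit a sink without sanitization.
"""
import ast
import sys
from collections import defaultdict

# Hypothetical sink names -> (area tracked separately in the coverage report,
# vulnerability class reported when unsanitized web input reaches the sink).
SINKS = {
    "db_execute": ("database", "SQL injection"),
    "fs_read": ("file system", "path traversal"),
    "html_out": ("web output", "cross-site scripting"),
}


class Tainted(str):
    """A string that originated in an HTTP request. Taint survives concatenation,
    which is how this toy notices input flowing into a sink as-is."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class CallSiteMonitor:
    def __init__(self):
        self.sites = {}      # (filename, lineno) -> area, for every sink call in the app
        self.hits = set()    # sites actually reached during the test run
        self.findings = []   # request data reaching a sink, with its code location

    def instrument(self, src, filename="<app>"):
        """Stand-in for instrumenting a deployable archive: record each sink call
        site from the source, then load the app with monitored sinks in scope."""
        for node in ast.walk(ast.parse(src, filename)):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in SINKS):
                self.sites[(filename, node.lineno)] = SINKS[node.func.id][0]
        namespace = {name: self._monitored(name) for name in SINKS}
        exec(compile(src, filename, "exec"), namespace)
        return namespace  # app handlers by name

    def _monitored(self, name):
        area, vuln = SINKS[name]

        def sink(arg, *params):
            caller = sys._getframe(1)                 # the app frame that called us
            site = (caller.f_code.co_filename, caller.f_lineno)
            self.hits.add(site)
            if isinstance(arg, Tainted):             # request data reached the sink as-is
                self.findings.append({"category": vuln, "sink": name, "line": site[1]})
            return f"{name} ok"                      # no real database/file/HTML here
        return sink

    def coverage(self):
        """Return ({area: (reached, total)}, overall fraction of sites reached)."""
        per_area = defaultdict(lambda: [0, 0])
        for site, area in self.sites.items():
            per_area[area][1] += 1
            if site in self.hits:
                per_area[area][0] += 1
        reached = sum(r for r, _ in per_area.values())
        return {a: tuple(v) for a, v in per_area.items()}, reached / len(self.sites)


# Constructed target application: four HTTP handlers and one batch job.
APP_SRC = '''\
def get_user(req):                                   # GET /user?name=
    return db_execute("SELECT * FROM users WHERE name = '" + req["name"] + "'")

def get_order(req):                                  # GET /order?id=
    return db_execute("SELECT * FROM orders WHERE id = ?", req["id"])

def show_doc(req):                                   # GET /doc?f=
    return fs_read("/srv/docs/" + req["f"])

def greet(req):                                      # GET /greet?who=
    return html_out("<p>Hello " + req["who"] + "</p>")

def nightly_report():                                # cron job, no HTTP route
    return fs_read("/srv/reports/latest.csv")
'''

# Constructed black-box scan. Inputs are benign on purpose: the monitor sees the
# flow, so no attack payload is needed. The scanner never found the /doc route.
SCAN = [("get_user", {"name": "bob"}),
        ("get_order", {"id": "7"}),
        ("greet", {"who": "alice"})]


def run_scan(requests=SCAN):
    monitor = CallSiteMonitor()
    app = monitor.instrument(APP_SRC)
    for handler, params in requests:
        req = {k: Tainted(v) for k, v in params.items()}  # taint at the web boundary
        app[handler](req)
    per_area, fraction = monitor.coverage()
    return per_area, fraction, monitor.findings


if __name__ == "__main__":
    per_area, fraction, findings = run_scan()
    print(f"security-critical call sites reached: {fraction:.0%}")
    for area, (reached, total) in sorted(per_area.items()):
        print(f"  {area}: {reached}/{total}")
    for f in findings:
        print(f"  {f['category']} via {f['sink']} at <app>:{f['line']}")
```

Two things the run makes visible that a scanner alone would not: the file-system area shows 0 of 2 sites reached (one because the scanner missed the route, one because it is batch code with no HTTP surface at all), and `get_order` is reached but not flagged, because the request value travels as a bound parameter rather than in the SQL text. The `get_user` finding points at the exact line to fix.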
In a report released today, Fortify Software disclosed its findings that
manual and automated web application black box security tests generally
reach less than 50% of security-critical sites within the code. The
report is based on sixty days of empirical data gathered from Fortify
Tracer’s black box security tests on numerous applications varying in
function, size, and complexity. The full report is available today at www.fortifysoftware.com/fortifytracer/report
About Fortify Software, Inc.
Fortify Software products protect companies from the threats posed by security
flaws in business-critical software applications. Its software security
products, Fortify Source Code Analysis (SCA), Fortify Tester, Fortify
Tracer and Fortify Defender drive down costs and security risks by
automating key processes of developing and deploying secure
applications. Fortify Software's customers include government agencies
and Fortune 500 companies in a wide variety of industries such as
financial services, healthcare, e-commerce, telecommunications,
publishing, insurance, systems integration, and information management.
The company is backed by a world-class team of software security
experts and partners. More information is available at www.fortifysoftware.com .