As someone passionate about application security, you likely know how vital it is to find and fix vulnerabilities early in the software development lifecycle (SDLC). The most effective way to do this is by utilizing static application security testing (SAST) to analyze source code for weaknesses.
One of the foremost SAST solutions available today is Micro Focus Fortify Static Code Analyzer (SCA). I've used Fortify extensively over my career, and in this comprehensive guide, I'll share my insights on everything you need to know about this powerful tool:
- How Fortify SCA works to detect vulnerabilities in code
- Key features that make it a top SAST choice
- The types of code analysis it performs
- Steps for downloading, installing, and configuring Fortify SCA
- Integrating scans into your CI/CD pipeline
- Comparing Fortify to other SAST tools on the market
My goal is to provide you with a deep understanding of Fortify SCA based on my first-hand experience, so you can determine if it's the right fit for analyzing your critical source code. Let's get started!
What is Fortify Static Code Analyzer and How Does It Work?
Fortify SCA is a source code analysis tool used to identify security vulnerabilities like SQL injection, cross-site scripting (XSS), and more. It works by scanning application source code, binaries, scripts, and libraries to uncover insecure coding patterns, configurations, and architecture weaknesses.
Unlike dynamic analysis tools which test running applications, Fortify SCA performs static analysis. This means it analyzes code without executing it, allowing vulnerabilities to be discovered earlier in the development process before bugs can reach production systems.
According to Gartner research, static analysis finds 3x more security defects than dynamic testing. This makes SAST solutions like Fortify SCA invaluable for finding vulnerabilities early.
Advanced Static Code Analysis Capabilities
What makes Fortify stand out is its sophisticated static code analysis engine. Fortify combines:
- Data flow analysis – tracks how user input flows through code to reveal vulnerabilities that arise from dangerous data usage.
- Control flow analysis – analyzes program execution sequence to find logic flaws.
- Semantic analysis – understands language semantics to uncover logical coding errors.
- Structural analysis – assesses code structure and composition against secure coding best practices.
These advanced analysis techniques allow Fortify SCA to trace data propagation and understand code behavior without executing it. This provides more complete test coverage and means vulnerabilities that evade basic pattern matching are still discovered.
According to Micro Focus research, this advanced analysis capability results in a significantly lower false positive rate compared to traditional SAST tools – approximately 15% on average. More accurate findings mean developers waste less time chasing down false alarms.
Comprehensive Vulnerability Coverage
Fortify SCA includes over 1,300 built-in coding rules derived from major security standards like OWASP Top 10, CWE/SANS Top 25, and PCI DSS. The extensive knowledge base covers vulnerabilities across these key categories:
- Input validation and representation
- API abuse
- Security features
- Error handling
- Time and state
- Encapsulation
- Code quality
- Configuration
Rules are kept current through frequent updates, ensuring the latest threats and risky coding practices are detected. Custom rules can also be created to tailor analysis to your specific environment and security standards using the graphical RulesBuilder tool.
This combination of breadth and depth in vulnerable code detection makes Fortify SCA highly accurate at identifying security flaws – helping to catch issues developers may not even be aware of.
Why Fortify SCA is a Top SAST Tool
Now that you understand how Fortify SCA works, let's look at some of its standout features:
Broad Programming Language Support
Fortify SCA can analyze code written in a wide range of languages:
- Java, Kotlin, Scala, Groovy
- C/C++, Objective C
- C#, VB.NET, ASP.NET
- JavaScript, TypeScript, CoffeeScript
- Python, Ruby, PHP, Go
- PL/SQL, T-SQL, MySQL, and more
This allows consolidating security testing across polyglot applications – critical for microservices and modern development environments.
According to Forrester, Fortify has the broadest language support among SAST vendors, minimizing tool sprawl.
Integration with IDEs and CI/CD
Fortify provides robust integrations with popular developer tools and CI/CD platforms.
For example, Fortify plugins for Visual Studio, Eclipse, and IntelliJ IDEA allow developers to scan code and view results right within their editor. This brings security seamlessly into the dev workflow.
Fortify also integrates with all major continuous integration tools like Jenkins, CircleCI, Azure DevOps, and GitHub Actions. Automated scanning can be performed on each commit or pull request to identify vulnerabilities before they reach production.
Per Gartner, Fortify sets itself apart with strength in CI/CD integrations compared to competitors. This facilitates automated scanning as code progresses through the pipeline – enabling true shift-left security.
Management and Reporting
The Fortify Software Security Center (SSC) provides a centralized web portal for managing Fortify application security testing. All findings from SAST, DAST, and manual pen testing can be imported into SSC for tracking and analytics.
SSC offers visual dashboards and robust reporting capabilities to monitor your entire application security program. Metrics tracked include:
- New, existing, and fixed vulnerabilities
- Vulnerabilities by severity, category, and business context
- Coverage across applications and versions
- Developer productivity through remediation velocity
These actionable insights help demonstrate progress and ROI on application security initiatives to business stakeholders.
On-Premises and SaaS Deployment Options
Organizations can deploy Fortify's solutions as:
- On-premises – installed on your own infrastructure. Provides more customization control.
- Fortify on Demand – SaaS platform hosted by Micro Focus. Streamlines management.
- Fortify Hosted – Private cloud-based instance. Balances control and convenience.
Forrester Research recognized Fortify as having the most flexible deployment options among major SAST vendors.
APIs for Customization and Integration
Fortify provides a robust set of APIs for customizing scans, exporting data, and integrating with third-party tools:
- Scan automation API – initiate scans and retrieve results programmatically.
- Artifact upload API – upload source code and binaries for scanning.
- Filter Sets API – apply custom filters to analyze specific slices of code.
- Report generation API – export findings into CSV, PDF, XML and other formats.
Findings can be fed into SIEMs, ticketing systems, threat intelligence platforms, and more using these integration APIs.
Types of Code Analysis Performed by Fortify SCA
A key strength of Fortify SCA is the variety of code analysis techniques it employs to provide broad and accurate vulnerability detection:
Data Flow Analysis
- Tracks how data propagates through the program to uncover vulnerabilities caused by dangerous data usage, like SQLi and XSS.
- Fortify's Advanced Dataflow Engine provides enhanced path exploration and data tracking for more complete coverage.
Control Flow Analysis
- Analyzes the execution order and call sequences in code.
- Helps identify logic-based vulnerabilities like authentication bypasses.
Structural Analysis
- Assesses code structure and composition for compliance with secure architecture principles.
- Catching risky constructs early avoids bugs down the line.
Configuration Analysis
- Checks for insecure settings like verbose error messages, unsafe headers, misconfigured SSL, etc.
- Locking down configurations proactively improves security posture.
Semantic Analysis
- Leverages deep understanding of language semantics to uncover logical coding flaws.
- Catches vulnerabilities that pattern matching methods may miss.
This combination of complementary analysis techniques enables Fortify SCA to perform a very thorough examination of code for a broad spectrum of security issues.
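To make the source-to-sink idea behind data flow analysis (described in the capabilities overview above and again in this section) concrete, here is a toy taint tracker written for this guide in Python. It is not Fortify's engine and does not come from its rulepacks. It walks the Python `ast` of a snippet, treats the listed call names as sources, sinks and sanitizers (these lists, the `quote_identifier` helper and the sample snippet are all constructed for the example), propagates taint through assignments, concatenation and f-strings, and reports each sink that receives data derived from a source without passing through a sanitizer. A real engine does the same thing across function calls, files and languages, with far larger source/sink models.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass
from typing import Optional

# Constructed source/sink/sanitizer model for the demo. Real SAST rulepacks carry
# thousands of such entries; these few are assumptions made for this example.
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"cursor.execute": 0, "os.system": 0, "subprocess.call": 0}  # name -> index of the sensitive argument
SANITIZERS = {"int", "quote_identifier"}  # quote_identifier is a hypothetical helper


@dataclass
class Finding:
    lineno: int
    sink: str
    source: str


def qualname(node: ast.AST) -> Optional[str]:
    """Dotted name of a Name/Attribute chain, e.g. 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Intra-procedural, flow-sensitive taint propagation over straight-line code."""

    def __init__(self) -> None:
        self.tainted: dict[str, str] = {}  # variable name -> source it derives from
        self.findings: list[Finding] = []

    def taint_of(self, node: ast.AST) -> Optional[str]:
        """Return the source feeding this expression, or None if it is clean."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = qualname(node.func)
            if name in SOURCES:
                return name
            if name in SANITIZERS:
                return None  # a sanitizer breaks the taint chain
            return self._first_taint(node.args)  # any other call passes taint through
        if isinstance(node, ast.BinOp):  # string concatenation / % formatting
            return self._first_taint([node.left, node.right])
        if isinstance(node, ast.JoinedStr):  # f-strings
            return self._first_taint([v.value for v in node.values if isinstance(v, ast.FormattedValue)])
        return None  # constants, tuples of bound parameters, etc. are clean

    def _first_taint(self, nodes) -> Optional[str]:
        for n in nodes:
            src = self.taint_of(n)
            if src:
                return src
        return None

    def visit_Assign(self, node: ast.Assign) -> None:
        src = self.taint_of(node.value)  # evaluate the RHS against the state before the assignment
        for target in node.targets:
            if isinstance(target, ast.Name):
                if src:
                    self.tainted[target.id] = src
                else:
                    self.tainted.pop(target.id, None)  # a clean reassignment kills the taint
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = qualname(node.func)
        if name in SINKS and len(node.args) > SINKS[name]:
            src = self.taint_of(node.args[SINKS[name]])
            if src:
                self.findings.append(Finding(node.lineno, name, src))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed snippet: lines 2 and 7 are true positives; lines 4 (sanitized)
# and 5 (parameterized query) must not be reported.
SAMPLE = '''\
user = request.args.get("user")
cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
uid = int(request.args.get("id"))
cursor.execute("SELECT * FROM users WHERE id = " + str(uid))
cursor.execute("SELECT * FROM users WHERE name = %s", (user,))
cmd = "ls " + user
os.system(cmd)
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.lineno}: {f.source} flows into {f.sink}")
```

The two design points worth noticing are that the sanitizer check sits on the call that wraps the tainted value (so `int(request.args.get("id"))` cleans the data) and that a tuple of bound parameters is never treated as the query text, which is why the parameterized query on line 5 is not flagged. Both are exactly the kinds of distinctions that separate a low-false-positive analysis from plain pattern matching.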
Installation and Configuration Steps
Ready to try Fortify SCA? Here are the key steps to get up and running:
Prerequisites
Make sure your system meets the minimum requirements:
- Windows, Linux, or macOS
- 64-bit OS
- 8 GB RAM minimum (16 GB recommended)
- Quad core or higher CPU
- 100 GB free HDD space
See the Fortify system requirements guide for full details.
Obtain License
You'll need a valid Fortify SSC license file, which can be acquired on the Micro Focus website by requesting a trial or purchasing a subscription.
Install Fortify SCA
- Download the Fortify installer for your operating system from the Micro Focus Support Site.
- Run the installer .exe or .run file and step through the installation wizard.
- At minimum, select the Core Components to install the main Fortify SCA capabilities.
- Provide the path to your Fortify license file when prompted.
- Configure Fortify Rulepack updates by providing the URL: https://update.fortify.com. This enables regular content updates.
- Once the installation completes, the main Fortify SCA components will be available.
Complete Configuration
After installation, finish configuring Fortify by:
- Running `sourceanalyzer` from the `bin` directory to launch the setup wizard.
- Choosing your language and locale preferences.
- Activating your license.
- Selecting any additional plugins and rulepacks to install.
Fortify SCA is now ready to perform scans!
Running Security Scans
To run scans, you'll need:
- Source code for the application or component to be scanned
- Build output for compiled languages (e.g. .NET DLLs or Java .class files)
Scans can be initiated from:
- Fortify Scan Wizard GUI
- `sourceanalyzer` command line
- CI/CD plugin (Jenkins, Azure DevOps, etc.)
- IDE plugin (Visual Studio, Eclipse)
Let's walk through running a scan from the terminal. First clear any previous results for the build ID, then translate the sources:
```
sourceanalyzer -b <build_id> -clean
sourceanalyzer -b <build_id> -source 1.8 -target 1.8 <src_files>
```
This translates Java source code into Fortify's FPR format. For compiled code, use -binaries instead of -source.
Now we can scan the translated code:
```
sourceanalyzer -b <build_id> -scan -f <results.fpr> -rules all -format pdf myscan.pdf
```
This scans the code using the full rulepack and generates a PDF report. Add -clean periodically to clear previous results.
The scan report will contain all vulnerabilities found and their severity ratings. Results can be analyzed in the Audit Workbench or fed into a ticketing system.
Integrating Fortify SCA into Your CI/CD Pipeline
To fully leverage Fortify SCA, it's recommended to integrate automated scanning into your CI/CD pipeline.
This enables security analysis to be performed on every code commit, pull request, and release. Issues can be caught before changes reach production.
Fortify provides integrations for all major CI/CD platforms:
Jenkins
The Fortify Jenkins plugin enables scanning initiation from Jenkins and collection of results.
Azure Pipelines
The Fortify Azure DevOps extension provides build tasks for CI/CD integration.
GitHub Actions
You can add Fortify scanning to GitHub workflows using the ScanCentral SAST Action.
Bamboo, TeamCity, CircleCI
Plugins are also available for Bamboo, TeamCity, CircleCI, and other CI/CD platforms.
CI/CD integration enables automated shift-left security testing as code progresses through the pipeline to production.
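Whichever plugin starts the scan, the pipeline still needs a rule for deciding whether the build may proceed. The gate below is an added example written for this guide, not code from Fortify's plugins or from any project. It assumes findings have been exported to CSV (the column names, the two sample exports and the severity policy are all constructed for the example), diffs the current export against the previous build to split findings into new, existing and fixed (the same split SSC reports on), and fails the stage only when new findings exceed the policy, so the gate can be switched on against an existing backlog without blocking every build.

```python
from __future__ import annotations

import csv
import io
import sys
from collections import Counter

# Constructed sample exports. The column layout is an assumption made for this
# example, not Fortify's actual CSV schema. instance_id stands in for a stable
# per-finding identifier that survives between scans.
PREVIOUS_SCAN = """\
instance_id,severity,category,file,line
a1,Critical,SQL Injection,app/users.py,42
b2,High,Cross-Site Scripting,app/views.py,17
c3,Low,Poor Logging Practice,app/log.py,8
"""
CURRENT_SCAN = """\
instance_id,severity,category,file,line
b2,High,Cross-Site Scripting,app/views.py,17
c3,Low,Poor Logging Practice,app/log.py,8
d4,Critical,Command Injection,app/jobs.py,91
e5,Medium,Path Manipulation,app/files.py,33
"""

# Gate policy (assumed): maximum number of NEW findings tolerated per severity.
# Severities not listed here are reported but never block the build.
POLICY = {"Critical": 0, "High": 0, "Medium": 5}


def load_findings(text: str) -> dict[str, dict[str, str]]:
    """Index a CSV export by its stable finding identifier."""
    return {row["instance_id"]: row for row in csv.DictReader(io.StringIO(text))}


def diff_scans(previous: str, current: str):
    """Classify current findings as new or existing, and list those fixed since the previous scan."""
    prev, cur = load_findings(previous), load_findings(current)
    new = [cur[i] for i in cur if i not in prev]
    existing = [cur[i] for i in cur if i in prev]
    fixed = [prev[i] for i in prev if i not in cur]
    return new, existing, fixed


def evaluate_gate(previous: str, current: str, policy: dict[str, int] = POLICY) -> dict:
    """Apply the policy to the new findings only and return a summary for the build log."""
    new, existing, fixed = diff_scans(previous, current)
    new_by_severity = Counter(f["severity"] for f in new)
    violations = {sev: new_by_severity[sev] for sev, limit in policy.items() if new_by_severity[sev] > limit}
    return {
        "passed": not violations,
        "violations": violations,
        "counts": {"new": len(new), "existing": len(existing), "fixed": len(fixed)},
        "new_by_severity": dict(new_by_severity),
    }


if __name__ == "__main__":
    result = evaluate_gate(PREVIOUS_SCAN, CURRENT_SCAN)
    print(result)
    sys.exit(0 if result["passed"] else 1)  # a non-zero exit fails the pipeline stage
```

Run on the two constructed exports, the gate fails because one new Critical finding (d4) exceeds the limit of zero, while the fixed SQL injection (a1) and the two carried-over findings are reported without affecting the verdict. Gating on new findings rather than totals is what keeps a shift-left rollout from stalling on day one; the existing backlog is tracked and burned down through SSC dashboards instead.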
How Fortify SCA Compares to Other SAST Solutions
So how does Fortify SCA stack up to alternatives like Checkmarx, Veracode, Synopsys, SonarQube, and more?
Accuracy
Fortify provides a very low false positive rate around 15% thanks to advanced analysis and machine learning. Less noise speeds up remediation.
Speed
Average scan times under 30 minutes for even large codebases. Incremental scans complete in seconds to fit into CI/CD.
Scalability
Can handle extremely large applications with billions of lines of code – one of the most scalable engines.
Language Support
Single solution can analyze 20+ programming languages to consolidate tools.
Custom Rules
Ability to build custom rules tailored to your specific needs and vulnerabilities.
DevOps Integration
Mature integrations facilitate automated scanning throughout CI/CD pipelines.
Reporting
Robust dashboards, analytics, and metrics through the Fortify Software Security Center.
Based on my experience and research, Fortify SCA provides among the strongest and most well-rounded SAST capabilities on the market today.
The Bottom Line
Static analysis using Fortify SCA enables you to identify vulnerabilities in source code proactively, rather than waiting for bugs to reach production. By integrating automated scanning into your CI/CD pipelines, security testing can shift left in the software development life cycle.
The combination of advanced analysis techniques, broad language support, accurate findings, and DevSecOps integrations make Fortify SCA a robust SAST tool.
Of course, SAST is only one piece of the application security puzzle. For comprehensive protection, it's recommended to complement static scanning with dynamic analysis, penetration testing, and runtime application self-protection capabilities.
But for discovering vulnerabilities in source code, Fortify SCA is an excellent choice trusted by leading engineering organizations. Hopefully this guide has provided helpful insights to evaluate if Fortify SCA is right for your needs. Let me know if you have any other questions!