Fortify's offering in this space is also a CASE (computer-aided software engineering) utility. Any source code can be reviewed with the Source Code Analysis (SCA) suite. This ties in tightly with the PCI DSS standard, which requires code reviews; such reviews should also be part of any system development life cycle.
Source code analysis is, of course, the best way to spot flaws and, unlike most of the products we tested, it is not a black-box test.
Fortify SCA supports many languages including ASP.NET, C/C++, C#, ColdFusion, Java, JSP, PL/SQL, T-SQL, XML, VB.NET and other .NET languages. The software-based solution offers secure coding plug-ins for several development environments, such as Microsoft Visual Studio, Eclipse, WebSphere Application Developer and IBM Rational Application Developer.
Fortify SCA can be installed on a variety of operating systems including Windows, Mac OS X, Solaris, Linux, AIX and HPUX.
The installation was simple, and the utility automatically downloads updates during part of the installation process. The process was a bit time-consuming as the installation procedure configured the system. The application installation performs most of the configuration without the need for user intervention. All in all, the installation process was among the simplest in this group test.
The Fortify SCA rules builder allows you to customise rules specific to your organisation. A feature-rich audit workbench offers multiple sorting, filtering and organising features to prioritise important issues.
Fortify SCA arrived with a guide for the initial installation in hard-copy format. A PDF version of the document is also available. However, the PDF files are not indexed or searchable, which means the document has to be scanned manually.
Support is offered through phone and a password-protected web portal, as well as via email. In addition, the standard price includes quarterly updates of the latest security tests for code review.
The price for the Fortify SCA suite is £600 per developer. This puts the product at the low end of the spectrum. For a feature-rich CASE environment, this is definitely good value for money.