Fortify Source Code Analysis Suite 4.5
Strengths: Powerful analysis of source code, solid documentation
Weaknesses: The various components have a disparate look and feel
Verdict: An excellent source-code analyser that preaches the value and benefits of integration within the SDLC
Fortify Source Code Analysis Suite 4.5 performs static source code analysis. Various languages and architectures are supported, including ASP.NET, C/C++, C#, Java, JSP, PL/SQL, T-SQL, XML, VB.NET and other .NET languages. The product also works with development environments such as Microsoft Visual Studio, Eclipse, WebSphere Application Developer and IBM Rational Application Developer.
Installation of the various components required minimal effort. The product installs on various flavours of Windows and Unix and can be easily integrated into many different development environments. The suite consists of several components, targeted at the various roles within the systems development life cycle (SDLC). The Source Analyzer is at the heart of the solution, and is a command-line executable that integrates into the development build and IDE processes.
The Analyzer performed well against our test code. It can assess large code bases and multiple tiers of code execution largely independent of the environment it is running in. Other components include a custom rules builder and a graphical front end for editing the results from the Source Analyzer. We found many administrative tasks to be resource-intensive on our test servers. Fortify recommends that quality-assurance and testing staff use the front end to make audit decisions, while developers use the Analyzer within their build process.
Finally, a web-based management console provides high-level project information and dashboard views of vulnerability information. We found the suggested workflow to be on par with how most development teams would use the product. However, at times, the different look and feel of the various components suggests that some of them may be at separate stages in the product roadmap.
The documentation goes above and beyond just guiding the user through features and options. The text often relays the value of using proper roles within the SDLC and reminds developers of the benefits of integrating automated code testing into the build process.
No support options were provided to our reviewers, but the Fortify website does have a link to a Premium support area as well as contact information for general support requests.