Brochure

Fortify on Demand Dynamic Application Security Testing

Fortify on Demand delivers application security as a service, providing customers with the security testing, vulnerability management, expertise, and support needed to easily create, supplement and expand a Software Security Assurance program. Fortify on Demand supports Secure Development through continuous feedback to the developer’s desktop at DevOps speed and scalable Security Testing embedded into the development tool chain.

Protect Applications throughout the Software Development Lifecycle

Organizations are faced with rapidly expanding application portfolios, both in size and complexity. Securing applications from risk and vulnerabilities has become a business imperative in order to protect the business and protect customers. Applications must be protected across all phases of the Software Development Lifecycle (SDLC) to make a Software Security Assurance program successful. Application security begins when code is developed. Code is validated through testing, and is continuously monitored once the application moves into production. Application security programs embedded throughout the SDLC have been proven to be the most cost-effective way to ensure policy execution, compliance, and on-going enforcement. Dynamic Application Security Testing (DAST) is critical to identify vulnerabilities in the software in the Quality Assurance (QA) phase.

Fortify on Demand Dynamic Assessments Are Essential to Software Security

Fortify on Demand dynamic assessments complement Static Application Security Testing of source code because they identify vulnerabilities that can be detected only in a live/simulated production environment.
Examples of vulnerabilities detected only through dynamic testing range from configuration related vulnerabilities to sophisticated hacking techniques and specific attack vectors against an application’s business logic.

Fortify on Demand Dynamic Application Security Testing (DAST) assessments:
• Mimic real-world hacking techniques and attacks on targeted applications
• Provide comprehensive security analysis of complex web applications and web services
• Crawl the entire attack surface to find exploitable vulnerabilities
• Can test internal applications through site-to-site VPN or whitelisting Fortify on Demand’s official data centre IP addresses

Our DAST technologies support web applications, web services, and mobile-browser optimized applications. What makes Fortify on Demand DAST assessments unique is that they integrate three essential components: WebInspect automated testing, manual analysis, and optional active IAST.

WebInspect
• Best-in-class Dynamic Application Security Testing
• Extensive coverage across 250+ vulnerability categories
• Flexible authentication for improved session management

Manual Analysis
• Proven to remove 99% of false positives
• Results reviewed by 150+ global security experts
• Supports automated scanning with advanced, targeted penetration testing

Active IAST (optional)
• Works in conjunction with WebInspect and the application runtime engine
• Provides stack trace details for faster remediation
• Boosts the speed and accuracy of dynamic testing for improved results

Figure 1. Fortify on Demand: Comprehensive Dynamic Assessment Approach

Fortify on Demand Leverages WebInspect’s Leading-Edge DAST Capabilities

WebInspect is the cornerstone of Fortify on Demand DAST and is the industry-leading dynamic web application security assessment solution.
WebInspect is designed to thoroughly analyze today’s complex web applications and web services for security vulnerabilities. Fortify on Demand discovers potential threats across all web applications and web services as they move across QA, staging, and into production.

Capability highlights of WebInspect include:
• Coverage across 250+ unique vulnerability categories
• Automated scan scheduling and built-in support to pause and resume scans during scan blackout periods to save time and resources
• Flexible authentication handling for improved session management, particularly with complex applications
• Broad client-side language support such as HTML5, Flash, and JavaScript, among others
• Language-agnostic scanning technology covering virtually all s

This document was uploaded and shared by 路人甲 on 2022-08-20 03:52:34.