FORTIFY Overview PSV


Application Security

fortify

April 2023
Contents

1 Market Observations

2 Customer Challenges

3 Key Trends, Primary Use Cases, and Stakeholders Priority

4 Fortify Portfolio Overview and Business Value

5 Customer Success

6 Market Insights – Competition

7 AppSec Fortify in Banking and Finance


Trends and Market Observations
Application Security Key Trends 2022
Shift left | Cloud Transformation | AppSec Maturity | OpenSource Risk

AppSec Is evolving from Shift-Left to Shift Everywhere
• Test early is now test everywhere and often!
• There is no one-size-fits-all, but finding the right tools for the right job, at the right time.
• It’s all about defense in depth.

Cloud-Native AppSec
• With the broad IT industry trend towards the cloud, a modern software stack includes many cloud-native elements of the architecture.
• As a result, the demarcation between AppSec and InfraSec is becoming blurred.

AppSec Orchestration and Correlation
• AppSec orchestration and correlation has increasingly become a hot topic in the industry, with many benefits and challenges.

Securing the Software Supply Chain
• Supply chains have many blind spots or cracks that attackers can take advantage of, resulting in increased severity and frequency of attacks.

API security needs are growing ever larger
• APIs are the most rapidly growing attack surface, but still aren’t widely understood and are often overlooked by developers and AppSec managers.

Next Generation DAST
• We are starting to see developer-driven DAST testing expand, extending the use of DAST beyond the hands of AppSec/QA and fully within the Dev CI/CD automation pipelines.

Machine Learning and AI are key to the next evolution of automation
• Companies who use automation are twice as likely to implement security testing; in addition, there are numerous use cases for machine learning advancements.
Market Observations

The COVID-19 pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise.

There is an ever-increasing shortage of skilled security staff, which dilutes security best practices.

Organizations worldwide are facing sophisticated ransomware, deeply embedded vulnerabilities, and attacks on the digital supply chain.
Financial Impacts of Security Breaches
Average total cost and frequency of data breaches by initial attack vector (chart)

Source: Cost of a data breach report 2021 by Ponemon Institute and IBM
Top Security and Risk Management Trends for 2022

New responses to sophisticated threats

Attack Surface Expansion
Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, and more have made organizations’ exposed surfaces outside of a set of controllable assets.

Identity Threat Detection and Response
Organizations have spent considerable effort improving user authentication, which increases the attack surface. Credential misuse is now a primary attack vector.

Digital Supply Chain Risk
Cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

The evolution and reframing of the security practice

Distributing Decisions
“The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” said Firstbrook. “CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions.”

Beyond Awareness
Human error continues to be a factor in many data breaches, demonstrating that traditional approaches to security awareness training are ineffective. Progressive organizations are investing in holistic security behavior and culture programs (SBCPs), rather than outdated compliance-centric security awareness campaigns.

The consolidation of security products

Vendor Consolidation
Security technology convergence is accelerating, driven by the need to reduce complexity, reduce administration overhead and increase effectiveness. This consolidation will lower total cost of ownership and improve operational efficiency in the long term, leading to better overall security.

Cybersecurity Mesh
The security product consolidation trend is driving integration of security architecture components. However, there is still a need to define consistent security policies, enable workflows and exchange data between consolidated solutions. A cybersecurity mesh architecture (CSMA) helps provide a common, integrated security structure and posture to secure all assets, whether they’re on-premises, in data centers or in the cloud.

https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022
Customer Challenges and Personas
• Application Security Challenges
• Personas and Stakeholders

Attackers Move from Infrastructure Level to App Level
Application layer attacks are perceived as normal traffic and pass through network, perimeter, data, and endpoint security systems.

Application level
Application security (Security Functionality*; Controlled access; Avoiding bypassing)
• Not mature; lack of developer training
• Growing attack surface: more applications, more connected to the Internet
• Accelerating releases reduces time available for security
* Security functionality testing is different from application security testing.

Infrastructure level
Infrastructure security (Identity & Access Management; Network & Perimeter)
• Highly mature
• Substantial investments in place
• Systems are more secure out-of-the-box than ever
Security Is Often Left Out
Why?

• Need for Speed
Developers have to deliver functional code fast – anything else is friction.

• Digital Transformation
82% of CIOs say they have implemented new technologies, IT strategies, and/or methodologies due to the COVID-19 pandemic*.

• More Volume
Because of the volume of apps being pushed into production, security is not the focus of DevOps.

* IDG 2021 State of the CIO Report


Customers Need Help!

People: Training Developers around Security Testing
• Engage developers early in the testing process
• Make it easy for developers to initiate security scans on the code
• Prioritize security alerts to drive productivity of developers

Process: Maturing DevSecOps
Many customers are still in their early phases of adopting an integrated approach.
• They lack an understanding of the impact of not remediating vulnerabilities early in the development cycle.
• Involve developers to shift security left in the development cycle.
• Break silos through a centralized reporting and monitoring solution for found vulnerabilities.

Technology: Third-Party and Open-Source Vulnerabilities
• As much as 90% of applications use open-source software and libraries while they are available under the GNU general public license.

Inherited Vulnerabilities
• Blindly using code previously written by someone else is a huge risk. You cannot know what security measures had been taken; the code might contain many weaknesses and omissions.
• Reusing old code or legacy applications without adequate security testing or validating the health of the project can lead to vulnerabilities getting embedded in the new application. This is known as technical debt.
• Open-source modules might have security defects or known vulnerabilities, which could lead to software supply chain attacks.
Stakeholder Priorities

Henk Visscher, Chief Information Security Officer (CISO): Protect the organization’s brand, information, applications, and infrastructure. Cost optimization for security and risk.

Anika Bendali, DevOps Manager (DevOps): Manager with a technical background, responsible for developer tooling and overall CI/CD pipeline lights-on operation.

Julia Zanberch, Application Security Manager (AppSec): Identify, track, and reduce application security risks across the applications catalog.

Troy Michanna, Product Owner (DevLead): Release schedules and deadlines; ensures applications are secure before releasing to production.
Portfolio Capabilities and Business Value
• Fortify Portfolio Overview
• Fortify Business Value

Fortify Product Offerings
Flexible offering for Modern Development

• Static Code Analyzer: Analyzes source code for security vulnerabilities to enable Static Application Security Testing (SAST).
• Software Composition Analysis (SCA): Scans open-source components for vulnerabilities, either using Debricked (SaaS) or through our partnership with Sonatype (on-premises).
• WebInspect: Analyzes applications in their running state and simulates attacks to find vulnerabilities to enable Dynamic Application Security Testing (DAST).
• Software Security Center (SSC): Holistic application security platform included with on-premises or hosted solutions to centralize the visibility of application security risks.
• Fortify on Demand (FoD): AppSec as a managed service that includes SAST, DAST, SCA, and MAST capabilities, managed by CyberRes security analysts.
• Fortify Hosted: SaaS-based offering deployed in the cloud with managed infrastructure deployment and support.
Solutions that Align with DevSecOps Success: Integration, Automation, Speed

Backed by the Market-Leading Software Security Research Team
1,244 Vulnerability Categories | 30 Programming Languages | 1M+ Individual APIs

Fortify Embodies DevSecOps
Enterprise-level security at each stage of development. Strong integration with industry-leading tools.

Fortify Portfolio
Software Resilience for Modern Development
Why Fortify?

AppSec on demand
Application Security-as-a-Service with security testing and vulnerability management gets you started with minimal skilled resources.

High-quality AppSec
With Fortify, you don’t need to trade quality of results for speed in order to scale up your DevSecOps processes.

Industry-leading research
Our research supports 1,224 vulnerability categories across 30+ languages and over 1 million APIs to improve threat detection.

Benefits

Protect your software: Software resilience from a partner you can trust.
Detect risk: Focus on what matters with accurate, thorough results.
Evolve your AppSec: A holistic, scalable platform that supports your needs.
What we do – Enable Secure Code Development

Find and fix security vulnerabilities with fast and accurate results, whether the application is built in-house, by a third party, or using open-source libraries.

Automatically identify and tune out false positives with machine learning. Fix known issues with minimal developer friction.

Flexibility in testing application security on-premises, hosted, or delivered as a SaaS managed service. Cloud SDKs support cloud DevOps integration and testing of cloud microservices.

Fortify offers end-to-end application security solutions, including integration with the developer IDE as well as the DevOps tool chain (CI/CD).

Fortify is named #1 for Enterprise by Gartner (Critical Capabilities report), including its machine learning capabilities.

Fortify customers benefit from a holistic, inclusive, and extensible platform that uses a single taxonomy and provides building blocks to mature your software security assurance efforts.
AppSec’s Journey Toward Cyber Resilience
Then, now, and in the future

Milestones: 2001 SOX | 2008+ Major Cyberattacks | 2020 COVID driving DX

Era of Compliance (2001 - 2008): Comply, aka “Check the Box”
Era of Threat Management (2008 - 2014): De-risk, aka “Stage Gate”
Era of DX (2014 - 2020): Enable, aka “Shift Left”
Transform, Era of Growth (2021+): Resilient, aka “Speed vs Cost”
Customer Success and Market Insights
• Success Story
• Key competitors

The world’s leading enterprises entrust their AppSec needs to Fortify

9 out of 10 of the largest information technology companies
9 out of 10 of the largest banks
4 out of 5 of the largest pharmaceutical companies
5 out of 5 of the largest telecommunication companies
3 out of 3 of the largest independent software vendors
Federal: Strongest AppSec solution provider in Federal space (FedRAMP Certified)

“Micro Focus Fortify really addresses the needs of the developers. It makes sense to them.”
- Damien Suggs, AppSec Director

“This is a partnership to drive AppSec modernization with Fortify on Demand to deliver actionable, data driven results.”
- Rajan Gupta, VP, Product Security
Fortify Has a Continued Leadership Position in the Market

Leader in Application Security Testing

Fortify Key Competitive Differentiation

1 Maturity at Scale
Fortify is a good fit for enterprises with complex application projects and AST users with experience and advanced requirements.

2 Shift-Left Security
Fortify Security Assistant is a real-time security checker that operates in the IDE. It is not a replacement for a comprehensive SAST scan, but can provide a lightweight automatic check for developer security mistakes as the developer codes.

3 Fewer False Positives
The Fortify Audit Assistant feature has been extended to allow teams the flexibility to either manually review artificial intelligence (AI) predictions on issues or to opt in to “automatic predictions,” which support completely in-band automated triaging of findings. This contributes to reducing false positives.

4 Enterprise DAST
Micro Focus provides DAST that is able to address many of the challenges with modern applications, such as scanning client-side vulnerabilities or support for 2FA, among other things.

But don’t take our word for it…
Application Security Testing Market Size and Growth

Market Size Forecast 2017 to 2023 (Global): $3.3B in 2018 (F) to $7.1B in 2023 (F), 17% CAGR (chart)

Security Scanning Tools: Static Application Security Testing (SAST)*; Dynamic Application Security Testing (DAST)*; Software Composition Analysis (SCA)*; Interactive Application Security Testing (IAST)*
Runtime Protection Tools: Web Application Firewall (WAF); Bot Management; Runtime Application Self-protection (RASP)

Market Drivers
• Increasing investment in AppSec aligned with risk of breaches.
• Emergence of DevSecOps: Security becoming a critical component of DevOps, on-premises or in the cloud.
• Open Source: A significant % of production applications have OSS code, leading to software supply chain risks.
• Developer-Led: Developers are both users and a source for insider threats, which requires zero trust in the SDLC.
• Shift Left: Faster time to vuln identification and fix, driven by DevOps and the cost impact of remediation if done during production.

Source: Forrester Analytics: Application Security Solutions Forecast, 2017 to 2023 (Global)
F = Forecast *Fortify’s currently served market segments
Key Competitors (SCA, SAST, DAST)
• Invicti
• BlackDuck
• Coverity
Strengthen Your Cyber Resilience
CyberRes at a Glance

Portfolio areas: Data Privacy and Protection; Application Security; Identity and Access Management; Security Operations
Covering: Identities, Data, Applications

Protect. Detect. Evolve.
Protect across your identities, applications, and data. Detect, respond, and recover from advanced threats. Evolve your security posture at the speed of change.
Fortify AppSec: Banking and Finance

Banking and finance industry objectives
01 Financial Services: Deposits; Lending; Payment processing; Managing risks (Credit, market, etc.)
02 Profitability: Competitive Products; Competitive Services; Managing costs
03 Financial Stability: Secure payment system; Source of liquidity during stress; Nation’s/World’s financial backbone
04 Customer Needs: Tailor made products/services; Customer service
05 Innovation and Technology: Improve efficiency; Reduce costs; New products/services; Digital transformation
06 Reputation/Trust and Community Development: Customers; Shareholders; Stakeholders; Development of local community
Banking and finance security requirements

• Unleashing SecDevOps: Enable developers; Integrate security; Automate appsec
• C, I, A (Confidentiality, Integrity, Availability): Financial Info; Personal Data; Sensitive Data; Digital Assets (Applications, Systems)
• Security Monitoring and Logging: Applications/Systems; Suspicious Activity; User actions
• Authentication, Authorization, Session Control
• Penetration Testing
• Application Security Assessments
• Scaling AppSec: Horizontal Scaling; Vertical Scaling
• Eliminating noise (False-positive, Low Severity)
• Compliance (PCI, GDPR)
• Risk Management: Identification; Assessing; Mitigation
Statistics of AppSec in banking and finance

Average Cost of a Data Breach by Industry (chart; values in USD million)
Data Source: IBM Security Cost of a Data Breach Report 2022

Global AppSec Market by Industry Vertical, 2019 to 2027 (chart): BFSI; Retail; Government; Healthcare; IT & Telecommunications; Education; Other
Data Source: Researchdive - https://www.researchdive.com/5735/application-security-market
Top OWASP risks to finance industry
Top OWASP Application Security Risks: Banking and Finance Industry vs. All Other Industries (chart)
Categories shown: Sensitive Data Exposure (Data Leakage); Injection (RCE/RFI); XSS; Others. Percentages on the chart: 22%, 38%, 21%, 19%.

Data Source: Imperva - Top OWASP Risks to Financial Sector Report


AppSec challenges: Banking and finance industry

1 Cloud Transformation: Multiple Clouds; Insecure Integration; Migrate first, appsec later; Interoperability
2 Software Vulnerabilities: Data breach; Compliance violations; Supply chain attacks; App compromise
3 Conventional AppSec: Siloed SAST, DAST, MAST; Manual testing delays; Scalability concerns; Multiple parties involved
4 Rise of Mobile Apps: Speed precedes Security; Malware, Phishing; Processes sensitive data; Unauthorized access
5 Complex and Legacy Apps: Distributed architecture; Lack of security controls; Difficult to identify & address vulns
6 Third Party Risks: Third party apps; Third party service providers; Third party vendors
7 Access Control: Strong auth control; Sensitive info; Trade-off b/w ease of use and access control
8 AppSec Talent Gap: More demand, less supply; Train and retain
Top application attack vectors
Banking and finance industry

• Malware
• Sensitive Information Disclosure
• Privilege Escalation: Horizontal; Vertical
• Access Control Breaches: Authentication bypass; Broken Authentication
• Input Validation Attacks: XSS; Injection based; XSRF
• OSS: License violation; Compliance validation; Missing dependency
• File Inclusion: Remote file inclusion; Local file inclusion
• Phishing
Recommended solutions
Banking and finance industry

• Vendor/third party risk management
• Multi-factor Authentication
• Bridge talent gap: Developer/security professional training
• Periodic and automated application security testing: SAST; SCA; IaC; API; DAST; MAST
• Compliance
• Shift left Sec DevOps: On-Prem; Cloud (AWS, Azure, GCP, OCI); Hosted
• Penetration testing: Simulate real world attacks
• Strong input validation
• Strong authentication and access control
• Data encryption
• Secure Development Lifecycle (SDL)
• Application (Software, open source, Web app, mobile app) Vulnerability Remediation and/or Guidance
Fortify for banking and finance
Vertical specific solutions: Banking and finance Fortified

This slide repeats the recommended-solutions map above (vendor/third party risk management; multi-factor authentication; bridging the talent gap with developer/security professional training; periodic and automated application security testing with SAST, SCA, IaC, API, DAST and MAST; compliance; shift left Sec DevOps on-prem, cloud (AWS, Azure, GCP, OCI) or hosted; penetration testing that simulates real world attacks; strong input validation; strong authentication and access control; data encryption; Secure Development Lifecycle (SDL); application vulnerability remediation and/or guidance), with Fortify marked against the solution areas it addresses.
Benefits with Fortify

STRATEGIC
• Compliance
• Risk management
• Improved software quality
• Scalable security testing
• Cost savings
• Protection of crown jewels
• Secure cloud transformation

TECHNICAL
• Secure code move to production
• Increased code quality
• Reduction in pen testing costs
• Increased developer performance
• Train and enable developers
• Seamless integration into DevOps
Banking and finance: Standards and Compliance
• PCI-DSS
• OWASP TOP 10
• GDPR
• ISO 27001
• PSD2
• BASEL III
• FFIEC
• NYDFS
Fortify Licensing & Support

License Usage Definitions

Perpetual
• Perpetual License SKU provides the customer with perpetual usage rights to the software.
• The customer is required to buy a separate support SKU every year to get access to support and upgrades.
• There is no end date until the customer retires the software.
• Yearly purchase of support is considered a renewal purchase.
Applies to: Fortify On-premise SKUs

Subscription
• Subscription SKU provides the customer with a specific term of usage rights for the software.
• Subscription SKUs offer a bundle of term license to use + support for the defined term.
• Usage rights expire at the end of the subscription term.
• Yearly purchase of subscription is considered as a new purchase.
Applies to: Fortify On-premises, Fortify Hosted, debricked, Sonatype, and Fortify on Demand*
*FoD subscriptions are termed Assessment units

Additional Resources
• Product and Pricing Useful Links
• Pricing Tools (sharepoint.com)
• Micro Focus End User License Agreement (EULA) and Additional License Authorization (ALA) (Public)
• MF Business Support Agreement
• Addendum to the Business Support Agreement (Fortify)


Support Definitions

Business Support
• Bundle with Perpetual or Subscription SKU
• Provides product upgrades and updates during active term
• Provides 24x7 unlimited support on call through a toll-free number
• Provides access to self-help resources, free trainings, and community engagement

Premium Support: 3 levels of dedication available

Problem Resolution, Premium Support Engineers: Deep technical expertise for rapid incident resolution. Coverage per product center.
Technical Guidance, Technical Account Manager (TAM): Environment optimization & problem prevention. Coverage per product center.
Support Management, Enterprise Support Manager (ESM): Strategic guidance, escalation management & advocacy. Coverage per product group.
Fortify on Demand
Fortify on Demand – Managed Services
Offered as Subscriptions

Service Offerings: SAST (Static Application Security Testing); DAST (Dynamic Application Security Testing); MAST (Mobile Application Security Testing); SCA (Software Composition Analysis)
Tenant: CyberRes managed, hosted on AWS cloud
Security Analysis: Conducted by CyberRes, optional services
Currency: Assessment Units (AU)

What are Assessment Units (AUs)?
AUs are like tokens at a carnival . . .

Carnival: Purchase carnival tokens and spend them on rides.

Fortify: Purchase assessment units (AUs) and spend them on assessments.
How Many AUs should the customer purchase?

Single Assessment = initial assessment + remediation assessment. Application Subscription (1 year) = unlimited assessments of a single application / year.

Assessment Type*              | Single Assessment   | Application Subscription (1 year)
SAST: Static                  | 1 Assessment Unit   | 4 Assessment Units
SAST: Static+                 | 2 Assessment Units  | 6 Assessment Units
DAST: Dynamic Web             | 2 Assessment Units  | 6 Assessment Units
DAST: Dynamic+ Web            | 6 Assessment Units  | 18 Assessment Units
DAST: Dynamic API Assessment  | 2 Assessment Units  | 6 Assessment Units
DAST: Dynamic+ API Assessment | 6 Assessment Units  | 18 Assessment Units
MAST: Mobile                  | 1 Assessment Unit   | 4 Assessment Units
MAST: Mobile+                 | 6 Assessment Units  | 18 Assessment Units

Get your customer started with Fortify on Demand

SKU Description         | FoD Base Starter Edition               | FoD Starter Edition
What We License         | Assessment Units                       | Assessment Units
What Customer Gets      | Pack of 20 Assessment Units            | Pack of 65 Assessment Units
How Do We License       | Term Licensing (6 months)              | Term Licensing (6 months)
Ordering SKU            | SA-AA011: $ 15000 (includes Support**) | SA-AA012: $ 50000 (includes Support**)
Minimum Order Quantity  | 1                                      | 1

Terms of usage:
1. Use AU across scanning services available
2. AU to be consumed in 6 months, or else it retires
3. Customer can add additional units of AU to continue with their Fortify on Demand Usage
Fortify on Demand Support Options

Support tiers: Standard Support | Managed Support | Enhanced Support | Premium Support | Add-on Support Packages

Welcome Pack: included in the tiers marked on the slide
Self-Service Portal: included in the tiers marked on the slide
Help Desk Support: included in the tiers marked on the slide
Nominated Technical Account Manager: included in the tiers marked on the slide
Onboard Technical Development Team: 1st | 4 | ALL | 1st
Results Review Calls: 2 per month | 8 per month | 4 per month
Integration Support: 1 integration | ALL
Nominated AppSec Program Manager: marked for one tier on the slide
AppSec Program Support: marked for one tier on the slide
Customized Training Support: marked for one tier on the slide
Price / Year: Standard Support: Included | Managed Support: US $ 15000 for less than 100 AU purchased, else included | Enhanced Support: US $ 40000 | Premium Support: US $ 250000 | Add-on Support Packages: US $ 60000
A: Floor 16, Lotte Ha Noi Center, 54 Lieu Giai Street, Lotte Hanoi Building
W: www.tek-experts.com
