Commercial Banking 2
One of America's largest diversified financial services companies. Winner of numerous awards for its web site, web applications, and information security initiatives.
Industry research clearly indicates that malicious users are accelerating their efforts and efficacy. Diverse methods are constantly evolving to exploit any weakness in business applications. A key element to defending against the onslaught is to fortify as much of the code base as possible.
Traditional software security testing methods involve significant manual effort. Combined with the need for a specialized skill set, this prevents cost-effective audits of large code bases. Rather than being satisfied with focusing on only small amounts of the most critical code, this customer sought out a vendor with proven technology that could effectively automate security audits for a vast amount of code. This would lead to rapid audit and approval cycles, which in turn would reduce the audit bottlenecks and associated costs that are inevitable with manual efforts. Automating software security testing practices across the software development lifecycle would make security testing a transparent part of the lifecycle, rather than a black box at the tail end of the project.
As with all large, diversified financial organizations, one of the most daunting aspects of improving software security is to find a way to accurately and productively audit large amounts of code. Traditional methods involved the manual effort of highly skilled resources. This approach could simply never scale to meet the long-term business objective. One of the unique capabilities that Fortify Software brought to this problem was the ability to do just that – enable the Information Security team to audit vast amounts of diverse code and therefore dramatically increase application security.
With more than one hundred eighteen categories of vulnerabilities, the largest secure coding rule sets commercially available, and powerful code analyzers, Fortify Source Code Analysis (SCA) provides proven, accurate and productive results in this demanding enterprise deployment. This was facilitated by industry-leading ease of integration in the enterprise production build environment. This build integration is a prerequisite to obtaining results both quickly and efficiently over time.
Having engaged in extensive evaluations of all options, this customer determined that only Fortify Software had the combination of product performance, depth of analysis, and breadth of platform support to meet their needs. The unique ability to execute data flow analysis across tiers and languages proved to be the most effective means of identifying potential risks, with an exceptionally low rate of false negatives. This translates into high trust and rapid return on investment.
The Fortify Software solution and mentor consulting have brought immediate benefits. The Information Security team has greater insights into the security status of many applications. They are able to prioritize issues, and then communicate them in great detail to the development teams for remediation. Code that is produced by globally distributed teams can be fortified before it is accepted. As malicious tactics change, the solution can be easily tailored to adjust, and the security policy centrally managed and enforced.
This has delivered greater software security, decreased development costs, decreased maintenance costs, and an overall mitigation of risk associated with business applications, including web-facing applications.