Data Sheet
Fortify Static Code Analyzer (SCA)
Static Application Security Testing

CyberRes Static Code Analyzer (SCA) pinpoints the root cause of security vulnerabilities in the source code, prioritizes the most serious issues, and provides detailed guidance on how to fix them so developers can resolve issues in less time with centralized software security management.

Static Testing Helps Build Better Code

Static Application Security Testing (SAST) identifies security vulnerabilities during the early stages of development, when they are least expensive to fix. It reduces security risks in applications by providing immediate feedback to developers on issues introduced into code during development. Static Application Security Testing also helps educate developers about security while they work, enabling them to create more secure software.

Fortify Static Code Analyzer (SCA) uses multiple algorithms and an expansive knowledge base of secure coding rules to analyze an application's source code for exploitable vulnerabilities. This technique analyzes every feasible path that execution and data can follow to identify and remediate vulnerabilities.

Find Security Issues Early

To process code, Fortify SCA works much like a compiler: it reads source code files and converts them to an intermediate structure enhanced for security analysis. This intermediate format is used to locate security vulnerabilities. The analysis engine, which consists of multiple specialized analyzers, uses secure coding rules to analyze the code base for violations of secure coding practices. Fortify SCA also provides a rules builder to extend and expand static analysis capabilities with custom rules. Results can be viewed in a number of ways depending on the audience and task.

Manage Results with Fortify Software Security Center (SSC)

Fortify Software Security Center (SSC) is a centralized management repository providing visibility into an organization's entire application security program to help resolve security vulnerabilities across the software portfolio. Users can review, audit, prioritize, and manage remediation efforts, track software security testing activities, and measure improvements via the management dashboard and reports to optimize static and dynamic application security test results. Fortify SSC helps to provide an accurate picture and scope of the application security posture across the enterprise.

The Fortify SSC server resides in a central location and receives results from different application security testing activities, such as static, dynamic, and real-time analysis. Fortify SSC correlates and tracks the scan results and assessment results over time, and makes the information available to developers through Fortify Audit Workbench, or through IDE plugins such as the Fortify Plugin for Eclipse, the Fortify Extension for Visual Studio, and others.

Users can also manually or automatically push issues into defect tracking systems, including ALM Octane, Jira, Azure DevOps Server, and Bugzilla.

Integration Ecosystem Includes:
• Integrated Development Environments (IDE): Eclipse, Visual Studio, JetBrains (including IntelliJ)
• Flexible Deployment Options: AppSec-as-a-Service, On Premise, or in the cloud
• CI/CD Tools: Jenkins, Bamboo, Visual Studio, Gradle, Make, Azure DevOps, GitHub, GitLab, Maven, MSBuild
• Issue Trackers: Bugzilla, Jira, ALM Octane
• Open Source Security Management: Sonatype, Snyk, WhiteSource, BlackDuck
• Code Repositories: GitHub, Bitbucket
• Swaggerized API for unlimited customization
• Audit Workbench − Smart View: visualization makes auditing and fixing easier:
  • Quickly understand how multiple issues are related from a data flow perspective
  • Apply Smart View filters to begin triaging or fixing issues at the most efficient point

Key Benefits

Fast and Accurate Scanning
• Static application security testing (SAST) captures the majority of code-related issues early in development.
• Identify and eliminate vulnerabilities in source, binary, or byte code
• Fortify SCA detects 815 unique categories of vulnerabilities across 27 programming languages and spans over one million individual APIs
• Accuracy as demonstrated by a true positive rate of 100% in the OWASP 1.2b Benchmark

Automate Security in the CI/CD Pipeline
• Reduces risk by identifying and prioritizing which vulnerabilities pose