Redefining The Walls Of Security

The Palo Alto, Calif.-based company was formed by three former application developers and one security expert to address the issue that even though companies spend billions of dollars on security to protect their assets and privileged information, attacks have been on the rise.

"The billions [of dollars] put into security have been put into walls that go around and try and keep the good stuff from getting out—but the hackers figured it out. They stopped trying to bash against the wall and started going through those avenues that software made available [such as] Web applications. Instead of trying to break in and guess the login, they started to pretend they were a good piece of data but instead gave an instruction to return everybody's records," said Mike Armistead, Fortify co-founder and vice president of corporate development.

"That level of attack couldn't be solved by those walls that were put around it. It meant you had to make those applications secure from the inside out," he said.

To combat the problem, Fortify offers four software products that identify vulnerabilities at different stages in the application development process. Fortify SCA identifies security issues in source code as it's developed. Fortify Tracer examines applications during testing. Fortify Defender looks for vulnerabilities when an application is deployed, and Fortify Manager organizes the information so that developers can assess the risk profile of applications. The offerings range in price from $6,500 to $200,000, depending on product and implementation.

While the company has a healthy channel in the Asia-Pacific region, Fortify recently appointed a vice president of corporate development to beef up its U.S. and European channels. The company recently inked a deal with Wipro Technologies, a solution provider in India that develops software for enterprise companies.

"We're outreaching to different folks within the VAR channel, especially those that would be a good fit for the kinds of products that we have and that have a good reach into different kinds of customer bases. We really have a whole program that is doing outreach and assessment and evaluation of different VARs to see where the right fit is," Armistead said.

So far, Fortify's users have been enthusiastic about the product. Financial Engines, an investment adviser in Palo Alto, beta-tested the products and has been using them for about a year and a half to test the Web-based applications that its customers use.

Matthew Todd, CIO and vice president of risk and technical operations at Financial Engines, uses Fortify to determine how secure his developers' code is before the company's software goes live.

"It fits right in with our overall risk management process. We do a great deal to ensure the security and privacy of customer data because, obviously, as financial advisers we have people's financial information," Todd said.

"Any vulnerability is too many. No one solution is going to be enough. Fortify is part of an overall practice. It alone wouldn't be sufficient, but it plays an overall part in our security practice," he said.

Hyperic, an open-source IT management solution provider in San Francisco, came to use Fortify software when a public company was looking to the firm to develop a software product and wanted to make sure the code was secure. Incorporating the solution won Hyperic the job.

"It satisfied our customer and we were able to get our customer on board and they were really pleased with our results," said Javier Soltero, CEO of the company. "It's not something that just got us through the hoops with this customer; it's given us a competitive advantage."

Working with open-source code opens products up to additions from a wide range of developers, and running nightly scans with Fortify has allowed Hyperic to maintain its open-source model while making sure the contributed and changed code is up to par.

"At every layer of the ROI calculation, in terms of the problems that it identified, those were problems that would not have surfaced without Fortify's technology taking a closer look," Soltero said. "It delivers not only security but a higher-quality product."