Fortify Source Code Analysis Suite 4.5
Strengths: Powerful analysis of source code. Solid documentation with an emphasis on workflow and secure coding best practices.
Weaknesses: The various components have a disparate look and feel. From a usability perspective, non-coders should steer clear of the code analysis tasks.
Verdict: An excellent source code analyzer that preaches the value and benefits of integration within the software development life cycle.
Summary
Fortify Source Code Analysis Suite 4.5 is a suite of components used to perform static source code analysis. Various languages and architectures -- such as ASP.NET, C/C++, C#, ColdFusion, Java, JSP, PL/SQL, T-SQL, XML, VB.NET and other .NET languages -- are supported. The product also supports several environments, such as Microsoft Visual Studio, Eclipse, WebSphere Application Developer and IBM Rational Application Developer.
Installation of the various components required minimal effort. The product installs on various flavors of Windows and UNIX and can be easily integrated into many different development environments.
The product consists of several different components, all targeted at the various roles that stakeholders have within the systems development life cycle (SDLC) environment. The Source Analyzer component is at the heart of the solution, and is a command line executable that integrates into the development build and integrated development environment (IDE) processes.
The Analyzer performed well against our test code. It has the ability to assess large code bases, as well as multiple tiers of code execution, largely independent of the environment in which you're running. The other components include a custom rules builder and a graphical front end for reviewing and editing the results from the Source Analyzer.
We did find many administrative tasks to be resource intensive on our test servers. Fortify recommends that quality assurance and testing personnel use the front end to make audit decisions, while developers run the Source Analyzer within their build process. We consider this sound practice, since non-coding users are likely to find the analysis tasks less approachable.
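The split workflow described above, developers running the analyzer in the build and auditors recording decisions in the front end, only works if the build honors those decisions without letting an unfinished audit wave findings through. The following is an added illustration of such a build gate, written for this review and not taken from Fortify's product; the CSV layouts, rule IDs, file paths and audit statuses are constructed for the example, and Fortify's own FPR result format is not modelled.

```python
"""Build-gate illustration: block a build on unaudited high-severity findings.

Added example, not Fortify code. The analyzer and audit files below use a
constructed generic CSV layout; Fortify's own FPR result format is not modelled.
"""
import csv
import io
from dataclasses import dataclass

# Ordering used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Audit statuses that may suppress a finding. Anything else (e.g. "under_review")
# leaves the finding blocking, so an incomplete audit never passes the gate.
SUPPRESSING_STATUSES = {"not_an_issue", "false_positive"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int

    def key(self):
        """Identity used to match audit decisions: rule, file and line."""
        return (self.rule_id, self.path, self.line)


# Constructed analyzer output (hypothetical rule IDs and paths).
SAMPLE_FINDINGS = """rule_id,severity,path,line
SQLI-001,high,src/main/java/UserDao.java,42
XSS-002,medium,src/main/webapp/profile.jsp,17
SQLI-001,high,src/main/java/ReportDao.java,88
PATH-003,low,src/main/java/FileUtil.java,12
"""

# Constructed audit export from the review front end (hypothetical). The first
# decision clears one SQLI finding; the second is still open and must not clear.
SAMPLE_AUDIT = """rule_id,path,line,status,reviewer
SQLI-001,src/main/java/ReportDao.java,88,not_an_issue,qa-lead
XSS-002,src/main/webapp/profile.jsp,17,under_review,qa-lead
"""


def parse_findings(text):
    """Parse analyzer CSV into Finding objects; unknown severities are rejected."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in {row}")
        findings.append(Finding(row["rule_id"], sev, row["path"], int(row["line"])))
    return findings


def parse_suppressions(text):
    """Return the set of finding keys an auditor has explicitly cleared."""
    return {
        (row["rule_id"], row["path"], int(row["line"]))
        for row in csv.DictReader(io.StringIO(text))
        if row["status"].lower() in SUPPRESSING_STATUSES
    }


def blocking_findings(findings, suppressed, threshold="high"):
    """Findings at or above the threshold that no audit decision has cleared."""
    floor = SEVERITY_RANK[threshold]
    return [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= floor and f.key() not in suppressed
    ]


def build_passes(findings_text, audit_text, threshold="high"):
    """Gate decision: True when nothing blocking remains."""
    findings = parse_findings(findings_text)
    suppressed = parse_suppressions(audit_text)
    return not blocking_findings(findings, suppressed, threshold)


if __name__ == "__main__":
    blocking = blocking_findings(parse_findings(SAMPLE_FINDINGS),
                                 parse_suppressions(SAMPLE_AUDIT))
    for f in blocking:
        print(f"BLOCKING {f.severity:<8} {f.rule_id} {f.path}:{f.line}")
    raise SystemExit(1 if blocking else 0)
```

Two design choices matter here. A suppression is keyed on rule, file and line rather than on rule alone, so clearing one instance of a rule cannot silently hide a new instance introduced elsewhere. And only an explicit closing status suppresses; a finding that an auditor has merely opened stays blocking, which keeps the developer-side gate honest when the QA-side audit lags behind.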
Lastly, a web-based management console provides high-level project information and dashboard views of vulnerability information. We found the suggested workflow to be on par with how most development teams would use the product. However, the differing look and feel of the various components at times suggests that some of them are at separate stages in the product roadmap.
The documentation goes above and beyond just stepping the user through features and options. The text often relays the value of using proper roles within the SDLC and frequently reminds developers of the benefits of integrating automated code testing into the build processes.
Pricing for Source Code Analysis Suite 4.5 starts at $1,200 per seat. No support options were provided to our reviewers, though the Fortify website links to a premium support area and lists contact information for general support requests.