Diff between Fortify on-demand and on-premise

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP



Diff between Fortify on-demand and on-premise



What is the difference between HPE Fortify on-Demand and on-premise?



I'm trying to setup fortify with jenkins which is running on amazon cloud. Need suggestions.




2 Answers
2



"On-premise" means you're running the Fortify tools yourself, installed on hardware you manage (AWS instances, developer workstations, etc).



"On-demand" means you're using Fortify as a service (the vendor refers to it as "Security-as-a-Service"). The marketing material indicates that you send off your source code to be analyzed by their team (using Fortify), and you'll be sent back a report of the results.



My comments are my own, and do not necessarily reflect the view of my employer.



I've used both. If you're sold on Fortify, then you should use the on premise version. If you're open to using other tools, then you should ask if Fortify is right for you.



The short reason why is that Fortify on Demand often does not work for automation. It has too many problems, and Fortify Support will spend a lot more effort trying to get you to do something manual rather than trying to fix the problems.



Now let's break it down on the pros and cons of each.



With substantial effort and/or cost, you can setup Fortify on Premise to efficiently work in a DevSecOps Environment. In between the development environment and the Fortify SSC server, it is advisable to have an environment, such as a Jenkins server, than the Fortify scanning happens from. This middle environment receives the code from the dev environment, scans it, and uploads the results to Fortify SSC (the on-premise server). If there are problems, having this middle environment will be essential for efficiently debugging -- as the AppSec team will have complete control and visibility over it. The AppSec team will have to maintain the middle environment, Fortify SSC, and provide a script to developers to upload their code to the middle environment. Such a setup can be used to achieve security and raise the bar in secure coding practices in a corporate environment, but it takes time to set that up.



Pros:



Cons:



The appeal for Fortify on Demand is that you should not need all that setup to efficiently scan your code bases. In addition, they provide Jenkins and VSTS plugins to put in your developer build environment, they upload the code to the cloud server, the scan happens there, and you get the results. It would seem that they made it easier for you to have build integrated security.



Unfortunately, it simply does not work. Things break all the time with Fortify on Demand, and you have little ability to debug the problems. You are forced to open a Fortify Support help ticket. Fortify Support is slow. When things fail, their knee-jerk reaction is that you are doing something wrong and they tell you to try something different. They make little effort to debug problems. If you are an expert on Fortify (knowing all sorts of things about fpr files and what to look for when things break), you can pin Fortify Support down to prove that the problem is in their environment. But rather than fixing it, they will encourage you to not use their plugin and do something else instead. So, the short summary is that if you want automation, Fortify on Demand is not for you. Their sales people won't say that, but when you pin them down, that's what they push you to accept.



Now to be clear, one thing you need to understand is that unless you are an expert, you may think that the VSTS plugin is working fine, and your developers write awesome code so that's why Fortify is not finding much. Don't be deceived. Look at the fpr file. You can find out what is scanned, and you will often find that a number of things didn't work. In my latest case, I am finding that none of the controller files scanned, which is the most important part of scanning an application. I am mind boggled that Fortify Support thinks it is not their responsibility to fix the problem in their environment.



Pros:



Cons:






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Firebase Auth - with Email and Password - Check user already registered

Image
Clash Royale CLAN TAG #URR8PPP Firebase Auth - with Email and Password - Check user already registered I want to check when a user attempts to signup with createUserWithEmailAndPassword() in Firebase user Authentication method, this user is already registered with my app. createUserWithEmailAndPassword() 8 Answers 8 To detect whether a user with that email address already exists, you can detect when the call to createUserWithEmailAndPassword () fails with auth/email-already-in-use . I see that @Srinivasan just posted an answer for this. createUserWithEmailAndPassword () auth/email-already-in-use Alternatively, you can detect that an email address is already used by calling fetchSignInMethodsForEmail() (previous called fetchProvidersForEmail() ). fetchSignInMethodsForEmail() fetchProvidersForEmail() When the user trying to create an user with same email address, the task response will be "Response: The email address is already in use by another account." mFirebas
Read more

Dynamically update html content plain JS

Image
Clash Royale CLAN TAG #URR8PPP Dynamically update html content plain JS So I have a script bound in my index.html, which literally has to fetch an array of jsons from an api, then dynamically update my page when get response. But as a result I'm getting an as the only update of my page. here is my script fetch(url) .then((resp) => resp.json()) .then((resp) => resp.results.forEach(item => fetch(item.url) .then((response)=> response.json()) .then((response) => pokeArr.push(response)) .catch(console.log) ) ).catch(console.log) const filler = () => if(!pokeArr) return 0 pokeArr.map((i,j)=> return `<tr>$i.name</tr>` ) const pokeindex = () => document.getElementById('a').appendChild(document.createElement(filler())) pokeindex() When I'm consoling it, I can see in the console all the responses I get, so I'm at least doing the fetching part right. What's parberakan ? What's pokeArr ? – T.J. Crowder Aug 8 at 12
Read more

How to determine optimal route across keyboard

Image
Clash Royale CLAN TAG #URR8PPP How to determine optimal route across keyboard I'm trying to automate the typing process in a video game. Players are given an on-screen QWERTY keyboard layout that they can navigate with the control stick (up, down, left, right) in order to select a letter to type. I was wondering if there was a module for Python (or some other resource I could explore) that would help my program find a path across the keyboard as it types each letter in a given message. In other words, if the first letter typed was "A" and the next letter was "B", the module would know that the program should move 1 space down on the keyboard and 4 spaces to the right. Currently, I have the program resetting to the "G" key after each letter is typed (allowing me to use fixed-directions as the program parses each character in the desired message). As you can imagine, this is quite inefficient and defeats the purpose of automating the typing in the fir
Read more