Diff between Fortify on-demand and on-premise




What is the difference between HPE Fortify on-Demand and on-premise?



I'm trying to set up Fortify with Jenkins, which is running on Amazon cloud. Need suggestions.




2 Answers



"On-premise" means you're running the Fortify tools yourself, installed on hardware you manage (AWS instances, developer workstations, etc.).



"On-demand" means you're using Fortify as a service (the vendor refers to it as "Security-as-a-Service"). The marketing material indicates that you send off your source code to be analyzed by their team (using Fortify), and you'll be sent back a report of the results.



My comments are my own, and do not necessarily reflect the view of my employer.



I've used both. If you're sold on Fortify, then you should use the on-premise version. If you're open to using other tools, then you should ask if Fortify is right for you.



The short reason why is that Fortify on Demand often does not work for automation. It has too many problems, and Fortify Support will spend a lot more effort trying to get you to do something manual rather than trying to fix the problems.



Now let's break it down on the pros and cons of each.



With substantial effort and/or cost, you can set up Fortify on Premise to efficiently work in a DevSecOps environment. In between the development environment and the Fortify SSC server, it is advisable to have an environment, such as a Jenkins server, that the Fortify scanning happens from. This middle environment receives the code from the dev environment, scans it, and uploads the results to Fortify SSC (the on-premise server). If there are problems, having this middle environment will be essential for efficiently debugging, as the AppSec team will have complete control and visibility over it. The AppSec team will have to maintain the middle environment, Fortify SSC, and provide a script to developers to upload their code to the middle environment. Such a setup can be used to achieve security and raise the bar in secure coding practices in a corporate environment, but it takes time to set that up.



Pros:



Cons:



The appeal of Fortify on Demand is that you should not need all that setup to efficiently scan your code bases. In addition, they provide Jenkins and VSTS plugins to put in your developer build environment; they upload the code to the cloud server, the scan happens there, and you get the results. It would seem that they made it easier for you to have build-integrated security.



Unfortunately, it simply does not work. Things break all the time with Fortify on Demand, and you have little ability to debug the problems. You are forced to open a Fortify Support help ticket. Fortify Support is slow. When things fail, their knee-jerk reaction is that you are doing something wrong and they tell you to try something different. They make little effort to debug problems. If you are an expert on Fortify (knowing all sorts of things about fpr files and what to look for when things break), you can pin Fortify Support down to prove that the problem is in their environment. But rather than fixing it, they will encourage you to not use their plugin and do something else instead. So, the short summary is that if you want automation, Fortify on Demand is not for you. Their sales people won't say that, but when you pin them down, that's what they push you to accept.



Now to be clear, one thing you need to understand is that unless you are an expert, you may think that the VSTS plugin is working fine, and your developers write awesome code so that's why Fortify is not finding much. Don't be deceived. Look at the fpr file. You can find out what is scanned, and you will often find that a number of things didn't work. In my latest case, I am finding that none of the controller files were scanned, which is the most important part of scanning an application. I am mind-boggled that Fortify Support thinks it is not their responsibility to fix the problem in their environment.



Pros:



Cons:
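Added example, not part of either answer above: the second answer's advice to look at the FPR file and confirm what was actually scanned, written as a check a build step could run. It assumes an FPR is a zip archive containing `audit.fvdl` with `SourceFiles/File/Name` entries (confirm this against one of your own results files); the sample archive, its namespace URI and the glob patterns are constructed.

```python
import fnmatch
import io
import xml.etree.ElementTree as ET
import zipfile


def local(tag):
    """Strip the XML namespace so the check does not depend on its URI."""
    return tag.rsplit("}", 1)[-1]


def scanned_files(fpr_bytes):
    """Return the source paths listed under SourceFiles in audit.fvdl."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as fpr:
        root = ET.fromstring(fpr.read("audit.fvdl"))
    return [n.text.strip().replace("\\", "/")
            for sf in root.iter() if local(sf.tag) == "SourceFiles"
            for n in sf.iter() if local(n.tag) == "Name" and n.text]


def unscanned_patterns(fpr_bytes, required_globs):
    """Return every required glob that matches no scanned file."""
    files = scanned_files(fpr_bytes)
    return [g for g in required_globs if not fnmatch.filter(files, g)]


def build_sample_fpr():
    """Constructed sample: an FPR-like zip whose scan missed all controllers."""
    fvdl = """<FVDL xmlns="urn:example:constructed-fvdl">
  <Build><SourceFiles>
    <File><Name>Web/Models/User.cs</Name></File>
    <File><Name>Web/Views/Home/Index.cshtml</Name></File>
  </SourceFiles></Build>
</FVDL>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("audit.fvdl", fvdl)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical patterns: the parts of the code base a scan must cover.
    required = ["*Controllers/*.cs", "*Models/*.cs"]
    gaps = unscanned_patterns(build_sample_fpr(), required)
    for g in gaps:
        print(f"NOT SCANNED: no file in the FPR matches {g}")
    raise SystemExit(1 if gaps else 0)  # non-zero exit fails the build step
```

Failing the build on a non-empty result turns a silently incomplete scan into a visible pipeline error instead of a clean-looking report.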





