Fortify aims for the security suite spot; Moves upstream

Fortify Software, which heads off insecure software code in the development, said Monday that it has launched a suite designed to head off vulnerabilities in automated and older applications.

The suite, dubbed Fortify 360, expands the company's market. Previously, Fortify was mostly focused on checking code for vulnerabilities before applications went into production. That approach was fine for new software, but "developers don't address older applications," says Barmak Metfah, senior vice president of products and services at Fortify. That means there are security gaps in software that is more than a few years old.

Fortify 360 is being positioned as a software assurance suite designed to find, prioritize and fix vulnerabilities. Once a flaw is spotted it is tracked via a dashboard to manage and report the repairs. The general idea is to connect security, software development and tracking into a regular business process. Metfah said Fortify is trying to bring "harmony between security, development and lines of business to build business process around software assurance."

Metfah argues that the software that runs your business--and holds the secret sauce to a company's business processes--is at risk.

Among the core parts of Fortify 360:

• An analysis tool that includes static and dynamic access of code, QA testing and real-time monitoring;
• And audit tool that ranks vulnerabilities so security teams can remediate the biggest risks first;
• Instant remediation to deliver patches immediately;
• Collaboration tools so security and development teams can resolve vulnerabilities;
• Security dashboard to track vulnerabilities over multiple applications;
• Updates from Fortify's research team.

The strategy is designed to move Fortify, backed by Kleiner Perkins Caufield & Byers, upstream into what it calls the "business software assurance" market. In a nutshell, Fortify is arguing that security has to come within a company and that means focusing on the software that holds critical data from development to deployment. And thus far Fortify has a nice reference customer for its suite--the U.S. Air Force, which has rolled out Fortify 360.

Metfah's pitch makes a lot of sense and is part of a growing trend: Security companies are trying to position themselves as a dashboard that's critical to CIOs, CEOs, security folks and compliance officers who all need to prevent data breaches. Meanwhile, it's hard to argue with Fortify's "security from within" pitch. How many billions do we spend on security stuff only because underlying application code is shoddy?

The one challenge Fortify may face is suite fatigue. Most up-and-coming security players take two approaches: First, these companies bemoan existing suites and note they are cobbled together via acquisitions, don't work well and can't keep up with emerging threats--all of that is true. Then they offer you a newfangled suite. Even if a security company has a good market and serves a need enterprises are unlikely to engage with multiple security suites. There's a lot of inertia to overcome--that's one reason that the suite approach is so appealing. Once a suite is installed most folks don't rip them out.