Fortify Static Code Analyzer Primary Use Case

NS
Vice President, Cybersecurity at a financial services firm with 10,001+ employees

We manage the overall software development security organization, encompassing assistance to all developers across our organization worldwide. Our 10,000 developers help identify vulnerabilities in their code. We use Fortify Static Code Analyzer to explore methods to expedite vulnerability detection and remediation through a self-service pipeline.

Initially, we utilized Just Cloud, but subsequently, we developed our on-premises tools over the ensuing year. This resulted in substantial cost savings, as on-premises security solutions are generally more economical than their cloud-based counterparts.

JB
Adjunct at University of Maryland

We use the product as a SaaS analysis tool. We review static code. It allows you to find vulnerabilities.

The value of combining Fortify and Sonatype is that we use Fortify as a SaaS analysis tool. We review static code, and Sonatype allows you to find vulnerabilities.

I use it as a security center. I review it for any kind of issue, whether to prove or deny the findings in the source code, and then the enterprise can go back and provide their recommendation for how to fix the issue. It is used to scan the code base.

Vishal Dhamke - PeerSpot reviewer
Vice President Application Security North America at BNP Paribas

Fortify SAST performs static code analysis, which means it reviews the source code or compiled binary code without executing the application. This helps in identifying vulnerabilities, coding errors, and security issues within the codebase.
Fortify SAST supports a wide range of programming languages, including popular ones like Java, C/C++, C#, Python, and more. This broad language support makes it suitable for various development environments.

It comes with a comprehensive set of security rules and patterns to identify vulnerabilities, including issues related to the OWASP Top Ten, CWE (Common Weakness Enumeration), and other industry standards.

Buyer's Guide
Fortify Static Code Analyzer
May 2024
Learn what your peers think about Fortify Static Code Analyzer. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
770,292 professionals have used our research since 2012.
AA
Sr cyber analyst at an energy/utilities company with 10,001+ employees

We use Fortify SCA or SAST for scanning the source code, and we use Sonatype Nexus to scan libraries for any vulnerabilities. We get secure code and libraries by combining these two solutions. If we find any issues, we can fix them.

VF
Software analyst at a financial services firm

We use Fortify Static Code Analyzer and Sonatype in conjunction with Azure DevOps to view all code processes, from scheduling to deployment in production. This is typically included in the build. Therefore, when a colleague performs a build, all scans are automatically done, and they can see the results through the Fortify and Sonatype web portals.

Fortify Static Code Analyzer enables developers to identify and fix broken references within the code. We sought to understand how to write secure code by design.

Maurizio Garofalo - PeerSpot reviewer
Senior manager at a consultancy with 11-50 employees

We're consultants and it supports our primary banking group in Italy in terms of cybersecurity strategies.

Due to the mandatory use of Sonatype within the Italian banking industry, we rely on both Fortify and Sonatype to conduct a comprehensive analysis of the implemented code. 

TW
Security DevOps Engineer at a legal firm with 1-10 employees

We maintain several applications that utilize a mix of custom PHP packages and native functionality. When a package becomes outdated or a security vulnerability emerges within one, our lifecycle management system flags the issue and assigns a threat level of critical, high, or moderate. We prioritize mitigation based on severity, addressing critical issues first. Additionally, we've integrated Fortify on Demand into our build pipeline. This tool scans our codebase for static vulnerabilities as new code is built and performs dynamic scans for potential runtime issues once builds are deployed.

We implemented Fortify Static Code Analyzer to ensure our platform meets security standards, stays up-to-date with threats, and streamlines security remediation.

RS
Code Reviewer at HQ USMEPCOM

I make use of this solution every day in my current position. I have experience in its installation and troubleshooting and always ensure I am up to date with their latest releases. 

We use this solution to run and scan SQL code. 

Arun Dhwaj - PeerSpot reviewer
Senior Architect at a healthcare company with 10,001+ employees

Fortify Static Code Analyzer is used for scanning the container image, such as Kubernetes or Docker, and its main role is to do the static security analysis.

DA
Sr DevOps Engineer at incatech

We usually run the product through the pipelines, through GitLab CI/CD or Jenkins pipelines. I'm currently experimenting with AWS CodePipeline right now, integrating those types of tools into the pipeline.

TH
Director of Security at Merito

I work for a company that implements these solutions for customers. So, we've got it everywhere. I've done implementations that are very simple and are developer workstation-based or security analyst desktop-based. We also have implementations all the way up through their big kahuna, which is decentralized and automated scanning.

Abner Silva - PeerSpot reviewer
Cloud Security Analyst at an agriculture company with 1-10 employees

We use the tool for web-based applications. 
