How does Fortify software work? [closed]

Fortify is a SCA used to find the security vulnerabilities in software code. I was just curious about how this software works internally. I know that you need to configure a set of rules against which the code will be run. But how exactly it is able to find the vulnerabilities in code.

Does anyone have any thoughts about this?

Thanks in advance.


HP Fortify SCA has 6 analyzers: data flow, control flow, semantic, structural, configuration, and buffer. Each analyzer finds different types of vulnerabilities.

Data Flow This analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The data flow analyzer uses global, inter-procedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation). For example, the data flow analyzer detects whether a user-controlled input string of unbounded length is being copied into a statically sized buffer, and detects whether a user controlled string is being used to construct SQL query text.

Control Flow This analyzer detects potentially dangerous sequences of operations. By analyzing control flow paths in a program, the control flow analyzer determines whether a set of operations are executed in a certain order. For example, the control flow analyzer detects time of check/time of use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used.

Structural This detects potentially dangerous flaws in the structure or definition of the program. For example, the structural analyzer detects assignment to member variables in Java servlets, identifies the use of loggers that are not declared static final, and flags instances of dead code that will never be executed because of a predicate that is always false.

Semantic This analyzer detects potentially dangerous uses of functions and APIs at the intra-procedural level. Basically a smart GREP.

Configuration This analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files.

Buffer This analyzer detects buffer overflow vulnerabilities that involve writing or reading more data than a buffer can hold.


@LaJmOn has a very good answer, but at a completely different level of abstraction I can answer the question in another way:

  1. Your source code is translated into an intermediate model, which is optimized for analysis by SCA.

  2. Some types of code require multiple stages of translation. For instance, a C# file needs first to be compiled into a debug .DLL or .EXE, and then that .NET binary file disassembled into Microsoft Intermediate Language (MSIL) by the .NET SDK utility ildasm.exe. Whereas other files like a Java file or ASP file are translated in one pass by the appropriate Fortify SCA translator for that language.

  3. SCA loads the model into memory and loads the analyzers. Each analyzer loads rules and applies those roles to functions in your program model, in a coordinated manner.

  4. The matches are written into an FPR file, with the vulnerability match information, security advice, source code, source cross-reference and code navigation information, user filtering specification, any custom rules, and digital signatures all zipped into the package.


Also an addendum to @Doug Held comment above ... Starting with Fortify 16.20, SCA now supports scanning .Net C#/ASP/VB source code directly - no longer requiring pre-compilation.