
FORTIFY SSA CONSULTING SERVICES

Advancing Software Security Assurance in the Enterprise


Data sheet

Software Security Assurance (SSA)


Consulting from the Market Leader
in Enterprise Software Security
As the number and severity of data security breaches
increase, organizations everywhere are finding it
necessary to implement practices that will help assure
the security of their software. While some have the
experience and expertise to successfully integrate
these practices into their software development and
procurement processes, many more do not. To assist
corporations seeking to adopt leading practices in
software security, Fortify offers a portfolio of SSA
Consulting Services. Built around Fortify's industry-tested Framework*SSA, Fortify SSA consulting services
help organizations succeed with their adoption and
implementation of critical software security initiatives.

An Introduction to SSA
SSA is the capability to adequately address the
problem of software risk within an organization. Where
the software quality assurance function assures that
an application will perform as it was intended, SSA
assures that it cannot be used in a way that might
cause financial damage, loss of intellectual property, or
business interruption. SSA is being rapidly adopted by
enterprises in response to the growing world-wide threat
from attacks seeking to exploit security flaws in software.


Fortify's Framework*SSA (further details can be found on
the back of this brochure) is an approach to organizing,
implementing, and measuring software security within an
organization. It is built upon leading practices gleaned
from many thousands of hours that Fortify consultants
have spent working with hundreds of leading enterprises
around the world.

Help from Experts: Fortify's SSA Consulting Services
Fortify can help an enterprise mitigate software
security risk regardless of the enterprise's current level
of software security sophistication. Fortify offers its
customers a portfolio of consulting services that can be
tailored to suit an individual enterprise's requirements.
Staffed with experts who are knowledgeable across
the entire SSA spectrum, Fortify can provide expertise
and guidance for advancing software security
awareness, implementing industry leading practices,
and mitigating security risk. Fortify can also help assess
the software-based business and technical risks an
organization is exposed to and develop and implement
plans to mitigate these risks.

"92% of exploitable vulnerabilities are in software."
(National Institute of Standards and Technology, NIST)

Awareness and Assessment of Software Security Risk


Understanding the extent of a problem is essential for gaining consensus among
stakeholders and developing an appropriate plan of action. To aid in this effort,
Fortify offers customers a complete set of assessment services that help identify,
quantify, and communicate the level of risk in in-house software development,
outsourced projects, commercial off-the-shelf software and open source software.
Security Awareness and Secure Coding Education
The Security Awareness and Secure Coding programs
offered by Fortify provide customers with the ability
to increase security awareness and usage of industry
leading practices within their organization. These
training classes or information sessions can be geared
toward both the technical and non-technical communities
within an organization.

SSA Risk Assessment


A Fortify SSA Risk Assessment determines an
organization's exposure to software security risk.
Fortify examines the business goals, software practices,
and deployed applications that contribute to the
organization's current security posture.
As part of the SSA Risk Assessment, an expert from
Fortify will:
- Analyze the organization's people, processes, and
  technology through interviews with key stakeholders
- Examine the current state of security governance to
  create a concise picture of existing efforts
- Check the effectiveness of current practices by
  reviewing the source code of key applications with
  Fortify 360
- Compare current activities to best practices in use by
  industry leaders
Findings are summarized and include a high-level
roadmap for a software security initiative. The roadmap
is developed in conjunction with the supporting business-case detail to help create sponsorship and support for a
broader SSA initiative.

Application Vulnerability Assessment


This engagement helps customers understand the
risks associated with an application by analyzing the
software's source code and providing a comprehensive
list of vulnerabilities. A Fortify consultant performs a
code review using the industry-leading Fortify 360 Suite.
A detailed summary of all vulnerabilities is produced
along with a description of the underlying code issues
and methods to address the vulnerabilities. To facilitate
remediation, customers can evaluate results from Fortify
360 using their development environment.

Third-Party Software Assessment


Much of the outsourced and third-party shrink-wrapped software developed today is coded
with little consideration for security. The Third-Party
Software Assessment service gives an organization
the opportunity to have their third-party software
assessed for security weaknesses. The team, consisting
of customers and Fortify consulting, conducts the
assessment in conjunction with the third party and
provides the security assessment results to both the third
party and the customer in a form that facilitates the
remediation effort.

Ongoing Managed Assessments


If an organization lacks sufficient software security
resources, a Fortify consultant can provide the needed
software security resources on a regular basis. The
consultant has access to the Fortify 360 Suite, making it
available to use on the customer's code. The consultant
visits the customer on site to perform assessments and
advise customer team members. Consultants can engage
with the customer during any part of the software
development lifecycle and provide the necessary insight
and advice to assist during that stage. A consultant can
also act as a regular member of an internal security
team and engage various internal projects as part of the
organization's security engagement process.

Planning and Implementing Secure Software


Once security risk is properly identified and understood, work can begin to define
and implement the processes necessary to remediate the existing risk and prevent
additional risk from being introduced into the enterprise. Fortify security experts can
help with designing and developing SSA-adherent processes, planning enterprise-wide security strategy, designing a customized Secure Development Lifecycle, and
authoring policies, guidelines, and white papers for secure development.

Software Security Strategy and Planning

This consulting engagement provides the means to
define an effective strategy for reducing the risk profile
of an enterprise's software portfolio. A Fortify consultant
works with the enterprise to develop and document a
strategy for addressing software security. The strategy is
developed through a series of technical workshops with
lead technical engineers, architects, business sponsors,
testers, and other individuals involved in the software
development process.

Secure Development Lifecycle Planning

Integrating a Secure Development Lifecycle (SDL) into
an enterprise's development methodology ensures that
security is considered in every step of the development
process. This service helps an organization integrate
best-practice SDL into their development strategies.
A Fortify consultant reviews existing methodologies,
workflows, and processes from a software security
perspective. A gap analysis is performed to illustrate
the strengths and weaknesses in the current processes.
New workflows and artifacts are injected into existing
development methodologies to assist the various project
stakeholders during the implementation and testing
phases of a project. Overall, the integration of SDL into
the development process helps programmers develop
code with enhanced security instead of relegating
security to a later, more costly process.

SSA Roadmap Development


The SSA process ensures that enterprises are adequately
addressing the software security risks in their business.
An effective SSA process provides the means to
identify and remediate risk in business software and
prevent additional risk from being introduced into the
organization via third-party code or outsourced projects.
It also provides executive management with an effective
governance model for ensuring the organization is
maximizing its efforts.
A Fortify consultant works with project stakeholders to
assess the customer's current organizational approach
to software security. A gap assessment is performed
to determine variance between the customer's current
strategy and industry best practices. Current software
security policies, guidelines, and specifications, along
with existing artifacts and workflow processes within the
project management cycle, are all carefully reviewed
and considered from a software security perspective.
Recommendations on appropriate levels of compliance
for each functional area are made. Plans for addressing
deficiencies can be developed.

Policies, Guidelines, and Technical Papers
Internalizing industry standards and leading practices for
developing secure applications within an organization
requires a significant investment in knowledge and in
documenting that knowledge. Technical policies and
guidelines allow the business and technical community
of an organization to clearly adopt specific software
security standards as non-functional requirements of any
development project. Standards for the requirements,
design, and development phases of a software project
help ensure that the organization is producing secure
software. For this service, a Fortify consultant provides
assistance in developing technical guidelines, policies,
and white papers that define and communicate these
standards.

Fortify Software Security Assurance

The enterprise's capability for adequately addressing the problem of application risk.

[Figure: Framework*SSA. Four disciplines: Alignment & Governance; Requirements & Design; Verification & Assessment; Deployment & Operations. Twelve functional areas: Education & Guidance, Standards & Compliance, Strategic Planning, Threat Modeling, Security Requirements, Defensive Design, Architecture Review, Code Review, Security Testing, Vulnerability Management, Infrastructure Hardening, Operational Enablement.]

About Software Security Assurance

SSA Importance

Software Security Assurance (SSA) is the process of
ensuring the organization's software meets the security
needs of the business. A comprehensive approach to
SSA addresses risks from:
- In-house software development
- Outsourced projects
- Commercial off-the-shelf software (COTS)
- Use of open source

At an average cost of over $56 million, the financial
impact of non-compliance with SSA can be significant.
Fortify can help an enterprise understand its risks and
increase assurance through Framework*SSA.

"The estimated total cost to enterprises of the 443
reported data breaches in 2007 is $25 billion."
(InformationWeek)

Framework*SSA

A software security initiative instills secure development
practices for creating strong new code and addresses
the weaknesses already present in deployed
applications. It includes training and technology
for software builders, a cooperative approach to
vendor management, a strategy for compliance and
management of Personally Identifiable Information (PII),
and a set of metrics for demonstrating progress.

Framework*SSA is a systematic approach to organizing,
implementing, and measuring SSA capabilities within
the enterprise. It consists of four disciplines: Alignment
and Governance; Requirements and Design; Verification
and Assessment; Deployment and Operations. These
disciplines encapsulate a total of 12 functional areas that
address the entire SSA lifecycle.

A successful software security initiative leads to:
- Measurably reduced risk from existing applications
- A controlled process for preventing vulnerabilities in
  new releases and procurements
This in turn reduces costs, delays, and wasted effort from
emergency bug fixes and incident clean-up.

Framework*SSA uses a Maturity Model to help
an enterprise characterize each functional area
and advance toward Software Security Assurance.
Combining a level-by-level assessment with an
enterprise's unique business risks, Framework*SSA helps
craft a roadmap to software assurance.

Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties
for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
All other product and company names may be trademarks or registered trademarks of their respective owners.
ESP-DTS002-121911-01, Created December 2011
