Software optimizes black box security testing efficiency.

Press Release Summary:

Fortify® Tracer provides code-level information to optimize black box security testers' efforts, covering more of application and identifying additional vulnerabilities. With this software, users can measure percentage of security-critical points reached by black box security tests; accelerate remediation of identified vulnerabilities; and discover additional runtime vulnerabilities. It can be used in conjunction with any manual or automated security testing procedure.

Original Press Release:

Fortify Software Introduces Fortify Tracer to Improve the Effectiveness of Black Box Security Testing

New Software Security Technology Makes Every Manual and Automated Black Box Security Test Measurable and More Actionable

PALO ALTO, Calif., Oct. 23 -- Fortify Software, the leading provider of security products that help companies identify, manage, and remediate software vulnerabilities, today announced the introduction of Fortify(R) Tracer. Fortify Tracer provides code-level information so that black box security testers can:

1) Measure in a consistent way the percentage of security-critical points actually reached by black box security tests;
2) Speed remediation of identified vulnerabilities;
3) Discover additional runtime vulnerabilities that black box security testing tools cannot find.

"While black box security testing is important for analyzing the security of deployed applications, its scope is limited by the fact that the testing resides outside of the application," said Barmak Meftah, VP of Products & Services, Fortify Software. "Our research and early product feedback demonstrates the importance of knowing how many of a web application's security-critical points are covered during a test. In addition to providing this important metric, Fortify Tracer helps security professionals improve the effectiveness of their black box security tests and fix security flaws faster."

By providing code level information, Fortify Tracer helps security professionals adjust their black box testing efforts to cover more of the application and identify additional vulnerabilities. Fortify Tracer can be used in conjunction with any manual or automated security testing procedure, providing consistency and repeatability among independent application security tests.

"Fortify Tracer is a valuable addition to any black box application testing toolkit," said Andrew Nairn, Co-Founder of Gotham Digital Science, a leading security testing provider for Fortune 100 companies. "The detailed runtime information and code coverage statistics provided by Fortify Tracer will really assist security teams in performing more effective and comprehensive black box assessments."

"Fortify Tracer's code-level information is an exciting complement to AppScan, the market leading web application security testing solution," stated Michael Weider, CTO, Watchfire. "Used together, these two products will give customers a powerful solution that not only yields more secure applications but demonstrates how the Fortify-Watchfire partnership continues to provide meaningful security solutions for both our customers and the industry."

About Fortify Tracer

Fortify Tracer provides reports on coverage percentages and code-level details about runtime security errors discovered during automated and manual application penetration tests. Its patent-pending Call Site Monitor(TM) technology tracks security-critical APIs, such as database and file system, within the web application itself, and detects runtime vulnerabilities that are not visible through an application's web interface.

Fortify Tracer details which security-critical function points of a given application are actually exercised by specific penetration tests. In doing so, it helps security professionals evaluate and correct their tests, and remediate vulnerabilities much faster by showing them the actual location of vulnerabilities in the source code.

Fortify Tracer features include:

o Insightful security coverage reports detail percentage of security-critical functions exercised during a test. Key areas of the application that interact with sensitive interfaces, such as Web input, the database, and the file system, are tracked separately to provide additional coverage information;
o Patent-pending Call Site Monitor technology works from inside to provide vulnerability identification at the root cause;
o Dashboards clearly communicate key metrics and allow users to compare runs, inspect issues, and find the flaws quickly and easily;
o Fortify Tracer currently works on any J2EE executable (.war/.ear) files; users simply point to the file and the Fortify instrumentation engine inserts monitors at security-critical call sites;
o Detailed reports show vulnerabilities according to their categories, such as cross-site scripting and SQL injection.

Fortify Tracer is available today.

In a report released today, Fortify Software disclosed its findings that manual and automated web application black box security tests generally reach less than 50% of security-critical sites within the code. The report is based on sixty days of empirical data gathered from Fortify Tracer's black box security tests on numerous applications varying in function, size, and complexity. The full report is available today at

About Fortify Software, Inc.

Fortify Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products, Fortify Source Code Analysis (SCA), Fortify Tester, Fortify Tracer and Fortify Defender drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and Fortune 500 companies in a wide variety of industries such as financial services, healthcare, e- commerce, telecommunications, publishing, insurance, systems integration, and information management. The company is backed by a world-class team of software security experts and partners. More information is available at

All Topics