
“If you haven’t taken a look at these guys, I think you should, before that ‘bad thing’ happens to your company.”

- CIO Magazine

“The company making security a built-in feature to software”

- CNBC Powerlunch


© FORTIFY SOFTWARE INCORPORATED 2006, All Rights Reserved

2

Fortify - the Software Security Market Leader

The technology innovator that defined the segment

Multiple award winning products span the development lifecycle

Over 150 patent claims filed to date

Largest & most demanding customer base

Sustained 300% revenue growth

10:1 win ratio in head-to-head bake-offs

The world’s largest code bases (19M SLOC)

Blue chip technical & management team

Average 25 years software experience

Advised by the world’s top security experts

“Fortify is the clear winner for many reasons, including their superior analysis and reporting capabilities, and their understanding and support of how security fits into the software development lifecycle.”

- Mary Ann Davidson, CSO, Oracle

IT Setup

Hidden slide

4

Applications become increasingly critical and pervasive and a prime target for hackers and malicious insiders, creating a staggering increase in lost information and system downtime.

In-Secure is In-Complete and Not Good Enough

Root cause of security problems

Gartner - 75% of breaches due to poorly written applications

NIST - 92% of vulnerabilities are in software

Leading enterprises take action today!

Awareness now at 70%

Over 20% implementing or actively investigating

If you are not, you will soon…

Demands of customers/partners

Regulatory requirements

Industry best practices

5

What is your risk exposure now?

Baselines and benchmark metrics

Across the enterprise: purchased and custom developed

Key constituents have competing requirements

Management - visibility & risk reduction

Infosec - assurance and accountability

Development - agility and flexibility

How will you introduce security discipline in software development?

New concepts and requirements

Increased responsibility and accountability

Tough Challenges Require an Experienced Partner

“Most companies get this wrong. Success requires executive mandate and clear controls for establishing accountability for security in development.”

- Gary McGraw, Author and CTO, Cigital


The Top 5 Software Security Traps and Pitfalls

ISV Setup

Hidden slide

7

Built-In Software Security Flaws Have Companies Up In Arms

More than half of those responding to InformationWeek Research's Global Security Survey 2006 say vendors should be held legally or financially responsible for products' security vulnerabilities.

InformationWeek Jul 10, 2006 12:01 AM

In-Secure is In-Complete - What is Your Brand Worth?

Software vulnerabilities make for good headlines

76+ articles in Feb 2006 alone

Pressure is mounting

Customers quick to blame vendors

Risk exposure awareness at 90%

Microsoft establishing best practices

Aggressively promoting “SDL”

You will be doing SDL…

Customers/partners will ask

Regulatory requirements will demand it

Differentiator for you or your competitor


8

What priority is security given in your development ranks?

Security is not just another bug…

Key constituents have competing requirements

Management - visibility & risk reduction

Infosec - assurance and accountability

Development - agility and flexibility

How will you introduce security discipline in software development?

New concepts and requirements

Increased responsibility and accountability

Tough Challenges Require an Experienced Partner

“If we have a group that is knowingly ignoring the SDL or de-prioritizing it, at best we have an accountability problem and at worst an HR problem.”

- Mike Nash, Corporate VP, Microsoft


The Fortify Solution

Hidden slide

10

Secure Development Lifecycle (SDL)

The Goal of (SDL): “Building Security In”

Software Development Lifecycle (SDL)

Security Training

Threat Modeling

Risk Analysis

Source Code Analysis & Review

Security Testing

Application Security Event Monitoring

11

Fortify Application Security Deployment Suite

[Lifecycle diagram: Plan, Design, Code, Functional Test, Penetration Test, Deploy]

Metrics and Reporting

Fortify Software Security Analysis Suite

Fortify Software Security Manager

Fortify Software Security Test Suite

Source Code Analysis and RunTime Analysis

Security Testing and RunTime Analysis

Application Monitoring and Protection

“Other vendors are promising integrated lifecycle solutions while Fortify has been delivering on that promise for years.”

- Andrew Binstock, InfoWorld Magazine

Fortify Completes Your Software - Makes it Secure

12

Fortify Scales from the Desktop to the Enterprise

Fortify Enterprise

Fortify Professional

Fortify Source Code Analyzer

Fortify Team


Fortify RunTime Analyzer

Fortify Security Tester

Fortify Software Security Analysis Suite

Fortify Application Security Deployment Suite

Fortify Software Security Manager

Reporting & Metrics

Lifecycle Management

Policy-Driven Analysis

Rules Management

Infosec Project Auditing

Source Code & RunTime Analysis - Developer Desktop and Build Server

Triage, Review and Audit GUI

Dev Pro Version

Individual developers, testers, and auditors

Software development teams

Integrated Enterprise Deployments


Integrates and manages multiple Fortify Team Suites

Application Monitoring and Defense

Fortify Software Security Test Suite

RunTime Analysis

Security Testing

Security Debugging - The “Purify” for Security


Visual Studio Team Suite 2005

13

Teams Deliver Code You Can Trust with Fortify

Development

Fortify SCA Dev Pro - Targeted, accurate analysis tuned for low false positives

Fortify Source Code Analyzer - Comprehensive, accurate analysis tuned for low false negatives

Fortify Audit Workbench - Fast and effective triage, review, and audit

Test

Build Server

Security Lead

Developers Desktop

FPR

Management

Fortify Security Tester - Thorough and effective WhiteBox™ testing leveraging existing QA scripts

Fortify RunTime Analyzer - Enhanced WhiteBox™ testing through concurrent dynamic analysis

Security Testers

Fortify Application Defense - Real-time security event monitoring and protection through production-grade runtime analysis

Security Ops Team

Production

(Visual Studio, Borland, Eclipse, IBM WSS)

14

Fortify is Proven in the Most Demanding Environments

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor; roles: Security, Management, Development, Operations, QA]

Fortify has proven to meet the needs of enterprise deployments

Extensible solutions that span the development lifecycle (SDL)

Solutions for the developers, testers, auditors

More languages, platforms, frameworks and tools than anyone else

Superior architecture and proven experience with the most demanding customers

Fortify delivers what the others miss - complete and accurate results

The award winning Fortify Source Code Analysis Suite

Patent-pending RunTime Analysis

Patent-pending X-Tier Analysis

Patent-pending WhiteBox Security Testing

15

Fortify in the Enterprise – Security In Development

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor; Security]

Fortify SCA Dev Enterprise

Targeted analysis tuned for low false positives at the desktop

Fortify Source Code Analyzer

Fortify RunTime Analyzer

Fortify Audit WorkBench

Comprehensive and accurate results for low false negatives at code review

Development

Development Teams

Security Auditors

Fortify Software Security Manager

Fortify Rules Builder

Central visibility and control required to manage an enterprise deployment

Management

Security Leads

“After an extensive evaluation, we found that Fortify not only had the lowest false positives, but routinely found issues the others missed…”

- Kevin O’Neil, Investors Bank & Trust

16

Fortify in the Enterprise– Security In QA / Test

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor; Security]

Fortify Security Tester

Thorough and effective security testing leveraging existing QA scripts

Fortify Source Code Analyzer

Fortify RunTime Analyzer

QA

Penetration Testing Teams

Security Auditors

Source Code and RunTime Analysis deliver actionable and meaningful WhiteBox™ testing results

Fortify Software Security Manager

Fortify Rules Builder

Central visibility and control required to manage an enterprise deployment

Management

Security Leads

“Fortify tears the cover off black-box testing and offers results that help fix the issues…”

- IDC, 2006

17

Fortify in the Enterprise – Security In Production

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor; Security]

Fortify Software Security Manager

Fortify Application Defense

1st embedded application security monitor providing unparalleled insight and protection

Operations

Security

“Fortify delivers on the promises made by application firewalls – it’s accurate, scalable and easy to implement.”

- Aditya Palande, ProTrade

18

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor]

Software security audits and tests performed at key milestones

Collect and track metrics and enforce policies

Stop faulty code from entering into production

Getting Started is Easy – Security Assurance Gates

Security

Management

Development

Visibility on business risk and software security improvement goals.

Crucial feedback on vulnerabilities and progress towards goals. Augmented with training, security is introduced with the guidance of the infosec team.

Only Fortify

Hidden slide

20

The dilemma: Accuracy or completeness?

Are you going to miss security issues or make developers upset?

You don’t need to compromise accuracy for completeness!

Accuracy is meaningless if the results are not complete

Complete results are useless if they are not accurate

Fast, easy and accurate for developers

Complete and accurate for security staff

The Solution You Can Trust - Complete and Accurate

Why is completeness a requirement for security?

[Chart: Completeness vs. Accuracy, with "acceptable risk" and "acceptable utility" thresholds; in-adequate solutions plotted below them: QA Tools, Pen-Testing Products, Other Security Analysis Products]

21

Fortify Source Code Analysis - The Gold Standard

Source Code

C, C++, .Net, Java, JSP, PL/SQL, T-SQL, XML, CFML

Secure Coding Rules

Fortify finds what the others miss - complete and accurate results

5 analyzers deliver breadth and accuracy

Over 3,000 security rules covering 118 vulnerability categories

Over 20 quality categories through integration with FindBugs

Extensible so you can write your own custom analysis rules

Fortify fits the way you work and supports the tools you use today

Separate auditor and developer versions

Platforms: Windows, Solaris, Red Hat Linux, Mac OS X, HP-UX, IBM AIX

Frameworks: EJB (BEA, WebSphere), Cold Fusion, Struts, Hibernate, Spring

IDEs: Visual Studio, Eclipse, IBM, Borland

Source Code Analyzers: semantic, dataflow, controlflow, config, structure

Broad and deep coverage for the security auditor so you don’t miss a thing

Directed analysis on the desktop so you don’t slow down development

Tuning Options

22

[Diagram: Front End (ASP, JSP) - Business Logic (Java, C#, C/C++) - Back End (PL/SQL, T-SQL)]

Only Fortify’s patent-pending X-Tier™ Analysis allows complete coverage of all critical code paths

X-Tier™ Analysis For Confidence in the Results

Real world applications are multi-language and multi-tier

Web Applications (3-tier)

EAI, SOA and Web Services

Little or no assurance if you can’t model data-flow across the tiers

Attacks are at the top of the stack

Vulnerabilities can be deep in the system

Fortify RunTime and Source Code Analyzers support X-tier analysis

The only vendor with this technology* (numerous patents pending)

23

See The Entire Picture With Fortify RunTime Analysis

Attack Patterns & Signature DB

Complete and Accurate Results

Finds vulnerabilities that can’t be found in the code

Environmental and runtime errors

Errors in 3rd party (binary) code

Finds vulnerabilities that penetration testing misses

Any server-side event that does not alter the HTTP response (XSS, SQL Injection, Process Injection, …)

Logging private data

Has far greater accuracy and lower false positives than any other technique

Nothing is more accurate than a monitor at the call site when a security event occurs

[Diagram: RunTime Monitors (attack surface, security event, honeytoken, data privacy, statistical correlation) instrumented into the Java / .NET binary and emitting Security Events]

Optional runtime protections provide greater assurance of deployed applications

“In-house” or 3rd party

24

[Diagram: executable (WAR/exe/dll) with 3rd party libraries; attack surface: Web GUI, Web Services, RDBMS, File I/O, Network I/O]

Security Testing Without Fortify = Black Box

Attacks and visibility limited to what can be seen on the web GUI

Misses attack surface: Files (EDI and Config), Database, RPC/IPC, EAI (Tibco, Tuxedo, etc)

Cannot find internal security events - i.e. logging a credit card into a clear text log file

Blind attacks have zero knowledge of program internals

Does an input field go to a DB, process invocation, crypto routine, I/O, nowhere?

Source file? Line of code? Call tree? Data-flow path? - ALL MISSING FROM REPORTS
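The call-site monitor the RunTime Analysis slide describes, and the clear-text credit-card log line the black-box slide says testing cannot see, worked as an added Python example that is not Fortify code: a logging filter raises a "data privacy" security event carrying the caller's file, line and function, then masks the value before it reaches the log. The logger name, checkout() and its log message are constructed for the example.

```python
"""Added example (not Fortify's code): a call-site 'data privacy' monitor.
Every record is inspected where it is emitted: a PAN-like value (13-19 digits
passing the Luhn check) becomes a security event that carries the call site's
file, line and function, and is masked before the line reaches the log.
The logger name, checkout() and its log line are constructed for this example."""
import logging
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes
CANDIDATE_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for order ids etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class SecurityEvent:
    kind: str
    file: str
    line: int
    function: str
    detail: str


class DataPrivacyMonitor(logging.Filter):
    """Installed on a logger, so it sees each record at the call site that emits it."""

    def __init__(self) -> None:
        super().__init__()
        self.events: list[SecurityEvent] = []

    def filter(self, record: logging.LogRecord) -> bool:
        text = record.getMessage()
        masked = text
        for m in CANDIDATE_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                # pathname/lineno/funcName belong to the caller, not to the logging module
                self.events.append(SecurityEvent(
                    "data_privacy", record.pathname, record.lineno, record.funcName,
                    f"PAN-like value ending in {digits[-4:]} written to log"))
                masked = masked.replace(m.group(), "*" * (len(digits) - 4) + digits[-4:])
        record.msg, record.args = masked, ()   # the log only ever sees the masked text
        return True


log = logging.getLogger("shop")
log.setLevel(logging.INFO)
log.addHandler(logging.StreamHandler())
monitor = DataPrivacyMonitor()
log.addFilter(monitor)


def checkout(order_id: int, card_number: str) -> list[SecurityEvent]:
    """Constructed application code; the offending call site is the log.info below."""
    log.info("order %d: charging card %s", order_id, card_number)
    return list(monitor.events)
```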


25

[Diagram: executable (WAR/exe/dll) with 3rd party libraries; attack surface: Web GUI, Web Services, RDBMS, File I/O, Network I/O]

Only Fortify Delivers WhiteBox™ Security Testing

Fortify RunTime Analyzer - Binary (Java, .NET)

Fortify Source Code Analyzer - Source (Java, C/C++, C#, VB.Net, PL/SQL, T-SQL)

Coverage statistics for attack surface and all security relevant operations

Full visibility into what happened “on the inside”

Source Code Analysis provides a blueprint for targeted attacks

“Source Code” view of security issues

27

Benefit From Our Experience and Expertise

2003 2004 2005 2006 2007

Fortify Establishes The Market - Supported by pre-eminent security researchers, Fortify Software delivers the world’s first commercial software security analyzer.

Actively Engaging Leaders - Working closely with early adopters, Fortify delivers an integrated suite, filing over 150 patent claims.

Source Code Analysis Suite - The award winning market defining platform that the others are still struggling to copy.

Security Tester - The first security testing solution to deliver white box security testing and deliver it to QA professionals.

Application Defense - Event monitoring and protections for legacy applications and packaged software.

Software Analysis Redefined - Fortify Software Analysis Suite 5.0

Bring it Home

Hidden slide

29

Solutions That Grow With You

Proven options for a quick and painless start

Software Security Assurance Gates

The most effective way there is to reduce software risk exposure

Discretionary Development Deployment

200% increase* in security training retention

Enterprise Software Vulnerability Base-Line Audit

Analysis of legacy systems for base line reporting and risk assessment

Seamless transition to an enterprise software security program

Integrated Development - Infosec Deployment

Flexibility for development, comprehensive assurance for infosec

Enterprise metrics and reporting

Full visibility across all projects and the ability to manage through policy

* Arkasoft Security Training Survey - 2005

30

Expertise and Guidance Every Step of the Way

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor; Security]

Fortify Services

Fortify Rapid-Start Deployment

Fortify 3rd Party Code Verification Services

Fortify Managed Auditing Services

Management

Fortify Global Partners

31

Compare… Others

Fortify is The One That You Can Count On

Fortify is a much better fit

Extensible solutions that span the development lifecycle (SDL)

Solutions for the developers, testers, auditors, teams, and the enterprise

Support for more languages, platforms, frameworks and tools than anyone else

A superior architecture and proven experience with the most demanding customers across a wide range of deployments

Fortify delivers what the others miss - complete and accurate results

The award winning Fortify Source Code Analysis Suite

Patent-pending RunTime Analysis

Patent-pending X-Tier Analysis

Patent-pending WhiteBox Security Testing

32

Take the Fortify Challenge

Allow us to perform a Baseline Security Audit on one of your software projects

If we find no serious security issues - We Pay You $10K

Otherwise pay our standard code audit fee: $25K for a typical application < 250K SLOC

If you are anything less than delighted with the findings - You Pay Nothing

Transitions easily into a Managed Audit Service

Pilot a Development Team Rollout

Infosec team and 2-3 development groups

Define project scope, introduce technology, measure results

Fee based on project scope, size, and timeline

Get Started…

Hidden Slides - Talking Points, Summing Up

Competitors

Hidden slide

35

Caveat Emptor - Software Security is the Next Big Thing

Network-vendors

Focusing on the attack over the root cause, “Now fixes applications” is now the latest craze.

• Reactive approach that got us where we are now.

• Focused on addressing the attack or protecting the infrastructure.

• Some solutions serve as a stop gap, but by no means replace the need to build security in.

Quality-vendors

To broaden the reach of niche products, static analysis vendors add security to a list of quality issues.

• Security issues are not “just another bug”.

• Static analysis tools lack the advanced data-flow features like X-Tier™ and RunTime™.

• Products (ParaSoft, Coverity, Klocwork) fall way behind in platforms and rules coverage.

Penetration Testers

A popular solution for establishing awareness is being offered up as a sustainable solution.

• Great for demonstrating the problem.

• Testing without upstream activities to “test” is pointless and expensive.

• Penetration tests must move to the QA stage of the SDL and be replaced with audits - that most projects pass.

“Security Light” - “Badness-ometers” - “Security in a Box”

36

Rule #1: Never Mention Your Competitors…

Ounce Labs - Makes a lot of noise but still catching up on the basics (languages and platforms). Presentation over substance - fact check their claims.

Secure Software - Well respected services firm struggling to transition into a software company. Consultantware architecture (Python scripts).

SPI Dynamics - Recent dramatic change in product strategy promising Fortify functionality validates our approach - What does it say about them?

…unless you maintain better than 10:1 win rate in head to head bake-offs