How to Automatically Verify Security Requirements: SD Elements & Fortify Integration

November 12, 2013

We’re excited about our integration with Fortify. It follows on our recent Veracode integration. With these integrations a company can automatically create a set of tailored security requirements and automatically test the requirements. We think it’s a huge boost for application security. It works like this:

Start by modeling your application in SD Elements:


Then generate a set of tailored tasks (i.e. requirements) in SD Elements:


Use these requirements during development:


Run the application through Fortify and import the scanning results:


Review the verification status of requirements in SD Elements:


You now know:

  • Which requirements have failed verification (i.e. a vulnerability was discovered)
  • Which requirements have passed verification (i.e. a vulnerability was not discovered, and Fortify can generally find this kind of vulnerability in supported languages / frameworks)
  • Which requirements have partially passed verification (i.e. Fortify can find some but not all instances of a vulnerability)
  • Which requirements were not covered by Fortify. These need to be manually tested

Now use SD Elements test cases to manually test areas not covered by Fortify:


About the Guest Blogger:


Chris Tyson, has recently joined Security Compass as our Customer Success Engineer.

Most recently he was a Senior Sales Engineer at Klocwork. Klocwork’s tools find exploitable security defects, code quality issues, architecture and metrics issues in software. Previous to that Chris has extensive customer facing experience in Pre-Sales Engineering, Training, Consulting, Customer Support, Software Development and management of software development teams. He is passionate about security, software quality and user experience. Chris has a Bachelor’s Degree in Computing and Information Science with a minor in Business Administration from the University of Guelph.

Previous Article
Business Logic Pitfalls in Trading Applications (Blog Series) — 1
Business Logic Pitfalls in Trading Applications (Blog Series) — 1

Business logic vulnerabilities have always been the elusive unicorn of the application security world that ...

Next Article
5 Common Windows Hardening Misconfigurations
5 Common Windows Hardening Misconfigurations

Over numerous Windows configuration review engagements that we have performed for our clients, we observed ...

Find out how our solution builds security and compliance into software.

Free Demo