OpenText
Fortify (SAST/DAST) test
Static & Dynamic Application Security Testing · Category 9. AppSec · Tier 1
CL Listed — Visible
Methodology v3.5 · OLIR Schema
April 2026
Evaluation Tier: Visible (Listed) → Verified (CAE) → Enterprise (EEE)
Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed
⚡ Executive Summary · 30 seconds
What it is
Enterprise application security testing platform combining Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Fortify identifies vulnerabilities in source code, binaries, and running applications across 30+ programming languages.
Best for
Secure SDLC integration (NIST SSDF PW.6), PCI DSS Req. 6.2 (secure software development), DORA Art. 8(4) (secure ICT development). Ideal for large enterprises with complex multi-language codebases and CI/CD pipelines.
What it does NOT do
No runtime protection (RASP), no WAF capabilities, no network security, no IAM, no data masking, no endpoint detection. Not a SIEM or SOC tool — focuses exclusively on application-layer vulnerabilities.
CL Recommendation
Fortify is the reference platform for enterprise SAST/DAST. Broadest language support (33 languages). Critical for PCI DSS 6.x, DORA Art. 8, and NIST SSDF compliance. Combine with WAF (Cat. 6), SIEM (Cat. 12), and IAM (Cat. 1) for full stack security. Gartner MQ Leader for 10+ consecutive years.
⚖ Regulatory Fit · Per-regulation verdict
| Regulation | Coverage | Verdict |
|---|---|---|
| PCI DSS v4.0 | ~22% of requirements | ✔ Strong — Req. 6.2, 6.3, 6.5 (secure dev lifecycle) |
| DORA | ~15% of obligations | ● Moderate — Art. 8(4) secure ICT dev |
| NIS2 | ~12% of Art. 21 | ● Moderate — Art. 21(2)(e) secure dev |
| GDPR | ~5% of articles | △ Supporting only — Art. 25 (DPbD via secure code) |
| HIPAA | ~8% of provisions | ● Moderate — §164.312(a) access controls via secure code |
| NIST SSDF | ~65% of practices | ✔ Strong — PW.4, PW.5, PW.6, PW.7, PW.8 (code analysis) |
Detailed regulatory mapping (OLIR format)
PCI DSS v4.0 (PROPRIETARY)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Req. 6.2.1 | Secure development processes | Direct | SA-3 / PR.PS-06 | Functional |
| Req. 6.2.3 | Code review before release | Direct | SA-11 / PR.PS-06 | Functional |
| Req. 6.3.1 | Identify vulnerabilities | Direct | RA-5 / ID.RA-01 | Functional |
| Req. 6.5.5 | Address common coding vulnerabilities | Contributing | SA-11 / PR.PS-06 | Semantic |
DORA (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 8(4) | Secure ICT dev lifecycle | Direct | SA-15 / PR.PS-06 | Functional |
| Art. 8(5) | ICT testing methodologies | Contributing | SA-11 / PR.PS-06 | Semantic |
| Art. 24(1) | Threat-led penetration testing | Contributing | CA-8 / RS.AN-02 | Semantic |
NIS2 (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 21(2)(e) | Security in system acquisition/dev | Direct | SA-15 / PR.PS-06 | Functional |
| Art. 21(2)(d) | Supply chain security | Contributing | SR-3 / GV.SC-05 | Semantic |
NIST SSDF (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| PW.6 | Verify code meets security requirements | Equivalent | SA-11 / PR.PS-06 | Syntactic |
| PW.7 | Review and test code for vulnerabilities | Equivalent | SA-11 / PR.PS-06 | Syntactic |
| PW.5 | Create source code adhering to practices | Contributing | SA-15 / PR.PS-06 | Semantic |
| RV.1 | Identify and confirm vulnerabilities | Direct | RA-5 / ID.RA-01 | Functional |
Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.
🎯 Buyer Guidance · Decision support
✔ Consider When
- PCI DSS Req. 6.2/6.3 secure development lifecycle compliance
- Large enterprise with 5+ programming languages in codebase
- CI/CD pipeline integration needed (Jenkins, Azure DevOps, GitLab)
- NIST SSDF compliance for federal/government contracts
- Need both SAST (source code) and DAST (running app) in one platform
- Regulatory pressure from DORA Art. 8 or NIS2 Art. 21
❌ Avoid When
- Small team with single-language codebase (overkill)
- Need runtime application protection (RASP)
- Budget-constrained startup — enterprise pricing only
- Need WAF or network-level protection
- Looking for open-source or free SAST alternative
- Need SaaS-only deployment — on-prem component required for SAST
⚙ Capabilities · 23 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers
Static Analysis (SAST) · 5✓ 1● 0✗
| Status | Capability | Detail | Quality Tier | Config Modifier |
|---|---|---|---|---|
| ✓ | Source code analysis (33 languages) | Java, C#, Python, JS, Go, Swift, COBOL, etc. | Specific Obl. | Out-of-Box |
| ✓ | Binary/bytecode analysis | Compiled code scanning without source | Specific Obl. | Out-of-Box |
| ✓ | IaC security scanning | Terraform, CloudFormation, Kubernetes | Control Family | Config Change |
| ✓ | Custom rule creation | Proprietary rule language for custom checks | Control Family | Config Change |
| ✓ | Incremental scanning | Scan only changed files in CI/CD | Generic Control | Out-of-Box |
| ● | AI-assisted remediation | Autofix suggestions powered by ML | Data Surfaced | Config Change |
Dynamic Analysis (DAST) · 3✓ 1● 1✗
| Status | Capability | Detail | Quality Tier | Config Modifier |
|---|---|---|---|---|
| ✓ | Automated web app scanning | OWASP Top 10, CWE/SANS Top 25 | Specific Obl. | Out-of-Box |
| ✓ | API security testing | REST, SOAP, GraphQL endpoints | Specific Obl. | Config Change |
| ✓ | Authenticated scanning | Login sequence recording and replay | Control Family | Config Change |
| ● | Mobile app testing (DAST) | iOS and Android runtime testing | Control Family | Config Change |
| ✗ | Interactive testing (IAST) | Combined SAST+DAST correlation | Specific Obl. | N/A |
CI/CD & DevSecOps Integration · 6✓ 0● 0✗
| Status | Capability | Detail | Quality Tier | Config Modifier |
|---|---|---|---|---|
| ✓ | Jenkins plugin | Native Jenkins integration | Control Family | Out-of-Box |
| ✓ | Azure DevOps integration | Pipeline extension available | Control Family | Out-of-Box |
| ✓ | GitLab CI integration | YAML template provided | Control Family | Config Change |
| ✓ | IDE plugins (VS Code, IntelliJ) | Real-time developer feedback | Generic Control | Out-of-Box |
| ✓ | REST API for automation | Full programmatic access | Control Family | Out-of-Box |
| ✓ | Policy-as-code gates | Break builds on severity thresholds | Specific Obl. | Config Change |
Reporting & Compliance · 4✓ 1● 1✗
| Status | Capability | Detail | Quality Tier | Config Modifier |
|---|---|---|---|---|
| ✓ | OWASP Top 10 compliance report | Pre-built compliance template | Specific Obl. | Out-of-Box |
| ✓ | PCI DSS 6.x compliance report | Req. 6.2, 6.3, 6.5 mapping | Specific Obl. | Out-of-Box |
| ✓ | CWE/CVE correlation | Map findings to known vulnerability DBs | Specific Obl. | Out-of-Box |
| ✓ | Executive dashboard | Trend analysis and risk scoring | Generic Control | Out-of-Box |
| ● | SIEM integration (Splunk, QRadar) | Forward findings to SIEM | Control Family | Config Change |
| ✗ | SBOM generation | Software Bill of Materials output | Specific Obl. | N/A |
🛡 MITRE ATT&CK Mapping · Layer 4 — Derived via SP 800-53
| Mitigation | Name | Coverage |
|---|---|---|
| M1016 | Vulnerability Scanning | Full (claimed) |
| M1051 | Update Software | Full (claimed) |
| M1054 | Software Configuration | Partial (claimed) |
| M1050 | Exploit Protection | Full (claimed) |
| M1013 | Application Developer Guidance | Full (claimed) |
Score: 3.8 / 5.0 (76%) — All vendor-claimed. Techniques addressed: T1059, T1190, T1203, T1211 (execution & exploitation family).
ATT&CK techniques detail
| Technique | Name | How Addressed | Provenance |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | SAST/DAST identifies exploitable vulnerabilities before deployment | DERIVED via M1016 |
| T1059 | Command and Scripting Interpreter | Detects injection flaws (SQL, OS, LDAP) in source code | DERIVED via M1016 |
| T1203 | Exploitation for Client Execution | Identifies client-side vulnerabilities (XSS, CSRF) | DERIVED via M1050 |
| T1211 | Exploitation for Defense Evasion | Detects insecure coding patterns enabling bypass | DERIVED via M1016 |
📄 Evidence Pack · DR-2 §5.1 — Proof of value
| Status | Evidence | Notes |
|---|---|---|
| ✔ | SAST scan reports (PDF/XML) | Detailed findings per scan with CWE mapping. Exportable. |
| ✔ | DAST scan reports | OWASP Top 10 compliance evidence. PDF/HTML export. |
| ✔ | CI/CD audit trail | Pipeline execution logs with pass/fail decisions. |
| ✔ | Compliance mapping reports | PCI DSS, OWASP, CWE/SANS pre-built templates. |
| ⚠ | Third-party penetration test | Vendor security posture independently verified. |
| ❌ | SBOM (Software Bill of Materials) | Not natively generated. Requires third-party SCA tool. |
Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).
⏱ Operational Metrics & Anti-Hype · DR-2 §5.1 + §9.2
| Metric | Fortify on Demand (SaaS) | Fortify On-Prem | Enterprise (Full Suite) |
|---|---|---|---|
| Implementation | 1-2 weeks | 4-8 weeks | 8-16 weeks |
| FTE Required | 0.25 FTE | 0.5-1 FTE | 1-2 FTE |
| Time to first value | Day 1-5 (first SAST scan on primary codebase) | | |
| Time to production | Month 2-6 (all repos onboarded, CI/CD gates active, policies tuned) | | |
Anti-Hype: Marketing vs. Reality
| Marketing claim | Reality | Verdict |
|---|---|---|
| 33 programming languages supported | Accurate. Broadest language coverage in the market, including legacy languages (COBOL, ABAP). | Verified |
| Gartner Magic Quadrant Leader 10+ years | Verified. Consistent Leader positioning since 2014. | Verified |
| Zero false positives with AI tuning | False positive rate reduced but not eliminated. Expect 15-25% FP rate on initial scans. Requires tuning. | Misleading |
| Seamless CI/CD integration | Plugins exist for major CI tools but initial setup requires AppSec expertise. SAST scans can add 10-30 min to builds. | Partial |
| Complete application security platform | No RASP, no SCA (Software Composition Analysis), no container security. Requires complementary tools. | Partial |
⚖ Strengths & Cautions
✔ Strengths
- 33 languages — broadest SAST coverage in the market
- Combined SAST + DAST in a single platform
- Gartner MQ Leader for 10+ consecutive years
- Deep CI/CD integration (Jenkins, Azure DevOps, GitLab)
- Pre-built PCI DSS and OWASP compliance reports
- On-prem and SaaS (Fortify on Demand) deployment options
- Mature enterprise-grade platform with 20+ years track record
⚠ Cautions
- Enterprise pricing — no free tier or community edition
- SAST scan times can be significant on large codebases (30+ min)
- Initial false positive rate requires tuning effort (15-25%)
- No SCA (Software Composition Analysis) built-in
- No RASP or runtime protection capabilities
- Complex on-prem deployment — requires dedicated AppSec team
- All capabilities VENDOR-CLAIMED (no CL independent testing)
📈 Competitive Positioning · Category 9 — AppSec
| Capability | Fortify (SAST/DAST) test | Checkmarx | Veracode | Snyk |
|---|---|---|---|---|
| SAST | ✔ | ✔ | ✔ | ✔ |
| DAST | ✔ | ● | ✔ | ✗ |
| SCA | ✗ | ✔ | ✔ | ✔ |
| IaC scanning | ✔ | ✔ | ● | ✔ |
| CI/CD integration | ✔ | ✔ | ✔ | ✔ |
| On-prem deployment | ✔ | ✔ | ✗ | ✗ |
| Pricing entry | Enterprise only | Enterprise only | Enterprise only | Free tier |
Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.
📑 Framework Views · Hub: CSF 2.0 + 800-53r5 + ISO 27001
NIST SP 800-53 Rev 5
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| SA-11 | Developer Testing & Evaluation | direct | DERIVED via PCI DSS 6.2 |
| SA-15 | Development Process & Standards | direct | DERIVED via DORA Art. 8(4) |
| RA-5 | Vulnerability Monitoring & Scanning | direct | DERIVED via PCI DSS 6.3 |
| SA-3 | System Development Life Cycle | contributing | CL-ORIGINAL |
| CM-4 | Impact Analyses | contributing | CL-ORIGINAL |
| SI-10 | Information Input Validation | direct | DERIVED via OWASP A03 |
NIST CSF 2.0
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| PROTECT | PR.PS-06 Secure software development | direct | DERIVED via SA-11 |
| IDENTIFY | ID.RA-01 Vulnerability identification | direct | DERIVED via RA-5 |
| DETECT | DE.CM-09 Software monitoring | contributing | CL-ORIGINAL |
| RESPOND | RS.AN-02 Impact analysis | contributing | CL-ORIGINAL |
ISO 27001:2022 Annex A
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| A.8.25 | Secure development life cycle | Equivalent | OFFICIAL via ISO 27034 |
| A.8.29 | Security testing in dev & acceptance | direct | DERIVED via NIS2-ISO |
| A.8.28 | Secure coding | direct | DERIVED via OWASP-ISO |
| A.8.8 | Management of technical vulnerabilities | contributing | CL-ORIGINAL |
Vendor Security Practices (SSDF / CRA)
| SSDF ID | Practice | Status |
|---|---|---|
| PW.1 | Risk-based secure design | Claimed |
| RV.2 | Timely vulnerability remediation | Claimed |
| PO.5 | Secure development environment | Claimed |
| PS.3 | SBOM available | Not stated |
| RV.1 | Vulnerability disclosure program | Claimed |
| PS.2 | Code signing | Unknown |
Compliance Labs · Software Listing v3.5 · OLIR Schema
Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · April 2026