Fortify Tracer improves the effectiveness of black box security testing

Fortify Software today announced the introduction of Fortify Tracer. The product provides code-level information so that black box security testers can:

1) Measure in a consistent way the percentage of security-critical points actually reached by black box security tests
2) Speed remediation of identified vulnerabilities
3) Discover additional runtime vulnerabilities that black box security testing tools cannot find

Fortify Tracer features include:

– Insightful security coverage reports detail the percentage of security-critical functions exercised during a test. Key areas of the application that interact with sensitive interfaces, such as Web input, the database, and the file system, are tracked separately to provide additional coverage information;

– Patent-pending Call Site Monitor technology works from inside to provide vulnerability identification at the root cause;

– Dashboards clearly communicate key metrics and allow users to compare runs, inspect issues, and find the flaws quickly and easily;

– Fortify Tracer currently works on any J2EE executable (.war/.ear) file; users simply point to the file and the Fortify instrumentation engine inserts monitors at security-critical call sites;

– Detailed reports show vulnerabilities according to their categories, such as cross-site scripting and SQL injection.
