Introduction to the Sales Enablement Curriculum
Where does this Session fit within the learning path?
Identity & Access
Data Privacy and
1 Market Observations
Key Trends, Primary Use Cases, and Stakeholders Priority
Fortify Portfolio Overview and Business Value
Market Insights – Competition
About This Course
Things You’ll Learn
There is an ever-increasing shortage of skilled security staff, which dilutes security
Organizations worldwide are facing sophisticated ransomware, deeply embedded
vulnerabilities, and attacks on the digital supply chain.
The COVID-19 pandemic accelerated hybrid work and the shift to the cloud,
challenging CISOs to secure an increasingly distributed enterprise.
Financial Impacts of Security Breaches
Average total cost and frequency of data breaches by initial attack vector
Source: Cost of a data breach report 2021 by Ponemon Institute and IBM
Top Security and Risk Management Trends for 2022
New responses to
Digital Supply Chain Risk
Cybercriminals have discovered that attacks on
the digital supply chain can provide a high
return on investment. Gartner predicts that by
2025, 45% of organizations worldwide will have
experienced attacks on their software supply
chains, a three-fold increase from 2021
Attack Surface Expansion
Risks associated with the use of cyber-physical systems and IoT, open-source
code, cloud applications, and more have pushed organizations' exposed surfaces
beyond the set of assets they can directly control.
Identity Threat Detection and Response
Organizations have spent considerable effort improving user authentication,
and that investment itself expands the attack surface. Credential misuse is
now a primary attack vector.
The evolution and reframing
of the security practice
“The CISO role has moved from a technical subject matter expert to that of
an executive risk manager,” said Firstbrook. “CISOs must reconceptualize
their responsibility matrix to empower Boards of Directors, CEOs and other
business leaders to make their own informed risk decisions.”
Human error continues to be a factor in
many data breaches, demonstrating that
traditional approaches to security
awareness training are ineffective.
Progressive organizations are investing in
holistic security behavior and culture
programs (SBCPs), rather than outdated
compliance-centric security awareness
The consolidation of
Security technology convergence is accelerating, driven
by the need to reduce complexity, reduce administration
overhead and increase effectiveness. This consolidation
will lower total cost of ownership and improve
operational efficiency in the long term, leading to better
The security product consolidation trend is driving
integration of security architecture components.
However, there is still a need to define consistent
security policies, enable workflows and exchange data
between consolidated solutions. A cybersecurity mesh
architecture (CSMA) helps provide a common,
integrated security structure and posture to secure all
assets, whether they’re on-premises, in data centers or in
Attackers Move from Infrastructure Level to App Level
Application-layer attacks look like normal traffic, so they pass through network, perimeter,
data, and endpoint security controls that inspect only the transport and the request shape.
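To make the point concrete, here is an added example (it is not code from the course or from Fortify): a constructed two-line "perimeter" check that sees only a well-formed HTTP GET to an allowed path, and a constructed user-lookup handler behind it. The injection request is, at the transport level, indistinguishable from the benign one; only the application layer decides whether the parameter becomes SQL. The request lines, the table and the `perimeter_allows` filter are all constructed for illustration.

```python
"""Added example: an application-layer attack that a transport-level
perimeter check cannot distinguish from ordinary traffic.
All requests, data and the perimeter stand-in are constructed."""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed request lines: both are syntactically ordinary HTTP/1.1 GETs.
BENIGN_REQUEST = "GET /users?name=alice HTTP/1.1"
# Query decodes to   name=x' OR '1'='1
ATTACK_REQUEST = "GET /users?name=x%27+OR+%271%27%3D%271 HTTP/1.1"


def perimeter_allows(request_line):
    """Stand-in for a network/perimeter control: it checks method, protocol
    version and path, and has no idea what the app does with the query."""
    method, target, version = request_line.split(" ")
    return method == "GET" and version == "HTTP/1.1" and urlsplit(target).path == "/users"


def name_param(request_line):
    """Extract the decoded 'name' query parameter ('' if absent)."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("name", [""])[0]


def build_db():
    """Constructed in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, request_line):
    """Deliberately vulnerable: the parameter is spliced into the SQL text,
    so the quote in the attack request closes the literal and the
    OR '1'='1' tail matches every row."""
    sql = f"SELECT name, email FROM users WHERE name = '{name_param(request_line)}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, request_line):
    """Parameter binding: the value is passed as data and never parsed as SQL,
    so the same attack request simply matches no user."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name_param(request_line),)
    ).fetchall()


if __name__ == "__main__":
    for req in (BENIGN_REQUEST, ATTACK_REQUEST):
        print(req, "| perimeter allows:", perimeter_allows(req))
        print("  vulnerable ->", lookup_vulnerable(build_db(), req))
        print("  hardened   ->", lookup_hardened(build_db(), req))
```

Both requests are accepted by the perimeter stand-in; the vulnerable handler returns every user for the attack request while the bound-parameter handler returns none. That gap is what application security testing (SAST on the string-built query, DAST on the running endpoint) exists to find.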
• Not mature; lack of developer training
• Growing attack surface: more applications,
more connected to the Internet
• Accelerating releases reduces time available for
Identity & Access
* Security functionality testing is
different from application security
• Highly mature
• Substantial investments in place
• Systems are more secure out-of-the-box than
Security Is Often Left Out
• Need for Speed
Developers have to deliver functional code fast –
anything else is friction.
• Digital Transformation
82% of CIOs say they have implemented new
technologies, IT strategies, and/or methodologies due
to the COVID-19 pandemic*.
• More Volume
Because of the volume of apps being pushed into
production, security is not the focus of DevOps.
* IDG 2021 State of the CIO Report
Customers Need Help!
Training Developers around Security Testing
• Engage developers early in the testing
• Make it easy for developers to initiate
security scans on the code
• Prioritize security alerts to drive productivity
Third-Party and Open-Source Vulnerabilities
• As much as 90% of applications use open-source software and libraries,
distributed under open-source licenses such as the GNU General Public
License.
• Blindly using code previously written by someone else is a huge risk. You
cannot know what security measures were taken; the code might contain many
weaknesses and
• Reusing old code or legacy applications without adequate security testing,
or without validating the health of the project, can lead to vulnerabilities
being embedded in the new application. This is known as technical
• Open-source modules might have security
defects or known vulnerabilities, which could
lead to software supply chain attacks.
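The "known vulnerabilities in open-source modules" bullet is what software composition analysis (SCA) mechanizes. The following is an added example, not Debricked, Sonatype or Fortify code: it parses a pinned, requirements-style manifest and matches each version against an advisory list with affected version ranges. The package names, manifest and advisory entries are all constructed and fictional; the `EXAMPLE-…` identifiers are placeholders, not real advisories. It also shows two practitioner details a naive script gets wrong: versions must be compared numerically (1.10 is newer than 1.9), and unpinned dependencies cannot be assessed at all and should be reported as such.

```python
"""Added example: a minimal SCA check over a pinned dependency manifest.
Manifest, package names and advisories are constructed, not real."""

MANIFEST = """\
# constructed requirements-style manifest; package names are fictional
widgetlib==1.4.1
parserkit==2.0.0
jsonutil==3.10.0
legacyfmt>=0.9   # not pinned: exact version unknown, cannot be assessed
"""

# Constructed advisories: a version is affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "package": "widgetlib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2022-0002", "package": "parserkit", "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-2022-0003", "package": "jsonutil", "introduced": "3.9.0", "fixed": "3.10.1"},
]


def parse_version(text):
    """'1.10.2' -> (1, 10, 2). Integer tuples compare correctly (1.10 > 1.9),
    where plain string comparison would not. Real tools implement PEP 440 or
    semver; this handles only plain dotted numeric versions."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return (pinned, unpinned). pinned maps name -> version for 'name==version'
    lines; any other requirement (ranges, bare names) goes to unpinned,
    because without an exact version there is nothing to match against."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pinned[name.strip().lower()] = version.strip()
        else:
            unpinned.append(line)
    return pinned, unpinned


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(manifest_text, advisories):
    """Return (findings, unpinned): findings lists each pinned package whose
    version falls inside an advisory's affected range."""
    pinned, unpinned = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is not None and is_affected(version, adv):
            findings.append({"package": adv["package"], "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings, unpinned


if __name__ == "__main__":
    found, unknown = find_vulnerable(MANIFEST, ADVISORIES)
    for f in found:
        print(f"{f['package']}=={f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for line in unknown:
        print(f"unpinned, not assessed: {line}")
```

On the constructed input, `widgetlib` 1.4.1 and `jsonutil` 3.10.0 are flagged (the latter only because versions are compared numerically), `parserkit` 2.0.0 is exactly the fixed version and is clean, and `legacyfmt>=0.9` is reported as unassessable. A real SCA product adds transitive dependency resolution, lockfile and binary fingerprinting, and a curated advisory feed, but the matching step is this.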
Many customers are still in their early phases of
adopting an integrated approach.
• They lack an understanding of the impact of
not remediating vulnerabilities early in the
• Involve developers to shift security left in the
• Break silos through a centralized reporting
and monitoring solution for found
Application Security Key Trends 2022
Shift Left | Cloud Transformation | AppSec Maturity | Open-Source Risk
Securing the Software Supply
Supply chains have many blind spots or
cracks that attackers can take advantage of,
resulting in increased severity and frequency
AppSec Orchestration and
• AppSec orchestration and correlation has
increasingly become a hot topic in the
industry, with many benefits and
Next Generation DAST
• We are starting to see developer-driven
DAST testing expand, extending the use of
DAST beyond the hands of AppSec/QA
and fully within the Dev CI/CD automation
Machine Learning and AI are key
to the next evolution of
Companies that use automation are twice as
likely to implement security testing; in
addition, there are numerous use cases for
machine learning advancements
• With the broad IT industry trend towards
the cloud, a modern software stack
includes many cloud-native elements of
• As a result, the demarcation between
AppSec and InfraSec is becoming blurred
API security needs are growing
• APIs are the most rapidly growing attack
surface, but still aren't widely understood
and are often overlooked by developers
and AppSec managers
AppSec Is evolving from Shift-Left
to Shift Everywhere
• Test early is now test everywhere and
• There is no one-size-fits-all; it is about finding the
right tools for the right job, at the right time.
• It's all about defense in depth.
Chief Information Security Officer (CISO): protect the organization's
applications and infrastructure; cost optimization for security
DevOps Manager (DevOps): manager with a technical background, responsible
for developer tooling and for keeping the overall CI/CD pipeline running
Application Security Manager (AppSec): identify, track, and reduce
application security risks across the applications
Product Owner (DevLead): release schedules and deadlines; ensures
applications are secure before releasing to production.
Why Fortify ?
AppSec on demand
Application Security-as-a-Service with security testing and
vulnerability management gets you started with minimal skilled
With Fortify, you don’t need to trade quality of results for speed in
order to scale up your DevSecOps processes.
Our research supports 1,224 vulnerability categories across 30+
languages and over 1 million APIs to improve threat detection.
Protect your software
Software resilience from a
partner you can trust
Focus on what matters with
accurate, thorough results.
Evolve your AppSec
A holistic, scalable platform
that supports your needs
What we do – Enable Secure Code Development
Find and fix security vulnerabilities with fast
and accurate results, whether the application is
built in-house, by a third party, or using open-
Automatically identify and tune out false
positives with machine learning. Fix known
issues with minimal developer friction.
Flexibility in testing application security on-
premises, hosted, or delivered as a SaaS
managed service. Cloud SDKs to support cloud
DevOps integration and testing cloud
Fortify offers end-to-end application security
solutions, including integration with the
developer IDE as well as the DevOps tool
Fortify is named #1 for Enterprise by
Gartner (Critical Capabilities report), including
its machine learning capabilities.
Fortify customers benefit from a holistic,
inclusive, and extensible platform that uses a
single taxonomy and provides building blocks
to mature your software security assurance
AppSec's Journey Toward Cyber Resilience
Then, now, and in the future
2001 - 2008, Era of Threat: Comply (aka "Check the Box")
2008 - 2014, Era of DX: De-risk (aka "Stage Gate")
2014 - 2020, Era of Growth: Enable (aka "Shift Left")
COVID driving DX: Resilient (aka "Speed vs Cost")
Fortify Product Offerings
Flexible offering for Modern Development
Static Code Analyzer: Analyzes source code for security vulnerabilities to enable Static
Application Security Testing (SAST).
Software Composition Analysis (SCA): Scans open-source components for
vulnerabilities, either using Debricked (SaaS) or through our partnership with Sonatype
WebInspect: Analyzes applications in their running state and simulates attacks to find
vulnerabilities to enable Dynamic Application Security Testing (DAST).
Software Security Center (SSC): Holistic application security platform included with on-
premises or hosted solutions to centralize the visibility of application security risks
Fortify on Demand (FoD): AppSec as a managed service that includes SAST, DAST, SCA,
and MAST capabilities, managed by CyberRes security analysts.
Fortify Hosted: SaaS-based offering deployed in the cloud with managed infrastructure
deployment and support.
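The Static Code Analyzer entry says SAST "analyzes source code for security vulnerabilities"; the core of that is taint analysis, tracing data from untrusted sources to dangerous sinks. The following is an added example, not Fortify code and not how Fortify's analyzer is implemented: a deliberately small, flow-insensitive taint analysis over Python source using the standard `ast` module. The source, sink and sanitizer lists and the `SAMPLE` program it scans are constructed for illustration; a commercial analyzer models control flow, calls across files, and thousands of source/sink rules, but the principle is the same.

```python
"""Added example: a minimal flow-insensitive taint analysis with `ast`,
to show what a SAST tool does at its core (source -> sink tracking).
Rule lists and the scanned sample program are constructed."""
import ast

SOURCES = {"request.args.get", "input"}           # untrusted input
SINKS = {"os.system", "subprocess.call", "eval"}  # dangerous consumers
SANITIZERS = {"shlex.quote", "int"}               # output treated as clean

# Constructed program to scan (parsed only, never executed).
SAMPLE = '''
import os, shlex

def ping(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)  # tainted value reaches a shell sink

def ping_safe(request):
    host = shlex.quote(request.args.get("host"))
    os.system("ping -c 1 " + host)  # sanitized before the sink

def ping_static():
    os.system("ping -c 1 localhost")  # constant argument
'''


def qualname(node):
    """'a.b.c' for an attribute chain or a bare name, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(node, tainted):
    """True if the expression contains a source call or a tainted variable.
    A sanitizer call is treated as clean regardless of its arguments."""
    if isinstance(node, ast.Call):
        name = qualname(node.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def analyze_function(func):
    """Propagate taint through assignments to a fixpoint (flow-insensitive:
    order of statements is ignored), then report sink calls fed by taint."""
    tainted = set()
    changed = True
    while changed:
        changed = False
        for stmt in ast.walk(func):
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                for target in stmt.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    findings = []
    for node in ast.walk(func):
        if isinstance(node, ast.Call) and qualname(node.func) in SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(is_tainted(arg, tainted) for arg in args):
                findings.append((func.name, qualname(node.func), node.lineno))
    return findings


def analyze(source):
    """Return (function, sink, line) for every tainted sink call in `source`."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            findings.extend(analyze_function(node))
    return findings


if __name__ == "__main__":
    for func, sink, line in analyze(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}() in {func}()")
```

Run against `SAMPLE`, it reports exactly one finding: the `os.system` call in `ping`. `ping_safe` is clean because the value passed through a sanitizer, and `ping_static` is clean because the argument is a constant. The limits are instructive too: the analysis ignores statement order, so a variable reassigned to a constant after a tainted use would still be reported, and a sanitizer that is on the list but wrong for the sink (for example `int` before an SQL sink is fine, but `shlex.quote` before an `eval` is not) would silence a real issue. Rule quality, not just matching, is what separates a demo from a product.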
Solutions that Align with DevSecOps Success: Integration, Automation, Speed
Backed by the Market-Leading Software Security Research Team
1,244 Vulnerability Categories | 30 Programming Languages | 1M+ Individual APIs
The world’s leading enterprises entrust their AppSec
needs to Fortify
9 out of 10
of the largest information technology
5 out of 5
of the largest telecommunication
9 out of 10
of the largest banks
4 out of 5
of the largest pharmaceutical companies
3 out of 3
of the largest independent software
Strongest AppSec solution provider in
Federal space (FedRAMP Certified)
“Micro Focus Fortify really addresses the needs of
the developers. It makes sense to them.”
- Damien Suggs, AppSec Director
“This is a partnership to drive AppSec
modernization with Fortify on Demand to deliver
actionable, data driven results.”
- Rajan Gupta, VP, Product Security
Fortify Has a Continued Leadership Position in the
Fortify Key Competitive Differentiation
Maturity at Scale
Fortify is a good fit for enterprises with complex application projects and AST users with
experience and advanced requirements.
Fortify Security Assistant is a real-time security checker that operates in the IDE. It is not
a replacement for a comprehensive SAST scan, but can provide a lightweight automatic
check for developer security mistakes as the developer codes.
Fewer False Positives
The Fortify Audit Assistant feature has been extended to allow teams the flexibility to
either manually review artificial intelligence (AI) predictions on issues or to opt in to
“automatic predictions,” which support completely in-band automated triaging of
This contributes to reducing false positives.
Micro Focus provides DAST that is able to address many of the challenges with modern
applications, such as scanning client-side vulnerabilities or support for 2FA, among other
Leader in Application Security Testing
Application Security Testing Market Size and Growth
• Increasing investment in AppSec aligned with
risk of breaches.
• Emergence of DevSecOps: Security becoming a
critical component of DevOps, on-premises or in
• Open Source: A significant percentage of production
applications contain OSS code, leading to software
supply chain risks.
• Developer-Led: Developers are both users and
a source of insider threats, which requires zero
trust in the SDLC.
• Shift Left: Faster time to vuln identification and
fix, driven by DevOps and the cost impact of
remediation if done during production.
Source: Forrester Analytics: Application Security Solutions Forecast, 2017 to 2023 (Global)
Chart: Market Size Forecast 2017 to 2023 (Global), showing 2018 (F) and 2023 (F); F = Forecast
Segments shown:
Static Application Security Testing (SAST)*
Dynamic Application Security Testing (DAST)*
Software Composition Analysis (SCA)*
Interactive Application Security Testing (IAST)*
Security Scanning Tools
Web Application Firewall (WAF)
Runtime Protection Tools
*Fortify's currently served market segments
Strengthen Your Cyber Resilience
CyberRes at a Glance
Protect across your identities,
applications, and data.
Detect, respond, and recover from
Evolve your security posture at
the speed of change.
Identities, Data, Applications
Top 4 Points for Learners to Remember
Application Security is a growing
Every customer is a potential
prospect for Application
Fortify is a leader in the
Application Security market
Fortify offers a Full Spectrum
solution for SCA, SAST, DAST and
Before You Leave . . .
Exit from full screen mode (if used).
Close the window containing the
Close any intermediate screens.
When you return to the course page in
SABA, it should say “Completed.”
Close the browser.