SANTA CLARA, CA, 2019-09-09 - Micro Focus (LSE: MCRO; NYSE: MFGP) today announced an expanded strategic partnership with Sonatype to provide the combined power of Micro Focus' application security as a service, Fortify, and Sonatype's leading automated open source governance solution, to even more customers. The new relationship, which promotes Sonatype as Fortify's preferred Software Composition Analysis (SCA) partner, delivers the advantages of a single, fully integrated application security platform, without compromising depth and capability in managing open source risk and vulnerabilities.

Open source software components make up a significant portion of many applications' codebases, making SCA a 'must-have' AppSec capability. Powered by Sonatype, Fortify's SCA is much more than a simple match of open source component names against issues noted in the National Vulnerability Database (NVD). Sonatype uses artificial intelligence and machine learning along with human curation to ingest and identify security vulnerabilities from other open source projects, GitHub commits, advisory websites, the NVD, and a number of other vulnerability sources.

'In today's DevSecOps world, customers demand a holistic view of their applications that encompasses both custom and packaged code. That is why an integrated AppSec platform - combining SAST and SCA - that empowers developers at speed and scale is required,' said Scott Johnson, General Manager of Fortify at Micro Focus. 'Sonatype and Fortify are long-term partners and market leaders that together are taking AppSec to the next level of value for customers.'

Additionally, new vulnerabilities are regularly discovered by a dedicated team of security researchers and added to the proprietary knowledge base. Fortify simplifies the onboarding and scanning process by combining static and composition analysis into a single integration point, whether in the IDE or in the CI/CD pipeline. The comprehensive software bill of materials, including security vulnerabilities and license details, is delivered as a fully integrated experience for security professionals and developers alike.

'On average, enterprises use over 150,000 open source libraries across their applications, resulting in 85% of all modern applications being made up of open source components. At this scale, it has become vital that automated and accurate open source security analysis is a core element of an enterprise's AppSec program,' said Bill Karpovich, Executive Vice President of Sonatype. 'We're excited to expand our relationship with Fortify and to make it easier for enterprises to benefit from this powerful combined solution for application security.'

Key features and updates to Fortify on Demand include:

- Simultaneously run SAST and SCA analysis
- Supports Java, .NET, JavaScript and Python
- Integrated results deliver one platform for remediation, reporting and analytics
- Examines fingerprints of over 65 million components - not file names and package manifests
- Detects 70% more vulnerabilities than the NVD alone

Together, the companies will broaden the open source library scanning capabilities in Fortify on Demand, and Sonatype will continue to offer a turnkey integration of its Nexus Lifecycle solution for on-premises and cloud-hosted Fortify SSC customers. 'Sonatype pioneered open source application security and is already trusted by the world's largest enterprises, so it's natural for us to expand our relationship with deeper integrations across the Fortify product suite,' said Johnson. Additional cross-portfolio integrations are also planned for 2020.