Public Sector System Integrator

Fortify delivers effective and streamlined application security within an air-gapped environment

Outcomes

  • Successful track record in air-gapped environments
  • Full integration with existing DevOps tools and processes
  • Effective partnership with Professional Services

Challenge

Introduce application security in the software development cycle without slowing down delivery or compromising the security of an air-gapped environment.

Details

Application security within air-gapped environments

The organization helps defense and federal government revolutionize the way end users address complex challenges and protect against evolving threats. Its software development teams leverage an agile development methodology and, because of the sensitive nature of the solutions and the organization's clients, all development takes place in an air-gapped environment, where security is maintained by physical isolation from unsecured networks.

Development cycles are generally becoming much faster, and software is becoming more complex. When the organization was looking for a solution to embed application security early in the development cycle, OpenText was one of the companies it turned to. With a significant percentage of defense organizations and federal government bodies already leveraging Fortify within their DevOps process to create a DevSecOps environment, it was a natural choice. The Software Asset Manager for the organization explains further: “Having that relevant experience within our specific industry means that we don’t have to worry about how Fortify will perform in an air-gapped environment. This requirement turned out to be an issue for quite a few of the other solutions we investigated.”

We could see straight away that Fortify was expert at the job it is designed to do: scanning application code to ensure robust code and quality applications. It is recognized as a market leader by most analysts and has an extensive and successful track record within our industry.

Software Asset Manager
Public sector system integrator

Effective Fortify integration enables development collaboration

The team decided on a proof of concept (POC) that included Fortify, as well as other alternatives. “OpenText really shone during the POC,” recalls the Software Asset Manager. “The team was completely engaged in understanding our objectives and showing us the value of Fortify. To streamline the process, we needed some custom compiler work done and OpenText Professional Services immediately assisted us. It really built our confidence level. When our usage requirements changed in the middle of the POC, we initially thought OpenText might not be successful because the current proposal did not meet our budget requirements. However, I was impressed when OpenText procurement restructured the deal with a more flexible licensing model that considered our usage requirements more carefully. The Fortify Scan Machine model allows installation of Fortify Static Code Analyzer and WebInspect. This combination perfectly meets our use case and moved OpenText firmly back in the game.”

Fortify is designed to integrate with the tools already in use within a software development ecosystem. In this case, C++ was popular, and Visual Studio and Eclipse were used as IDEs by many developers, with Jenkins as the open-source automation server. Seamless Fortify integration within the agile continuous integration/continuous deployment (CI/CD) environment means issues can be found early and often and are fixed as part of the development testing cycles. Multiple development teams can collaborate on the same code, using a combination of static and dynamic code scanning. “Our developers quickly understood the value of Fortify and found the code scanning process easy and straightforward without causing any delay to the software delivery,” says the Software Asset Manager.

The team was completely engaged in understanding our objectives and helping us to see the value of Fortify. To streamline the process, we needed some custom compiler work done and OpenText Professional Services immediately assisted us. It really built our confidence level.

Software Asset Manager
Public sector system integrator

Creating secure software with flexibility and speed

The organization entered into a three-year agreement with OpenText. The experience with OpenText Professional Services during the POC was so positive that the team decided on a PS service engagement to install, configure, and manage the handover of Fortify to the development teams. This ensured the best start to the implementation.

The Software Asset Manager concludes: “We could see straight away that Fortify was expert at the job it is designed to do: scanning application code to ensure robust and quality applications. It is recognized as a market leader by most analysts and has an extensive and successful track record within our industry. What we were not necessarily expecting, however, was the professionalism and expertise we encountered in working with OpenText. We appreciated the flexibility when we were negotiating the final deal and the support we received to make the POC a success. With Fortify, we now feel very confident that our developers can find and fix security flaws during every stage of the development cycle, creating secure software with more flexibility and speed.”