Why static analysis?

Static testing helps organizations identify security vulnerabilities early in the software development lifecycle, when issues are easiest and least expensive to fix. HP Fortify Static Code Analyzer offers comprehensive vulnerability discovery early in the software development lifecycle and provides immediate feedback to developers and security professionals on issues introduced into code during development so they can begin their remediation effort.

Verify your code

Reduce business risk by identifying and removing exploitable issues in your applications that pose the biggest threat to your business. 

Fits into your Development Environment

HP Fortify SCA supports a wide variety of development environments, with over 22 programming languages, 669+ unique vulnerability categories, 825k component-level APIs, multiple platforms, frameworks and IDEs, to enable security reviews in mixed development and production environments.

Most accurate in the market

HP Fortify SCA provides accurate results and detects a breadth of issues. It categorizes and prioritizes vulnerabilities and provides a detailed action plan. Fortify SCA is guided by the largest and most complete set of security coding rules that are updated by HP's Fortify Software Security Research Group.

“Fortify helps us find and remediate security vulnerabilities in Vital Images medical imaging software before they go to market. It is directly responsible for an improvement to the security posture of our software.”  — Tim Dawson, Senior Director, Software Engineering, Vital Images


“HP Fortify has helped us to establish secure development practices based on its analysis of our software security architecture and application code. We will continue to use HP Fortify software to test all of our software throughout its lifecycle to ensure it is secure at all times.”  — Luc Porchon, Banking Applications Project Manager, Parkeon

Benefits: It’s time to transform your application security program

HP Fortify Static Code Analyzer helps to ensure that the software that runs your business is protected and secure. Fortify SCA automates your static testing process and enables your organization to be proactive in securing applications across your enterprise. Building a repeatable process, prioritizing vulnerabilities by criticality, and having a remediation plan will increase development productivity, streamline your security review processes, and lay the foundation for secure coding best practices.

HP Fortify SCA supports 22+ programming languages, 825,000+ component-level APIs, 669+ unique vulnerability categories, and major platforms, build environments and IDEs. It helps identify risk in all types of applications, maintains the security integrity of applications, and scales with the growing demands of your business.

HP Fortify SCA provides reports that enable development and security teams to quickly organize, investigate, and prioritize analysis results, so critical vulnerabilities that pose the biggest risk to your organization can be remediated quickly.

Building secure code is a team effort between Development, QA, Security Teams and Management. It involves communication, collaboration and a commitment to improve the security posture of the organization. HP Fortify SCA's web-based collaboration capabilities provide a shared workspace and repository to communicate and work together on code reviews and remediation activities.

It's important to prioritize results by vulnerability impact and likelihood of exposure. HP Fortify SCA will prioritize vulnerabilities by severity and importance, provide a detailed action plan, and deliver risk-ranked and categorized issues so developers can address critical vulnerabilities first.

Why HP?

HP Fortify, the most broadly adopted SAST tool in the market, continues to deliver compelling innovations with IAST and RASP technologies.


HP Fortify continues its unbroken streak of leadership in every application security MQ ever issued. Once again, Gartner has positioned HP as a leader.

According to Gartner, leaders in the AST (Application Security Testing) market demonstrate breadth and depth of AST products and services. Leaders should provide mature, reputable SAST, DAST and, desirably, IAST techniques in their solutions. Leaders also should provide organizations with AST-as-a-service delivery models for testing, or with a choice of a tool and AST as a service, using a single management console and an enterprise-class reporting framework supporting multiple users, groups and roles. In addition, Leaders should provide capabilities for testing mobile applications.

Fortify's application security solutions include SCA, the most broadly adopted SAST tool in the market, WebInspect for comprehensive DAST, and the newest, RASP technology, Application Defender. To learn more about HP Application Security, visit hp.com/go/fortify.