Is Fortify the Right Choice for Your Next SAST Tool?
There are many embedded systems out there, but only a few static code analysis tools that realistically support embedded software developers. The recent acquisition of Micro Focus by OpenText, including the Fortify Static Code Analyzer, reignites the question of which static code analysis tool is best for your embedded software project.
Between Fortify and Klocwork, our experts have the answer. Read along or jump ahead to the section that interests you the most:
- What Is Fortify Static Code Analyzer?
- What to Consider When Evaluating Fortify vs. Klocwork
- Why Consider Replacing Fortify Static Code Analyzer?
- Why You Should Consider Klocwork
What Is Fortify Static Code Analyzer?
Fortify was founded in 2003, a few years after our own Klocwork technology launched, as a set of code analyzers identifying violations of specific coding rules and guidelines. After its acquisition by HP in 2010 and through to its merger with Micro Focus in 2016, Fortify’s capabilities have focused on enterprise security and broad language support.
Fortify’s new owner, OpenText, comes from a different angle, focusing on enterprise information management. The acquisition of Micro Focus signals their desire to expand into a world new to them: application development and testing, with a focus on today’s API-driven world. In a recent DevOps.com article, OpenText CEO Mark J. Barrenechea told analysts:
“The ultimate goal is to enable organizations to accelerate their digital business transformation initiatives using a set of application programming interface (API)-centric offerings that reside on a private cloud.”
It isn’t difficult to gauge what this new corporate combination means: A stronger push into static application security testing (SAST) for enterprise developers.
While embedded software developers often work in enterprise environments, the two “e”s aren’t interchangeable. That’s why it’s helpful to know what to consider when comparing Fortify Static Code Analyzer with Klocwork.
What to Consider When Evaluating Fortify vs. Klocwork
Language Capabilities and Experience
“Developer-friendly language coverage” for Fortify means supporting over 29 languages, from ASP.NET to Visual Basic. Klocwork supports 7 languages, including the most popular ones for embedded software like C, C++, C#, and Java.
While breadth can be good for enterprise environments, with multiple teams and large application frameworks, embedded developers require specialized support built upon the unique demands of resource-constrained systems. For example, a web developer likely doesn’t care how their application uses memory, but an embedded developer certainly does.
Release Investment and Cadence
Klocwork releases updates every quarter, guaranteeing you access to the latest features, performance updates, and bug fixes. Fortify only releases twice a year, sometimes less. Whether this cadence is a reasonable option for your team depends on your usage patterns and involvement with static analysis and SAST tools.
Perforce continues to invest in Klocwork, across research activities, technology development, product maintenance, and growing the internal experience necessary to deliver relevant, effective SAST features to the embedded audience. It’s unclear where OpenText will take Fortify, but we have some guiding questions to ask below.
Embedded Industry Experience
From the beginning, Klocwork was designed to perform large-scale source code analysis against specific requirements for resource-constrained systems (it was telecom software back in 2001) and has never deviated since. By having embedded developers build a static analysis and SAST tool for embedded developers – supported by QA teams, product managers, and compliance experts from the industry – you get the ideal combination of deep experience and application-relevant features.
For example, the recent addition of nested streams to Klocwork was the direct result of embedded software teams needing to manage multiple variants and branches of the same code base. By simplifying configuration, issue management, and defect citing and reporting, Klocwork is better able to support projects with multiple target devices within a release cycle.
Fortify’s static code analysis is a beneficial tool for enterprise teams and an asset for cloud-native development. While these domains play a role in many embedded systems, Fortify is clearly built for a different market.
More embedded software teams have adopted standards compliance than ever before, requiring tools that can keep up with evolving guidelines, rules, and expectations. Fortify offers support for popular standards like OWASP and a few MISRA versions.
Klocwork’s compliance taxonomies, in contrast, are designed to support the functional safety and security needs of embedded C, C++, C#, and Java developers working in automotive, aerospace and defense, medical devices, financial systems, and more.
Our Customers’ Opinions
“Klocwork provides solid static code analysis results that have helped us to avoid potential bugs. It is easy to set up and use both directly in the development tools and with our continuous integration server.”
– Network Engineer
From automotive to medical devices, Klocwork users are the best advocates. Here are some case studies and videos that illustrate why static analysis and SAST built for embedded software matters:
- Elektrobit: From False Positives to Trust: A Story of Static Code Analysis Adoption
- Johns Hopkins: How Johns Hopkins Enhanced Software Reliability and Developer Productivity With Klocwork
- How Klocwork Supports Safety-Critical Development
- Achieving AUTOSAR C++14 Compliant Code with Klocwork
Building a world-class static code analysis tool is more than just opinions – we also hold monthly Static Analysis Sync events to educate, align with, and support the embedded software community. Every event is an opportunity to participate in live, open panel discussions with our static analysis experts. These discussions include gathering developer feedback on their projects, concerns, and evolving needs, as well as product roadmap discussions to educate customers on what to expect in upcoming quarterly releases of our products.
Why Consider Replacing Fortify Static Code Analyzer?
Aside from the technical specifics and embedded industry knowledge, the Fortify acquisition brings up very real questions about where to invest your static analysis and testing budgets. Whether it's renewal time or you’re researching purchase options, key questions to ask are:
- What does the product roadmap look like for the next 2–5 years?
- How invested is the company in the tool’s research and development?
- What changes will happen to the product’s release cadence, maintenance benefits, and support agreements?
- Will the acquisition impact the customer support team?
- Will the product line continue, be rolled into something else, or be deprecated?
Acquisitions can be a tricky path to navigate for end users, so it’s always good to understand the change and recognize the impacts to your projects.
Why You Should Consider Klocwork
For industries where compliance and safety are imperative, choosing a static code analysis tool that provides full coverage without interrupting the dev process is a business-critical decision.
Here, we outline why Klocwork is a top-of-class static analysis and SAST tool:
- Runs seamlessly in the CI/CD pipeline.
- Provides lightning-fast analysis speeds, even on massive codebases.
- Provides depth and breadth of coverage.
- Has limited false positives and provides guidance for remediation.
- Is independently certified and offers deep company expertise.
Bottom line: Klocwork is the smart choice for ease of use, flexibility, and scalability. If you’d like a deeper comparison between Fortify Static Code Analyzer and Klocwork, get in touch with our product experts here.
To try Klocwork now, sign up for our free seven-day trial.