Skip Navigation

Micro Focus Bolsters Strategic Partnership With Sonatype, Brings Best-In-Class Open Source Security to All Fortify Customers


New Joint Solution Delivers a Single, Fully Integrated Application Security Platform for Managing Open Source Risk and Vulnerabilities for Fortify on Demand and Fortify On-Premise

SANTA CLARA, CA -- Sept. 9, 2019 – Micro Focus (LSE: MCRO; NYSE: MFGP) today announced an expanded strategic partnership with Sonatype to provide the combined power of Micro Focus' application security as a service, Fortify, and Sonatype's leading automated open source governance solution, to even more customers. The new relationship, which promotes Sonatype as Fortify's preferred Software Composition Analysis (SCA) partner, delivers the advantages of a single, fully integrated application security platform, without compromising depth and capability in managing open source risk and vulnerabilities.

Open source software components make up a significant portion of many applications' codebases, making SCA a "must-have" AppSec capability. Powered by Sonatype, Fortify's SCA is much more than a simple match of open source component names against issues noted in the National Vulnerability Database (NVD). Sonatype uses artificial intelligence and machine learning along with human curation to ingest and identify security vulnerabilities from other open source projects, GitHub commits, advisory websites, the NVD, and a number of other vulnerability sources.

"In today's DevSecOps world, customers demand a holistic view of their applications that encompasses both custom and packaged code. That is why an integrated AppSec platform – combining SAST and SCA - that empowers developers at speed and scale is required," said Scott Johnson, General Manager of Fortify at Micro Focus. "Sonatype and Fortify are long term partners and market leaders that together are taking AppSec to the next level of value for customers."

Additionally, new vulnerabilities are regularly discovered by a dedicated team of security researchers and added to the proprietary knowledge-base. Fortify simplifies the onboarding and scanning process by combining static and composition analysis into a single integration point, whether that's in the IDE or CI/CD pipeline. The comprehensive software bill-of-materials, including security vulnerabilities and license details, is delivered as a fully integrated experience for security professionals and developers alike.

"On average, enterprises use over 150,000 open source libraries across their applications, resulting in 85% of all modern applications being made up of open source components. At this scale, it has become vital that automated and accurate open source security analysis is a core element of an enterprise's AppSec program," said Bill Karpovich, Executive Vice President of Sonatype. "We're excited to expand our relationship with Fortify and to make it easier for enterprises to benefit from this powerful combined solution for application security."

Key features and updates to Fortify on Demand include:

  • Simultaneously run SAST and SCA analysis
  • Supports Java, .NET, JavaScript and Python
  • Integrated results deliver one platform for remediation, reporting and analytics
  • Examines fingerprints of over 65 million components - not file names and package manifests
  • Detects 70% more vulnerabilities than the NVD database alone

Together, the companies will broaden the open source library scanning capabilities in Fortify on Demand, and Sonatype will continue to offer a turnkey integration of its Nexus Lifecycle solution for on-premises and cloud hosted Fortify SSC customers. "Sonatype pioneered open source application security and is already trusted by the world's largest enterprises, so it's natural for us to expand our relationship with deeper integrations across the Fortify product suite," said Johnson. Additional cross-portfolio integrations are also planned for 2020.

More Information
Micro Focus Fortify on Demand integrated with Sonatype joins the growing portfolio of Security, Risk, and Governance solutions offered by Micro Focus and is available today.

Join Micro Focus on LinkedIn and follow @MicroFocus X.

About Micro Focus
Micro Focus helps organizations run and transform their business through four core areas of digital transformation: Enterprise DevOps, Hybrid IT Management, Predictive Analytics and Security, Risk & Governance. Driven by customer-centric innovation, our software provides the critical tools they need to build, operate, secure, and analyze the enterprise. By design, these tools bridge the gap between existing and emerging technologies—enabling faster innovation, with less risk, in the race to digital transformation.

About Sonatype
More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from Accel Partners, Goldman Sachs, Hummer Winblad Venture Partners, and TPG. Learn more at