Monday 25 June 2012

Any real-world Fortify RTA case studies out there?

One of the replies I got to my Dynamically patching ASP.NET code in real-time? (Why don't WAF vendors do it?) post was the question "is this something similar to HP RTA?" (see HP Fortify Real-Time Analyzer (RTA) and RTA Customization: The power of being inside the application).

The answer is Yes(ish).

RTA (which they call Real-Time Analysis) would fit into the 'In memory, on an app that has been instrumented and allows dynamic function hooking' mode.

My understanding (and please correct me if I'm wrong) is that RTA works by inserting stubs in code (just like AOP) that give you hooks into method calls.

So yes, RTA will allow 'Dynamic Patches' to be created, but it requires applications to be set up like that (which you would also get in .NET if you started the process under the Profiler).

One of the key properties that I think 'Dynamic Patches' should have is that they really are 'patches', i.e. something that can be dynamically enabled and disabled.
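To make the 'instrumented app + hooks + toggleable patch' model concrete, here is an added C# example. It is not Fortify RTA code and not code from the original post: the entry stub that an instrumenter (RTA, an AOP weaver, or a profiler-based rewriter) would inject is written by hand into one method, and the hook registry, patch class, method identifier and sample `OrderRepository` are all hypothetical names chosen for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added illustration, not Fortify RTA's implementation. Assumed model: a sensitive
// method has an entry stub that consults a registry of patches; each patch can be
// enabled or disabled while the process keeps running.

// A dynamic patch: a named check that runs before the hooked method body.
public sealed class DynamicPatch
{
    public string Name { get; }
    public bool Enabled { get; set; }
    // Receives the call's arguments; returns false to block the call.
    public Func<object[], bool> Check { get; }

    public DynamicPatch(string name, Func<object[], bool> check)
    {
        Name = name;
        Check = check;
        Enabled = true;
    }
}

// Registry keyed by the method identifier that the inserted stub passes in.
public static class HookRegistry
{
    private static readonly object Sync = new object();
    private static readonly Dictionary<string, List<DynamicPatch>> Patches =
        new Dictionary<string, List<DynamicPatch>>();

    public static void Register(string methodId, DynamicPatch patch)
    {
        lock (Sync)
        {
            if (!Patches.TryGetValue(methodId, out var list))
                Patches[methodId] = list = new List<DynamicPatch>();
            list.Add(patch);
        }
    }

    // The "dynamic" part: flip a patch on or off without restarting the app.
    public static void SetEnabled(string patchName, bool enabled)
    {
        lock (Sync)
            foreach (var list in Patches.Values)
                foreach (var p in list)
                    if (p.Name == patchName) p.Enabled = enabled;
    }

    // Called from the entry stub. Returns the name of the patch that blocked
    // the call, or null if every enabled patch allowed it.
    public static string RunBefore(string methodId, object[] args)
    {
        DynamicPatch[] snapshot;
        lock (Sync)
        {
            if (!Patches.TryGetValue(methodId, out var list)) return null;
            snapshot = list.ToArray();
        }
        foreach (var p in snapshot)
            if (p.Enabled && !p.Check(args)) return p.Name;
        return null;
    }
}

public class BlockedByPatchException : Exception
{
    public BlockedByPatchException(string patch)
        : base("call blocked by dynamic patch: " + patch) { }
}

// The instrumented application method (hypothetical): the first two lines are
// the stub an instrumenter would insert; the rest is the original body.
public class OrderRepository
{
    public const string MethodId = "OrderRepository.FindByCustomer";

    public string FindByCustomer(string customerId)
    {
        var blockedBy = HookRegistry.RunBefore(MethodId, new object[] { customerId });
        if (blockedBy != null) throw new BlockedByPatchException(blockedBy);

        // Original body, deliberately left vulnerable (string-concatenated SQL)
        // so the effect of the patch is visible.
        return "SELECT * FROM Orders WHERE CustomerId = '" + customerId + "'";
    }
}

public static class Demo
{
    public static void Main()
    {
        var repo = new OrderRepository();
        // Virtual patch: only let customer ids of the expected shape reach the sink.
        HookRegistry.Register(OrderRepository.MethodId,
            new DynamicPatch("customerId-allowlist",
                args => Regex.IsMatch((string)args[0], @"^[A-Za-z0-9]{1,32}$")));

        Console.WriteLine(repo.FindByCustomer("C1001"));            // allowed
        try { repo.FindByCustomer("' OR 1=1 --"); }
        catch (BlockedByPatchException e) { Console.WriteLine(e.Message); }

        HookRegistry.SetEnabled("customerId-allowlist", false);     // patch off
        Console.WriteLine(repo.FindByCustomer("' OR 1=1 --"));      // original behaviour again
    }
}
```

The point of the example is the last three lines: the patch changes what the hooked method accepts, and disabling it restores the original behaviour instantly, with nothing recompiled or redeployed. What a real instrumenter adds on top is the stub insertion itself (so you do not have to edit each method by hand) and the ability to hook methods you do not own, such as framework or third-party code.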

That said, I've always been a fan of the RTA concept, since it is on the right path of allowing apps to be patched for security vulnerabilities.

So ... now that this product has been out for a while (5+ years?), are there any real-world case studies of RTA working?

Also, how much of a commercial success is RTA? Are customers actually buying it?

If there is a market, what are the competitors?