SaaS unification of SAST, DAST, and Core SCA
One platform across all three scan types with shared findings management, unified policy, and one suppression history. Programs running Fortify standalone scanners get the unification benefit.
OpenText • Application security
Core Application Security is the SaaS edition of the OpenText AppSec line, formerly Fortify on Demand. It unifies SAST, DAST, and Core SCA scan execution and findings management into one platform with Application Security Aviator AI augmentation across all three.
Programs modernizing off legacy Fortify on-prem onto the SaaS bundle do it through Merito, with policy refresh, suppression-discipline redesign, CI/CD integration, and Aviator pilot rollout treated as the work rather than a license swap.
What it is
OpenText Core Application Security is the SaaS-unified AppSec product carrying the Fortify on Demand lineage. It bundles SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and Core SCA (Core Software Composition Analysis) into one platform with shared findings management, unified policy, and Application Security Aviator as the AI augmentation surface across all three. Customers running standalone Fortify scanners on-premises modernize onto Core Application Security; net-new programs adopt Core Application Security directly as the unifying surface.
The Fortify lineage matters. Fortify Static Code Analyzer became SAST. Fortify WebInspect became DAST. Fortify SCA became Core SCA. Fortify on Demand became Core Application Security. The engines are mature (Fortify SAST has been in regulated production for two decades), the language coverage is broad, and the regulated-industry footprint (financial services, government, defense, healthcare) is real. The 2024-2025 rebrand cycle is cosmetic at the engine level; the modernization opportunity is at the operational level (SaaS unification, CI/CD integration, AI augmentation).
Modernization off legacy Fortify on-prem is the most common engagement. Programs running Fortify Static Code Analyzer on-premises with Fortify on Demand SaaS for some teams typically end up with two policy stores, two suppression histories, and two sets of CI/CD integrations. Core Application Security unifies the operational surface in SaaS. Merito treats the move as a chance to refresh policies, redo suppression discipline, modernize CI/CD wiring, and layer Aviator AI augmentation rather than a license-swap exercise.
What breaks Core Application Security adoption is treating the SaaS migration as identical to the on-prem deployment. The on-prem Fortify model assumes manual scan triggering and post-hoc triage; the SaaS Core Application Security model assumes CI/CD-triggered scans, PR-time integration, and continuous triage. Programs that lift-and-shift the on-prem operating model into SaaS get Fortify on Demand-shaped operations rather than Core Application Security-shaped operations. Merito's engagement redesigns the operating model rather than copying it.
Ideal use cases
What it is best at
One platform across all three scan types with shared findings management, unified policy, and one suppression history. Programs running Fortify standalone scanners get the unification benefit.
Fortify Static Code Analyzer, WebInspect, and Fortify SCA engines under the Core Application Security umbrella. Mature regulated-industry footprint (20+ years in financial services, government, defense, healthcare).
Aviator runs across SAST, DAST, and Core SCA findings inside Core Application Security. Programs running the bundle get unified AI augmentation rather than per-scanner AI.
FedRAMP authorization on selected SaaS editions, SOC 2 Type II, ISO 27001 + 27017 + 27018, HIPAA-aligned design. Programs subject to federal or sector-specific mandates get the compliance trail in SaaS.
Strategic modernization target for legacy Fortify Static Code Analyzer, WebInspect, and Fortify on Demand customers consolidating onto SaaS.
Core capabilities
SAST + DAST + Core SCA running on one platform with shared findings management.
SAST inside Core Application Security
Fortify Static Code Analyzer engine, broad language coverage including legacy stacks, source and binary code analysis.
DAST inside Core Application Security
Fortify WebInspect engine, authenticated web scanning, API and mobile DAST coverage.
Core SCA inside Core Application Security
Fortify Software Composition Analysis engine, OSS dependency scanning, license compliance.
Unified findings management
One backlog across SAST, DAST, and SCA. Shared severity, suppression, and audit trail.
Aviator on top of unified findings.
Application Security Aviator integration
Cross-product AI grounded in the customer's findings, triage history, and codebase across SAST, DAST, and SCA.
AI-assisted triage
Aviator clusters related findings, proposes remediation paths, and reduces false-positive review time.
AI-augmented developer workflow
IDE and PR-review integration so AI suggestions reach developers in the workflow they already use.
SaaS-unified AppSec inside the customer's release pipelines.
CI/CD integration
PR-time scanning, build-gate policy, and release-time evidence across Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket.
Application Quality Management traceability
AppSec evidence flowing into AQM for regulated test management and audit traceability.
Compliance reporting
Audit-ready evidence for SOC 2, FedRAMP, HIPAA, PCI DSS, and ISO 27001 attestations.
Findings-routing operating model
Suppression workflow, triage assignment, and PR-time integration designed for SaaS continuous AppSec rather than on-prem batch AppSec.
Licensing and packaging
Core Application Security commercial
SaaS-unified SAST + DAST + Core SCA bundle with Aviator AI augmentation.
Best for: Programs modernizing off legacy Fortify or starting net-new AppSec in SaaS.
Core Application Security Government Cloud (FedRAMP)
FedRAMP-authorized edition for federal customers and federal contractors.
Best for: Federal programs and contractors requiring FedRAMP-authorized AppSec SaaS.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant setup, modernization from legacy Fortify, policy refresh, suppression-discipline redesign, CI/CD integration, Aviator pilot.
Fortify on-prem to Core Application Security migrations including policy and suppression-history transfer.
AppSec program scoping for Core Application Security adoption alongside Checkmarx One and Snyk.
PR-time SAST, DAST, and SCA gates and build-gate policy in the customer's CI fabric.
Developer enablement and AppSec champion programs around SaaS continuous AppSec.
Named engineer, priority SLAs, and release-time coverage for Core Application Security.
Long-term run support including policy tuning, suppression-discipline maintenance, and Aviator rollout evolution.
Role-based training for AppSec architects, security engineers, and developers using Core Application Security output.
Merito-placed AppSec engineers and OpenText specialists embedded on long-running programs.
OpenText Core Application Security licensing
Core Application Security pricing arrives with Fortify-to-Core modernization, policy refresh, CI/CD integration, and Aviator pilot rollout that turn the SaaS migration into a real AppSec modernization rather than a lift-and-shift license swap.
Merito point of view
Merito has migrated programs off legacy Fortify on-prem onto Core Application Security and watched some teams lift-and-shift the operating model verbatim. The result is Fortify on Demand-shaped operations running in Core Application Security, which is not what the SaaS unification is for. The modernization opportunity is at the operational level: continuous CI/CD-triggered scans, PR-time gates, AI augmentation through Aviator, unified findings management across SAST + DAST + SCA. Programs that treat the move as a license swap leave most of the value on the table.
Merito recommends Core Application Security specifically when the program is consolidating off legacy Fortify on-prem, when SaaS unification across SAST + DAST + SCA pays back the migration cost, and when regulated compliance posture (SOC 2, FedRAMP, HIPAA) matters. For programs running mature Checkmarx One pipelines, replacing them with Core Application Security is a 12-month project that often does not deliver enough delta to justify the disruption. Merito runs that decision honestly.
Application Security Aviator is the AI augmentation that pays back when grounding is real. Programs licensing Aviator without piloting and without grounding configuration get generic AppSec AI that looks correct and frequently is not. Merito treats Aviator pilot validation as part of the Core Application Security implementation rather than an upsell.
Consultation request
Share your current Fortify footprint, modernization timeline, and AppSec program shape. A Merito OpenText specialist follows up within one business day.
SaaS unification
Shared findings, unified policy, Aviator AI across the line. Programs running standalone Fortify scanners get the unification benefit.
Modernization opportunity
Continuous AppSec, PR-time gates, AI augmentation. Lift-and-shift migrations leave most of the value on the table.
Next step
A Merito Core Application Security engagement starts with policy refresh, suppression-discipline redesign, and Aviator pilot planning. Lift-and-shift migrations leave most of the SaaS unification value on the table.