Additional License Authorizations  
For Application Security software products  
Products and suites covered  

| Products | E-LTU or E-Media available* | Perpetual License Non-production use category ** | Term License Non-production use category (if available) |
| --- | --- | --- | --- |
| Security ArcSight Application View (previously called HPE Security ArcSight Application View) | Yes | Class 1 | Class 3 |
| Fortify Audit Assistant On-Premise | Yes | Class 3 | Class 3 |
| DevInspect (previously called HPE DevInspect) | Yes | Class 3 | Class 3 |
| Security Fortify for Managed Service Provider on Premise (previously called HPE Security Fortify for Managed Service Provider on Premise) | Yes | Class 3 | Class 3 |
| Security Fortify Governance (previously called HPE Security Fortify Governance) | Yes | Class 3 | Class 3 |
| Security Fortify Real-Time Analyzer (previously called HPE Security Fortify Real-Time Analyzer) | Yes | Class 3 | Class 3 |
| Security Fortify Runtime (previously called HPE Security Fortify Runtime) | Yes | Class 3 | Class 3 |
| Security Fortify Static Code Analyzer (previously called HPE Security Fortify Static Code Analyzer) | Yes | Class 3 | Class 3 |
| Security Fortify Concurrent Scanning License Model | Yes | Class 3 | Class 3 |
| Security Application Defender (previously called HPE Security Application Defender) | Yes | Class 3 | Class 3 |
| Software Security Center (previously called HPE Software Security Center) | Yes | Class 3 | Class 3 |
| Security WebInspect (previously called HPE Security WebInspect) | Yes | Class 3 | Class 3 |
| Security WebInspect Enterprise (previously called HPE Security WebInspect Enterprise) | Yes | Class 3 | Class 3 |
| Sonatype Fortify On Premise | Yes | N/A | Class 3 |

| Suites | E-LTU or E-Media available* | Perpetual License Non-production use category ** | Term License Non-production use category (if available) |
| --- | --- | --- | --- |
| Security Fortify Express Edition Suite (previously called HPE Security Fortify Express Edition Suite) | Yes | Class 3 | Class 3 |
| Security Fortify Premium Edition Suite (previously called HPE Security Fortify Premium Edition Suite) | Yes | Class 3 | Class 3 |
| Security Fortify Ultimate Edition Suite (previously called HPE Security Fortify Ultimate Edition Suite) | Yes | Class 3 | Class 3 |
| Security Fortify Runtime Suite (previously called HPE Security Fortify Runtime Suite) | Yes | Class 3 | Class 3 |
| Security Software Security Center Build to Order Starter Edition (previously called HPE Security Software Security Center Build to Order Starter Edition) | Yes | Class 3 | Class 3 |
| Security Software Security Center Build to Order Starter Edition w/o SSC Server (previously called HPE Security Software Security Center Build to Order Starter Edition w/o SSC Server) | Yes | Class 3 | Class 3 |
| Security WebInspect Enterprise Build to Order Starter Edition Suite (previously called HPE Security WebInspect Enterprise Build to Order Starter Edition Suite) | Yes | Class 3 | Class 3 |
| Security WebInspect Enterprise Security Consultant Suite (previously called HPE Security WebInspect Enterprise Security Consultant Suite) | Yes | Class 3 | Class 3 |

* Any product sold as E-LTU or E-Media shall be delivered electronically regardless of any contrary designation in a purchase order.  
** Non-production use rights, if any, can be found at software.microfocus.com/legal/software-licensing.  
Definitions  
Capitalized terms not otherwise defined in this ALA document are defined in the governing agreement.  

| Term | Definition |
| --- | --- |
| Agent (Security Application Defender) | Means that portion of the software that manages and may be required for each physical server, virtual server, application runtime or container. |
| AMP Concurrent User | Means the software is licensed by the amount of active AMP Users that interact (directly or indirectly) with software at any one point in time on one (1) OS Instance. |
| AMP User | Means a single individual who makes use of the software and/or the functionality provided by the software either directly or indirectly through user interfaces, clients, 3rd party software, or Application Programming Interfaces. |
| Application (Security Fortify Editions – Static Scanning) | See Project |
| Application (Security Application Defender) | Means a deployable unit of software code consisting of a collection of source code, byte code or object code, or a running production Instance of that deployed unit of software code, that delivers some or all of the functionality of a business application. If a component, subsystem, or interfaced system can be removed from the deployable unit of software code and run separately to provide independent functionality, that component, subsystem or interface is considered a separate and independent Application. |
| Application (Security WebInspect and Security Fortify Editions – Dynamic Scanning) | See Target. |
| Application Instance or AppInstance | Means the installation and usage of an Instance of an Application on a Server or group of Servers. |
| Application Programmatic Interface (“API”) | Means a set of access methods, through which the functionality provided by the application is made available to other applications. |
| Authorized Machine | Means a named OS Instance licensed to run the software. |
| Base | Means an offering of Security Fortify Governance with a minimum of 10 Projects. |
| Build to Order Plan or B2O | Means a pricing plan under which Power Users and/or Regular Users use the software on Authorized Machines for Projects. |
| CBT Seat | Means a license for an individual to use a specific computer based training course. |
| Clients | Means any applications or systems which provide functionality separate from that of the software while providing for the facility to connect to and interact with the software. |
| Cold Standby System | Means a standby non-production system which is NOT up and running. If the production system breaks down, or needs to be taken out of service, you are required to switch on and start the Cold Standby System in order to take over for the production system. |
| Concurrent Users or CC Users | Means the software is licensed by the amount of users that simultaneously use the software at any one point in time. The software can be installed on any number of computers, provided that the actual usage of the software does not exceed the number of licenses purchased. |
| Connection | Means an application actively communicating through an established and authenticated communication session with the AMP Server. |
| Curriculum | Means a combination of courses that may or may not be offered individually. |
| Developer | Means an individual responsible for the design and development of the source code assessed by DevInspect. |
| Development and Test Systems | Means a non-production system to be used for a) developing your add-on applications in order to access the licensed software b) migration testing c) pre-production staging or d) version upgrades/configurations and transition purposes. |
| Device or Dev | Means an addressable entity, physical or virtual, including but not limited to router, switch, bridge, hub, server, PC, laptops, handheld device or printer that resides within the range defined for interrogation and asset tracking. |
| Documentation | Means any explanatory written or on-line material including, but not limited to, user guides, reference manuals and HTML files. |
| Dynamic Engine | Means a single installed OS Instance of a dynamic Application testing software used by Security WebInspect or Security WebInspect Enterprise Sensor for Scanning Applications for security vulnerabilities. |
| E-LTU and E-Media | Means products which are electronically delivered only, and as such any reference to FOB Destination or delivery methods that are stated on your purchase order other than electronic shall be null and void with respect to these E-LTU or E-Media products. |
| Enterprise or Ent | Means a license which allows Unlimited CBT Seats within the legal entity. |
| Fail or Failover | Means a backup operation that automatically switches the functions of a primary system to a standby server if the primary system fails or is temporarily taken out of service. |
| Flexible Deployment Plan or Flex | Means the licensing arrangement under which Customer knows how many developers contributed code to the applications, and the software may be used to analyze/scan code written only by the Named Contributing Developers. |
| Fortify Dynamic Only Scan Machine | Means an instance of WebInspect that is actively running a single scan. |
| Fortify Scan Machine | Means an instance of Fortify Static Code Analyzer (SCA) or WebInspect that is actively running a single translation or scan. |
| Fortify Scan Model | See Fortify User. |
| Fortify User | Means any named user who is using Fortify Software Security Center (SSC), or any tooling provided by Fortify, or a Fortify Dynamic Only Scan Machine. |
| Foundation | Means a single Instance of the core or primary components of a software application which enable its basic functionality, and without which the additional modules available for the application are unable to operate. Foundation software may be installed on one or multiple servers, depending on the specific architecture required to enable the functioning of the single Instance. |
| Hot Standby System | Means a non-production system which is up and running, ready to take over from the production system if the production system breaks down or needs to be taken out of service. |
| Implementation | Means an installation of the software on a single Server or installed on a cluster of Servers which work together as a single installation of the software. |
| Instance | Means each implementation of the application. |
| Internal Use | Means access and Use of the software for purposes of supporting your internal operations or functions. |
| Lines of Code or LOC | Means the total number of lines of your software source code that are authorized to be scanned by an Unlimited number of software developers on an Unlimited number of Authorized Machines using the software. |
| Lines of Code Plan or LOC Plan | Means the licensing arrangement that specifies the authorized Lines of Code. |
| LTU | Means License To Use. |
| Managed Service or MS | Means services provided by you using the eligible Micro Focus Products for managing or augmenting the information technology functions of other companies for a fee, such as but not limited to, outsourcing, hosting, Infrastructure-as-a-Service (“IaaS”), Platform-as-a-Service (“PaaS”), Software-as-a-Service (“SaaS”), or Business Process-as-a-Service (“BPaaS”), remote network management, security monitoring, log management, patch management, remote data back-up, and application services such as load testing, quality testing, regression testing, or performance testing. |
| Managed Service Provider or MSP | Means you when acting as a third party service provider contracted by an end user (that is not your Affiliate) to provide Managed Services to that end user. |
| Named Contributing Developer or NCD | Means a named software developer authorized to contribute code to the projects to be scanned by the licensed product. |
| Named User or Nmd User | Means a specific individual authorized by you to access the software regardless of whether they are actively using the software. |
| Non-Production or NP | Means internal use which is limited to Use on Development and Test Systems and Hot and/or Cold Standby Systems. This NP license requires the previous purchase of the equivalent or greater production licenses. Support for NP licenses is restricted to the period of and current status of the equivalent production license. |
| Operating System Instance or OS Instance | Means each implementation of the bootable program that can be installed onto a physical system or a partition, such as system Virtual Machines, virtual environments, virtual private servers, containers, guests and zones, within the physical system. A physical system can contain multiple Operating System Instances. A container means a system partition based on software rather than hardware. Guests means a VM system running on a host system where the host runs its own complete OS Instance (as opposed to a hypervisor), like VMware Workstation. Zone means Oracle/Sun Solaris specific nomenclature for a software partition which can run a virtual OS instance including but not limited to Sparse, native, and ipkg. |
| Professional Services Engagement(s) | Means a contract between Managed Service Provider and a third party for the Security Consultant to perform a Web Application Vulnerability Assessment of a defined web site or a Static Code Analysis on behalf of the third party. |
| Project or Prj | Means a unique code base analyzed by Security Fortify Static Code Analyzer or managed by Security Fortify Governance. |
| Power User | Means a named user authorized to use Security Fortify Software Security Center, Security Fortify Static Code Analyzer, IDE plug-in and Audit Workbench to run Scans on and view results for all Projects. |
| Regular User | Means a Named User authorized to use Security Fortify Software Security Center to view results for only Projects that they have worked on. A Security Fortify Static Code Analyzer Regular User license is authorized to use IDE plug ins to run Scans and view results for only Projects that you have worked on. A Software Security Center Regular User license (when purchased separately) includes a Security Fortify Static Code Analyzer Regular User License and therefore is authorized to use IDE plug ins to run Scans and view results for only Projects that you have worked on. A Software Security Center Build To Order WebInspect Enterprise Edition license includes a version of Software Security Center Regular User that is not authorized to use IDE plug ins to run Scans and view results for only Projects that you have worked on. |
| SaaS | Means Software as a Service which is a service that allows access to the software, support and related professional services, as described in an order document, datasheet or a Statement of Work (SOW). |
| Scan | Means the act of, through automated or manual means, examining computer software for security vulnerabilities. |
| Scanning Machine | Means the number of named physical or Virtual machines that are running the software. |
| Scanning User | Means a physical or Virtual Machine or a person authorized to run, configure, or submit Scans for licensed Applications. |
| Security Consultants – See Managed Service Provider or MSP | Means you who enters into Professional Services Engagement contracts with 3rd parties as part of their defined business offerings and as a material part of their day to day business. |
| Sensor | Means Instances of the Micro Focus scanning technology that acts on behalf of and are controlled by the AMP Base Server in order to provide application, system and networks scanning capabilities. |
| Server or SVR | Means any designated computer system in which an Instance or Instances of the software is installed. |
| Single Scan Overage or SngScanOver | Means an incremental single Scan that can be purchased for FOD for MSPs. |
| Static Code Analysis | Means analyzing software source code, bytecode, or object code to find security vulnerabilities. |
| Static Engine | Means a single installed OS Instance of a static Application testing software used by Security Fortify Static Code Analyzer for Scanning Applications for security vulnerabilities. Static application testing software that is embedded in Security Fortify Audit Workbench and IDE Plug-ins are not considered Static Scanning Engines. |
| Suite | Means two or more software products combined into a single license offering or a single software product which includes two or more licenses. The specific software products included in a Suite are specified in the Software Specific License Terms below. Software products included in a Suite are governed by the individual authorizations and use restrictions associated with each software product except where specified in the specific Suite software specific license terms below. |
| Target | Means a unique logical computer system being scanned as part of a Web Application Vulnerability Assessment. A unique Target has a single authentication management system (log-in page). Web applications that expose services and end-points to support mobile applications are considered two distinct Targets (Web and Mobile). A unique Target application is a fully qualified domain name (FQDN) unless it is the same Target used for a staging or lab environment. |
| Term License to Use or Term LTU | Means a software license to use (LTU) which indicates in its license description that the license is valid for a specific period of time such as One Month (1 M), One Year (1 Y) etc. Term LTU’s are not perpetual licenses. |
| Unlimited or Unl | Means without restriction in terms of number of systems, devices or media, depending on the context. |
| User | Means a user whose use is restricted to the type of software that is being licensed. |
| Virtual Machine(s) or VM(s) | Means a computer that does not physically exist but is simulated by another computer. |
| Web Application Vulnerability Assessment or Web Application Vulnerability Assessment Scan | Means the act of, through automated or manual means, examining web based or web delivered computer software for security vulnerabilities. |

Software specific license terms  
Software products with software specific license terms are described below. Software products covered by this ALA  
document (as listed above) and not covered in this section do not have software specific license terms.  
Security ArcSight Application View (previously called HPE Security ArcSight Application View)  
Security ArcSight Application View is licensed by Application Instance for a single ArcSight Enterprise Security Manager or an  
ArcSight Express Implementation.  
Fortify Audit Assistant On-Premise  
Fortify Audit Assistant On-Premise is a results audit tool that uses expert security predictions to help audit the scan results of  
an application. An Audit Assistant instance license is licensed per installation. At least one (1) instance of Fortify Audit  
Assistant On-Premise is required to use the software and provided data.  
DevInspect (previously called HPE DevInspect)  
DevInspect assesses source code from within the developer’s environment and is licensed per Developer. One license is  
required for every Developer authorized to use DevInspect.  
Security Fortify for Managed Service Provider on Premise (previously called HPE Security Fortify for Managed Service Provider on Premise)  
Security Fortify for Managed Service Provider on Premise is licensed by Managed Service Provider for the eligible products  
and the number of Applications and/or Scans to be assessed. The license is limited to use by a Managed Service Provider  
who has signed a Managed Service Provider Agreement and only for the purpose of providing Managed Services. Security  
Fortify for Managed Service Provider on Premise cannot be used for internal use.  
Security Fortify Governance (previously called HPE Security Fortify Governance)  
Security Fortify Governance Base: Includes a license for ten (10) Projects. The Security Fortify Governance User license is  
required for each User authorized to customize process templates for use with Security Fortify Software Security Center.  
Security Fortify Real-Time Analyzer (previously called HPE Security Fortify Real-Time Analyzer)  
Security Fortify Real-Time Analyzer (RTA) requires one RTA Server license for each physical Server running one or more  
protected applications in a production environment. One RTA User license is required for each User authorized to configure  
and administer RTA on the licensed RTA Servers.  
Security Fortify Runtime (previously called HPE Security Fortify Runtime)  
Security Fortify Runtime requires one Security Fortify Runtime Platform Server license and either one Security Fortify  
Runtime Application Protection Server or one Security Fortify Runtime Application Logging Server license for each physical  
Server. Security Fortify Runtime Platform Server, Security Fortify Runtime Application Protection Server and Security Fortify  
Application Logging Server are licensed per single Server. One Security Fortify Runtime User license is required for each User  
authorized to configure and administer Security Fortify Runtime on the licensed Servers.  
Security Fortify Static Code Analyzer (previously called HPE Security Fortify Static Code Analyzer)  
Security Fortify Static Code Analyzer (SCA) Scans a code base, produces results, and stores those results in a Fortify Project  
Report (FPR) file. A Project is a unique code base, upon which you choose to perform a Scan using Security Fortify SCA and  
generate an FPR file. Every unique code base that is Scanned is considered to be a Project. A separate license for each  
Project is required. Project licenses cannot be reused or reassigned. The definition of a Project is independent of how the  
operator chooses to initiate a Security Fortify SCA Scan: from Fortify SCA Audit Workbench, IDE Plug-In or part of a build  
process.  
Security Fortify Static Code Analyzer Build to Order Starter Edition: Includes a license for one (1) Software Security Center,  
one (1) Scanning Machine, one (1) Power User, and thirty (30) Projects.  
Security Fortify Static Code Analyzer Build to Order Starter Edition without Software Security Center: Includes a license for  
one (1) Scanning Machine, one (1) Power User, and thirty (30) Projects.  
Security Fortify Static Code Analyzer Flexible Deployment Plan: Includes unlimited usage of Security Fortify Software  
Security Center, Security Fortify Static Code Analyzer, Audit Workbench and IDE plug-ins to scan code written by Named  
Contributing Developer licenses. This licensing arrangement is based solely on the number of Named Contributing  
Developers that are authorized to contribute code to the projects to be scanned by Security Fortify Static Code Analyzer. It is  
not based on the number of people using the software. A Named Contributing Developer license is required for the  
maximum number of software developers that contributes to the code base of a Project at any given time; therefore, a  
Named Contributing Developer license reflects a maximum capacity of developers contributing code to the Projects and is  
not assigned to a specific named developer. Developers may transfer in and out of the Project without impacting the licenses  
as long as the maximum number of contributing developers does not exceed the number of Named Contributing Developer  
licenses. Code contributed by developers not included in the licensed number of Named Contributing Developers is not  
authorized to be scanned by the software.  
Security Fortify Static Code Analyzer Lines of Code Plan: Includes Unlimited usage of Security Fortify Software Security  
Center, Security Fortify Static Code Analyzer, Audit Workbench and IDE plug-ins to Scan code licensed under the plan. The  
number of Lines of Code authorized under this plan is based on the aggregate number of lines of software source code  
before compilation in all Projects to be Scanned. The Lines of Code should be counted by an industry standard method for  
counting Lines of Code.  
Security Fortify Software Security Center Server: Every individual authorized by you to use the Security Fortify Software  
Security Center Server for any purpose must be a licensed User through one of the following license plans: Build to Order,  
Flexible Deployment or Lines of Code. In the Build to Order plan, either a Regular User or a Power User license is required for  
any individual that uses the Server for any purpose, including but not limited to viewing results and reports, managing  
Projects, Scanning Projects, managing Users, or accessing the collaboration module. In the Flexible Deployment or Lines of  
Code plans, any individual authorized by you is able to use the Security Fortify Software Security Center server, but only for  
licensed Projects. Security WebInspect Enterprise, Security Fortify Governance Projects and Security Fortify Governance  
Users authorized to customize process templates are licensed separately and are not included by default in any of these  
license plans.  
Security Fortify Concurrent Scanning License Model  
With this license model, Fortify does not count the number of machines where the software is installed, but the number of  
active scans happening at any given time. Fortify Static Code Analyzer and WebInspect can be installed on an unlimited  
number of machines. A Fortify Scan Machine license is required for any single scan being executed on any machine. Any scan  
running requires an active Scan Machine license to be used. A machine not actively running a scan is not counted against the  
quantity of Fortify Scan Machines purchased. A machine is considered to be anything used for physical or virtual scanning  
(including a container).  
Examples:  
A machine running two (2) scans requires two (2) Fortify Scan Machine licenses.  
Translation requires a Fortify Scan Machine license.  
A Fortify User is required for any person who is using Fortify Software Security Center (SSC), or any tooling provided by  
Fortify. For the avoidance of doubt, the following list of tools do require a Fortify User, this list is not complete, and is subject  
to change:  
Fortify Audit Workbench  
Fortify IDE Plugins  
Fortify Security Assistant  
Fortify Packaging Utility  
A minimum of two (2) Fortify Scan Machines and one (1) Fortify user OR one (1) Fortify Dynamic Only Scan Machine and one  
(1) Fortify user is required per customer. No use of the software is allowed by anyone who is not a Fortify User. No mixing of  
license models is allowed.  
Security Fortify Edition Suite Add-ons (previously called HPE Security Fortify Edition Suite Add-ons)  
Security Fortify Add-on Applications with Dynamic Engine are licensed by Application and Dynamic Engine (prior to May 1,  
2015).  
Security Fortify Add-on Applications with Static Engine are licensed by Application and Static Engine (prior to May 1, 2015).  
Security Fortify Add-on Application Packs are licensed by Application.  
Security Fortify Add-on Dynamic Engine is licensed by Dynamic Engine (prior to May 1, 2015).  
Security Fortify Add-on Static Engine is licensed by Static Engine (prior to May 1, 2015).  
All the Security Fortify Add-ons referenced above require a license for one of the Security Fortify Edition Suites.  
Security Application Defender (previously called HPE Security Application Defender)  
Security Application Defender is a service that monitors and protects customer’s Applications. The on-premise solution  
consists of two independently licensed components, the Application Defender Server is licensed per Implementation and the  
Application Defender Agents are licensed per Application Instance. A working solution requires at least one Application  
Defender Server and one or more Application Defender Agents.  
Security WebInspect (previously called HPE Security WebInspect)  
Security WebInspect Named User License: WebInspect Named User License is for use on one (1) OS Instance. There are no  
limits on the number of Scans performed or the number of Targets scanned.  
Security WebInspect Concurrent User License: WebInspect Concurrent Users License is required for each of the end users of  
the Clients who concurrently access the software functionality. WebInspect Concurrent Users require the License and  
Infrastructure Manager Server. WebInspect Concurrent User licenses may be purchased individually and added to new or to  
existing AMP Base Servers. There are no limits on the number of Scans performed or the number of Targets scanned.  
WebInspect Concurrent User Licenses require a licensed, installed and active Instance of a Micro Focus License and  
Infrastructure Manager. Available AMP Concurrent User License required when connecting to the AMP Base Server.  
Security WebInspect Single Scan Target License: WebInspect Single Scan Target License performs unlimited web application  
vulnerability Scans on a single IP address. This license is further restricted to installation on not more than five (5) logical  
computer systems. Available AMP Concurrent User License required when connecting to the AMP Base Server. You may  
request two (2) changes to the IP address in a 12 month period. Micro Focus maintains the right to refuse the change in  
cases where the change of IP address is outside of normal IT operations.  
Security WebInspect Security Consultant Term License: The WebInspect Term Licenses are limited to: 1) use by Managed  
Service Provider and only for the purpose of performing Web Application Vulnerability Assessments during the course of a  
Professional Services Engagement and 2) a single Web Application Vulnerability Assessment in the case of the one (1) month  
License, or a series of single Web Application Vulnerability Assessments in the case of a one (1) year License. WebInspect  
Term LTU is restricted to one (1) Named User for use on (1) OS Instance for a limited time period. License includes the ability  
to Scan premium languages.  
Security WebInspect Flexible Deployment Plan License: The WebInspect Flexible Deployment Plan License enables  
unlimited Web Application Vulnerability Assessment Scans for a single Target. This license allows an unlimited number of  
logical computer systems.  
Security WebInspect Enterprise (previously called HPE Security WebInspect Enterprise)  
Security WebInspect Enterprise license entitles User to install one Instance of the Security WebInspect Enterprise software.  
Every individual authorized by you to use the Security WebInspect Enterprise software for configuring, managing, executing,  
auditing, reviewing or reporting on Scans must be a licensed User of Security Fortify Software Security Center Server. Users  
that only login to request Scans do not require a User license.  
Security WebInspect Enterprise Security Consultant Suite: The WebInspect Enterprise for Security Consultant Suite Term  
License is limited to: 1) use by Managed Service Provider and only for the purpose of performing Web Application  
Vulnerability Assessments during the course of a Professional Services Engagement and 2) a series of single Web Application  
Vulnerability Assessments in the case of a one (1) year License.  
Sonatype Fortify On Premise  
Sonatype Fortify On Premise is offered to Fortify customers who need open source scanning with their static code analysis.  
The open source scans are powered by Sonatype’s Nexus Intelligence. The Fortify Sonatype offering is available per  
application and per developer. Must own Fortify Static Code Analyzer and Software Security Center to use offering.  
Fortify Sonatype Per User: Includes unlimited usage of the Sonatype On Premise offering, including Sonatype Lifecycle, by  
licensed users. A user is defined as someone who: (A) produces, consumes, or evaluates one or more software artifacts that  
is/are stored in or scanned, analyzed or otherwise evaluated by Sonatype product, and/or (B) evaluates or in any way uses  
any reports generated by Sonatype product; (ii) the subscriptions may not be accessed by more than the licensed number of  
users, and (iii) subscriptions are restricted for use by designated users only and cannot be shared or used by more than one  
user; provided that Company may reassign a subscription to a new user replacing a former user who no longer requires  
ongoing use of or access to the Sonatype product.  
Fortify Sonatype Per Application: Includes usage for the number of applications purchased. This offering does not include  
access to Sonatype Lifecycle. An Application (see Project) is a unique code base upon which you choose to perform a scan  
using Security Fortify SCA and generate an FPR file. Every unique code base that is scanned is considered to be an Application.  
A Sonatype Application is required for every application used by SCA.  
Application Security Suite offerings  
Suite | Offering includes | Additional terms (if any)  
Security Fortify Express Edition Suite  
Offering includes:  
Suites sold until April 30, 2015:  
- 10 Applications  
- 1 Security WebInspect Dynamic Engine  

Suites sold as of May 1, 2015:  
- 10 Applications  
- 1 Security WebInspect Named User  

Additional terms:  
- Suite includes Security WebInspect to dynamically scan up to 10 Applications by one Named User.  

Security Fortify Premium Edition Suite  
Offering includes:  
Suites sold until April 30, 2015:  
- 10 Applications  
- 1 Security Fortify Static Code Analyzer Static Engine  
- Secure Coding Plug-ins  
- Audit Workbench  
- Security Software Security Center  

Suites sold as of May 1, 2015:  
- 10 Applications  
- 5 Security Fortify Scanning Users  
- Security Fortify Static Code Analyzer Static Engine  
- Secure Coding Plug-ins  
- Audit Workbench  
- Security Software Security Center  
- Premium Languages  

Additional terms:  
- Scan code and audit Scan data by individuals authorized as Scanning Users on licensed Applications which are licensed by the number of Scanning Users and Applications to be scanned by Security Fortify Static Code Analyzer.  
- A Scanning User license is required for each physical or Virtual Machine or a person authorized to run, configure, or submit Scans for licensed Applications.  
- The maximum number of Scanning Users may not exceed the number of Scanning User licenses.  
- Use of software products and tools by individuals not authorized as Scanning Users on licensed Applications is restricted to viewing Scan data in Software Security Center.  

Security Fortify Ultimate Edition Suite  
Offering includes:  
Suites sold until April 30, 2015:  
- 20 Applications  
- 1 Security WebInspect Dynamic Engine  
- 1 Security Fortify Static Code Analyzer Static Engine  
- Secure Coding Plug-ins  
- Audit Workbench  
- Security Software Security Center  
- Security WebInspect Enterprise  

Suites sold as of May 1, 2015:  
- 10 Applications  
- Unlimited Dynamic Applications  
- 5 Security Fortify Scanning Users  
- Security Fortify Static Code Analyzer Static Engine  
- Secure Coding Plug-ins  
- Audit Workbench  
- Premium Languages  
- Security Software Security Center  
- Security WebInspect Enterprise  
- Security Fortify Governance  

Additional terms:  
- Scan code and audit Scan data by individuals authorized as Scanning Users on licensed Applications which are licensed by the number of Scanning Users and Applications to be scanned by Security Fortify Static Code Analyzer.  
- A Scanning User license is required for each physical or Virtual Machine or a person authorized to run, configure, or submit Scans for licensed Applications.  
- The maximum number of Scanning Users may not exceed the number of Scanning User licenses.  
- Use of software products and tools by individuals not authorized as Scanning Users on licensed Applications is restricted to viewing Scan data in Software Security Center.  
- Security WebInspect Enterprise is licensed by the number of Sensors which perform Unlimited dynamic Scans.  

Security Fortify Runtime Suite  
Offering includes:  
- 1 Security Fortify Runtime Platform Server  
- 1 Security Fortify Runtime Application Protection Server  
- 1 Security Fortify Runtime Application Logging Server  
- 1 Security Fortify Runtime User  

Security Software Security Center Starter Edition  
Offering includes:  
- 1 Security Software Security Center Build to Order Server  
- 1 Security Software Security Center Build to Order Power User  
- 1 Security Fortify Static Code Analyzer Scanning Machine  
- 30 Security Fortify Static Code Analyzer Projects  

Security Software Security Center Starter Edition w/o SSC Server  
Offering includes:  
- 1 Security Software Security Center Build to Order Power User  
- 1 Security Fortify Static Code Analyzer Scanning Machine  
- 30 Security Fortify Static Code Analyzer Projects  

Security WebInspect Enterprise Build to Order Starter Edition Suite  
Offering includes:  
- 1 Security Software Security Center Build to Order Server  
- 1 Security WebInspect Enterprise Build to Order OS Instance  
- 1 Security WebInspect Enterprise Sensor  
- 1 Security WebInspect Named User  
- 5 Security Software Security Center Build to Order Regular Users  

Security WebInspect Enterprise Security Consultant Suite  
Offering includes:  
- 1 Security Software Security Center Server Instance  
- 1 Security WebInspect Enterprise Server Instance  
- 1 Security WebInspect Enterprise Sensor  
- 1 Security WebInspect Security Consultant Named User (Desktop but can push to Software Security Center)  
- 5 Security Software Security Center Regular Users  
- Unlimited Scans  
- 30 Projects  

Additional license terms  
Term  
A. Software contains software and associated specifications licensed from third parties that are confidential to, and trade  
secrets of, such parties. You will not take any action other than to Use it as authorized under the agreement as part of the  
software products and will not disclose it to third parties.  

B. You shall install and use the software as authorized in the applicable agreement only as a complete product and may not use  
portions of such software on a standalone basis separate from the complete software unless expressly authorized in the  
Supporting Material, specifications or an applicable agreement.  

C. The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by  
you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the to be scanned and may  
not be used for any other purpose.  

D. You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third  
party.  

E. To the extent this restriction is not prohibited under applicable law, you shall not disclose to any third party the results of (i)  
any performance benchmarks you run on software products themselves, or any portion thereof, or (ii) specific detailed  
comparisons you make between software products, or any portion thereof, and any of your or third-party products, in each  
case under (i) and (ii) without the prior written consent of Micro Focus.  

F. LICENSEE ACKNOWLEDGES THAT SOME OF THE SOFTWARE IS DESIGNED TO TEST THE SECURITY OF COMPUTER SOFTWARE  
AND WHEN FUNCTIONING PROPERLY IN ACCORDANCE WITH ITS SPECIFICATIONS MAY NEVERTHELESS DISCLOSE OR CREATE  
PROBLEMS IN THE OPERATION OF THE SYSTEMS TESTED. LICENSEE ACCEPTS THIS RISK AND ASSUMES FULL RESPONSIBILITY  
FOR ANY SUCH PROBLEMS THAT MIGHT RESULT.  

Latest version of software licensing documents  
© Copyright 2009-2020-2021 Micro Focus.  
5200-1835, December 3, 2021; Replaces 5200-1829 (October 27, 2021)