Code Violations

Vendors provide services and products that inspect software throughout the development process.

"Decoding Application Security" focuses on addressing application security by using gateways to examine incoming traffic and whether applications are behaving as expected (find the full story on Page 48). But as that article notes, CSOs and CISOs have other options for making their software more secure. In a perfect world, the flaws commonly exploited by application-level attacks wouldn’t exist in the first place. Sadly, we won’t arrive in software utopia anytime soon, but some vendors provide services and products that inspect software throughout the development process.

Research indicates that 10 common coding errors (things with scary names like unvalidated input, cross-site scripting vulnerability and injection flaws) account for the vast majority of application-level vulnerabilities (for details, see the Open Web Application Security Project at www.owasp.org). Therefore, it shouldn’t be terribly difficult to make dramatic improvements in application security just by scanning code for those particular flaws.

CISOs already spending a bundle on intrusion detection, virus scanning and the like may need more budget-justification ammo to spend on another layer of information security. One of the big selling points many of these code inspection companies have latched onto is regulatory compliance. Sarbanes-Oxley, Gramm-Leach-Bliley and other regulations give brownie points for third-party validation of good internal controls and risk-reduction measures. Whether you’re in compliance mode or simply focused on keeping hackers at bay, here are several vendors ready to help whip your code into shape.

Reasoning
www.reasoning.com

Reasoning started providing code inspections strictly for quality purposes. With the growing number of security exploits aimed at coding flaws, President and CEO Bill Payne says turning Reasoning into a security company seemed natural.

Reasoning works as a service provider, charging on a per-line basis to run C and C++ application code through algorithms that test for buffer overflows and other common security lapses. In addition to identifying the location and nature of individual code flaws, the company produces higher-level reports to help clients identify their most frequent errors and improve the initial development process.

Primeon
www.primeon.com

Primeon performs source code audits, dubbed DeepSource Solutions, using third-party tools (such as Sanctum’s AppScan software) plus proprietary processes and expertise. Primeon compares clients’ source code to a knowledge base of known application security flaws. The company says it examines code on several levels: data level, front end and business rules.

SPI Dynamics
www.spidynamics.com

The company’s flagship software line, WebInspect, uses agent-based technology to dynamically catalog aspects of the application in question; it analyzes these results and then launches attack algorithms to find vulnerabilities and characterize their severity. WebInspect also offers a version integrated with Mercury Interactive’s TestDirector quality assurance software, which allows for identification of security flaws earlier in the software development lifecycle.

Fortify
www.fortifysoftware.com

Fortify addresses application security at two levels (with more evidently in the pipeline). Like Reasoning, the company offers code inspection throughout the development lifecycle, although Fortify sells its software rather than acting as a service provider, which may prove cheaper in the long run for users who want to perform multiple inspections at each development stage. Fortify also does run-time testing, along the lines of what SPI Dynamics or Sanctum offer.
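As an added illustration (not code from the article or from any vendor it names), this Python sketch shows the shape of the per-line source inspection and frequency report described above: it flags calls in a C fragment that point at buffer-overflow and command-injection flaws, then tallies which flaw class occurs most often. The RISKY_CALLS table and the C sample are constructed for the example; commercial tools use far larger rule sets and data-flow analysis rather than a pattern match.

```python
import re
from collections import Counter

# Constructed stand-in for a tool's knowledge base: risky C library call ->
# (flaw class, why it is risky). Real scanners carry far richer rules.
RISKY_CALLS = {
    "gets":    ("buffer overflow", "no bound on input length"),
    "strcpy":  ("buffer overflow", "unbounded copy"),
    "strcat":  ("buffer overflow", "unbounded append"),
    "sprintf": ("buffer overflow", "unbounded formatted write"),
    "system":  ("command injection", "shell run on possibly tainted string"),
}

# Identifier followed by '(' and not preceded by an identifier character,
# so 'strncpy(' or 'vsprintf(' is not mistaken for 'strcpy(' / 'sprintf('.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(RISKY_CALLS) + r")\s*\(")

def scan_source(src: str):
    """Return (line_no, call, flaw_class, detail) for every risky call found."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        code = line.split("//", 1)[0]          # ignore trailing line comments
        for m in CALL_RE.finditer(code):
            flaw, detail = RISKY_CALLS[m.group(1)]
            findings.append((line_no, m.group(1), flaw, detail))
    return findings

def summarize(findings):
    """Higher-level report: occurrences per flaw class, most frequent first."""
    return Counter(f[2] for f in findings).most_common()

# Constructed sample input: a C fragment with the kinds of lapses a
# per-line source inspection is meant to surface.
SAMPLE_C = """\
#include <string.h>
void handle(const char *user) {
    char name[32];
    char cmd[64];
    strcpy(name, user);            // unbounded copy of caller-supplied data
    strncpy(name, user, 31);       // bounded, so not flagged
    sprintf(cmd, "ls %s", name);   // unbounded formatted write into cmd
    system(cmd);                   // shell invoked with that string
    gets(name);                    // never safe
}
"""

if __name__ == "__main__":
    for line_no, call, flaw, detail in scan_source(SAMPLE_C):
        print(f"line {line_no}: {call}() -> {flaw}: {detail}")
    for flaw, n in summarize(scan_source(SAMPLE_C)):
        print(f"{n}x {flaw}")
```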