RealTime IT News

A New Approach to Fortify Your Software

In an era where crackers are increasingly finding ways to get into corporate networks to cause havoc, a startup out of Menlo Park, Calif., has come up with a seemingly novel approach to security -- get rid of application vulnerabilities before they're deployed.

With that approach in mind, Fortify Software launched its company Monday, pitching its Source Code Analysis and Run-time Analysis software suites, designed to comb through source code in an application development project and point out likely security lapses.

Application vulnerabilities have become more than just a nuisance in recent years. According to Carnegie Mellon's CERT Coordination Center, the number of reported vulnerabilities has jumped from 171 in 1995 to 3,784 last year. The result: crippling breaches, not just in Microsoft products, but in seemingly secure software such as FreeBSD and the OpenSSL Project.

The software fits every sphere of influence in the project: from the desktop tool, Developer Toolkit, which programmers run before filing their day's work with the program lead, to the server-based Source Code Analysis Server, which takes the code and runs a comprehensive scan (a la late-night database refreshes) against a list of 540 known code vulnerabilities. Run-time analysis lets project testers and quality assurance teams rake the software over the coals just before deployment, including simulating a hacker using every trick in the bag to compromise the software.

The Monday announcement is a "sounding-out" exercise to see if application security is really a concern for businesses worldwide; now in beta tests with several companies, the software suites won't be publicly available until sometime between now and June.

The company has already garnered some high-profile traction: it has been financially backed by Kleiner Perkins Caufield & Byers since its formation in 2003, and AT&T Wireless and PayPal have already committed themselves to the software.

It's likely to grab some attention, and new customers, in the wake of an April 1 U.S. Task Force report, "Improving Security Across the Software Development Lifecycle," which finds software security awareness lacking. The coalition of academics, trade associations and public and private sector executives behind the report stated that security "must be at the heart of the software specification, design and implementation process." The task force is looking at several incentives to get companies and agencies to embrace software security as a lifestyle choice, including: making software security a job performance factor, awards/grants/rewards, and certifying proven secure software implementations (with the end goal of creating a National IT Security Certification Accreditation Program).

It's clear Fortify's software caters to large customers. A 25-programmer team using the security platform runs around $150,000 to start, with an annual $1,000 subscription to get the latest rules when they come out.

But Mike Armistead, Fortify founder and vice president of marketing, argues the price is justified when you consider the alternatives. "It's less than the price of one software security person," he said.

Fortify's software runs counter to most of today's security practice, Armistead said, which is to wall off the network using an array of routers, firewalls and other security devices. For companies that get their revenue from Internet-based business, that doesn't make a lot of sense (or money, for that matter). Armistead said the company instead takes an inside-out approach to security: develop applications the right way from the inside (the source code) and then let them out.

In January 2003, the Open Web Application Security Project (OWASP) published 10 "surprisingly common" vulnerabilities found in software code: buffer overflows, unvalidated parameters and broken access control, to name a few. "A stunning number of organizations spend big bucks securing the network and somehow forget about the applications," Aspect Security CEO Jeffrey Williams said of the OWASP report.

Fortify's applications provide something not found in most code analyzers today: language agnosticism. Code analyzers like Fortify's have been around for some time: Sun Microsystems' experimental Jackpot project works in the NetBeans Java programming environment, while Microsoft's Software (Specifications), Languages, Analysis and Model checking (SLAM) project is underway. Both, however, are works in progress for their respective programming frameworks, J2EE and .NET. Fortify, on the other hand, works not only in C and Java environments, but in others as well.

"One of the first things we found when we took [Fortify] to early users was that their applications were mixed languages," Armistead told internetnews.com. "Typically, you don't mix Java and C, but you definitely mix C with PL/SQL (a query of Oracle database information) and Java with JSPs (Java Server Pages). And we've designed it so that we can add more languages down the road."
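To make concrete what a rule-driven source scan of the kind described above looks like (a developer-side check run over the day's changed files against a list of known bad patterns, across a mix of C, Java and JSP sources), here is a toy scanner added for this article. It is not Fortify's code and does not reflect its rule set or engine; the rules, rule identifiers, file names and source snippets are all constructed for the example, and a real product uses far richer, parser-based analysis than line regexes.

```python
"""Toy rule-based source scanner (constructed example, not Fortify's code).

Each rule is a regular expression applied to one source line of one
language.  The scanner groups findings by file and line so a developer can
act on them before checking code in, and a gate function decides whether
any finding is serious enough to block the check-in.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str     # constructed identifier, e.g. "C001"
    language: str    # "c", "java" or "jsp"
    pattern: str     # regex matched against a single source line
    severity: str    # "high" or "medium"
    message: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    filename: str
    line_no: int
    severity: str
    message: str
    text: str        # the offending line, whitespace stripped


# Constructed rule list covering a few OWASP-style classes: overflow-prone
# C string calls, SQL built by concatenation, and unencoded JSP output.
RULES = [
    Rule("C001", "c", r"\bgets\s*\(", "high",
         "gets() reads with no length limit; use fgets() with a buffer size"),
    Rule("C002", "c", r"\bstrcpy\s*\(", "medium",
         "strcpy() copies with no length; use strncpy() or snprintf()"),
    Rule("C003", "c", r"\bsprintf\s*\(", "medium",
         "sprintf() can overrun its destination; use snprintf()"),
    Rule("J001", "java", r"\.execute(Query|Update)?\s*\([^;]*\+", "high",
         "SQL built by string concatenation; use a PreparedStatement"),
    Rule("X001", "jsp", r"<%=\s*request\.getParameter\(", "high",
         "request parameter echoed without encoding; escape before output"),
]

EXTENSIONS = {".c": "c", ".h": "c", ".java": "java", ".jsp": "jsp"}


def detect_language(filename):
    """Pick the rule family from the file extension; None means 'skip'."""
    for ext, lang in EXTENSIONS.items():
        if filename.endswith(ext):
            return lang
    return None


def scan_source(filename, source):
    """Run every rule for the file's language over each non-comment line."""
    lang = detect_language(filename)
    if lang is None:
        return []
    rules = [(r, re.compile(r.pattern)) for r in RULES if r.language == lang]
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):   # skip comment lines
            continue
        for rule, rx in rules:
            if rx.search(line):
                findings.append(Finding(rule.rule_id, filename, line_no,
                                        rule.severity, rule.message, stripped))
    return findings


def scan_project(files):
    """files: mapping of filename -> source text (a mixed-language tree)."""
    findings = []
    for name, src in files.items():
        findings.extend(scan_source(name, src))
    return findings


def should_block(findings, threshold="high"):
    """Check-in gate: block if any finding is at the threshold severity."""
    return any(f.severity == threshold for f in findings)


# Constructed sample sources, one per language the scanner understands.
SAMPLE_FILES = {
    "reader.c": """\
#include <stdio.h>
#include <string.h>

int read_name(char *dst) {
    char buf[64];
    gets(buf);               /* no length limit on input */
    strcpy(dst, buf);        /* destination size unknown */
    return 0;
}
""",
    "UserDao.java": """\
import java.sql.*;
public class UserDao {
    ResultSet find(Statement st, String name) throws SQLException {
        // user-controlled name is concatenated into the query text
        return st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    }
}
""",
    "hello.jsp": """\
<html><body>
Hello, <%= request.getParameter("user") %>
</body></html>
""",
}

if __name__ == "__main__":
    results = scan_project(SAMPLE_FILES)
    for f in results:
        print(f"{f.filename}:{f.line_no} [{f.severity}] {f.rule_id}: {f.message}")
    print("block check-in:", should_block(results))
```

The word-boundary anchors matter: `\bgets\s*\(` flags `gets(` but not the safe `fgets(`, which is the kind of distinction a rule list has to get right to keep developers from ignoring the tool. The real value of a commercial analyzer over this toy is exactly the parts left out here: parsing rather than line matching, tracking data from input to sink across files, and a rule list maintained as new vulnerability classes appear.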