RealTime IT News

Taking a Wider View of Code Security

Attacks against applications come from all sides, so why not perform code analysis the same way? That's the basic premise behind code analysis vendor Fortify's new 360 product.

For the most part, Fortify has been best known as a vendor for static code analysis tools. With Fortify 360, analysis extends beyond static development to dynamic, real-time runtime analysis during quality-assurance (QA) testing, as well as real-time deployment monitoring for live code.

By taking a holistic view, the idea is that more code vulnerabilities can be positively identified.

"We try to check for vulnerabilities as best as we can at each point," Roger Thornton, Fortify's Chief Technology Officer and founder, told InternetNews.com. "But some things we can see in a production environment better than the source code environment."

Production code analysis excels at catching problems in a number of categories, such as Cross-Site Scripting (XSS) vulnerabilities.

Thornton explained that in the source code environment, analysis tools can see data coming from a database to a browser. On the other hand, performing analysis in a runtime production environment can enable a tool to can see data coming back from the database. This additional visibility enables a user to ensure that data coming from the database isn't corrupted or tainted.

Other areas handled well by runtime analysis are data leakage and privacy-related issues. If an application is somehow logging or streaming private information, it's pretty easy to identify with runtime analysis, Thornton said. In contrast, he said, static code analysis is limited to just looking at data flows -- and may not be able to identify similar issues as easily.

The concept of using a production or QA server environment for vulnerability testing isn't necessarily new, with a number of security offerings -- including IBM's Watchfire AppScan and Cenzic's Hailstorm -- that support looking for issues on application servers.

Thornton argued that Fortify is coming at the issue from a different angle, however.

"What we're doing is launching the execution of the program and looking inside the program ... for vulnerabilities," Thornton said. "Whereas a [penetration] testing solution is throwing attacks at the program and then trying to determine if there are vulnerabilities internally."

In any event, the new capabilities enable Fortify to branch out from its core practice in static source code analysis -- an area in which it competes against Coverity and Klocwork, among others.

In addition to providing multiple points of code analysis, a key part of the Fortify 360 promise is the ability to do collaborative remediation. The idea is that the software makes it easier for developers to identify and collaborate on fixing vulnerabilities, making the process quicker.

One possible shortcoming with the solution may be that Fortify 360 does not offer direct integration with Intrusion Prevention/Detection (IPS/IDS) systems, which may be deployed by an enterprise.

IPS/IDS-type systems are often used by businesses as part of an overall security infrastructure, enabling them to identify and manage vulnerable network assets.

Though Fortify doesn't offer direct integration, its makers said users can still pull Fortify 360 information into other security systems.

"It can be done by virtue of the fact that our output is all-XML, but we don't currently have adapters to transform the XML into the various IPS monitoring devices," Thornton said. "But we will be adding stuff over time, and if someone wanted to do it in a deployment today, it would be pretty straightforward."