RealTime IT News

Fortify Gauges Code Security

Officials at security software vendor Fortify Software released a downloadable application that gives IT managers a peek at potential security risks in applications.

The 84KB Fortify Application Risk Analyzer, a small introduction to the Palo Alto, Calif., company's product line, scans an application's executable for hints that the code contains weaknesses an attacker could exploit to gain access to critical information or cause other malicious behavior.

The download is currently available for the Windows, Linux and Solaris platforms and for applications written in the C programming language. Officials expect to add Java and C++ support in the next three months.

There are notable limitations to Fortify's application. Since the target application is already compiled, a user can't pinpoint exactly where in the source the faulty code lives. Also, it only scans Windows DLLs and Unix Executable and Linkable Format (ELF) binaries.

But officials say Risk Analyzer gives users an indication of whether there are any potential flaws. The tool performs a binary analysis of the software against a list of functions Fortify considers security risks, looking for library functions and coding techniques that have been exploited in the past or have the potential to be exploited.

"What binary analysis can do is say, 'well, you've got a risky function that you're using in the program there, I can only tell you it's risky and the general level of severity,'" said Mike Armistead, vice president of marketing at Fortify.

That information, Armistead said, can then be sent to the owner to determine whether developers have taken the potential flaws into account.

"The owner of the software can go back to the producer of the software and say, 'this thing is showing me that there are indications of risk; prove to me that you've mitigated that risk,'" he said. "It's going to put a little bit of pressure on the internal [developers] and vendors."

Because Risk Analyzer is a small application, it assesses only the more notable classes of application security weakness. Any program run through Risk Analyzer receives a score based on the severity of the issues discovered and the number of possible flaws.
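The kind of scan the article describes, as an added example that is not Fortify's code (the article shows none) and not its list of risky functions: a small Python script that parses an ELF64 file's section headers to find the dynamic symbol table, lists the undefined (imported) symbols, matches them against a severity table of libc functions with a history of exploitation, and scores the result by count and severity, as the scoring paragraph above describes. The RISKY table and its severities are assumptions chosen for this example; build_sample_elf constructs a synthetic ELF for offline testing and is not a real program. Because imports are read from .dynsym, which the loader needs and which therefore survives stripping, the scan works on release builds, but it only shows that a risky function is linked, not where it is called, which is exactly the limitation the article notes.

```python
"""Toy binary risk scan: list the libc functions an ELF64 binary imports and
score them against a table of historically risky APIs (example code)."""
import struct
import sys

SHT_DYNSYM = 11
SHT_STRTAB = 3
SHN_UNDEF = 0

# Severity table: an assumption for this example, not Fortify's list. Higher is worse.
RISKY = {
    "gets": 5,
    "strcpy": 4, "strcat": 4, "sprintf": 4, "vsprintf": 4, "system": 4,
    "scanf": 3, "sscanf": 3, "popen": 3,
    "strncpy": 2, "strncat": 2, "mktemp": 2, "tmpnam": 2,
    "memcpy": 1, "getenv": 1,
}


def elf64_imports(data):
    """Return the set of undefined (imported) symbol names in a little-endian ELF64 file.

    Walks the section headers to .dynsym and its linked string table. Dynamic
    symbols survive `strip`, so this works on release builds, but an import only
    proves the function is linked, not where or how it is called.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    e_shoff, e_shentsize, e_shnum = hdr[5], hdr[10], hdr[11]
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    # section header tuple indices: 1=sh_type 4=sh_offset 5=sh_size 6=sh_link 9=sh_entsize
    names = set()
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab = shdrs[sh[6]]                       # sh_link points at .dynstr
        strdata = data[strtab[4]:strtab[4] + strtab[5]]
        entsize = sh[9] or 24                       # Elf64_Sym is 24 bytes
        for off in range(sh[4], sh[4] + sh[5], entsize):
            st_name, _info, _other, st_shndx = struct.unpack_from("<IBBH", data, off)
            if st_shndx == SHN_UNDEF and st_name:   # undefined here => imported
                end = strdata.index(b"\0", st_name)
                names.add(strdata[st_name:end].decode("ascii", "replace"))
    return names


def assess(imports):
    """One finding per risky import; score = sum of severities, plus the worst single one."""
    findings = sorted(((RISKY[n], n) for n in imports if n in RISKY), reverse=True)
    return {
        "findings": findings,
        "count": len(findings),
        "max_severity": findings[0][0] if findings else 0,
        "score": sum(sev for sev, _ in findings),
    }


def build_sample_elf(imports, exports=()):
    """Constructed test input: a minimal ELF64 with .dynsym/.dynstr/.shstrtab only.
    imports become undefined symbols; exports are marked defined (shndx 1) and
    must be ignored by the scan. Not a loadable program."""
    dynstr, offsets = b"\0", {}
    for n in list(imports) + list(exports):
        offsets[n] = len(dynstr)
        dynstr += n.encode() + b"\0"

    def sym(name, shndx):               # STB_GLOBAL | STT_FUNC = 0x12
        return struct.pack("<IBBHQQ", offsets[name], 0x12, 0, shndx, 0, 0)

    dynsym = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)   # mandatory null symbol
    dynsym += b"".join(sym(n, SHN_UNDEF) for n in imports)
    dynsym += b"".join(sym(n, 1) for n in exports)
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"     # name offsets 1, 9, 17
    dynstr_off = 64
    dynsym_off = dynstr_off + len(dynstr)
    shstr_off = dynsym_off + len(dynsym)
    shoff = shstr_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 4, 3)

    def shdr(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_DYNSYM, dynsym_off, len(dynsym), 2, 24)
             + shdr(9, SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab), 0, 0))
    return ehdr + dynstr + dynsym + shstrtab + shdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_elf(["printf", "strcpy", "gets", "memcpy", "malloc"], ["system"])
    report = assess(elf64_imports(data))
    for sev, name in report["findings"]:
        print(f"severity {sev}: {name}")
    print(f"{report['count']} risky imports, worst {report['max_severity']}, score {report['score']}")
```

Run it with the path of a Linux binary to scan a real file; with no argument it scans the constructed sample. The section-header walk is the simplest route but fails on binaries whose section headers have been removed (some packers do this); a more robust scanner would fall back to the program headers and the PT_DYNAMIC entry, which the loader itself uses.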