A New Approach to Fortify Your Software

In an era where crackers are increasingly finding ways to
get into corporate networks to cause havoc, a startup out of Menlo Park,
Calif., has come up with a seemingly novel approach to security — get rid
of application vulnerabilities before they’re deployed.

With that approach in mind, Fortify Software launched its company Monday, pitching
its Source Code Analysis and Run-time Analysis software suites, designed to
comb through source code in an application development project and point out
likely security lapses.

Application vulnerabilities have become more than just a nuisance in recent
years. According to Carnegie Mellon's CERT Coordination Center, the number of
reported vulnerabilities jumped from 171 in 1995 to 3,784 last year. The
result: serious holes not just in Microsoft products but in seemingly secure
software such as FreeBSD and OpenSSL.

The software covers every stage of a development project: from the desktop
tool, Developer Toolkit, which programmers run before checking in their day's
work with the project lead, to the server-based Source Code Analysis Server,
which takes the code and runs a comprehensive scan (a la late-night database
refreshes) against a list of 540 known code vulnerability patterns. Run-time
analysis lets project testers and quality assurance teams put the software
through its paces just before deployment, including simulating an attacker
using every trick in the bag to compromise it.
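To make concrete what a pre-check-in source scan of the kind described above does, here is an added example; it is not Fortify's code and does not come from the article. It is a toy rule-based scanner in Python with a handful of constructed rules for C (unbounded string copies, gets(), non-literal printf format arguments), run over two constructed snippets: an unsafe function and its hardened rewrite. The rule names, severities, gate policy and both C samples are assumptions made for illustration.

```python
"""Toy line-based source scanner: a minimal stand-in for a rules-driven
source code analysis run before check-in. Constructed example, not a product."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which rule fired
    line: int      # 1-based line in the original source
    severity: str  # "high" or "medium" (assumed scale)
    snippet: str   # the offending source line, stripped


# Assumed rule set: (name, pattern over one comment-free source line, severity).
RULES = [
    ("unbounded-gets", re.compile(r"\bgets\s*\("), "high"),
    ("unbounded-strcpy", re.compile(r"\bstr(cpy|cat)\s*\("), "high"),
    ("unbounded-sprintf", re.compile(r"\bsprintf\s*\("), "medium"),
    # printf/syslog whose first argument is an identifier, not a string literal
    ("format-string", re.compile(r"\b(printf|syslog)\s*\(\s*[A-Za-z_]\w*\s*[,)]"), "high"),
]

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_STRING_RE = re.compile(r'"(?:\\.|[^"\\\n])*"')


def _blank(text: str) -> str:
    """Replace every non-newline character with a space (keeps line numbers)."""
    return re.sub(r"[^\n]", " ", text)


def strip_noise(src: str) -> str:
    """Blank out comments and the contents of string literals so that a
    comment saying 'replace strcpy()' or a message quoting gets() cannot
    trigger a rule, while quotes stay in place so literal-vs-variable
    format arguments remain distinguishable."""
    src = _COMMENT_RE.sub(lambda m: _blank(m.group(0)), src)
    src = _STRING_RE.sub(lambda m: '"' + _blank(m.group(0)[1:-1]) + '"', src)
    return src


def scan(src: str) -> list[Finding]:
    """Run every rule over every comment-free line; one finding per rule per line."""
    original = src.splitlines()
    findings = []
    for lineno, line in enumerate(strip_noise(src).splitlines(), start=1):
        for name, pattern, severity in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, severity, original[lineno - 1].strip()))
    return findings


def check_in_gate(findings: list[Finding], block_on: str = "high") -> bool:
    """Assumed policy: check-in is allowed only if no finding has the blocking severity."""
    return not any(f.severity == block_on for f in findings)


# Constructed sample 1: the unsafe version. The comment on line 4 mentions the
# dangerous calls but must not produce a finding.
VULNERABLE_C = """\
#include <stdio.h>
#include <string.h>

/* TODO: replace gets() and strcpy() below */
void greet(const char *name) {
    char buf[64];
    char line[32];
    gets(line);
    strcpy(buf, name);
    printf(name);
}
"""

# Constructed sample 2: the hardened rewrite. The string literal on the last
# line names the removed calls and must not produce a finding either.
HARDENED_C = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[64];
    char line[32];
    if (fgets(line, sizeof line, stdin) == NULL) return;
    snprintf(buf, sizeof buf, "%s", name);
    printf("%s (strcpy() and gets() removed)\\n", buf);
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_C), ("hardened", HARDENED_C)):
        found = scan(src)
        verdict = "allowed" if check_in_gate(found) else "blocked"
        print(f"{label}: {len(found)} finding(s), check-in {verdict}")
        for f in found:
            print(f"  line {f.line} [{f.severity}] {f.rule}: {f.snippet}")
```

The scanner is deliberately shallow: it flags strcpy() whether or not the caller checked the length first, and it cannot follow a format string that is assigned from a constant two lines earlier. Cutting those false positives and negatives is exactly what data-flow tracking across a whole program adds, and it is the reason a server-side scan over the full code base is run in addition to a quick desktop check.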

The Monday announcement is a "sounding-out" exercise to see whether application
security is really a concern for businesses worldwide; the suites are in beta
tests with several companies now and are slated for public availability by June.

The company has already garnered some high-profile traction: financially
backed by Kleiner Perkins Caufield & Byers since its formation in 2003, it
has AT&T Wireless and PayPal already committed to the software.

It's likely to grab some attention, and new customers, in the wake of an
April 1 U.S. task force report, "Improving Security Across the Software
Development Lifecycle," which finds software security awareness lacking.
The coalition of academics, trade associations and public and private sector
executives behind the report states that security "must be at the heart of the
software specification, design and implementation process." The task force is
looking at several incentives to get companies and agencies to make software
security a routine part of development, including: making software security a
job performance factor, awards, grants and rewards, and certifying proven
secure software implementations (with the end goal of creating a National IT
Security Certification Accreditation Program).

It's clear Fortify's software caters to large customers. A 25-programmer
team using the security platform runs around $150,000 to start, with an
annual $1,000 subscription for the latest rules as they come out.

But Mike Armistead, Fortify founder and vice president of marketing, argues
the price is justified when you consider the alternatives. “It’s less than
the price of one software security person,” he said.

The software runs counter to most of today's security practice, Armistead
said, which is to wall off the network with an array of routers, firewalls
and other security devices. For companies that earn their revenue from
Internet-based business, that doesn't make a lot of sense (or money, for
that matter). Armistead said the company instead takes an inside-out approach
to security: develop applications the right way from the inside (the source
code) and then let them out.

In January 2003, the Open Web Application Security Project (OWASP) published
a list of 10 "surprisingly common" vulnerabilities found in software code:
buffer overflows, unvalidated parameters and broken access control, to name a
few. "A stunning number of organizations spend big bucks securing the network
and somehow forget about the applications," Jeffrey Williams, CEO of Aspect
Security, said of the OWASP report.

Fortify's products provide something not found in most such tools today:
language agnosticism. Code analyzers like Fortify's have been around for some
time: Sun Microsystems' experimental Jackpot project works in the NetBeans
Java programming environment, while Microsoft's Software (Specifications),
Languages, Analysis and Model checking (SLAM) project is under way. Both,
however, are works in progress tied to their respective vendors' programming
frameworks. Fortify, on the other hand, works not only in C and Java
environments but in others as well.

“One of the first things we found when we took [Fortify] to early users was
that their applications were mixed languages,” Armistead told
internetnews.com. “Typically, you don’t mix Java and C, but you
definitely mix C with PL/SQL (a query of Oracle database information) and
Java with JSPs (Java Server Pages). And we’ve designed it so that we can
add more languages down the road.”
