Officials at security software vendor Fortify Software released a
downloadable application that gives IT managers a peek at potential
security risks in applications.
The 84KB Fortify Application Risk Analyzer, a small introduction to the Palo
Alto, Calif., company’s product line, scans an application’s executable for hints that the code has
weaknesses a hacker could exploit to gain access to critical information or
carry out other malicious actions.
The download is currently available on the Windows, Linux and Solaris
platforms for applications created in the C programming language. Officials
expect to include Java and C++ support in the next three months.
There are notable limitations to Fortify’s application. Since the target
application is already compiled, a user can’t pinpoint exactly where to find
the faulty code. Also, it only scans programs with DLLs or Unix-based
Executable and Linkable Format (ELF) binaries.
But officials say Risk Analyzer gives users an indication of whether there are any potential flaws. The tool performs a binary analysis of the compiled program, checking it against a list of some of the functions Fortify considers security risks. It then looks for functions and coding techniques that have been exploited in the past or have the potential to be exploited.
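As an added illustration of the binary-analysis idea described above (example code written for this page, not Fortify’s, using an assumed severity table rather than Fortify’s list), this Python script reads the dynamic symbol table of an ELF64 executable, flags imported libc functions that appear on a small risky-function list, and computes a coarse score; it builds a constructed sample ELF image so it runs offline.

```python
import struct

# Assumed severity table; Fortify's own list of risky functions is not given in the article.
RISKY = {"gets": 5, "strcpy": 4, "strcat": 4, "sprintf": 4, "system": 3, "scanf": 3, "strncpy": 1}

def dynamic_imports(elf: bytes) -> set:
    """Names of functions an ELF64 little-endian image imports (undefined STT_FUNC entries in .dynsym)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)            # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)   # e_shentsize, e_shnum
    # Elf64_Shdr fields: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sh in shdrs:
        if sh[1] != 11:  # SHT_DYNSYM
            continue
        str_base = shdrs[sh[6]][4]  # sh_link of .dynsym points at its .dynstr section
        for j in range(sh[5] // sh[9]):
            st_name, st_info, _, st_shndx = struct.unpack_from("<IBBH", elf, sh[4] + j * sh[9])
            if st_name and st_shndx == 0 and (st_info & 0xF) == 2:  # SHN_UNDEF and STT_FUNC
                names.add(elf[str_base + st_name:elf.index(b"\0", str_base + st_name)].decode())
    return names

def assess(elf: bytes) -> dict:
    """Flag risky imports and return a coarse score (sum of severities), in the spirit of the article."""
    findings = sorted(((n, RISKY[n]) for n in dynamic_imports(elf) if n in RISKY), key=lambda f: (-f[1], f[0]))
    return {"findings": findings, "score": sum(s for _, s in findings)}

def build_sample_elf(imports) -> bytes:
    """Constructed ELF64 image holding only .dynsym/.dynstr, enough to exercise the scanner offline."""
    dynstr, syms, off = b"\0", b"\0" * 24, 1
    for n in imports:
        syms += struct.pack("<IBBHQQ", off, 0x12, 0, 0, 0, 0)  # STB_GLOBAL|STT_FUNC, SHN_UNDEF
        dynstr += n.encode() + b"\0"
        off += len(n) + 1
    sym_off, str_off = 64, 64 + len(syms)
    shoff = str_off + len(dynstr)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                       # null section
    shdrs += struct.pack("<IIQQQQIIQQ", 0, 11, 0, 0, sym_off, len(syms), 2, 1, 8, 24)      # .dynsym
    shdrs += struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, str_off, len(dynstr), 0, 0, 1, 0)      # .dynstr
    return ehdr + syms + dynstr + shdrs

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(["printf", "strcpy", "gets"])
    print(assess(image))
```

Run with a path to a real ELF64 binary to scan it, or with no arguments to scan the constructed sample.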
“What binary analysis can do is say, ‘well, you’ve got a risky function that
you’re using in the program there, I can only tell you it’s risky and the
general level of severity,’” said Mike Armistead, vice president of
marketing at Fortify.
That information, Armistead said, can then be sent to the owner to determine
whether developers have taken the potential flaws into account.
“The owner of the software can go back to the producer of the software and
say, ‘this thing is showing me that there are indications of risk; prove to
me that you’ve mitigated that risk,’” he said. “It’s going to put a little
bit of pressure on the internal [developers] and vendors.”
Because the Risk Analyzer is a small application, only the more notable
application security vulnerabilities are assessed. Any program run through
Risk Analyzer is given a score based upon the severity of the threats
discovered and the number of possible flaws.