IBM Targets Security at Developers

Applications begin with developers, so it makes sense that security should start with them as well. At least, that’s the thinking at IBM, which is taking the wraps off its new AppScan Developer Edition security, built on technology that IBM acquired when it bought application security vendor Watchfire last year.

Many security tools, including those from IBM’s AppScan product line, identify vulnerabilities in applications through run-time analysis. The problem is that with security threats continuing to grow, it may pay off to catch security issues earlier — in the development process. The new offering from IBM also comes as the market for application security heats up with enterprises shelling out big bucks to be in line with regulatory and compliance regulations like PCI-DSS.

“Developers are building insecure code, security people are tying to catch things too late and because of that, it’s too costly,” David Grant, director of security and compliance solutions at IBM Rational, told “What we need to do is get development more involved in the security process.”

Grant admitted that the idea of targeting security at developers is not a new idea, though he argued that existing developer security tools are built for security auditors, not developers, and they don’t integrate into their development environments.

“AppScan Developer Edition seamlessly builds into Rational or Eclipse, and it becomes almost a spell checker” within the development environment, Grant said. “What we want to do here is operationalize security as part of the development process. ”

IBM is a leading sponsor of the open source Eclipse IDE , and its Rational IDE is based on Eclipse as well. Grant noted that any Eclipse-based IDE, not just those from IBM, could be integrated with AppScan for code testing.

Big Blue last updated the AppScan product in November, 2007, expanding the number of vulnerabilities that it can detect. The new Developer Edition goes a step further with what’s called “string analysis,” a detection approach intended to further optimize developer-focused security.

String analysis helps to reduce the number of false positives that occur while providing actionable information for developers in a format that they understand.

“Since most Web applications rely heavily on data being passed between the user and the database, not having sanitizers properly configured can result in an overwhelming number of issues, the vast majority of which are false positives,” Grant explained.

The technique processes strings more deeply while building models of code, allowing subsequent queries to ask much more accurate questions and obtain much more accurate answers when seeking vulnerabilities.

Drive to comply

Grant said IBM is seeing increasing interest in the application security space driven in part by the need for compliance regulations like PCI-DSS. One of the requirements of PCI-DSS is that enterprises build security into the application development lifecycle, and Grant argued that AppScan Developer Edition could help to satisfy that requirement.

The push for PCI compliance has been noted by analysts as helping to drive security spending, though it’s debatable as to whether or not it has actually improved overall security.

AppScan traditionally competed against application security product from SPI Dynamics (now part of HP) and Cenzic. With the developer-focused edition, Grant expect the competitive field will broaden to include code analysis vendors like Fortify and Coverity.

“Of course, because we have move developer offerings in this space, now we’ll be looking to compete more with everyone that has offerings for application security,” Grant said.

News Around the Web