Seven months after opening
for business, officials at Fortify Software announced improvements to its analysis tool for
weeding out code that leads to application hacks.
The improvements to the Palo Alto, Calif., company’s Source Code Analyzer build on its existing
ability to detect patterns in software development that can lead to security vulnerabilities such as
SQL injection, buffer overflows and information leakage.
In addition to new language support for C# — the software already supports C, C++, PL/SQL, Java
Server Pages (JSP) and Java — Fortify has added four new analyzers, a rules manager and an audit
manager to prioritize the level of software flaws.
Fortify automates what would take a security expert hours to accomplish, with 3,500 rules that
detect software behavior that can lead to an application vulnerability. Developers
can use the standalone Fortify plug-ins for the Borland JBuilder,
Java-based Eclipse or Microsoft .NET Studio IDEs.
And at the build level, where individual code snippets from individual programmers are brought
together, project leads and architects can run the more robust Enterprise or Team suites.
The four new analyzers each look for a particular class of flaw in the code: data flow, which follows the paths
data takes as the program executes; control flow, which tracks the sequence in which a program’s operations run;
semantics, which spots the use of functions or procedures that can lead to a flaw; and configuration, which
tracks the interaction between configuration files and code.
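As an added illustration of the rule-driven data-flow analysis described above (constructed for this article, not Fortify’s code), the toy pass below tracks attacker-controlled data from source calls through assignments to sink calls over a simplified statement list; it ignores branches, so it shows only the data-flow half, not control flow. The rule table, the `Stmt` format and the `acme.internal.query` in-house component (standing in for a custom rule) are assumptions.

```python
from dataclasses import dataclass

# Rule table in the spirit of a source/sanitizer/sink rule pack (constructed).
# "acme.internal.query" stands in for a custom rule covering an in-house component
# that a stock rule pack would not recognize.
RULES = {
    "sources":    {"request.getParameter", "request.getHeader"},
    "sanitizers": {"escapeSql", "Integer.parseInt"},
    "sinks":      {"stmt.executeQuery": ("SQL Injection", 5),
                   "acme.internal.query": ("SQL Injection (custom rule)", 5)},
}

@dataclass
class Stmt:
    target: str    # variable assigned, or "" for a bare call
    callee: str    # function/method called, or "" for plain assignment/concat
    args: tuple    # variable names read by this statement
    line: int      # source line, for the audit report

def analyze(program, rules=RULES):
    """Return findings as (severity, line, issue, sink), highest severity first."""
    tainted = set()
    findings = []
    for s in program:
        in_taint = any(a in tainted for a in s.args)
        if s.callee in rules["sinks"] and in_taint:
            issue, sev = rules["sinks"][s.callee]
            findings.append((sev, s.line, issue, s.callee))
        if s.target:
            if s.callee in rules["sources"]:
                tainted.add(s.target)          # attacker-controlled data enters
            elif s.callee in rules["sanitizers"]:
                tainted.discard(s.target)      # validated/escaped: taint removed
            elif in_taint:
                tainted.add(s.target)          # concat/assignment propagates taint
            else:
                tainted.discard(s.target)      # overwritten with clean data
    return sorted(findings, key=lambda f: (-f[0], f[1]))

# Constructed sample: three request-handling fragments, one of them properly validated.
SAMPLE = [
    Stmt("name", "request.getParameter", (), 10),
    Stmt("q", "", ("name",), 11),                       # q = "SELECT ... " + name
    Stmt("", "stmt.executeQuery", ("q",), 12),          # tainted query reaches sink
    Stmt("idStr", "request.getParameter", (), 14),
    Stmt("id", "Integer.parseInt", ("idStr",), 15),     # sanitizer: taint dropped
    Stmt("", "stmt.executeQuery", ("id",), 16),         # clean, no finding
    Stmt("hdr", "request.getHeader", (), 18),
    Stmt("", "acme.internal.query", ("hdr",), 19),      # custom rule fires
]
```

Running `analyze(SAMPLE)` yields two findings, at lines 12 and 19, and none for the parsed integer at line 16.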
Also added is a custom rules builder, a GUI-based tool for specifying
which internal components built by the software company — and thus not recognizable by the
stock analyzers — might be vulnerable.
Recognizing the deadlines many software projects are under, Fortify also incorporated an audit
workbench and help tool into the analyzer update. Since the number of potential vulnerabilities
in thousands, and sometimes millions, of lines of code could easily swamp quality control efforts,
officials took a page from the popular TurboTax software application, which lets even the novice
user audit tax returns and rank potential errors by severity and in groups.
“The reality is, in any software organization, they’re going to want to rank-order these and fix
the top ones, and they’ll probably let the other ones go,” said Mike Armistead, Fortify founder and vice
president of marketing. “Sometimes it’s going to be the experienced auditor that’s
going to be looking at this code; sometimes it’s just going to be the lead on the development
team or someone they deputize to be the security expert.”
Fortify’s Source Code Analysis is the initial “stack” in the company’s plans for application
protection. It serves as the base for what officials say will soon be an overall suite of products
spanning the application lifecycle. The company already has a simulation
tool — Attack Simulation — that acts like a cracker
attack and an overall reporting and diagnosis engine
that incorporates the entire suite. Armistead said an application defense tool
will fill out the suite in the middle of next year.
Many of today’s network attacks target application-level security weaknesses, which
lead to stolen credit card numbers and personal and account information. Though the Web server,
protected by the hardware and software in firewalls and routers, might be safe, the
applications people see on the Internet are, in many cases, not protected.