More Fortification For Code
November 22, 2004

Seven months after opening for business, officials at Fortify Software announced improvements to its analysis tool for weeding out code that leads to application hacks.

The improvements to the Palo Alto, Calif., company's Source Code Analyzer build on its existing ability to detect patterns in software development that can lead to security vulnerabilities such as SQL injection, buffer overflows and information leakage.

In addition to new language support for C# -- the software already supports C, C++, PL/SQL, Java Server Pages (JSP) and Java -- Fortify has added four new analyzers, a rules manager and an audit manager for prioritizing software flaws by severity.

Fortify automates what would take a security expert hours to accomplish, with 3,500 rules that detect software behavior that can lead to an application vulnerability. Developers can use the standalone Fortify plug-ins for the Borland JBuilder, Java-based Eclipse or Microsoft .NET Studio IDEs. And at the build level, where code from individual programmers is brought together, project leads and architects can run the more robust Enterprise or Team suites.

The four new analyzers each look for a particular class of flaw in the code: data flow, which follows the paths data takes as the program executes; control flow, which tracks the sequence in which that data flow occurs in a program; semantic, which looks for the use of functions or procedures that can lead to a flaw; and configuration, which tracks the interaction between configuration and code.
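The data-flow analyzer described above follows a value from where it enters the program to where it is consumed. As an added illustration of that idea (not Fortify's code, and far simpler than a commercial analyzer), the following Python script runs a toy intraprocedural taint analysis over a constructed sample: the source and sink names are assumed rules, and the script reports a query string built from untrusted input while leaving the parameterized call alone.

```python
import ast

# Constructed toy rules in the spirit of the source/sink rules the article describes
# (assumed names, not Fortify's rule set): where untrusted data enters, and which
# calls must never receive a query string built from it.
TAINT_SOURCES = {"request.args.get", "input"}
SQL_SINKS = {"cursor.execute", "db.query"}

def _callee_name(call: ast.Call) -> str:
    """Render a call target such as cursor.execute as a dotted string."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _is_tainted(expr: ast.AST, tainted: set) -> bool:
    """True if expr reads a tainted name or calls a source (covers +, %, .format, f-strings)."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _callee_name(sub) in TAINT_SOURCES:
            return True
    return False

def find_sql_injection(source: str) -> list:
    """Source-order taint pass: (line, sink) for each SQL sink whose query argument is tainted."""
    nodes = (n for n in ast.walk(ast.parse(source)) if isinstance(n, (ast.Assign, ast.Call)))
    tainted, findings = set(), []
    for node in sorted(nodes, key=lambda n: (n.lineno, n.col_offset)):
        if isinstance(node, ast.Assign):       # assignment spreads taint to its targets
            if _is_tainted(node.value, tainted):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
            continue
        name = _callee_name(node)              # a call: is it a sink fed tainted data?
        if name in SQL_SINKS and node.args and _is_tainted(node.args[0], tainted):
            findings.append((node.lineno, name))
    return findings

# Constructed sample program under analysis: line 5 concatenates untrusted input
# into SQL, line 6 is the parameterized form, line 7 is not a SQL sink.
SAMPLE = '''
def lookup(request, cursor, log):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cursor.execute(query)
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
    log.info("looked up " + uid)
'''
```

Running `find_sql_injection(SAMPLE)` returns `[(5, 'cursor.execute')]`; a real analyzer adds sanitizer rules, branch-sensitive flow and cross-function tracking on top of this core.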

Also added is a custom rules builder, a GUI-based tool that lets developers define which internal components built by the software company -- and thus not recognizable by the analyzers -- might be vulnerable.

Recognizing the deadlines many software projects are under, Fortify also incorporated an audit workbench and help tool into the analyzer update. Since the number of potential vulnerabilities in thousands, and sometimes millions, of lines of code could easily swamp quality control efforts, officials took a page from the popular TurboTax software application, which lets even the novice user audit tax returns and rank potential errors by severity and in groups.

"The reality is, in any software organization, they're going to want to rank-order these and fix the top ones, and they'll probably let the other ones go," said Mike Armistead, Fortify founder and vice president of marketing. "Sometimes it's going to be the experienced auditor that's going to be looking at this code; sometimes it's just going to be the lead on the development team or someone they deputize to be the security expert."

Fortify's Source Code Analysis is the initial "stack" in the company's plans for application protection. It serves as the base for what officials say will soon be an overall suite of products spanning the application lifecycle. The company already has a simulation tool -- Attack Simulation -- that acts like a cracker employing an application-level attack, and an overall reporting and diagnosis engine that incorporates the entire suite. Armistead said an application defense tool will fill out the suite in the middle of next year.

Many of today's network attacks target application-level security weaknesses, which lead to the theft of credit card numbers and personal and account information. Though the Web server, which is protected by hardware and software in firewalls and routers, might be safe, the applications people see on the Internet are, in many cases, not protected.
