Software Searches for Security Flaws

A new company hopes to make life a lot harder for malicious hackers, releasing technology that analyzes computer code for security violations and enforces secure coding practices.

Fortify Software, a startup company based in Menlo Park, California, plans to unveil two new product suites on Monday, one to inspect source code written in the C++ and Java programming languages, the other to probe security holes in software applications, the company says.

The new products give companies a way to strengthen software applications against attack by spotting and removing common vulnerabilities like buffer overflows, format string errors, and unchecked input from the product code early in the development process, says Mike Armistead, Fortify Vice President of Marketing.

At the heart of Fortify's products is technology called "extended static checking" that analyzes the properties of software code rather than the behavior of the finished program, says Brian Chess, chief scientist at Fortify.

Most existing application security testing products work by "stimulating" a finished application with long lists of input data and watching for an invalid response, so they can only judge the paths that test data happens to reach. Extended static checking instead lets Fortify's products enumerate all the paths in the code that can take action or "execute," quickly spot sensitive areas in the code, and then determine the exact limits of the vulnerability, he says.

That makes Fortify's product different from those of competitors such as Sanctum and SPI Dynamics, says Theresa Lanowitz, research director at Gartner.

"Fortify tackled this problem of security at the application level from a developer perspective only," she says.

Product Suite

Fortify Source Code Analysis is a suite of products that includes the Fortify Developer Toolkit and Fortify Source Code Analysis Server, which compare code against a catalog of more than 500 known vulnerability patterns published by software quality management company Cigital.

The Developer Toolkit is a desktop application that runs on Linux and Windows desktops and works with leading Integrated Development Environments (IDEs) to pinpoint security vulnerabilities early on, as code is being written and tested, Armistead says.

"The developer gets output that looks like output from a compiler," he says. For example, the Fortify Developer Toolkit might spot the developer using a software function that is known to introduce security risks.

"Instead of a compiler error saying 'I can't parse this,' developers will get a Fortify error saying that they're using a dangerous function, why not to use it and here's what could happen if you do use it," Chess says. "The idea is that just because a program compiles correctly, it's not necessarily a good program. So if the security checker doesn't like the program, you need to fix it."

The Analysis Server is another component of the Fortify Source Code Analysis product that analyzes software code for vulnerabilities and security flaws during "integration builds," when the work of multiple developers is knitted together, Armistead says.

The Analysis Server can trace external input as it flows through the code and spot the points where that input is digested by sensitive software functions. That lets it find vulnerabilities that do not exist in any one segment of code taken on its own, but appear when that segment is combined with other components, Chess says.
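The two behaviors described above, a compiler-style warning about a dangerous function and the tracing of untrusted input across function boundaries, can be seen in miniature with a toy checker. The following is an added example written for this page, not Fortify's code: a small interprocedural taint checker over Python source built on the standard library's `ast` module. The source list, the sink list, the sample program and the `read_request_param` helper it names are all constructed here for illustration.

```python
"""Toy interprocedural taint checker (added example, not Fortify's code).

Flags calls to a small catalogue of dangerous functions only when an argument
can carry untrusted input, following that input across function calls.
"""
import ast
from typing import Dict, FrozenSet, List, Tuple

# Constructed catalogue. read_request_param is a hypothetical web helper.
SOURCES = {"input", "read_request_param"}
SINKS = {
    "os.system": "command injection",
    "subprocess.call": "command injection",
    "eval": "code injection",
}

Finding = Tuple[str, int, str, str]  # (function, line, sink, category)


def callee_name(call: ast.Call) -> str:
    """Dotted name of the thing called, e.g. 'os.system'; '' if not a name."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


class TaintChecker:
    def __init__(self, source: str) -> None:
        module = ast.parse(source)
        self.functions: Dict[str, ast.FunctionDef] = {
            n.name: n for n in module.body if isinstance(n, ast.FunctionDef)
        }
        self.findings: List[Finding] = []
        # Summary cache keyed on (function, tainted parameters): each context is
        # analysed once, and the provisional entry stops recursion on cycles.
        self._summaries: Dict[Tuple[str, FrozenSet[str]], bool] = {}

    def run(self) -> List[Finding]:
        """Analyse every function as a possible entry point; report findings."""
        for name in self.functions:
            self.summarize(name, frozenset())
        return sorted(set(self.findings), key=lambda f: (f[1], f[0]))

    def summarize(self, name: str, tainted_params: FrozenSet[str]) -> bool:
        """Does `name` return tainted data when these parameters are tainted?
        Sink hits found along the way are recorded in self.findings."""
        key = (name, tainted_params)
        if key not in self._summaries:
            self._summaries[key] = False
            self._summaries[key] = self.walk(
                self.functions[name].body, set(tainted_params), name)
        return self._summaries[key]

    def walk(self, stmts, env: set, fn: str) -> bool:
        """Walk statements in order, updating the set of tainted names.
        Branches are walked one after another, so taint from either survives."""
        returns_tainted = False
        for s in stmts:
            if isinstance(s, ast.Assign):
                t = self.tainted(s.value, env, fn)
                for target in s.targets:
                    if isinstance(target, ast.Name):
                        env.add(target.id) if t else env.discard(target.id)
            elif isinstance(s, ast.Expr):
                self.tainted(s.value, env, fn)      # evaluated for sink hits
            elif isinstance(s, ast.Return) and s.value is not None:
                returns_tainted |= self.tainted(s.value, env, fn)
            elif isinstance(s, (ast.If, ast.For, ast.While)):
                returns_tainted |= (self.walk(s.body, env, fn)
                                    | self.walk(s.orelse, env, fn))
        return returns_tainted

    def tainted(self, e: ast.AST, env: set, fn: str) -> bool:
        """Can this expression carry untrusted data?"""
        if isinstance(e, ast.Name):
            return e.id in env
        if isinstance(e, ast.Call):
            return self.call_taint(e, env, fn)
        if isinstance(e, ast.BinOp):
            return self.tainted(e.left, env, fn) or self.tainted(e.right, env, fn)
        if isinstance(e, ast.JoinedStr):                      # f-strings
            return any(self.tainted(v.value, env, fn)
                       for v in e.values if isinstance(v, ast.FormattedValue))
        if isinstance(e, (ast.Attribute, ast.Subscript)):
            return self.tainted(e.value, env, fn)
        return False

    def call_taint(self, call: ast.Call, env: set, fn: str) -> bool:
        name = callee_name(call)
        args_tainted = [self.tainted(a, env, fn) for a in call.args]
        if name in SINKS and any(args_tainted):
            self.findings.append((fn, call.lineno, name, SINKS[name]))
        if name in SOURCES:
            return True
        if name in self.functions:                # follow the call into our code
            params = [a.arg for a in self.functions[name].args.args]
            tainted_params = frozenset(p for p, t in zip(params, args_tainted) if t)
            return self.summarize(name, tainted_params)
        # Unknown callee (str.strip, str.format, ...): assume taint passes
        # through from any argument or from the receiver of a method call.
        receiver = isinstance(call.func, ast.Attribute) and \
            self.tainted(call.func.value, env, fn)
        return bool(receiver) or any(args_tainted)


# Constructed sample program: no single function looks wrong on its own.
SAMPLE = """\
import os

def build_command(host):
    # Harmless on its own: it only formats a string.
    return "ping -c 1 " + host

def run_ping(cmd):
    # Also harmless on its own: nothing here is untrusted.
    os.system(cmd)

def handler():
    host = input("host: ")          # untrusted input enters here
    run_ping(build_command(host))   # ...and reaches os.system two calls later

def safe_handler():
    run_ping(build_command("localhost"))
"""


def format_finding(f: Finding) -> str:
    """Compiler-style one-liner: function:line: warning ..."""
    fn, line, sink, category = f
    return f"{fn}:{line}: warning: {sink}() receives untrusted input ({category})"


if __name__ == "__main__":
    for finding in TaintChecker(SAMPLE).run():
        print(format_finding(finding))
```

Run stand-alone, the checker reports the `os.system` call in `run_ping` once, reached through `handler`, and stays silent for `safe_handler`, whose argument is a constant. That is the point of the server-side analysis the article describes: neither `build_command` nor `run_ping` is flagged by a per-function rule, and the warning only appears once input is followed across the call chain. A real product covers far more language constructs, aliasing and a much larger catalogue; this toy walks branches in sequence and treats every unknown library call as passing taint straight through.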

Application Analysis

Also on Monday, Fortify will announce an application to analyze finished software applications before they are deployed.

Fortify Red Team Workbench is a penetration testing tool that uses both static analysis and dynamic analysis to probe security holes in running applications. The product can simulate sophisticated hacks and malicious behavior and works with quality assurance tools such as Mercury Interactive's LoadRunner and the open source JUnit Java testing framework, Fortify says.

The idea is to make "red teams" that take the role of hackers to test application security more effective by providing them with powerful, automated tools, Armistead says.

The idea of applying security at the application development level is still nascent, but is gaining in popularity, Lanowitz says.

"The industry has to make sure that development groups understand the importance of security at the application level. ...Vendors will help with this problem by delivering content to the developers to help them ... focus on [security] at the application and source code level," she says.

Put to the Test

New Vine Logistics of American Canyon, California, a third-party logistics company serving the wine industry, has also been evaluating the Fortify technology, says Pierre Tehrany, vice president of technology at New Vine.

New Vine has a staff of five software developers who write custom Web applications and business logic for the company, which handles inventory controls, order processing and financial information flows for wineries selling directly to consumers in 42 states, or to major distributors and other supply-chain partners, he says.

"It's critical that we're stable, that there's data integrity, and that data is secure and only seen by our customers," Tehrany says.

New Vine has tested both the Developer Toolkit and Source Code Analysis Server. While the products didn't turn up any glaring security holes, they did discover problems that New Vine's development team missed and probably wouldn't have found, he says.

More importantly, the tools relieved developers of the need to become experts on security vulnerabilities, he says.

"[Fortify] tells the developers what's wrong and right, and gives them suggestions on how to fix it. I feel like I can close up or prevent vulnerabilities without having to have software engineers invest in [security] training or hire somebody," he says.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.