A new product from computer security firm @stake will
help developers search computer code for errors, security holes and
other flaws that malicious hackers can use to break
applications and break into computers.
SmartRisk Analyzer is an application security modelling and
analysis tool that scans computer code written in the C, C++ and
Java languages for flaws such as buffer overflows that, if left
undetected, pose security risks for customers using the finished
software product.
Using a technique called "deep binary analysis", the new product
scans computer code after it is "compiled", or translated into
binary code, the zeros and ones that are the foundation of all
computer languages.
Working with compiled rather than source code allows
SmartRisk Analyzer to spot flaws that may only appear when the
application interacts with services on an operating system, said
Chris Wysopal, vice president for research and development at
@stake.
Those include interactions with security APIs, cryptographic
APIs or network file services, as well as improper input validation
and so-called "backdoors" that would allow malicious hackers to
secretly compromise machines.
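As an added illustration, not @stake's code or SmartRisk Analyzer output, here is the kind of C flaw the article describes: a parser that trusts an attacker-controlled length field, next to a version with the input validation that keeps the copy inside its buffer. The record format (one length byte followed by that many name bytes) and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination buffer */

/* Vulnerable: the copy length is taken on trust from the input, so a record
 * whose length byte exceeds NAME_MAX overruns 'name' (the pattern flagged). */
int parse_name_vulnerable(const uint8_t *rec, char name[NAME_MAX])
{
    size_t len = rec[0];
    memcpy(name, rec + 1, len);   /* no check of len against NAME_MAX */
    name[len] = '\0';
    return (int)len;
}

/* Hardened: every value derived from the input is checked against both the
 * destination capacity and the bytes actually present before any copy. */
int parse_name_hardened(const uint8_t *rec, size_t rec_len,
                        char *name, size_t name_cap)
{
    if (rec == NULL || name == NULL || rec_len < 1 || name_cap == 0)
        return -1;
    size_t len = rec[0];
    if (len >= name_cap)          /* must leave room for the terminator */
        return -1;
    if (len > rec_len - 1)        /* declared length exceeds the record */
        return -1;
    memcpy(name, rec + 1, len);
    name[len] = '\0';
    return (int)len;
}

/* Constructed sample records, not real protocol data. */
static const uint8_t good_rec[]      = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t truncated_rec[] = { 9, 'b', 'o', 'b' };            /* claims 9, has 3 */
static const uint8_t oversize_rec[]  = { 20, 'A','A','A','A','A','A','A','A','A','A',
                                        'A','A','A','A','A','A','A','A','A','A' };  /* 20 > NAME_MAX */

/* Checks a unit test can assert on: well-formed input accepted, both bad inputs refused. */
int hardened_accepts_good(void)
{ char n[NAME_MAX]; return parse_name_hardened(good_rec, sizeof good_rec, n, sizeof n) == 5 && strcmp(n, "alice") == 0; }
int hardened_rejects_truncated(void)
{ char n[NAME_MAX]; return parse_name_hardened(truncated_rec, sizeof truncated_rec, n, sizeof n) == -1; }
int hardened_rejects_oversize(void)
{ char n[NAME_MAX]; return parse_name_hardened(oversize_rec, sizeof oversize_rec, n, sizeof n) == -1; }
```

The vulnerable version behaves identically on the well-formed record, which is why such defects survive ordinary testing and are left for static analysis to find.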
The product compares code to an @stake database of about 400
security and code reliability rules. It can generate reports that
list flaws by type or rank them by severity. A remediation module
marks erroneous code in an environment that resembles the IDEs
(integrated development environments) most software developers work
in, and appends suggestions for ways to fix coding mistakes.
"We wanted to design something that could be used by somebody
who wasn't a security expert," Wysopal said.
SmartRisk Analyzer is the latest addition to a small, but
growing, list of automated software tools that use a process called
"static analysis" to help developers and companies vet computer
code for security vulnerabilities and other problems.
As opposed to so-called "dynamic" analysis tools that use
automated input tests to measure the response of finished
applications, static analysis tools allow developers to test for
problems as they are writing code, reducing the work needed to fix
those holes when they are found.
In April, Fortify Software, a startup company, introduced
Fortify Source Code Analysis, a suite of software products that
lets companies compare C++ and Java code against a list of more
than 500 vulnerabilities published by software quality management
company Cigital.
While SmartRisk Analyzer is a new entry into the category, the
technology is not new. The underlying technology in SmartRisk
Analyzer stems from proprietary technology developed by @stake in
1999 and used by the company's security consultants since 2002,
Wysopal said.
SmartRisk Analyzer for C and C++ on Windows and Sun
Microsystems' Sparc platform is now available. A version for Java
will be released next month. The product runs on machines using the
Windows 2000, 2003 and XP operating systems.
Paul Roberts writes for IDG News Service.