A new partnership between Fortify Software and Watchfire,
leaders in the application security market, is intended to bring
together "white box" and "black box" testing to provide a more
complete assessment of application vulnerability throughout the
software development life cycle (SDLC).
The results of the partnership will integrate Fortify's Source
Code Analysis Suite and Watchfire's AppScan, a web application
vulnerability scanner. With the integration, customers will have a
single interface to view vulnerability data in one dashboard.
The integration of these two different types of products makes
sense on several fronts, said Barmak Meftah, vice-president of
engineering and operations at Fortify. "A lot of our customers
already use AppScan, and the correlation of the results we find in
the source code and what AppScan finds will provide a complete and
accurate list. Static analysis finds a slew of issues, but there
are certain security vulnerabilities you can only find when running
the application."
The ability to have the integrated results was a request the two
companies were hearing from their collective customers, according
to Michael Weider, founder and chief technology officer of
Watchfire.
"If you're trying to get a complete assessment of application
vulnerability, then the combination of source code scanning and web
application scanning is needed," said Neil MacDonald,
vice-president and distinguished analyst at Gartner. "One or the
other alone gets part of the picture, but the best results are to
correlate the information to develop a complete picture."
While static source code analysers and web application
vulnerability scanners are typically used by different parts of the
development organisation, the integration of the results found in
both types of testing "helps both sides of the fence," MacDonald
said. For example, he said, a web application scanner might
identify a page that is subject to a SQL injection, and that can
help the developer get to the area of the code where the problem
exists.
"By correlating the results you could take the developer to the
actual line of code that needs fixing, saving time and energy. It's
better from the developer's point of view than saying 'this page
has a problem,'" MacDonald said.
On the other hand, he said, one criticism of source code
scanners is that they find a lot of issues, some serious, some not
so serious. "One way to help prioritise efforts is to understand
and test if these vulnerabilities are exploitable from the outside
world. If you take knowledge of the vulnerabilities in source code,
and you test exploitability from a web app perspective, you can
focus on the higher severity problems. It's real from a source code
perspective and real from a web app perspective, so the correlation
flows in both directions, and there is value in both."
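The two-way correlation MacDonald describes (taking a scanner hit on a page back to the source line, and using the scanner to confirm which static findings are reachable from outside) is straightforward to express as a join over the two result sets. The script below is an added example, not Fortify or Watchfire code; it assumes each static finding carries a weakness class (CWE id), a file, a line, the web route its sink serves and the tainted parameter, and that each dynamic finding carries the CWE id, the attacked URL and the injected parameter. The sample findings are constructed.

```python
"""Correlate static-analysis findings with web-scanner findings and prioritise.

Added example; not the code of either product. Record formats are assumed:
CWE id is the join key, and the static analyser is assumed to report the
route a sink serves (a field not every tool provides).
"""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse


@dataclass(frozen=True)
class SastFinding:
    cwe: str        # weakness class, used as the join key
    file: str
    line: int
    route: str      # URL path the analyser attributes the sink to (assumed field)
    param: str      # tainted input name


@dataclass(frozen=True)
class DastFinding:
    cwe: str
    url: str        # full URL the scanner exercised
    param: str      # parameter it tested


@dataclass
class Correlated:
    cwe: str
    route: str
    param: str
    sast: List[SastFinding] = field(default_factory=list)
    dast: List[DastFinding] = field(default_factory=list)

    @property
    def priority(self) -> str:
        if self.sast and self.dast:
            return "P1-confirmed"        # reachable from outside and located in code
        if self.dast:
            return "P2-locate-in-code"   # scanner found it; no source location yet
        return "P3-static-only"          # not confirmed reachable from outside


PRIORITY_ORDER = {"P1-confirmed": 0, "P2-locate-in-code": 1, "P3-static-only": 2}


def normalise_route(path_or_url: str) -> str:
    """Reduce a scanner URL or an analyser route to a comparable path."""
    path = urlparse(path_or_url).path
    return path.rstrip("/") or "/"


def correlate(sast: List[SastFinding], dast: List[DastFinding]) -> List[Correlated]:
    """Join both result sets on (CWE, route, parameter) and sort by priority."""
    table = {}
    for s in sast:
        key = (s.cwe, normalise_route(s.route), s.param)
        table.setdefault(key, Correlated(*key)).sast.append(s)
    for d in dast:
        key = (d.cwe, normalise_route(d.url), d.param)
        table.setdefault(key, Correlated(*key)).dast.append(d)
    return sorted(table.values(),
                  key=lambda c: (PRIORITY_ORDER[c.priority], c.route, c.param))


def render(c: Correlated) -> str:
    """Developer-facing line: route, parameter and, when known, the lines to fix."""
    locs = ", ".join(f"{s.file}:{s.line}" for s in c.sast) or "no source location"
    return f"{c.priority} {c.cwe} {c.route} param={c.param} -> {locs}"


# Constructed sample findings (not real tool output).
SAST_SAMPLE = [
    SastFinding("CWE-89", "src/orders.py", 42, "/orders", "id"),
    SastFinding("CWE-79", "src/views/search.py", 17, "/search", "q"),
    SastFinding("CWE-89", "src/admin/report.py", 88, "/admin/report", "since"),
]
DAST_SAMPLE = [
    DastFinding("CWE-89", "http://app.example/orders/?id=1", "id"),
    DastFinding("CWE-79", "http://app.example/profile", "name"),
]

if __name__ == "__main__":
    for item in correlate(SAST_SAMPLE, DAST_SAMPLE):
        print(render(item))
```

With the sample data the /orders SQL injection is confirmed by both sides and comes out first, with the exact file and line; the /profile cross-site scripting is scanner-only and is flagged for locating in code; the two remaining static findings drop to the bottom because nothing has shown them reachable from outside.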
Education is an additional benefit of this type of integration,
said Eric Ogren, a security analyst at Enterprise Strategy Group.
"It can start pointing out trends from a security standpoint. If
[the tools] are catching things, you can use it as education for
developers - things they might not have been exposed to before."
For example, he said, "If you're seeing the coding errors of
cross-site scripting, you can share [that information] so it's not
repeated."
Today, the common denominator driving the use of source code
analysers and web application scanners is the information security
person, Weider said. However, he said he sees a "big turning point"
in bringing together the different aspects of application security
across the SDLC "instead of viewing software security in isolation
between developers and QA. Infosec becomes the common denominator
to drive this, but results [of the two types of testing] will be
aggregated and will provide for complete results."
Pressure to compete
Driving this partnership between Fortify and Watchfire is the
pressure coming from Compuware, MacDonald said. Compuware now
offers the DevPartner SecurityChecker and the DevPartner Fault
Simulator as part of its DevPartner family.
"I believe the catalyst for these types of strategic
relationships was Compuware's entry of source code scanning and Web
app scanning integrated into a QA tool environment," he said. "Some
tools vendors are starting to make noise, and it indicates that
longer term it will put pressure on this market for providing both
types of tools, whether through a single company or a
partnership."
However, MacDonald added, "Compuware is fairly late." Platform
suppliers tend to be late and not feature rich but close the gap
over time, he said. The partnership between Fortify and Watchfire
"raises the bar," MacDonald said.
"We've got two products that stand alone that will be made
stronger by linking. It also puts pressure on other standalone
vendors, most notably SPI Dynamics and Ounce Labs, to also have
similar agreements," he said. "It definitely raises the table
stakes for vendors in this market space."
Fortify and Watchfire have some prototype integration now and
expect to have correlated data by the year-end, according to
Weider. The partnership also includes joint sales and
marketing.