Application security vendors SPI Dynamics and Fortify Software
both made announcements designed to better enable the sharing of
critical application security information throughout the software
development life cycle.
Atlanta-based SPI Dynamics Inc., provider of Web application
security assessment and testing products, announced the integration
of its QAInspect Enterprise Web application security testing
solution with its Assessment Management Platform (AMP), enabling
organisations to implement standardised quality and security
policies for Web applications throughout the life cycle. This
integration follows on the heels of the company's earlier
integration of AMP and WebInspect, its Web application security
assessment product.
"We're trying to facilitate communication between the
development and production side of the house," said SPI Dynamics'
Erik Peterson, vice president of product management. "For the first
time you see the ability for the QA tester and the security tester
to work together and share the results in the AMP platform."
Typically organisations have a "sneakernet" approach to sharing
application security-related information among different areas of
responsibility, he said. The problem, though, is "something gets
lost in communication," Peterson said. "Our larger customers with
the most to lose are pushing to solve this communications gap."
According to SPI Dynamics, the integration of QAInspect with AMP
enables users to capture all security assessment and risk management
information in a single enterprise database, while
maintaining centralised control and oversight of the application
risk assessment process. With this central control, security
professionals can customise and configure prepackaged security
policies that can be consumed in automated tests across the
organisation. QAInspect can leverage these policies to create a
custom security test that can be added to existing function
tests.
In addition, security professionals can use the data in AMP to
analyse security defects that were identified by QA.
"We wanted to give folks an enterprise view of the security life
cycle. They will know at a moment's glance the status of an
application, if it's in development or QA or production," Peterson
said. "A new feature in AMP is the executive dashboard, which is
Web-based and has the metrics and means to track the security
status of every application in the environment. You can see trends
like how well business units are competing against each other in
terms of the security of their applications. And as applications
move from QA to production/deployment, is my overall risk going
down or getting worse? For the first time we're offering the ability to
see the operational status of Web apps. This level of capability is
pretty common in the network world."
The bottom line: "To solve the [application security] problem
you have to speak with developers and testers. We're looking for
ways to keep the communications stream flowing," Peterson said.
Fortify helps find bugs
While SPI is targeting a single view of the security life cycle,
Fortify's efforts with the FindBugs open source project are aimed at
providing a single view of security and quality-related issues,
said Barmak Meftah, vice president of engineering and operations at
Fortify Software Inc. in Palo Alto, Calif.
Fortify today announced it has joined the FindBugs project as a
sponsor, and is helping to expand the functionality of the open
source tool, which looks for bugs in Java programs and detects
common coding mistakes. In addition to its sponsorship, Fortify
also announced FindBugs' integration with the Fortify Source Code
Analysis (SCA) product. Developers can run FindBugs in conjunction
with Fortify Source Code Analysis and can then load and view the
results from various Fortify tools such as Fortify Audit Workbench
and Fortify Software Security Manager, giving developers a central
view of all results, according to the company.
While the ramifications of a software quality problem may not be
as great as for a security issue, "they are equally important for
engineers," Meftah said. "Fortify identifies software security
issues and emphasises getting them fixed by giving suggestions.
Security issues, if identified and not fixed, will typically get
exploited. Quality issues, if not fixed, can cause the application
to run slower, or the reusability of an application becomes
hard."
With the integration of Source Code Analysis and FindBugs,
"developers have a single view toward security and quality-related
issues in Java code. Beyond that our main interest is to get them
fixed. We like clean code whether it's security or quality issues;
the combination of the two products will result in cleaner code
being written," Meftah said.
FindBugs was originally developed by William Pugh, a professor
at the University of Maryland and a member of Fortify's Technical
Advisory Board. To date, there have been more than 200,000
downloads.
Fortify is contributing both financially to the project and
providing engineering resources, Meftah said. Fortify's
participation will help the company reach a wider development
audience, he said. "In a way it will help everybody. The
development audience is key to us, and the wide adoption of
FindBugs is there. Our sponsorship will allow developers to take a
look at SCA and put two products together. We will make the
integration as nonintrusive as we can, so running SCA will be easy
for them."
Reaching out to developers is key, Meftah said, adding:
"Evangelising is important for security."