When it comes to protecting applications from attack, you need
to cover all your bases. That job got a little easier for Java
developers this week with SPI Dynamics' announcement of DevInspect
3.0.
SPI Dynamics' Hybrid Analysis, a combination of source code
analysis and black box testing previously available for just .NET
applications, now runs on J2EE applications.
"We're taking the advancement of Hybrid Analysis in the .NET
market and broadening it," said Jason Schmitt, product manager of
developer and QA products at SPI Dynamics. "DevInspect 3.0 is the
most complete and unmatched combination of platform support, tool
integrations and analysis approaches."
The importance of Hybrid Analysis, Schmitt said, is that the
information gained from the source code analysis feeds directly
into the black box security testing.
First, the source code analysis defines the application attack
surface, identifying all application inputs and finding common
security coding errors and all potential vulnerabilities, he said.
Then the black box testing uses the intelligence and data from the
source code analysis to discover and verify exploitable security
defects using automated attack techniques against running
applications.
"We can focus the black box testing on what we know about the
code from the source code analysis. And the black box testing can
add value to what is found during the source code analysis,"
Schmitt said.
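The two-phase process described above, as an added example that is not SPI Dynamics' code and not the page's own: a source pass enumerates the inputs a servlet reads (the attack surface) and flags ones concatenated straight into HTML output, then a black-box pass probes only those inputs against a running handler and reports which suspects are actually reflected unencoded. The Java servlet source and the `running_app` handler are constructed stand-ins for a real J2EE application; the static check is a deliberately coarse lexical match, not real data-flow tracking.

```python
"""Hybrid analysis in miniature: a source-code pass enumerates the inputs
(the attack surface) and flags suspicious sinks, then a black-box pass
probes exactly those inputs against the running application and reports
which suspects are actually exploitable.

Added example, not SPI Dynamics code. The servlet source and the
"running app" are constructed stand-ins for a real J2EE application."""
import html
import re

# Constructed Java servlet source, standing in for the code under review.
JAVA_SOURCE = r'''
public class SearchServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
        String q = req.getParameter("q");
        String page = req.getParameter("page");
        String lang = req.getHeader("Accept-Language");
        PrintWriter out = resp.getWriter();
        out.println("<h1>Results for " + q + "</h1>");
        out.println("<p>Page " + Integer.parseInt(page) + "</p>");
        out.println("<p>" + StringEscapeUtils.escapeHtml(lang) + "</p>");
    }
}
'''

PARAM_RE = re.compile(r'String\s+(\w+)\s*=\s*\w+\.getParameter\("([^"]+)"\)')
HEADER_RE = re.compile(r'String\s+(\w+)\s*=\s*\w+\.getHeader\("([^"]+)"\)')
PRINT_RE = re.compile(r'println\((.*)\);')


def attack_surface(source):
    """Phase 1a: every request input the servlet reads, as {variable: (kind, name)}."""
    inputs = {}
    for m in PARAM_RE.finditer(source):
        inputs[m.group(1)] = ("parameter", m.group(2))
    for m in HEADER_RE.finditer(source):
        inputs[m.group(1)] = ("header", m.group(2))
    return inputs


def suspected_xss(source, inputs):
    """Phase 1b: variables concatenated straight into a println.
    A coarse lexical check, not real data-flow tracking: a variable that
    only appears wrapped in a call (parseInt, escapeHtml) is not flagged."""
    suspects = set()
    for m in PRINT_RE.finditer(source):
        for var in inputs:
            if re.search(r"\+\s*" + re.escape(var) + r"\b", m.group(1)):
                suspects.add(var)
    return suspects


def running_app(params):
    """Constructed stand-in for the deployed servlet; mirrors JAVA_SOURCE.
    Headers are passed in the same dict as parameters for brevity.
    Returns (status, body)."""
    try:
        body = "<h1>Results for " + params.get("q", "") + "</h1>\n"
        body += "<p>Page " + str(int(params.get("page", "1"))) + "</p>\n"
        body += "<p>" + html.escape(params.get("Accept-Language", "en")) + "</p>\n"
        return 200, body
    except ValueError:
        return 500, "Internal Server Error"


def black_box(app, inputs, suspects):
    """Phase 2: probe only the inputs phase 1 found. A marker that comes back
    verbatim proves the reflection is unencoded (confirmed); an encoded
    echo refutes the suspect; a 5xx is reported separately so the
    developer sees inputs that crash on unexpected values."""
    results = {}
    for var, (_kind, name) in inputs.items():
        probe = "<hybrid-probe-%s>" % name
        status, body = app({name: probe})
        if probe in body:
            verdict = "confirmed"
        elif status >= 500:
            verdict = "error"
        else:
            verdict = "not-reflected"
        results[name] = (verdict, var in suspects)
    return results


def run(source=JAVA_SOURCE, app=running_app):
    """Full hybrid pass: static inventory, static suspects, targeted probes."""
    inputs = attack_surface(source)
    return black_box(app, inputs, suspected_xss(source, inputs))


if __name__ == "__main__":
    for name, (verdict, flagged) in run().items():
        print("%-16s static-suspect=%-5s dynamic=%s" % (name, flagged, verdict))
```

Running it shows the division of labour: `q` is flagged statically and confirmed dynamically, `Accept-Language` is never flagged because the source encodes it and the probe comes back escaped, and `page` is not an XSS suspect but the probe surfaces a 500 on non-numeric input, which is the kind of finding the black-box side adds back to the static picture. The static matcher intentionally ignores anything that is not a bare concatenation, so it will miss a tainted value passed through a helper that does not encode; a production tool does taint tracking rather than regexes.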
DevInspect for Java is available as a standalone tool or as a
plug-in to the most popular Java integrated development
environments, including the Eclipse platform and IBM Rational
Application Developer (RAD) versions 6 and 7. DevInspect for Java
also integrates with IBM Rational ClearQuest for the creation and
management of security defects within the development team.
Automatic code fixes
DevInspect 3.0 also provides automatic remediation of code in .NET
applications. "Now we can take the information and not just suggest
fixes but automatically remediate," Schmitt said.
The tool shows the code change it is about to apply; it can apply
the change automatically, or it can be configured so the developer
decides whether to apply it.
This feature will be available for Java applications in early
2007, Schmitt said.
Support for Microsoft ASP.NET 2.0 AJAX
Developers creating applications with ASP.NET 2.0 AJAX (formerly
called Atlas) can also use DevInspect 3.0 to test the security of
those extensions. That makes it the first security product to
analyze and remediate security vulnerabilities in Web applications
built using ASP.NET AJAX, Schmitt said.
"Ajax applications are difficult to analyze because user
requests are always changing," he said. "But we can look deeply
into Ajax now. Analysis of the source code can help pinpoint things
before running a black box test."
Schmitt added that SPI Dynamics worked closely with Microsoft's
ASP.NET AJAX team when creating this feature, so that when ASP.NET
AJAX is released, DevInspect will be fully capable of testing those
types of extensions.
DevInspect 3.0 for Microsoft Visual Studio Team System
SPI Dynamics also announced the release of DevInspect 3.0 for
Microsoft Visual Studio Team System, an integrated defect tracking
and configuration management product. The tight integration of
DevInspect with Visual Studio Team System enables developers to
share data about security defects with their entire development
team, Schmitt said.
Additionally, the product includes a check-in control that scans
code for vulnerabilities before it is checked in. "If it
has a vulnerability, it won't allow it to be checked in," Schmitt
said. "We want to make sure vulnerabilities aren't introduced."
DevInspect 3.0 costs about $3,000 per user. It will be available
Dec. 1, 2006. For more information, please visit SPI Dynamics' Web site.