UK business typically spends 75% of software development budgets on eliminating security flaws, according to IT cost studies by security firm Comsec Consulting.
This means £750,000 is lost to fixing security flaws found late in the process for every £1m spent on software development by medium to large organisations.
Comsec has developed an on-demand service for new application code testing and analysis that the firm claims has cut code remediation costs by half for early adopters.
On-demand code analysis services typically reduce costs by eliminating the need for businesses to invest in costly code review software with annual licensing fees.
But Comsec's Codefend service, launched today, is aimed at providing a more comprehensive review than competitors. The service aims to achieve this by combining automated standard testing with customised testing and human analysis.
The Codefend service includes detailed questionnaires on the authentication and authorisation processes used by each customer software development team.
These are used to construct customised tests ahead of the analysis process to identify weaknesses such as potential backdoors, which standard tools typically do not detect.
The customised tests are run on customer source code alongside standard tests for vulnerabilities to common attack types such as buffer overflows and cross-site scripting.
"Once the tests are run, the human analysis team eliminates false positives to identify only real vulnerabilities," said Stuart Okin, managing director at Comsec UK.
Codefend is aimed at opening up to all companies in-depth software reviews previously available only to developers at big software firms, said Okin.
Ed Gibson, chief security officer at Microsoft UK, said the service will enable more organisations to adopt secure development processes.
Secure coding from the very start of software development processes has delivered significant gains for Microsoft.
"Windows Vista is a classic example of the success of secure development, with no meaningful [security] compromises since its release three years ago," said Gibson.
Vista was the first version of Microsoft's Windows operating system to be developed from start to finish using the firm's security development lifecycle (SDL) processes.
"Comsec's Codefend offers businesses what many would either not have thought of before or could not afford. Now there is little excuse not to check code in development," said Gibson.