When it comes to protecting applications from attack, you need to cover all your bases. That job got a little easier for Java developers this week with SPI Dynamics announcement of DevInspect 3.0.
SPI Dynamics' Hybrid Analysis, a combination of source code analysis and black box testing previously available for just .NET applications, now runs on J2EE applications.
"We're taking the advancement of Hybrid Analysis in the .NET market and broadening it," said Jason Schmitt, product manager of developer and QA products at SPI Dynamics. "DevInspect 3.0 is the most complete and unmatched combination of platform support, tool integrations and analysis approaches."
The importance of the Hybrid Analysis, Schmitt said, is that the information gained from the source code analysis is used in cooperation with the black box security testing.
First, the source code analysis defines the application attack surface, identifying all application inputs and finding common security coding errors and all potential vulnerabilities, he said. Then the black box testing uses the intelligence and data from the source code analysis to discover and verify exploitable security defects using automated attack techniques against running applications.
"We can focus the black box testing on what we know about the code from the source code analysis. And the black box testing can add value to what is found during the source code analysis," Schmitt said.
DevInspect for Java is available as a standalone tool or as a plug-in to the most popular Java integrated development environments, including the Eclipse platform and IBM Rational Application Developer (RAD) versions 6 and 7. DevInspect for Java also integrates with IBM Rational ClearQuest for the creation and management of security defects within the development team.
Automatic code fixes
DevInspect 3.0 also provides automatic remediation of code in .NET applications. "Now we can take the information and not just suggest fixes but automatically remediate," Schmitt said.
The tool tells you what code it's about to apply, and it can make the change automatically or it can be set up so the developer decides whether to apply the changes.
This feature will be available for Java applications in early 2007, Schmitt said.
Support for Microsoft ASP.NET 2.0 AJAX
Developers creating applications with ASP.NET 2.0 AJAX (formerly called Atlas) can also use DevInspect 3.0 to test the security of those extensions. That makes it the first security product to analyze and remediate security vulnerabilities in Web applications built using ASP.NET AJAX, Schmitt said.
"Ajax applications are difficult to analyze because user requests are always changing," he said. "But we can look deeply into Ajax now. Analysis of the source code can help pinpoint things before running a black box test."
Schmitt added that SPI Dynamics worked closely with Microsoft's ASP.NET AJAX team when creating this feature. So, when AJAX is released, DevInspect will be fully capable of testing those types of extensions.
DevInspect 3.0 for Microsoft Visual Studio Team System
SPI Dynamics also announced the release of DevInspect 3.0 for Microsoft Visual Studio Team System, an integrated defect tracking and configuration management product. The tight integration of DevInspect with Visual Studio Team System enables developers to share data about security defects with their entire development team, Schmitt said.
Additionally, the product boasts an added security control that checks code for vulnerabilities before code is checked in. "If it has a vulnerability, it won't allow it to be checked in," Schmitt said. "We want to make sure vulnerabilities aren't introduced."
DevInspect 3.0 costs about $3,000 per user. It will be available Dec. 1, 2006. For more information, please visit SPI Dynamics' Web site.
This was first published in November 2006