Application security vendors SPI Dynamics and Fortify Software both made announcements designed to better enable the sharing of critical application security information throughout the software development life cycle.
Atlanta-based SPI Dynamics Inc., provider of Web application security assessment and testing products, announced the integration of its QAInspect Enterprise Web application security testing solution with its Assessment Management Platform (AMP), enabling organisations to implement standardised quality and security policies for Web applications throughout the life cycle. This integration follows on the heels of the company's earlier integration of AMP and WebInspect, its Web application security assessment product.
"We're trying to facilitate communication between the development and production side of the house," said SPI Dynamics' Erik Peterson, vice president of product management. "For the first time you see the ability for the QA tester and the security tester to work together and share the results in the AMP platform."
Typically organisations have a "sneakernet" approach to sharing application security-related information among different areas of responsibility, he said. The problem, though, is "something gets lost in communication," Peterson said. "Our larger customers with the most to lose are pushing to solve this communications gap."
According to SPI Dynamics, the integration of QAInspect with AMP enables users to capture all security assessment information and risk management into a single enterprise database, while maintaining centralised control and oversight of the application risk assessment process. With this central control, security professionals can customise and configure prepackaged security policies that can be consumed in automated tests across the organisation. QAInspect can leverage these policies to create a custom security test that can be added to existing function tests.
In addition, security professionals can use the data in AMP to analyse security defects that were identified by QA.
"We wanted to give folks an enterprise view of the security life cycle. They will know at a moment's glance the status of an application, if it's in development or QA or production," Peterson said. "A new feature in AMP is the executive dashboard, which is Web-based and has the metrics and means to track the security status of every application in the environment. You can see trends like how well business units are competing against each other in terms of the security of their applications. And as applications move from QA to production/deployment, is my overall risk going down or getting worse? For the first time we're offering the ability to see the operational status of Web apps. This level of capability is pretty common in the network world."
The bottom line: "To solve the [application security] problem you have to speak with developers and testers. We're looking for ways to keep the communications stream flowing," Peterson said.
Fortify helps find bugs
While SPI is targeting a single view of the security life cycle, Fortify's efforts with the FindBugs open source project are aimed at providing a single view of security and quality-related issues, said Barmak Meftah, vice president of engineering and operations at Fortify Software Inc. in Palo Alto, Calif.
Fortify today announced it has joined the FindBugs project as a sponsor, and is helping to expand the functionality of the open source tool, which looks for bugs in Java programs and detects common coding mistakes. In addition to its sponsorship, Fortify also announced FindBugs' integration with the Fortify Source Code Analysis (SCA) product. Developers can run FindBugs in conjunction with Fortify Source Code Analysis and can then load and view the results in various Fortify tools such as Fortify Audit Workbench and Fortify Software Security Manager, giving developers a central view of all results, according to the company.
While the ramifications of a software quality problem may not be as great as for a security issue, "they are equally important for engineers," Meftah said. "Fortify identifies software security issues and emphasises getting them fixed by giving suggestions. Security issues, if identified and not fixed, will typically get exploited. Quality issues, if not fixed, can cause the application to run slower, or the reusability of an application becomes hard."
With the integration of Source Code Analysis and FindBugs, "developers have a single view toward security and quality-related issues in Java code. Beyond that our main interest is to get them fixed. We like clean code whether it's security or quality issues; the combination of the two products will result in cleaner code being written," Meftah said.
FindBugs was originally developed by William Pugh, a professor at the University of Maryland and a member of Fortify's Technical Advisory Board. To date, there have been more than 200,000 downloads.
Fortify is contributing both funding and engineering resources to the project, Meftah said. Fortify's participation will help the company reach a wider development audience, he said. "In a way it will help everybody. The development audience is key to us, and the wide adoption of FindBugs is there. Our sponsorship will allow developers to take a look at SCA and put two products together. We will make the integration as nonintrusive as we can, so running SCA will be easy for them."
Reaching out to developers is key, Meftah said, adding: "Evangelising is important for security."