@stake product helps clean code

A new product from computer security firm @stake will help developers search computer code for errors, security holes and other...

A new product from computer security firm @stake will help developers search computer code for errors, security holes and other flaws that malicious hackers can use to break applications and break into computers.

SmartRisk Analyzer, an application security modelling and analysis tool that scans computer code written in the C, C++ and Java languages for flaws such as buffer overflows that, if left undetected, pose security risks for customers using finished software products.

Using a technique called "deep binary analysis", the new product scans computer code after it is "compiled", or translated into binary code, the zeros and ones that are the foundation of all computer languages. 

Working with compiled, as opposed to uncompiled code, allows SmartRisk Analyzer to spot flaws that may only appear when the application interacts with services on an operating system, said Chris Wysopal, vice president for research and development at @stake.

Those include interactions with security APIs, cryptographic APIs or network file services, as well as improper input validation and so-called "backdoors" that would allow malicious hackers to secretly compromise machines.

The product compares code to an @stake database of about 400 security and code reliability rules. It can generate reports that list flaws by type or rank them by severity. A remediation module marks erroneous code in an environment that resembles the IDEs (integrated development environments) most software developers work in, and appends suggestions for ways to fix coding mistakes.

"We wanted to design something that could be used by somebody who wasn't a security expert," Wysopal said.

SmartRisk Analyzer is the latest addition to a small, but growing, list of automated software tools that use a process called "static analysis" to help developers and companies vet computer code for security vulnerabilities and other problems.

As opposed to so-called "dynamic" analysis tools that use automated input tests to measure the response of finished applications, static analysis tools allow developers to test for problems as they are writing code, reducing the work needed to fix those holes when they are found. 

In April, Fortify Software, a startup company, introduced Fortify Source Code Analysis, a suite of software products that lets companies compare C++ and Java code against a list of more than 500 vulnerabilities published by software quality management company Cigital.

While SmartRisk Analyzer is a new entry into the category, the technology is not new. The underlying technology in SmartRisk Analyzer stems from proprietary technology developed by @stake in 1999 and used by the company's security consultants since 2002, Wysopal said.

SmartRisk Analyzer for C and C++ on Windows and Sun Microsystems' Sparc platform is now available. A version for Java will be released next month. The product runs on machines using the Windows 2000, 2003 and XP operating system.

Paul Roberts writes for IDG News Service

Read more on IT strategy