Fortify and Watchfire partnership improves application vulnerability detection

The combination of Fortify's source code analyser with Watchfire's web application vulnerability scanner provides a more complete assessment of application vulnerabilities. By correlating the results, developers can be taken to the actual line of code that needs to be fixed rather than just receiving a notification that there's a problem with the page.

A new partnership between Fortify Software and Watchfire, leaders in the application security market, is intended to bring together "white box" and "black box" testing to provide a more complete assessment of application vulnerability throughout the software development life cycle (SDLC).

The results of the partnership will integrate Fortify's Source Code Analysis Suite and Watchfire's AppScan, a web application vulnerability scanner. With the integration, customers will have a single interface to view vulnerability data in one dashboard.

The integration of these two different types of products makes sense on several fronts, said Barmak Meftah, vice-president of engineering and operations at Fortify. "A lot of our customers already use AppScan, and the correlation of the results we find in the source code and what AppScan finds will provide a complete and accurate list. Static analysis finds a slew of issues, but there are certain security vulnerabilities you can only find when running the application."

The ability to have the integrated results was a request the two companies were hearing from their collective customers, according to Michael Weider, founder and chief technology officer of Watchfire.

"If you're trying to get a complete assessment of application vulnerability, then the combination of source code scanning and web application scanning is needed," said Neil MacDonald, vice-president and distinguished analyst at Gartner. "One or the other alone gets part of the picture, but the best results are to correlate the information to develop a complete picture."

While static source code analysers and web application vulnerability scanners are typically used by different parts of the development organisation, the integration of the results found in both types of testing "helps both sides of the fence," MacDonald said. For example, he said, a web application scanner might identify a page that is subject to a SQL injection, and that can help the developer get to the area of the code where the problem exists.

"By correlating the results you could take the developer to the actual line of code that needs fixing, saving time and energy. It's better from the developer's point of view than saying 'this page has a problem,'" MacDonald said.

On the other hand, he said, one criticism of source code scanners is that they find a lot of issues, some serious, some not so serious. "One way to help prioritise efforts is to understand and test if these vulnerabilities are exploitable from the outside world. If you take knowledge of the vulnerabilities in source code, and you test exploitability from a web app perspective, you can focus on the higher severity problems. It's real from a source code perspective and real from a web app perspective, so the correlation flows in both directions, and there is value in both."
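The two-way correlation MacDonald describes can be sketched as a small join between the two tools' findings. The following is an added illustration, not Fortify or Watchfire code: it assumes the source analyser can attribute each sink to the URL route and request parameter that reach it, and that the web scanner reports the URL and parameter it injected into. All field names and sample findings are constructed. Matches confirmed by both tools come first in triage; scanner-only findings point to code the analyser missed; analyser-only findings are kept but ranked lower until reachability is verified.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StaticFinding:
    """One result from a source code analyser (constructed schema)."""
    category: str   # vulnerability class, e.g. "sql_injection"
    file: str       # source file containing the dangerous sink
    line: int       # line of the sink: where the developer should be taken
    route: str      # URL route whose handler reaches the sink (assumed to be exported)
    param: str      # request parameter that flows into the sink


@dataclass(frozen=True)
class DynamicFinding:
    """One result from a web application scanner (constructed schema)."""
    category: str
    url: str        # URL the scanner tested, possibly with a query string
    param: str      # parameter the scanner injected into


def normalise_route(url: str) -> str:
    """Reduce a scanned URL or declared route to a comparable path."""
    path = urlsplit(url).path.rstrip("/")
    return path or "/"


def match_key(category: str, route: str, param: str) -> tuple:
    return (category.lower(), normalise_route(route), param.lower())


def correlate(static: list, dynamic: list) -> dict:
    """Join the two result sets on (category, route, parameter)."""
    by_key: dict = {}
    for s in static:
        by_key.setdefault(match_key(s.category, s.route, s.param), []).append(s)

    confirmed, dynamic_only, matched = [], [], set()
    for d in dynamic:
        hits = by_key.get(match_key(d.category, d.url, d.param), [])
        if not hits:
            dynamic_only.append(d)          # reachable in the running app, no source match
        for s in hits:
            confirmed.append((d, s))        # found by both: real from both perspectives
            matched.add(s)
    static_only = [s for s in static if s not in matched]
    return {"confirmed": confirmed, "dynamic_only": dynamic_only, "static_only": static_only}


def source_locations(dynamic_finding: DynamicFinding, static: list) -> list:
    """Scanner -> source direction: the file:line to open for a flagged page."""
    result = correlate(static, [dynamic_finding])
    return [f"{s.file}:{s.line}" for _, s in result["confirmed"]]


def prioritised(result: dict) -> list:
    """Source -> scanner direction: rank static findings by external confirmation."""
    out = []
    for d, s in result["confirmed"]:
        out.append(("P1", f"{s.category} at {s.file}:{s.line} confirmed via {d.url} param {d.param}"))
    for d in result["dynamic_only"]:
        out.append(("P2", f"{d.category} at {d.url} param {d.param}: no source finding, trace manually"))
    for s in result["static_only"]:
        out.append(("P3", f"{s.category} at {s.file}:{s.line}: not reached by scanner, verify reachability"))
    return out


# Constructed sample findings (not real tool output).
STATIC = [
    StaticFinding("sql_injection", "account/search.py", 42, "/account/search", "q"),
    StaticFinding("xss", "profile.py", 17, "/profile/", "name"),
    StaticFinding("sql_injection", "admin/report.py", 88, "/admin/report", "id"),
]
DYNAMIC = [
    DynamicFinding("sql_injection", "/account/search?q=1", "q"),
    DynamicFinding("xss", "/profile", "name"),
    DynamicFinding("path_traversal", "/download?file=x", "file"),
]

if __name__ == "__main__":
    for priority, description in prioritised(correlate(STATIC, DYNAMIC)):
        print(priority, description)
```

The join key is deliberately coarse (category, path, parameter); a production integration would also need to reconcile the two tools' category vocabularies and handle routes with path parameters.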

Education is an additional benefit of this type of integration, said Eric Ogren, a security analyst at Enterprise Strategy Group. "It can start pointing out trends from a security standpoint. If [the tools] are catching things, you can use it as education for developers - things they might not have been exposed to before." For example, he said, "If you're seeing the coding errors of cross-site scripting, you can share [that information] so it's not repeated."

Today, the common denominator driving the use of source code analysers and web application scanners is the information security person, Weider said. However, he said he sees a "big turning point" in bringing together the different aspects of application security across the SDLC "instead of viewing software security in isolation between developers and QA. Infosec becomes the common denominator to drive this, but results [of the two types of testing] will be aggregated and will provide for complete results."

Pressure to compete
Driving this partnership between Fortify and Watchfire is the pressure coming from Compuware, MacDonald said. Compuware now offers the DevPartner SecurityChecker and the DevPartner Fault Simulator as part of its DevPartner family.

"I believe the catalyst for these types of strategic relationships was Compuware's entry of source code scanning and Web app scanning integrated into a QA tool environment," he said. "Some tools vendors are starting to make noise, and it indicates that longer term it will put pressure on this market for providing both types of tools, whether through a single company or a partnership."

However, MacDonald added, "Compuware is fairly late." Platform suppliers tend to be late and not feature rich but close the gap over time, he said. "The partnership between Fortify and Watchfire raises the bar," MacDonald said.

"We've got two products that stand alone that will be made stronger by linking. It also puts pressure on other standalone vendors, most notably SPI Dynamics and Ounce Labs, to also have similar agreements," he said. "It definitely raises the table stakes for vendors in this market space."

Fortify and Watchfire have some prototype integration now and expect to have correlated data by the year-end, according to Weider. The partnership also includes joint sales and marketing.