Reasoning Touts New Security Service

The Security Inspection (SI) service offers developers and companies fast, third-party analysis of application-level vulnerabilities at any time during a code's life cycle, said William Payne, president and CEO of Reasoning, Mountain View, Calif.

Unlike time-consuming manual static analysis, which inspects only portions of code at any given time, SI delivers 100 percent code coverage in one fell swoop, Payne said. Results that identify and provide a language-based fix for security and other application vulnerabilities are returned in less than 10 business days, he added.

ACCESS DENIED

Security inspection service slams the door on entrances

>> Buffer Overflows: The most commonly attacked vulnerability.
>> Tainted Data: Executable code from outside the firewall.
>> Race Conditions: Time lapse between verification and execution of an operation.

SI catches code errors that could open the door to buffer overflows, tainted data and race conditions that allow hackers to squeeze past verification windows, as well as a range of risky coding practices, Payne explained.

Reasoning's effort to franchise SI via IT service providers and consulting firms comes as issues of application security, regulatory compliance and the offshoring of code creation are placing added onus on firms to ensure network reliability, Payne said.

"The executive level is extremely afraid of getting a CERT advisory or losing customer confidence because their software group didn't spot a problem that [SI] could have found quite easily," he said.

The advantage of SI is twofold. IDC analyst Melissa Webster points out that not only does SI free developers from the drudgery of manually comparing source code for real- and false-positives, but the service also improves the skill level of developers by essentially teaching them not to make the same mistake twice.

The next step for Reasoning is Java. "We're researching Java security right now. People didn't think there'd be a reliability issue for Java because it's a much more secure language. But we are finding just as many defects in Java as we are in C," Payne said.