Fortify Launches Security Tool For Software Developers
The company, which operates out of the Menlo Park, Calif., offices of lead investor Kleiner Perkins Caufield and Byers, has shipped tools that let developers scan for security problems as they work. Traditionally, an application is checked for flaws after the development process.
Fortify's focus on the application to strengthen security makes more sense than a strategy that focuses almost solely on trying to get malware before it enters the network, company officials said. While a strong security fence of firewalls and intrusion detection systems is pivotal, so are less-vulnerable applications.
"There hasn't been enough focus on the root cause of a lot of these security issues, which is that the applications themselves are fundamentally vulnerable," Mike Armistead, vice president of marketing and cofounder of Fortify, said. "The prevailing security strategy is to isolate applications behind the perimeter."
That tactic, however, is becoming more difficult to sustain as more companies deploy software to conduct business with suppliers and customers across the Internet, taxing devices at the edge of the network.
A recent report solicited by the U.S. Department of Homeland Security has identified the root cause of security problems as faulty applications, and has recommended new practices for designing and developing more secure software.
The new Fortify Source Code Analysis suite comprises two components, the Developer Toolkit and the Source Code Analysis Server.
The toolkit works with a developer's integrated development environment running on a Linux or Windows desktop. A developer can choose to have his C++ or Java source code scanned by the tool at any time to check for security flaws.
Within the IDE, the toolkit will mark the problem code and describe a remedy, basing its analysis on 500 problems identified by consulting firm and Fortify partner Cigital Inc. The tool checks not only for flaws in code patterns, but also in data flows.
The Analysis Server is for those members of a development team responsible for putting together the various developer-built components that will become the whole application. The process is often called an "integration build," and the tool scans the links between the components for flaws.
A simple example of an integration build would be stitching together the Java server pages that make up the user interface, the business logic running on an application server and the SQL code calling the backend relational database.
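The difference between checking code patterns and checking data flows, which the article attributes to the toolkit, can be shown in miniature. The following is an added illustration, not Fortify's or Cigital's code: a constructed Java-like slice (the `request.getParameter` source, `executeQuery` sink and sample lines are all assumptions chosen for the example) is scanned first by a line-local pattern check and then by a minimal taint analysis that follows the untrusted value across assignments to the database call.

```python
import re

# Constructed sample: the untrusted parameter travels through two
# assignments before it reaches the SQL call, then a clean query follows.
SAMPLE = """
String name = request.getParameter("user");
String clause = "WHERE name = '" + name + "'";
String query = "SELECT * FROM users " + clause;
stmt.executeQuery(query);
String fixed = "SELECT 1";
stmt.executeQuery(fixed);
"""

SOURCES = ("request.getParameter(",)  # assumed entry points for untrusted data
SINKS = ("executeQuery(",)            # assumed sensitive call
ASSIGN = re.compile(r"^(?:\w+\s+)?(\w+)\s*=\s*(.+);$")  # [type] lhs = rhs;
STRING = re.compile(r'"(?:\\.|[^"\\])*"')                # string literals
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def pattern_check(code):
    """Line-local rule: flag a sink only if a string is concatenated on the
    same line. It cannot see values built on earlier lines."""
    return [i for i, line in enumerate(code.strip().splitlines(), 1)
            if any(s in line for s in SINKS) and "+" in line]


def dataflow_check(code):
    """Taint tracking: a variable becomes tainted when assigned from a
    source or from another tainted variable; a sink fed by a tainted
    variable is reported, whatever line the data entered on."""
    tainted, findings = set(), []
    for i, line in enumerate(code.strip().splitlines(), 1):
        line = line.strip()
        m = ASSIGN.match(line)
        if m:
            lhs, rhs = m.groups()
            rhs_ids = set(IDENT.findall(STRING.sub('""', rhs)))
            if any(s in rhs for s in SOURCES) or rhs_ids & tainted:
                tainted.add(lhs)
            else:
                tainted.discard(lhs)  # overwritten with clean data
            continue
        for sink in SINKS:
            if sink in line:
                args = STRING.sub('""', line.split(sink, 1)[1])
                if set(IDENT.findall(args)) & tainted:
                    findings.append(i)
    return findings
```

On the sample, `pattern_check` reports nothing because no line both calls the sink and concatenates a string, while `dataflow_check` reports line 4, where the tainted `query` reaches `executeQuery`.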
The Fortify Developer Toolkit sells for $3,500 per developer, and the Source Code Analysis Server, $50,000 per CPU.
This story courtesy of TechWeb News