Securing Apps Against Attack

Reasoning, a Mountain View, Calif.-based company with roots in artificial-intelligence technology, Y2K prep and software-code testing, is among a handful of firms looking at the problem differently today. The company is a proponent of application-level security and offers a new security-focused service aimed at helping ISVs rid their software of vulnerabilities before it goes into production. In other words, bulletproof the software and you neutralize the hacker threat.

"It's a hot space, though we have only scratched the surface in our ability to assess source code and identify vulnerabilities," says Pete Lindstrom, research director at Spire Security, an independent analyst firm in Malvern, Pa. "Latent vulnerabilities are created every day in our universe of source code, and the idea is to catch them before they get into production."

The service works like this: You write an application, send Reasoning the source code and it subjects the code to a sophisticated method of diagnostic testing called "static analysis." What is unique about this method is that it pairs human intervention with IT diagnostic tools and "inspection engines," which are able to identify multiple points of failure, buffer overflows, tainted data and "race conditions" that cause lags between operations.

Once the code has gone through Reasoning's electronic diagnostics, it is subjected to two manual processes that scour parts of the code for a deeper analysis. According to president and CEO Bill Payne, tackling security at the application level makes the most sense from an effectiveness standpoint. But while customers are beginning to see the merits, vendors thus far have not, he says.
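To make the "tainted data reaching a buffer overflow" class of finding concrete, here is a toy flow-sensitive taint analysis of the kind a static inspection engine performs. This is an added example, not Reasoning's engine or any code from the article; the mini-IR, the `UNBOUNDED_SINKS` set and the `SAMPLE` program are assumptions constructed for illustration.

```python
# Added example (not Reasoning's engine): a toy flow-sensitive taint analysis
# of the kind a static "inspection engine" runs. The mini-IR and rules below
# are assumptions for illustration.
from dataclasses import dataclass

# Library calls that copy into a caller's buffer without a length bound:
# untrusted data reaching one is the classic buffer-overflow pattern.
UNBOUNDED_SINKS = {"strcpy", "strcat", "sprintf"}
@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    var: str
    via: tuple  # variables the taint flowed through, source first

def analyze(program):
    """program: list of (line, op, *args) in a constructed mini-IR:
    ('source', v) v is untrusted input; ('assign', dst, src) dst = src;
    ('bound', v) v was length-checked; ('call', fn, v) v passed to fn.
    Returns a Finding for each tainted value reaching an unbounded sink."""
    taint = {}  # var -> path the taint took to reach it
    findings = []
    for line, op, *args in program:
        if op == "source":
            taint[args[0]] = (args[0],)
        elif op == "assign":
            dst, src = args
            if src in taint:
                taint[dst] = taint[src] + (dst,)
            else:
                taint.pop(dst, None)  # overwritten with clean data
        elif op == "bound":
            taint.pop(args[0], None)  # length check sanitizes
        elif op == "call":
            fn, var = args
            if fn in UNBOUNDED_SINKS and var in taint:
                findings.append(Finding(line, fn, var, taint[var]))
    return findings

# Constructed sample: argv[1] reaches strcpy through a temporary (flagged),
# then is length-checked before a second copy (not flagged).
SAMPLE = [
    (10, "source", "argv1"),
    (11, "assign", "tmp", "argv1"),
    (12, "call", "strcpy", "tmp"),
    (14, "bound", "argv1"),
    (15, "assign", "name", "argv1"),
    (16, "call", "strcpy", "name"),
]
```

Running `analyze(SAMPLE)` reports only the copy at line 12, with the path `argv1 -> tmp`, which is the location-plus-path information a report like the one described above would carry to the developer.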

"We went to RSA's [security] show recently, and it was amazing that the companies there are not addressing the real problem of application security vs. perimeter," he says. "We know that IT budgets for security are getting the highest growth this year, and we also know that [customers] are devoting a lot of it to application security. Yet that is so totally different than how the vendor market is approaching things."

Reasoning's service doesn't fix the flaws. Rather, it issues a report outlining all the problem spots, including location and recommendations on how to mend them.

On the customer front, Reasoning counts such big guys as IBM, which sends over code from seven or eight of its development labs. Payne says he has also pursued Microsoft with earlier testing tools to no avail, but hopes the security offering might pique its interest. "We could do a very good job with Microsoft, but they want to do something in-house," Payne says. "You know, eventually they will solve these problems, but how long will it take?"