Fortifying the code

Under intense pressure to identify and fix potential vulnerabilities in code earlier in the application development life cycle, weary developers are gaining new allies in their Herculean quest.

The goal is to make security a part of the application development process instead of an afterthought. But, so far, the products that deliver on that goal come from niche players such as Sanctum and SPI Dynamics.

At the VSLive Conference last week, Sanctum Inc. announced AppScan Developer Edition (DE) 1.5. The product is designed to be fully integrated with Microsoft VisualStudio.NET 2003 to give developers ease-of-use features and transparent workflow mechanisms straight from the development environment, said Steve Orrin, CTO of Santa Clara, Calif.-based Sanctum.

Available in March, AppScan DE can be configured to unit test and review any Web application for a wide range of security flaws from within the development environment. Once a defect is found, Orrin notes, the product supplies detailed descriptions, offers applicable in-line correction recommendations, and gives the developer an analysis of each individual test and response.

The Sanctum security tool tests applications created with all languages supported by VS.NET, including C#, C++, VB, and J#.

Orrin said that Sanctum plans to release an AppScan DE tool catered to the IBM Corp. WebSphere and BEA Systems Inc. WebLogic environments by mid-2003. However, there are no plans at this time to offer a version tailored for Sun ONE, he said.

The work of fixing security flaws is being pushed earlier in the development process, even to the point at which the code is being written, in an attempt to hold costs down, analysts said.

Lance Wolrab, network security engineer for the IT arm of dental insurance and medical insurance behemoth DeltaNet in Rancho Cordova, Calif., said that early implementation of security features into the application development process will result in fewer problems later on.

"The later you wait to get security involved, the more you have to rework testing and engineering cycles. Sometimes the entire product fails because the architecture doesn't work in a secure model," Wolrab said. "Our primary purpose is to help our developers build solid and modular code they could reuse and that has already been proven in service."

Running a Microsoft-centric shop and IDE, Wolrab is currently evaluating the merits of AppScan.

If it gets the green light, he said, funding for the product may come from a budgetary release tied to his organization's Health Insurance Portability and Accountability Act (HIPAA) compliance effort.

Analysts expect mandated U.S. government privacy and information-disclosure initiatives, such as HIPAA and the Gramm-Leach-Bliley Act, to raise the level of security built into code that handles Internet-accessible corporate or customer data.

Providing developers with the ability to review test results and fix recommendations directly from their desktops and the Visual Studio.NET development environment should boost Microsoft’s Trustworthy Computing effort, notes Michael Kass, .Net framework product manager at Microsoft in Redmond, Wash.

"For the first time, developers have [an integrated security] tool at development time," Kass said. "We hope over time organizations will learn things from this and actually build into their own internal templates and practice guides."

It’s not surprising that Sanctum went after the Microsoft VS.Net community first with AppScan DE since its broad user base has a plethora of "foot soldier" types that are much more visually oriented, said Laura Koetzle, a security analyst at Cambridge, Mass.-based Forrester Research Inc.

"Java developers don't trust people to do their work anyway; [they are] a smaller market," Koetzle said. After Microsoft VS.Net, the remaining development communities tend to show their loyalties through an assortment of favorite development environments, Koetzle said. The most popular include IBM WebSphere, BEA, and Borland Software Corp.'s TogetherSoft.

Koetzle remarked, however, that Sanctum would be "foolish" not to present its AppScan DE platform for other in-demand development platforms.

"[Sanctum] doesn’t want to have all their eggs in one basket. … Microsoft might want to include this in the next version of Microsoft VisualStudio.Net," Koetzle said.

Although SPI Dynamics Inc., Sanctum's Web application scanning competitor, does not offer a product specifically geared to developers, the company says developers are using its WebInspect tool as a proxy to view the input and output of their requests for debugging purposes.

Caleb Sima, CTO and founder of Atlanta-based SPI Dynamics, said developers are asking for better correlation of scan results and for integration of WebInspect directly into bug-tracking software.

Sima said future WebInspect releases will be designed to accommodate the developer's perspective and will not depend on any one development environment for integration.

In fact, SPI Dynamics will soon announce a new product that will enable developers to audit Web services, whether they are based on the Microsoft Corp. .Net, Sun ONE, or WebSphere platform.

One concept SPI Dynamics will steer clear of is automated fixes for developers.

"That’s a recipe for disaster. It’s easy to do automated fixes when you install a patch; now you’re talking about messing with custom code. You’re going to have to know too many things," Sima said.

Brian Fonseca

InfoWorld