starting at $50,000 for team versions
Menlo Park, California
Also back for a briefing this week is Fortify, who have made great
strides with their security analysis tools in the last six months. You
may recall that they focus on static code analysis of software, with the
goal of finding security issues at development time rather than
deployment time. After all, we all know that finding problems early is
the key to fixing them without spending a ton of money.
Their key tool is a source code analysis tool with an extensible rules
engine. It can analyze C, C++, Java, PL-SQL and (new in the latest
version) C# code; support for other languages is planned for future
versions. The analysis tool works as standalone (good for integrating
into a build process) or as part of an IDE such as Eclipse or Visual
Studio (good for pointing out vulnerabilities when they're introduced
into the code, so that they can be corrected at once). They're also
shipping a version as part of Borland's JBuilder 2005. They also have a
version that can run on your build server as things are checked in,
giving you continuous security auditing.
Also new is the ability to build custom rules. If your company is using
a library or an API with particular secure coding concerns, you can
develop rules to address those concerns and deploy them as part of
Fortify. This helps you make sure that every component in your solution
is used securely. An "Audit Workbench" piece lets you sort and
prioritize rules violations. This is especially useful as you move large
projects over to secure coding, when you might have thousands of
vulnerabilities to deal with.
Fortify's pricing is three-tiered. You can get into the individual
bundles like JBuilder's in the hundreds of dollars. For a more flexible
team-based solution, including the Audit Workbench and build-based
analysis, you should expect to spend around $50,000. At the enterprise
level, you get more rules and a Security Manager piece that tracks the
entire security history of your code. A typical enterprise deployment
runs around $125,000.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.