CodeAssure 2.0 Automates Security in the App Layer
- By John K. Waters
Viruses are bad and worms are worse, but these broad types of attacks
just aren't having the same negative financial impact on the enterprise as the
growing number of targeted attacks against the application layer, says
John Pescatore, an analyst at Gartner.
"Removing vulnerabilities from those business applications as early in
the development process as possible will be the most cost-effective way of preventing
those attacks," Pescatore says.
More and more companies are acknowledging there's a bull's-eye on their application
code, but they're also finding that building security into that code is easier
said than done.
"Most development teams are focused on features and deadlines," says
Kevin Kernan, CEO of Secure Software. "They test their applications for
functionality, performance and integration, and security is an afterthought."
The raison d'être of Kernan's company, Secure Software, is to get
security into the development lifecycle early with automated processes that
identify risks, coupled with services to help correct those security gaps. The
firm was founded by author and security expert John Viega, who wrote Building
Secure Software (with Gary McGraw, Addison-Wesley, 2001), Network
Security with OpenSSL (O'Reilly, 2002) and Secure Programming
Cookbook for C and C++ (O'Reilly, July 2003). Secure Software launched
its flagship CodeAssure product suite earlier this year, and just released the
2.0 version this summer.
CodeAssure 2.0 is designed to allow developers to analyze and fix security
defects at the development level, while letting project managers monitor, analyze
and manage performance at the portfolio level. It includes the enhanced versions
of the Workbench source-code analysis tool, and the Integrator for integrating
security testing with existing quality assurance tools and processes, both of
which were part of the previous release.
New to this version is the CodeAssure Management Center, which offers reporting,
analysis, administration and policy-management capabilities to provide executives,
project managers and security administrators with information on project performance
and policy compliance.
The Management Center integrates for the first time the company's Comprehensive,
Lightweight Application Security Process (CLASP). Developed by Viega, CLASP is a series
of role-based activities, artifacts, guidelines and templates organizations
can adopt and overlay on their software development process. The complete 350-page
CLASP reference guide for integrating source code analysis and vulnerability
remediation into existing development lifecycles is now part of the Management
"Software development is a process-oriented discipline with defined roles
for everyone from individual developers all of the way up to senior-level executives
with product-management responsibilities," says Dale Gardner, director
of product management, Secure Software. "We leveraged our intimate knowledge
of the development process to design a management console that maps to the typical
roles within development organizations, and provides each of those roles with
unmatched management, reporting and analysis capabilities."
CodeAssure 2.0 supports programs written in Java and C.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached