CodeAssure 2.0 Automates Security in the App Layer

Viruses are bad and worms are worse, but these broad types of attacks just aren't having the same negative financial impact on the enterprise as the growing number of targeted attacks against the application layer, says John Pescatore, an analyst at Gartner.

"Removing vulnerabilities from those business applications as early in the development process as possible will be the most cost-effective way of preventing those attacks," Pescatore says.

More and more companies are acknowledging there's a bull's-eye on their application code, but they're also finding that building security into that code is easier said than done.

"Most development teams are focused on features and deadlines," says Kevin Kernan, CEO of Secure Software. "They test their applications for functionality, performance and integration, and security is an afterthought."

The raison d'être of Secure Software is to get security into the development lifecycle early, with automated processes that identify risks, coupled with services to help correct the security gaps those processes find. The firm was founded by author and security expert John Viega, who wrote Building Secure Software (with Gary McGraw, Addison-Wesley, 2001), Network Security with OpenSSL (O'Reilly, 2002) and Secure Programming Cookbook for C and C++ (O'Reilly, July 2003). Secure Software launched its flagship CodeAssure product suite earlier this year and released version 2.0 this summer.

CodeAssure 2.0 is designed to allow developers to analyze and fix security defects at the development level, while letting project managers monitor, analyze and manage performance at the portfolio level. It includes the enhanced versions of the Workbench source-code analysis tool, and the Integrator for integrating security testing with existing quality assurance tools and processes, both of which were part of the previous release.

New to this version is the CodeAssure Management Center, which offers reporting, analysis, administration and policy-management capabilities to provide executives, project managers and security administrators with information on project performance and policy compliance.

The Management Center is also the first release to integrate the company's Comprehensive, Lightweight Application Security Process (CLASP). Developed by Viega, CLASP is a set of role-based activities, artifacts, guidelines and templates that organizations can adopt and overlay on their existing software development process. The complete 350-page CLASP reference guide, which covers integrating source-code analysis and vulnerability remediation into existing development lifecycles, now ships as part of the Management Center.

"Software development is a process-oriented discipline with defined roles for everyone from individual developers all of the way up to senior-level executives with product-management responsibilities," says Dale Gardner, director of product management, Secure Software. "We leveraged our intimate knowledge of the development process to design a management console that maps to the typical roles within development organizations, and provides each of those roles with unmatched management, reporting and analysis capabilities."

CodeAssure 2.0 supports programs written in Java and C.

About the Author

John K. Waters is a freelance writer based in Silicon Valley.