Application security—the notion of tightening up software code—should now form a major part of any corporate IT security strategy.
As detailed in a recent Coverity has been around application security for a number of years. The company was born out of in-depth work at Stanford University on analysing source code, which in turn has been productised into a range of software integrity products.
Talking to Ben Chelf (Coverity CTO and co-founder) recently I was interested in where the application security market was going and in particular where Coverity saw their future.
Enterprise readiness is focusing minds at Coverity as they look at scaling up their products to meet the needs of thousands of users rather than the smaller workgroup level that has traditionally been associated with software code testing. As executives ‘get’ the importance of the code security issue, so comes the requirement for an enterprise dashboard that provides senior staff with an overall risk assessment at any given moment in time. That way the CxO community can be assured that there is one less IT security issue for them to be worried about—hopefully.
The software build process has, in the past, gained almost mystical powers as development teams rush to check in their final lines of code before the routine build. Unfortunately there is some real pain to be had in the build process as it is often left to a black box to produce the final cut of the code. Coverity are uncomfortable with this and are taking steps to look into the build process to detect configuration and build issues sooner in the software development lifecycle than may normally be the case. Build failures can cause release delays and sometimes produce oddities such as an incremental build that doesn't produce the right executables.
Combined with the notion of parallel builds, what was the nightly build can hopefully be reduced to an hourly build with better quality control. This will be a real boon to development shops.
Couple enterprise readiness, improved build quality and more checking for specific threats and you end up with quite an interesting view of what Coverity have planned in the next year. I for one will be watching with interest.