Application security, and the notion that poorly implemented code can create a security flaw in a piece of software, is a fairly recent innovation to many conventional IT security experts. Traditionally these experts have been focused on securing networks and ensuring that hackers and malcontents can't penetrate their ever extending perimeters. Software programming has been an alien science to be avoided at all cost, and code security an impenetrable subject.
IT security experts can no longer ignore this crucial security field, and must work with their software development colleagues to help fix code related security problems.
The past 2 years has seen the application security market grow as new vendors entered the space and more established vendors continued to innovate. The market is set to remain changeable as acquisitions and consolidations form a backdrop against this growth.
Significant effort has been put into securing data by IT professionals using encryption and data loss prevention technologies alongside anti-malware and attack prevention methods. Whilst it is now possible to reasonably secure these areas line of business applications still remain vulnerable to security exploits due to poor or malicious software code.
Applications need to be secured during the software development process, not as an after thought. Code security reviews must now form part of the rigorous checks development teams take during the daily build and software development life cycle (SDLC). Legislation and regulations are now catching up with the need to ensure application security and some standards, such as PCI DSS, the Payment Card Industry Data Security Standards, explicitly demand that software code security checks take place.
The increasing demand to cut IT costs has lead to outsourced software developments, often to partners that have not been audited by the customer. In many instances this outsourced model is hidden by using a local prime contractor who inturn sub contracts work to organisations, some of which the original customer would probably be unhappy with.
The opportunities to deliberately create code "back doors" and the like could be numerous and tempting. Although little evidence suggests this is a prevalent problem undoubtedly it is an area being explored by more sophisticated criminals thwarted by traditional IT security measures.
Application security products typically comprise the following elements;
- Central knowledgebase/database that contains details of code security issues
- Management environment used to build and configure security policies and initiate code scanning routines
- Integrated Development Environment (IDE) plug-in that provides a security package to an existing developer's coding environment and defect tracking tool
- Reporting application that returns statistics to development managers about the quality of the applications being created and the significance of any issues found
Application security auditing is a complex task. Vendors take different approaches to reviewing code, some will undertake a review of the source code whilst others will review the executable code. Contextual awareness is vital, as a function call may seem innocent in one setting but create havoc in another. More advanced solutions will offer pertinent explanations to developers why specific code is problematic and may offer work arounds or links to other useful resources. Full automatic fixing of problems is still outside the scope of current products due to the complexity of such an implementation.
Other terms used to describe application security include;
- Business software assurance
- Software vulnerability detection
- Security source code analysis
- Software Real Time Analyzer
- Security auditing tool
- Rule based security auditing tool
- Vulnerability detection tool
- Static code analysis
Bloor Research have recently released a Market Update in this area that takes a look at a number of vendors and their offerings, including;
- IBM Rational Software
- Ounce Labs
The report is available free of charge from www.bloorresearch.com