The World of Application Security

Written By: Nigel Stanley
Published:
Content Copyright © 2008 Bloor. All Rights Reserved.

Application security, and the notion that poorly implemented
code can create a security flaw in a piece of software, is a fairly recent
innovation to many conventional IT security experts. Traditionally these
experts have been focused on securing networks and ensuring that hackers and
malcontents can’t penetrate their ever extending perimeters. Software
programming has been an alien science to be avoided at all cost, and code
security an impenetrable subject.

IT security experts can no longer ignore this crucial
security field, and must work with their software development colleagues to
help fix code related security problems.

The past 2 years has seen the application security market
grow as new vendors entered the space and more established vendors continued to
innovate. The market is set to remain changeable as acquisitions and
consolidations form a backdrop against this growth.

Understanding
Application Security
Significant effort has been put into securing data by IT
professionals using encryption and data loss prevention technologies alongside
anti-malware and attack prevention methods. Whilst it is now possible to
reasonably secure these areas line of business applications still remain
vulnerable to security exploits due to poor or malicious software code.

Applications need to be secured during the software
development process, not as an after thought. Code security reviews must now form
part of the rigorous checks development teams take during the daily build and software
development life cycle (SDLC).
Legislation and regulations are now catching up with the need to ensure application
security and some standards, such as PCI DSS, the Payment Card Industry Data
Security Standards, explicitly demand that software code security checks take
place.

The increasing demand to cut IT costs has lead to outsourced
software developments, often to partners that have not been audited by the
customer. In many instances this outsourced model is hidden by using a local prime
contractor who inturn sub contracts work to organisations, some of which the original
customer would probably be unhappy with.

The opportunities to deliberately create code “back doors”
and the like could be numerous and tempting. Although little evidence suggests
this is a prevalent problem undoubtedly it is an area being explored by more
sophisticated criminals thwarted by traditional IT security measures.

Application security products typically comprise the
following elements;

  • Central knowledgebase/database
    that contains details of code security issues
  • Management environment
    used to build and configure security policies and initiate code scanning
    routines
  • Integrated Development
    Environment (IDE) plug-in that provides a security package to an existing
    developer’s coding environment and defect tracking tool
  • Reporting application that
    returns statistics to development managers about the quality of the
    applications being created and the significance of any issues found

Application security auditing is a complex task. Vendors
take different approaches to reviewing code, some will undertake a review of
the source code whilst others will review the executable code. Contextual
awareness is vital, as a function call may seem innocent in one setting but create
havoc in another. More advanced solutions will offer pertinent explanations to
developers why specific code is problematic and may offer work arounds or links
to other useful resources. Full automatic fixing of problems is still outside
the scope of current products due to the complexity of such an implementation.

Other terms used to describe application security include;

  • Business software
    assurance
  • Software vulnerability
    detection
  • Security source code
    analysis
  • Software Real Time
    Analyzer
  • Security auditing tool
  • Rule based security
    auditing tool
  • Vulnerability detection
    tool
  • Static code analysis

Bloor Research have recently released a Market Update in
this area that takes a look at a number of vendors and their offerings,
including;

  • Veracode
  • IBM Rational Software
  • Fortify
  • Parasoft
  • Ounce Labs
  • Coverity
  • Amorize
  • Klocwork
  • Cenzic

The report is available free of charge from www.bloorresearch.com