With application developers bearing a
growing share of the enterprise IT security burden, it's necessary for
development-tool budgets to provide for the scrutiny of code and support of
rigorous process, as well as boosting traditional measures of developer
productivity.
Software quality assurance tools such
as Parasoft's Jtest 6.0 are adding security rules to their portfolios of
automatically identified coding-practice violations. This year's update of
Parasoft's Java testing environment added more than 100 vulnerability signatures
to its more than 500 Java development rules.
In eWEEK Labs' tests, Jtest 6.0
generated and ran standard JUnit tests with impressive speed, producing what we
found to be informative, easily navigated results.
Click here to read more about
application developers being in the cross hairs of the next generation of IT
system attacks.
A slate of application security suites
from Fortify Software Inc. was released to developers last month. The Labs
received an extended walk-through of the company's Audit Workbench product that
quickly identified and aided in diagnosing possible vulnerabilities such as
back-door exposures.
The Labs found the Fortify product
attentive to the need to minimize the time-wasting false-positive warnings that
too often discourage developers from using automated analysis tools.
With its data flow analysis, it
appeared that developers could expect Audit Workbench to call attention to real
risks—especially those arising from unexpected interactions among separately
developed modules without constantly triggering alerts on normal and necessary
program actions.
Different modes in Fortify's tool
respond to the differing needs of various users. For example, programmers can
choose to look only at high-confidence, high-severity warnings to minimize
distraction during development, while code auditors can choose to see a more
complete list of possible problems as an application approaches readiness for
deployment.
Fortify's rule base and analytic tools
also confirm more complex requirements, such as the pairing of actions to
restore lower privilege levels after temporary privilege elevation.
Another tool that belongs on
developers' shortlists is DevPartner SecurityChecker, introduced at the
beginning of this year by Compuware Corp. By examining vulnerabilities at both
compile time and run-time, DevPartner SecurityChecker is well-aimed at
application-level risks.
Also of growing importance to
development teams are requirements of process compliance imposed by the
Sarbanes-Oxley Act and other regulations, including those affecting non-U.S.
operations.
Rather than trying to gear up a new
apparatus of ongoing audit and verification, some enterprise sites will want to
explore the "SOX in a box" offering of a managed-service compliance workbench
from Mercury Interactive Corp.
Unveiled at the beginning of this
month, Mercury's IT Governance Center 6.0 includes process regulatory compliance
aids that can maintain and document required segregation of duty; manage
required documentation with included EMC Corp. Documentum tools; and allocate IT
resources, including the time of key personnel.
"Governing IT has been like trying to
get democracy to work in Afghanistan," said Mercury Chief Marketing Officer
Chris Lochhead during a conversation with eWEEK Labs immediately before the
product announcement. "When it becomes a matter of people going to jail, we will
have governance in IT."
Indeed, there might be nothing better
than the prospect of a CEO "perp walk" to elevate a development shop's
priority.
