Automated Code Analysis Apps: IT Lifesavers

Automated source code analysis tools help you review and secure massive amounts of code, providing peace of mind for developers and managers.
(Page 1 of 2)

For Jon Lucenius, information security analyst at JPMorgan Chase & Co., there’s nothing like a manual code review to shore up holes in programs. But since his time is at a premium, he’s learned to rely on the next best thing: automated source code analysis tools.

“Applications today are at such a great size and complexity that doing a manual review isn’t always practical and you want to be able to be as thorough as possible. With automated source code analysis, you can cover a lot of ground,” says Lucenius, who is based in Wilmington, Del.

Source code analysis tools, such as those from Fortify Software and Ounce Labs, help companies ferret out vulnerabilities in applications as well as spot areas where developers might need more security training.

Related Articles
The Golden Rule Of Business Technology Investments

How To Avoid An IT Project 'Death March'

IT In 2007: Budget and Trends

Virtualization: Xen vs. Microsoft vs. VMware

FREE IT Management Newsletters

Many companies use the automated tools not just for internal applications, but for those developed by outsourcers. “We want to make sure there are no backdoors left in our code by any developers,” Lucenius says.

Sprawling Code

Andreas Antonopoulos, senior partner at New York-based Nemertes Research, says this mission is becoming increasingly more difficult for companies. “Code is no longer self-contained in one computer or even in one application. It can be distributed across the network and therefore is far less deterministic. There is a greater opportunity for code errors to creep in and make systems more exploitable,” he says.

While many IT organizations are stretched too thin to do frequent source code analysis, Antonopoulos says compliance, security and performance issues are pressuring them to be more diligent about code reviews. Letting bugs make it to the desktop is costly in terms of time, money and credibility, he says.

“If you can fix a flaw at the design stage it’s ten times cheaper than trying to do so at deployment or once it’s made it into the headlines. As you go through design, architecture, coding, testing, quality assurance and production, it gets progressively more expensive to fix a bug,” he says.

Lucenius agrees. Because JPMorgan Chase falls under numerous regulatory bodies, code analysis has to be central to the company’s security plan. “A good code review will generate a report that shows you what you need to do to make your applications more secure. Then you can say to regulators this is more secure than it was and it’s getting more secure every day,” he says.

Regulatory Requirements

For Matthew Todd, chief information security officer at Financial Engines, in Palo Alto, Calif., the automated tools have also provided a safeguard against regulators and other potential liabilities. “Legal action can be quite a bit more severe if vulnerabilities are found and a firm has failed to do penetration testing or code review. It’s not sufficient to have just one of these. You need a multi-step strategy in place,” he says.

Financial Engines, a benefits service provider, creates its own customer-facing applications. “We’re concerned about SQL Server injections and other related vulnerabilities,” he says.

Todd uses Fortify Software’s source code analysis tools throughout the development process. “You should have security practices in place from the birth of an idea through every release. We introduce secure code analysis at the product specification point and take it through to release,” he says.

At JPMorgan Chase, the mantra is the same. Lucenius contends that source code analysis is only as effective as your overall strategy to deal with vulnerabilities. “You can’t just do a casual review of your applications. Something has to come out of it,” he says.


Page 1 of 2

 
1 2
Next Page





0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.