Article

Static analysis tools boost security, but integration still an issue

Robert Westervelt, News Editor

Every organization has its application development culture. Depending on the industry, one organization will work much harder to make sure applications are built securely, while for others speed is of the essence, and security is an afterthought.

With attackers targeting application coding errors, security experts are pushing enterprises to emphasize a greater need for software security improvements.


Static code analysis tools scan software source code and identify potential security vulnerabilities. Once errors are identified they can be fixed very early in the development lifecycle, eliminating vulnerabilities before the software reaches production. Ramon Krikken, an analyst at the Burton Group, sees a vendor landscape in flux. Tools are available from a variety of vendors, including Armorize Technologies Inc., Klocwork Inc., Coverity Inc., Fortify Software Inc. and Veracode Inc. Large vendors are also taking interest, Krikken said. IBM is integrating its acquisition of Ounce Labs to provide its customers with code analysis capabilities. Hewlett Packard Co. currently partners with Fortify.

"In the last couple of years there have been significant advances in the usability of the tools," Krikken said. "People are at the point where they're still evaluating their processes and the tools."

Like any technology, static analysis tools have their drawbacks. While they are getting easier to use and return fewer false positives, experts say more work needs to be done to ensure the tools can be introduced without paralyzing the software building process. The tools need to be tuned properly to get a usable analysis of the vulnerabilities within the application, and sometimes that tuning can bog down the process, Krikken said. Also, getting developers to use security testing tools may always be a challenge, because development teams are under pressure to get the job done and generally don't want their processes interrupted, said TiVo's Ely.

Some static analysis tools help ease that pressure. Those offered by Fortify and Santa Clara, Calif.-based Armorize Technologies Inc., for example, enable code testing to take place during the code compiling process, making it simpler to implement, Ely said. Armorize's technology almost acts as a spell checker, identifying potential errors during code compiling and suggesting changes.

One of the biggest challenges in using code analysis tools is that they sometimes return hundreds or even thousands of errors, overwhelming the development teams. Depending on the code complexity, the process of addressing each one of the problems can potentially extend the project completion date, Ely said.

"Someone has to manually evaluate every one of those issues," Ely said. "The problem is that a lot of times security flaws involve multiple pieces of code and it takes time to sort out and find where all the errors are."

Though tools are improving, false positives continue to be a major hindrance to adoption of source code analysis, said Web application security expert Caleb Sima, who co-founded and served as chief technology officer of SPI Dynamics Inc., now part of HP Software Inc. Today Sima runs Armorize as the application security vendor's CEO.

"It requires a lot of manual work and services in order to tune the code analysis tool to be able to identify valid and actionable issues," Sima said.
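
The two points above, that a flaw can span several pieces of code and that an untuned tool reports issues which are not actionable, can be shown with a toy interprocedural taint checker. This is an added illustration built on Python's `ast` module, not code from any vendor named in the article; treating `input` as the attacker-controlled source, `os.system` as the sink, and `clean` as a sanitizer are assumptions made for the constructed sample program.

```python
import ast

SOURCES = {"input"}    # assumed: calls whose result is attacker-controlled
SINKS = {"os.system"}  # assumed: calls that must never receive tainted data

# Constructed sample program: the real flaw spans three functions.
SAMPLE = '''
import os
def read_cmd():
    return input("cmd> ")
def wrap(s):
    return "echo " + s
def clean(s):
    return s.replace(";", "")
def run_a():
    os.system(wrap(read_cmd()))          # real finding
def run_b():
    os.system(wrap(clean(read_cmd())))   # false positive until 'clean' is declared a sanitizer
'''

def _call_name(node):
    # Dotted name of a call target, e.g. 'os.system', or '' if not a simple name
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def find_sink_flows(src, sanitizers=frozenset()):
    """Return sorted source line numbers of sink calls that receive tainted data."""
    tree = ast.parse(src)
    funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}

    def tainted(expr, env, depth=0):
        if depth > 20:                      # recursion guard: assume the worst
            return True
        if isinstance(expr, ast.Name):      # a parameter bound by the caller?
            return env.get(expr.id, False)
        if isinstance(expr, ast.Call):
            name = _call_name(expr)
            if name in sanitizers or name in SOURCES:   # tuned out, or a source
                return name in SOURCES
            if name in funcs:               # follow the call into the callee's body
                fn = funcs[name]
                args = {p.arg: tainted(a, env, depth + 1)
                        for p, a in zip(fn.args.args, expr.args)}
                return any(tainted(r.value, args, depth + 1) for r in ast.walk(fn)
                           if isinstance(r, ast.Return) and r.value is not None)
        # Any other node (BinOp, Attribute, unknown call): tainted if any child is
        return any(tainted(c, env, depth + 1) for c in ast.iter_child_nodes(expr))

    return sorted({n.lineno for n in ast.walk(tree)
                   if isinstance(n, ast.Call) and _call_name(n) in SINKS
                   and any(tainted(a, {}) for a in n.args)})
```

Untuned, the checker reports both `os.system` calls; declaring `clean` a sanitizer removes the second report while keeping the real one.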

Sima, a developer, said security isn't easy for software coders. Often the tools are introduced by the company security team to the development organization. The security team then enforces a gate in which code is analyzed for vulnerabilities. The introduction of the tools can often cause friction between the two teams, he said.

"When you come in with a tool that gives me more things that I need to accomplish, that is a very difficult thing for me to accept," Sima said. "The fact that the tool may not be accurate enough or producing actionable results is something that could add more time to the development cycle and is just another phase of things that developers have to get accomplished."

The tools are being simplified to help ease the integration pain, said Chris Wysopal, co-founder and chief technology officer of Burlington, Mass.-based Veracode. Early static analysis tools were aimed at security experts who were doing code review, he said.

"The tools really are focused on the developers now," Wysopal said. "This is the only way we're going to secure software, because there aren't enough security experts to go around."