Tuesday, April 01, 2008

Pitching business software assurance


In an environment where anti-virus providers are openly admitting that their products cannot stop many attacks and in which customers are under more pressure than ever before to keep their sensitive data protected, Fortify is touting a new process dubbed business software assurance that it maintains will change the manner in which organizations defend themselves from external threats.

While many companies are using products like Fortify's software vulnerability scanning tools to block the channels most frequently being used by outside attackers, such processes will soon evolve from sporadic exercises into a continuous routine aimed at staving off any and all applications-level threats, company officials said.

From the time that applications are written until they are up-and-running in production, companies will use a plethora of technologies, from Fortify's static code analysis scanners to black box testing tools and penetration testing systems, to secure their code, officials with the vendor maintain.

In that sense, applications security is maturing from a mere testing market into a larger, more continuous process, said Roger Thornton, chief technology officer at Fortify.

"When people think about applications security today, they think of these various types of tests, but what they are realizing today is that they need to be doing this work in a risk management framework, in a more repeatable manner," Thornton said. "Companies cannot keep addressing this process from the standpoint of looking at individual point products -- they need to approach it from the perspective of business software assurance."

Leery of having the idea pigeonholed as mere vendor marketing, Thornton said that an ecosystem of providers will drive business software assurance, or BSA: from companies such as Fortify itself, whose tools are used by developers as code is being written, through to the providers of so-called black box testing technologies used to test live applications.

Fortify sells a bundle of static code analysis tools and more "dynamic" scanning technologies for use by software quality assurance testers, along with some real-time applications monitoring capabilities for use after programs go live.

With attacks having moved to the applications-level in dramatic fashion over the last several years, and new compliance regulations holding companies more responsible for vulnerabilities in their systems, the need to adopt risk management throughout the development lifecycle is rapidly being brought into focus, Thornton contends.

"If you have the right risk management approach within the development process, you can go a lot further toward making applications impervious toward attacks," he said. "We're in the nascent stages of this whole idea of software assurance, but we believe that this is how customers, developers, and government agencies are going to begin looking at this problem, even as soon as over the next six months."

As part of the BSA process, organizations will require that business partners and even their customers are doing their own due diligence in keeping vulnerabilities out of their applications, according to Fortify's espoused vision.

It's no coincidence that the company announced its backing of the BSA concept simultaneously with the release of its new Fortify 360 product line, which reaches across more stages of application development than the company's previous products did.

However, the product was tailored to reflect emerging demands from the firm's customers, some of whom are already mature enough in their development operations to embrace the BSA process, Fortify executives said.

Officials with at least one of the company's customers, online stock trading provider Scottrade, said that they are moving in the direction of BSA, even if they have yet to adopt that nomenclature for their work.

Scottrade and its rivals, including eTrade and other online stock sites, have been among those businesses that have publicly announced significant financial write-offs driven by applications-level attacks on their trading systems.

The key idea is approaching applications security as a process, rather than on a more piecemeal basis, as has been common practice for many firms up until now, said Grant Bourzikas, director of information security at Scottrade.

"To really address the security problem, you have to fix your code; intrusion prevention, Web applications firewalls, and a lot of other security technologies don't address the root cause, which is poor code left vulnerable that forces people to write signatures to protect at the network level," Bourzikas said. "Of course we use all those products, and we have a traditional layered security approach, but by better securing our code and having this two-pronged effect, we can protect ourselves and our customers a lot better."
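The root-cause point Bourzikas makes above, and the static code analysis stage of the lifecycle described earlier, can be shown side by side. The following is an added illustration, not code from the article, Fortify or Scottrade: a constructed lookup function in its "before" form (input spliced into the SQL text) and its "after" form (input bound as a parameter), plus a deliberately toy source-pattern rule that flags the former the way a code scanner would. The table, the account names and the rule itself are all constructed for this example; real analyzers track dataflow from input to sink rather than matching a regex over lines.

```python
import inspect
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("o'brien", 250)])
    return conn


def lookup_balance_vulnerable(conn, username):
    # The "before" form: the caller's input is spliced into the SQL text, so the
    # database parser sees it as part of the statement. A plain name such as
    # o'brien already breaks it; a network-level signature can only guess at
    # which input shapes will.
    query = "SELECT balance FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_balance_fixed(conn, username):
    # The "after" form: the value travels as a bound parameter and is never
    # parsed as SQL, which removes the defect instead of filtering around it.
    rows = conn.execute("SELECT balance FROM accounts WHERE username = ?", (username,))
    return [row[0] for row in rows]


def vulnerable_rejects(conn, username):
    """True when the concatenated query fails to parse for this input."""
    try:
        lookup_balance_vulnerable(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


# Toy static-analysis rule (an assumption of this example, not a real scanner's
# rule): flag any line where a string literal holding an SQL verb is assembled
# with concatenation, %-formatting, .format() or an f-string placeholder.
SQL_VERB = r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b"
DQ_LITERAL = r'"[^"]*' + SQL_VERB + r'[^"]*"'
SQ_LITERAL = r"'[^']*" + SQL_VERB + r"[^']*'"
SQL_BUILD = re.compile(
    r"(?:" + DQ_LITERAL + "|" + SQ_LITERAL + r")\s*(?:\+|%|\.format\()"
    r"|\bf\"[^\"]*" + SQL_VERB + r"[^\"]*\{"
)


def find_sql_building(source):
    """Return (line_number, line) for each source line that assembles SQL from strings."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if SQL_BUILD.search(line):
            hits.append((number, line.strip()))
    return hits


def scan_function(func):
    """Run the toy rule over a function's own source text, as a code scanner would."""
    return find_sql_building(inspect.getsource(func))


if __name__ == "__main__":
    conn = make_db()
    print("scanner hits, vulnerable form:", scan_function(lookup_balance_vulnerable))
    print("scanner hits, fixed form:     ", scan_function(lookup_balance_fixed))
    print("fixed lookup of o'brien:      ", lookup_balance_fixed(conn, "o'brien"))
    print("vulnerable form rejects o'brien:", vulnerable_rejects(conn, "o'brien"))
```

The scanner reports one finding on the concatenated form and none on the parameterized one, and the parameterized form returns the right row for a name containing a quote where the concatenated form cannot even parse its own statement: the finding disappears because the defect is gone, not because a filter in front of the application learned one more signature.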

Whether or not the market will wrap its arms around the phrase business software assurance or merely view the process as part of a common SDLC (secure development lifecycle) program, the notion of continuous code and applications scanning is one that will continue to catch on with more companies, the executive said.

Yet, as important as any technology is the cultural change that must be effected among developers if the strategy is to succeed, said Bourzikas.

"Tools like this can help with SDLC, but you also have to consider the awareness issue," he said. "People have to better understand all the risks, because no one goes out and tries to write code that is insecure by default; they've been told to write something that works and they meet those requirements. We're hoping to teach our developers what they need to protect, so in that sense, education is every bit as important."