Under intense pressure to identify and fix potential vulnerabilities in code earlier in the application development life cycle, weary developers are gaining new allies in their Herculean quest.
The goal is to make security a part of the application development process instead of an afterthought. But the products to deliver on that end are coming from niche players, such as Sanctum and SPI Dynamics, at this point.
At the VSLive Conference last week, Sanctum Inc. announced AppScan Developer Edition (DE) 1.5. The product is designed to be fully integrated with Microsoft Visual Studio .NET 2003 so that developers get ease-of-use features and a transparent workflow directly inside the development environment, said Steve Orrin, CTO of Santa Clara, Calif.-based Sanctum.
Available in March, AppScan DE can be configured to unit test any Web application for a wide range of security flaws and to review the results from within the development environment. Once a defect is found, Orrin notes, the product supplies a detailed description, offers applicable in-line correction recommendations, and gives the developer an analysis of each individual test and the response it produced.
The Sanctum security tool tests applications created with all languages supported by VS.NET, including C#, C++, VB, and J#.
Orrin said that Sanctum plans to release versions of AppScan DE tailored to the IBM Corp. WebSphere and BEA Systems Inc. WebLogic environments by mid-2003. However, there are no plans at this time to offer a version tailored for Sun ONE, he said.
Analysts said the cleanup of security flaws is being pushed earlier in the development process, even to the point at which the code is being written, in an attempt to hold costs down.
Lance Wolrab, network security engineer for the IT arm of dental insurance and medical insurance behemoth DeltaNet in Rancho Cordova, Calif., said that early implementation of security features into the application development process will result in fewer problems later on.
"The later you wait to get security involved, the more you have to rework testing and engineering cycles. Sometimes the entire product fails because the architecture doesn't work in a secure model," Wolrab said. "Our primary purpose is to help our developers build solid and modular code that they can reuse and that has already been proven in service."
Running a Microsoft-centric shop and IDE, Wolrab is currently evaluating the merits of AppScan.
If it gets the green light, he said, funding for the product may come from a budgetary release tied to his organization's Health Insurance Portability and Accountability Act (HIPAA) compliance effort.
Analysts expect mandated U.S. government privacy and information-disclosure initiatives, such as HIPAA and the Gramm-Leach-Bliley Act, to raise the level of security built into code that handles corporate or customer data exposed to the Internet.
Providing developers with the ability to review test results and fix recommendations directly from their desktops and the Visual Studio .NET development environment should boost Microsoft's Trustworthy Computing effort, notes Michael Kass, .NET Framework product manager at Microsoft in Redmond, Wash.
"For the first time, developers have [an integrated security] tool at development time," Kass said. "We hope over time organizations will learn things from this and actually build into their own internal templates and practice guides."
It's not surprising that Sanctum went after the Microsoft VS.NET community first with AppScan DE, since its broad user base has a plethora of "foot soldier" types that are much more visually oriented, said Laura Koetzle, a security analyst at Cambridge, Mass.-based Forrester Research Inc.
"Java developers don't trust people to do their work anyway; [they are] a smaller market," Koetzle said. Beyond Microsoft VS.NET, the remaining development communities tend to show their loyalties through an assortment of favorite development environments, Koetzle said. The most popular include IBM WebSphere, BEA, and Borland Software Corp.'s TogetherSoft.
Koetzle remarked, however, that Sanctum would be "foolish" not to present its AppScan DE platform for other in-demand development platforms.
"[Sanctum] doesn’t want to have all their eggs in one basket. … Microsoft might want to include this in the next version of Microsoft VisualStudio.Net," Koetzle said.
Although SPI Dynamics Inc., Sanctum's Web application scanning competitor, does not offer a product specifically geared to developers, the company says developers are already using its WebInspect tool as a proxy to view the requests their applications send and the responses they receive, for debugging purposes.
Caleb Sima, CTO and founder of Atlanta-based SPI Dynamics, said developers are asking for better correlation of scan results and for direct integration of WebInspect with bug-tracking software.
Sima said future WebInspect releases will be designed to accommodate the developer's perspective and will not depend on any one development environment for integration.
In fact, SPI Dynamics will soon announce a new product that will enable developers to audit Web services, whether based on the Microsoft Corp. .NET, Sun ONE, or WebSphere platform.
One area SPI Dynamics will not embrace is the concept of automated fixes for developers.
"That’s a recipe for disaster. It’s easy to do automated fixes when you install a patch; now you’re talking about messing with custom code. You’re going to have to know too many things," Sima said.