Tools Make the Developer

By Peter Coffee  |  Posted 2005-05-17 Print this article Print

With application developers bearing a growing share of the enterprise IT security burden, it's necessary for development-tool budgets to provide for the scrutiny of code and support of rigorous process, as well as boosting traditional measures of develope

With application developers bearing a growing share of the enterprise IT security burden, its necessary for development-tool budgets to provide for the scrutiny of code and support of rigorous process, as well as boosting traditional measures of developer productivity.

Software quality assurance tools such as Parasofts Jtest 6.0 are adding security rules to their portfolios of automatically identified coding-practice violations. This years update of Parasofts Java testing environment added more than 100 vulnerability signatures to its more than 500 Java development rules.
In eWEEK Labs tests, Jtest 6.0 generated and ran standard JUnit tests with impressive speed, producing what we found to be informative, easily navigated results.

Click here to read more about application developers being in the cross hairs of the next generation of IT system attacks. A slate of application security suites from Fortify Software Inc. was released to developers last month. The Labs received an extended walk-through of the companys Audit Workbench product that quickly identified and aided in diagnosing possible vulnerabilities such as back-door exposures.

The Labs found the Fortify product attentive to the need to minimize the time-wasting false-positive warnings that too often discourage developers from using automated analysis tools. With its data flow analysis, it appeared that developers could expect Audit Workbench to call attention to real risks—especially those arising from unexpected interactions among separately developed modules—without constantly triggering alerts on normal and necessary program actions.

Different modes in Fortifys tool respond to the differing needs of various users. For example, programmers can choose to look only at high-confidence, high-severity warnings to minimize distraction during development, while code auditors can choose to see a more complete list of possible problems as an application approaches readiness for deployment.

Fortifys rule base and analytic tools also confirm more complex requirements, such as the pairing of actions to restore lower privilege levels after temporary privilege elevation.

Another tool that belongs on developers shortlists is DevPartner SecurityChecker, introduced at the beginning of this year by Compuware Corp. By examining vulnerabilities at both compile time and run-time, DevPartner SecurityChecker is well-aimed at application-level risks.

Also of growing importance to development teams are requirements of process compliance imposed by the Sarbanes-Oxley Act and other regulations, including those affecting non-U.S. operations. Rather than trying to gear up a new apparatus of ongoing audit and verification, some enterprise sites will want to explore the "SOX in a box" offering of a managed-service compliance workbench from Mercury Interactive Corp.

Unveiled at the beginning of this month, Mercurys IT Governance Center 6.0 includes process regulatory compliance aids that can maintain and document required segregation of duty; manage required documentation with included EMC Corp. Documentum tools; and allocate IT resources, including the time of key personnel.

"Governing IT has been like trying to get democracy to work in Afghanistan," said Mercury Chief Marketing Officer Chris Lochhead during a conversation with eWEEK Labs immediately before the product announcement. "When it becomes a matter of people going to jail, we will have governance in IT."

Indeed, there might be nothing better than the prospect of a CEO "perp walk" to elevate a development shops priority.

Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.
Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel