With application developers bearing a growing share of the enterprise IT security burden, its necessary for development-tool budgets to provide for the scrutiny of code and support of rigorous process, as well as boosting traditional measures of developer productivity.
Software quality assurance tools such as Parasofts Jtest 6.0 are adding security rules to their portfolios of automatically identified coding-practice violations. This years update of Parasofts Java testing environment added more than 100 vulnerability signatures to its more than 500 Java development rules.
In eWEEK Labs tests, Jtest 6.0 generated and ran standard JUnit tests with impressive speed, producing what we found to be informative, easily navigated results.
A slate of application security suites from Fortify Software Inc. was released to developers last month. The Labs received an extended walk-through of the companys Audit Workbench product that quickly identified and aided in diagnosing possible vulnerabilities such as back-door exposures.
The Labs found the Fortify product attentive to the need to minimize the time-wasting false-positive warnings that too often discourage developers from using automated analysis tools.
With its data flow analysis, it appeared that developers could expect Audit Workbench to call attention to real risks—especially those arising from unexpected interactions among separately developed modules—without constantly triggering alerts on normal and necessary program actions.
Different modes in Fortifys tool respond to the differing needs of various users. For example, programmers can choose to look only at high-confidence, high-severity warnings to minimize distraction during development, while code auditors can choose to see a more complete list of possible problems as an application approaches readiness for deployment.
Fortifys rule base and analytic tools also confirm more complex requirements, such as the pairing of actions to restore lower privilege levels after temporary privilege elevation.
Another tool that belongs on developers shortlists is DevPartner SecurityChecker, introduced at the beginning of this year by Compuware Corp. By examining vulnerabilities at both compile time and run-time, DevPartner SecurityChecker is well-aimed at application-level risks.
Also of growing importance to development teams are requirements of process compliance imposed by the Sarbanes-Oxley Act and other regulations, including those affecting non-U.S. operations.
Rather than trying to gear up a new apparatus of ongoing audit and verification, some enterprise sites will want to explore the "SOX in a box" offering of a managed-service compliance workbench from Mercury Interactive Corp.
Unveiled at the beginning of this month, Mercurys IT Governance Center 6.0 includes process regulatory compliance aids that can maintain and document required segregation of duty; manage required documentation with included EMC Corp. Documentum tools; and allocate IT resources, including the time of key personnel.
"Governing IT has been like trying to get democracy to work in Afghanistan," said Mercury Chief Marketing Officer Chris Lochhead during a conversation with eWEEK Labs immediately before the product announcement. "When it becomes a matter of people going to jail, we will have governance in IT."
Indeed, there might be nothing better than the prospect of a CEO "perp walk" to elevate a development shops priority.