The concept of adding security to the coding phase of application development is catching on, with new companies delivering tools to help developers test for vulnerabilities early in the process.
One company is not only delivering tools but also attempting to seed the market with the talent to create secure applications. Ounce Labs Inc., of Waltham, Mass., last week introduced its Secure Foundations Initiative, a program that puts the source code vulnerability analysis software vendor in collaboration with universities to train developers in secure software.
The Ounce Labs Secure Foundations Initiative has committed software and research grants worth more than $500,000 to launch the program to promote security at schools such as The George Washington University, Southern Methodist University's High Assurance Computing and Networking Lab, the United States Military Academy at West Point, and The Center for Education and Research in Information Assurance and Security at Purdue University, said Ounce Labs CEO Jack Danahy.
“This is a problem we need to figure out how to solve,” Danahy said. “A lot of people don't realize the problem, but there are only about 300 to 500 people worldwide who can do a competent [secure] code review,” he said.
In May, Ounce released its Prexis tool, which automatically scans source code to analyze an application's security and pinpoint vulnerabilities during development.
“I intend to use it to have our students run their code through the tool to show them where they may have made some security errors—without any foreknowledge or planning for security in their code—to let them see what are known pitfalls,” said Ron Dodge, director of the IT and operations center at West Point, in New York.
Julie Ryan, professor of information security management at The George Washington University, in Washington, said, “One of the problems for information technology security is that the market demands that software be developed quick and cheap.” That means less emphasis on coding for security.
West Point's Dodge said an influx of tools to help with security at the development phase would be welcome. “It's like somebody trying to build a fence without a level,” he said.
Although tools for automating the detection of software vulnerabilities have existed for some time, the space remains relatively uncharted. In the next version of its Visual Studio Tools, Microsoft Corp. plans to give developers the ability to check their code for security vulnerabilities.
One other company following a similar path is Kenai Systems Inc., of Rocklin, Calif., which last week announced its ExamineST Web services security tool. ExamineST provides vulnerability assessment for Web services while they are still in the development phase, said Bill Kesselring, CEO of Kenai.
ExamineST allows developers to import WSDL (Web Services Description Language) files and test them for compliance with the Web Services-Security specification and other known vulnerabilities.