AppScan Tests for Vulnerabilities During the Development Cycle

Sanctum Inc. last week released an application designed to enable developers to perform security testing and vulnerability assessments of software during the development stage.

Sanctum Inc. last week released an application designed to enable developers to perform security testing and vulnerability assessments of software during the development stage. AppScan Developer Edition 1.5 is targeted at Web-application developers and is integrated with Microsoft Corp.s Visual Studio .Net software.

As a developer goes through the coding process, he or she can quickly test the code for thousands of common security vulnerabilities such as buffer overruns and format string vulnerabilities. To do so, the developer simply compiles the code and runs AppScan, which is a button on the main VS .Net tool bar.

AppScan scans the code and returns a detailed report that includes a complete description of each vulnerability thats found, as well as what the effects of each flaw are. The reports, which are delivered inside a window on the VS .Net desktop, include remediation instructions for every vulnerability.

AppScan DE also gives developers a look at what security implications each fix will have on the rest of the application. This helps eliminate many of the problems that can ripple through an application when a line of code is added or deleted as part of a vulnerability fix.

Further reading

The introduction of AppScan DE comes at a time when software vendors are placing more and more pressure on developers to write secure code. Its far cheaper to find and fix vulnerabilities during the development cycle than after a product is released. As a result, companies such as Microsoft have begun holding individual developers liable for the security and integrity of the code they write.

In fact, Microsoft, of Redmond, Wash., has been testing the product in-house for some time and is going to give it to some of its top customers in a two-week extended beta program.

And performing this kind of testing during the development process can help shorten the time to market and reduce the overall costs of the product development, Sanctum officials said.

"Most developers dont really have any security training, so they dont know what to look for," said Steve Orrin, chief technology officer of Sanctum, based in Santa Clara, Calif. "Its through no fault of theirs; we werent taught anything about security in school. Thats just starting to happen now. Thats why something like this is needed. It gives them a road map of what to do."