Rooting Out Vulnerabilities at the Source

New app aims to help developers find and fix software vulnerabilities during development.

Sanctum Inc. on Monday released a new application designed to enable developers to perform security testing and vulnerability assessments of their software during the development process. AppScan Developer Edition 1.5 is targeted mainly at Web application developers and is completely integrated with Microsoft Corp.s Visual Studio .Net software.

As a developer goes through the coding process, he can quickly test his code for thousands of common security vulnerabilities such as buffer overruns, format string vulnerabilities and others. To do so, he simply compiles the code and then runs the AppScan process, which is another button on the main VS .Net toolbar. AppScan then scans the code and returns a detailed report that includes a complete description of each vulnerability thats found as well as what the effects of each flaw are. The reports, which are delivered inside a window on the VS .Net desktop, also include remediation instructions for every vulnerability.

AppScan DE also gives developers a look at what security implications each fix will have on the rest of the application. This helps eliminate many of the problems that can ripple through an application when a line of code is added or deleted as part of a vulnerability fix.

The introduction of AppScan DE comes at a time when software vendors are placing more and more pressure on their developers to write secure code. Its far cheaper to find and fix vulnerabilities during the development cycle than after a product is released. As a result, companies such as Microsoft have begun holding individual developers liable for the security and integrity of the code they write.

In fact, Microsoft has been testing the product in-house for some time and is going to give it to some of its top customers in a two-week extended beta program.

And, performing this kind of testing during the development process can help shorten the time to market and reduce the overall costs of the product development, Sanctum officials said.

"Most developers dont really have any security training, so they dont know what to look for," said Steve Orrin, CTO of Sanctum, based in Santa Clara, Calif. "Its through no fault of theirs; we werent taught anything about security in school. Thats just starting to happen now. Thats why something like this is needed. It gives them a roadmap of what to do."