IBM Stresses App Security

IBM is planning to bolster its development tool set with features to help developers bake security into their applications.

IBM is planning to bolster its development tool set with features to help developers bake security into their applications.

Anthony Nadalin, chief security architect for IBMs Software Group, said IBM is looking to do more to address the issue of security throughout the application life cycle, starting during the requirements process and going straight through to modeling and deployment.

Nadalin said IBM, of Armonk, N.Y., will apply technology to automate the processes of enhancing security in its tools, most likely the Rational Toolset.

"There is a lot of interest in companies building secure applications and how to guarantee that, so were looking at the notion of security in the application life cycle."

Nadalin said IBM is considering enhancing its modeling capability to enable users to integrate security into the process.

IBM is also considering more of a model-driven application life cycle, "highlighting the security aspects of programming," Nadalin said. In this scheme, IBM will "check code for security vulnerabilities such as scanning code for public classes. Were looking at the static analysis of code," he said.

In addition, IBM is thinking of tying the application development process with identity management. "We see the standards becoming increasingly important here," Nadalin said.

IBM plans to use "the policy-driven aspects of modeling to help developers choose the best way to go," Nadalin said. The authentication becomes a policy issue, and "you wind up with a policy-driven model."

IBMs goal is to make sure the developer makes the best decision, according to Nadalin. Applying security measures in the development phase "has been hot on our customers list because compliance is biting them," he said.

In addition, "finding bugs before an application goes out the door is 40 to 50 times cheaper than finding them after the app is in the field," Nadalin said.

"You can bake in a certain degree of security, but most tools just find holes ... then you have to fix them," said Thomas Murphy, an analyst with Gartner Inc., in Stamford, Conn.

"Security takes ground-up design and planning upfront to work right. It is nearly impossible to retrofit," Murphy said. "Otherwise, Microsoft [Corp.] would just run some big tool, and, like magic, Windows would be secure."


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.