This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing five of the top network-based inline IPS appliances."
Download it now to read this article plus other related content.
Price: Starts at $49,000 for 10 developers
|CodeAssure Suite is a solid first step to securing source code.|
Secure Software has created a solid series of tools to remedy most vulnerabilities in insecure source code. Its core CodeAssure Workbench component finds buffer overflows, format string issues, hard-coded clear-text passwords and potentially insecure listening sockets, while CodeAssure Management Center provides a means for reporting on these issues in multiple formats.
Make no mistake--Secure Software's CodeAssure Suite is enterprise software for computer scientists and programmers, not security engineers. Installation and integration within the software development lifecycle could take a week or two of planning with a couple days set aside for actual implementation.
We tested Workbench against Firefox, GAIM and BitTorrent, and found numerous vulnerabilities, including buffer overflows and improper function and method usage. Unfortunately, we are not aware of any source code analysis product that answers the key question: Are these identified vulnerabilities actually exploitable? Vulnerabilities are important, but vulnerabilities that could be exploited by remote anonymous attackers are much more important.
Running your first analysis can be complicated and requires some developer skills; you have to create a project within the application, configure your workspace (where the files will be stored), configure the app to understand what type of program you will be analyzing, and then configure the "Run" function. A team of Secure Software specialists and your developers could complete this in a morning.
CodeAssure Management Center provides the enterprise-level reporting required for medium-to-large development environments. Key reports include security and bug trends and project comparisons. You can identify teams with less secure programming experience and track whether the teams are getting better or worse.
CodeAssure Integrator is designed to infuse automated security assessments into software development cycles. It permits the system to query and report on bugs and trouble tickets. Integration within your software bug tracking or ticketing system is highly recommended, as most mature dev teams implement bug tracking systems to help wrap processes and even SLAs to find and fix software glitches.
The CodeAssure Suite has reports that are tailored for security and development organizations, but be prepared for a challenge. The security team is likely to recommend this type of software in the near future as the technology continues to mature, but neither security nor development will voluntarily jump to put it in their budgets.
This software has proven the ability to find vulnerabilities that all Web application scanners will miss--such as embedded clear-text passwords and poor crypto implementations--but justifying its cost for a large development environment and its limited language support may set back implementation for the next 12 to 18 months.
--JAMES C. FOSTER
This was first published in October 2005