Outside the Sandbox
New tool allows developers to work locally, secure globally.
Not long ago, pleas for secure development, particularly for Internet-facing apps, couldn't compete with the imperative to get it developed, get it working and get it deployed. Predeployment reviews have typically focused on QA, but not security per se.
No more. Because of celebrated data breaches and regulations, application- and source code-testing products are getting serious attention. Last year, two of the better-known black box app testing vendors, Watchfire and SPI Dynamics, were acquired by IBM and HP, respectively, validating the importance of security vetting for existing applications and those under development.
Companies like these and the still independent Cenzic offered themselves as cost-effective alternatives to labor-intensive and very expensive third-party application testing. WhiteHat and Veracode offer application security through the SaaS model. WhiteHat provides vulnerability scanning for live apps or those in development. Veracode tests compiled code, so enterprises and their development partners can order security tests without sharing or exposing source code.
Klocwork, which competes with companies such as Fortify and Ounce Labs in source code review, introduced its latest product, Insight, which allows developers to test their work in the context of the entire development system while remaining within their individual build space.
Insight gathers metadata from across an entire project into a database and makes it available to individual C, C++ and Java developers and teams in their native work environment.
"Insight brings the accurate context of an entire system analysis to the local build. You're still in your sandbox, but with the context you get downstream," says Gwyn Fisher, Klocwork CTO. "So, when you call into system-wide code, we can make sure you are doing it in a non-vulnerable way."
This offers several key benefits. Ordinarily, individuals or groups working on a piece of a project can test only the code in front of them, with no way to determine its effect on other pieces of the project. Insight allows the developer to uncover errors that could propagate from a 50,000-line chunk of code through the millions of lines contained in a large application. This also means organizations will spend less time in system-wide testing and painstaking backtracking to remediate errors that could have been caught early.
Think, too, of an outsourced project--in the U.S. or abroad--in which a partner/developer can test the code it is working on against the entire application without having access to proprietary code it is not authorized to see.
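The two situations just described (a local build that cannot see how its callees and callers behave, and a partner that needs project-wide context without the proprietary source) can be illustrated with a small taint analysis. The following is an added example written for this article, not Klocwork's code or a description of Insight's internals: the mini intermediate representation, the function names (recv_bytes, recv_request, parse_header, server_loop, handle_request) and the summary format are all constructed assumptions. It records, per function, which parameters flow to the return value, which reach a direct sink (a copy into a fixed-size buffer), and which parameters callers actually pass untrusted data into. A sandbox-only analysis of handle_request reports nothing, because parse_header is an unknown callee; the same local code analysed against the shared metadata reports the defect, without the other module's bodies ever being needed.

```python
"""Toy interprocedural taint analysis: an added example (not Klocwork's code)
of the gap a sandbox-only build has and how shared per-function metadata
closes it.  The IR, names and summary format are constructed assumptions."""
from dataclasses import dataclass

SOURCES = {"recv_bytes"}  # constructed: returns attacker-controlled bytes
SRC = "SRC"               # dependency label: derived from a taint source

@dataclass
class Func:
    name: str
    params: list  # parameter names
    body: list    # statements, see summarize()

@dataclass(frozen=True)
class Summary:            # the metadata a project-wide pass records per function
    ret_deps: frozenset   # param indices / SRC flowing to the return value
    sink_deps: frozenset  # param indices / SRC reaching a direct sink here
    calls: tuple          # (callee, per-argument dependency sets) per call site

def tainted(dep_set, entry_ctx):
    """Tainted if derived from a source, or from a parameter some caller is known to taint."""
    return SRC in dep_set or any(d != SRC and d in entry_ctx for d in dep_set)

def summarize(func, db):
    """Bottom-up summary of one body using callee summaries from db.  Statements:
    ("assign", dst, src), ("call", dst, callee, args), ("ret", var) and
    ("sink", var) = var copied into a fixed-size buffer.  Unknown callees are
    assumed to return clean data, which is exactly the sandbox blind spot."""
    deps = {p: {i} for i, p in enumerate(func.params)}
    sinks, ret, calls = set(), set(), []
    for stmt in func.body:
        if stmt[0] == "assign":
            deps[stmt[1]] = set(deps.get(stmt[2], set()))
        elif stmt[0] == "call":
            _, dst, callee, args = stmt
            arg_deps = [deps.get(a, set()) for a in args]
            calls.append((callee, tuple(frozenset(a) for a in arg_deps)))
            result = set()
            if callee in SOURCES:
                result = {SRC}
            elif callee in db:  # map the callee's return deps onto our arguments
                for d in db[callee].ret_deps:
                    result |= {SRC} if d == SRC else arg_deps[d]
            if dst is not None:
                deps[dst] = result
        elif stmt[0] == "sink":
            sinks |= deps.get(stmt[1], set())
        elif stmt[0] == "ret":
            ret |= deps.get(stmt[1], set())
    return Summary(frozenset(ret), frozenset(sinks), tuple(calls))

def build_db(funcs):
    """Whole-project pass: summaries to a fixed point (bottom-up), then a top-down
    pass recording which parameters each function receives tainted from callers."""
    db = {}
    while True:
        new = {f.name: summarize(f, db) for f in funcs}
        if new == db:
            break
        db = new
    entry = {f.name: set() for f in funcs}
    changed = True
    while changed:
        changed = False
        for name, s in db.items():
            for callee, arg_deps in s.calls:
                for i, ad in enumerate(arg_deps):
                    if callee in entry and tainted(ad, entry[name]) and i not in entry[callee]:
                        entry[callee].add(i)
                        changed = True
    return db, entry

def findings(funcs, db, entry):
    """Names of functions whose direct sink receives tainted data."""
    return [f.name for f in funcs
            if tainted(summarize(f, db).sink_deps, entry.get(f.name, set()))]

# Constructed program: NET_FUNCS belong to another team (source not shared
# with the sandbox); LOCAL_FUNCS is the chunk the developer is working on.
NET_FUNCS = [
    Func("recv_request", [], [("call", "data", "recv_bytes", []), ("ret", "data")]),
    Func("parse_header", ["req"], [("assign", "h", "req"), ("ret", "h")]),
    Func("server_loop", [], [("call", "req", "recv_request", []),
                             ("call", None, "handle_request", ["req"])]),
]
LOCAL_FUNCS = [
    Func("handle_request", ["req"],
         [("call", "h", "parse_header", ["req"]), ("sink", "h")]),
]

def sandbox_only_findings():
    """No project metadata: parse_header is unknown, so nothing is reported."""
    return findings(LOCAL_FUNCS, {}, {})

def sandbox_with_project_context():
    """Same local code plus the shared summaries and entry contexts."""
    db, entry = build_db(NET_FUNCS + LOCAL_FUNCS)
    return findings(LOCAL_FUNCS, db, entry)
```

The point to notice is what crosses the boundary: `build_db` is run once over the whole project, and the sandbox analysis consumes only the resulting `Summary` objects and entry contexts, so a partner can learn that `parse_header` passes its argument through and that `handle_request` is called with untrusted data without seeing either body. The choice to treat unknown callees as clean is deliberate; the alternative, treating them as tainted, turns every cross-module call into a false positive, which is the other reason a local-only build is a poor place to stop.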
This leaves Klocwork's K7 Enterprise Development Suite and competing products to focus more purely on their role as endgame audit tools.
This was first published in March 2008